Free Practice Questions for IIA IIA-CIA-Part2 Exam

A risk-based approach to control self-assessment focuses on aligning the organization’s business objectives with the risks managed by specific work units. This method ensures that the controls are effectively designed and operated to mitigate risks that could impede achieving business objectives. Options A, B, and C describe evaluating controls and processes in specific contexts but do not illustrate the primary focus of linking business objectives with the associated risks at the work unit level, which is central to a risk-based approach.

IIA Practice Guide on Control Self-Assessment.

IIA Standard 2120: Risk Management.

Highly centralized organizations concentrate decision-making at the top. This often results in micromanagement (B).

Option A (rapid change) and C (empowerment) are more aligned with decentralized structures.

Option D contradicts centralization, since authority is not pushed downward.

A key planning step for internal auditors to establish appropriate engagement objectives is to evaluate management's risk assessment and the internal audit activity's risk assessment. This step ensures that the audit focuses on areas of highest risk and aligns with the organization's risk management framework. By understanding and incorporating the organization's risk priorities, the internal auditors can design their engagements to provide maximum value and assurance regarding the control environment and risk management processes.

The Institute of Internal Auditors (IIA) Standard 2010: Planning

IIA Practice Advisory 2010-2: Using the Risk Management Process in Internal Audit Planning

In internal auditing, the reliability of evidence is critical. According to IIA standards, evidence that is obtained directly from an external source, such as a customer, is generally considered more reliable, especially when it is timely.

IIA Standard 2310 – Identifying Information:

This standard requires that internal auditors obtain sufficient, reliable, relevant, and useful information to achieve the engagement’s objectives. Evidence obtained directly from external sources is often deemed more reliable because it is less likely to be biased or manipulated.

Direct Evidence:

Evidence obtained directly from a customer is considered highly reliable because it comes from an independent and external party. It is less likely to be influenced by internal pressures or conflicts of interest.

Timeliness:

The timeliness of evidence also affects its reliability. Recent and relevant information is more likely to accurately reflect the current state of affairs, making it more reliable for decision-making.

Option A (Untested third party): Although external, the reliability of evidence from an untested third party is uncertain until their credibility is established.

Option B (Uncorroborated evidence from an employee): This is less reliable as it may be subject to bias or self-interest.

Option C (Undocumented evidence from a manager): Undocumented evidence is generally less reliable as it lacks supporting documentation that can be verified.

Detailed Explanation:Why Not Other Options?

According to IIA guidance, when the internal audit activity investigates potential ethics violations in a foreign subsidiary, communication of any internal ethics violations to external parties may occur, but only with appropriate safeguards. This ensures that sensitive information is protected and that the organization complies with both local and international legal requirements. Cross-cultural differences and local laws must be considered, but the primary focus is on maintaining appropriate safeguards during communication. References: IIA Practice Guide – Auditing Ethics Programs, IIA Standard 2440 – Disseminating Results

Discovery sampling is typically used when testing for fraud, especially when the expected deviation rate is very low. This method is designed to detect at least one occurrence of a specific characteristic (such as fraud) within a given sample size, making it effective for identifying rare but critical issues. It is particularly useful when the auditor suspects that fraud may exist but expects it to be infrequent.

Institute of Internal Auditors (IIA), Practice Guide – Auditing for Fraud.

A properly supervised engagement ensures that the audit is conducted effectively, efficiently, and in accordance with IIA standards. The auditor in charge has the responsibility to oversee the audit process and ensure that the engagement objectives are achieved.

IIA Standard 2340 – Engagement Supervision:

This standard requires that engagements be supervised to ensure that objectives are achieved, work is performed according to appropriate standards, and the results are supported by sufficient, relevant, and reliable evidence.

Reasonable Assurance:

The auditor in charge must provide reasonable assurance that the audit engagement's objectives were met. This involves reviewing work performed, ensuring compliance with audit standards, and verifying that conclusions are supported by adequate evidence.

IIA Practice Advisory 2340-1:

The advisory emphasizes the role of the auditor in charge in providing oversight throughout the audit engagement. This includes ensuring that auditors follow procedures, apply professional judgment, and that all significant findings are appropriately addressed.

Option A (Daily record review): While keeping a record is good practice, it does not constitute comprehensive supervision.

Option B (Review by peers): Peer review is useful but does not replace the overarching responsibility of the auditor in charge.

Option C (Accompanying new auditors): This is part of training and guidance but does not alone ensure that engagement objectives are met.

Detailed Explanation:Why Not Other Options?

The observation provided in the final engagement communication includes the criteria (competitive bidding requirements), condition (three of the 10 contracts reviewed did not meet these requirements), and cause (senior management deemed these purchases critical and awarded them as sole-source). However, it lacks the effect, which would explain the potential consequences or impact of not meeting the competitive bidding requirements, such as increased costs, lack of transparency, or potential for favoritism. References:

The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards), Standard 2410 - Criteria for Communicating.

The IIA’s Practice Guide on Communicating Results.

Given the urgency and the lack of internal expertise in forensic investigation, the most effective and immediate solution is to outsource the investigation to independent professional consultants. This approach ensures that the investigation is conducted by individuals with the necessary skills and experience, thereby maintaining the integrity and quality of the investigation. Training internal staff or recruiting new auditors would take time and may not address the immediate need, while declining the engagement would not fulfill the audit committee's request. References:

"Internal Auditing: Assurance & Advisory Services" (The Institute of Internal Auditors)

"Forensic Accounting and Fraud Investigation for Non-Experts" (Howard Silverstone and Michael Sheetz)

Comprehensive and Detailed Explanation:

The current ratio = Current Assets ÷ Current Liabilities. To increase it, either current assets must rise or current liabilities must decrease.

Option A has no effect because it simply shifts funds between accounts.

Option B increases current assets (inventory) without adding current liabilities, since the loan is long-term, thus improving the ratio.

Option C (leasing) affects long-term liabilities, not current assets.

Option D converts receivables to cash, which keeps current assets unchanged in total.

Therefore, the only option that improves the current ratio is purchasing inventory using long-term loans (B), since it raises current assets without raising current liabilities.

To confirm the existence of a specific vehicle selected from the fixed asset register, the best indirect evidence would be to compare the registered details of the vehicle with a date-stamped photograph. This method provides a verifiable form of evidence that the vehicle exists and matches the details recorded in the asset register. It ensures that the vehicle is still in possession of the organization and can be indirectly verified without the need for physical presence at an off-site location.

IIA Practice Guide: "Auditing Fixed Assets"

COSO Internal Control – Integrated Framework

ISO 31000 Context: ISO 31000 provides guidelines on risk management, emphasizing the importance of understanding the external context.

External Context: This includes external factors such as regulatory and competitive environments that can impact the organization’s risk profile.

Regulatory Environment: Understanding regulations helps the organization ensure compliance and avoid legal risks.

Competitive Environment: Analyzing the competitive environment allows the organization to anticipate market changes and manage competitive risks.

To determine if loans were granted in accordance with the organization's policies, the most effective approach is to validate a sample of loans against the applicable underwriting guidelines. This method allows the auditor to directly assess compliance with the specific criteria set out in the organization's loan granting policies, providing clear evidence on whether the loans meet the required standards.

The Institute of Internal Auditors (IIA) Practice Guide: Auditing Credit Risk Management

IIA Standard 2210 - Engagement Objectives

When employees continue to violate segregation-of-duty controls despite previous recommendations, the most effective approach is to recommend appropriate awareness training. This training can help employees understand the importance of these controls and how to comply with them, addressing the root cause of the violations. References: = IIA Standard 2130 - Control and IIA Practice Guide: “Auditing Segregation of Duties”.

 Non-Assurance Engagements: Non-assurance engagements focus on advisory and consulting services rather than providing an independent assessment. These engagements aim to add value by offering insights and recommendations to management.

 Objective Characteristics:

Informing Management: Providing information on potential risks and advising on risk management strategies is typical for non-assurance engagements. This helps management make informed decisions and manage risks effectively.

Assessment and Compliance: Options A, C, and D are more aligned with assurance engagements, where the internal audit activity provides an independent assessment or ensures compliance with policies and procedures.

 IIA Guidance:

Standard 2120 – Risk Management: Internal auditors must evaluate and contribute to the improvement of risk management processes, often through advisory services in non-assurance roles.

 References:

Non-assurance engagements focus on informing and advising management about risks, improvements, and strategic decisions, as exemplified by informing management about risks related to moving the data warehouse to a third-party cloud server​​​​.