Free Practice Questions for IIA IIA-CIA-Part2 Exam

The board manages several key processes to ensure adequate governance within an organization, one of which is the development, approval, and execution of the strategic plan. This process is critical because it defines the organization's direction, goals, and the actions required to achieve these goals.

Strategic Planning: The board plays a pivotal role in setting the organization's strategic direction, which includes establishing long-term goals and defining the means to achieve them.

Performance Measurement: While the board may establish and measure performance objectives for the internal audit activity, this is part of a broader governance framework.

Risk Management: The board also develops strategies to mitigate risks, ensuring that the organization can achieve its objectives effectively.

Thus, the most comprehensive governance-related process managed by the board involves strategic planning

The most effective management action to prevent similar issues in the future involves both corrective and preventive measures. Coaching the IT specialist addresses the immediate knowledge gap and mistake that occurred. Introducing a secondary control, such as a review or verification step, ensures that future access requests are granted correctly, thereby preventing similar errors. This combination addresses the root cause and adds a layer of assurance. References:

"Internal Auditing: Assurance & Advisory Services" (The Institute of Internal Auditors)

"IT Control Objectives for Sarbanes-Oxley" (IT Governance Institute)

Checklists are helpful tools to ensure systematic coverage of procedures. However, one drawback noted in the CIA study materials is the risk of over-reliance, which can create a false sense of security. Auditors may feel that completing the checklist ensures engagement sufficiency, while overlooking important deviations outside the checklist. In this case, the auditor ignored procurement deviations because they were not on the checklist — demonstrating the risk of over-reliance.

According to the IIA Standards, an internal audit activity must have an external assessment conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. The validation by an external team ensures that the internal audit activity's self-assessments and quality assurance practices meet the required standards.

IIA Standard 1312 (External Assessments) and IIA Standard 1320 (Reporting on the Quality Assurance and Improvement Program) provide detailed guidelines for this process.

Comprehensive and Detailed Explanation:

When risks are organized by processes, audits capture interfaces between organizational units (A) — i.e., the handoffs where errors and control breakdowns often occur. This approach ensures risks are evaluated across functional boundaries, improving coverage and understanding of interdependencies. Option B is incorrect — process-based audits can be more time-consuming, not less. Option C is subjective and not guaranteed. Option D exaggerates — no audit achieves "true completeness." The recognized advantage is that process-based audits capture risk and control interactions across departments, aligning with best practices in risk-based auditing.

The planning memorandum serves as a comprehensive blueprint for an audit engagement, outlining the specific steps, procedures, and strategies that will be employed to carry out the audit. According to IIA guidance, the purpose of this document is to ensure that the audit team is well-prepared and that the audit process is systematic and thorough.

Documentation of Audit Steps and Procedures: The primary purpose of a planning memorandum is to detail the steps and procedures that the audit team will follow. This ensures consistency and clarity throughout the audit process and provides a clear framework for team members to follow.

Narrative memoranda are used in internal auditing to describe processes in a clear and detailed manner, especially when the process is simple. This method is effective for documenting straightforward processes where a flowchart or other visual representation might be unnecessary or overly complex.

IIA Standard 2330 – Documenting Information:

This standard requires that internal auditors document relevant information to support engagement conclusions and recommendations. Narrative memoranda are one way to document processes, particularly when the process is simple and can be easily described in text.

Use of Narrative Memoranda:

Narrative memoranda provide a written account of a process, outlining each step in a sequential manner. This method is particularly useful for simple processes where the key points can be easily captured in a narrative form, without the need for complex diagrams.

Efficiency in Documentation:

For simple processes, a narrative memorandum is more efficient than a detailed flowchart. It allows the auditor to explain the process clearly and concisely, ensuring that all necessary information is captured without unnecessary detail.

Option A (Detailed risk assessment): A narrative memorandum is not typically used for risk assessments, which require more detailed analysis and often visual aids.

Option B (Identify key roles): While a narrative can mention roles, this is not its primary purpose.

Option D (Document outputs): Documenting outputs that support other activities typically requires more detailed mapping, such as flowcharts or tables.

Detailed Explanation:Why Not Other Options?Conclusion: Option C is correct because narrative memoranda are best suited for explaining simple processes in a clear and concise manner, in line with IIA documentation standards.

The engagement’s objective is compliance with project management principles. The corresponding work program aim is to evaluate whether project management guidance is applied in practice (A). Options B, C, and D reflect risk, legal, or strategy audits — not the stated project management compliance objective.

An internal audit procedures manual typically includes detailed information on the methodologies, tools, and techniques used during audits. It also outlines the protocols and guidelines for auditors to follow, including their authority and the scope of their work. Clearly defining the extent of the auditor's authority to collect data from management ensures that auditors understand their rights and limitations, which is essential for carrying out effective and efficient audits.

The Institute of Internal Auditors (IIA), Practice Guide on Developing the Internal Audit Manual

"Internal Auditing: Assurance and Advisory Services" by Urton L. Anderson, Michael J. Head, Sridhar Ramamoorti, Chris A. Bailey, and David A. Sarens

Successful change management requires prompt decision-making and actions, as well as ensuring that changes lead to improvement or reform. Respecting the traditions of the organization and controlling internal and external communications are important, but not as critical to the success of change management as the necessity for timely actions and positive outcomes. References:

IIA Practice Guide - Change Management: Facilitating Organizational Change

IIA Standards - 2210: Engagement Objectives

According to the IIA's Standards, specifically Standard 1210 - Proficiency, internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. If the internal audit activity lacks the necessary skill set to conduct a requested consulting engagement, the most appropriate action for the CAE is to decline the engagement request. This ensures that the internal audit activity does not compromise the quality and effectiveness of its services.

Comprehensive and Detailed Explanation:

Per IIA Standard 1210 – Proficiency, engagements must be performed by auditors with the necessary skills. If resources are not available, the engagement supervisor cannot unilaterally suspend or reassign staff without CAE input. The appropriate action is to escalate the issue to the CAE (D), who has authority to adjust the audit plan, bring in external expertise, or reallocate resources. Option A may not be feasible due to scheduling conflicts. Options B and C prematurely halt the engagement, which undermines assurance delivery. The CAE is responsible for ensuring resource adequacy (per Standard 2030 – Resource Management). Therefore, the engagement supervisor must seek guidance from the CAE.

Trend analysis is the analytics procedure that an internal auditor would use to compare performance information from one quarter to another. This technique involves analyzing data over a specific period to identify patterns, trends, and changes in performance metrics. Trend analysis helps auditors understand the direction of key performance indicators and assess whether performance is improving, declining, or remaining stable.

Per Standard 2330 – Documenting Information, workpapers must be sufficient, reliable, relevant, and useful. Irrelevant workpapers that do not support engagement objectives should not be retained, as they clutter documentation and weaken audit quality. The supervisor should ensure that only workpapers directly tied to objectives are included, which makes Option A correct.

A survey with closed-ended questions can produce quantifiable evidence. Closed-ended questions limit responses to predefined options, making it easier to analyze and quantify the results. This type of survey is effective in gathering specific, comparable data from respondents.

IIA Practice Guide: Survey Methods in Internal Auditing

IIA Standards: 2310 - Identifying Information