CIA

Preparatory Program

Part 1

Essentials of Internal Auditing

Mock Exam
CIA Part 1 Mock Exam

125 Multiple Choice Questions

Time: 2 Hours, 30 Minutes (150 Minutes)
Select a single answer that best completes the statement or answers the question.

1. Which of the following is not true with regard to the internal audit charter?

a. It defines the authorities and responsibilities for the internal audit activity.

b. It specifies the minimum resources needed for the internal audit activity.

c. It provides a basis for evaluating the internal audit activity.

d. It should be approved by senior management and the board.

2. The function of internal auditing, as related to internal financial reports, would be to:

a. Ensure compliance with reporting procedures.

b. Review expenditure items and match each item with expenses incurred.

c. Determine if there are any employees spending funds without authorization.

d. Identify inadequate controls that increase the likelihood of unauthorized expenditures.

3. The status of the internal audit activity should be free from the effects of irresponsible policy changes
by management. The most effective way to assure that freedom is to:

a. Have the internal audit charter approved by the board.

b. Adopt policies for the functioning of the internal audit activity.

c. Establish an audit committee as a subcommittee of the board.

d. Develop written policies and procedures to serve as standards of performance for the internal audit
activity.

4. If a department's operating standards are vague and thus subject to interpretation, an auditor should:

a. Seek agreement with the departmental manager on the criteria needed to measure operating perfor-
mance.

b. Determine best practices in the area and use them as the standard.

c. Interpret the standards in their strictest sense because standards are otherwise only minimum measures
of acceptance.

d. Omit any comments on standards and the department's performance in relation to those standards,
because such an analysis would be inappropriate.

5. Which of the following would not be considered mandatory guidance?

a. The Definition of Internal Auditing.

b. The Code of Ethics.

c. The Core Principles.

d. The Mission of Internal Audit.

1
CIA Part 1 Mock Exam

6. One of the purposes of the Standards is to:

a. Encourage the professionalization of internal auditing.

b. Establish the independence of the internal audit activity and emphasize the objectivity of internal au-
diting.

c. Encourage external auditors to make more extensive use of the work of internal auditors.

d. Establish the basis for evaluating internal auditing performance.

7. The Standards require that the chief audit executive (CAE) have a formal, written internal audit charter
approved by management and the board. The purpose of the internal audit charter is to:

a. Protect the internal auditing activity from outside influence.

b. Establish the purpose, authority, and responsibility of the internal auditing activity.

c. Define the internal auditor’s relationship with the external auditor.

d. Define the role of the chief audit executive as a member of the audit committee.

8. The best means for the internal auditing activity to determine whether it has achieved its goal of im-
plementing broader audit coverage of functional activities is through:

a. Accumulation of audit findings by auditable area.

b. Comparison of the audit plan to actual audit activity.

c. Surveys of management satisfaction with the internal audit activity.

d. Implementation of a quality assurance and improvement program.

9. If a department outside of the internal audit activity (IAA) is responsible for reviewing a function or
process, the internal auditor should:

a. Consider the work of the other department when assessing the function or process.

b. Ignore the work of the other department and proceed with an independent audit.

c. Reduce the scope of the audit because the work has already been performed by the other department.

d. Yield the responsibility for assessing the function or process to the other department.

10. During an engagement to evaluate the organization’s accounts payable function, an internal auditor
plans to confirm balances with suppliers. What is the source of authority for the auditor’s contact with
units outside the organization?

a. Internal audit activity policies and procedures.

b. The Standards.

c. The Code of Ethics.

d. The internal audit activity’s charter.

2
CIA Part 1 Mock Exam

11. Which of the following is not one of the ten Core Principles:

a. Promotes organizational improvement.

b. Is appropriately positioned and adequately resourced.

c. Provides risk-based assurance.

d. Is insightful, proactive, and focused on the present.

12. According to the Standards, the internal audit activity’s goals should specify:

a. Policies and procedures to guide the internal audit staff.

b. Engagement work schedules and activities to be reviewed.

c. Measurement criteria and target dates for completion.

d. Staffing plans and financial budgets.

13. Which of the following best describes an internal auditor’s purpose in reviewing the organization’s ex-
isting risk management, control, and governance processes?

a. To help determine the nature, timing, and extent of tests necessary to achieve engagement objectives.

b. To ensure that weaknesses in the internal control system are corrected.

c. To provide reasonable assurance that the processes will enable the organization’s objectives and goals
to be met efficiently and economically.

d. To determine whether the processes ensure that the accounting records are correct and that financial
statements are fairly stated.

14. Of the following activities, which ones are within the scope of internal auditing?

I. To assess an operating department's effectiveness in achieving stated organizational goals.

II. To safeguard assets.

III. To evaluate controls over compliance with laws and regulations.

IV. To ascertain the extent to which objectives and goals have been established.

a. I and III only.

b. I and IV only.

c. I, III and IV only.

d. I, II and IV only.

15. The consultative approach to internal auditing emphasizes:

a. Imposition of corrective measures.

b. Participation with engagement clients to improve methods.

c. Fraud investigation.

d. Implementation of policies and procedures.

3
CIA Part 1 Mock Exam

16. A CIA, working as the purchasing director, signs a contract to procure a large order from the supplier
with the best price, quality, and performance. Shortly after signing the contract, the supplier presents
the CIA with a gift of significant monetary value. Which of the following statements regarding the ac-
ceptance of the gift is correct?

a. Acceptance of the gift would be prohibited only if it were non-customary.

b. Acceptance of the gift would violate the IIA Code of Ethics and would be prohibited.

c. Because the CIA is not acting as an internal auditor, acceptance of the gift would be governed only by
the organization’s code of conduct.

d. Because the contract was signed before the gift was offered, acceptance of the gift would not violate
either the IIA Code of Ethics or the organization’s code of conduct.

17. A review of an organization’s code of conduct revealed that it contained comprehensive guidelines de-
signed to inspire high levels of ethical behavior. The review also revealed that employees were knowl-
edgeable of its provisions. However, some employees still did not comply with the code. What element
should a code of conduct contain to enhance its effectiveness?

a. Periodic review and acknowledgment by all employees.

b. Employee involvement in its development.

c. Public knowledge of its contents and purpose.

d. Provisions for disciplinary action in the event of violations.

18. Which of the following statements is not appropriate to include in a manufacturer’s conflict of interest
policy? An employee shall not:

a. Accept money, gifts, or services from a customer.

b. Participate (directly or indirectly) in the management of a public agency.

c. Borrow from or lend money to vendors.

d. Use organizational information for private purposes.

19. An internal auditor, during the course of evaluating the policies & procedures for capitalizing fixed as-
sets, uncovered some information that indicated that management had capitalized some general
maintenance costs that should have been expensed. The amount is considered to be material. If the
internal auditor failed to disclose this information to senior management or the audit committee, the
internal auditor would be in violation of which rule of conduct?

a. Integrity.

b. Objectivity.

c. Confidentiality.

d. Competence.

4
CIA Part 1 Mock Exam

20. Which of the following concurrent occupations could appear to subvert the ethical behavior of an internal
auditor?

a. Internal auditor and local in-house chairperson for a well-known charitable organization.

b. Internal auditor and part-time business insurance broker.

c. Internal auditor and adjunct faculty member of a local business college that educates potential employ-
ees.

d. Internal auditor and landlord of multiple housing units that publicly advertise for tenants in a local
community newspaper.

21. As part of a company-sponsored award program, an internal auditor was offered an award of significant
monetary value by a division in recognition of the cost savings that resulted from the auditor's recom-
mendations. According to the International Professional Practices Framework (IPPF), what is the most
appropriate action for the auditor to take?

a. Accept the gift because the engagement is already concluded and the report issued.

b. Accept the award under the condition that any proceeds go to charity.

c. Inform audit management and ask for direction on whether or not to accept the gift.

d. Decline the gift and advise the division manager's superior.

22. Towards the end of an engagement, the auditor discovers that the director of marketing has a gambling
habit. The gambling issue is not directly related to the existing engagement and there is pressure to
complete the current engagement. The auditor notes the problem and forwards the information to the
chief audit executive but performs no further follow-up. The auditor's actions would:

a. Be in violation of the IIA Code of Ethics for withholding meaningful information.

b. Be in violation of the Standards because the auditor did not properly follow up on a red flag that might
indicate the existence of fraud.

c. Not be in violation of either the IIA Code of Ethics or Standards.

d. Both a and b.

23. In which of the following would an internal auditor potentially lack objectivity?

a. The internal auditor reviews the procedures for a new electronic data interchange (EDI) connection to
a major customer before it is implemented.

b. A former purchasing assistant performs a review of the internal controls over purchasing four months
after being transferred to the internal audit activity.

c. An internal auditor recommends standards of control and performance measures for a contract with a
service organization for the processing of payroll and employee benefits.

d. A payroll accounting employee assists an internal auditor in verifying the physical inventory of small
motors.

5
CIA Part 1 Mock Exam

24. An auditor’s objectivity could be compromised in all of the following situations except:

a. A conflict of interest.

b. Auditee familiarity with auditor due to lack of rotation in assignment.

c. Auditor assumption of operational duties on a temporary basis.

d. Reliance on outside expert opinion when appropriate.

25. Independence is most likely impaired by an internal auditor’s:

a. Continuation of an engagement at a division for which (s)he will soon be responsible as the result of a
promotion.

b. Reduction of the scope of the engagement due to budget restrictions.

c. Participation on a task force that recommends standards for control of a new distribution system.

d. Review of a purchasing agent’s contract drafts prior to their execution.

26. Independence from outside pressure is an important factor for the internal audit activity to work freely
and objectively. Which of the following contributes to the internal auditor’s independence?

a. Management should assist the IAA by reviewing, revising, and forwarding engagement communications
to the audit committee.

b. The IAA reports directly to the audit committee, without corroborating engagement communications
with management.

c. Ideally, the IAA functionally reports to the audit committee but reports to the chief operating officer on
all engagements relating to operations.

d. The accuracy of the engagement communications should be verified with management, and the IAA
should then report to management and the audit committee.

27. Internal auditors must distinguish carefully between a scope limitation and other limitations. Which of
the following is not considered a scope limitation?

a. The divisional manager of an engagement client has indicated that the division is in the process of
converting a major computer system and that the information systems portion of the planned engage-
ment will have to be postponed until next year.

b. The board reviews the engagement work schedule for the year and deletes an engagement that the
CAE thought was important to conduct.

c. The engagement client has indicated that certain customers cannot be contacted because the organi-
zation is in the process of negotiating long-term contracts and does not want to upset the customers.

d. None of the answers are correct.

6
CIA Part 1 Mock Exam

28. Which of the following combinations best illustrates a scope limitation and the appropriate response by
the CAE?

Nature of limitation Internal audit action

a. Engagement client limits scope based upon pro- Report only to the controller
prietary information.

b. Engagement client will not provide access to rec- Report to the board.
ords needed for approved work schedule.

c. Engagement client requests that the engage- Report directly to the CEO and controller.
ment be delayed for 2 weeks to allow it to
close its books.

d. Engagement client will not allow the internal au- No reporting is required because the opera-
ditor to contact major customers as part of tional engagement concerns operational
an engagement to evaluate the efficiency efficiency.
of operations.

29. In practice, internal auditing should have a dual reporting process. The CAE must report to a level within
the organization that allows internal auditing to fulfill its responsibilities. The ideal reporting situation
for a company’s CAE is to:

a. Functionally report to the CFO and administratively report to the audit committee.

b. Administratively report to the board and functionally report to upper management.

c. Functionally report to the board and administratively report to upper management.

d. Administratively report to upper management and functionally report to the external auditor.

30. Administrative reporting would typically include all of the following except:

a. Developing and submitting the annual internal auditing budget.

b. Approving the risk-based internal audit plan.

c. Administration of the internal audit activities policies and procedures.

d. Human resource administration, including personnel evaluations and compensation.

31. Internal auditors are expected to be objective when conducting their work. Which of the following cir-
cumstances would not cause an internal auditor’s objectivity to be impaired?

I. The internal auditor audited an area for which they were responsible more than one year ago.

II. The internal auditor accepted a sizable gift from a client after the successful completion of an audit.

III. The internal auditor designed some control procedures for an engagement client.

IV. The internal auditor was given a small token of appreciation from a client after the completion of an
audit.

a. I and II only

b. II and III only

c. I and IV only

d. II and IV only

7
CIA Part 1 Mock Exam

32. An internal auditor’s involvement in the evaluation of the organization’s accounts payable function
should include all of the following except:

a. Testing whether the organization’s vendor balances are accurately stated.

b. Recommending areas for improvement.

c. Developing audit plans for future audits.

d. Drafting procedures to improve control over the accounts payable function.

33. Which of the following statements is correct? In a consulting engagement:

a. The auditor provides an assessment and states an opinion about whether or not something with the
company is operating or performing correctly.

b. The auditor does not need to be independent but does need to be objective.

c. The auditor should be objective in the investigation and independent in the decision.

d. The engagements are an analysis of past events.

34. Individual objectivity means that:

a. Internal auditors must make conclusions based on facts without being influenced by feeling, emotions,
relationships, bribes, or any other outside influence.

b. Internal auditors must report to a level within the organization that allows the internal audit activity to
fulfill its responsibilities.

c. Neither a nor b are correct.

d. Both a and b are correct.

35. To be effective, internal auditors need to have organizational independence. Organizational independ-
ence is achieved largely through the status of the internal audit activity and the authority that the
board gives it. Based on this, the board authorizes the internal audit activity to:

I. Have unrestricted access to all functions, records, property, and personnel pertinent to carrying out
any engagement.

II. Have unlimited access to all external audit working papers.

III. Allocate necessary resources to accomplish audit objectives.

a. I only.

b. II and III only.

c. I and III only.

d. I and II only.

8
CIA Part 1 Mock Exam

36. A company has seen tremendous growth in its sales revenue the past few years and management is
considering replacing its legacy system with an ERP system. Management believes that an ERP system
will allow the company to integrate applications to better manage the business. Which of the following
would be an appropriate internal auditing role in purchasing the ERP system?

a. Ascertain whether the feasibility study addresses the cost-benefit relationship.

b. Solicit bids from vendors.

c. Determine the requirements for preparing a manual of specifications.

d. Participate in the ERP acquisition and implementation.

37. Which of the following is not a true statement concerning a conflict of interest?

a. A conflict of interest exists even if no unethical or improper act results.

b. A conflict of interest can create an appearance of impropriety that undermines confidence in the inter-
nal auditor.

c. An internal auditor with a conflict of interest in a consulting activity should be removed.

d. A conflict of interest could impair an auditor’s ability to perform his or her duties and responsibilities
objectivity.

38. There are a number of procedures that the chief audit executive can follow in order to maintain objec-
tivity within the internal audit activity. Which of the following would not be a procedure for maintain-
ing objectivity?

a. Make sure job assignments minimize potential conflicts of interests.

b. Promote continuing professional development.

c. Develop a strong QAIP system to ensure organizational independence and objectivity.

d. Periodically rotate internal auditing assignments so relationships do not develop between the auditor
and the auditee that might impair the auditor’s judgment.

39. During an internal audit, the internal auditor should exercise due professional care. Due professional
care means that the internal auditor should consider:

I. The extent of work needed to achieve the engagement’s objectives.

II. The relative complexity and materiality to which assurance procedures are applied.

III. The probability of significant errors, irregularities, or noncompliance.

IV. The engagement procedures necessary to ensure that all significant risks have been identified.

a. I and II only.

b. I, II and IV only.

c. I, II, III and IV.

d. I, II and III only.

9
CIA Part 1 Mock Exam

40. As part of the process to improve the relationship between the internal auditor and engagement client,
it is very important to deal with how the internal audit activity is perceived. Certain types of attitudes
in the work performed will help create these perceptions. From a management perspective, which atti-
tude is likely to be the most conducive to a positive perception?

a. Interrogatory.

b. Investigative.

c. Consultative.

d. Objective.

41. Internal auditors need to have an understanding of which discipline?

a. Internal auditing procedures and techniques.

b. Accounting principles and techniques.

c. Management principles.

d. Marketing techniques.

42. The Standards require that internal auditors possess which of the following skills?

I. Internal auditors should understand human relations and be skilled in dealing with people.

II. Internal auditors should be able to recognize and evaluate the materiality and significance of deviations
from good business practices.

III. Internal auditors should be experts on subjects such as economics, commercial law, taxation, finance,
and information technology.

IV. Internal auditors should be skilled in oral and written communication.

a. I and II only.

b. I, II and III only.

c. I, II, III and IV.

d. I, II and IV only.

43. Your organization has selected you to develop an internal audit activity. Your approach will most likely
be to hire:

a. Internal auditors who possess all of the skills required to handle all engagements.

b. Inexperienced personnel and train them in the way that the organization wants them trained.

c. Individuals with accounting degrees because most internal audit work is accounting-related.

d. Internal auditors who collectively have the knowledge and skills needed to perform the responsibilities
of the IAA.

10
CIA Part 1 Mock Exam

44. The IIA Standards require internal auditors to have the knowledge, skills, and disciplines essential to
performing an audit. Which of the following is true considering the level of knowledge or skill required
by the Standards? Internal auditors must:

I. Be proficient in the application of auditing standards and procedures to specific situations without ex-
tensive recourse to technical research and assistance.

II. Be proficient in accounting principles when auditing the financial records and reports of the organization.

III. Be proficient in applying knowledge of accounting and computerized information systems to specific or
potential problems.

a. I only.

b. I and II only.

c. II and III only.

d. I, II and III.

45. Within the context of quality control, the primary purpose of continuing professional education and
training is to enable the internal audit activity to provide its personnel with:

a. Technical training so its internal auditors are valuation experts.

b. Professional education that is required in order to perform engagements with due professional care.

c. Knowledge required to fulfill assigned responsibilities.

d. Knowledge required to perform a peer review.

46. When an internal auditor is not qualified to perform an engagement, the internal auditor should:

a. Acquire the requisite knowledge and skills.

b. Suggest someone else who is qualified to perform the work.

c. Decline the engagement.

d. Any of the above.

47. When hiring a prospective internal auditor, reasonable assurance should be obtained as to the candi-
date’s qualifications and proficiency. Which of the following is the least useful application of this prin-
ciple?

a. Determining that all applicants have an accounting degree.

b. Obtaining college transcripts.

c. Checking an applicant's references.

d. Determining previous job experience.

11
CIA Part 1 Mock Exam

48. The internal audit activity (IAA) can perform an important role in preventing and detecting significant
fraud by being assigned all but which one of the following tasks?

a. Review large, abnormal, or unexplained expenditures.

b. Review sensitive expenses such as legal fees, consultant fees, and foreign sales commissions.

c. Review every control feature pertaining to petty cash receipts.

d. Review contributions by the organization that appears to be unusual.

49. A new chief audit executive (CAE) for a major retail company is questioning the audit activity’s extensive
use of store compliance testing, stating that the approach is not responsive to materiality concepts.
Which of the following statements are valid in response to the CAE’s claims?

I. Materiality is not based only on the size of individual stores; rather it is also based on the control
structure that affects the whole organization.

II. Any deviation from a prescribed control procedure is, by definition, material.

III. The only way to ensure that a material amount of the company’s control structure is reviewed is a
comprehensive audit of all stores.

a. I only.

b. III only.

c. I and II only.

d. I, II and III.

50. An internal auditor issues a final report that had to do with evaluating the client’s procedures for in-
creasing the diversity of the organization’s workforce. In this regard, the internal auditor made several
recommendations for changes in hiring and retaining practices. Regarding due professional care, the
internal auditor would conduct a follow-up to ensure which of the following actions by the client?

a. To ascertain whether the client has carried out the internal auditor’s recommendations.

b. To ascertain whether the organization is in line with the organization’s diversity policies.

c. To ascertain whether the client has considered the audit findings and has taken action to improve di-
versity within the organization.

d. All of the above are true.

51. Regarding assurance engagements, due professional care calls for:

a. A detailed review of all transactions.

b. Infallibility and extraordinary performance when the system of internal control is known to be weak.

c. The consideration of the possibility of material irregularities during every engagement.

d. Testing in sufficient detail to give an absolute assurance that noncompliance does not exist.

12
CIA Part 1 Mock Exam

52. Due professional care is concerned with the work that is done by the internal auditor. For example,
due professional care in the matter of a review of internal controls over financial reporting would con-
sider all of the following except:

a. The content of the working papers is sufficient to provide support for the internal auditor's opinion.

b. The audit evidence in the working papers is principally performed to protect the company in the case
of a lawsuit by investors.

c. The probability of significant errors, fraud, or noncompliance.

d. The cost of the engagement in relation to potential benefits.

53. When using the services of an outside service provider, the CAE must:

a. Be involved in the hiring of the service provider.

b. Verify that the service provider has the CIA designation.

c. Evaluate the skills and reputation of the service provider.

d. Verify the service provider’s knowledge of the internal auditing standards.

54. An internal auditor should have an appreciation with respect to which discipline?

a. Quantitative methods.

b. Auditing techniques.

c. Auditing procedures.

d. Internal audit standards.

55. An internal auditor is employed by a large department store. During a planned engagement the inter-
nal auditor performed an audit of the store's cash operations. Which of the following actions would be
deemed lacking in due professional care?

a. A flowchart of the entire cash operation was developed but only a sample of transactions was tested.

b. The report included a well-supported recommendation for the reduction in staff although it was known
that such a reduction would adversely impact morale.

c. Because of a highly developed system of internal controls over cash operations, the audit report as-
sured top management that no irregularities existed.

d. The auditor informed appropriate authorities within the organization about suspected wrongdoing. No
report was made to external authorities.

13
CIA Part 1 Mock Exam

56. The CAE is concerned that a recently-disclosed fraud was not uncovered during the last engagement
to evaluate cash operations. A review of the working papers indicated that the fraudulent transaction
was not included in a properly-designed statistical sample of transactions tested. Which of the follow-
ing applies to this situation?

a. Because cash operations are a high-risk area, 100% testing of transactions should have been per-
formed.

b. The internal auditor acted with due professional care because an appropriate statistical sample of ma-
terial transactions was tested.

c. Fraud should not have gone undetected in a recently reviewed area.

d. Extraordinary care is necessary for the performance of a cash operations engagement, and the inter-
nal auditor should be held responsible for the oversight.

57. The CAE of a manufacturing company has interviewed an individual for a staff position. The CAE has
reviewed the individual’s credentials and has performed a detailed background check. The individual
has a strong knowledge of accounting and finance; however, the individual has limited knowledge of
environmental management systems (EMS). What is the most appropriate action for the CAE to take?

a. Reject the individual because of the lack of knowledge of EMS.

b. Offer the individual a position despite the lack of knowledge of EMS.

c. Encourage the individual to obtain additional training in EMS and then reapply.

d. Offer the individual a position if other staff members have sufficient knowledge of EMS.

58. A recently-hired internal auditor's first assignment is to review the cash management operations of
the organization. The internal auditor has no background in cash management. Under which of the
following conditions would this arrangement be appropriate?

I. The senior internal auditor is skilled in the area and closely supervises the staff internal auditor.

II. The staff internal auditor performs the work and prepares an engagement communication that is re-
viewed in detail by the CAE.

a. I only.

b. Both I and II.

c. II only.

d. Neither I nor II.

59. If internal auditors fail to maintain their proficiency through continuing professional education they
could be found to be in violation of:

a. The International Standards for the Professional Practice of Internal Auditing.

b. The IIA’s Code of Ethics.

c. Both the Standards and The IIA's Code of Ethics.

d. None of the above.

14
CIA Part 1 Mock Exam

60. An internal auditor suspects that the company’s financial statements are misstated; however, the in-
ternal auditor does not have conclusive evidence to prove his suspicion. The internal auditor has failed
to exercise due professional care if he:

a. Identified potential ways in which a misstatement could occur and ranked the items for investigation.

b. Did not test for possible misstatement because the engagement work program had already been ap-
proved by engagement management.

c. Informed the engagement manager of the suspicions and asked for advice on how to proceed.

d. Expanded the engagement work program without the engagement client's approval to address the
highest-ranked ways in which a misstatement may have occurred.

61. Quality program assessments may be performed internally or externally. A distinguishing feature of an
external assessment is its objective to:

a. Provide independent assurance.

b. Set forth the recommendations for improvement.

c. Determine whether internal auditing services meet professional standards.

d. Identify tasks that can be performed better.

62. External assessment of an internal audit activity is not likely to evaluate:

a. The tools and techniques employed by the internal audit activity.

b. Detailed cost-benefit analysis of the internal audit activity.

c. Compliance with the Standards for the International Professional Practice of Internal Auditing.

d. Adherence to the internal audit activity’s charter.

63. You were appointed the chief audit executive (CAE) of an organization one week ago. An engagement
client has come to you complaining vigorously that one of your internal auditors is taking up an excessive
amount of the client’s time on an engagement that seems to be lacking a clear purpose. In handling this
conflict with the client, you should consider:

a. Promising the client that you will have the internal auditor finish the work within 1 week.

b. Whether existing procedures within the internal audit activity provide for proper planning and quality
assurance.

c. Presenting an immediate defense of the internal auditor based upon currently-known facts.

d. Discounting what is said, but documenting the complaint.

64. Periodic external assessments of an internal audit activity's quality assurance and improvement program
should be undertaken. On completion of such an assessment, a formal report or other communication
should be issued expressing an opinion as to the:

a. Adequacy of internal control.

b. Effectiveness of the internal auditing coverage.

c. Conformance with the internal audit activity's charter.

d. Internal audit activity's compliance with the Standards.

15
CIA Part 1 Mock Exam

65. Assessments of the performance of the organization’s external auditors should:

a. Be carried out only when the external auditor is appointed.

b. Not include any participation by the internal audit activity.

c. Include the internal audit activity only when the external auditor is appointed.

d. Include the internal audit activity at the time of the appointment and regularly thereafter.

66. The interpretation related to quality assurance given by the Standards is that:

a. The IAA is primarily measured against the IIA’s Code of Ethics.

b. External assessments can provide senior management and the board with independent assurance about
the quality of the IAA.

c. Continuous supervision is limited to the planning, examination, evaluation, communication, and follow-
up process.

d. Appropriate follow-up to an external assessment is the responsibility of the chief audit executive's im-
mediate supervisor.

67. Which of the following persons might be considered when conducting a periodic external review of the
IAA in an organization’s regional office?

I. An auditor from headquarters.

II. An internal audit “peer” from another organization’s IAA.

III. A tax consultant who has no audit experience but will review only technical matters related to tax audits.

IV. An external chartered accountant with internal auditing experience who has been an external auditor of
the organization’s external financial reports.

a. I and II only.

b. II and III only.

c. I, II, III and IV.

d. I, II and IV only.

68. Procedures describing how the supervisory review of staff auditors will be accomplished should be fully
documented so that the internal audit activity will:

a. Have a basis for promotions, pay raises, or disciplinary actions, if required.

b. Have substantiation of its quality program.

c. Comply with the Standards.

d. Have a consistent framework for evaluating staff performance.

16
CIA Part 1 Mock Exam

69. An internal audit activity is currently undergoing its first external quality assurance review since its
formation three years ago. From interviews, the review team is informed of certain internal auditor
activities over the past year. Which of the following activities could affect the quality assurance review
team's evaluation of the objectivity of the internal auditors?

a. One internal auditor told the review team that, during an engagement to review the payroll function,
he was approached by the payroll manager who indicated that he was looking for an accountant to
prepare his financial statements for his part-time business. The internal auditor agreed to perform this
work for a reduced fee during non-work hours.

b. During an engagement to review the construction of a building addition to the organization's headquar-
ters, the vice president of facilities management gave the internal auditor a commemorative mug with
the organization's logo. These mugs were distributed to all employees present at the ground-breaking
ceremony.

c. After reviewing the installation of a data processing system, the internal auditor made recommendations
on standards of control. Three months after completion of the engagement, the engagement client
requested the internal auditor's review of certain procedures for adequacy. The internal auditor agreed
and performed this review.

d. An internal auditor's participation was requested on a task force to reduce the organization's inventory
losses from theft and shrinkage. This is the first consulting assignment undertaken by the internal audit
activity. The internal auditor's role is to advise the task force on appropriate control techniques.

70. The Institute of Internal Auditing developed a position paper titled The Three Lines of Defense in Effec-
tive Risk Management and Control. Which of the following best describes the purpose of the paper?

a. To provide a simple and effective way to enhance communications on risk management and control.

b. To lay out the functions of the audit committee.

c. To describe the monitoring functions of the internal audit activity.

d. A means of alerting operational management to emerging issues and changing regulatory and risk
scenarios.

71. Which of the following best describes organizational governance?

a. Organizational governance is the way in which companies are planned and directed.

b. Organizational governance is the combination of processes and structures implemented by the board to
inform, direct, manage, and monitor the achievement of its objectives.

c. Organizational governance entails tracking and minimizing control deficiencies.

d. Organizational governance processes are rules-based instead of principles-based.

72. An internal auditor should play a vital role in the assessment and improvement of a company’s govern-
ance process. Internal auditing’s role would include all of the following except:

a. Reviewing existing governance-related documentation.

b. Developing the audit plan.

c. Reporting violations to outside authorities.

d. Executing the approved audit plan.

17
CIA Part 1 Mock Exam

73. A company’s control environment is the foundation of an effective system of internal control. Which of
the following is not a component of a company’s control environment?

a. Management philosophy and operating style.

b. Integrity and ethical values.

c. Formulate business objectives.

d. Competence of personnel.

74. Which of the following represents the best governance structure?

Executive Management Board and Audit Committee Internal Auditing

a. Responsibility for risk Oversight role Advisory role

b. Oversight role Responsibility for risk Advisory role

c. Responsibility for risk Advisory role Oversight role

d. Oversight role Advisory role Responsibility for risk

75. Internal auditors can play an important role in assessing the ethical climate of an organization. Methods
to assess an organization’s ethical climate include all of the following except:
a. Reviewing ethics-related policies and processes.
b. Conducting an ethics-related survey.
c. Facilitating an ethics-related training program.
d. Conducting audits of specific ethics-related functions.

76. Corporate Social Responsibility (CRS) recognizes that:

a. Companies have a responsibility for their impact on society and the environment.

b. The natural environment is every organization’s primary focus.

c. Human rights are enforced by national governments.

d. Companies must pay equal attention to the interest of shareholders.

77. One of the biggest challenges with corporate social responsibility (CSR) is:

a. Identifying the different groups that have a legitimate interest in the corporation.

b. Deciding what information to report.

c. Identifying the financial issues that concern stakeholders.

d. Deciding the role of internal auditing in CSR.

18
CIA Part 1 Mock Exam

78. Which of the following would not be a criticism of CSR?

a. It is too costly.

b. There is a lack of clarity of the concept of CSR.

c. It can lead to enhanced brand reputation.

d. Profit wins over principles.

79. The IAA’s role in an organization’s risk management process can, and often does, change over time.
The IAA’s role within an organization may encompass all of the following except:
a. Auditing the risk management process as part of the internal audit plan.
b. Managing and coordinating the risk of a business operation.
c. Providing continuous support and involvement in the risk management process, such as monitoring
activities, providing status reports, and participating on an oversight committee.
d. No role.

80. Which of the following statements is most accurate concerning inherent risk?

a. Management can eliminate inherent risk by taking mitigating actions.

b. Inherent risk is the level of risk that remains after management has taken actions to mitigate the risk.

c. Inherent risk results in greater losses than operational risk.

d. None of the above.

81. A company’s board of directors is concerned that a new children’s toy is not as safe as it should
be. The board is concerned that if word gets out that the toy is not safe, the reputation of the
company could suffer. The board’s concern has to do with:

a. Financial risk.

b. Operating risk.

c. Strategic risk.

d. Hazard risk.

82. The first step in the risk management process is the identification of risks. Risk events can be either
internal or external. Which of the following would be an internal risk event?

a. The loss of key employees.

b. New regulations.

c. Changing demographics.

d. Rising inflation.

19
CIA Part 1 Mock Exam

83. Which of the following is not a technique for identifying risks?

a. Conducting a brainstorming session.

b. Performing variable sampling.

c. Conducting scenario analysis.

d. Analyzing feedback from risk questionnaires and risk surveys.

84. It is common for insurance policies to include a deductible clause, which means that the insured party
will have to pay some portion of the repair or replacement. The amount paid by the insured party is
referred to as what type of risk?

a. Operational risk.

b. Inherent risk.

c. Residual risk.

d. Transactional risk.

85. There are four general terms used to express the measurement of potential loss that could occur from
a specific risk. The difference between expected loss and unexpected loss is:

a. Expected loss is the maximum potential loss that could occur, whereas unexpected loss is the mini-
mum potential loss.

b. Expected loss is the loss that management expects to be lost during the period, whereas unexpected
loss is the loss that management thinks could be lost in excess of the budgeted amount.

c. Expected loss is the loss that management expects to occur during the period, whereas unexpected
loss is the worst-case scenario loss.

d. Expected loss is the loss that is expected to occur during the short-term, whereas unexpected loss is
the loss that is expected to occur during the long term.

86. Value at Risk (VaR) is a quantitative risk assessment tool used by financial managers for all of the fol-
lowing reasons except:

a. To measure and control the level of risk that the firm undertakes.

b. To measure and control a firm’s fat-tailed distribution.

c. To give management a level of confidence that the loss level will not be exceeded during a certain pe-
riod of time.

d. To ensure that risks are not taken beyond the firm’s ability to absorb the losses of a probable worst
outcome.

87. It is possible for some risks to be negatively correlated with one another. When this situation occurs
the best course of action is to:

a. Off-set the risk.

b. Put in place additional controls to mitigate the risk.

c. Devise a hedging strategy.

d. Do nothing.

20
CIA Part 1 Mock Exam

88. The risk management process includes all of the following except:

a. Risk monitoring and control.

b. Risk avoidance.

c. Risk response planning.

d. Risk assessment.

89. A risk response that entails eliminating the threat of the risk is referred to as:

a. Risk mitigation.

b. Risk deflection.

c. Risk avoidance.

d. Residual risk.

90. A firm has a valuable project that has many hazards that could potentially cause bodily injury. Given
the nature of the project, there is no way to avoid the potential risk for damages. To deflect the risk,
the project manager should consider:

a. Eliminating the project.

b. Taking out insurance to cover the potential for bodily injury.

c. Establish a contingency fund.

d. Accepting the risk.

91. Risk appetite is the level of risk that an organization is willing to pursue, retain, or take. Factors that
could influence an organization’s risk appetite might include:

a. Viewpoints of the major stakeholders.

b. The complexity of the organization’s accounting system.

c. External factors, such as changing economic considerations, changes in technology, changes in the
industry, etc.

d. All of the above.

92. Enterprise risk management (ERM):

a. Guarantees achievement of organizational objectives.

b. Requires establishment of risk and control activities by internal auditors.

c. Involves the identification of events with negative impacts on organizational objectives.

d. Includes selection of the best risk response for the organization.

21
CIA Part 1 Mock Exam

93. ERM is a risk management program that is used to assist management in the achievement of its ob-
jectives. The benefits of establishing an ERM process include all of the following except:

a. Determining the firm’s risk appetite.

b. Identifying potential risk events.

c. Improving the ability of the firm to act on opportunities.

d. Improving the utilization of capital and the resources of the company.

94. The development of a strategic plan is intended to increase a company’s long-term performance.
Which of the following would most likely not be a strategic objective?

a. Financial growth.

b. Improved customer satisfaction.

c. Product innovation.

d. Administrative cost cutting.

95. The ERM model has five components. Under which component would the company identify specific risk
events?

a. Governance and Culture.

b. Strategy and Objective-setting.

c. Control Activities.

d. Performance.

96. There are numerous benefits to implementing a well-developed ERM system. These benefits include:

I. The entity will anticipate every risk that could result in a loss.

II. Better alignment of strategy with risk appetite.

III. Better resource deployment.

IV. All unknown risks will become known.

a. I and II only.

b. II and III only.

c. III and IV only.

d. II and IV only.

97. Concerning ERM, which of the following is not a role that internal auditing should undertake?

a. Giving assurance on the risk management processes.

b. Developing a risk management strategy for board approval.

c. Setting the risk appetite.

d. Coordinating ERM activities.

22
CIA Part 1 Mock Exam

98. Which of the following is not implied by the definition of control?

a. Measurement of progress toward goals.

b. Uncovering of deviations from plans.

c. Assignment of responsibility for deviations.

d. Indication of the need for corrective action.

99. Controls should be designed to ensure that:

a. Operations are performed efficiently.

b. Management’s plans have not been circumvented by worker collusion.

c. The IAA’s guidance and oversight of management’s performance is accomplished economically and
efficiently.

d. Management’s planning, organizing, and directing processes are properly evaluated.

100. Which of the following is true regarding the difference between corporate-level and operational-level
controls?

a. Corporate-level controls are mostly automated, whereas operational-level controls are mostly manual.

b. Operational-level controls include both manual and automated controls, whereas corporate–level con-
trols are mostly manual and include general policy statements that concern ethics and corporate val-
ues.

c. Corporate-level controls are mostly manual, whereas operational-level controls are mostly automated,
consisting of complying with specific control procedures and making sure financial information is accu-
rate and complete.

d. Operational-level controls include both manual and automated controls, whereas corporate-level con-
trols are mostly manual and encompass planning and performance monitoring, the system of ac-
countability to superiors, and risk evaluation.

101. Which of the following types of controls is often difficult to evaluate because they may lack established
criteria or standards?

a. Operating controls.

b. Financial controls.

c. Directive controls.

d. Preventive controls.

102. Which of the following is not a preventive control?

a. The general ledger master file is locked in a safe each night.

b. All bills are marked “Paid” to prevent duplicate payment.

c. The accounts receivable subsidiary ledger is reconciled against the general ledger accounts receivable
control total.

d. Customer numbers are verified by the computer before a sales order is accepted to ensure the sales
order is from an established company.

23
CIA Part 1 Mock Exam

103. The control process can be divided into feedforward, concurrent, and feedback controls. Which of the
following is a concurrent control?

a. Product quality control training.

b. Online activity monitoring.

c. Raw materials variance analysis.

d. 90-day cash budgeting.

104. Which of the following is an example of an effectiveness measure?

a. The rate of absenteeism.

b. The goal of becoming a leading manufacturer.

c. The number of insurance claims processed per day.

d. The rate of customer complaints.

105. Budgets are generally classified as both planning documents and control devices. An important differ-
ence between the budget planning information needed and the budget control information needed is
that planning information is more:

a. Likely to be generated using external data.

b. Detailed.

c. Likely to be quantifiable.

d. Likely to be accurate.

106. Which of the following exemplifies an inherent limitation of internal control?

a. A controller makes and records cash deposits.

b. A security guard allows a warehouse employee to remove company property from the premises without
authorization.

c. The company sells to customers on credit without proper credit approval.

d. An employee who is unable to read is assigned custody of the company’s tape library and run manuals.

24
CIA Part 1 Mock Exam

107. The following are steps in a typical control process.

1) Select the times or points at which to collect information about the activities that are being meas-
ured and controlled.

2) Set the standards.

3) Observe the process, or collect the samples.

4) Report any significant deviations or problems.

5) Review and revise the standards.

6) Record the information that was collected.

7) Implement whatever corrections to the system or processes are necessary.

8) Evaluate if the performance is satisfactory.

What is the correct order of these steps?

a. 2, 1, 6, 3, 8, 7, 4, 5.

b. 1, 2, 3, 6, 5, 7, 8, 4.

c. 2, 1, 3, 6, 8, 4, 7, 5.

d. 1, 3, 2, 6, 7, 5, 8, 4.

108. An internal auditor was evaluating the company’s application controls over financial reporting. Which
of the following would not be an application control objective?

a. Input data is accurate, complete, authorized, and correct.

b. Data is processed as intended in an acceptable time period.

c. Outputs are accurate and complete.

d. Only authorized personnel are able to access information in the network.

109. A control likely to prevent purchasing agents from favoring specific suppliers is:

a. Requiring management's review of a monthly report of the totals spent by each buyer.

b. Requiring buyers to adhere to detailed material specifications.

c. Rotating buyer assignments periodically.

d. Monitoring the number of orders placed by each buyer.

110. The results of an audit of cash controls indicated that the bookkeeper signed expense checks and rec-
onciled the checking account. If the cash account reconciliations were current and no cash shortages
were found, an internal auditor should conclude that the system of internal controls over:

a. Recording of cash receipts is adequate.

b. Accounting for cash is inadequate.

c. Reconciliations of the cash account are adequate.

d. Physical safeguards of cash are adequate.

25
CIA Part 1 Mock Exam

111. Which of the following is a control weakness rather than a control strength with regards to the payroll
clerk? The payroll clerk:

a. Has custody of the check signature stamp.

b. Prepares the payroll register.

c. Forwards the payroll register to the chief accountant for approval.

d. Draws the paychecks on a separate payroll checking account.

112. Which of the following situations would cause an internal auditor to question the adequacy of controls
over a purchasing function?

a. The original and one copy of the purchase order are mailed to the vendor. The copy on which the vendor
acknowledges acceptance is returned to the purchasing department.

b. Receiving reports are forwarded to purchasing where they are matched with the purchase orders and
sent to accounts payable.

c. The accounts payable department prepares documentation for payments.

d. Unpaid voucher files and perpetual inventory records are independently maintained.

113. Proper segregation of duties reduces the opportunities in which a person could both:

a. Establish controls and execute them.

b. Designs the controls and monitor them.

c. Perpetrate errors and frauds and conceal them.

d. Record transactions in the accounting journal and general ledger.

114. Internal auditors use the COSO model to evaluate the strength of a company’s internal control system
over financial reporting. Which of the following is not a core principle of the control environment?

a. Having a commitment to financial reporting competence.

b. Having the right management philosophy and operating style.

c. Having the right human resource policies and procedures.

d. Determining the company’s financial reporting objectives.

115. An effective control system should have all of the following characteristics except:

a. The control system should actually reflect what the organization is trying to measure and control.

b. The control system must be understandable by all persons using the system.

c. The organization saves less than the cost of the control.

d. The information provided by the control system must be available in a timely manner.

26
CIA Part 1 Mock Exam

116. Which of the following actions can help reduce the ability of an individual to rationalize fraud?

a. Having a strong human resource department and strong personnel policies.

b. Having a strong internal control system.

c. Ethics training and a principled corporate culture.

d. Having a drug or gambling problem.

117. Which of the following are examples of fraud that would not benefit an organization?

a. Intentional/improper transfer pricing.

b. Tax fraud.

c. Claims submitted for services or goods not actually provided to the organization.

d. Sale or assignment of fictitious or misrepresented assets.

118. Which of the following best describes an auditor's responsibility after noting indicators of fraud?

a. Expand audit activities to determine whether an investigation is warranted.

b. Report the possibility of fraud to top management and ask how to proceed.

c. Consult with external legal counsel to determine the course of action to be taken.

d. Report the matter to the audit committee and request funding for outside specialists to help investigate
the possible fraud.

The following information is for questions 119 and 120.

The manager of a production line has the authority to order and receive replacement parts for all machinery
that requires periodic maintenance. The internal auditor received an anonymous tip that the manager ordered
substantially more parts than were necessary from a family member in the parts supply business. The un-
needed parts were never delivered. Instead, the manager processed receiving documents and charged the
parts to machinery maintenance accounts. The payments for the undelivered parts were sent to the supplier,
and the money was divided between the manager and the family member.

119. Which of the following internal controls would most likely have prevented this fraud from occurring?

a. Establishing predefined spending levels for all vendors during the bidding process.

b. Segregating the receiving function from the authorization of parts purchases.

c. Comparing the bill of lading for replacement parts to the approved purchase order.

d. Using the company’s inventory system to match quantities requested with quantities received.

120. Which of the following tests would best assist the auditor in deciding whether to investigate this anon-
ymous tip further?

a. Comparison of the current quarter’s maintenance expense with prior-period activity.

b. Physical inventory testing of replacement parts for existence and valuation.

c. Analysis of repair parts charged to maintenance to review the reasonableness of the number of items
replaced.

d. Review of a test sample of parts invoices for proper authorization and receipt.

27
CIA Part 1 Mock Exam

121. Which of the following fraudulent entries is most likely to be made to conceal the theft of an asset?

a. Debit expenses and credit the asset.

b. Debit the asset and credit another asset account.

c. Debit revenue and credit the asset.

d. Debit another asset account and credit the asset.

122. Which of the following would not be considered a condition that indicates a higher likelihood of fraud?

a. Management has delegated the authority to make purchases under a certain dollar limit to subordinates.

b. An individual has held the same cash-handling job for an extended period without any rotation of duties.

c. Individual handling marketable securities is responsible for making the purchases, recording the pur-
chases, and reporting any discrepancies and gains/losses to senior management.

d. The assignment of responsibility and accountability in the accounts receivable department is not clear.

123. Which of the following statements is (are) true regarding the prevention of fraud?

I. The primary means of preventing fraud is through internal controls established and maintained by
management.

II. Internal auditors are responsible for assisting in the prevention of fraud by examining and evaluating
the adequacy of the internal control system.

III. Internal auditors should assess the operating effectiveness of fraud-related communication systems.

a. I only.

b. II only.

c. I and II only.

d. I, II and III.

124. Internal auditors are more likely to detect fraud by developing and strengthening their ability to:

a. Recognize and question changes that occur in organizations.

b. Interrogate fraud perpetrators to discover why fraud was committed.

c. Develop internal controls to prevent the occurrence of fraud.

d. Document computerized operating systems.

125. In some cases of fraud, it is necessary to use the services of a forensic auditor. Which of the following
is generally not a type of investigation that is conducted by forensic auditors?

a. Deliberate falsification of accounting records.

b. Management compensation.

c. Acts of extortion.

d. Theft of company assets.

28