CIA (Certified Internal Auditor): Practice Questions
Original concept-check questions across the CIA syllabus: Part 1 Essentials of Internal Auditing, Part 2 Practice of Internal Auditing and Part 3 Business Knowledge for Internal Auditing. Each answer is explained, including why the other options are wrong. These test understanding of public concepts, not real exam questions. The CIA is a credential from the Institute of Internal Auditors, not an intelligence agency.
- The primary purpose of internal auditing is to:
- Correct answer: C. Internal auditing adds value by providing independent, objective assurance and consulting on governance, risk and control. It does not prepare the financial statements (management does), does not replace the external auditor (who gives an opinion to shareholders), and cannot guarantee profitability.
- Independence of the internal audit activity is best supported by:
- Correct answer: A. Functional reporting to the board or audit committee protects the audit activity's independence from management pressure. Reviewing your own past work, reporting only to the audited managers, or letting operational staff control the plan all create threats to independence and objectivity.
- The difference between objectivity and independence is that objectivity is:
- Correct answer: B. Objectivity is the individual auditor's unbiased mental attitude, while independence is the audit activity's freedom from conditions that threaten its ability to carry out its responsibilities. They are not reversed (objectivity is not a reporting line), both apply to internal auditors, and both are distinct from competence, which is about skills.
- Due professional care means an internal auditor should:
- Correct answer: D. Due professional care is the care and skill expected of a reasonably prudent, competent internal auditor. It does not require examining every transaction or guaranteeing that no fraud exists, since audits give reasonable, not absolute, assurance. Acting only on the auditee's instructions would compromise objectivity.
- A quality assurance and improvement programme (QAIP) for internal audit primarily aims to:
- Correct answer: A. A QAIP evaluates conformance with professional standards and the audit activity's overall effectiveness, through internal and external assessments. It does not move the share price, replace the external audit, or set risk appetite, which is a board and management responsibility.
- Inherent risk is best described as the risk:
- Correct answer: C. Inherent risk is the risk that exists before considering any controls. Risk remaining after controls is residual risk, the risk of a wrong opinion is broadly audit/detection risk, and inherent risk is never assumed to be zero.
- In the Three Lines model, the internal audit function typically represents:
- Correct answer: B. Internal audit provides independent assurance to the governing body in the Three Lines model. The first line owns and manages risk in operations, the external regulator sits outside the model, and marketing is an operational (first-line) activity, so none of those is internal audit's role.
- Reasonable assurance provided by internal audit means:
- Correct answer: D. Reasonable assurance is a high but not absolute level, reflecting inherent limitations such as sampling, judgement and the possibility of collusion. It is not a guarantee that controls never fail, not zero assurance, and not limited to cash.
- Segregation of duties is an internal control that works by:
- Correct answer: A. Segregation of duties divides authorisation, recording and custody of assets so no one person controls an entire transaction, reducing fraud and error risk. Concentrating all steps in one person is the weakness it prevents, and annual recording or identical tasks for all do not describe the control.
- When internal audit detects a red flag of possible fraud, the auditor should generally:
- Correct answer: C. The auditor evaluates the indicators with professional scepticism and, where warranted, escalates following the organisation's protocol while preserving evidence. Publicly accusing someone, ignoring non-cash red flags, or concluding fraud is certain are all inappropriate responses to mere indicators.
- Governance, in the internal audit context, is best described as:
- Correct answer: D. Governance is the combination of processes and structures by which an organisation is directed, managed and held accountable. It is not the external auditor's work alone, not tax-return preparation, and not an inventory-valuation method, which are unrelated technical tasks.
- The internal audit charter primarily:
- Correct answer: B. The internal audit charter is a formal document that defines the activity's purpose, authority and responsibility, approved by the board. It does not set product prices, list salaries, or replace the risk register, which records and tracks risks.
- A risk-based audit plan is one that:
- Correct answer: A. A risk-based plan allocates audit effort to the areas of highest assessed risk to the organisation's objectives. Alphabetical order, auditing the same areas regardless of risk, or letting auditees decide the plan all ignore the risk-prioritisation principle.
- During engagement planning, establishing the engagement objectives and scope is important because it:
- Correct answer: C. Objectives and scope define what the engagement will and will not address and keep the work focused on the relevant risks and controls. They do not guarantee a clean opinion, replace fieldwork, or set the auditee's operating budget.
- Audit evidence should be sufficient and appropriate. 'Sufficient' refers mainly to the:
- Correct answer: D. Sufficiency is about quantity: having enough evidence to support the engagement conclusions. Appropriateness, separately, covers relevance and reliability (quality). Cost and the auditor's seniority are not what 'sufficient' measures.
- A working paper in an audit engagement primarily serves to:
- Correct answer: B. Working papers document the procedures performed, the evidence obtained and the basis for conclusions, supporting the report and allowing review. They are not advertising, do not replace the final report, and do not record the auditee's marketing plan.
- An audit finding is normally structured around condition, criteria, cause and effect. The 'criteria' element is:
- Correct answer: A. Criteria are the standards, policies or expectations the situation is measured against. The condition is what was actually observed, the cause is why it happened, and the effect is the impact, so those are the other three elements, not the criteria.
- Communicating engagement results to management is most effective when the report is:
- Correct answer: C. Effective audit communications are accurate, objective, clear, concise, constructive, complete and timely. Verbal-only with no record, long delays after fieldwork, or jargon for its own sake all reduce the report's usefulness and credibility.
- Follow-up on audit findings is performed to:
- Correct answer: B. Follow-up confirms that management has implemented adequate action, or that senior management has accepted the risk of not acting. It is not about punishing managers, repeating the whole audit, or closing the file without verification.
- When management decides to accept a risk rather than act on an audit finding, the chief audit executive should:
- Correct answer: D. If the CAE believes management has accepted a level of risk that may be unacceptable to the organisation, the matter should be discussed and, if unresolved, communicated to the board. The CAE does not override management's decisions, resign reflexively, or delete the finding.
- Analytical procedures in an audit involve:
- Correct answer: A. Analytical procedures evaluate information by studying plausible relationships among data and comparing actual results to expectations, highlighting unusual items for further work. Counting cash is a specific substantive test, and customer marketing interviews or reading advertising are not analytical procedures.
- Sampling is used in audit testing mainly because:
- Correct answer: C. Sampling is used because examining every item is often impractical or uneconomic, yet a well-designed sample provides sufficient appropriate evidence. It is not inherently more accurate than full testing, not legally required, and not about the department's image.
- Working capital is calculated as:
- Correct answer: D. Working capital is current assets minus current liabilities, a measure of short-term liquidity. Total assets minus total liabilities is net assets/equity, revenue minus expenses is profit, and fixed assets plus equity is not a standard measure.
- In information security, the 'CIA triad' (in an IT context) stands for:
- Correct answer: A. In information security the CIA triad means Confidentiality, Integrity and Availability, the three core goals of protecting information. The other expansions are invented and are not the recognised security triad. (Note this is unrelated to the Certified Internal Auditor credential, which shares the same letters.)
- A general IT control, as opposed to an application control, is best illustrated by:
- Correct answer: D. General IT controls, such as access management and change control, apply across the whole IT environment. The invoice-total check, customer-code validation and date range check are application controls embedded in a specific program's processing of data.
- The break-even point in cost-volume-profit analysis is where:
- Correct answer: B. Break-even is where total revenue equals total costs, so profit is zero. Maximum profit occurs well beyond break-even, and zero revenue or zero fixed costs are not the definition.
- A SWOT analysis used in strategic planning examines:
- Correct answer: C. SWOT stands for Strengths, Weaknesses, Opportunities and Threats, pairing internal factors with external ones. The other expansions are invented and are not what the SWOT acronym means.
- A disaster recovery plan in IT primarily aims to:
- Correct answer: C. A disaster recovery plan sets out how to restore IT systems and data after a disruption within acceptable recovery objectives. It does not drive sales, remove the need for backups (which it depends on), or replace internal audit.
- A leader using a participative (democratic) style mainly:
- Correct answer: A. A participative leader involves team members in decision-making while keeping final accountability for the outcome. Deciding alone with no input is autocratic, avoiding decisions is a vacuum of leadership, and delegating total control with no review is extreme laissez-faire, so none describes the participative style.
- The audit committee of the board contributes to internal audit's effectiveness mainly by:
- Correct answer: B. The audit committee provides governance oversight and a functional reporting line for the chief audit executive, which protects internal audit's independence. It does not perform the fieldwork, set product prices, or prepare the financial statements, which is management's job.
- The professional guidance that sets out the requirements and expectations for the internal audit profession is currently issued by The IIA as the:
- Correct answer: A. The IIA's Global Internal Audit Standards provide the authoritative guidance for the internal audit profession. GAAP and IFRS are accounting frameworks, and Sarbanes-Oxley is US legislation, not the internal audit standards.
- A core principle of internal auditing is that the activity should be:
- Correct answer: C. Internal auditing must be objective and independent, free from undue influence, to be credible. Being controlled by audited operations destroys independence, the scope is broader than financial statements, and the activity is not limited to a single department.
- The chief audit executive (CAE) should report functionally to:
- Correct answer: B. Functional reporting to the board or audit committee supports the audit activity's independence and authority. Reporting to an audited department head, the external auditor, or a junior committee would undermine independence and standing.
- An impairment to independence or objectivity that arises must be:
- Correct answer: D. Any impairment to independence or objectivity, whether in fact or appearance, must be disclosed to the appropriate parties. Concealing it, ignoring small engagements, or leaving resolution to the audited manager would breach professional requirements.
- An internal auditor who previously managed a process should generally not audit that same process for a period because of:
- Correct answer: A. Auditing one's own recent work is a self-review threat to objectivity, so a cooling-off period is appropriate. The concern is objectivity, not technical skill, budget, or staffing levels.
- Consulting services provided by internal audit are best described as:
- Correct answer: C. Consulting (advisory) services are intended to add value and improve operations, with the nature and scope agreed with the engagement client. They are not mandatory assurance opinions, external audit opinions, or tax preparation.
- The internal audit activity's purpose, authority and responsibility are formally established in the:
- Correct answer: B. The internal audit charter, approved by the board, formally defines purpose, authority and responsibility. A marketing plan, budget, or employee handbook serve other functions and do not establish the audit mandate.
- Residual risk is the risk that remains:
- Correct answer: D. Residual risk is what remains after management's risk responses and controls are applied; inherent risk is the level before controls. It is not confined to financial accounts or relevant only to external auditors.
- A control that detects an error after it has occurred, such as a bank reconciliation, is a:
- Correct answer: A. A reconciliation that finds errors after the fact is a detective control. A preventive control stops errors beforehand, a directive control encourages a desired outcome, and no control prevents all fraud.
- Within the Three Lines model, management control and internal control measures are primarily the responsibility of the:
- Correct answer: C. Operational management forms the first line, owning and managing risks and controls day to day. Internal audit is the third line providing assurance, the regulator sits outside the model, and the audit committee provides governance oversight, not first-line control.
- A fraud risk that internal audit should consider includes the risk of:
- Correct answer: B. Management override of controls is a key fraud risk because senior staff can bypass otherwise effective controls. Strong segregation of duties, effective oversight, and accurate reporting are control strengths, not fraud risks.
- The quality assurance and improvement program requires external assessments to be performed at least:
- Correct answer: D. An external assessment of the internal audit activity must generally be conducted at least once every five years by a qualified, independent assessor. Never, daily, or only at a sale do not reflect the requirement.
- Internal control, as commonly defined, is a process designed to provide reasonable assurance regarding the achievement of objectives in:
- Correct answer: A. Internal control aims to provide reasonable assurance over operations, reporting and compliance objectives. It is not limited to marketing, the share price, or hiring.
- Objectivity for an internal auditor is best preserved by:
- Correct answer: C. Objectivity is preserved by avoiding conflicts of interest and not subordinating professional judgment to others. Accepting significant gifts, letting the auditee write the report, or auditing friends all threaten objectivity.
- Governance, risk management and control are sometimes called the focus areas of internal audit because internal audit:
- Correct answer: B. Internal audit evaluates and contributes to improving governance, risk management and control processes. It does not set strategy, own the risks (management does), or replace the board.
- The annual internal audit plan should be based primarily on:
- Correct answer: D. The audit plan should flow from a documented risk assessment so effort targets the highest risks to objectives. Personal preferences, alphabetical order, and department size alone are not sound bases for the plan.
- Engagement objectives for an assurance engagement should:
- Correct answer: A. Engagement objectives should address the risks and controls relevant to the activity under review, guiding the work. They should be clearly defined, are not limited to marketing, and are set by the auditor, informed by but not dictated solely by the auditee.
- A preliminary risk assessment performed during engagement planning helps the auditor to:
- Correct answer: C. A planning-stage risk assessment identifies significant risks so resources focus on the most important areas. It does not let the auditor skip fieldwork, guarantee a clean result, or set salaries.
- Audit evidence is considered 'appropriate' when it is:
- Correct answer: B. Appropriateness concerns the quality of evidence: its relevance and reliability. Quantity relates to sufficiency, cost is not a measure of appropriateness, and reliability generally favors documented over purely verbal evidence.
- Evidence obtained directly by the auditor through observation or recalculation is generally:
- Correct answer: D. Evidence the auditor obtains directly, such as by observation or recalculation, is generally more reliable than indirect or second-hand evidence. It is not less reliable than hearsay, is usable, and is relevant to internal auditors.
- An audit observation's 'effect' element describes:
- Correct answer: A. The effect is the consequence or potential impact of the condition, helping convey significance. The criteria are the standard, the condition is what was found, and the cause is why it happened.
- When internal audit issues recommendations, management is generally responsible for:
- Correct answer: C. Management decides on and implements corrective actions in response to findings, or accepts the risk. Management should not ignore findings, audit itself for assurance purposes, or write the independent audit report.
- Engagement supervision is important mainly to ensure that:
- Correct answer: B. Supervision helps ensure engagement objectives are met, quality is maintained, and staff develop. It is not about auditee approval of every step, omitting documentation, or prolonging the audit.
- Before final distribution, communicating preliminary findings to management helps to:
- Correct answer: D. Discussing preliminary findings with management confirms factual accuracy and gathers their responses and planned actions. It does not allow deleting valid findings, avoid the report, or set the budget.
- The chief audit executive should share results of engagements with:
- Correct answer: A. Results should go to parties who can ensure they receive due consideration, typically senior management and the board. They are not shared with no one, with competitors, or routinely with the general public.
- A statistical sampling approach, compared with judgmental sampling, allows the auditor to:
- Correct answer: C. Statistical sampling lets the auditor quantify sampling risk and project sample results to the population. It does not avoid testing, guarantee no errors, or limit testing to the single largest item.
- Continuous auditing refers to:
- Correct answer: B. Continuous auditing uses technology to test controls and transactions frequently or in real time, improving timeliness. It is not a once-a-decade activity, does not skip documentation, and is not limited to manual sampling.
- When evaluating the adequacy of a control, the auditor first considers whether the control is:
- Correct answer: D. Control evaluation starts with whether the control is designed appropriately to address the relevant risk, then whether it operates effectively. Staff preference, cost, and being the newest technology are not the primary design criteria.
- A debt-to-equity ratio measures a company's:
- Correct answer: A. The debt-to-equity ratio measures financial leverage by comparing debt to equity financing. It is not a profitability, inventory, or market-share measure.
- The return on assets (ROA) ratio shows how efficiently a company:
- Correct answer: C. ROA (net income divided by total assets) shows how efficiently a company generates profit from its assets. It does not measure supplier payments, hiring, or marketing.
- In project management, the critical path is the:
- Correct answer: B. The critical path is the longest sequence of dependent tasks, which sets the minimum time to complete the project. It is not the cheapest tasks, a single shortest task, or the marketing schedule.
- A firewall in information security is primarily used to:
- Correct answer: D. A firewall controls network traffic between trusted and untrusted networks based on rules. It is not a backup tool, not primarily an encryption mechanism, and not an employee-training method.
- Encryption protects data confidentiality by:
- Correct answer: A. Encryption converts data into an unreadable form that requires the proper key to decrypt, protecting confidentiality. It does not delete, print, or publicly share the data.
- A change management control in IT is designed to ensure that:
- Correct answer: C. Change management ensures system changes are authorized, tested and documented before going into production, reducing risk. Allowing anyone to change systems, skipping backups, or sharing passwords are weaknesses, not the control.
- The economic concept of price elasticity of demand measures how:
- Correct answer: B. Price elasticity of demand measures the responsiveness of quantity demanded to a change in price. It does not measure production speed, headcount, or profitability.
- A company's cost of capital is relevant to internal audit's understanding of:
- Correct answer: D. The cost of capital is the minimum return investments must earn to create value, informing capital decisions audit may review. Logo color, lunch menus, and cleaning schedules are unrelated.
- Access controls based on the principle of least privilege mean users are granted:
- Correct answer: A. Least privilege grants users only the access needed to perform their duties, limiting risk. Granting all access for convenience, no access at all, or unrelated executive access do not reflect the principle.
- A budget variance in management accounting is the difference between:
- Correct answer: C. A budget variance compares budgeted amounts with actual results to highlight differences for investigation. It is not a comparison of competitors' prices, distant historical years, or revenue versus share price.
- Outsourcing a business process introduces a risk that internal audit should consider, namely:
- Correct answer: B. Outsourcing reduces direct control over the activity and creates reliance on the provider, a risk to manage through contracts and monitoring. It does not automatically improve control, guarantee savings with no downside, or eliminate all risk.
- Data analytics applied in internal audit can help the auditor to:
- Correct answer: D. Data analytics lets auditors test full populations and flag anomalies efficiently, focusing follow-up work. It does not remove the need to understand the business, replace judgment, or guarantee fraud detection.
- A service organization control (SOC) report is often used by internal audit to gain assurance about:
- Correct answer: A. A SOC report provides assurance about controls at a third-party service provider that are relevant to the user organization. It has nothing to do with the weather, a marketing slogan, or employee birthdays.
- A key feature of the agile approach to projects is:
- Correct answer: C. Agile emphasizes iterative delivery with frequent feedback and the ability to adapt. It is not a single end-of-project delivery, the absence of planning, or ignoring stakeholders.
- When relying on the work of another assurance provider, the chief audit executive should:
- Correct answer: B. Before relying on another provider's work, the CAE should assess their competence, objectivity and the adequacy of the work. Blind acceptance, always redoing everything, or ignoring the provider are not appropriate.
- Internal audit's role in an organization's fraud risk management is mainly to:
- Correct answer: D. Internal audit evaluates the potential for fraud and how the organization manages fraud risk, supporting controls and awareness. It does not personally prosecute all fraud, guarantee no fraud, or set the marketing budget.
- The risk appetite of an organization is best described as the:
- Correct answer: A. Risk appetite is the amount and type of risk an organization is willing to accept to meet its objectives, set by the board and management. It is not a single-year maximum loss, total assets, or an audit fee.
- Internal audit should remain free from interference in determining the scope of internal auditing because such interference is a(n):
- Correct answer: C. Interference in setting the audit scope is a scope limitation that impairs independence and should be reported to the board. It is not a practice to encourage, a routine feature, or a requirement of the standards.
- Whistleblower mechanisms, such as a confidential hotline, primarily help an organization by:
- Correct answer: B. A whistleblower hotline gives a confidential channel to report suspected misconduct, aiding fraud detection and governance. It is not an advertising tool, a replacement for internal audit, or a pricing mechanism.
- A business impact analysis (BIA) in continuity planning is used to:
- Correct answer: D. A business impact analysis identifies critical processes and the impact of disruption, informing recovery priorities and objectives. It is not a sales tool, a replacement for the audit charter, or a hiring method.
- The audit committee's review of the internal audit plan and budget supports internal audit's:
- Correct answer: A. Audit committee review of the plan and budget supports internal audit's independence and helps ensure adequate resources. It is unrelated to marketing reach, product pricing, or office decoration.
- The 'tone at the top' refers to the way that:
- Correct answer: B. Tone at the top is how leadership's attitudes and behavior set the organization's ethical climate, influencing the control environment. It is not about desk decoration, building construction, or shipping.
- An internal auditor who lacks the knowledge to perform part of an engagement should:
- Correct answer: D. If lacking the needed knowledge, the auditor should obtain competent advice and assistance, or decline that portion of the engagement. Proceeding regardless, hiding the limitation, or delegating to the auditee would compromise quality and objectivity.
- A control self-assessment (CSA) involves:
- Correct answer: B. Control self-assessment engages management and staff in assessing their own controls, frequently facilitated by internal audit. It is not audit working alone, the elimination of internal audit, or ignoring weaknesses.
Practice questions FAQ
- Are these real CIA exam questions?
- No. These are original study questions written to test understanding. They are not real exam questions, exam dumps, or copied from any provider.
- How should I use these practice questions?
- Answer each one, read the explanation (including why the wrong options are wrong), and use the per-domain score below to focus your revision on weak areas. Revisit before exam day.
- How many questions should I do before the exam?
- Enough to score consistently across every domain, alongside full-length practice from official or reputable providers. Understanding why each answer is right matters more than raw volume.
- What score means I am ready?
- A good signal is consistently scoring around 80% or higher across all domains on questions you have not seen before, and being able to explain why the wrong options are wrong.
- Should I use exam dumps?
- No. Dumps (real or leaked questions) breach provider policy, can void your certification, and do not build the understanding the exam actually tests.