Hock CIA P2 - Mock Exam
Hock CIA P2 - Mock Exam
Hock CIA P2 - Mock Exam
Preparatory Program
Part 2
Mock Exam
CIA Part 2 Mock Exam
Select a single answer that best completes the statement or answers the question.
1. The IAA is considered effectively managed in all of the following circumstances except:
a. Individuals who are part of the IAA provide only recommendations acceptable to management.
b. The work of the IAA achieves the purpose and responsibility included in its charter.
d. Individuals who are part of the IAA demonstrate conformance with the Code Ethics and the Standards.
2. IAA policies and procedures should be established to guide the IAA and the individual auditors in their
work. Which of the following statements is true with respect to this requirement?
a. A small IAA may be managed informally through close supervision and written memos.
b. The form and content of written policies and procedures should be the same for all IAAs.
3. A newly appointed CAE was reviewing the audit manual to make sure it was up-to-date and included
items of importance. Which of the following items would generally not be included in the audit manual?
4. The goals that the CAE sets for the IAA should:
IV. Be measurable.
b. II and IV only.
c. I and IV only.
1
CIA Part 2 Mock Exam
5. The most important reason for the CAE to ensure that the IAA has adequate and sufficient resources is
to:
6. The CAE has been given approval to hire someone for a new internal audit position. The CAE has to
decide whether to recruit the individual from within the organization or go outside the organization.
Which of the following is most likely not true concerning the recruitment from within the organiza-
tion?
a. Persons from within the organization are more likely to be familiar with company policies and proce-
dures.
d. Training costs would be higher because the internal employee would need more training for the job.
7. A senior internal auditor has been approached by the CAE to interview a potential candidate. The CAE
likes the candidate but would like a second opinion. During the interview process, the senior internal
auditor should not:
a. Ask open-ended questions, because they require more than a “yes” or “no” answer.
a. To communicate the internal audit activity’s plans and resource requirements to senior management
and the board for review and approval.
b. To coordinate with other internal and external providers of audit and consulting services to ensure
proper coverage and minimize duplication.
c. To oversee the establishment, administration, and assessment of the organization’s system of risk
management processes.
d. To follow up on whether appropriate management actions have been taken on significant reported
risks.
9. Which of the following is the best reason for the chief audit executive to consider the strategic plan in
developing the annual audit plan?
a. To ensure that the internal audit plan supports the overall business objectives.
b. To ensure that the internal audit plan will be approved by senior management.
During the planning phase, a CAE is evaluating four audit engagements based on the following factors: the
engagement’s ability to reduce risk to the organization, the engagement’s ability to save the organization
money, and the extent of change in the area since the last engagement. The CAE has scored the engage-
ments for each factor from low to high, assigned points, and calculated an overall ranking. The results are
shown below with the points in parenthesis:
10. Which audit engagements should the CAE pursue if all factors are weighed equally?
a. 1 and 2 only.
b. 1 and 3 only.
c. 2 and 4 only.
d. 3 and 4 only.
11. If the organization has asked the CAE to consider the cost savings factor to be twice as important as
any other factor, which engagements should the CAE pursue?
a. 1 and 2 only.
b. 1 and 3 only.
c. 2 and 4 only.
d. 3 and 4 only.
12. Which of the following represent(s) appropriate internal audit action in response to the risk assessment
process?
a. The low-risk areas may be delegated to the external auditor, but the high-risk areas should be per-
formed by the internal auditor.
b. Only high-risk areas should be integrated into an engagement work schedule along with the high-
priority requests of senior management and the audit committee.
c. The risk analysis should be used in determining an annual engagement work schedule; therefore, the
risk analysis should be performed only on an annual basis.
d. None of the above are appropriate actions to be taken by the IAA.
3
CIA Part 2 Mock Exam
13. According to the Standards, internal auditors are able to provide both assurance and consulting ser-
vices. Which of the following would be considered consulting services?
I. Compliance engagements.
a. I and II only.
14. Which type of engagement attempts to obtain information about the costs, output (effectiveness),
benefits, and effects of a program?
a. Program-results engagement.
b. Process engagement.
c. Compliance engagement.
d. Privacy engagement.
15. An organization wants to improve on its performance measures for a new business line. Which type of
benchmarking is most likely to provide information useful for this purpose?
a. Functional.
b. Competitive.
c. Generic.
d. Internal.
16. Sales representatives for a manufacturing company are reimbursed for 100 percent of their mobile
phone bills. Mobile phone costs vary significantly from representative to representative and from
month to month, complicating the budgeting and forecasting processes. Management has requested
that the internal auditors develop a method for controlling these costs. Which of the following would
most appropriately be included in the scope of the consulting project?
4
CIA Part 2 Mock Exam
17. Which of the following procedures would be appropriate for testing whether cost overruns on a con-
struction project were caused by the contractor improperly accounting for costs related to contract
change orders?
I. Verify that the contractor has not charged change orders with costs that have already been billed to
the original contract.
II. Determine if the contractor has billed for original contract work that was canceled as a result of change
orders.
III. Verify that the change orders were properly approved by management.
a. I only.
b. III only.
c. I and II only.
18. It is possible that the IAA could be called upon to perform an e-commerce engagement. In deciding
whether to conduct such an engagement, the CAE should assess the IAA’s:
19. When conducting a privacy engagement, which issue would the internal auditor not address?
c. Protection of personal information to ensure that all possible controls are in place and operating as
they should.
20. In which of the following facilitated team workshops does the facilitator identify the key risks and con-
trols before the beginning of the workshop?
a. Process-based.
b. Control-based.
c. Risk-based.
d. Objectives-based.
5
CIA Part 2 Mock Exam
21. Risk and Control self-assessment is a process where employees become involved in the examination
and assessment of the effectiveness of an organization’s control system. As such, employees become
process owners. Which of the following are the primary advantages of implementing a risk and control
self-assessment process?
I. It gives employees the chance to gain a greater understanding of the company’s risks and controls.
a. I and II only.
c. I and IV only.
d. II and IV only.
22. Using the IAA to coordinate regulatory examiners’ efforts is beneficial to the organization because in-
ternal auditors can:
a. Influence the regulatory examiners’ interpretation of law to match corporate practice.
b. Recommend changes in scope to limit bias by the regulatory examiners.
c. Perform fieldwork for the regulatory examiners and thus reduce the amount of time regulatory exam-
iners are on-site.
d. Supply evidence of adequate compliance testing through internal audit working papers and reports.
23. The CAE plans to meet with the external auditor to discuss joint efforts regarding an upcoming external
audit of the organization's pension plan. The external auditor has performed all external audit work in
this area in the past. The CAE's objective is to:
a. Ascertain which account balances have been tested by the external auditor so that the internal auditors
may test the internal controls to determine the reliability of these balances.
b. Coordinate the external audit to fulfill professional responsibilities and not duplicate work of the exter-
nal auditor.
c. Determine whether the external auditor's techniques, methods, and terminology should be used by
internal auditors in this area to conform with past work or to use techniques consistent with those used
by other internal auditors.
d. Determine whether work in this area could not be performed exclusively by the internal auditors.
24. At least once a year, the CAE needs to communicate the audit plan to the board and senior manage-
ment in order to do all of the following except:
a. Provide information about the work plan, staffing plan, and financial budget.
b. Allow the board to ascertain whether the IAA is properly supporting the objectives and plans of the or-
ganization.
6
CIA Part 2 Mock Exam
25. The IAA should develop an appropriate internal assessment program and identify appropriate Key Per-
formance Indicators (KPIs). Which of the following would not be an appropriate KPI for the IAA?
a. Rate of staff turnover.
b. Number of completed audits per auditor.
c. Completed versus planned audits.
d. Overhead cost allocation rates.
26. A specific objective of an audit of a company's revenue-receivable cycle is to make sure that credit
sales are promptly and accurately recorded. This objective would address which of the following
primary objectives identified in the Standards?
a. I and II only.
b. I and IV only.
27. Internal auditors should develop and record a plan for each engagement. The planning process should
include all the following except:
d. Determining how, when, and to whom the engagement results will be communicated.
28. Which of the following would be considered an external compliance objective for an organization’s pay-
roll cycle?
b. All employee benefits should be properly calculated and accrued (if not paid by the end of a period).
c. The employer is deducting the correct amount for employee payroll taxes.
d. Employees are receiving their wages at the rate agreed in their contract.
7
CIA Part 2 Mock Exam
29. Which of the following is an appropriate objective in an engagement to review a personnel department?
Determining whether:
a. Hourly employees are being paid only for hours actually worked as indicated by time cards or similar
reports.
b. An equitable training program exists that provides all employees with approximately the same amount
of training each year.
d. Recruitment is being delegated to the various departments that have personnel needs.
30. Internal auditors must develop and document a work program for each engagement. The work pro-
gram should include all of the following except:
b. The procedures to be used by the internal auditor to collect, analyze, interpret, and document infor-
mation during the engagement.
31. In planning an engagement, an internal auditor should establish objectives to address the risk associ-
ated with the activity to be audited. Which of the following would be considered potential risks associ-
ated with payroll?
I. The company is paying payroll in excess of the time actually spent by employees.
IV. The company is properly reporting and disclosing its payroll expenses.
a. I and II only.
32. The internal auditor-in-charge has just been informed of the next engagement and the engagement
team has been assigned. Select the appropriate phase for finalizing the engagement budget.
8
CIA Part 2 Mock Exam
33. Internal auditors must determine appropriate and sufficient resources to achieve engagement objec-
tives. When determining the necessary resources needed to perform an engagement, which of follow-
ing should the auditor consider?
a. I and II only.
b. I and IV only.
34. The final step in the planning process is the development of the work program. Engagement work pro-
grams should:
III. Identify the technical elements, risks, transactions, and processes that will be examined.
b. I and IV only.
35. An auditor traces individual time tickets to the payroll cost distribution, and also trace totals from the
payroll cost distribution to the various work-in-process accounts. If no exceptions are found, this pro-
cedure constitutes evidence that:
a. The work-in-process accounts have not been padded by the inclusion of unsupported payroll costs.
36. During a review of purchasing operations, an auditor found that procedures in use did not agree with
stated company procedures. However, audit tests revealed that the procedures in use represented an
increase in efficiency and a decrease in processing time, without a discernible decrease in control. The
auditor should:
b. Develop a flowchart of the new procedures and include it in the report to management.
c. Report the change and suggest that the change in procedures be documented.
d. Suspend the completion of the engagement until the engagement client documents the new proce-
dures.
9
CIA Part 2 Mock Exam
37. Underlying accounting data is information that is part of the accounting system. This includes the origi-
nal documents, journals, ledgers, supporting information, and the output from the accounting systems.
Is this type evidence sufficient to support an internal auditor’s conclusion?
b. No, because this type of evidence is internally generated and thus not the most competent.
d. No, because this type of evidence is externally generated and thus not the most competent.
38. During an assessment of the risk associated with sales contracts and related commissions, which of the
following situations would most likely result in an expansion of the engagement scope?
39. A standardized internal audit work program would not be appropriate for which of the following situa-
tions?
a. The possibility that the balance or class of transactions and related assertions contain misstatements
that could be material to the financial statements.
b. The failure of the internal auditor to negotiate with the client on the content of the final engagement
communication.
c. The failure to adhere to organizational policies, plans, and procedures or to comply with relevant laws
and regulations.
d. The failure to accomplish established objectives and goals for operations or programs.
10
CIA Part 2 Mock Exam
42. When preparing an engagement work program, the internal auditor would not be concerned about:
d. Reviewing a set of criteria established by management to determine whether operating goals and ob-
jectives have been accomplished.
43. In a review of the accounting department’s bank reconciliation unit, which of the following is an appro-
priate engagement procedure to test canceled checks for authorized signatures?
b. Determine that all checks are signed by individuals authorized by the board.
c. Examine a representative sample of signed checks and determine that the signatures are authorized in
the organization’s signature book.
44. The internal auditor is concerned about whether all the debits to the computer security expense ac-
count are appropriate expenditures. The most appropriate engagement procedure is to:
a. Take an attribute sample of computer security-related invoices and determine whether all invoices are
properly classified.
b. Perform an analytical review comparing the amount of expenditures incurred this year with the
amounts incurred on a trend line for the past 5 years.
c. Take an attribute sample of employee wage expenses incurred by the outsourcing organization and
trace to the proper account classification.
d. Take a sample of all debits to the account and investigate them by examining source documents to
determine the nature and authority of the expenditure.
45. Evidence that tends to supports a proposition that is already supported by some initial evidence is:
a. Direct evidence.
b. Corroborative evidence.
c. Circumstantial evidence.
d. Conclusive evidence.
c. A “walk-through” of the financial control system to identify risks and the controls that can address
those risks.
d. A process used to become familiar with activities and risks in order to identify areas for engagement
emphasis.
11
CIA Part 2 Mock Exam
47. During a preliminary survey of the accounts receivable function, an internal auditor discovered a po-
tentially major control deficiency while preparing a flowchart. What immediate action should the inter-
nal auditor take regarding the weakness?
c. Schedule a separate engagement to evaluate that segment of the accounts receivable function.
d. Highlight the weakness to ensure that procedures to test it are included in the engagement work pro-
gram.
48. Which of the following would not aid in the effectiveness of the preliminary survey?
49. Which of the following observations made during a preliminary survey of a local department store’s
disbursement cycle reflects a control strength?
a. Individual department managers use prenumbered forms to order merchandise from vendors.
b. The receiving department is given a copy of the purchase order complete with a description of goods,
quantity ordered, and extended price for all merchandise ordered.
c. The treasurer prepares checks/EFT for suppliers based on vouchers prepared by the accounts payable
department.
d. Individual department managers are responsible for the movement of merchandise from the receiving
dock to storage or sales areas as appropriate.
50. If an auditor’s preliminary evaluation of internal controls results in an observation that controls may be
inadequate, the next step is to:
a. Expand audit work prior to the preparation of the engagement’s final communication.
51. An internal auditor is developing a questionnaire for company employees that includes several rating
scales. Which of the following statements is not correct regarding the use of rating scales?
a. A range of choices gives employees the ability to express the strength of their feelings about a particu-
lar topic.
b. The auditor will know exactly how employees feel after compiling the results of the survey.
d. Employees may have a hard time distinguishing between “agree” and “strongly agree” when taking the
questionnaire.
12
CIA Part 2 Mock Exam
52. Auditors must be effective listeners, especially when asking complex questions. To improve their listen-
ing, auditors should take care to do all of the following except:
a. Stop talking. It is very difficult to listen and talk at the same time.
c. Hold questions. Avoid all questions until the speaker has concluded.
53. Which of the following would not be included when planning an interview?
c. Showing up on time.
54. An internal auditor is interviewing an employee. While listening to the interviewee, the internal auditor
should:
b. Take mental notes on the speaker’s non-verbal communication because it is more important than what
is being said.
c. Make sure all details, as well as the main ideas of the interviewee, are remembered.
d. Integrate the incoming information from the interviewee with information that is already known.
55. As a consulting engagement for marketing, internal audit was asked to conduct a customer satisfaction
survey. Of the 100 surveys that the company sent out to customers, only 40 were returned. When as-
sessing the results of the survey, internal audit would most be most concerned about:
56. In internal auditing sampling applications, there are four types of errors that may occur. These four
errors are divided into two categories of risks. These risks:
a. Result directly from the chance that the sample obtained by the internal auditor does not represent the
entire population.
b. Can be decreased by using more reliable, albeit more expensive, audit procedures.
c. Have a magnitude based only on the economic consequences of incorrect sample-based conclusions.
d. Refer respectively to the risks that (1) internal controls will fail, and (2) the resultant error(s) will go
undetected.
13
CIA Part 2 Mock Exam
57. An auditor is conducting a survey of perceptions and beliefs of employees concerning an organization's
healthcare plan. The best approach to selecting a sample would be to:
a. Focus on people who are likely to respond so that a larger sample can be obtained.
b. Focus on managers and supervisors because they can also reflect the opinions of the people in their
departments.
c. Use stratified sampling where the strata are defined by marital and family status, age, and sala-
ried/hourly status.
d. Use monetary-unit sampling according to employee salaries.
58. An auditor applying a discovery-sampling plan with a 5% risk of overreliance may conclude that there
is:
a. A 95% probability that the actual rate of occurrence in the population is less than the critical rate if
only one exception is found.
b. A 95% probability that the actual rate of occurrence in the population is less than the critical rate if no
exceptions are found.
c. A 95% probability that the actual rate of occurrence in the population is less than the critical rate if the
occurrence rate in the sample is less than the critical rate.
d. Greater than a 95% probability that the actual rate of occurrence in the population is less than the crit-
ical rate if no exceptions are found.
59. What would be a principal issue surrounding the use of CAAT tools?
60. Which of the following computer-assisted auditing techniques allows fictitious and real transactions to
be processed together without operating personnel being aware of the testing process?
a. Parallel simulation.
14
CIA Part 2 Mock Exam
62. To determine the sufficiency of information regarding interpretation of a contract, an internal auditor
uses:
b. Subjective judgments.
c. Objective evaluations.
c. It is directly related to the engagement observations and includes all of the elements of an engage-
ment observation.
d. It is convincing enough that a prudent person would reach the same conclusion.
64. The information collected by an internal auditor should help the auditor achieve the engagement objec-
tives. Based on this, the information should:
65. The objective of the engagement is to verify the existence and completeness of all operational equip-
ment owned by the company. In this case, the inspection of the equipment is:
15
CIA Part 2 Mock Exam
66. RiskSoft is a computer software company that develops specific risk management software programs
for its business clients. Clients are obligated to pay a 50% advance at the time of signing a contract,
25% when the project is estimated to be 75% complete, and the remaining 25% when the program is
delivered. In order to conclude that the company’s revenue is accurately stated, reviewing the signed
contracts is:
I. Sufficient.
II. Reliable.
III. Relevant.
IV. Useful.
a. I and II only.
67. While performing an engagement relating to an organization’s cash controls, the internal auditor ob-
served that cash deposits are not deposited daily. A comparison of a sample of the daily cash receipts
lists revealed that each cash receipt list was equal to the cash journal entry amount for the day, but
not equal to the daily bank deposit amounts, although the total of the cash receipts lists over a long
period of time did equal the bank deposit totals over the same period. This information as support for
the internal auditor’s observations is:
68. The internal auditor wants to develop a flowchart of (1) the process of receiving sales order infor-
mation at headquarters, (2) the transmission of the data to the plants to generate the shipment, and
(3) the plants’ processing of the information for shipment. The internal auditor should:
a. Start with management’s decisions to set sales prices. Gather internal documentation on the approval
process for changing sales prices. Complement documentation with a copy of the program flowchart.
Prepare an overview flowchart that links these details.
b. Start with a shipment of goods and trace the transaction back through the origination of the sales or-
der as received from the sales representative.
c. Start with the receipt of a sales order from a sales representative and “walk through” both the manual
and computerized processing at headquarters and the plant until the goods are shipped and billed.
d. Obtain a copy of the plants’ systems flowchart for the sales process, interview relevant personnel to
determine if any changes have been made, and then develop an overview flowchart that will highlight
the basic process.
16
CIA Part 2 Mock Exam
69. An internal auditor reviews and adapts a horizontal flowchart to understand the flow of information in
the processing of cash receipts. Which of the following statements is true regarding the use of such
flowcharts? The flowcharts:
a. Show specific control procedures used, such as edit tests that are implemented and batch control rec-
onciliations.
70. Which of the following tools could be useful to help an internal auditor determine fundamental issues
with a process, such as when the wrong people are involved and/or no one is accountable?
a. Dataflow diagram.
b. Flowchart.
c. Spaghetti diagram.
d. RACI diagram.
71. Which of the following could be a barrier that impedes an internal auditor’s root cause analysis?
c. Determining whether it costs more to remove the root cause than to treat the symptom.
72. An internal auditor learns that a company has 80 remote warehouses and that each warehouse con-
tains between 100 and 500 different products. From this information, the auditor can conclude that:
a. There are at least two warehouses with the same number of products.
c. The total number of products contained in all of the warehouses is at least 8,400.
73. During an operational audit engagement, an auditor compared the inventory turnover rate of a subsid-
iary with established industry standards in order to:
d. Assess performance and indicate where additional audit work may be needed.
17
CIA Part 2 Mock Exam
74. The following represents accounts receivable information for a corporation for a three-year period.
Year 1 Year 2 Year 3
Net accounts receivable as a percentage of total assets 23.4% 27.3% 30.8%
Accounts receivable turnover ratio 6.98 6.05 5.21
Which of the following is the most plausible explanation for these changes?
a. Fictitious sales may have been recorded.
b. Credit and collection procedures have become ineffective.
c. Allowance for bad debts is understated.
d. All of the answers are correct.
75. A review of a division's operations revealed that both sales revenue and the customer base remained
the same while inventory and gross margin increased significantly. Which of the following statements,
if true, could explain the increase in gross margin?
I. The company has developed a new manufacturing process that is much more efficient.
a. I only.
b. III only.
c. I and II only.
c. They meet or exceed the work standards of the organization’s external auditors.
d. They are properly referenced for easy follow-up within the next year.
77. Which of the following describe the functions of engagement working papers?
18
CIA Part 2 Mock Exam
Legend:
(a) Confirmed with bank – see confirmation on W/P A-4.
(b) Verified by tracing to July 15 cut-off statement; traced to cash receipts journal.
(c) Okay.
(d) Examined supporting documentation and traced to final disposition.
(e) Compared the footed total with the balance in the general ledger.
78. The working paper will be considered to be deficient if which other relevant engagement working paper
is not cross-referenced and included in the cash section of the working paper file?
d. Engagement client representation that the cash balance per books is accurate.
19
CIA Part 2 Mock Exam
80. Which type of working paper summary is typically used to consolidate numerical data scattered among
several schedules?
a. Statistical summaries.
b. Segment summaries.
c. Result summaries.
d. Pyramid summaries.
81. Internal auditors use a variety of indexing and cross-referencing methods in their working papers. An
internal auditing manager might devise a working paper indexing method tailored to a specific organi-
zation's needs. On the other hand, a governmental agency might devise a method for all organizations
under the agency's jurisdiction. Which of the following best explains the reason for this difference in
working paper index methods?
a. The internal auditing manager devises a method that simplifies the review process within a particular
organization, but the governmental agency devises one uniform method to simplify the review process
of the vastly different organizations to be reviewed.
b. The method of the internal auditing manager is prescribed by the Standards, but the method of the
governmental agency is required by the regulatory agency.
c. The method of the internal auditing manager is prescribed by the Standards, but the method of the
governmental agency is required by law.
d. The internal auditing manager devises the method specified by the board of the organization, but the
governmental agency devises one uniform method required by law.
83. Of the many tools available to assist an internal auditing supervisor, which of the following would be of
least assistance in the supervision of a specific engagement?
a. Assignment board.
b. Time budget.
d. Time report.
20
CIA Part 2 Mock Exam
84. Supervision of the work of internal auditors should be carried out continually. Which of the following
statements regarding supervision is (are) true?
II. Supervision should also be extended to training, time reporting, and expense control.
a. II only.
b. I only.
85. Engagements must be properly supervised. Proper supervision includes all of the following except:
a. Ensuring auditors assigned to the engagement have the proper skills and knowledge to carry out the
engagement.
a. A financial controller writes a letter to a local newspaper accusing the CFO of financial fraud.
b. A financial controller tells the manager of the clothing department how the CFO is committing financial
fraud.
c. A financial controller informs the CEO about financial fraud being committed by the CFO.
87. An internal auditor is conducting an engagement of the warehousing function for a food distribution
company. During the engagement, the internal auditor noticed that there was some water leakage on
the fresh produce. Given the situation, which of the following would be an appropriate engagement
communication?
a. A summary communication.
c. An exit communication.
d. An oral communication.
21
CIA Part 2 Mock Exam
88. An engagement was performed at the organization’s accounts receivable department. The engagement
has detailed various control weaknesses, one of which is the length of time it takes on average to col-
lect receivables. This weakness along with other weaknesses was addressed in the final engagement
communication. Who within the organization would find the final engagement report the most useful?
a. The CEO.
89. An internal audit of a food distribution company’s warehousing function found that there was some wa-
ter leakage on the fresh produce. During the exit interview, the warehouse manager said that correc-
tive action to stop the leakage would be done immediately and that the warehousing maintenance
system would be enhanced within three months to prevent any future leakage problems. Based on this
response, the CAE should:
a. Modify the scope of the next regularly scheduled audit of the warehousing department to assess the
warehousing maintenance system.
b. Monitor the status of corrective action and schedule a follow-up engagement when appropriate.
c. Schedule a follow-up engagement within three months to assess the status of corrective action.
d. Discuss the findings with the audit committee and ask the committee to determine the appropriate fol-
low-up action.
90. An IAA had been requested to perform an engagement to determine whether the organization is in
compliance with a particular set of laws and regulations. The engagement did not reveal any issues of
noncompliance but did reveal that the organization did not have an established system to ensure com-
pliance with the applicable laws and regulations. The internal auditor’s responsibility is to:
II. Report that the organization has a significant control deficiency because management has not estab-
lished a system to ensure compliance.
III. Meet with management to determine what follow-up action will be taken.
a. I only.
b. I and II only.
22
CIA Part 2 Mock Exam
91. Which of the following describes the most appropriate action to be taken concerning a repeated obser-
vation of violations of company policy pertaining to competitive bidding?
a. The engagement’s final communication should note that this same condition had been reported in the
prior engagement.
b. During the exit interview, management should be made aware that the violation has not been corrected.
c. The chief audit executive should determine whether management or the board has assumed the risk of
not taking corrective action.
d. The chief audit executive should determine whether this condition should be reported to the external
auditor and any regulatory agency.
92. An audit committee is concerned that management is not addressing all internal audit observations and
recommendations. What should the audit committee do to address this situation?
a. Require managers to provide detailed action plans with specific dates for addressing audit observations
and recommendations.
c. Require the chief executive officer to report why action has not been taken.
93. An engagement of accounts payable found that the employees responsible for maintaining the vendor
master file could also enter vendor invoices into the accounts payable system. During the exit confer-
ence, management agreed to correct this problem. When performing a follow-up engagement of ac-
counts payable, the auditor should expect to find that management had:
a. Transferred the individuals who maintained the vendor master file to another department to ensure
that the responsibilities were appropriately segregated.
b. Compared the vendor and employee master files to determine if any unauthorized vendors had been
added to the vendor master file.
c. Modified the access control system to prevent employees from both entering invoices and approving
payments.
d. Modified the accounts payable system to prevent individuals who maintained the vendor master file
from entering invoices.
94. An internal audit found that the cost of some material installed on capital projects had been transferred
to the inventory account because the capital budget had been exceeded. Which of the following would
be an appropriate technique for the IAA to use to monitor this situation?
a. Identify variances between amounts capitalized each month and the capital budget.
b. Analyze a sample of capital transactions each quarter to detect instances in which installed material
was transferred to inventory.
c. Review all journal entries that transferred costs from capital to inventory accounts.
d. Compare inventory receipts with debits to the inventory account and investigate discrepancies.
23
CIA Part 2 Mock Exam
95. Which of the following statements best describes the internal audit activity’s responsibility for follow-
up related to a previous engagement?
a. Internal auditors should determine if corrective action has been taken and is achieving the desired re-
sults, or if management has assumed the risk of not taking the corrective action.
b. Internal auditors should determine if management has initiated corrective action, but they have no
responsibility to determine if the action is achieving the desired results. That determination is man-
agement's responsibility.
c. The chief audit executive is responsible for scheduling follow-up activities only if directed to do so by
senior management or the audit committee. Otherwise, follow-up is entirely discretionary.
96. When conducting audit follow-up of a finding related to cash management routines, which of the fol-
lowing does not need to be considered?
b. The steps being taken resolved the condition disclosed by the finding.
97. An organization’s internal auditors have conducted a series of assurance engagements. The resulting
recommendations have been readily accepted by engagement clients because of the potential cost sav-
ings. Given the acceptance of the cost savings engagements and the scarcity of internal auditing re-
sources, the manager in charge of these engagements also decided that follow-up action was not
needed. The manager reasoned that cost savings should be sufficient to motivate the client to imple-
ment the engagement recommendations. Thus, follow-up was not scheduled as a regular part of the
engagement plan. Was the manager’s decision appropriate?
b. No. The internal auditors should determine whether the client has appropriately implemented all of the
engagement recommendations.
d. Yes. Given sufficient evidence of motivation by the client, follow-up is not needed.
98. The CAE realized that corrective action had not been taken even when agreed to by the engagement
client. In this circumstance, the CAE should:
c. Decide to conduct follow-up work only if management requests the internal auditor’s assistance.
d. Write a follow-up engagement communication with all observations and recommendations and their
significance to the operations.
24
CIA Part 2 Mock Exam
99. After an engagement report with adverse observations has been communicated to appropriate en-
gagement client personnel, internal auditing’s proper action is to:
100. Assume that the internal auditors’ observations are so serious that, in their view, they require immedi-
ate action by management. Which of the following statements regarding the internal auditors’ respon-
sibility with respect to communicating results and follow-up are true?
I. The conditions should be actively monitored by the internal auditors until corrected.
II. The initial observations should be communicated to senior management and the audit committee even
if the engagement is not complete.
III. The internal auditors should test the actions implemented by management to determine if they remedy
the problem.
a. I only.
b. II only.
d. I, II and III.
25
CIA Part 2 Mock Exam
Solutions
The chart below cross-references the question numbers for Part 2 with the topics tested:
• Types of Engagements 13 - 21
Section I – Managing the
Internal Audit Activity • Coordinate Internal Audit Efforts with Other As-
22 - 23
surance Providers
1. Information Gathering 46 - 60
Section III – Performing
2. Analysis and Evaluation 61 - 82
the Engagement
3. Engagement Supervision 83 - 85
26
CIA Part 2 Mock Exam Answers
1. Solution: a
a. Correct. Internal auditors are expected to provide recommendations that add value to the organiza-
tion. There may be cases where management does not agree with the internal auditor’s recommenda-
tion, but the IAA has a duty to provide a recommendation deemed best for the organization as a
whole.
b. Incorrect. The IAA is considered effective when the work of the IAA achieves the purpose and respon-
sibility included in the internal audit charter.
c. Incorrect. The IAA is considered effective when the IAA conforms to the Standards.
d. Incorrect. The IAA is considered effective when internal auditors demonstrate conformance with the
Code of Ethics and the Standards.
2. Solution: a
a. Correct. A smaller IAA may be managed more informally through close supervision and written mem-
os.
b. Incorrect. The form and content of written policies and procedures should be appropriate to the size of
the IAA.
c. Incorrect. The form and content of written policies and procedures should be appropriate to the size
and structure of the IAA and the complexity of its work (PA 2040-1).
d. Incorrect. Only (a) is correct.
3. Solution: c
a. Incorrect. Methods of evaluating and assessing risk should be included in the audit manual.
b, Incorrect. Reporting to audit committee should be included in the audit manual.
c. Correct. The audit manual provides guidance for the IAA from the beginning of the audit to its conclu-
sion. The level of financing needed to support internal auditing activities would be detailed in the audit
budget plan, not in the audit manual.
d. Incorrect. Instructions for preparing the audit report should be included in the audit manual.
5. Solution: b
a. Incorrect. The decision to outsource the IAA is not primarily based on existing resources.
b. Correct. Standard 2030 requires that resources be adequate, sufficient, and effectively deployed to
achieve the approved plan.
c. Incorrect. The amount of resources is not a significant factor in establishing credibility.
d. Incorrect. Succession planning is not related to the amount of audit resources.
27
CIA Part 2 Mock Exam Answers
6. Solution: d
a. Incorrect. This is true. Persons from within the organization are more likely to be familiar with compa-
ny policies and procedures than persons from outside the organization.
b. Incorrect. This is true. Promoting from within is good for overall organizational morale.
c. Incorrect. This is true. There may be qualified persons within the organization.
d. Correct. Even though the employee is being promoted to a new position, their familiarity with the
company would likely cause training costs to be less than for an outside hire.
7. Solution: c
a. Incorrect. Asking open-ended questions is something the internal auditor should do.
b. Incorrect. Asking questions about background experience is something the internal auditor should do.
c. Correct. A person’s political affiliation is unrelated to the performance of internal auditing.
d. Incorrect. Finding out what the candidate would do in different situations is a good way to see whether
the candidate is acceptable or not.
8. Solution: c
a. Incorrect. According to Standard 2020, this is a responsibility of the CAE.
b. Incorrect. According to Standard 2050, this is a responsibility of the CAE.
c. Correct. Practice Advisory 2120-1.1 states that risk management is a key responsibility of senior
management and the board. PA 2120-1.4 goes further and says the CAE should obtain an understand-
ing of senior management’s and the board’s expectations of the IAA in the organization’s management
process.
d. Incorrect. According to Standard 2500, this is a responsibility of the CAE.
9. Solution: a
a. Correct. Considering the strategic plan in the development of the internal audit plan will ensure that
the audit objectives support the overall business objectives stated in the strategic plan.
b. Incorrect. This action may make the internal audit plan fit better with the strategic plan, but may not
have an effect on management's approval.
c. Incorrect. The CAE can make recommendations to improve the strategic plan, however this is not the
primary purpose of the CAE reviewing the plan.
d. Incorrect. Although the importance of the IAA may be increased by such action, this is not the primary
reason for the action.
10. Solution: c
a. Incorrect. The total points are less than those of engagements 2 and 4.
b. Incorrect. Total points are less than the other choices.
c. Correct. Engagements 2 and 4 have the highest overall points.
d. Incorrect. To perform engagements 3 and 4 would mean to bypass engagement 2, which ranks highest
in overall points.
28
CIA Part 2 Mock Exam Answers
11. Solution: d
a. Incorrect. This choice involves the least total points.
b. Incorrect. The total points are less than for engagements 3 and 4.
c. Incorrect. The total points are less than for engagements 3 and 4.
d. Correct. This has the highest total points, and the engagements have medium and high potentials for
cost savings.
12. Solution: d
a. Incorrect. Work with the external auditor should be coordinated in order to minimize duplication of
work.
b. Incorrect. High risk areas should be integrated into the work schedule; however, there may be cases
where lower risk areas should be integrated as well. For example, maybe the area had not been re-
viewed for a number of years. In this case, even though it is low risk, it still needs to be reviewed.
c. Incorrect. Risk analysis should be performed any time that there is a change in the work environment.
d. Correct. None of the answers are correct.
14. Solution: a
a. Correct. A program-results engagement is intended to obtain information about the costs, outputs,
benefits, and effects of a program.
b. Incorrect. A process engagement does not attempt to measure anything; it focuses on operations and
how effectively and efficiently the organizational units affected will cooperate.
c. Incorrect. A compliance engagement relates to compliance with legal, regulatory, procedural, and other
requirements.
d. Incorrect. A privacy engagement does not attempt to measure anything; it addresses the security of
personal information.
15. Solution: a
a. Correct. Benchmarking is a continuous evaluation of the practices of the best organizations in their
class and the adaptation of processes to reflect the best of these practices. The type of benchmarking
most likely to help improve performance measures for a new business line is functional benchmarking.
b. Incorrect. Comparison with the best competitors focuses on performance in related organizations as a
whole and likely includes some activities unrelated to the new business line.
c. Incorrect. Comparison of processes that are virtually the same regardless of industry (such as docu-
ment processing) would not be as helpful as comparison of processes that are similar in function.
d. Incorrect. Comparison against the best business lines within the same organization may be mislead-
ing. It does not provide information about what is being accomplished outside the organization in the
new business line.
29
CIA Part 2 Mock Exam Answers
16. Solution: c
a. Incorrect. Risk and control self-assessment would not address management's objective of controlling
costs.
b. Incorrect. Although benchmarking may have some applicability, it is not the most appropriate tool.
c. Correct. A business process review (BPR) assesses the performance of administrative and financial
processes, such as within procurement and payables. BPR considers process effectiveness and efficien-
cy, including the presence of appropriate controls to mitigate business risk. Because the objective is to
control mobile phone costs, BPR is the appropriate tool to use.
d. Incorrect. Performance measurement would not address management’s objective of controlling costs.
18. Solution: b
a. Incorrect. Independence and objectivity are not the main concerns of the CAE when performing an e-
commerce engagement.
b. Correct. The two main concerns of the CAE when deciding whether to perform an e-commerce en-
gagement are skill level and capacity. Some questions that may constrain the IAA in this type of en-
gagement are:
§ Does the IAA have the sufficient skill level to perform the engagement?
§ Are training or other resources necessary?
§ Is the staffing level sufficient for the near-term and long-term?
§ Can the expected audit plan be delivered?
c. Incorrect. Objectivity would not be a main concern of the CAE in deciding to conduct the engagement.
d. Incorrect. Independence would not be a main concern of the CAE in deciding whether to conduct the
engagement.
19. Solution: b
a. Incorrect. Complying with governmental statutory and regulatory mandates would be an issue that the
internal auditor would address.
b. Correct. Making sure the private information is accurate would not be an issue for the auditor when
conducting a privacy engagement.
c. Incorrect. Protection of the personal information to ensure that all possible controls are in place and
that the controls are regularly reviewed and assessed would be addressed by the auditor.
d. Incorrect. Internal auditors have to make sure that whatever information they find during the audit
remains confidential.
30
CIA Part 2 Mock Exam Answers
20. Solution: b
a. Incorrect. The process-based format focuses on selected activities that are elements of a chain of pro-
cesses.
b. Correct. The control-based format focuses on how well the controls are working. This format is differ-
ent than the others because the facilitator identifies the key risks and controls before the start of work-
shop. During the workshop, the work team assesses how well the controls mitigate risks and promote
the achievement of objectives. The aim of the workshop is to produce an analysis of the gap between
how well controls are working and how well management expects the controls to be working.
c. Incorrect. The risk-based format focuses on listing the risks to achieving an objective.
d. Incorrect. The objective-based format focuses on the best way to accomplish a business objective.
22. Solution: d
a. Incorrect. Internal auditors should not attempt to influence regulators’ interpretations of law.
b. Incorrect. Internal auditors should not attempt to influence the scope of work of the regulatory exam-
iners.
c. Incorrect. Internal auditors should not perform fieldwork for regulatory examiners.
d. Correct. Internal auditors have immediate access to working papers and reports, which can supply
evidence of compliance testing to the regulatory examiners.
23. Solution: b
a. Incorrect. This is an example of duplicate work, which the internal auditor is trying to avoid.
b. Correct. In coordinating the work of internal auditors with the work of other internal and external pro-
viders, the CAE should ensure proper coverage and minimize duplication of work (Standard 2050).
c. Incorrect. The objective of coordinating efforts is to ensure adequate engagement coverage and to
minimize duplication of work.
d. Incorrect. The objective of coordinating efforts is to ensure adequate engagement coverage and to
minimize duplication of work.
24. Solution: c
a. Incorrect. The CAE does need to communicate information about the work plan, staffing plan, and fi-
nancial budget.
b. Incorrect. Communicating the audit plan would allow the board to ascertain whether the IAA is properly
supporting the objectives and plans of the organization.
c. Correct. The audit plan would not include information about the independence of the external auditor.
31
CIA Part 2 Mock Exam Answers
25. Solution: d
d. Correct. Overhead cost allocation rate is the rate by which management can allocate overhead costs
to specific areas of the company. Allocation rate would not be used as a KPI.
27. Solution: c
a. Incorrect. The planning process includes establishing engagement objectives and scope of work.
b. Incorrect. The planning process includes obtaining background information.
c. Correct. Identifying sufficient information to achieve engagement objectives is done during the field-
work, not planning stage.
d. Incorrect. The planning process includes determining how, when, and to whom the engagement results
will be communicated.
28. Solution: c
a. Incorrect. This is an operational objective.
b. Incorrect. This is a financial objective.
c. Correct. Making sure that the company is deducting the correct amount for employee payroll taxes
has to do with being in compliance with regulations. Thus, this is a compliance objective.
d. Incorrect. This is an operational objective.
29. Solution: c
a. Incorrect. This would be an example of an engagement to review payroll, not to review the personnel
department.
b. Incorrect. Not all employees are going to need the same training.
c. Correct. The personnel department is necessary for hiring, training, and monitoring the organization’s
human resources. Thus, reference checks of prospective employees are needed to make sure the pro-
spective employees have the right qualifications.
d. Incorrect. Recruitment is the responsibility of the personnel department.
32
CIA Part 2 Mock Exam Answers
30. Solution: c
a. Incorrect. The work program must include the specific objectives of the engagement.
b. Incorrect. The work program documents the procedures to be used by the internal auditor to collect,
analyze, and interpret information during the engagement.
c. Correct. The work program would not include the reliability of the information necessary to achieve
the engagement objectives. The sufficiency and reliability of information is discovered during the next
phase of the engagement, which is conducting the audit.
d. Incorrect. The work program would include the nature and extent of the required testing to be done
during the engagement.
I. Correct. The company paying payroll in excess of the time actually spent by employees is a risk factor
that needs to be considered.
II. Correct. The potential that the company is paying payroll to fictitious employees is a risk factor that
needs to be considered.
III. Correct. The company not adhering to applicable laws and regulations is a risk factor that needs to be
considered.
32. Solution: b
a. Incorrect. A budget is formulated for the long-range plan, but revisions will probably be made during
the preliminary survey.
b. Correct. The final engagement budget can be prepared after the preliminary survey has been com-
pleted.
c. Incorrect. The final budget is not possible to complete during the planning meeting.
d. Incorrect. The budget would lose its importance if it is made at the completion of the fieldwork.
I and II. Correct. Internal auditors consider the following when determining the appropriateness and suffi-
ciency of resources:
§ Knowledge, skills, and other competencies of the internal auditing staff when selecting internal au-
ditors for the engagement.
§ Availability of external resources where additional knowledge and competencies are required.
§ Training needs of internal auditors as each engagement assignment serves as a basis for meeting
the IAA’s developmental needs.
III. Incorrect. Using the proper sampling technique is a means to achieve to the engagement objectives.
IV. Incorrect. The probability of errors, irregularities, noncompliance, and other exposures should be con-
sidered when developing the engagement objectives.
33
CIA Part 2 Mock Exam Answers
I. Correct. Work programs have to contain the specific objectives of the engagement.
II. Incorrect. Identifying significant control deficiencies would be done when conducting the engagement.
III. Correct. Work programs need to identify the technical elements, risks, transactions, and processes
that will be examined.
IV. Incorrect. Work programs can only be modified with the approval of the CAE, not the client.
35. Solution: c
a. Incorrect. The direction of testing to establish that the work-in-process accounts have not been padded
is to the individual time tickets.
b. Incorrect. The cost distribution is not relevant to the proper authorization of the time tickets.
c. Correct. The time tickets contain the total hours worked on each job. An item distributed to an im-
proper WIP account (i.e. one different from that listed on the time ticket) could be discovered by this
test.
d. Incorrect. To establish that employees have been paid only for time actually worked, you would also
have to reconcile total payroll costs to the payroll cost distribution.
36. Solution: c
a. Incorrect. The procedures do not represent a deficiency because efficiency has improved without di-
minishing control.
b. Incorrect. A flowchart is not the best form of documentation because it does not address efficiency.
c. Correct. This represents a change in process that should be brought to the attention of management,
and also be documented.
37. Solution: b
a. Incorrect. Any information that comes from a company’s accounting system is not the most reliable
because it is internally generated. Therefore, it is not sufficient for the auditor’s conclusion.
b. Correct. Because this information comes from the company’s accounting system, it is not sufficient or
reliable. This information would have to be supported by some other corroborative type of information,
which could include third-party invoices, checks, contracts, or similar types of documents.
c. Incorrect. Conclusive evidence is evidence where no other evidence is required to draw a conclusion.
Information from a company’s accounting system is not conclusive evidence because it requires cor-
roboration.
d. Incorrect. Information from a company’s accounting system is internally generated, not externally
generated.
34
CIA Part 2 Mock Exam Answers
38. Solution: b
a. Incorrect. These trends would not result in scope expansion, because they are compatible.
c. Incorrect. These trends would not result in scope expansion, because they are compatible.
d. Incorrect. These trends would not result in scope expansion, because they are compatible.
39. Solution: b
b. Correct. A standardized engagement program would not be appropriate for a complex or changing
operating environment because the engagement objectives and related work steps may no longer have
relevance.
c. Incorrect. A standardized engagement program could be used to audit multiple branches with similar
operations.
d. Incorrect. A standardized engagement program would be acceptable for conducting subsequent inven-
tory audit engagements at the same location.
40. Solution: a
a. Correct. Controls are specific to each operation, and therefore audit work programs should be tailored
for each operation.
b. Incorrect. A generalized program cannot take into account variations resulting from changing circum-
stances and varied conditions.
c. Incorrect. A generalized program cannot take into account variations in circumstances and conditions.
d. Incorrect. Only the parts of the operation that are likely to have difficulties or conceal problems need to
be examined.
41. Solution: b
b. Correct. The internal auditor does not negotiate with the client on the contents of the final engage-
ment communication. The internal auditor is simply informing management about the report’s contents
and confirming that everything is factually correct.
35
CIA Part 2 Mock Exam Answers
42. Solution: c
a. Incorrect. The findings of a preliminary risk assessment are vital to preparing the work program. The
work plan will be based on the results of the risk assessment.
b. Incorrect. Reviewing material from past engagement communications could contain information about
observations from past engagements and the corrective actions taken.
c. Correct. There may be cases where the audit work program has to be modified.
d. Incorrect. Internal auditors must ascertain the extent to which management has established adequate
criteria to determine whether objectives and goals have been accomplished.
43. Solution: c
a. Incorrect. Comparing the check date with the first cancellation date would not tell you whether the
check was properly authorized.
b. Incorrect. This is an engagement objective, not an engagement procedure.
c. Correct. The best procedure to know whether canceled checks are properly signed would be to test a
sample of the checks.
d. Incorrect. A time budget goal is not an engagement procedure.
44. Solution: d
a. Incorrect. Taking an attribute sample would not tell you whether the computer security expenses are
appropriate expenditures.
b. Incorrect. Analytical procedures provide information as to whether or not the total expense is reasona-
ble. They do not determine whether specific debits are correct.
c. Incorrect. This procedure furnishes some information about the wage component of costs, but it is not
relevant to other computer security costs.
d. Correct. Taking a sample of all debits to the account would vouch the accounting records to the source
documents.
45. Solution: b
a. Incorrect. Direct evidence supports the truth of an assertion directly, i.e., without an intervening infer-
ence.
b. Correct. Corroborative evidence is evidence that tends to support a proposition that is already sup-
ported by some initial evidence.
c. Incorrect. Circumstantial evidence consists of a fact or set of facts which, if proven, will support the
creation of an inference that the matter asserted is true.
d. Incorrect. Conclusive evidence is evidence that cannot be disputed and that, as a matter of law, must
be taken to establish facts.
36
CIA Part 2 Mock Exam Answers
46. Solution: d
a. Incorrect. A preliminary survey might include the use of standard questionnaires to gain a better un-
derstanding of management objectives, but it is not the best description of a preliminary survey.
b. Incorrect. A preliminary survey might include the use of statistical sampling to gain an understanding
of key employee attitudes, skills, and knowledge, but it is not the best description of a preliminary sur-
vey.
c. Incorrect. A preliminary survey might include a walk-through of the financial control system, but it is
not the best description of a preliminary survey.
d. Correct. A preliminary survey is used to become familiar with the activities, risks and controls; to
identify areas for engagement emphasis; and to invite comments and suggestions from engagement
clients (PA 2210.A1-1.3). A preliminary survey might include the use of standard questionnaires, sta-
tistical sampling, and a walk-through.
47. Solution: d
a. Incorrect. Testing of the control deficiency will be done during the fieldwork phase.
b. Incorrect. There is no need to report the preliminary findings. Detailed testing is needed before report-
ing to management.
d. Correct. The internal auditor would highlight the weakness to ensure that procedures to test it are
included in the engagement work program.
48. Solution: d
a. Incorrect. Reading all of the relevant background information should be done to maximize the effec-
tiveness of the preliminary survey.
b. Incorrect. Identifying the risks implicit in the areas under review should be done to maximize the effec-
tiveness of the preliminary survey.
c. Incorrect. Identifying people from whom to obtain additional needed information should be done to
maximize the effectiveness of the preliminary survey.
d. Correct. Reviewing the adequacy and effectiveness of controls is part of the fieldwork, which is done
after the planning stage.
49. Solution: c
a. Incorrect. Department managers prepare a purchase requisition form that is given to the purchasing
department.
b. Incorrect. The receiving department is given a copy of the purchase order but it does not include the
quantity ordered. This is to encourage proper counting.
c. Correct. This is control strength. The treasurer should prepare checks/EFT based on vouchers pre-
pared by the accounts payable department.
d. Incorrect. The receiving department is responsible for the movement of merchandise from the receiv-
ing dock to the sales floor.
37
CIA Part 2 Mock Exam Answers
50. Solution: a
a. Correct. If preliminary indications are that controls are inadequate, then the internal auditor should
expand testing in order to gain a higher level of confidence.
c. Incorrect. The internal auditor is not ready to report until more work has been done.
51. Solution: b
b. Correct. Imprecise word choice when constructing rating scale questions may result in misinterpreta-
tion of the question leading to poor data from the survey, and employees may have thoughts that are
not captured by a simple rating scale.
52. Solution: c
c. Correct. If the person waits until the speaker has concluded, it is possible that important questions
will be forgotten and not asked. Also, asking questions while the speaker is talking may provide need-
ed clarification.
d. Incorrect. This is good advice. You want to try to make the speaker feel as comfortable as possible.
53. Solution: c
a. Incorrect. Before the interview, the auditor should become familiar with the organization, which would
include reviewing the company’s control flowcharts.
b. Incorrect. Before the interview, the auditor should become familiar with the organization, which would
include examining prior audit engagements.
d. Incorrect. Before the interview, the auditor should become familiar with the organization, which would
include learning more about the person to be interviewed.
54. Solution: d
a. Incorrect. Planning a response before the interviewee has finished may cause the internal auditor to
miss an important point.
c. Incorrect. It is not likely that the internal auditor will be able to remember all of the details and ideas
given by the interviewee.
d. Correct. The mind can process information faster than most people speak. Therefore, the internal au-
ditor can sort through information that he/she already knows with new information from the interview-
ee. This puts the internal auditor in a better position to respond to the interviewee.
38
CIA Part 2 Mock Exam Answers
55. Solution: a
a. Correct. When reviewing the results, internal audit would be most concerned about non-response bias
because only 40 surveys were returned. Those who did respond may not be indicative of the entire
population.
c. Incorrect. The internal audit would be most concerned about non-response bias, not about coming to
the right conclusion about the results.
d. Incorrect. The internal auditor would be most concerned about non-response bias, not about conduct-
ing a consulting engagement for marketing.
56. Solution: a
a. Correct. Sampling risk is the risk that the sample will not be representative of the population. Alpha
and Beta risk are types of risks inherent in the practice of sampling. Alpha risk will cause the auditor to
do additional and unnecessary work in coming to the correct conclusion. This makes the audit less effi-
cient. Beta risk will cause the auditor to come to the wrong conclusion. This reduces audit effective-
ness.
57. Solution: c
a. Incorrect. This convenience sample is likely to emphasize people with lots of time on their hands at the
expense of key employees who are too busy with company work to respond.
b. Incorrect. Managers and supervisors often do not have the same needs and perceptions as their sub-
ordinates and often misperceive their subordinates’ views.
c. Correct. Because different employees probably have different situations, needs, and experiences,
stratified sampling would best ensure that a representative sample would result.
d. Incorrect. This approach would produce a disproportionate number of highly paid employees who may
not have the same needs as lower-paid employees.
58. Solution: b
a. Incorrect. There is a 95% probability that the actual rate of occurrence is equal to or greater than the
critical rate if one exception is found.
b. Correct. Discovery sampling is when the auditor is looking for that one critical error or irregularity. If
no exceptions are found, the correct conclusion is that the occurrence rate is less than the critical rate.
c. Incorrect. There is a 95% probability that the actual rate is equal to or exceeds the critical rate if any
exceptions are found.
39
CIA Part 2 Mock Exam Answers
59. Solution: b
a. Incorrect. The capability of the software vendor would be a consideration, but not the principal consid-
eration.
b. Correct. CAATs are able to perform tasks faster than humans and produce more accurate data in func-
tions such as systems scanning. Costs, training, and security would be major considerations.
c. Incorrect. This would not be a consideration concerning the use of CAAT tools.
d. Incorrect. Documentary evidence is not necessarily more effective.
60. Solution: c
a. Incorrect. Parallel simulation uses real data and processes it through test or audit programs.
b. Incorrect. Generalized audit software performs automated functions and is useful for testing both con-
trols and balances.
c. Correct. Integrated test facility is similar to test data, except that in ITF the auditor is creating a false
company in the records and then creating different transactions for the fictitious company that are pro-
cessed alongside real data.
d. Incorrect. Test data uses only fictitious data that is processed separately from real data.
61. Solution: d
a. Incorrect. Whether sampling is appropriate and the results are valid are issues related to the determi-
nation of sufficiency and reliability rather than relevance.
b. Incorrect. Objectivity and lack of bias do not assure that information will support observations and rec-
ommendations and be consistent with the engagement objectives.
c. Incorrect. Sufficient information is factual, adequate, and convincing so that a prudent, informed per-
son would reach the same conclusions as the internal auditor.
d. Correct. The information that internal auditors gather must be sufficient, reliable, relevant, and useful
to provide a sound basis for engagement observations, conclusions, and recommendations. Relevant
information supports engagement observations, conclusions, and recommendations and is consistent
with the objectives for the engagement.
62. Solution: c
a. Incorrect. The best obtainable information might be reliable, but it will not necessarily be sufficient.
b. Incorrect. An evaluation of the sufficiency of information will require objective judgments, not subjec-
tive.
c. Correct. Information should be sufficient, reliable, relevant, and useful. It is sufficient only if it is so
factual, adequate, and convincing that a prudent, informed person would reach the same conclusions
as the internal auditor. The internal auditor’s judgment should be objective.
d. Incorrect. Logical relationships between information and issues will not determine whether the infor-
mation is sufficient. Information must be relevant, but relevant information may not be sufficient.
40
CIA Part 2 Mock Exam Answers
63. Solution: d
b. Incorrect. Information that is well-documented and cross-referenced does not make it sufficient.
d. Correct. Sufficient information is information that is factual, adequate, and convincing so that a pru-
dent, informed person would reach the same conclusion as the internal auditor.
64. Solution: a
a. Correct. Information should be collected on all matters related to the engagement objectives and
scope of work. Information needs to be sufficient, reliable, relevant, and useful to provide a sound ba-
sis for engagement observations, conclusions, and recommendations.
65. Solution: c
a. Incorrect. The information is reliable but not sufficient. Inspection can only tell you that the equipment
exists, but you still don’t know whether the company owns the equipment. Maybe it was set up as an
operational lease.
b. Incorrect. The information is relevant because it has to do with checking for the existence of the com-
pany’s equipment. However, inspecting the equipment still does not tell you whether the company
owns the equipment or not.
c. Correct. Inspection is reliable because the auditor saw the piece of equipment. It is also relevant be-
cause it helps the auditor achieve the engagement objectives.
I. Incorrect. Sufficient information is factual, adequate, and convincing. An original signed document may
not be sufficient to verify whether revenue is accurately stated on the income statement. The internal
auditor would still need to verify which contracts had been fulfilled and which ones are still being de-
veloped.
II. Correct. Reliable information is the best attainable information through the use of appropriate en-
gagement techniques (Interpretation: Standard 2310). An original signed document is considered to be
reliable because it shows that revenue is expected but it is still not sufficient to indicate whether the
revenue should be recognized in the current year.
III. Correct. Relevant information concerns the relationship of the information to some objective of the en-
gagement. Internal auditing’s objective is to verify the accuracy of the company’s revenue so reviewing
signed contracts would indicate that a client does exist and that revenue is expected.
IV. Correct. Useful information will help the organization achieved its goals. If the goal is to verify the ac-
curacy of company revenue, then reviewing signed contracts would help the internal auditor meet the
objective.
41
CIA Part 2 Mock Exam Answers
67. Solution: b
b. Correct. The presented information has all of the traits to be considered sufficient, reliable, and rele-
vant. It is sufficient because a reasonable person would judge a comparison of the organization’s rec-
ords with the bank records as persuasive proof that deposits were not made daily. It is reliable
because the auditor is able to verify information by an independent source (the bank). The information
is furthermore deemed relevant because it is relevant to the issue of whether cash receipts are depos-
ited daily.
68. Solution: c
a. Incorrect. The issue is the processing of sales orders, not the system for making changes in the sales
price data.
b. Incorrect. Starting with the completed transaction does not identify processing steps in which docu-
ments or data were diverted and processed separately.
c. Correct. The survey during the engagement planning phase helps the internal auditor to become fa-
miliar with activities, risks, and controls and to identify areas for audit emphasis. Flowcharting is a typ-
ical survey procedure, and the “walk-through” is a means of gathering information to be reflected in
the flowchart.
d. Incorrect. Processing steps that occur other than at the plant level must also be considered.
69. Solution: b
a. Incorrect. A program flowchart would identify the specific edit tests implemented.
b. Correct. Systems flowcharts are an overall graphic analyses of the flow of data and the processing
steps in an information system. Accordingly, they can be used to show segregation of duties and the
transfer of data between different segments in the organization.
c. Incorrect. Flowcharts are usually not kept up-to-date. Therefore, internal auditors need to understand
what changes occurred in the system since the flowchart was developed.
d. Incorrect. Systems should show both manual and computer processes.
70. Solution: d
a. Incorrect. A dataflow diagram is a graphical notation of the path and transformation of data as it
moves through an information system. A dataflow diagram would not be able to determine fundamen-
tal issues with a process.
b. Incorrect. Flowcharts are diagrams that create a visual representation of processes or events.
Flowcharts are good to identify the different elements of a process and understand the interrelation-
ships among the various steps. A flowchart would not be able to determine fundamental issues with a
process.
c. Incorrect. The purpose of a Spaghetti diagram is to expose inefficient process layouts, unnecessary
travel distance between process steps, and overall process waste.
d. Correct. A RACI diagram can be used to determine fundamental issues with a process, such as when
the wrong people are involved and/or no one is accountable. In its most basic form, a RACI diagram is
a way to examine a process step, task, activity, effort, decision, or inspection to determine who is re-
sponsible, accountable, consulted, or informed.
42
CIA Part 2 Mock Exam Answers
71. Solution: c
a. Incorrect. There could be more than just one root cause of the problem.
b. Incorrect. The internal auditor not being qualified to conduct the analysis is barrier.
c. Correct. Determining whether it costs more to remove the root cause than to treat the symptom is a
decision for management. However, the decision is not a barrier to conducting the analysis.
72. Solution: c
a. Incorrect. Two warehouses would not necessarily have the same number of products.
b. Incorrect. All of the warehouses but one could have less than 250 products.
c. Correct. At minimum, 79 warehouses could contain 100 products and one could have 500 products,
resulting in 8,400 products.
d. Incorrect. The average number of products in the warehouses cannot be computed from the infor-
mation given.
73. Solution: d
a. Incorrect. Comparison with industry standards will not test the accuracy of internal reporting.
b. Incorrect. Comparison with industry standards will not test the controls designed to safeguard the in-
ventory.
d. Correct. Such an analytical procedure will provide an indication of the efficiency and effectiveness of
the subsidiary's management of the inventory.
74. Solution: d
a. Correct, but all choices are correct. Fictitious sales would generate additional uncollectible accounts
receivable that are not necessarily being reflected in the allowance for bad debts.
b. Correct, but all choices are correct. Ineffective credit and collection procedures could contribute to in-
creases in uncollectible accounts receivable that are not necessarily being reflected in the allowance for
bad debts.
c. Correct, but all choices are correct. An understated allowance for bad debts would contribute to over-
statements in net accounts receivable and decreases in the accounts receivable turnover ratio.
d. Correct. All of the answers are plausible reasons for the changes.
I. Correct.
II. Correct.
III. Incorrect. If inventory is understated, then cost of goods sold would be overstated. Therefore, gross
margin would be understated.
43
CIA Part 2 Mock Exam Answers
76. Solution: b
a. Incorrect. Cross-referencing working papers to the engagement communications is not specifically ad-
dressed.
b. Correct. All engagement working papers are reviewed to ensure that they properly support all en-
gagement communications and that all necessary engagement procedures have been performed.
c. Incorrect. Meeting or exceeding the work standards of the external auditor is not a reason to review
working papers.
d. Incorrect. Proper referencing of working papers for easy follow up is not a reason to review the work-
ing papers.
II. Correct. Working papers aid in the planning, performance, supervision, and review of engagements.
IV. Incorrect. Working papers do not aid in the development of the accounting staff. They only aid in the
development of internal audit staff.
78. Solution: b
a. Incorrect. Petty cash is not relevant. The working paper only concerns cash in the bank.
b. Correct. Confirming the cash balance in the bank account as of the end of the period is a standard
operating procedure.
c. Incorrect. Under normal circumstances, copies of deposit slips are not needed.
d. Incorrect. The engagement’s client’s representation is not relevant when outside confirmation and
analysis of cash records support the cash balance.
79. Solution: b
a. Incorrect. Standardizing the working papers can help make the audit more efficient, but not every
working paper can be standardized.
b. Correct. Each engagement working paper should contain a heading, which usually consists of the
name of the client’s organization or function, a title or description of the contents or purpose of the pa-
per, and the date or period covered. Each working paper should be signed (initialed) and dated by the
internal auditor and contain an index or reference number. Verification symbols (tick marks) are also
likely to appear on most working papers and should be adequately explained in a note. In this exam-
ple, the explanation for tick mark (c) does not detail the procedures used to review outstanding
checks.
c. Incorrect. Analytical procedures are usually not as relevant to the examination of cash as to other as-
sets and liabilities.
44
CIA Part 2 Mock Exam Answers
80. Solution: a
a. Correct. Statistical summaries are typically used to consolidate numerical data scattered among sev-
eral schedules.
b. Incorrect. A segment summary is a narrative with respect to a particular part of the engagement.
c. Incorrect. Result summaries provide the significant facts about engagement observations.
81. Solution: a
a. Correct. By standardizing the process, the forms, the tick marks, indexing, cross-referencing, and
other elements of the working papers, it becomes easier for everyone to prepare and review the work-
ing papers. The internal auditor of a private organization will develop the indexing and cross-
referencing methods that are best suited for the organization. On the other hand, a governmental
agency is more inclined to develop uniform methods that are compatible throughout its jurisdiction.
b. Incorrect. The Standards only outline the need for indexing and cross-referencing and do not dictate
the indexing method. There is no governmental requirement that its auditors have to follow a particu-
lar index method.
c. Incorrect. The Standards only outline the need for indexing and cross-referencing and do not dictate
the indexing method. There is no law that requires governmental agencies to follow a particular index
method.
d. Incorrect. The board is not active in the management of the IAA. Thus, the board does not devise the
working paper indexing method. In addition, there is no law that requires governmental agencies to
follow a particular index method.
82. Solution: c
c. Correct. The coefficient of correlation is expressed as a number between -1 and +1. Therefore, the
relationship between the variables is strong and negative.
83. Solution: a
a. Correct. An assignment board would provide only minimal assistance to the engagement supervisor.
An assignment board provides an overview of the staff members working on each project.
45
CIA Part 2 Mock Exam Answers
II. Correct. Supervision should also be extended to training, time reporting, and expense control.
III. Correct. The extent of supervision needs to be documented. Engagements should be properly super-
vised to ensure objectives are achieved, quality is assured, and staff is developed (Standard 2340).
Supervision starts in the planning stages and continues all of the way through until the issuance of the
report.
85. Solution: b
a. Incorrect. Proper supervision includes making sure assigned staff have the skills and knowledge to car-
ry out the assignment.
b. Correct. Modifications to the engagement must have the approval of the CAE, not the approval of the
client.
c. Incorrect. Proper supervision includes making sure communications are accurate, objective, concise,
and timely.
d. Incorrect. Proper supervision includes making sure there is budgetary control over the engagement.
86. Solution: c
a. Incorrect. Whistleblowing is where an employee goes outside the chain of command. Therefore, report-
ing the financial fraud to a newspaper would be an example of whistleblowing.
b. Incorrect. Whistleblowing includes telling anyone outside of the chain of command even if the person
works for the company.
c. Correct. Whistleblowing is where an employee goes outside the chain of command. In this case, be-
cause the CFO is accused of the financial fraud, the CEO would be someone in the chain of command.
d. Incorrect. Exposing the financial fraud to the securities exchange commission would be considered
whistleblowing.
87. Solution: d
A. Incorrect. Summary communication is done to highlight information. In this case, the leakage needs to
be reported to management as quickly as possible.
b. Incorrect. Given the seriousness of the situation, the leakage needs to be reported as quickly as possi-
ble to management.
c. Incorrect. An exit communication is done at the end of engagement to discuss the results with the cli-
ent. Given the situation with the water leakage, this information needs to be reported to management
as quickly as possible.
d. Correct. Oral communications can be used when the situation is serious and needs to be quickly re-
ported to management. Given the seriousness of the situation, oral communication would be appropri-
ate.
46
CIA Part 2 Mock Exam Answers
88. Solution: c
a. Incorrect. The CEO is not responsible for the accounts receivable department.
b. Incorrect. The Chair of the audit committee is not responsible for the accounts receivable department.
c. Correct. Final engagement communications should be distributed to those members of the organiza-
tion who are in a position to ensure that engagement results are given due consideration. In this case,
control weaknesses in the accounts receivable department would be most useful to the accounts re-
ceivable manager.
d. Incorrect. The credit manager is not responsible for the accounts receivable department.
89. Solution: b
a. Incorrect. Because the finding is significant, the IAA should not wait until the next regularly scheduled
audit to assess the status of corrective action.
b. Correct. The IAA should monitor the status of the corrective action. A follow-up engagement should be
scheduled when the warehousing maintenance system has been sufficiently completed to allow for
testing of adequacy and effectiveness.
c. Incorrect. Although the warehouse manager said that leakage would be corrected immediately and the
maintenance system would be enhanced within three months, this may not be the case. As a result,
the IAA should monitor the status of leakage and schedule a follow-up engagement when it is appro-
priate.
d. Incorrect. Although the findings should be discussed with the audit committee because of its signifi-
cance, the scope and timing of a follow-up engagement should be determined by the CAE based on
available information.
I. Correct. When presenting a report, the internal auditor would report that no significant compliance
issues were noted.
II. Correct. Because there was no established system to ensure compliance, this deficiency would have to
be reported.
III. Correct. Because of the deficiency, the internal auditor would need to meet with management to de-
termine what action needs to be taken.
IV. Correct. The internal auditor would need to monitor the situation to make sure that action had been
taken to correct the deficiency.
91. Solution: c
a. Incorrect. This action would be insufficient to determine whether management takes responsibility for
the violations.
b. Incorrect. This action is insufficient to determine whether management takes responsibility for not cor-
recting the violation.
c. Correct. Management may decide to assume the risk of not correcting a reported condition because of
the cost or other considerations.
d. Incorrect. This action would be insufficient. The CAE should first determine if management takes re-
sponsibility for correcting the company policy pertaining to the bidding process.
47
CIA Part 2 Mock Exam Answers
92. Solution: d
a. Incorrect. The CAE would generally provide only summary reports to the audit committee on the status
of the recommendations provided by the internal auditors.
b. Incorrect. The CAE would generally provide only summary reports to the audit committee on the status
of the recommendations provided by the internal auditors.
c. Incorrect. It is the responsibility of management to report why action had not been taken, not the
CEO’s responsibility.
d. Correct. The CAE is responsible for establishing appropriate procedures for monitoring the progress by
management on all internal audit observations and recommendations. This responsibility should be
written into its charter by the audit committee, and progress should be reported at each audit commit-
tee meeting.
93. Solution: d
a. Incorrect. Transferring the individuals is not necessary and would not resolve the control problem.
b. Incorrect. This may help detect prior problems but it does not create a control to address future prob-
lems.
c. Incorrect. This would not address the problem because it does not involve the vendor master file.
d. Correct. This is the only option that will correct the deficiency identified during the audit.
94. Solution: c
a. Incorrect. Variances would not identify costs transferred to inventory.
b. Incorrect. There is a better answer; this choice would sample from all capital transactions rather than
specifically address transfers.
c. Correct. This procedure would focus on the problem of inappropriate transfers.
d. Incorrect. There would be no inventory receipts for the transfers, so beginning with inventory receipts
would not be an effective method to monitor this situation.
95. Solution: a
a. Correct. The internal auditor determines whether the desired results were achieved or if senior man-
agement or the board has assumed the risk of not taking action or implementing the recommendation
(PA 2500.A1-1.1).
b. Incorrect. It is the internal auditor who has the responsibility to determine whether corrective action
has been taken.
c. Incorrect. Follow-up is not discretionary. Standard 2500.A1 states that the CAE must establish a fol-
low-up process to monitor and ensure that management actions have been effectively implemented or
that senior management has accepted the risk of not taking action.
d. Incorrect. The internal auditors do have a responsibility for follow-up.
96. Solution: a
a. Correct. Inherent risk could only be accomplished by eliminating the use of cash, which is probably
not realistic.
b. Incorrect. It would be appropriate to assess whether steps being taken resolved the condition.
c. Incorrect. It would be appropriate to assess whether appropriate controls have been implemented.
d. Incorrect. It would be appropriate to assess whether benefits have accrued to the entity.
48
CIA Part 2 Mock Exam Answers
97. Solution: c
a. Incorrect. A follow-up is required.
b. Incorrect. The follow-up will determine what management actions have been taken, not merely wheth-
er the engagement recommendations have been implemented.
c. Correct. The CAE must establish and maintain a system to monitor the disposition of results communi-
cated to management (Standard 2500). Follow-up should have been scheduled, and scarcity of re-
sources would not be a sufficient reason to omit a follow-up.
d. Incorrect. A follow-up is required.
98. Solution: a
a. Correct. The CAE is responsible for scheduling follow-up activities as part of developing engagement
work schedules. Scheduling of follow-up is based on the risk and exposure involved, as well, as the de-
gree of difficulty and the significance of timing in implementing corrective action (PA 2500.A1-1.4).
b. Incorrect. It is the CAE’s responsibility to determine the nature and extent of follow-up. It is not man-
agement’s responsibility.
c. Incorrect. It is the CAE’s responsibility to determine the nature and extent of follow-up. Management’s
responsibility is to decide the appropriate action to be taken in response to reported engagement ob-
servations and recommendations.
d. Incorrect. The CAE must decide the extent of follow-up before submitting a follow-up engagement
communication.
99. Solution: a
a. Correct. The CAE must establish and maintain a system to monitor the disposition of results communi-
cated to management (Standard 2500).
I. Correct.
II. Correct.
III. Correct.
49