CIA Part 2 Questions and Answers
Who is ordinarily responsible for guiding governance processes? - CORRECT
ANSWER IS The board
Who is ordinarily responsible for leading risk management and control processes? -
CORRECT ANSWER IS Senior management
Compliance is defined as - CORRECT ANSWER IS adherence to policies, plans,
procedures, laws, regulations, contracts, or other requirements
Types of Internal Audit Engagements - CORRECT ANSWER IS Assurance services
and Consulting services
Reporting to senior management and the board provides assurance about - CORRECT
ANSWER IS Governance, Risk management, and Control
Who establishes policies and procedures for the IAA? - CORRECT ANSWER IS The
CAE
Policies and procedures for a large, mature IAA are - CORRECT ANSWER IS formal in
a manual
Policies and procedures for a small or less mature IAA are - CORRECT ANSWER IS
Separate documents or an audit management software program (less formal)
Who and how often should Internal audit policies and procedures be reviewed? -
CORRECT ANSWER IS CAE or an internal audit manager periodically reviews
Who is responsible for hiring a proper IAA? - CORRECT ANSWER IS The CAE
Effective interviewing methods - CORRECT ANSWER IS Structured (eliminates
individual bias) or Behavioral (how candidates handled past situations)
CAE independence and report structure with the board and senior management. -
CORRECT ANSWER IS CAE must have direct and unrestricted access to senior
management and the board. Reports administratively to senior management and
functionally to the board.
The most important function of the audit committee is - CORRECT ANSWER IS
promote the independence of internal and external auditors by protecting them from
management's influence.
What is participative auditing? - CORRECT ANSWER IS Collaboration between the
internal auditor and management during the auditing process. Objective is to minimize
conflict and build a shared interest.
The CAE must ensure that internal audit resources are - CORRECT ANSWER IS
appropriate, sufficient, and effectively deployed to achieve the approved plan.
Appropriate refers to - CORRECT ANSWER IS mix of knowledge, skills, and other
competencies to perform the plan
Sufficient refers to - CORRECT ANSWER IS quantity of resources needed to
accomplish the plan
Resources are effectively deployed when - CORRECT ANSWER IS optimizes the
achievement of the approved plan
Resource planning considers - CORRECT ANSWER IS 1. The audit universe
2. Relevant risk levels
3. IA plan
4. Coverage Expectations
5. Estimate of unanticipated activities
When selecting the appropriate audit staff, the CAE must consider - CORRECT
ANSWER IS 1. Complexity of the engagement
2. Experience levels of the auditors
3. Training needs of the auditors
4. Available Resources
The Three Lines of Defense in Effective Risk Management and Control - CORRECT
ANSWER IS Stakeholders = BoD and senior management
1. Operational Management (own and manage risk)
2. Business-enabling functions (oversee risk, monitor)
3. Internal Auditors (independent assurance)
Who determines the nature and scope of an assurance engagement? - CORRECT
ANSWER IS The internal auditor
Objectives of COSO Framework - CORRECT ANSWER IS operations, reporting,
compliance
Operations objectives relate to - CORRECT ANSWER IS Effectiveness and efficiency of
operations
Reporting objectives relate to - CORRECT ANSWER IS Internal and external financial
and nonfinancial reporting (reliability, timeliness, transparency)
Control Self-Assessment (CSA) - CORRECT ANSWER IS A method/process by which
management and staff of all levels collectively identify and evaluate risk and controls
within their business areas. This may be under the guidance of a facilitator such as an
auditor or risk manager; includes testing the design of automated application controls
Advantages of a CSA program - CORRECT ANSWER IS Increase coverage of
assessments of control processes across the org.
Improves quality of corrective actions made by process owners.
Focuses IAA's work on reviewing high-risk processes and unusual situations.
CSA types - CORRECT ANSWER IS Self-assessment surveys and facilitated
workshops
CSA: facilitation approach formats - CORRECT ANSWER IS 1) Objective - best way to
accomplish a business objective
2) Risk - listing risks to achieving an objective
3) Control - how well the controls in place are working
4) Process - selected activities that are elements of a chain of processes
Objective-based format - CORRECT ANSWER IS The aim of the workshop is to decide
whether the procedures are working effectively and are resulting in residual risks within
an acceptable level.
Risk-based format - CORRECT ANSWER IS The aim of the workshop is to determine
significant residual risks. This format takes the work team through the entire objective-
risks-controls formula.
Control-based format - CORRECT ANSWER IS Aims to produce an analysis of the gap
between how controls are working and how well management expects those controls to
work
Process-based format - CORRECT ANSWER IS Aims to evaluate, update, validate,
improve, and streamline processes
Limitations to control self-assessments - CORRECT ANSWER IS Don't effectively use
selected approach(es), persons performing assessment may not be skilled in risk
management and control. Relevant risks and controls may not be identified or properly
assessed.
Benefits of external business relationships - CORRECT ANSWER IS Lower cost, better
operational efficiency, expertise, new technology, known brand, or economies of scale
Lump sum contract - CORRECT ANSWER IS A contract with a fixed total price for a
well-defined product or service; consideration of progress payments, incentives, an
escalator clause, adjustments for labor, and change orders.