A newly appointed chief audit executive (CAE) reviews current reporting practices. The CAE notices
that exit meetings tend to be unproductive. When internal auditors present summaries of
observations, engagement clients consistently complain that they do not understand where the
observations come from. Which of the following could improve this situation?
A
Explanation:
Exit meetings are intended to ensure that engagement clients clearly understand the observations,
conclusions, and recommendations of the internal audit activity. The IIA’s International Standards for
the Professional Practice of Internal Auditing emphasize that communication should be clear,
constructive, and timely. Providing engagement clients with written summaries of the observations
before the exit meeting allows them to review the facts, prepare questions, and understand the basis
for the observations. This preparation improves dialogue, reduces confusion, and increases the
effectiveness of the meeting.
Option B is less effective because it limits client engagement and postpones resolution of
disagreements. Option C is impractical, as reading the full draft report during the meeting is time-
consuming and may overwhelm clients. Option D eliminates the opportunity for discussion and
relationship building with management, which is a critical part of audit communication.
Reference:
IIA’s International Standards for the Professional Practice of Internal Auditing (Standards 2400 –
Communicating Results, Practice Advisory 2410-2).
Upon completing a follow-up audit engagement, the chief audit executive (CAE) noted that
management has not implemented any mitigation measures to address the high risks that were
reported in the initial audit report. What initial step must the CAE take to address this situation?
B
Explanation:
According to the International Standards for the Professional Practice of Internal Auditing, when
significant risk exposures remain unaddressed after a follow-up engagement, the CAE must first
discuss the matter with the appropriate level of management responsible for the area. The purpose
is to determine whether there is a valid reason for not implementing the recommended corrective
actions, to clarify management’s perspective, and to encourage timely resolution.
If management still refuses to act and the risk remains high, the CAE must then escalate the issue to
senior management and, if necessary, to the board. Immediate escalation to the board without first
discussing with management is inappropriate, as it bypasses the chain of accountability. Reporting
directly to external auditors is also not the responsibility of the CAE unless specifically mandated by
regulation or law.
Therefore, the correct initial step is to discuss the issue with management responsible for the risk
area (Option B).
Reference:
IIA Standards – Standard 2500: Monitoring Progress; Implementation Guide 2500 – Monitoring
Progress.
The board is considering outsourcing the internal audit function to an external service provider.
Which of the following would always remain the responsibility of the organization?
D
Explanation:
Even if the internal audit activity is outsourced, the organization’s senior management and the board
retain overall responsibility for governance, risk management, and control processes. Specifically,
management must ensure that an annual risk assessment is performed to identify and prioritize
organizational risks. This forms the basis of the internal audit plan.
While the external service provider may assist in planning and execution, the assessment of risks to
the organization cannot be delegated away because accountability for risk management remains
with the organization itself. Activities such as quality assurance programs or audit scope discussions
can be supported or executed by the service provider, but responsibility for risk assessment is always
with management and the board.
Reference:
IIA Standards – Standard 2070: External Service Provider and Organizational Responsibility for
Internal Auditing.
During the process of setting the annual audit plan, the chief audit executive receives a request from
senior management to conduct an assurance engagement on the cybersecurity controls of the
organization. Which of the following is a reason cybersecurity should be included in the annual
internal audit plan?
C
Explanation:
The internal audit plan must be risk-based, as required by the IIA Standards. If cybersecurity has
been identified as a high risk during the annual risk assessment, then it should be included in the
audit plan to provide assurance over the adequacy of controls.
Including engagements simply to satisfy management (Option A) or for auditor learning purposes
(Option B) does not align with risk-based planning principles. Likewise, management requests alone
(Option D) do not dictate audit plan content; engagements must be prioritized based on risk to the
organization.
Reference:
IIA Standards – Standard 2010: Planning; Implementation Guide 2010 – Risk-Based Planning.
Which of the following documents would provide an internal auditor with information on the length
of time to maintain documents after the completion of an engagement?
C
Explanation:
The retention and maintenance of internal audit engagement records, including the period of time
they must be kept, is governed by the internal audit activity’s policies and procedures. These policies
provide guidance on record retention consistent with organizational requirements, legal and
regulatory obligations, and professional standards.
The charter (Option A) defines purpose, authority, and responsibility but does not detail document
retention. The annual plan (Option B) outlines engagements but not recordkeeping. The quality
assurance and improvement program (Option D) addresses continuous improvement and
compliance with standards, not retention guidelines.
Therefore, the correct source for document retention requirements is internal audit policies (Option
C).
Reference:
IIA Standards – Standard 2330: Documenting Information; Implementation Guide 2330.
How can the chief audit executive best provide the internal audit function with the resources needed
to fulfill the annual audit plan?
A
Explanation:
According to the IIA Standards, the CAE must ensure that the internal audit activity is appropriately
staffed with competent individuals to achieve the approved audit plan. While risk-based planning
and collaboration with risk functions support effectiveness, the most direct way to ensure resources
are adequate is by developing and maintaining the competencies of internal audit staff through
training, recruitment, and professional development.
Mapping the audit risk assessment (Option B), collaboration with risk functions (Option C), or
refining processes (Option D) may strengthen planning and alignment, but they do not directly
address the resource requirement. Only enhancing and ensuring competencies ensures the internal
audit activity has the skills necessary to execute the plan.
Reference:
IIA Standards – Standard 2030: Resource Management.
The chief audit executive (CAE) and management of the area under review disagree over managing a
significant risk item. According to IIA guidance, which of the following actions should the CAE take
first?
D
Explanation:
When disagreements occur regarding risk management or audit findings, the CAE should first
escalate the matter within management levels to attempt resolution. Only if the disagreement
remains unresolved after discussion with senior management should the CAE report the matter to
the board or audit committee.
Options B and C are premature: the charter does not grant internal audit supremacy over
management’s decisions, and documenting disagreement in the audit report should occur only after
reasonable attempts at resolution. Option A (escalating immediately to the board) should occur only
if discussion with management does not resolve the issue.
Reference:
IIA Standards – Standard 2600: Communicating the Acceptance of Risks.
An organization's IT systems can only be accessed using the organization's virtual private network.
However, organizational emails, videoconferencing, and file-sharing tools are cloud-based and can
be accessed using multi-factor authentication via any device. Which of the following risks should the
organization acknowledge?
A
Explanation:
The cloud-based email, videoconferencing, and file-sharing tools sit outside the VPN-protected
perimeter and can be reached from any device, including personal and unmanaged ones. Multi-factor
authentication verifies who is signing in; it does not control the device being used, where
downloaded files end up, or whether content is forwarded into tools the organization has not
approved. The exposure to acknowledge is therefore leakage of organizational data through
unapproved or uncontrolled applications and devices (shadow IT).
Option B is incorrect because the VPN is not the weak point in this scenario: a correctly configured
VPN protects the systems behind it, and the cloud tools are reachable without it. Option C is
misleading, as remote access controls can be effective in cloud solutions when properly designed.
Option D (employees accessing emails after hours) is not a security risk but a work-life balance
issue.
Thus, the key risk is potential leakage of organizational data via unapproved or uncontrolled
applications (Option A).
Reference:
IIA Global Technology Audit Guide (GTAG): Auditing Cloud Computing; IIA Standards – Standard 2110:
Governance.
Which of the following data privacy concerns can be attributed specifically to blockchain
technologies?
D
Explanation:
A core feature of blockchain technology is immutability—once data is recorded, it cannot be altered
or deleted. While this supports integrity and transparency, it also creates a conflict with data privacy
regulations such as the General Data Protection Regulation (GDPR), which grants individuals the
“right to be forgotten.” The inability to erase personal data stored on blockchain creates a
compliance challenge.
Options A and B are incorrect: phishing is not inherent to blockchain, and transactions are not easily
tampered with (immutability actually prevents that). Option C is misleading because regulations
address data use but do not “overregulate” blockchain specifically.
Reference:
IIA Global Technology Audit Guide (GTAG): Understanding Blockchain and Related Risks.
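The immutability argument above is easy to state and worth seeing concretely. The following is an added example written for this page; it is not code from the page or from any IIA guidance. It builds a minimal hash chain over constructed sample records (no real data), then simulates an erasure request in the two ways a naive operator might try it: blanking a record while leaving its stored hash, and blanking it and recomputing that block's hash. Both leave a chain that no longer verifies, which is why data written directly on-chain cannot simply be deleted. The last two functions go beyond the page's text: they show the commonly described mitigation of keeping personal data off-chain and anchoring only a salted hash on the ledger, so that deleting the off-chain record and salt leaves an on-chain value that can no longer be tied to a person. Names such as `make_block`, `erase_payload` and `commit_off_chain` are this example's own.

```python
import hashlib
import json
import secrets

GENESIS_HASH = "0" * 64


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(obj) -> bytes:
    # Deterministic serialization so identical content always hashes identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_block(index: int, payload: dict, prev_hash: str) -> dict:
    """Build a block whose hash commits to its index, its payload and its predecessor's hash."""
    body = {"index": index, "payload": payload, "prev_hash": prev_hash}
    return {**body, "hash": _sha256(_canonical(body))}


def build_chain(payloads: list) -> list:
    chain, prev = [], GENESIS_HASH
    for i, payload in enumerate(payloads):
        block = make_block(i, payload, prev)
        chain.append(block)
        prev = block["hash"]
    return chain


def verify_chain(chain: list) -> bool:
    """True only if every block's hash matches its content and links to the previous block."""
    prev = GENESIS_HASH
    for i, block in enumerate(chain):
        if block["index"] != i or block["prev_hash"] != prev:
            return False
        if block["hash"] != make_block(i, block["payload"], block["prev_hash"])["hash"]:
            return False
        prev = block["hash"]
    return True


def erase_payload(chain: list, index: int, rehash: bool) -> list:
    """Simulate honouring an erasure request against data written directly on-chain.

    rehash=False: blank the payload, keep the stored hash (content no longer matches hash).
    rehash=True:  blank the payload and recompute this block's hash; for any block that has a
                  successor, that successor's prev_hash now mismatches, so the break just moves
                  one block down the chain."""
    edited = [dict(b) for b in chain]
    blank = {"erased": True}
    if rehash:
        edited[index] = make_block(index, blank, edited[index]["prev_hash"])
    else:
        edited[index] = {**edited[index], "payload": blank}
    return edited


def commit_off_chain(record: dict) -> tuple:
    """Keep personal data off-chain and put only a salted hash (a commitment) on the ledger.

    Deleting the off-chain record and its salt leaves an on-chain value that can no longer be
    linked back to a person. This mitigation is an assumption of the example, not part of the
    page's text."""
    salt = secrets.token_bytes(16)
    on_chain = {"commitment": _sha256(salt + _canonical(record))}
    off_chain = {"salt": salt, "record": record}
    return on_chain, off_chain


def verify_commitment(on_chain: dict, off_chain: dict) -> bool:
    return on_chain["commitment"] == _sha256(off_chain["salt"] + _canonical(off_chain["record"]))


# Constructed sample records (not real data); the middle one carries personal data.
SAMPLE_PAYLOADS = [
    {"event": "account_opened", "customer": "c-1001"},
    {"event": "kyc_check", "customer": "c-1001", "name": "Alice Example", "dob": "1990-01-01"},
    {"event": "transfer", "from": "c-1001", "to": "c-2002", "amount": 250},
]


if __name__ == "__main__":
    chain = build_chain(SAMPLE_PAYLOADS)
    print("intact chain verifies:", verify_chain(chain))
    print("after blanking record 1:", verify_chain(erase_payload(chain, 1, rehash=False)))
    print("after blanking and rehashing record 1:", verify_chain(erase_payload(chain, 1, rehash=True)))
    on, off = commit_off_chain(SAMPLE_PAYLOADS[1])
    print("off-chain record still matches its commitment:", verify_commitment(on, off))
```

The design point for an auditor is the asymmetry: the ledger's integrity guarantee and the erasure obligation act on the same bytes, so the only workable control is architectural (what is written on-chain in the first place), not a procedure applied after the fact.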
Which of the following would be most likely found in an internal audit procedures manual?
B
Explanation:
The internal audit procedures manual documents policies and procedures for conducting audit
engagements, including steps to follow when issues arise, such as disputes with management
regarding findings. It ensures consistency and standardization of audit practice.
Option A (strategic plan) and Option C (resources) are not part of audit procedures but rather part of
planning or organizational documents. Option D (authority to collect data) belongs in the internal
audit charter, not in the procedures manual.
Therefore, the correct answer is appropriate response options for disputes with management
(Option B).
Reference:
IIA Practice Guide – Developing the Internal Audit Manual.
The sole internal auditor of a municipality wants to implement proper supervision over internal audit
workpapers. Which of the following would be the most appropriate?
D
Explanation:
The Global Internal Audit Standards require that workpapers be properly supervised and reviewed to
ensure quality and compliance. A sole auditor cannot perform a meaningful self-review (Option A).
Having clients review workpapers (Option B) compromises independence. Having management or
the board sign off (Option C) is also inappropriate as it undermines audit objectivity.
The most suitable solution is to arrange for peer reviews from external auditors or other
organizations, with confidentiality and legal safeguards in place. This provides independent oversight
while maintaining audit quality.
Reference:
IIA Standards – Standard 1312: External Assessments; Practice Guide – Quality Assurance and
Improvement Program.
After auditing the treasury function, the internal audit team issued a final report, which included an
action plan agreed with management. When the audit team returned three months later to follow
up on the action plan, management indicated that the plan had not been implemented because the
old treasury system was being replaced with a new system. Which of the following is the most
appropriate audit response?
D
Explanation:
When management has not implemented agreed action plans, the internal audit team must escalate
the matter to the CAE. The CAE is responsible for discussing such cases with senior management to
understand the reasons and determine next steps.
Option A is inappropriate because it is management’s responsibility—not internal audit’s—to
propose action plans. Option B disregards the initial high-risk issue. Option C (escalation to the
board) is premature unless senior management fails to act.
Thus, the correct response is Option D: report to the CAE, who should discuss with senior
management.
Reference:
IIA Standards – Standard 2500: Monitoring Progress; Standard 2600: Communicating the Acceptance
of Risks.
Which of the following best describes the chief audit executive's responsibility for assessing the
organization's residual risk?
D
Explanation:
The CAE’s role is to provide assurance that risks are identified and managed appropriately. When
residual risk appears to exceed the organization’s tolerance, the CAE should first communicate the
matter with senior management to discuss the issue and understand management’s acceptance of
risk. Only if the risk remains unresolved should it be escalated to the board.
Option A is management’s responsibility, not internal audit’s. Option B is incomplete as evidence
alone does not fulfill the communication requirement. Option C is premature because immediate
escalation to the board skips management dialogue.
Reference:
IIA Standards – Standard 2600: Communicating the Acceptance of Risks.
During an internal audit engagement, it was found that several vendors were on a government
sanctions list and must no longer be traded with. Which of the following would most effectively
mitigate the risk of noncompliance with sanctions lists that are updated regularly?
C
Explanation:
The most effective mitigation is to embed ongoing controls within vendor management processes to
ensure that both new and existing vendors are continuously screened against updated sanctions lists.
This creates a sustainable and automated compliance mechanism.
Option A is reactive and does not address future compliance. Option B only addresses onboarding of
new vendors but ignores existing ones. Option D undermines compliance obligations and does not
mitigate risk.
Reference:
IIA Global Technology Audit Guide (GTAG): Auditing Third-Party Risk; IIA Standards – Standard 2130:
Control.
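The control described above, continuous screening of both new and existing vendors against the current list, is a data-matching routine, and the part that matters is what happens when the list changes. The following is an added example written for this page, not code from the page or from any IIA guidance. It normalizes names (case, accents, punctuation, legal suffixes) so that master-file spellings and list spellings line up, screens a constructed vendor master file against two versions of a constructed sanctions list (no real entities), and shows that an onboarding-only check would miss the existing vendor that only the second list version catches. The fuzzy threshold, the suffix list, and the function names (`screen_vendors`, `newly_flagged`, `may_onboard`) are this example's own choices; fuzzy hits are intended for analyst review rather than automatic blocking.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Corporate suffixes carry no identifying information and would otherwise mask near-identical names.
LEGAL_SUFFIXES = {
    "ltd", "limited", "inc", "incorporated", "llc", "gmbh", "corp", "corporation",
    "co", "company", "plc", "sa", "ag", "bv", "nv",
}


def normalize(name: str) -> str:
    """Fold case, strip accents and punctuation, drop legal suffixes, collapse whitespace."""
    name = unicodedata.normalize("NFKD", name)
    name = "".join(ch for ch in name if not unicodedata.combining(ch))
    name = re.sub(r"[^a-z0-9 ]+", " ", name.casefold())
    return " ".join(tok for tok in name.split() if tok not in LEGAL_SUFFIXES)


def screen_vendors(vendors: list, sanctions: list, threshold: float = 0.85) -> list:
    """Compare every vendor on the master file against every entry on the current list.

    A hit is an exact normalized match, or a difflib similarity at or above `threshold`
    (the threshold is an assumption of this example and would be tuned per list)."""
    hits = []
    for v in vendors:
        vn = normalize(v["name"])
        for s in sanctions:
            sn = normalize(s["name"])
            score = 1.0 if vn == sn else SequenceMatcher(None, vn, sn).ratio()
            if score >= threshold:
                hits.append({"vendor_id": v["vendor_id"], "sanction_id": s["id"],
                             "score": round(score, 3), "exact": vn == sn})
    return hits


def newly_flagged(previous_hits: list, current_hits: list) -> set:
    """Vendors flagged by the current run that were clean in the previous one: exactly the
    already-onboarded vendors that an onboarding-only check never looks at again."""
    before = {h["vendor_id"] for h in previous_hits}
    return {h["vendor_id"] for h in current_hits} - before


def may_onboard(vendor: dict, sanctions: list) -> bool:
    """Onboarding gate: a new vendor is accepted only if the current list produces no hit."""
    return not screen_vendors([vendor], sanctions)


# Constructed sample data (not real entities): a vendor master file and two versions of a
# sanctions list, the second adding an entry that matches an already-onboarded vendor.
VENDORS = [
    {"vendor_id": "V-100", "name": "ACME Trading Ltd."},
    {"vendor_id": "V-200", "name": "Northwind Frieght Co"},   # misspelling on the master file
    {"vendor_id": "V-300", "name": "Contoso Foods Inc"},
]
SANCTIONS_V1 = [{"id": "S-001", "name": "Acme Trading Limited"}]
SANCTIONS_V2 = SANCTIONS_V1 + [{"id": "S-002", "name": "Northwind Freight Company"}]


if __name__ == "__main__":
    first = screen_vendors(VENDORS, SANCTIONS_V1)
    second = screen_vendors(VENDORS, SANCTIONS_V2)
    print("hits on list v1:", first)
    print("hits on list v2:", second)
    print("existing vendors caught only by re-screening:", newly_flagged(first, second))
```

Run as a scheduled job keyed to list updates, the `newly_flagged` output is the work queue that Option B's onboarding-only check can never produce; retaining each run's hits and the list version used gives the auditor the evidence trail that screening actually happened for existing vendors.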
Which of the following best describes meaningful recommendations for corrective actions?
D
Explanation:
Meaningful recommendations are those that address the root cause of the condition by comparing it
to the established criteria and propose sustainable, long-term solutions. This ensures that the
identified issue will not recur and strengthens the control environment.
Option A relates to symptoms (condition vs. consequence), not root causes. Option B identifies the
correct gap (criteria vs. condition) but offers only short-term fixes. Option C incorrectly compares
criteria to consequence, which is not a valid basis for audit recommendations.
Thus, Option D is correct.
Reference:
IIA Practice Guide – Audit Findings: Condition, Criteria, Cause, Effect, and Recommendation.