Free IIA-ACCA Practice Test Questions 2026

An internal control questionnaire would be most appropriate in which of the following situations?

A. Testing controls where operating procedures vary.

B. Testing controls in decentralized offices.

C. Testing controls in high risk areas.

D. Testing controls in areas with high control failure rates.

An internal auditor wants to determine whether employees are complying with the information security policy, which prohibits leaving sensitive information on employee desks overnight. The auditor checked a sample of 90 desks and found eight that contained sensitive information. How should this observation be reported, if the organization tolerates 4 percent noncompliance?

A. The matter does not need to be reported, because the noncompliant findings fall within the acceptable tolerance limit.

B. The deviations are within the acceptable tolerance limit, so the matter only needs to be reported to the information security manager.

C. The incidents of noncompliance fall outside the acceptable tolerance limit and require immediate corrective action, as opposed to reporting.

D. The incidents of noncompliance exceed the tolerance level and should be included in the final engagement report.

An organization's board would like to establish a formal risk management function and has asked the chief audit executive (CAE) to be involved in the process. According to IIA guidance, which of the following roles should the CAE not undertake?

A. Manage and coordinate risk management processes.

B. Audit risk management processes.

C. Become involved in risk oversight committees, monitoring activities, and status reporting.

D. Accept management's responsibility for risk management without board approval.

A manufacturer is under contract to produce and deliver a number of aircraft to a major airline. As part of the contract, the manufacturer is also providing training to the airline's pilots. At the time of the audit, the delivery of the aircraft had fallen substantially behind schedule while the training had already been completed. If half of the aircraft under contract have been delivered, which of the following should the internal auditor expect to be accounted for in the general ledger?

A. Training costs allocated to the number of aircraft delivered, and the cost of actual production hours completed to date.

B. All completed training costs, and the cost of actual production hours completed to date.

C. Training costs allocated to the number of aircraft delivered, and 50% of contracted production costs.

D. All completed training costs, and 50% of the contracted production costs.

The chief risk officer (CRO) of a large manufacturing organization decided to facilitate a workshop for process managers and staff to identify opportunities for improving productivity and reducing defects. Which of the following is the most likely reason the CRO chose the workshop approach?

A. It minimizes the amount of time spent and cost incurred to gather the necessary information.

B. Responses can be confidential, thus encouraging participants to be candid expressing their concerns.

C. Workshops do not require extensive facilitation skills and are therefore ideal for nonauditors.

D. Workshop participants have an opportunity to learn while contributing ideas toward the objectives.

Which of the following is an effective approach for internal auditors to take to improve collaboration with audit clients during an engagement?

1. Obtain control concerns from the client before the audit begins so the internal auditor can tailor the scope accordingly.
2. Discuss the engagement plan with the client so the client can understand the reasoning behind the approach.
3. Review test criteria and procedures where the client expresses concerns about the type of tests to be conducted.
4. Provide all observations at the end of the audit to ensure the client is in agreement with the facts before publishing the report.

A. 1 and 2 only

B. 1 and 4 only

C. 2 and 3 only

D. 3 and 4 only

Which of the following statements describes an engagement planning best practice?

A. It is best to determine planning activities on a case-by-case basis because they can vary widely from engagement to engagement.

B. If the engagement subject matter is not unique, it is not necessary to outline specific testing procedures during the planning phase.

C. The engagement plan includes the expected distribution of the audit results, which should be kept confidential until the audit report is final.

D. Engagement planning activities include setting engagement objectives that align with audit client's business objectives.

Which of the following actions are appropriate for the chief audit executive to perform when identifying audit resource requirements?

1. Consider employees from other operational areas as audit resources, to provide additional audit coverage in the organization.
2. Approach an external service provider to conduct internal audits on certain areas of the organization, due to a lack of skills in the organization.
3. Suggest to the audit committee that an audit of technology be deferred until staff can be trained, due to limited IT audit skills among the audit staff.
4. Communicate to senior management a summary report on the status and adequacy of audit resources.

A. 1 and 3 only

B. 2 and 4 only

C. 1, 2, and 4

D. 2, 3, and 4

Which of the following is not a primary reason for outsourcing a portion of the internal audit activity?

A. To gain access to a wider variety of skills, competencies and best practices.

B. To complement existing expertise with a required skill and competency for a particular audit engagement.

C. To focus on and strengthen core audit competencies.

D. To provide the organization with appropriate contingency planning for the internal audit function.

While conducting an audit of a third party's Web-based payment processor, an internal auditor discovers that a programming error allows customers to create multiple accounts for a single mailing address. Management agrees to correct the program and notify customers with multiple accounts that the accounts will be consolidated. Which of the following actions should the auditor take?

1. Schedule a follow-up review to verify that the program was corrected and the accounts were consolidated.
2. Evaluate the adequacy and effectiveness of the corrective action proposed by management.
3. Amend the scope of the subsequent audit to verify that the program was corrected and that accounts were consolidated.
4. Submit management's plan of action to the external auditors for additional review.

A. 1 and 2

B. 1 and 4

C. 2 and 3

D. 3 and 4

According to IIA guidance, which of the following activities is most likely to enhance stakeholders' perception of the value the internal audit activity (IAA) adds to the organization?

1. The IAA uses computer-assisted audit techniques and IT applications.
2. The IAA uses a consistent risk-based approach in both its planning and engagement execution.
3. The IAA demonstrates the ability to build strong and constructive relationships with audit clients.
4. The IAA frequently is involved in various project teams and task forces in an advisory capacity.

A. 1 and 2

B. 1 and 3

C. 2 and 4

D. 3 and 4

Which of the following is the primary purpose of financial statement audit engagements?

A. To assess the efficiency and effectiveness of the accounting department.

B. To evaluate organizational and departmental structures, including assessments of process flows related to financial matters.

C. To provide a review of routine financial reports, including analyses of selected accounts for compliance with generally accepted accounting principles.

D. To provide an analysis of business process controls in the accounting department, including tests of compliance with internal policies and procedures.