Free IIA-CIA-Part1 Practice Test Questions 2026

According to ISO 31000, which of the following statements is correct?

A. The board is responsible for setting the organizational attitude through tone at the top,

B. The internal audit activity will provide assurance over operating effectiveness but not over the design of risk management activities,

C. The internal audit activity can give objective assurance on any part of the risk management framework for which it is responsible.

D. The framework is designed to be effective for organizations no matter how small.

What is the best course of action when the internal audit activity does not have the knowledge necessary to perform a planned audit of the organization's new IT data backup process?

A. Postpone the audit engagement to a later date.

B. Recruit and hire a full-time staff auditor who is proficient in data backup processes.

C. Change the plan from an assurance engagement to a consulting engagement.

D. Provide data backup training to the engagement supervisor.

A whistle blower notified internal audit of a conflict of interest between an organization's employee and a major supplier. Which of the following steps should be undertaken first?

A. Interview the employee identified by the whistleblower.

B. Attain an understanding of the employee's role, responsibilities, and relationship with the supplier.

C. Notify senior management, the board, and the external auditor about the alleged fraud

D. Review all the orders issued to the supplier to investigate potential fraud.

According to IIA guidance, which of the following actions by the chief audit executive (CAE) best demonstrates the organizational independence of the internal audit activity?

A. The CAE seeks senior management approval of the internal audit charter

B. The CAE obtains senior management's approval to hire staff

C. The CAE reports significant issues to the organization's CEO

D. The CAE provides the board with an annual budget for approval

According to IIA guidance, which of the following most appropriately justifies the CEO’s decision that the internal audit activity shall be responsible for risk management and investigation at a multinational organization?

A. The recommendation of the parent office external auditors.

B. The provisions of the internal audit charter

C. The authority of the CEO.

D. The level of proficiency of the chief audit executive

An internal auditor has suspicions that some fictitious vendors have been created in the organization's computer system. Which of the following would be the best technique to detect this fraud?

A. Review for duplicate invoice numbers, duplicate dates, and duplicate amounts

B. Run checks to find matches between vendor and employee addresses

C. Check for recurring requests for refunds where invoices are paid twice

D. Review for unexplained increases in inventory

Which of the following tools would be most useful to an internal auditor performing an assessment of the effectiveness of the organization's risk responses?

A. Heat map.

B. Risk and control matrix.

C. Risk register.

D. Process map.

According to The IIA’s Code of Ethics, which of the following best describes the principle of integrity?

A. Auditors shall observe the law and make disclosures expected by the law and the profession

B. Auditors shall disclose all material facts known to them that if not disclosed may distort the reporting of activities under review

C. Auditors shall engage only in those services for which they have the necessary knowledge skills and experience

D. Auditors shall be prudent in the use and protection of information acquired in the course of their duties

Which of the following threatens internal audit objectivity'?

A. Internal auditors are expected by senior management to identify a minimum of five major control weaknesses in each area audited

B. Internal auditors are prevented from accessing information necessary to undertake their audit engagements

C. The chief audit executive reports directly to the chief financial officer who previously led the internal audit activity

D. The CEO requests the internal audit activity develop a charter that clearly delineates its purpose and responsibilities within the organization

Which of the following statements is true regarding consulting and assurance engagements performed by the internal audit activity'?

A. For both assurance and consulting engagements, the auditor must independently and objectively select the criteria for evaluation

B. For a consulting engagement, internal auditors and management jointly agree on the adequate criteria needed to evaluate governance, risk management, and controls. This is not true of assurance engagements

C. Engagement planning and fieldwork are similar for both types of engagements (there are no major differences) although the reporting process is different depending on which service is provided

D. For a consulting engagement objectives must address governance risk management and control processes to the extent agreed upon with the client. This is not true of assurance engagements

Which of the following statements is true regarding consulting engagements?

A. Internal auditors cannot provide consulting services related to operations for which they had previous responsibilities.

B. The nature of consulting services to be performed by internal auditors must be defined in the internal audit charter

C. If internal auditors have potential impairments to objectivity related to the proposed consulting engagement, the engagement must be declined.

D. If internal auditors lack the knowledge, skills, or other competencies needed to perform the consulting engagement, the engagement can proceed with proper disclosures.

Which of the following would show appropriate disclosure of nonconformance with the Standards?

A. The chief audit executive (CAE) documented in the personnel file a critical conflict of interest involving an internal auditor on an upcoming contracting engagement.

B. The CAE discussed with the board an issue regarding the internal audit activity performing an IT engagement without proper skills and knowledge.

C. The CAE met with the peer review team to discuss an internal auditor's failure to meet the annual requirements for continuing professional education.

D. The CAE revealed to operational managers that he failed to appropriately consider risks while he was developing the audit plan.