Free IIA-CRMA-ADV Practice Test Questions 2026

An internal auditor would like to identify the involvement of various organizational units in handling employee travel reimbursement claims. Which of the following methods would be most effective and efficient in completing this task?

A. Process mapping.

B. Interviewing.

C. Monitoring.

D. Distributing questionnaires.

Which of the following best describes the assessment of risks?

A. Assess the actions necessary to reduce the likelihood and/or impact of risk to tolerable levels.

B. Assess the likelihood and/or impact of risk on the achievement of organizational objectives.

C. Assess the amount of risk an organization can accept while pursuing its objectives.

D. Assess alternative strategies to reduce or eliminate major risks.

An internal audit charter describes the mission and scope of the internal audit activity (IAA), responsibilities of the IAA, accountability of the chief audit executive, independence of the IAA, and standards followed by the IAA. Which of the following also should be included in the charter?

A. The purpose of the IAA.

B. The IAA's right to have unrestricted access to functions, records, personnel, and physical property.

C. A detailed audit plan or program for the year.

D. The job specifications and descriptions of the internal audit staff.

What type of risk management strategy is being employed when an organization installs two firewalls to provide protection from unauthorized access to the network?

A. Diversifying the risk that network access will not be available to legitimate, authorized users.

B. Accepting the risk that there may be attempts at unauthorized access to the network.

C. Avoiding the risk of having a direct network connection to un-trusted networks.

D. Sharing the risk that either firewall could be compromised by hackers.

A new chief audit executive (CAE) of a large internal audit activity (IAA) is dissatisfied with the current amount and quality of training being provided to the staff and wishes to implement improvements. According to IIA guidance, which of the following actions would best help the CAE reach this objective?

A. Require that all staff obtain a minimum of two relevant audit certifications.

B. Perform a gap analysis of the IAA's existing knowledge, skills and competencies.

C. Engage a consultant to benchmark the IAA's training program against its peers.

D. Assign one experienced manager to better coordinate staff training and development activities.

According to IIA guidance, which of the following objectives of an assurance engagement for the organization's risk management process is valid?

A. All risks have been identified and mitigated.

B. Risks have been accurately analyzed and evaluated.

C. All controls are both adequate and efficient.

D. The board is appropriately addressing intolerable risks.

Which of the following audit procedures would provide the most relevant information to identify discrepancies between budgeted versus actual raw material consumption in a production facility?

A. Analytical review.

B. Inquiry.

C. Document verification.

D. Observation.

Which of the following is not an appropriate activity for internal auditors to perform?

A. Recommend management seek a consulting firm to advise on outsourcing.

B. Highlight matters that require management's attention.

C. Implement solutions for specific organizational problems.

D. Accumulate data, obtain varying views, and report information to senior management.

Which of the following statements is true regarding the use of non-statistical sampling in auditing control tests?

A. It considers tolerable deviation rate more effectively than does statistical sampling.

B. Sampling risk will be accurately quantified through non-statistical sampling.

C. Non-statistical sample results must be projected to the population.

D. Lesser evidence is required to support a conclusion than for statistical sampling.

What is the primary purpose of a fishbone diagram?

A. To depict the areas of responsibility for departments in an organization.

B. To plan and control complex projects, such as internal audits.

C. To represent the frequencies of adverse conditions in a given process.

D. To identify the possible causes of adverse conditions.

Which of the following scenarios would represent the greatest threat to the authority of the internal audit activity (IAA)?

A. A change was implemented requiring the IAA to report administratively to the organization's chief legal counsel rather than the board.

B. Responsibility for risk management processes were removed from the IAA and placed under a newly created chief risk officer.

C. The IAA was denied access to expenditure and budget requirement reports because the reports were considered to be financial administrative matters.

D. An internal auditor was informed by the chief financial officer that client survey results would be unfavorable unless the auditor changed a finding in the report.

Which of the following actions does not violate the IIA Code of Ethics or Standards?

A. An internal auditor performing an audit on an operation that they managed less than a year ago.

B. An internal auditor performing an audit on procedures that they were responsible for creating.

C. An internal auditor disclosing details of an audit report to colleagues from a different organization.

D. An internal auditor disclosing confidential information in response to a lawsuit.