Free IIA-CRMA-ADV Practice Test Questions 2026

The internal audit supervisor is reviewing the workpapers prepared by the staff. According to the Standards, which of the following statements regarding workpaper supervision is not true?

A. Review notes of questions that arise during the review process must be retained.

B. Dating and initialing each workpaper provides evidence of review.

C. Workpaper review allows for staff training and development.

D. Workpapers may be amended during the review process.

According to IIA guidance, which of the following statements is true?

A. Risks in IT processes are best mitigated by individual controls.

B. The overall focus of the framework is on significant controls in all critical IT applications.

C. IT risks and related controls are operational and best identified using a bottom-up approach.

D. Control process risks are found at multiple layers of the IT environment.

Which of the following are components of the COSO enterprise risk management framework?
1. Objective setting.
2. External environment.
3. Data collection.
4. Control activities.

A. 1 and 3 only

B. 1 and 4 only

C. 2 and 3 only

D. 2 and 4 only

Which of the following scenarios exemplifies a potential internal control weakness?

A. The same employee who receives cash from customers prepares a prelisting of cash receipts.

B. The same employee who records cash receipts in the accounts receivable subsidiary ledger ensures that the ledger automatically updates the information.

C. The same employee who restrictively endorses checks received from customers prepares the bank's check deposit slips.

D. The same employee who makes deposits at the bank prepares the monthly bank reconciliation.

An organization's chief audit executive (CAE) determines that the internal audit staff does not have the requisite skills to conduct an audit of the financial derivatives area. Which of the following would be the best course of action for the CAE to follow?

A. Outsource the audit engagement to a qualified external auditing firm without burdening the audit committee with the decision.

B. Determine the requisite knowledge needed, and obtain the proper training for auditors, even if the training will significantly push back the project's timeframe as outlined by the audit committee.

C. Notify the audit committee of the problem, and assign the most competent auditors on staff to perform the audit engagement.

D. Employ the skills of a financial derivatives expert to consult on the project, and supplement the consulting with a local seminar on financial derivatives.

An internal auditor makes a series of observations when performing an analytical review of division operations. The auditor notes the following things: the current ratio is increasing and the quick ratio is decreasing, sales and current liabilities have remained constant, and the number of day sales in inventory is increasing. Which conclusion should the auditor

A. Cash or accounts receivable has decreased.

B. The gross margin has decreased.

C. The division produced fewer items this year than in prior years.

D. The gross margin has increased.

The director of purchasing, a certified internal auditor (CIA), signs a contract to procure a large order from a supplier whose products provide the best price, quality, and performance. A few days after signing the contract, the supplier presents the CIA with $1, 000 as a gift. Which statement regarding acceptance of the money is correct?

A. Accepting the money would be prohibited only if it were non-customary.

B. Accepting the money would violate the IIA Code of Ethics.

C. Because the CIA is not acting as an internal auditor, accepting the money would be governed only by the organization's code of conduct.

D. Because the contract was signed before the money was offered, accepting the money would not violate the IIA Code of Ethics.

A computer system automatically locks a user's account after three unsuccessful attempts to log on.
Which type of control does this scenario represent?

A. Corrective control.

B. Preventive control.

C. Detective control.

D. Compensating control.

Which of the following would not be a red flag for fraud?

A. Several recent, large expenditures to a new vendor have not been documented.

B. A manager has bragged about multiple extravagant vacations taken within the last year, which are excessive relative to the manager's salary.

C. A weak control environment has been accepted by management to encourage creativity.

D. New employees occasionally fail to meet established project deadlines due to staffing shortages.

According to IIA guidance, which of the following best describes processes and tools typically used in ongoing internal assessments?

A. Benchmarking of the internal audit activity's practices and performance.

B. Report of internal assessment results, response plans, and outcomes.

C. Analysis of performance metrics such as cycle times.

D. Self-assessments and surveys of stakeholder groups.

Which of the following would be considered a preventive control?

A. A library control log.

B. A review of exception reports.

C. A password lock on a server.

D. A software scan of financial records for irregularities.

Which the following activities should be performed by the internal audit activity to facilitate an effective relationship with the audit committee?
1. Periodically report about the accounting standards followed by the organization.
2. Provide assurance to the audit committee that its charter, activities, and processes are appropriate.
3. Ensure that the role and activities of the internal audit activity are clearly understood and responsive to the needs of the audit committee.
4. Maintain open and effective communications with the audit committee.

A. 1 and 2 only

B. 3 and 4 only

C. 1, 3, and 4 only

D. 2, 3, and 4 only