Free IIA-IAP Practice Test Questions 2026

Explanation:
Operational audits assess the efficiency, economy, and effectiveness of an organization’s operations. Appraising the economy (minimizing resource costs) of a mining process and measuring achievement of production targets directly aligns with operational audit objectives, which focus on resource utilization and goal attainment rather than financial statement accuracy or compliance.

Correct Option:

C. Operational
Operational audits evaluate internal processes for economy (cost-minimization), efficiency (input-output ratio), and effectiveness (goal achievement). Here, reviewing shale mining’s resource use and yearly production targets matches all three elements. Unlike financial or compliance audits, operational audits focus on performance metrics and process improvement, making this the best fit for the described engagement.

Incorrect Options:

A. Due diligence:
Due diligence audits assess risks and facts before mergers, acquisitions, or major investments. It does not focus on ongoing operational economy or production target achievement. This is a pre-decision review, not a post-implementation performance appraisal of a mining process.

B. Business process improvement:
While related, BPI specifically redesigns processes to enhance workflow and eliminate waste. It is narrower and more change-oriented. The question asks for “appraising economy and production targets,” which is measurement-focused, not necessarily redesign-focused, making “operational” the broader, correct classification.

Reference:
IIA International Professional Practices Framework (IPPF) – Performance Standard 2110 (Governance) and 2130 (Control) indirectly support operational audits; directly, Standard 2120 – Risk Management clarifies operational objectives. IIA Practice Guide: “Operational Auditing: A Practical Approach” defines operational audits as evaluating economy, efficiency, and effectiveness (the “3 Es”), matching this scenario perfectly.

Explanation:
Independence of the internal audit activity requires that the CAE have no operational or management responsibilities that create conflicts of interest or bias. Reporting to the controller—who typically oversees financial operations—places internal audit under direct supervision of a management role it may need to audit, impairing objectivity and perceived independence.

Correct Option:

C. The CAE reports directly to the controller for the organization, and the internal audit activity resides in the office of the comptroller.
Reporting to the controller compromises functional independence because the controller is a management role responsible for financial processes that internal audit may evaluate.
The IIA Standards require the CAE to report functionally to the board/audit committee and administratively to the CEO, not to a management position like controller.
This structure creates a self-review threat, as audit findings might affect the controller’s performance.

Incorrect Options:

A. The CAE regularly attends and participates in critical executive management meetings for the organization.
Attending management meetings does not impair independence; in fact, it supports risk assessment and strategic alignment. The CAE remains independent as long as no operational decision-making authority is assumed.

B. The CAE has direct access to records, personnel, and physical properties throughout the organization.
Direct access strengthens internal audit’s ability to perform work independently. Unlimited access to information and personnel is a requirement under Standard 1100 (Independence and Objectivity), not an impairment.

Reference:
IIA Standard 1110 – Organizational Independence: “The CAE must report to a level within the organization that allows internal audit to fulfill its responsibilities.” Standard 1110.A1 prohibits reporting to a function like comptroller/controller that may restrict audit scope. Implementation Guidance for Standard 1110 explicitly states reporting to the finance director or controller impairs independence.

Explanation:
Creating new vendors without management review is a significant control deficiency because it exposes the company to fraudulent or erroneous payments to unauthorized parties. This violates segregation of duties and authorization principles. The auditor should document this as a control weakness, then perform additional testing to identify any compensating controls or recommend redesign.

Correct Option:

B. The observation is an internal control weakness; therefore, additional testing should be performed to determine whether secondary mitigating controls exist or whether the control should be redesigned.
Vendor creation without management approval fails the control principle of authorization.
The auditor must first confirm if compensating controls (e.g., invoice matching with purchase orders, duplicate payment checks) mitigate the risk.
If no mitigating controls exist, the auditor should recommend redesign (e.g., requiring manager approval for new vendors).
This follows IIA Standard 2410 – Criteria for Communicating, which requires stating deficiencies and their potential effects.

Incorrect Options:

A. The observation doesn't affect the adequacy of internal controls because the existing process controls ensure that invoices are promptly and accurately paid.
This is incorrect. Prompt payment does not address the risk of paying fake or unauthorized vendors. A vendor creation control gap exists regardless of invoice processing efficiency, and ignoring it violates professional skepticism.

C. The observation is a sign of adequate internal controls; however, effectiveness testing should be performed to ensure that the controls are operating as designed and intended.
This is incorrect. The described condition is not adequate control—it is a missing control. Effectiveness testing applies when controls exist but need validation. Here, no approval control exists at all, so testing effectiveness is not applicable.

Reference:
IIA Standard 1220.A1 – Due Professional Care requires auditors to consider the probability of significant errors, fraud, or noncompliance. Vendor creation without approval is a classic red flag for fraud (COSO Principle 6 – Authority and Responsibility). IIA Practice Guide: “Auditing Accounts Payable and Vendor Master Data” states vendor master changes require independent approval to prevent fictitious vendor schemes.

Explanation:
In an engagement communication, "criteria" refers to the standards, benchmarks, or expectations against which the actual condition is compared. Criteria represent what should exist. Among the options, only one states the benchmark (policies and procedures) used to evaluate compliance, making it the correct example of criteria.

Correct Option:

B. The audit test was designed to evaluate compliance with the organization's policies and procedures related to business conduct and ethics.
Criteria are the required standards or norms. Here, the organization's policies and procedures for business conduct and ethics serve as the benchmark.
The statement explicitly identifies what should be followed, which is the definition of criteria in an audit finding (condition, criteria, cause, effect).
Without criteria, the auditor cannot determine whether a condition is a deficiency.

Incorrect Options:

A. Annual business conduct training was not performed over the past two years due to inadequate operating budgets.
This describes the condition (what actually exists) and the cause (inadequate budgets), not the criteria. Criteria would be "annual training should be performed," not the statement of its absence.

C. As a result of inadequate business conduct training, 16% of the executive team was unaware of their obligation to report potential conflicts of interest.
This describes the effect (consequence) of the condition. The effect explains impact but does not provide the benchmark or standard against which performance is measured. Criteria remain unstated here.

Reference:
IIA Standard 2410 – Criteria for Communicating requires engagement communications to include engagement objectives, scope, and results including criteria. IIA Practice Guide: "Formulating and Communicating Audit Findings" defines criteria as the "standards, measures, or expectations used in making an evaluation and verification." Also see COSO Internal Control Framework, where criteria are established policies and procedures.

Explanation:
Independence of the internal audit activity requires that internal auditors not assume management responsibilities. Setting risk appetite is a strategic management decision that belongs to the board and senior management. Performing this activity creates a self-review threat because internal audit would later evaluate the very risk parameters it helped establish.

Correct Option:

B. Setting the organization's risk appetite.
Risk appetite is the amount of risk an organization is willing to accept. Determining it is a governance and strategic management function.
IIA Standard 1130 explicitly states that internal auditors must avoid activities that impair objectivity, including making management decisions.
If internal audit sets risk appetite, it cannot independently assess whether risk management is effective against that appetite.
This activity compromises both independence and perceived objectivity.

Incorrect Options:

A. Championing the establishment of organization-wide risk management.
Championing means advocating for or supporting the implementation of risk management processes. This is an advisory/consulting role allowed under Standard 1130, as long as no management responsibility is assumed. The auditor promotes the concept without making risk decisions.

C. Coordinating risk management activities.
Coordinating—such as scheduling meetings, facilitating discussions, or tracking action items—is generally acceptable for internal audit if done without owning risk decisions. However, if coordination includes directing or approving risk responses, it becomes problematic. Pure administrative coordination does not impair independence.

Reference:
IIA Standard 1130 – Impairment to Independence or Objectivity: "Internal auditors must not have direct operational responsibility or authority for any activity they audit. They must not design, install, or operate systems or procedures, nor initiate transactions." Implementation Guidance for Standard 1130 specifically lists "setting the risk appetite" as a management activity that impairs independence if performed by internal audit. Also see IIA Position Paper: "The Role of Internal Auditing in Enterprise Risk Management" (2019).

Explanation:
The objective requires assessing all three aspects: collateral sufficiency, aging by payment status, and proper categorization (current/noncurrent). To achieve this reliably across the entire loan portfolio, the auditor needs a method that allows systematic analysis of the complete population followed by representative testing of individual loans.

Correct Option:

A. Use generalized audit software to read the total loan file, age the file by last payment due, and select a statistical sample stratified by the current and aged population. Examine each loan selected for proper collateralization and aging.
Generalized audit software (e.g., ACL, IDEA) enables efficient analysis of entire loan populations, including automated aging and stratification.
Stratified statistical sampling ensures representation from both current and aged categories, allowing valid conclusions about the whole portfolio.
This approach directly addresses all three audit objectives: collateral (loan file review), aging (software calculation), and categorization (test of selected loans).
It follows IIA Standard 2230 – Engagement Resource Allocation, which encourages use of technology for population analysis.

Incorrect Options:

B. Select a block sample of all loans in excess of a specified dollar limit and determine whether they are current and properly categorized. For each loan approved, verify aging and categorization.
Block sampling only large-dollar loans ignores smaller loans that may also be misaged or under-collateralized. This introduces bias and does not allow generalization to the entire population. Also, it does not address collateral verification for the sampled loans as completely as Option A.

C. Select a discovery sample of all loan applications to determine whether each application contains a statement of collateral.
Discovery sampling is designed to find at least one instance of an error, not to measure population characteristics. Reviewing applications instead of actual loans fails to verify current collateral status or aging. This procedure does not achieve any of the three stated objectives effectively.

Reference:
IIA Standard 2310 – Identifying Information: "Engagement procedures must include procedures to identify sufficient, reliable, relevant, and useful information." Generalized audit software is cited in IIA Practice Guide: "Auditing Loan Portfolios in Financial Institutions" as the preferred method for aging, stratification, and sampling. Also see GAAS on audit sampling (AU-C 530), which supports statistical sampling for population inferences.

Explanation:
An audit objective must be specific, measurable, and clearly aligned with internal audit's assurance role—typically evaluating governance, risk management, or control processes. Among the options, only one directly states an assessment against established criteria (policies), which is the essence of an assurance engagement objective.

Correct Option:

C. Assess compliance with human resources hiring and compensation policies.
This objective clearly defines what is being evaluated (compliance) and the criteria (hiring and compensation policies).
It follows the standard audit objective structure: to assess whether activities conform to established standards.
Compliance testing is a core internal audit activity under Standard 2100 – Nature of Work.
The outcome is measurable—either policies are followed or exceptions exist.

Incorrect Options:

A. Analyze the turnover rates in mining and production subsidiaries.
"Analyze" describes an analytical procedure, not a complete audit objective. An objective should state why the analysis is being performed (e.g., to assess workforce stability or retention risk). Without a clear criterion or purpose, this is merely a data-gathering step.

B. Evaluate common practices of hiring via interviews with responsible personnel.
This describes a procedure (interviews) and a vague concept ("common practices"), not a defined objective. It lacks a benchmark or standard against which to evaluate. "Common" does not mean compliant or effective. An audit objective requires a clear standard (e.g., policies, regulations, benchmarks).

Reference:
IIA Standard 2210 – Engagement Objectives: "Objectives must be established for each engagement. Engagement objectives must include criteria against which to evaluate." IIA Practice Advisory 2210-1: "Engagement objectives should be stated in terms of evaluating something against something (criteria)." Also see IPPF – Core Principles, Principle 5: "Internal audit is objective and free from undue influence."

Explanation:
Engagement objectives define what the audit will accomplish and provide the foundation for designing specific audit procedures. During planning, establishing clear objectives ensures that subsequent testing, sampling, and evaluation are directly linked to the risks and controls of the area under review, preventing scope creep or irrelevant work.

Correct Option:

A. To ensure that audit procedures are designed to address the risks relevant to the area being audited.
Engagement objectives translate high-level audit goals into specific, risk-based targets.
Once objectives are set, the auditor designs procedures that directly test whether controls mitigate identified risks.
This aligns with the risk-based audit approach required by IIA Standards.
Without clear objectives, procedures may miss critical risks or produce irrelevant findings.
Standard 2210.A1 specifically requires consideration of risk when establishing objectives.

Incorrect Options:

B. To ensure that all auditors have a common understanding of the area being audited.
While a common understanding among team members is desirable, this is a secondary benefit of engagement planning, not the primary purpose of establishing engagement objectives. The main purpose is risk-focused procedure design, not team alignment.

C. To ensure that the work performed by other internal or external assurance providers is considered during audit planning.
Considering other assurance providers is part of coordination and reliance evaluation under Standard 2050, but this relates to overall audit planning, not specifically to establishing engagement objectives. It is a separate planning activity, not the purpose of setting objectives.

Reference:
IIA Standard 2210 – Engagement Objectives: "Objectives must be established for each engagement... Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing engagement objectives." Standard 2210.A1: "Internal auditors must consider the organization's strategies, objectives, and risks relevant to the engagement." Implementation Guidance confirms objectives drive risk-aligned procedure design.

Explanation:
The issue is paying for services not rendered, which indicates a lack of independent verification that services were actually received before payment. To prevent this, a control must confirm receipt of services prior to authorizing payment. Comparing acknowledgment (receipt evidence) to the invoice directly addresses this gap.

Correct Option:

A. The accounts payable clerk should compare the acknowledgment of goods and services to the invoice.
This control ensures payment is made only when proof of service delivery (e.g., signed receiving report, service completion certificate) matches the invoice.
It creates a "three-way match" (purchase order, receiving report, invoice) for services.
Without this comparison, fictitious or undelivered services can be paid.
This is a preventive/detective control directly targeting the condition described.

Incorrect Options:

B. The supervisor should observe the input of invoices into the payment system.
Observing data entry verifies accurate input of invoice details but does not confirm that services were actually rendered. A fake invoice can still be accurately entered into the system and paid. This control addresses accuracy, not service delivery verification.

C. The supervisor should verify that the amount paid agrees with the contracted amount.
Price verification ensures the amount charged matches the contract, but again, this does not confirm services were performed. A vendor could submit a correct-price invoice for services never provided, and this control would miss the fraud entirely.

Reference:
IIA Standard 2120 – Risk Management requires controls to mitigate risks such as fraudulent payments. COSO Internal Control framework – Control Activities principle includes proper authorization and documentation of transactions. IIA Practice Guide: "Auditing Accounts Payable" identifies three-way matching (purchase order, receiving report, invoice) as a key control to prevent payment for undelivered goods/services.

Explanation:
A detailed engagement risk assessment goes beyond simply listing risks. Its core purpose is to evaluate significant risks to the activity's objectives and understand the controls (the means) that management uses to mitigate those risks to an acceptable level. This directly links risk to the audit's scope.

Correct Option:

C. To consider significant risks to the activity’s objectives and the means by which the potential impact of risk is kept to an acceptable level.
This option captures the dual purpose: identifying significant risks AND evaluating the controls ("means") that reduce risk impact.
It reflects the IIA's requirement to understand risk management processes.
The "acceptable level" concept ties to risk appetite and residual risk.
This understanding directly shapes the audit procedures—testing controls that keep risks within acceptable bounds.

Incorrect Options:

A. To ensure that all risks identified during the engagement planning process are addressed during the audit.
This is impractical and inefficient. Not all identified risks are significant enough to require audit procedures. The purpose is to focus on significant risks, not every risk. Addressing "all risks" would waste resources and dilute audit effectiveness.

B. To prioritize risks to the activity’s objectives, according to the likelihood of occurrence.
Prioritization based only on likelihood is incomplete. A complete risk assessment considers both likelihood and impact. Furthermore, prioritization is a result of risk assessment, not its primary purpose. The deeper purpose is understanding how risks are managed to acceptable levels.

Reference:
IIA Standard 2210.A1 – Engagement Objectives: "Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing engagement objectives." Standard 2120.A1 requires evaluating risk management processes. IIA Practice Guide: "Auditing Risk Management" states that engagement risk assessment evaluates both risks and the controls mitigating them.

Explanation:
Root cause analysis (RCA) is a systematic process for identifying the fundamental reasons for a problem, which often reveals multiple contributing factors—not just one. Once causes are identified, auditors can recommend targeted control enhancements for each cause, leading to more sustainable corrective actions.

Correct Option:

C. Root cause analysis enables internal auditors to reveal multiple causes and recommend control enhancements for each cause identified.
Most problems have multiple root causes (e.g., process design, training gaps, system limitations, inadequate monitoring).
RCA tools like "5 Whys" or cause-and-effect diagrams help uncover these interconnected causes.
Recommending enhancements for each cause ensures comprehensive remediation.
This aligns with IIA Standard 2410.A1, which requires root cause identification for findings to enable effective corrective action.

Incorrect Options:

A. Root cause analysis enables internal auditors to improve the effectiveness and efficiency of the organization’s governance, risk management, and control processes.
While RCA supports improvement, stating it "enables" auditors to achieve such broad improvements is an overstatement. RCA is a tool for identifying causes; actual improvement requires management action. The statement claims too direct a causal link.

B. Root cause analysis is a simple, straightforward tool that can be implemented by internal auditors who may not possess relevant subject matter expertise.
This is false. Many RCA techniques (e.g., fault tree analysis, barrier analysis, change analysis) require analytical skill and subject matter understanding. Performing RCA without expertise can lead to superficial or incorrect conclusions, harming audit quality.

Reference:
IIA Standard 2410.A1 – Criteria for Communicating: "Final engagement communications must include... root causes and recommendations." IIA Practice Guide: "Root Cause Analysis" states that RCA systematically identifies multiple contributing factors and that each identified cause may warrant a separate recommendation. Also see IPPF – Implementation Guidance on root cause techniques requiring relevant expertise.

Explanation:
The Fraud Triangle consists of three elements: pressure (incentive), opportunity, and rationalization. Opportunity refers to circumstances that allow fraud to occur, such as weak internal controls, poor segregation of duties, or lack of oversight. The correct option directly describes a control weakness that creates opportunity.

Correct Option:

C. Poor segregation of duties allows for an executive assistant to authorize payments to one-time vendors without supervisory approvals.
This describes a classic opportunity factor: a single person can both initiate and authorize payments without independent review.
Lack of supervisory approval removes a key control, making fraud easier to commit and conceal.
One-time vendors are higher risk because no established relationship exists.
Poor segregation of duties is consistently cited in fraud literature as a primary opportunity indicator.

Incorrect Options:

A. Reserves were established based on conservative assumptions to maximize amounts set aside for when operating results may not meet investors' expectations.
This relates to pressure (financial statement manipulation to meet expectations). Management creating excessive reserves to smooth future earnings is an incentive/pressure indicator, not an opportunity indicator.

B. Executive management establishes financial performance objectives for business unit managers. The objectives include significant increases in annual sales and market penetration.
This creates pressure (unrealistic targets) that may motivate fraud to achieve bonuses or avoid penalties. Aggressive performance goals are a classic pressure element, not an opportunity element, of the Fraud Triangle.

Reference:
IIA Practice Guide: "Auditing Fraud" identifies the Fraud Triangle (Cressey, 1953) as the framework for fraud indicators. Opportunity factors include: lack of internal controls, poor segregation of duties, inadequate supervision, and weak management oversight. Also see Standard 1210.A2 – Proficiency to Identify Fraud Indicators. Association of Certified Fraud Examiners (ACFE) Fraud Triangle materials consistently cite poor segregation of duties as an opportunity indicator.