When is it appropriate for the internal auditor to determine the engagement's scope and objectives?
A. During the planning of the engagement
B. During the performance of the engagement
C. In the final engagement report
Explanation:
Engagement scope and objectives must be established before any substantive audit work begins. The planning phase is specifically designed for this purpose—defining what the audit will cover (scope) and what it aims to achieve (objectives). Determining them later would compromise audit efficiency and focus.
Correct Option:
A. During the planning of the engagement
According to IIA Standard 2200 – Engagement Planning, internal auditors must develop and document a plan for each engagement, including objectives and scope.
Planning occurs before fieldwork (performance phase) to ensure procedures are risk-based and resources are allocated appropriately.
Clear objectives and scope set at planning guide evidence collection and prevent scope creep.
Late determination would violate professional standards and could introduce bias.
Incorrect Options:
B. During the performance of the engagement
Performance is the execution phase where auditors collect evidence against already-established objectives and scope. Determining scope or objectives during performance would mean collecting evidence without clear direction, violating Standard 2200's requirement for documented planning.
C. In the final engagement report
The final engagement report communicates results, scope, and objectives to stakeholders—it does not establish them. Presenting new scope or objectives in the final report would mislead readers about what work was actually performed and why.
Reference:
IIA Standard 2200 – Engagement Planning: "Internal auditors must develop and document a plan for each engagement, including the engagement's objectives, scope, timing, and resource allocations." Standard 2220 – Engagement Scope: "The established scope must be sufficient to achieve the engagement's objectives." Implementation Guidance confirms scope and objectives are determined during planning, not later phases.
Which of the following would have the most direct impact on management's decision regarding the amount of risk that is considered acceptable?
A. Risk capacity.
B. Risk appetite.
C. Risk perception.
Explanation:
Risk appetite is the amount and type of risk an organization is willing to accept in pursuit of its objectives. It directly guides management's decisions on acceptable risk levels, serving as the benchmark for taking on, avoiding, or mitigating risks. It is a strategic, board-approved statement.
Correct Option:
B. Risk appetite.
Risk appetite explicitly defines acceptable risk boundaries (e.g., low, moderate, high tolerance for financial loss, compliance failures, or reputational harm).
Management uses risk appetite to decide whether to accept, transfer, mitigate, or reject a specific risk.
Without a defined risk appetite, risk decisions become inconsistent and reactive.
IIA Standards require internal audit to evaluate whether risk management processes align with the organization's risk appetite.
Incorrect Options:
A. Risk capacity.
Risk capacity is the maximum amount of risk an organization can absorb without failing (e.g., capital reserves, liquidity). While it sets an upper limit, it does not directly guide day-to-day management decisions on acceptable risk. Appetite is usually set below capacity.
C. Risk perception.
Risk perception is subjective—how individuals or groups view risk based on experience, bias, or culture. It influences behavior but is not a formal decision-making benchmark. Management should not base acceptable risk levels on perception alone without defined appetite criteria.
Reference:
IIA Standard 2120 – Risk Management: "The internal audit activity must evaluate the effectiveness of the organization's risk management processes." The IPPF Glossary defines risk appetite as "the level of risk that an organization is willing to accept." COSO ERM Framework (2017) states that risk appetite directly guides strategy and objective-setting. ISO 31000 similarly distinguishes appetite (willingness to accept) from capacity (maximum bearable).
In addition to the internal auditor, which of the following parties need to be present at an exit or closing conference?
A. Audit committee members
B. Management over areas covered by the engagement
C. The chief executive officer
Explanation:
An exit conference (or closing conference) is held to discuss engagement findings, conclusions, and recommendations with management responsible for the audited areas. Their presence ensures they understand the results, agree on facts, and begin formulating corrective actions. The conference is primarily between auditors and those managers.
Correct Option:
B. Management over areas covered by the engagement
Standard 2440 – Disseminating Results requires communication with appropriate levels of management.
The exit conference ensures responsible managers acknowledge findings and have no factual disputes.
Their presence enables immediate discussion of root causes and action plans.
Including them demonstrates professional courtesy and supports timely remediation.
IIA guidance on communicating results identifies management of the audited areas as the core attendees of the exit conference.
Incorrect Options:
A. Audit committee members
Audit committee members typically receive final audit reports but do not attend operational exit conferences. Their role is governance oversight, not detailed findings discussion. Involving them prematurely could undermine management's ownership of corrective actions.
C. The chief executive officer
The CEO may be notified of significant findings but is not required to attend routine exit conferences. Day-to-day operational managers are the appropriate attendees. CEO presence is reserved for high-risk or enterprise-level findings, not standard engagements.
Reference:
IIA Standard 2440 – Disseminating Results states communication must be made to appropriate levels of management. Implementation Guidance for Standards 2400 and 2440 describes discussing conclusions and recommendations with management responsible for the areas covered before the final communication is issued (the exit or closing conference), which also supports the accuracy required by Standard 2420 – Quality of Communications. IIA Practice Guide: "Communicating Results" lists attendees: engagement team, auditee management, and process owners, not senior executives or the audit committee unless specific circumstances warrant.
Which of the following would be a common benefit of using generalized audit software?
A. It enables internal auditors to perform tests on data with the assistance of the organization's IT personnel.
B. It enables internal auditors to analyze very large quantities of data.
C. It eliminates the need to obtain access privileges to relevant and reliable data.
Explanation:
Generalized audit software (GAS) such as ACL, IDEA, or TeamMate Analytics is specifically designed to allow auditors to access, extract, and analyze large volumes of data independently. Its core benefit is enabling testing of entire populations (e.g., millions of transactions) rather than relying on small manual samples.
Correct Option:
B. It enables internal auditors to analyze very large quantities of data.
GAS can process millions of records quickly, performing functions like aging, stratification, duplicate detection, and gap analysis.
This supports 100% population testing, increasing audit coverage and confidence.
It reduces sampling risk and can identify anomalies that sampling might miss.
This aligns with Standard 1220.A2 – Due Professional Care, which requires internal auditors to consider the use of technology-based audit and other data analysis techniques.
Incorrect Options:
A. It enables internal auditors to perform tests on data with the assistance of the organization's IT personnel.
One of the main advantages of GAS is that auditors can perform tests independently without relying on IT personnel. The software is user-friendly for auditors. Requiring IT assistance for testing is a limitation, not a benefit.
C. It eliminates the need to obtain access privileges to relevant and reliable data.
This is false. Using GAS does not bypass security protocols. Auditors must still obtain proper access rights and permissions to extract data. Data reliability and access controls remain essential regardless of software used.
Reference:
IIA Practice Guide: "Generalized Audit Software (GAS)" states key benefits include analyzing large volumes of data, complete population testing, and auditor independence from IT. Also see GTAG (Global Technology Audit Guide) 3: "Continuous Auditing," which relies on GAS for high-volume data analysis. Standard 1220.A2 – Due Professional Care requires auditors to consider technology-based audit and data analysis techniques; Standard 1210 – Proficiency requires the skills to apply them without relying on IT for basic data access.
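The functions listed under the correct option (duplicate detection, gap analysis, aging and stratification) are easy to state and easy to get subtly wrong. The following is an added example written for this page, not IIA material or code from ACL, IDEA or any other vendor: it re-creates those three GAS routines in plain Python over a constructed accounts payable extract so the logic behind the buttons is visible. All records, dates and check numbers are constructed sample data.

```python
"""GAS-style tests over a constructed accounts payable extract.

Added example for this page, not IIA material or code from any audit
software vendor. It re-creates in plain Python three routines that
generalized audit software packages offer (duplicate detection, sequence
gap analysis and aging stratification) so the logic behind the buttons
is visible. The records below are constructed sample data.
"""
from collections import defaultdict
from datetime import date

# Constructed AP extract: (invoice_no, vendor_id, amount, invoice_date, check_no)
AP_EXTRACT = [
    ("INV-1001", "V100", 1250.00, date(2024, 1, 15), 5001),
    ("INV-1002", "V101", 830.50, date(2024, 2, 3), 5002),
    ("inv 1001", "V100", 1250.00, date(2024, 1, 15), 5003),  # re-keyed INV-1001
    ("INV-2001", "V102", 4100.00, date(2023, 9, 30), 5005),  # check 5004 never issued
    ("INV-2002", "V103", 75.00, date(2024, 3, 20), 5006),
    ("INV-1002", "V101", 830.50, date(2024, 2, 3), 5007),    # exact repeat of INV-1002
]

AS_OF = date(2024, 4, 1)  # constructed "as of" date for the aging run

# Aging strata as (upper bound in days, label); the last bucket is open-ended.
AGING_STRATA = [(30, "0-30"), (60, "31-60"), (90, "61-90"), (180, "91-180")]
OPEN_BUCKET = "180+"


def normalize_invoice_no(raw):
    """Drop punctuation, spaces and case so 'inv 1001' collides with 'INV-1001'.

    Duplicate-payment schemes often re-key an invoice number slightly so a
    naive exact match misses the second payment.
    """
    return "".join(ch for ch in raw.upper() if ch.isalnum())


def find_duplicate_payments(records):
    """Group by (vendor, normalized invoice no, amount); return groups paid more than once.

    The value is the list of check numbers so both vouchers can be pulled.
    """
    groups = defaultdict(list)
    for inv_no, vendor, amount, _inv_date, check_no in records:
        groups[(vendor, normalize_invoice_no(inv_no), round(amount, 2))].append(check_no)
    return {key: checks for key, checks in groups.items() if len(checks) > 1}


def find_sequence_gaps(records):
    """Return check numbers missing between the lowest and highest issued (gap analysis).

    A gap means a check was voided, lost or issued outside the system; each one
    needs an explanation.
    """
    issued = {check_no for *_rest, check_no in records}
    return sorted(set(range(min(issued), max(issued) + 1)) - issued)


def age_invoices(records, as_of):
    """Stratify invoice numbers into aging buckets by days outstanding at as_of."""
    buckets = {label: [] for _bound, label in AGING_STRATA}
    buckets[OPEN_BUCKET] = []
    for inv_no, _vendor, _amount, inv_date, _check_no in records:
        days = (as_of - inv_date).days
        label = next((lbl for bound, lbl in AGING_STRATA if days <= bound), OPEN_BUCKET)
        buckets[label].append(inv_no)
    return buckets


if __name__ == "__main__":
    print("duplicates:", find_duplicate_payments(AP_EXTRACT))
    print("check gaps:", find_sequence_gaps(AP_EXTRACT))
    print("aging:", age_invoices(AP_EXTRACT, AS_OF))
```

Two design points carry over to real GAS work. Duplicate tests must normalize the key before grouping, otherwise the re-keyed "inv 1001" escapes; and the analysis runs over the whole extract, which is the 100% population coverage the correct option refers to. Note that the extract still has to be obtained through approved access to the source system, which is why option C is wrong.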
Which of the following scenarios would be the strongest indicator of fraud in an accounts payable process?
A. The accounts payable manager was unable to provide documentation relating to travel expenses on one of the samples selected.
B. The invoices submitted by one of the organization’s vendors are more than six months old.
C. The address on one of the vendor invoices matches an employee’s residential address.
Explanation:
A vendor invoice address matching an employee’s residential address is a classic red flag for fictitious vendor schemes. The employee may have created a fake vendor to receive fraudulent payments. This indicator directly suggests possible conflict of interest, self-dealing, or shell company fraud in accounts payable.
Correct Option:
C. The address on one of the vendor invoices matches an employee’s residential address.
This is a strong fraud indicator because it suggests the employee may be the vendor or related to the vendor.
Common fraud schemes include setting up fake vendors using home addresses to divert payments.
Professional skepticism requires investigation of such anomalies even without other errors.
ACFE fraud studies identify address matches as a top red flag in AP fraud.
This scenario also potentially violates the organization's conflict of interest policy.
Incorrect Options:
A. The accounts payable manager was unable to provide documentation relating to travel expenses on one of the samples selected.
While missing documentation is a control deficiency, it is not a strong fraud indicator. Documentation may be lost or misfiled. Without additional evidence (e.g., altered receipts), this alone is weak for fraud detection.
B. The invoices submitted by one of the organization’s vendors are more than six months old.
Aged invoices suggest slow processing or vendor laxity, not necessarily fraud. Many legitimate vendors accept late payment without fraud. Timeliness issues relate to efficiency, not intentional misrepresentation. No direct fraud indicator exists here.
Reference:
IIA Practice Guide: "Auditing Accounts Payable and Vendor Master Data" lists a vendor address matching an employee address as a primary fraud indicator. ACFE Report to the Nations (2024) identifies billing schemes as the most common accounts payable fraud, often using fictitious vendors registered at employee addresses. Standard 1210.A2 requires internal auditors to have sufficient knowledge to evaluate the risk of fraud and how the organization manages it. Also see GTAG: "Fraud Prevention and Detection" on red flags in AP.
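The red flag in the correct option is only useful if it can be found across an entire vendor master, and addresses rarely match character for character. The following is an added example written for this page, not IIA or ACFE material: it normalizes vendor remittance addresses and employee home addresses the same way and reports every collision. The vendor and employee records are constructed sample data, and the abbreviation table is an assumption that a real run would extend to the postal conventions of the data set.

```python
"""Vendor master vs. employee master address matching.

Added example for this page, not IIA or ACFE material. It implements the
red-flag test the question describes: normalize every vendor remittance
address and every employee home address the same way, then report vendors
whose address equals an employee's. Both lists below are constructed
sample data; the abbreviation table is an assumption.
"""
import re

# Constructed vendor master: (vendor_id, vendor_name, remittance_address)
VENDORS = [
    ("V100", "Acme Office Supply", "12 Main Street, Suite 4, Springfield"),
    ("V200", "JR Consulting LLC", "48 Oak Avenue Apt #2B, Riverton"),
    ("V300", "Nordic Freight", "900 Harbor Rd, Port City"),
]

# Constructed HR extract: (employee_id, employee_name, home_address)
EMPLOYEES = [
    ("E1", "J. Rivera", "48 OAK AVE, APARTMENT 2B, RIVERTON"),
    ("E2", "M. Chen", "7 Elm Dr, Springfield"),
]

# Assumed canonical forms for common street-address tokens.
ABBREVIATIONS = {
    "STREET": "ST", "AVENUE": "AVE", "ROAD": "RD", "DRIVE": "DR",
    "BOULEVARD": "BLVD", "LANE": "LN", "APARTMENT": "APT", "SUITE": "STE",
    "UNIT": "APT", "NORTH": "N", "SOUTH": "S", "EAST": "E", "WEST": "W",
}


def normalize_address(raw):
    """Upper-case, strip punctuation (including '#'), canonicalize abbreviations.

    '48 Oak Avenue Apt #2B, Riverton' and '48 OAK AVE, APARTMENT 2B, RIVERTON'
    both become '48 OAK AVE APT 2B RIVERTON'.
    """
    tokens = re.sub(r"[^A-Z0-9 ]", " ", raw.upper()).split()
    return " ".join(ABBREVIATIONS.get(tok, tok) for tok in tokens)


def match_vendor_addresses(vendors, employees):
    """Return (vendor_id, employee_id, normalized_address) for every address collision.

    Indexing employees by normalized address first keeps the join linear in
    the size of both files, which matters on a full vendor master.
    """
    by_address = {}
    for emp_id, _name, addr in employees:
        by_address.setdefault(normalize_address(addr), []).append(emp_id)
    hits = []
    for vendor_id, _name, addr in vendors:
        key = normalize_address(addr)
        for emp_id in by_address.get(key, []):
            hits.append((vendor_id, emp_id, key))
    return hits


if __name__ == "__main__":
    for vendor_id, emp_id, addr in match_vendor_addresses(VENDORS, EMPLOYEES):
        print(f"RED FLAG: vendor {vendor_id} shares address with employee {emp_id}: {addr}")
```

A hit is an indicator, not a conclusion: shared office buildings, family-owned legitimate suppliers and stale HR addresses all produce matches, so each one is followed up with the vendor setup records and approvals, consistent with the professional skepticism the explanation calls for.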
Which of the following would provide the most reliable information on a process under review?
A. Documentation of a walkthrough conducted on the process under review
B. Testimonial evidence, such as survey responses, on the process under review
C. Benchmarking information on the process under review compared to similar industries or organizational units
Explanation:
Reliability of evidence depends on its independence, directness, and objectivity. Documentation created during a walkthrough—where the auditor directly observes and traces transactions—is more reliable than testimonial or benchmarked information. Walkthroughs provide direct, firsthand evidence of how controls actually operate.
Correct Option:
A. Documentation of a walkthrough conducted on the process under review
Walkthrough evidence is direct and based on auditor observation, not hearsay or estimates.
Documentation includes flowcharts, narratives, and copies of actual documents traced.
Evidence is more reliable because it comes from independent observation, not from process participants.
Standard 2310 – Identifying Information requires sufficient, reliable, relevant, and useful information; walkthroughs provide high reliability.
It allows the auditor to confirm what actually happens versus what should happen.
Incorrect Options:
B. Testimonial evidence, such as survey responses, on the process under review
Testimonial evidence is inherently less reliable because it is subject to memory gaps, bias, and self-reporting errors. People may describe what they think should happen rather than actual practices. Surveys cannot substitute for direct observation.
C. Benchmarking information on the process under review compared to similar industries or organizational units
Benchmarking provides useful comparative data but is not direct evidence of how the specific process operates. Industry averages or best practices may not match actual performance. Reliability is low for verifying control effectiveness within the audited entity.
Reference:
IIA Standard 2310 – Identifying Information: "Information must be sufficient, reliable, relevant, and useful." Implementation Guidance treats information the auditor obtains directly (observation, re-performance, examination of original documents) as more reliable than information obtained by inquiry, surveys, or comparison to external data. Also see Standard 2320 – Analysis and Evaluation, which requires conclusions to be based on appropriate analyses and evaluations. Walkthrough documentation qualifies as observation or re-performance evidence.
Which of the following statements is true regarding engagement status meetings?
A. They are expected to enhance the relationships between the internal audit activity and management of the area under review.
B. They mainly involve one-way communication from the internal auditor to management of the area under review.
C. They should involve the chief audit executive and senior management.
Explanation:
Engagement status meetings (interim meetings during fieldwork) are designed to keep management informed of progress, emerging findings, and potential issues. By promoting open two-way communication, these meetings build trust, reduce surprises at the exit conference, and strengthen relationships between internal audit and auditee management.
Correct Option:
A. They are expected to enhance the relationships between the internal audit activity and management of the area under review.
Regular status meetings demonstrate transparency and professionalism, fostering collaboration.
They allow management to clarify facts early and provide input on observations.
Reducing surprises improves management's receptiveness to final recommendations.
Standard 2420 – Quality of Communications requires communications to be accurate and objective; discussing observations with management as they emerge helps ensure the facts are right before they are reported.
Strong relationships lead to better audit outcomes and management cooperation.
Incorrect Options:
B. They mainly involve one-way communication from the internal auditor to management of the area under review.
This is false. Status meetings are two-way dialogues. Management can ask questions, provide explanations, request additional time for evidence gathering, and share operational constraints. One-way communication would impair understanding and relationship building.
C. They should involve the chief audit executive and senior management.
Status meetings typically involve the engagement team and process-level management. CAE and senior management are not required for routine status updates. The CAE may attend critical meetings, but this is not a standard expectation for every status meeting.
Reference:
IIA Standard 2420 – Quality of Communications: "Communications must be accurate, objective, clear, concise, constructive, complete, and timely." Implementation Guidance emphasizes ongoing communication during fieldwork. IIA Practice Guide: "Audit Reports and Management Interactions" states status meetings build relationships and should be two-way. Also see IPPF Core Principle 7, "Communicates effectively," which depends on constructive management relationships.
An internal auditor is reporting on the organization's asset management system. Which of the following would likely add the greatest value to the organization?
A. Confirmation that controls are operating efficiently.
B. Recommendations aimed at reducing risk exposure.
C. Reports that state identified deficiencies were remedied during the audit.
Explanation:
Internal audit adds greatest value when it provides forward-looking insights that help the organization improve risk management and achieve objectives. While confirming control efficiency is useful, actionable recommendations that reduce risk exposure directly contribute to protecting organizational assets and enhancing governance, which represents higher value.
Correct Option:
B. Recommendations aimed at reducing risk exposure.
Recommendations address root causes and propose specific improvements to mitigate risks.
Reducing risk exposure directly supports organizational resilience and objective achievement.
Standard 2410.A1 requires final communications to include applicable conclusions and applicable recommendations and/or action plans that help management improve processes.
Value is measured by how audit results help management reduce waste, fraud, or inefficiency.
Forward-looking recommendations prevent future losses, unlike historical confirmations.
Incorrect Options:
A. Confirmation that controls are operating efficiently.
While useful for assurance, confirming existing controls only validates the status quo. It does not necessarily improve the organization unless deficiencies exist. Value is limited compared to risk-reducing recommendations.
C. Reports that state identified deficiencies were remedied during the audit.
Remediation during audit suggests immediate correction but may indicate weak control design or late detection. The greatest value comes from systemic recommendations that prevent recurrence, not just fixing isolated issues during fieldwork.
Reference:
IIA Standard 2120 – Risk Management requires evaluating the effectiveness of risk management processes. Standard 2410.A1: "Final communication of engagement results must include applicable conclusions, as well as applicable recommendations and/or action plans." IIA Position Paper: "Adding Value Across the Organization" states value is maximized through recommendations that improve risk management and governance, not merely reporting on existing controls. IPPF Core Principles 9 and 10 call for internal audit to be "insightful, proactive, and future-focused" and to "promote organizational improvement."
Which of the following would be considered out of scope for a purchasing process audit engagement?
A. Authorization of requisitions
B. Control of goods
C. Matching goods received to requisitions
Explanation:
A purchasing process audit typically covers the end-to-end procure-to-pay cycle, from requisition authorization to vendor payment. However, "control of goods" (physical custody, inventory management, warehouse security) falls under inventory or logistics management, not the purchasing process itself, making it out of scope for a purchasing-specific audit.
Correct Option:
B. Control of goods
Purchasing ends when goods are received and accepted; subsequent physical control, storage, and inventory management belong to warehousing or logistics functions.
Including goods control would expand scope beyond purchasing into areas with different risks (theft, obsolescence, inventory valuation).
A purchasing audit focuses on requisitioning, vendor selection, purchase orders, receiving, invoice matching, and payment.
Overlapping with goods control would dilute audit objectives and require additional expertise.
Incorrect Options:
A. Authorization of requisitions
Requisition authorization is a key purchasing control to prevent unauthorized or unnecessary purchases. It falls directly within purchasing process scope as it initiates the procurement cycle.
C. Matching goods received to requisitions
Matching received goods to requisitions (or purchase orders) is a critical purchasing control ensuring that only ordered and needed items are accepted. This is part of the three-way match and is central to purchasing audits.
Reference:
IIA Standard 2220 – Engagement Scope: "The established scope must be sufficient to achieve the engagement's objectives." IIA Practice Guide: "Auditing the Procurement Function" defines purchasing scope as including requisition, sourcing, purchase order, receiving, and invoice processing. Inventory control (physical custody, stock records) is explicitly excluded from purchasing audit scope unless the engagement is broadened to supply chain management.
Which of the following elements are typically included in an engagement work program?
A. Planning, objectives, and preliminary risk assessments
B. Fieldwork, analytical testing, and resources
C. Opinions and final engagement communications
Explanation:
An engagement work program is a documented plan that outlines the procedures necessary to achieve engagement objectives. It typically includes the planning phase details, specific engagement objectives, and preliminary risk assessments that guide the nature, timing, and extent of testing. This ensures a structured, risk-based approach to fieldwork.
Correct Option:
A. Planning, objectives, and preliminary risk assessments
The work program translates objectives into step-by-step procedures.
Preliminary risk assessments help prioritize areas requiring detailed testing.
Including planning steps (e.g., understanding the activity, identifying key controls) ensures completeness.
Standard 2200 – Engagement Planning requires documentation of objectives, scope, timing, and resource allocations, and Standard 2240 – Engagement Work Program requires documented work programs that achieve those objectives.
Work programs are finalized during planning before fieldwork begins.
Incorrect Options:
B. Fieldwork, analytical testing, and resources
Fieldwork is the execution phase, not a component of the work program itself. Analytical testing is a type of procedure found within a work program, but "fieldwork" as a phase is too broad. Resources (staff, budget) are documented in the engagement plan, not typically in the work program.
C. Opinions and final engagement communications
Opinions and final communications are outputs or results of the engagement, not elements of the work program. The work program guides evidence collection; opinions are formed after analysis and are reported separately in the engagement communication.
Reference:
IIA Standard 2240 – Engagement Work Program: "Internal auditors must develop and document work programs that achieve the engagement objectives." Implementation Guidance for Standard 2240 states that a work program typically includes the engagement objectives, scope, and detailed procedures for obtaining sufficient, reliable, relevant, and useful information. Practice Advisory 2200-1 lists planning steps, objectives, and risk assessments as essential inputs to the work program.
During a procurement process consulting engagement, the internal auditors reviewed contracts for the hospital's supply of medicine. Which of the following would the internal auditors most likely recommend to improve the effectiveness of the procurement process?
A. The procurement process should begin with clearly specified needs.
B. The procurement process must be comprehensively documented.
C. Only qualified procurement professionals should manage the procurement process.
Explanation:
Effectiveness in procurement means obtaining the right goods (medicine) at the right time, quality, and cost. The entire process depends on accurately specified needs. Without clear specifications, even well-documented or professionally managed procurement may fail to meet clinical requirements, leading to waste or patient safety risks.
Correct Option:
A. The procurement process should begin with clearly specified needs.
Clearly specified needs (e.g., medicine type, dosage, expiry, storage requirements) ensure suppliers provide appropriate products.
This is a prerequisite for effective sourcing, bidding, and contract management.
Vague or incorrect specifications lead to wrong products, delivery delays, or patient harm.
Standard 2130 – Control requires evaluating the effectiveness and efficiency of controls in responding to risks; needs specification is a key control for procurement effectiveness.
This recommendation addresses root cause of procurement failures.
Incorrect Options:
B. The procurement process must be comprehensively documented.
Documentation supports accountability and audit trail but does not directly improve effectiveness. A process can be well-documented yet procure wrong medicine if needs are unclear. Documentation is an efficiency/compliance control, not an effectiveness driver.
C. Only qualified procurement professionals should manage the procurement process.
Qualified professionals are important for efficiency and compliance, but even experts cannot procure effectively if needs are not specified. Competence without clear requirements still results in ineffective outcomes. This is a supporting, not primary, recommendation.
Reference:
IIA Standard 2120.A1 requires evaluation of risk management processes related to achieving objectives. COSO Framework emphasizes that control activities must be based on clear objectives. IIA Practice Guide: "Auditing the Procurement Function" states that defining requirements (needs specification) is the most critical step for procurement effectiveness. Also see ISO 20400 – Sustainable Procurement, which identifies needs identification as first principle.
Which of the following is the most important initial action for a chief audit executive to perform when establishing a new internal audit activity?
A. Establish an internal audit charter.
B. Establish a code of ethics for the internal audit activity.
C. Approve the internal audit budget.
Explanation:
The internal audit charter is the foundational document that defines the activity's purpose, authority, responsibility, and reporting relationships. Without an approved charter, the CAE has no formal mandate to perform audits, access records, or allocate resources. All other actions depend on the charter's existence.
Correct Option:
A. Establish an internal audit charter.
The charter formally establishes internal audit's position within the organization.
It defines reporting lines (e.g., to the board/audit committee and senior management).
It authorizes access to records, personnel, and physical properties relevant to the performance of engagements (Standard 1000, Interpretation).
The charter must be approved by the board and reviewed periodically.
Without a charter, the CAE lacks authority to set budgets, hire staff, or perform engagements.
Standard 1000 – Purpose, Authority, and Responsibility explicitly requires a written charter.
Incorrect Options:
B. Establish a code of ethics for the internal audit activity.
While important, the Code of Ethics is established by the IIA globally, not created by each activity. The CAE must ensure compliance with the IIA Code of Ethics, but this is subsequent to establishing the charter. The charter is the legal/structural foundation.
C. Approve the internal audit budget.
Budget approval requires existing authority granted through the charter. The CAE may develop a budget, but approval comes from the board or audit committee after the charter defines reporting lines. Budget is operational; charter is constitutional.
Reference:
IIA Standard 1000 – Purpose, Authority, and Responsibility: "The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the IPPF." Implementation Guidance for Standard 1000 treats establishing and obtaining board approval of the charter as the first step in forming a new internal audit activity, since the charter defines the reporting relationships that Standard 1110 – Organizational Independence relies on.