Free IIA-IAP Practice Test Questions 2026

100 Questions


Last Updated On : 12-Jun-2026


What is the primary objective for testing controls?


A. To determine whether controls are operating effectively.


B. To understand whether a control is in place.


C. To identify major patterns of errors or irregularities that might exist in final account balances.





A. To determine whether controls are operating effectively.

Explanation:
Testing controls is performed to obtain evidence that controls are operating effectively, meaning they prevent or detect material misstatements or risks in a timely manner. This involves testing both design (whether the control is suitably designed) and operating effectiveness (whether it works as intended over time).

Correct Option:

A. To determine whether controls are operating effectively.
Operating effectiveness means the control works consistently throughout the period.
Testing includes inquiry, observation, inspection, and re-performance.
Effectiveness testing confirms that the control reduces risk to an acceptable level.
Standard 2310 – Identifying Information requires evidence that controls are effective.
This is distinct from understanding control design (walkthroughs) or identifying errors in balances.

Incorrect Options:

B. To understand whether a control is in place.
Understanding whether a control exists (design assessment) is a preliminary step, usually done via walkthroughs during planning. The primary objective of testing is to confirm operating effectiveness, not just existence.

C. To identify major patterns of errors or irregularities that might exist in final account balances.
This describes substantive testing (directly verifying account balances), not control testing. Control testing focuses on the processes that prevent or detect errors, not on finding errors in final balances themselves.

Reference:
IIA Standard 2310 – Identifying Information: "Sufficient, reliable, relevant, and useful information must be obtained to achieve engagement objectives." Implementation Guidance distinguishes between understanding control design (walkthroughs) and testing operating effectiveness (control testing). Also see IIA Practice Guide: "Control Testing and Documentation" – primary objective is effectiveness, not existence or error detection in balances.

In the absence of any action to control or modify the circumstances, the probability of loss arising from circumstances existing in an environment is known as which of the following types of risk?


A. Residual


B. Inherent


C. Control





B. Inherent

Explanation:
Inherent risk is the risk that exists in the absence of any management action or controls. It represents the natural exposure to loss based solely on the nature of the activity, transaction, or environment. This is the starting point before considering how controls might mitigate the risk.

Correct Option:

B. Inherent
Inherent risk assumes no controls are applied to modify the outcome.
It is based on factors like complexity, transaction volume, asset liquidity, or external environment.
Auditors assess inherent risk to determine where controls are most needed.
Standard 2010.A1 requires the CAE to consider inherent risks in audit planning.
Contrast with residual risk, which is risk remaining after controls.

Incorrect Options:

A. Residual
Residual risk is the risk that remains after management has implemented controls. The question explicitly says "in the absence of any action to control or modify circumstances," which excludes residual risk because residual risk considers controls already in place.

C. Control
Control risk is the risk that existing controls will fail to prevent or detect material misstatements or losses. This assumes controls exist but may be ineffective. The question describes a scenario with no controls at all, making inherent risk the correct term.

Reference:
IIA Standard 2010.A1 – Planning: "The internal audit activity's plan of engagements must be based on a documented risk assessment, undertaken at least annually... The input of senior management and the board must be considered." Implementation Guidance defines inherent risk as "risk in the absence of any actions to alter its likelihood or impact." Also see COSO ERM Framework, which distinguishes inherent risk (no controls) from residual risk (after controls).

During a travel expense audit engagement, the internal auditor discovered that the accounts payable staff spend a significant amount of time previewing expense reports before the reports are sent to managers for review and approval. The total of all expense reports during a year represents less than 1% of the organization’s total budget. Which of the following best supports the auditor’s recommendation to reduce the level of reviews?


A. The inherent risk of travel expense fraud is low.


B. The cost of the control outweighs the benefit.


C. The duplication of effort in the review process is unnecessary.





B. The cost of the control outweighs the benefit.

Explanation:
The auditor observed that accounts payable staff extensively preview expense reports before manager review. Since travel expenses are less than 1% of the total budget, the cost (staff time) of this dual-review control likely exceeds the potential loss from undetected errors or fraud. This supports a risk-based recommendation to reduce redundant reviews.

Correct Option:

B. The cost of the control outweighs the benefit.
Controls should be cost-effective; if implementation cost exceeds potential loss, the control may be inefficient.
Travel expenses represent less than 1% of budget, so maximum potential loss is relatively small.
Dual review (AP preview + manager approval) duplicates effort without proportional benefit.
Standard 2120.A2 requires evaluating whether control costs are reasonable relative to potential risks.
Recommendation to streamline is justified by cost-benefit analysis.

Incorrect Options:

A. The inherent risk of travel expense fraud is low.
Low inherent risk might suggest less need for controls, but it does not directly justify removing an existing control. The auditor's observation focuses on control duplication and cost, not on fraud risk level alone. Inherent risk could still be moderate despite small budget percentage.

C. The duplication of effort in the review process is unnecessary.
Calling the duplication "unnecessary" assumes the fact without analysis. The justification for reducing reviews rests on cost-benefit (value for money), not merely the presence of duplication. Some duplication may be justified for high-risk areas; here, low budget percentage makes it inefficient.

Reference:
IIA Standard 2120.A2: "Internal auditors must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk." Implementation Guidance for Standard 2130 – Control states: "Controls must be cost-effective... The cost of a control should not exceed the benefit derived from it." Also see COSO Internal Control – Control Environment principle on balancing control costs with benefits.

Which sampling technique uses a nonrandom selection process that is expected to be representative of the population as a whole?


A. Judgmental sampling.


B. Haphazard sampling.


C. Attribute sampling.





A. Judgmental sampling.

Explanation:
Judgmental sampling (also called purposive or expert sampling) is a nonrandom selection technique where the auditor uses professional judgment to choose sample items believed to be representative of the population. While not statistically valid, it relies on the auditor's knowledge and experience to select typical or high-risk items.

Correct Option:

A. Judgmental sampling.
Judgmental sampling is nonrandom because the auditor deliberately selects specific items.
The expectation of representativeness comes from the auditor's expertise and understanding of the population.
Common uses include testing controls where randomness is impractical or population is homogeneous.
Results cannot be statistically projected to the entire population.
Standard 2330 – Documenting Information allows judgmental sampling when appropriate.

Incorrect Options:

B. Haphazard sampling.
Haphazard sampling attempts to be random without a structured method (e.g., picking items without bias). It is still nonstatistical but does not rely on deliberate judgment for representativeness. The technique itself does not ensure representativeness; bias may occur.

C. Attribute sampling.
Attribute sampling is a statistical sampling method used to estimate the rate of occurrence (e.g., deviation rate) in a population. It requires random selection and allows mathematical projection. It is not a nonrandom technique, so it does not match the question's description.

Reference:
IIA Standard 2330 – Documenting Information: "Internal auditors must document sufficient, reliable, relevant, and useful information to support engagement results." Practice Advisory 2330-1 discusses sampling methods. Also see IIA Practice Guide: "Audit Sampling" – Judgmental sampling is nonstatistical, relies on auditor expertise, and expects representativeness without randomness. Contrast with haphazard (no deliberate judgment pattern) and attribute (statistical) sampling.

Which of the following statements best describes quality audit workpapers?


A. They should be relevant and interesting.


B. They should be electronic and indexed.


C. They should be understandable and complete.





C. They should be understandable and complete.

Explanation:
Quality audit workpapers must support engagement conclusions and be useful for review by other auditors or supervisors. The two primary characteristics are understandability (clear logic, labeling, and organization) and completeness (all necessary evidence, cross-references, and documentation). Without these, workpapers fail to demonstrate due professional care.

Correct Option:

C. They should be understandable and complete.
Understandable means another qualified auditor can follow the work without additional explanation.
Complete means all procedures performed, evidence obtained, and conclusions reached are documented.
Standard 2330 – Documenting Information requires workpapers to support engagement results.
Incomplete or confusing workpapers impair review quality and audit defense.
These characteristics align with the IIA's requirements for sufficient and reliable information.

Incorrect Options:

A. They should be relevant and interesting.
While relevance is important (workpapers must relate to engagement objectives), "interesting" is not a quality criterion for audit documentation. Workpapers are professional records, not narrative publications. Interesting content is irrelevant to audit quality.

B. They should be electronic and indexed.
Electronic format and indexing are methods of organizing workpapers but are not universal quality descriptors. Many quality workpapers are paper-based. Indexing supports organization but does not itself define quality; understandability and completeness are fundamental regardless of medium.

Reference:
IIA Standard 2330 – Documenting Information: "Internal auditors must document sufficient, reliable, relevant, and useful information to support engagement results." Implementation Guidance specifies that workpapers should be "complete, accurate, concise, and clearly understandable." Also see Practice Advisory 2330-1: "Workpapers should be organized and contain adequate information for a reviewer to understand the nature, timing, extent, and results of procedures."

Operational management has asked the internal auditor for recommendations regarding an ineffective process. According to IIA guidance, which of the following would be the auditor's most appropriate response?


A. Refrain from providing recommendations to preserve audit independence.


B. Agree to offer recommendations based on observations and conclusions.


C. Explain that only management should recommend and implement the corrective action.





B. Agree to offer recommendations based on observations and conclusions.

Explanation:
IIA guidance explicitly permits internal auditors to provide recommendations as part of consulting or even assurance engagements. Recommendations based on observations and conclusions add value and help management improve processes. Refusing to offer recommendations when asked would not serve the organization's best interests.

Correct Option:

B. Agree to offer recommendations based on observations and conclusions.
Standard 2240.A1 requires engagement work programs to include procedures for developing recommendations when appropriate.
Recommendations are constructive and help management address root causes.
Providing recommendations does not impair independence as long as the auditor does not assume management responsibility for implementing them.
Standard 1130 allows consulting services that do not create self-review threats.
Refusing would violate the IIA's mission to provide advice and insight.

Incorrect Options:

A. Refrain from providing recommendations to preserve audit independence.
This misinterprets independence. Independence refers to freedom from conditions that threaten objectivity. Providing recommendations (without implementing them) is a standard consulting activity and does not impair independence if properly managed.

C. Explain that only management should recommend and implement the corrective action.
Management implements corrective action, but internal auditors routinely recommend actions. Telling management that only they should recommend denies the value of audit insights and contradicts IIA guidance that encourages recommendations.

Reference:
IIA Standard 2240.A1: "Engagement work programs must include procedures for identifying, analyzing, evaluating, and documenting sufficient information to achieve the engagement's objectives." Implementation Guidance for Standard 2240 states that recommendations are part of engagement communications. IIA Code of Ethics – Principle of Confidentiality does not restrict recommendations. Standard 1130 allows consulting without assuming management responsibility. IPPF Mission includes "providing insight and advice."

Which of the following analytical procedures would be most effective for an internal auditor to examine changes in performance over time?


A. Trend analysis


B. Ratio analysis


C. Analysis of common size financial statements





A. Trend analysis

Explanation:
Analytical procedures compare information to identify unusual fluctuations or patterns. Trend analysis specifically examines data over multiple time periods (e.g., monthly, quarterly, annually) to identify consistent patterns, upward/downward movements, or unexpected changes. This directly addresses examining changes in performance over time.

Correct Option:

A. Trend analysis
Trend analysis compares current performance data with prior periods to identify significant changes.
It answers the question: "How has performance changed over time?"
Examples include comparing monthly sales, production output, or expense patterns across years.
Standard 2320 – Analysis and Evaluation requires auditors to use analytical procedures, including trend analysis.
Trend analysis detects unexpected variances that may indicate errors, fraud, or process issues.

Incorrect Options:

B. Ratio analysis
Ratio analysis compares relationships between two or more variables at a point in time (e.g., current ratio, inventory turnover). While useful for financial health assessment, ratios typically compare elements within the same period, not changes over multiple time periods.

C. Analysis of common size financial statements
Common size analysis expresses financial statement items as percentages of a base (e.g., total assets or revenue) for a single period or across periods. Primarily used for structural comparison within periods, it is less effective than trend analysis for examining performance changes over time.

Reference:
IIA Standard 2320 – Analysis and Evaluation: "Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations." Practice Advisory 2320-1 lists analytical procedures including trend analysis, ratio analysis, and regression analysis. Specifically: "Trend analysis involves comparing current data with prior periods to identify significant changes." Also see GTAG: "Analytical Procedures in Internal Audit" – trend analysis is preferred for examining performance over time.

Which of the following would an internal auditor most likely use to document a complex process that includes risks and controls, timelines, and ownership of key steps?


A. Process map.


B. Detailed flowchart.


C. Risk and control matrix.





C. Risk and control matrix.

Explanation:
A risk and control matrix (RCM) is a comprehensive documentation tool that integrates multiple elements: process steps, associated risks, control activities, control ownership, and sometimes timelines. Unlike simple flowcharts, an RCM explicitly links each risk to corresponding controls and responsible parties, making it ideal for complex processes.

Correct Option:

C. Risk and control matrix.
RCM combines risks, controls, process steps, ownership, and testing status in one structured document.
It supports risk-based auditing by identifying where controls address specific risks.
Ownership column assigns responsibility for each key control or process step.
Timelines can be embedded (e.g., frequency of control execution).
Standard 2120 – Risk Management requires documentation of risk and control relationships.
RCM is a standard tool in audit workpapers for complex engagements.

Incorrect Options:

A. Process map.
A process map shows workflow and sequence of activities but typically does not explicitly document risks, controls, or ownership. It provides visual process understanding but lacks the integrated risk-control-owner linkage of an RCM.

B. Detailed flowchart.
A detailed flowchart (e.g., cross-functional swimlane diagram) shows tasks, decision points, and handoffs. While it may indicate who performs steps, it generally does not document associated risks or control objectives systematically. Less comprehensive than an RCM.

Reference:
IIA Standard 2130 – Control: "Internal auditors must evaluate the effectiveness and efficiency of controls." Practice Guide: "Risk and Control Matrices" states an RCM documents risks, controls, process owners, and control frequency. Also see GTAG: "Auditing Risk Management" – RCM is preferred for complex processes because it integrates multiple dimensions. COSO Internal Control framework suggests using matrices to link risks to control activities.

During an accounts payable audit engagement, the internal auditor found that vendor invoices are always paid 30 days after the invoice date, regardless of the vendor's payment terms. The auditor also discovered that accounts payable employees are not comparing vendor invoices received to previous vendor invoices prior to payment. Based on the auditor's observations, what are the potential risks?


A. Poor cash management due to potentially lost payment discounts


B. Poor cash management due to potentially paying fraudulent invoices


C. Poor cash management due to potentially paying the wrong vendors





A. Poor cash management due to potentially lost payment discounts

Explanation:
Paying all invoices at 30 days regardless of vendor terms ignores early payment discounts (e.g., "2/10, n/30"). This represents poor cash management because the organization misses opportunities to reduce costs. The second observation (not comparing invoices to previous ones) was not the direct cause of this specific risk.

Correct Option:

A. Poor cash management due to potentially lost payment discounts
Vendors often offer discounts for early payment (e.g., 2% discount if paid within 10 days).
Paying at a fixed 30 days means the organization loses these discounts unnecessarily.
Lost discounts directly impact cash management and profitability.
Standard 2120 – Risk Management requires evaluating risks affecting financial performance.
The fixed payment policy ignores commercial terms, indicating ineffective accounts payable controls.

Incorrect Options:

B. Poor cash management due to potentially paying fraudulent invoices
Paying fraudulent invoices relates to the second observation (not comparing to previous invoices). However, the 30-day fixed payment policy does not directly cause fraudulent payments; that risk arises from inadequate verification controls. This option incorrectly links the primary observation to fraud risk.

C. Poor cash management due to potentially paying the wrong vendors
Paying wrong vendors typically results from vendor master data errors or invoice approval failures. While related to the second observation (lack of comparison), the 30-day payment policy does not cause wrong vendor payments. This misattributes the risk.

Reference:
IIA Standard 2120 – Risk Management requires auditors to evaluate risk exposures. IIA Practice Guide: "Auditing Accounts Payable" identifies early payment discounts as a key cash management control. Failure to take discounts is a common finding in AP audits. Also see COSO principle on control activities: timely payment terms should be aligned with vendor agreements. Fixed 30-day policy ignoring terms indicates ineffective process design.

An internal auditor discovers a number of control concerns while reviewing the organization’s online payment system and decides to interview key employees involved in the system's design and maintenance. Which of the following best describes the results of those interviews?


A. Testimonial evidence.


B. Documentary evidence.


C. Analytical evidence.





A. Testimonial evidence.

Explanation:
Evidence obtained through interviews, verbal statements, or survey responses is classified as testimonial evidence. It relies on what individuals say rather than documents or physical objects. While useful for understanding processes and gathering insights, testimonial evidence is generally considered less reliable than documentary or physical evidence because it is subject to bias, memory errors, or misstatement.

Correct Option:

A. Testimonial evidence.
Testimonial evidence comes from oral or written statements obtained from individuals.
Interviews with design and maintenance employees provide firsthand accounts but are not independent.
Standard 2310 – Identifying Information requires reliable evidence; testimonial evidence should be corroborated where possible.
This type of evidence helps explain why control concerns exist and how systems operate.
It contrasts with documentary (written records) and physical (tangible assets) evidence.

Incorrect Options:

B. Documentary evidence.
Documentary evidence includes written records such as policies, system logs, transaction reports, or design specifications. Interview results are spoken or noted statements, not original documents created as part of system operations.

C. Analytical evidence.
Analytical evidence results from analyzing relationships among data (e.g., trend analysis, ratio comparisons). Interviews do not produce analytical evidence; they produce qualitative information through human responses.

Reference:
IIA Standard 2310 – Identifying Information: "Internal auditors must identify sufficient, reliable, relevant, and useful information." Implementation Guidance defines testimonial evidence as "information obtained through interviews, inquiries, and questionnaires." Practice Advisory 2310-1 ranks evidence reliability: documentary > testimonial > analytical, noting testimonial requires corroboration. Also see IIA Glossary: "Testimonial evidence – Evidence obtained from interviews or statements of individuals."

According to the IIA’s Code of Ethics, which of the following best describes the conduct of an internal auditor who demonstrates the principle of competency?


A. The auditor continually improves her proficiency and the effectiveness and quality of her services


B. The auditor is prudent in the use and protection of information acquired in the course of her work


C. The auditor does not accept anything that may impair or be presumed to impair her professional judgment





A. The auditor continually improves her proficiency and the effectiveness and quality of her services

Explanation:
The IIA Code of Ethics has four principles: Integrity, Objectivity, Confidentiality, and Competency. Competency specifically requires internal auditors to continually improve their proficiency, apply knowledge, perform services in accordance with standards, and maintain quality. Option A directly describes continuous improvement, which falls under Competency.

Correct Option:

A. The auditor continually improves her proficiency and the effectiveness and quality of her services
Competency includes maintaining professional knowledge and skills through ongoing education.
Continually improving proficiency directly aligns with Rule of Conduct for Competency.
Standard 1230 – Continuing Professional Development requires auditors to enhance knowledge.
This reflects the principle of performing services only when competent and continuously improving.
The other options relate to other Code of Ethics principles.

Incorrect Options:

B. The auditor is prudent in the use and protection of information acquired in the course of her work
This describes the principle of Confidentiality, not Competency. Confidentiality requires protecting sensitive information and not disclosing without proper authorization.

C. The auditor does not accept anything that may impair or be presumed to impair her professional judgment
This describes the principle of Objectivity, not Competency. Objectivity requires avoiding conflicts of interest, gifts, or anything that biases professional judgment.

Reference:
IIA Code of Ethics – Principle of Competency: "Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services." Rule of Conduct under Competency: "Internal auditors shall continually improve their proficiency and the effectiveness and quality of their services." Also see Standard 1230 – Continuing Professional Development. The other options correspond to Confidentiality (Rule 3) and Objectivity (Rule 2).

If an internal auditor needs to evaluate compliance with an internal control policy, which sampling method is most appropriate?


A. Attribute sampling


B. Difference estimation sampling


C. Probability-proportional-to-size sampling





A. Attribute sampling

Explanation:
Attribute sampling is used to estimate the rate of occurrence (proportion) of a specific characteristic in a population—for example, the percentage of transactions that lack proper approval. Since compliance testing asks whether a control was applied or not (yes/no), attribute sampling is the appropriate statistical method for such evaluations.

Correct Option:

A. Attribute sampling
Attribute sampling tests binary conditions: control applied (no error) or not applied (error).
Results are expressed as a deviation rate (e.g., 2% missing approvals).
Compliance testing focuses on control effectiveness, which aligns with attribute sampling objectives.
Standard 2330 – Documenting Information supports statistical sampling when appropriate.
Common in tests of controls for policies, authorizations, and approvals.

Incorrect Options:

B. Difference estimation sampling
Difference estimation is a variables sampling method used to estimate a monetary amount (e.g., total overpayment). It is appropriate for substantive testing of dollar values, not for testing compliance with a control that yields yes/no results.

C. Probability-proportional-to-size (PPS) sampling
PPS sampling (also a variables/monetary unit sampling method) selects items based on their dollar value. It is designed to detect monetary misstatements, not to measure compliance rates. PPS is used in substantive testing, not compliance testing.

Reference:
IIA Practice Guide: "Audit Sampling" – Attribute sampling is used for tests of controls (compliance testing) to estimate a population deviation rate. Variables sampling (including difference estimation and PPS) is used for substantive testing of monetary amounts. Standard 2310 – Identifying Information requires appropriate sampling methods based on engagement objectives. Also see AICPA AU-C 530 – Audit Sampling, which distinguishes attribute sampling (controls) from variables sampling (substantive).



What Makes Our Internal Audit Practitioner Practice Test So Effective?

Real-World Scenario Mastery: Our IIA-IAP practice exams don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.

Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention before the Internal Audit Practitioner exam day arrives.

Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive IIA-IAP practice exam questions pool covering all topics, the real exam feels like just another practice session.