
CIA Part 1: Essentials of Internal Auditing · Unit 04 · Access: Premium

Domain IV: Governance, Risk Management, and Control

Prepare for Domain IV: Governance, Risk Management, and Control with CIA practice questions covering 7 topics. Part of Part 1: Essentials of Internal Auditing — build your knowledge and track your progress with CIA Practice.

Questions: 249 · Topics: 7 · Access: Premium

What’s in it.

7 topics
  • Topic 01: Corporate Governance Frameworks and Board Responsibilities (36 questions)
  • Topic 02: Risk Management Concepts, Frameworks (COSO ERM, ISO 31000) (27 questions)
  • Topic 03: Internal Control Frameworks — COSO Internal Control — Integrated Framework (30 questions)
  • Topic 04: Types of Controls (Preventive, Detective, Corrective; Manual vs. Automated) (36 questions)
  • Topic 05: Control Environment and Tone at the Top (30 questions)
  • Topic 06: Three Lines Model and Internal Audit's Role (42 questions)
  • Topic 07: Residual Risk and Risk Appetite (48 questions)

Sample questions

3 of many

A few questions from this unit, with the answer and a full explanation. The complete bank is available when you start practising.

  1. Why must internal audit have a functional reporting line to the audit committee rather than reporting solely to management?

    • Functional reporting is required only for publicly listed companies; private companies may direct internal audit to report solely to the CEO.
    • Functional reporting to the audit committee (governing body) preserves internal audit's independence, ensuring findings can be reported without management interference or suppression.
      Correct answer
    • Functional reporting to the audit committee is required because audit committee members have greater technical accounting expertise than management.
    • The audit committee sets the risk appetite and must receive internal audit reports to monitor risk levels against that appetite.
    Explanation

    The Three Lines Model and IIA Standard 1110 both require functional reporting to the audit committee (governing body) to preserve internal audit's independence. Management is the subject of many internal audit evaluations. If internal audit reported only to management, those same managers could suppress unfavourable findings, direct audit scope away from sensitive areas, or influence how findings are presented. The audit committee provides governance-level oversight without being the subject of audit work, enabling internal audit to fulfil its third-line role independently.

  2. Which of the following best describes strategic risk?

    • The risk of loss from a hazard event such as fire, flood, or theft.
    • The threat to an organisation's ability to achieve its long-term goals, such as disruptive competition or a failed acquisition.
      Correct answer
    • The risk of regulatory sanctions or financial penalties from failure to comply with laws.
    • The risk of financial loss from market movements, credit defaults, or liquidity shortfalls.
    Explanation

    Strategic risk relates to threats to the organisation's ability to achieve its long-term strategic objectives — such as disruptive technology changing the competitive landscape, a failed merger, or a major strategic misjudgement. Operational risk relates to process/people/system failures; financial risk to market, credit, or liquidity; compliance risk to regulatory breaches; reputational risk to brand damage; and hazard/pure risk to physical events like fire or flood.

  3. An organisation has moved from silo-based risk management to an ERM programme. The CFO argues that ERM adds bureaucracy without benefit because each department already manages its own risks adequately. An internal auditor is asked to evaluate this claim. Which argument most effectively challenges the CFO's position?

    • ERM's primary benefit is regulatory compliance reporting; if the organisation is not publicly listed, the CFO's argument may be valid.
    • The auditor should recommend replacing ERM with an ISO 31000 certified programme, which provides the same benefits without bureaucracy.
    • Silo-based management cannot identify risks that cross departmental boundaries or assess aggregate exposure; ERM provides the portfolio view needed for the board to make informed strategic decisions about total risk exposure.
      Correct answer
    • The CFO's argument is valid for operational risks but incorrect for financial risks, where ERM provides measurable benefits.
    Explanation

    The core benefit of ERM over silo-based management is the portfolio view: the ability to see how risks across departments interact, aggregate, and cumulate. Silo management creates blind spots where cross-cutting risks — such as a cyber attack affecting IT, finance, and operations simultaneously — are not recognised as a combined threat. The board cannot fulfil its risk oversight responsibility without an enterprise-wide risk picture. COSO ERM is not legally binding — it is a framework, not a statute — so the argument cannot rely on legal compulsion. ISO 31000 cannot be 'certified.'