Part 2: Practice of Internal Auditing
Prepare for Part 2: Practice of Internal Auditing with CIA practice questions covering 33 topics. Build your knowledge, track your progress, and study effectively with CIA Practice.
What’s in it.
5 units
- Unit 01, Domain I: Managing the Internal Audit Activity (Access: Premium · 307 questions · 8 topics)
- Unit 02, Domain II: Planning the Engagement (Access: Premium · 238 questions · 6 topics)
- Unit 03, Domain III: Performing the Engagement (Access: Premium · 175 questions · 9 topics)
- Unit 04, Domain IV: Communicating Results (Access: Premium · 295 questions · 7 topics)
- Unit 05, Domain V: Monitoring Progress (Access: Premium · 211 questions · 3 topics)
Sample questions
3 of many
A few questions from this module, with the answer and a full explanation. The complete bank is available when you start practising.
An entity's board has approved a risk appetite statement specifying that the organisation will not accept residual risk above 'medium' in any financial reporting process. During engagement planning, the auditor assesses residual risk in the accounts payable process as 'high'. What action does the risk appetite framework most directly require?
- The auditor should revise the risk rating to 'medium' to align with the board's stated preference before finalising the risk assessment.
- The auditor should reflect this as a risk appetite breach — residual risk exceeds the board's stated tolerance — and ensure the engagement objectives address whether controls are sufficient to reduce risk to the approved level. (Correct answer)
- The auditor should reduce the scope of the engagement to avoid reporting a finding that contradicts the board's risk appetite.
- The auditor should escalate the matter to the external auditor immediately, as financial reporting risk above medium requires statutory audit attention.
Explanation: Risk appetite provides the reference standard for the risk assessment. When residual risk in a process exceeds the board's stated tolerance, this is itself a significant finding — the entity is operating outside its approved risk boundaries. The auditor must reflect this in the risk assessment and design engagement objectives that specifically address whether controls are adequate to reduce risk to within appetite. Adjusting the rating downward to match the appetite statement, deferring the engagement, or reducing scope would all be inappropriate — they would either misrepresent the risk environment or reduce the audit's ability to provide meaningful assurance.
In a conglomerate where divisional risk acceptances are governed by divisional boards and the group CAE reports to the group audit committee, management at a subsidiary level formally accepts a risk that the group CAE considers excessive. The subsidiary CEO (who is not a group board member) dismisses the concern. What governance structure considerations should guide the CAE's next step?
- The group CAE should escalate to the subsidiary board as they have primary governance responsibility for the subsidiary's risks
- The group CAE should escalate to the group audit committee as the appropriate governance body with oversight over risk acceptances across the conglomerate, and should document whether the subsidiary's acceptance is within group-level risk appetite. (Correct answer)
- The group CAE should accept the subsidiary CEO's decision because they are senior management at the relevant entity level
- The group CAE should report the matter to the financial regulator because conglomerate risk acceptances have systemic implications
Explanation: In a conglomerate structure, the group CAE's functional reporting to the group audit committee means that the group-level governance body is the appropriate recipient of an escalation that the subsidiary's management has not resolved. The group audit committee has oversight responsibility for risk management across the conglomerate and can direct the subsidiary to reconsider, escalate within the group board structure, or formally accept the risk at the group level. The subsidiary CEO is not the resolving authority when the group CAE considers the risk excessive from a group-wide perspective. The subsidiary's own board, external auditors, and financial regulators are not the appropriate first escalation points for an internal governance matter.
Under what circumstances may audit results be shared with parties outside the organisation?
- External sharing is permitted only when the board has given advance written approval for each specific disclosure
- Audit results may never be shared outside the organisation under any circumstances
- Audit results may be freely shared with any external party at the CAE's discretion
- When required by regulation, compelled by legal process, or agreed under coordination protocols with external auditors — subject to including appropriate limitations statements and consulting legal counsel as needed. (Correct answer)
Explanation: Standard 2440.A2 and Standard 2410.A3 govern external disclosure. Audit results may be shared externally when: required by regulatory obligation (e.g., disclosure to prudential regulators in regulated industries); compelled by legal process (court orders, subpoenas); or agreed with external auditors under coordination protocols. When results are released to external parties, Standard 2410.A3 requires the communication to include limitations on distribution and use. Legal counsel should be consulted when legal privilege or regulatory considerations are involved. Discretionary external sharing (e.g., to investors or third parties) requires organisational approval and appropriate limitations statements.