CIA · Part 2: Practice of Internal Auditing · Unit 01 · Access: Premium

Domain I: Managing the Internal Audit Activity

Prepare for Domain I: Managing the Internal Audit Activity with CIA practice questions covering 8 topics. Part of Part 2: Practice of Internal Auditing — build your knowledge and track your progress with CIA Practice.

Questions: 307
Topics: 8
Access: Premium

What’s in it.

8 topics
  • Topic 01: Strategic Planning for the Internal Audit Activity (45 questions)
  • Topic 02: Risk-Based Audit Planning and Annual Audit Plan Development (33 questions)
  • Topic 03: Audit Universe and Coverage (34 questions)
  • Topic 04: Coordinating with External Auditors and Other Assurance Providers (36 questions)
  • Topic 05: Quality Assurance and Improvement Programme (QAIP) (36 questions)
  • Topic 06: Resource Management — Staffing, Budget, Technology (48 questions)
  • Topic 07: Performance Metrics for the Internal Audit Activity (33 questions)
  • Topic 08: Reporting to the Board and Audit Committee (42 questions)

Sample questions

3 of many

A few questions from this unit, with the answer and a full explanation. The complete bank is available when you start practising.

  1. Under Standard 2010.A1, the CAE must base the audit plan on a documented risk assessment and consider input from senior management and the board. How does this requirement affect the construction of the audit universe?

    • Standard 2010.A1 only applies to the risk assessment process, not to the construction of the audit universe, which is entirely the CAE's prerogative.
    • Standard 2010.A1 requires the audit universe to include only those entities explicitly approved by the board in the audit charter.
    • The audit universe must be informed by management and board input on strategic priorities and significant risks — not defined solely by the CAE. This input helps ensure the universe is comprehensive and reflects the organisation's current structure, risk profile, and strategic direction.
      Correct answer
    • Standard 2010.A1 requires management to approve each entity included in the audit universe before the CAE can add it to the audit plan.
    Explanation

    The audit universe should reflect the organisation's full range of auditable activities, informed by input from both management and the board. Management knows what processes and systems exist; the board knows what governance areas it considers significant. Both perspectives are needed to build a comprehensive, relevant audit universe. The CAE is responsible for maintaining the universe but cannot define it in isolation.

  2. What triggers a need to revise the internal audit strategic plan?

    • Significant changes in the organisation's strategy, risk environment, or stakeholder expectations
      Correct answer
    • The issuance of updated financial statements by the organisation
    • A request from the external auditors to expand their reliance on internal audit work
    • The appointment of a new senior auditor to the internal audit team
    Explanation

    The internal audit strategic plan is a living document that must be revised when significant changes occur — in organisational strategy (e.g., new CEO, major acquisition), the risk environment (e.g., new regulatory requirements, emerging technology risks), or stakeholder expectations (e.g., the board requesting expanded advisory services). Routine operational events do not trigger a plan revision.

  3. A CAE benchmarks internal audit performance against IIA CBOK data and finds: average engagement duration 24 days vs CBOK median 14 days; plan completion rate 82% vs CBOK median 91%; report cycle time 28 days vs CBOK median 12 days. Management uses this to argue that internal audit is underperforming on all dimensions. How should the CAE respond to management's interpretation?

    • The CAE should reject the CBOK benchmarking data entirely since it is not collected from directly comparable organisations
    • The CAE should contextualise the benchmark data: CBOK medians represent all organisations across many sizes and risk profiles; if the organisation has complex processes, large regulatory requirements, or a small audit team relative to its audit universe, the variances may be explained by context rather than poor performance — but the CAE should also investigate whether process improvements are achievable
      Correct answer
    • The CAE should commission an immediate external QAIP assessment to determine whether the CBOK comparison indicates Standards non-conformance
    • The CAE should present only the metrics where performance exceeds CBOK medians and exclude the underperforming metrics from the management discussion
    Explanation

    Benchmarking data must be interpreted in context. CBOK medians aggregate data from organisations of all sizes, industries, and risk profiles. An internal audit function in a large, heavily regulated, complex financial institution will naturally take longer per engagement and produce more detailed reports than the median organisation. The CAE should: acknowledge the data, investigate whether the variances reflect genuine process inefficiencies or legitimate contextual factors, and present a balanced analysis to management. Where genuine improvement opportunities exist (e.g., report cycle time of 28 days might be reducible), the CAE should develop improvement plans. But matching CBOK medians regardless of context could compromise quality in complex engagements.