
CIA · Part 2: Practice of Internal Auditing · Unit 03 · Access: Premium

Domain III: Performing the Engagement

Prepare for Domain III: Performing the Engagement with CIA practice questions covering 9 topics. Part of Part 2: Practice of Internal Auditing — build your knowledge and track your progress with CIA Practice.

Questions: 175
Topics: 9
Access: Premium

What’s in it.

9 topics
  • Topic 01: Information Gathering Techniques — Interviews, Observation, Flowcharting, Walkthroughs (37 questions)
  • Topic 02: Sampling Techniques — Statistical and Judgement Sampling (32 questions)
  • Topic 03: Data Analytics in Audit Fieldwork (16 questions)
  • Topic 04: Analysis and Evaluation of Evidence (16 questions)
  • Topic 05: Root Cause Analysis (15 questions)
  • Topic 06: Identifying Control Deficiencies and Exceptions (15 questions)
  • Topic 07: Engagement Supervision (15 questions)
  • Topic 08: Working Paper Standards — Documentation, Indexing, Retention (15 questions)
  • Topic 09: Using the Work of Others (Specialists, Co-Sourcing) (14 questions)

Sample questions

3 of many

A few questions from this unit, with the answer and a full explanation. The complete bank is available when you start practising.

  1. What are the main categories of 'others' whose work internal audit may rely upon?

    • Only co-sourced providers who are engaged under a formal service level agreement approved by the board
    • Only the risk management and compliance functions as second-line functions in the Three Lines Model
    • Internal specialists and co-sourced providers only — external specialists are considered independent and cannot be relied upon
    • Internal specialists, external specialists, co-sourced providers, and other assurance functions (external auditors, risk management, compliance)
      Correct answer
    Explanation

    IIA Standards and guidance identify four main categories of 'others' whose work internal audit may rely upon: (1) internal specialists — organisation employees with specialised expertise not in the audit function; (2) external specialists — third-party experts engaged for specific expertise; (3) co-sourced providers — external firms supplementing the in-house team; and (4) other assurance functions — external auditors, risk management, compliance, and control self-assessment processes. Each category requires assessment of competence and objectivity before reliance can be placed.

  2. Does the IIA specify a universal minimum retention period for working papers?

    • No — working papers need not be retained after the audit report has been issued and all review notes are closed
    • No — retention periods are set at the discretion of each individual auditor for their own working papers
    • No — the IIA does not specify a universal retention period; retention must comply with applicable laws, regulations, and organisational policy
      Correct answer
    • Yes — the IIA requires retention until the external auditors have completed their annual review of internal audit work
    Explanation

    The IIA defers to applicable laws, regulations, and organisational guidelines for determining working paper retention periods. Standard 2330.A2 requires the CAE to develop retention requirements that comply with these external requirements — it does not prescribe a specific number of years. Common periods in practice range from 5 to 7 years, but financial services firms, government agencies, or organisations subject to specific regulations may be required to retain records for longer. The important principle for the CIA exam is that retention is governed by law and policy, not the IIA's direct specification.

  3. What factors does an auditor consider when assessing the significance of a control deficiency?

    • Whether the deficiency relates to a financial control or an operational control, and whether it was previously reported
    • The seniority of the person responsible for the control and the length of time the deficiency has existed
    • The number of exceptions found in the sample and the deviation rate compared to the tolerable rate
    • Financial exposure, likelihood, frequency, pervasiveness, intentionality, sensitivity of data affected, compensating controls, and detectability
      Correct answer
    Explanation

    Significance assessment requires consideration of multiple factors: (1) Financial exposure — actual or potential monetary impact; (2) Likelihood — probability of a negative outcome; (3) Frequency — how often the failure occurs; (4) Pervasiveness — does it affect one area or the whole organisation; (5) Intentionality — is there evidence of deliberate override vs. error; (6) Sensitivity — does the control protect particularly sensitive data; (7) Compensating controls — do other controls mitigate the impact; (8) Detectability — would failure be caught by other means. Significance is a multi-factor judgment, not a single metric.