
CIA · Part 2: Practice of Internal Auditing · Unit 04 · Access: Premium

Domain IV: Communicating Results

Prepare for Domain IV: Communicating Results with CIA practice questions covering 7 topics. Part of Part 2: Practice of Internal Auditing — build your knowledge and track your progress with CIA Practice.

Questions: 295
Topics: 7
Access: Premium

What’s in it.

7 topics
  • Topic 01: Communication Standards — Criteria for Effective Audit Communications (79 questions)
  • Topic 02: Interim and Final Report Structure and Content (66 questions)
  • Topic 03: Audit Findings — Condition, Criteria, Cause, Effect, Recommendation (77 questions)
  • Topic 04: Quality and Accuracy of Audit Communications (25 questions)
  • Topic 05: Error and Omission Criteria (15 questions)
  • Topic 06: Management Response and Action Plans (15 questions)
  • Topic 07: Distributing Audit Results — Confidentiality and Disclosure (18 questions)

Sample questions

3 of many

A few questions from this unit, with the answer and a full explanation. The complete bank is available when you start practising.

  1. What is the purpose of the 'effect' attribute in an audit finding?

    • To explain the actual or potential consequences of the deviation, establishing why the finding matters and why action is justified
      Correct answer
    • To identify the standard or policy that the observed condition has failed to meet
    • To document the impact of the finding on the next audit's risk assessment and scope
    • To state the corrective action management has agreed to implement to address the finding
    Explanation

    The effect attribute answers 'so what' — it states the actual or potential consequence of the condition and establishes why the finding is important. Effect should be expressed in terms meaningful to management: financial loss, reputational damage, regulatory penalty, operational disruption, or fraud risk. Quantifying the effect increases the persuasiveness of the finding and management's motivation to act. The effect is not the auditor's overall conclusion, management's response, the criteria, the root cause analysis, or a future audit planning note.

  2. According to IIA Standard 2420, which seven criteria must all audit communications satisfy?

    • Accurate, objective, clear, brief, constructive, complete, and timely
    • Relevant, objective, clear, concise, constructive, complete, and timely
    • Accurate, objective, clear, concise, constructive, complete, and timely
      Correct answer
    • Accurate, objective, transparent, concise, constructive, complete, and timely
    Explanation

    IIA Standard 2420 enumerates exactly seven quality criteria: accurate, objective, clear, concise, constructive, complete, and timely. All seven must be satisfied simultaneously — the Standard provides no hierarchy among them. Substituting terms such as 'independent', 'transparent', or 'balanced' misrepresents the Standard's language.

  3. An audit finding involves an IT system that allows users to access records outside their assigned security role. The criteria cited is the organisation's information security policy, which requires role-based access controls. The cause states: 'The access control settings were not updated when role assignments changed.' Management argues that this is not a 'root' cause because the system administrator also failed to perform quarterly access reviews that would have caught the gap. How should the auditor address this?

    • The auditor should replace the cause with a summary of management's position to avoid further dispute and maintain a constructive relationship
    • The auditor should remove the cause attribute entirely since it is disputed and reframe the finding with condition, criteria, effect, and recommendation only
    • The auditor should revise the cause to state only the absence of quarterly reviews, because the most recent preventive control failure is always the primary root cause
    • The auditor should update the cause to reflect both the failure to update access settings when roles changed and the absence of periodic access reviews as contributing root causes, and ensure the recommendation addresses both
      Correct answer
    Explanation

    When management's challenge reveals that a finding's cause statement is incomplete rather than incorrect, the auditor should revise the cause to reflect all contributing root causes. In this case, both the failure to update access settings when roles changed and the absence of periodic access reviews are genuine root causes that independently contributed to the control failure. The recommendation must then address both: updating the process for maintaining role-based access settings when assignments change, and reinstating (or establishing) a regular access review procedure. Accepting only one cause when two are identified would make the recommendation incomplete.