CCIA Practice
Sign inStart free
Home / PART2 · Part 2: Practice of Internal Auditing / Domain V: Monitoring Progress

CIA·PART2 · Part 2: Practice of Internal Auditing·UnitPART2 · Unit 05Access: Premium

Domain V: Monitoring Progress

Prepare for Domain V: Monitoring Progress with CIA practice questions covering 3 topics. Part of Part 2: Practice of Internal Auditing — build your knowledge and track your progress with CIA Practice.

Questions
211
Topics
3
Access
Premium

What’s in it.

3 topics
  • Topic 01

    Following Up on Audit Findings

    90 questions
  • Topic 02

    Monitoring Management Action Plans

    82 questions
  • Topic 03

    Communicating the Acceptance of Risk by Senior Management

    39 questions

Sample questions

3 of many

A few questions from this unit, with the answer and a full explanation. The complete bank is available when you start practising.

  1. An audit committee report shows 18 repeat findings out of 60 closed findings — a 30% recurrence rate. The committee asks the CAE to explain both why the recurrence rate is so high and what changes to the monitoring process would reduce it. What is the most appropriate response?

    • Explain that the recurrence rate reflects incomplete audit coverage in prior years and propose expanding the audit plan to cover all areas annually
    • Explain that a 30% recurrence rate is within industry norms and that no process change is required
    • Conduct a retrospective analysis of the 18 recurring findings to identify whether they share common root causes (e.g., inadequate original action plans, no independent verification, insufficient depth of testing), and propose specific process improvements such as enhanced root cause assessment at the MAP design stage and mandatory operating effectiveness testing before closure
      Correct answer
    • Propose reducing the number of findings issued in future to reduce the denominator and therefore the recurrence rate
    Explanation

    A 30% recurrence rate is a material quality issue requiring systematic analysis. The CAE should examine the 18 recurring findings to identify shared characteristics: were the original action plans vague, was independent verification inadequate, was operating effectiveness untested? Based on that analysis, specific process improvements should be proposed — better MAP design standards, mandatory root cause assessment, and operating effectiveness testing before closure. Explaining away recurrence as normal, external, or as a denominator problem, or suppressing recurring findings, would be misleading to the committee.

  2. What is the risk of internal audit taking an overly prescriptive role in designing management action plans?

    • It allows internal audit to set more achievable timelines that reduce the number of overdue action plans
    • It ensures that action plans address root causes, which improves the overall effectiveness of the follow-up process
    • It compromises internal audit's independence because internal audit would then be auditing its own recommendations, creating a self-review threat
      Correct answer
    • It increases the quality of action plans by ensuring they are specific enough to be monitored effectively
    Explanation

    If internal audit designs the corrective actions that management is expected to implement, internal audit would subsequently be assessing whether its own recommendations were followed correctly — a self-review threat that compromises independence. Internal audit's role is to advise on whether a proposed plan is likely to address the root cause and to question inadequate plans, but the specific design and ownership of the action must rest with management. Improving plan quality or efficiency does not justify impairing independence.

  3. An internal audit team follows up on a procurement finding from 18 months ago. Management agreed to implement a three-way match control. Follow-up testing reveals the control is designed correctly and operating effectively. However, the auditor notes that the original root cause — inadequate authorisation thresholds for purchase orders — has not been addressed. The three-way match only detects errors after the fact. What is the most appropriate conclusion?

    • The finding should be closed because the three-way match control is operating effectively and achieves adequate risk reduction
    • The finding should be closed if the external auditors confirm they are satisfied with the three-way match control
    • The finding should remain open because the root cause has not been addressed; the implemented control is a detective compensating control, not a solution to the preventive control deficiency identified
      Correct answer
    • A new finding should be issued for the authorisation threshold gap, and the original finding should be closed
    Explanation

    Effective follow-up requires assessing whether the root cause has been addressed, not merely whether a control was implemented. The original finding was a preventive control deficiency (inadequate authorisation thresholds). The three-way match is a detective control that identifies errors after they occur — it does not prevent unauthorised purchase orders from being raised. The root cause remains unaddressed. The finding should stay open, documenting that the detective control provides partial mitigation but does not resolve the underlying preventive control gap. Opening a new separate finding for what is the same root cause would fragment tracking.