CIA · Part 3: Business Knowledge for Internal Auditing · Unit 01 · Access: Premium

Domain I: Business Acumen

Prepare for Domain I: Business Acumen with CIA practice questions covering 11 topics. Part of Part 3: Business Knowledge for Internal Auditing — build your knowledge and track your progress with CIA Practice.

Questions: 391
Topics: 11
Access: Premium

What’s in it.

11 topics
  • Topic 01: Organisational Structures — Functional, Divisional, Matrix, Shared Services (85 questions)
  • Topic 02: Business Strategy and Competitive Dynamics (40 questions)
  • Topic 03: Industry and Sector Analysis — Key Value Drivers, Competitive Forces (35 questions)
  • Topic 04: Business Processes — Procurement, Production, Sales, HR, Finance (32 questions)
  • Topic 05: Project Management Principles (61 questions)
  • Topic 06: Regulatory and Legal Environment — Compliance Obligations, Regulatory Change (42 questions)
  • Topic 07: Contracts and Commercial Terms (30 questions)
  • Topic 08: Change Management and Organisational Culture (15 questions)
  • Topic 09: Environmental, Social, and Governance (ESG) Considerations (15 questions)
  • Topic 10: Managerial Accounting — Costing, Budgeting, Variance Analysis (21 questions)
  • Topic 11: Supply Chain and Operations Management (15 questions)

Sample questions

3 of many

A few questions from this unit, with the answer and a full explanation. The complete bank is available when you start practising.

  1. What is a post-implementation review and how does it differ from a lessons learned review?

    • A post-implementation review (PIR) assesses whether the project delivered its intended business benefits after go-live, typically conducted months after closure; a lessons learned review is conducted at project closure to capture what went well and what could be improved for future projects.
      Correct answer
    • A PIR is conducted by the external auditor; a lessons learned review is conducted by the internal project team immediately after go-live.
    • A PIR is conducted during project execution to identify early performance issues and recommend corrective action.
    • A PIR is a regulatory requirement for all capital projects over GBP 1 million; a lessons learned review is optional best practice.
    Explanation

    The two reviews have different purposes and timings: (1) Lessons Learned Review — conducted at project closure (or at the end of each phase in PRINCE2), while the team is still together; it focuses on the project delivery process — what worked well, what caused problems, and what should be done differently on future projects. (2) Post-Implementation Review — conducted 3-12 months after go-live (once the system or product is operating), it assesses whether the projected benefits in the business case are being realised, whether any unintended consequences have emerged, and whether outstanding issues from the project require resolution. Internal auditors should assess whether both reviews are formally conducted and whether their outputs are acted upon.

  2. A UK insurer uses a single reinsurance provider for 80% of its catastrophe risk cover. The reinsurance market is highly concentrated globally. The CAE is planning a strategic audit of reinsurance relationships. Using Porter's Five Forces framework, which combination of forces is most relevant, and what are the key audit focus areas?

    • Bargaining power of buyers is most relevant because the insurer as a large premium payer can dictate terms; the audit should focus on contract compliance.
    • Threat of new entrants and threat of substitutes are most relevant; the audit should focus on whether new reinsurers are entering the market.
    • Competitive rivalry is the only relevant force; the audit should focus on whether the insurer is pricing its products competitively.
    • Bargaining power of suppliers (concentrated reinsurance market) and competitive rivalry (limited alternative capacity) are most relevant; key audit focus areas include concentration risk, contract terms adequacy, financial strength of the reinsurer, and the insurer's contingency plan if the relationship fails.
      Correct answer
    Explanation

    With 80% concentration in a single reinsurer in a globally concentrated market, two forces are primary: (1) supplier bargaining power — the reinsurer can set terms that are unfavourable to the insurer; and (2) limited competitive rivalry among reinsurers — meaning the insurer has few credible alternatives. Key audit areas include: adequacy of contract terms (particularly exclusion clauses and coverage limits); the reinsurer's financial strength and credit rating; the insurer's exposure if the reinsurer becomes insolvent; and whether the board has an approved contingency strategy for reinsurance concentration risk. Porter's Five Forces is applicable across industries including regulated financial services.

  3. A public sector organisation has seven management layers between front-line staff and the chief executive. An internal audit identifies that policy changes issued by the executive team take on average four months to be understood and implemented at the front line. Which structural characteristic is most likely responsible for this delay?

    • The front-line staff are resistant to change, creating a cultural barrier that is independent of the number of management layers.
    • The tall hierarchical structure with multiple management layers slows the transmission of information, as messages must pass through each layer and may be filtered or delayed at each handoff.
      Correct answer
    • The organisation's geographic spread across multiple regions means that policies must be rewritten for each location, causing delays.
    • The IT systems used to communicate policies are outdated, preventing timely distribution of updated guidance to regional offices.
    Explanation

    In a tall hierarchical structure, information must travel through each management layer sequentially. At each stage, there is risk of delay, re-interpretation, or de-prioritisation. A message that is urgent at the executive level may not be perceived as urgent by middle managers or may be queued behind competing priorities. Four months for policy implementation is a significant governance risk in any regulated environment. The structural root cause is the number of intermediary layers — a control implication of tall structures that internal audit should highlight.