Iia Part 3 Master Quiz Internal Auditing Techniques and Controlsto Better Reflect Where The Profession

lOMoARcPSD|28560950
IIA Part 3 Master Quiz - Internal Auditing techniques and

controls.
To better reflect where the profession
Developmental Psychology (Samar State University)
Studocu is not sponsored or endorsed by any college or university

Downloaded by Kaan Kayar (exelance331@gmail.com)
lOMoARcPSD|28560950
CIA EXAM Part 3
IIA Part 3 Master Quiz
SECTION I
Chapter A
1. When organizations promote ethical behavior, all of the following would be appropriate except
which one?
A. Provide whistleblower hotlines for reporting incidents.

B. Deliver the ethics message by multiple communication media.
C. Design and administer employee and stakeholder ethics attitude surveys.
D. Build the tone for honesty and integrity from the bottom up.
An organization should set the tone at the top for honesty and integrity and reinforce that every
manager, director, and employee needs to maintain these values.
2. Which of the following best represents a governance structure?
A. Structure 1
B. Structure 2
C. Structure 3
D. Structure 4
Operating management is responsible for risk management, executive management is

responsible for oversight, and internal auditors serve in the capacity of oversight and advisory
roles.
3. Which of the following is not a role of the internal audit activity in best practice governance
activities?
A. Discuss areas of significant risks.

B. Monitor compliance with the corporate code of conduct.
Quiz Questions and Answers Page 1

lOMoARcPSD|28560950
CIA EXAM Part 3
C. Support the board in enterprise-wide risk assessment.

D. Ensure the timely implementation of audit recommendations.
The internal audit activity is responsible for assessing and making recommendations for
improving governance processes in the accomplishment of various organizational objectives.
However, it is the role of management to ensure the timely implementation of the audit
recommendations. The internal audit activity is responsible for the development of a timely
procedure to monitor the disposition of the audit recommendations. The internal audit activity
works with senior management and the audit committee to ensure that audit recommendations
receive appropriate attention.
4. A board’s role in organizational governance is best described as
A. serve as the focal point.

B. manage strategies for the achievement of organizational objectives.
C. establish the entity’s value system.
D. provide assurance to shareholders.
The board is the focal point for all governance activities and establishes the "tone at the top."
The board is also responsible for implementing best governance practices and providing
oversight of organizational activities.
5. Which of the following would be responsible for establishing and maintaining an organization's
governance processes?
A. Board of directors
B. Senior managers
C. Internal auditors
D. Chief audit executive (CAE)
The board of directors is responsible for establishing and maintaining the organization's governance
processes and obtaining assurances concerning the effectiveness of the risk management and
control processes.
6. When trying to understand how well employees understand organizational values and how well
they uphold these values under daily work pressures, which of the following would be most
appropriate?
A. Self-assessment exercises
B. As part of an enterprise risk management (ERM) strategy

lOMoARcPSD|28560950
CIA EXAM Part 3
C. As part of a routine control evaluation

D. Discussions with the board and senior management
Corporate values are not typically assessed during routine risk and control evaluations. Instead,
self-assessment methods and appropriate audit programs are generally used to measure the
comprehension and preservation of corporate values.
7. The internal audit activity should contribute to the organization's governance process by
evaluating the processes through which:
I. Ethics and values are promoted.

II. Effective organizational performance management and accountability are ensured.
III. Risk and control information is communicated.
IV. Activities of the external and internal auditors and management are coordinated.
A. I only
B. IV only
C. II and III only
D. I, II, III, and IV
As noted in Performance Standard 2110, the evaluation of all of these processes would
contribute to corporate governance.
Chapter B
8. Which of the following statements about The International Finance Corporation’s

Environmental, Health, and Safety (IFC’s EHS) Guidelines is correct?
A. Organizations must make whatever changes to practices are necessary to protect environment,
health, and safety without regard to cost of implementation.
B. Purchasing policies should consider the entire lifecycle of products, including disposal.
C. The guidelines are intended to support creation of mission and value statements, not actual
operations.
D. In global organizations, divisions must follow local laws and regulations.

lOMoARcPSD|28560950
CIA EXAM Part 3
The IFC’s EHS Guidelines specify operational practices in different areas, including environment,
occupational and community health and safety, and sustainable materials use. Sustainable
materials policies reflect the entire lifecycle of purchased materials, from procurement through
disposal or decommissioning (e.g., recycling, handling of hazardous waste). When an
organization adopts the guidelines, it pledges to implement whichever is stricter—the guidelines
or the host country’s laws and regulations.
9. A realistic outcome of a privacy framework evaluation is
A. assurance of compliance with specific laws and/or standards.

B. prioritization of enterprise-level privacy initiatives.
C. assessment of organizational privacy business strategies.
D. all of the above.
In conducting an evaluation of the privacy framework, Practice Advisory 2130.A1-2 recommends

that the internal auditor consider the “laws, regulations, and policies relating to privacy in the
jurisdictions where the organization operates.”
Chapter C – Corporate Social Responsibility
10. A chief audit executive advises the board during a meeting to create a corporate social
responsibility (CSR) policy and begin planning a CSR program. The board resists the suggestion,
saying that this is not really their role and that the organization cannot fulfill its obligations to its
shareholders and to society and the environment at the same time. How could the CAE best
respond?
A. Creation of a policy and program may be delayed now but should be considered in the future.
B. Implementing a CSR policy should not require significant investment of time or money.
C. Not having a CSR policy could pose significant risks to the organization.
D. Having a CSR policy is a matter of compliance.
Not having a CSR policy and program exposes the organization to significant risks that the board
is responsible for controlling. These risks could include but are not restricted to penalties for
noncompliance with laws and regulations. Nonsustainable actions could also damage the
organization’s reputation and its ability to attract investors, employees, and customers. It can
also make the organizational liable for damages, possibly including liability for the actions of
suppliers.
11. Which of the following actions best illustrates an organization’s commitment to corporate social
responsibility (CSR)?

lOMoARcPSD|28560950
CIA EXAM Part 3
A. Line managers are instructed to review and amend processes to align them with the
organization’s CSR policy.
B. CSR-related activities are reported only within the organization itself.
C. The board of directors announces its adoption of the ISO framework on CSR.
D. CSR activities are audited only by third parties.
Mere adoption of a CSR framework is not sufficient; an organization’s processes must be

integrated into the framework. Results should be reported both within and outside the
organization to meet the needs of various stakeholders, including regulatory groups. Internal
audit may be involved in auditing the organization’s CSR programs, as long as internal auditing
was not involved in creating the programs.
SECTION II
Chapter A
1. A chief audit executive is reviewing the following enterprise-wide risk map:
Which of the following is the correct prioritization of risks, considering limited resources in the internal
audit activity?
A. Risk B, Risk C, Risk D, Risk A
B. Risk B, Risk C, Risk A, Risk D
C. Risk A, Risk B, Risk C, Risk D
D. Risk D, Risk B, Risk C, Risk A
This order ranks the risks by a combination of probability and impact. Risk B would take
precedence over Risk A, as it has a higher probability of occurring. Risk D would take precedence
over Risk C, due to probability and impact.

lOMoARcPSD|28560950
CIA EXAM Part 3
2. When disclosing information about enterprise risk management (ERM) to shareholders, all of
the following areas would be appropriate inclusions except
A. a high-level explanation of the ERM process within the context of strategy setting.
B. a description of how ERM functions in each business unit according to risk management
policy.
C. a summary of internal and external risk factors related to overall business goals and objectives.
D. defining how ERM relates to international best practice frameworks.
ERM provides a portfolio approach to risk and recognizes that risks are interrelated and the
organization stands to derive significant benefits from evaluating and monitoring risk on an
organization-wide basis. Shareholder communications should show how risk management is
integrated into organizational structure and interface with assurance activities such as internal
auditing.
3. Which of the following best describes an event that would be placed on a low impact, high
likelihood area of a risk map?
A. Petty cash is kept in a high traffic area, and the organization doesn't use an imprest account
system.
B. Employees could find a way to bypass the automated controls over Web surfing and thus waste
time.
C. Downsizing consolidates the check signing and check authorization functions in the controller
job role.
D. Computer output sits at the printer after it is printed, and valuable material could end up in
competitors' hands.
While estimating the likelihood and impact of any event is subjective, the controls over petty
cash are almost nonexistent, making the event very likely, but the loss of some petty cash would
not have a high impact on business continuity. The computer output answer is high impact but
low likelihood because an employee would likely need to be colluding with the competitor; the
downsizing answer is high impact and high likelihood, while the Web surfing answer is low
likelihood and low impact.

lOMoARcPSD|28560950
CIA EXAM Part 3
4. How can a common risk language enhance an organization’s enterprise risk management (ERM)
efforts?
I. Ensures everyone shares the same understanding when speaking about risk
II. Enhances the organizational risk culture
III. Facilitates building a risk management framework from the ground up
IV. Supports effective communications with regulatory agencies
A. I only
B. I and II only
C. I, II, and III only
D. I, II, and IV only
ERM should be driven from the top down. Everyone in an organization has a role in effective risk
management. Most organizations have layers (i.e., executives, line managers, and employees)
and silos (i.e., operations, technology, quality management, and compliance). A common
language cuts through the layers and breaks down silos. Without a common language, potential
miscommunications and other communication issues can thwart risk management activities.
5. In a risk assessment process, if a control objective is to ensure employees protect their

passwords, which of the following would describe an employee leaving a password on a note taped to
the monitor?
A. Residual risk
B. Risk event
C. Inherent risk
D. Risk response
In a risk assessment process, risk events are the events that could occur and prevent the
objective from being achieved. The inherent risk is the collective impact and likelihood of all risk
events prior to any response.

lOMoARcPSD|28560950
CIA EXAM Part 3
6. In a risk assessment process regarding the possibility of management override of controls to

manipulate reported earnings, which of the following is an impact factor of such an event occurring?
A. Management turnover levels
B. Complexity of accounting methods
C. Harm to the firm's reputation
D. Loose ethical standards set at the top
Harm to the firm's reputation is one potential impact of public disclosure of managerial
improprieties. The other items affect the likelihood of the event.
Chapter B
7. An organization uses a risk map with impact and likelihood values to classify fraud. The
classification for the theft of proprietary customer data (i.e., credit cards) is high likelihood and high
impact. Based on this classification, the organization should
A. pay little attention to the risk.
B. mitigate the risk with insurance or a backup plan.
C. prevent the risk.
D. contain and control the risk.
The risk assessment map looks at each type of fraud and determines how likely the fraud is to
occur and how significant it would be if it did occur. Any fraud that has a high probability and
high significance of material effect must be addressed with processes and procedures that
prevent this type of fraud. Containing, controlling, and mitigating imply that the organization is
willing to incur the theft. This would not be true for a high impact loss of proprietary data.
classification for theft of inventory is high likelihood and low impact. Based on this classification, the
organization should
A. contain and control the risk.
B. pay little attention to the risk.
C. prevent the risk.
D. mitigate the risk with insurance or a backup plan.

lOMoARcPSD|28560950
CIA EXAM Part 3
occur and how significant it would be if it did occur. Frauds that have high probability but
relatively low material impact are typically mitigated with insurance.
9. Which of the following is true of risk management techniques?
A. Risk assessments should focus on financial hazards rather than soft issues.
B. Internal auditors should avoid risk matrices in favor of developing risks without outside
influences.
C. Precise, detailed quantifications of risks can needlessly complicate risk assessments.
D. Because residual risk cannot be controlled, it should not be allowed to influence decisions.
Unless complex risk quantification is merited (e.g., derivatives), it's best to keep the
quantification and prioritization of risks simple. Rather than the traditional financial hazards,
less tangible soft issues (e.g., human resources) are of increasing importance in risk
assessments. Residual risk (the risk that remains after control is applied) must be considered in
decision making. Internal auditors can use risk matrices as a tool to improve risk assessment;
they should not develop risks in a vacuum.
10. An organization sells goods and services in both domestic and international markets. In
conducting a cultural diversity audit, which of the following are appropriate internal audit actions?
I. Review the organization’s Web site.
II. Verify compliance with country and regional laws and regulations.
III. Assess overt and subtle business practices for different cultures.
IV. Evaluate the political environment of the nations in which the organization conducts business.
A. II only
B. II and III only
Reviewing the organization's Web site should ensure it is accessible in several languages and not
offensive to any ethnic group or nationality. The International Standards for the Professional
Practice of Internal Auditing (Standards) require auditors to verify compliance with laws and

lOMoARcPSD|28560950
CIA EXAM Part 3
regulations. Ignorance of local practices raises the risk exposure for business loss. Evaluating the
political environment should recognize the potential for conflict and the risks associated with
continued operations in a political environment.
11. The primary reason that bank executives would decide to maintain a separate compliance
function is to
A. ensure the independence of line and senior management.
B. strengthen controls over the bank's investments.
C. better respond to shareholder expectations.
D. better manage perceived high risks.
Managing risk includes a variety of activities that attempt to identify, assess, manage, and
control risk across the entire spectrum of an organization, ranging from single events or projects
to narrowly defined types of risk (e.g., market risk) to threats and opportunities facing the entire
enterprise. Organizations such as brokers, banks, and insurance companies may view risks as
sufficiently critical to warrant continuous oversight and monitoring. A separate compliance
function may have recommendations to help strengthen controls, but this is not their primary
purpose. It will help respond to shareholder needs, but it is not the primary reason for
establishing the compliance function. Management is not independent, and risk management is
a direct responsibility.
12. A primary benefit of using risk assessment and risk maps in enterprise risk management (ERM) is
A. a standardized view of organizational risk emerges.
B. the collateral damage from unknown crises is mitigated.
C. top risks can be linked to budgets, capital, and shareholder value.
D. the board and senior executives no longer have sole responsibility for identifying appropriate
risk management processes.
A risk framework provides a master list that enables all risks identified in the organization to be
tracked and categorized. An important step in ERM is to assess risks identified, and the ranking
provides a standardized view of risks. The other three responses can result from establishing a
standardized view of organizational risk.

lOMoARcPSD|28560950
CIA EXAM Part 3
13. Which of the following is not a responsibility of the chief audit executive (CAE)?
A. Follow up on whether appropriate management actions have been taken on significant reported
risks.
B. Coordinate with other internal and external providers of audit and consulting services to ensure
proper coverage and minimize duplication.
C. Oversee the establishment, administration, and assessment of the organization’s system of

risk management processes.
D. Communicate the internal audit activity’s plans and resource requirements to senior
management and the board for review and approval.
Practice Advisory 2120-1 states that risk management is a key responsibility of senior
management and the board, not the CAE. To achieve its business objectives, management
ensures that sound risk management processes are in place and functioning. Boards have an
oversight role to determine that appropriate risk management processes are in place and that
these processes are adequate and effective. In this role, they may direct the internal audit
activity to assist them by examining, evaluating, reporting, and/or recommending improvements
to the adequacy and effectiveness of management’s risk processes.
14. At the beginning of the year, the finance department began using a new accounting software
system. It came with excellent documentation and can handle the complex accounting methods the
organization employs. Which of the following would be the best approach for auditing the accounting
system at the end of the year?
A. Audit the components of the accounting system that appear on a list compiled from prior IT
system audits.
B. Audit the components of the accounting system based on assessed inherent, control, and
detection risks.
C. Audit every component of the accounting system equally.
D. Audit the components of the accounting system that appear on a list received from the
accounting system vendor.
Audits should be risk-based. Inherent and control risks relate to the risk that an account balance
could have misstatements. Detection risk is the risk of not finding the misstatements. Auditors
should note transactions where the risks are greater than normal rather than using "best
practices" lists.

lOMoARcPSD|28560950
CIA EXAM Part 3
15. A risk assessment has determined that for electronic data interchange (EDI), risk of control
failure has been assessed at 5 percent for administrative controls, 10 percent for physical controls, and 6
percent for software controls. What is the control risk for EDI?
A. 0.03 percent
B. 0.07 percent
C. 7 percent
D. 10 percent
Control risk is the risk of all three layers failing. Control Risk = Administrative percent x Physical
percent x Software percent = 0.05 x 0.1 x 0.06 = 0.0003 or 0.03 percent.
16. Which of the following is not true of the Committee of Sponsoring Organizations of the
Treadway Commission (COSO) Enterprise Risk Management (ERM) - Integrated Framework?
A. Includes a focus on meeting financial objectives
B. Makes use of natural hedges and portfolio effects
C. Avoids sole focus on the downside nature of risk by recognizing the upside of opportunities
D. Takes a more focused approach than traditional risk management
ERM takes a broader portfolio approach than traditional risk management and deals with risks
and opportunities affecting the creation or preservation of organizational value.
17. Which of the following Committee of Sponsoring Organizations of the Treadway Commission
(COSO) risk management responses would apply to a situation in which an organization moved from List
A to List B by canceling their insurance because the costs were greater than the item's replacement
cost?
A. List A = reduction, List B = avoidance
B. List A = sharing, List B = avoidance
C. List A = sharing, List B = acceptance
D. List A = reduction, List B = acceptance

lOMoARcPSD|28560950
CIA EXAM Part 3
Sharing reduces risk likelihood or impact by transferring or otherwise sharing a portion of the
risk. Common risk-sharing techniques include purchasing insurance products. Acceptance is
taking no action to affect likelihood or impact.
18. How can internal audit add value to the enterprise risk management (ERM) process?
I. Staying abreast of changes in the risk management field in order to ensure regulatory
compliance
II. Developing strong interpersonal and facilitation skills to educate varying levels of managers and
employees about ERM
III. Providing the audit committee and executive management with assurances that the ERM
process is efficient, effective, and operating as it was intended
IV. Using the output of the ERM process to develop its risk-based audit plan and to identify
unexpected high-risk areas as circumstances change
A. II only
B. III and IV only
D. I, II, and IV only
Both correct choices reflect The IIA definition of internal auditing and the role of internal
auditors in helping “an organization accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve the effectiveness of risk management, control,
and governance processes.”
19. The function of the chief risk officer (CRO) is most effective when the CRO
A. shares the management of risk with the chief audit executive.
B. shares the management of risk with line management.
C. works with management in their areas of responsibility.
D. manages risk as a member of senior management.

lOMoARcPSD|28560950
CIA EXAM Part 3
The chief risk officer is most effective when working with other executives and managers in
establishing effective risk management in their areas of responsibility. This risk officer can work
with other managers in establishing effective risk management practices, monitoring progress,
and assisting those managers in reporting. Senior management has an oversight role. The CAE is
not responsible for managing risk. Risk knowledge at the line level would be specific only to that
area of the organization.
20. All of the following would be part of a factory’s control system to prevent release of waste
water that does not meet discharge standards except
A. periodically flushing sinks and floor drains with a large volume of clean water to ensure
pollutants are sufficiently diluted.
B. specifying (by policy, training, and advisory signs) which substances may be disposed of via sinks
and floor drains within the factory.
C. establishing a preventive maintenance program for the factory’s pretreatment system.
D. performing chemical analysis of the water, prior to discharge, for components specified in the
permit.
Periodic dilution may not always prevent the release of pollutants which exceed the discharge
limits. Each of the other options are different but effective ways to address the risk.
21. Which of the following groups has the primary responsibility for the establishment,
implementation, and monitoring of adequate controls in the posting of accounts receivable?
A. Accounting management
B. Accounts receivable staff
C. External auditors
D. Internal auditors
Management is responsible for controls.

lOMoARcPSD|28560950
CIA EXAM Part 3
22. Which of the following statements is not true regarding risk assessment as the term is used in
internal auditing?
A. Risk assessment is a judgmental process of assigning dollar values to the perceived level of
risk found in an auditable activity. These values allow directors to select the auditable entities most
likely to result in identifiable audit savings.
B. The chief audit executive (CAE) should incorporate information from a variety of sources into
the risk assessment process, including discussions with the board, management, and external auditors;
review of regulations; and analysis of financial/operating data.
C. Risk assessment is a systematic process of assessing and integrating professional judgments

about probable adverse conditions and/or events, providing a means of organizing an internal audit
schedule.
D. As a result of an audit or preliminary survey, the chief audit executive (CAE) may revise the level
of assessed risk of an auditable entity at any time, making appropriate adjustments to the work
schedule.
Risk assessment does not necessarily involve the assignment of dollar values and is not intended
to identify the audit area with the greatest dollar savings.
classification for petty fraud is low likelihood and low impact. Based on this classification, the
organization should
A. prevent the risk.
B. pay little attention to the risk.
C. mitigate the risk with insurance or a backup plan.
D. contain and control the risk.
occur and how significant it would be if it did occur. Frauds that have low material impact and
low probability need less attention.

lOMoARcPSD|28560950
CIA EXAM Part 3
24. Which of the following is not an appropriate responsibility for the chief risk officer (CRO) in an
organization’ s enterprise risk management (ERM) process?
A. Monitor the enterprise risk profile, and ensure major risks are identified and reported upward.
B. Assist internal and external auditors relying on ERM output for the purposes of audit planning
and execution.
C. Validate that ERM is functioning in each business unit according to the approved risk
management policy and framework.
D. Maintain ultimate ownership for the ERM process, set the “tone at the top,” and ensure a
positive internal environment.
Ownership for the ERM process, the appropriate tone at the top, and a positive internal
environment rests with an organization’s chief executive officer (CEO). A chief risk officer (also
referred to as a risk officer or risk manager) provides central coordination for enterprise risk
management across the organization. Empowered by the CEO, a risk officer has the resources to
work with other managers in establishing effective risk management practices, monitoring
progress, and assisting those managers in reporting.
25. Organizations measure risk in terms of which of the following?
I. Opportunity
II. Uncertainty
III. Likelihood
IV. Impact
A. I and II only
B. I, II, and IV only
C. III and IV only
Risk is the possibility of an event occurring that will have an impact on the achievement of
objectives. Risk is measured in terms of impact and likelihood.

lOMoARcPSD|28560950
CIA EXAM Part 3
SECTION III
Chapter A
1. Which of the following is not true with regard to a matrix structure for an organization?
A. It is akin to a functional structure in that it fosters specialization.
B. It only works well when the organization's projects or products have a short life cycle.
C. It is akin to a divisional structure in that it has an explicit focus on results.
D. The major disadvantage of a matrix structure is its potential for creating confusion and power
struggles.
A matrix can work regardless of whether the product life cycle is long or short.
2. Which particular type of organization structure will likely have unity-of-command problems
unless there is frequent and comprehensive communication between the various functional and
project managers?
A. Centralized
B. Matrix
C. Strategic business unit
D. Line and staff
The matrix structure allows authority to flow both vertically and horizontally. A line and staff
structure is designed to maximize unity-of-command by giving only line managers the authority
to make decisions affecting those in their chain of command. A centralized structure should not
have unity-of-command problems if management is organized in a line and staff fashion.
3. A "flat" organization structure is one with relatively few levels of hierarchy and characterized by
wide spans of management, while a "tall" organization has many levels of hierarchy and narrow
spans of management. Which of the following situations is consistent with a flat organization
structure?
A. Tasks are highly complex and varied.
B. Subordinates perform distinctly different tasks.

lOMoARcPSD|28560950
CIA EXAM Part 3
C. Tasks require little direction and control of subordinates.
D. Work areas are geographically dispersed.
For a flat structure to be successful, employees must be able to work unsupervised most of the
time because the manager, having many employees, has little time for each one.
4. A key advantage of an organization with a centralized configuration is that it
A. encourages motivation and learning.
B. is highly adaptable.
C. tends to empower employees.
D. supports management consistency.
A centralized configuration has several levels of authority, a long chain of command, and a
narrow span of control. All of these characteristics support management consistency and may
discourage innovation and employee involvement and empowerment.
5. Which of the following is not an advantage of decentralization?
A. Problems can be resolved immediately.
B. Motivation of managers increases.
C. Greater uniformity in decisions is achieved.
D. Decisions are more easily made.
Increased uniformity in decisions is an advantage of centralization. The other options are

advantages of decentralization.
6. An organization that combines strict adherence to the unity of command with high division of
labor may cause problems for customers trying to obtain information. Of the following, which is
the most probable type of internal environment this structure creates?
A. Compartmentalized and formal
B. Networked and informal
C. Networked and formal

lOMoARcPSD|28560950
CIA EXAM Part 3
D. Compartmentalized and informal
A high division of labor results in compartmentalization. Strict adherence to unity of command

results in formal relationships.
7. In which of the following situations would a narrower span of control be more appropriate?
A. Subordinates work in the same area, rather than being geographically dispersed.
B. Managers do not spend a great deal of time on planning or strategic management.
C. Work performed by subordinates is substantially identical.
D. Managers must spend a great deal of time coordinating with other managers.
If substantial coordination were required, a manager would benefit from reduced supervision
requirements. In addition, increased coordination implies that the work performed by
subordinates is not standardized.
8. Routine tasks, which have few exceptions and problems that are easy to analyze, are conducive
to
A. organic structures that emphasize adaptability and flexibility to changing circumstances.
B. high degrees of job satisfaction on the part of employees performing them.
C. a formalized structure where procedure manuals and job descriptions are common.
D. decentralized decision making where decisions are pushed downward in the organization.
Routine tasks are conducive to a formalized structure, but they have low job satisfaction and are
conducive to a centralized and mechanistic organization.
9. In what form of organization does an employee report to multiple managers?
A. Mechanistic
B. Departmental
C. Bureaucracy
D. Matrix

lOMoARcPSD|28560950
CIA EXAM Part 3
In a matrix organization project managers may "borrow" specialists from line managers. The
other options have subordinates report to a single manager.
10. An organization that operates in a highly competitive and changing market would most likely
use which of the following organizational structures?
A. Decentralized
B. Totally virtual
C. Centralized
D. Balanced hierarchy
In order to remain competitive and adaptable many organizations adopt a flatter organizational
structure.
Chapter B
11. Which of the following supply chain flows can move in the direction of customer-producer-
supplier?
I. Information flow
II. Reverse product flow
III. Primary product flow
IV. Primary cash flow
A. I and II only
B. II and IV only
C. I, II, and IV only
D. I, III, and IV only
Information flows in both directions of the supply chain, while cash and reverse products
(repair, recycling, returns, or disposal) are sent from the customer to the producer and/or the
producer to the supplier.
12. An internal auditor notes that the purchasing department for a medical device manufacturer
consistently buys certain parts from a company that does not offer the lowest price. The
supplier has had delays in its own production that have delayed shipments of parts to the

lOMoARcPSD|28560950
CIA EXAM Part 3
manufacturer. Yet the purchasing relationship persists. The auditor notes that there are fewer
returns to this supplier. What is the most likely explanation of the procurement relationship?
A. Fraud is occurring. Buyers are receiving incentives to specify the supplier’s products.
B. Procurement objectives emphasize proven quality of components.
C. The supplier is more reliable and responsive to the manufacturer’s requirements.
D. The supplier has developed more successful customer relationship management techniques.
Companies have different objectives for their procurement strategies, based on their own
business objectives. In this case, the manufacturer may place a higher value on the quality of the
components than price or reliability of supply. The low rate of component returns to the
supplier indicates that delivered components are within specifications and have low failure
rates.
13. Which of the following is the primary focus of marketing?
A. Communication
B. Customer
C. Cost
D. Convenience
Strategic marketing is driven by customer needs.
14. One of the challenges of enterprise risk management (ERM) in an organization that has a
centralized structure is that
A. it may be difficult to raise awareness of impact of work actions on other employees or work
areas.
B. effective controls are more difficult to design and consistent application is more difficult to
achieve across the organization.
C. employees in these structures are inherently less risk averse.
D. managers have less incentive to implement and monitor controls.

lOMoARcPSD|28560950
CIA EXAM Part 3
In a centralized structure, most communication is vertical, up and down a hierarchical chain of

command. This impedes communication and awareness across functional lines, which can be an
obstacle for ERM.
15. A grocery store chain operates an ice-making facility, a soft drink bottling operation, an ice
cream-making plant, and a bakery that supplies its individual stores with everything from bagels
to birthday cakes. Their distribution channel arrangement is an example of a
A. multichannel marketing system.
B. conventional distribution channel.
C. horizontal marketing system.
D. vertical marketing system.
A vertical marketing system consists of producers, wholesalers, and retailers managed as a

coordinated or programmed system. Conventional distribution channels involve one or more
independent producers, wholesalers, and retailers, each acting as a separate business and
seeking to maximize its own profit.
16. Which of the following systems for organizing marketing channels offers the least ability to
manage channel conflict?
A. Conventional
B. Vertical
C. Horizontal
D. Multichannel
Conventional distribution systems consist of one or more independent producers, wholesalers,

and retailers, each of which is a separate profit-maximizing business. The profit objective of
each independent channel member may result in actions that are not profit-maximizing for the
system as a whole, and the conventional distribution system offers no means for controlling
channel conflict.

lOMoARcPSD|28560950
CIA EXAM Part 3
17. What are the two most common supply chain management approaches?
A. Vertical and lateral
B. Customer-driven and supplier-driven
C. Synchronous and strategic
D. Conventional and unconventional
Although the vertical and lateral approaches are the most widely used supply chain
management approaches globally, there are other methods in existence. Japanese companies
favor an intermediate form of integration called "keiretsu," in which suppliers and customers
are not completely independent but instead own significant stakes in one another.
18. The operating cycle shows
A. how resources are obtained and converted back into cash.
B. cashflow levels as the result of resource purchases and account collections.
C. the integration of the organization with its suppliers and distributors.
D. the interrelationship between organizational functions in a specific business process.
The operating cycle shows the intended result of operations, from purchase of resources and/or
materials, through production, sales, and collection cycles. The cycle is also known as the cash-
to-cash cycle, since it shows how cash disbursed is converted back into cash received.
19. In a distribution channel, the primary purpose of marketing intermediaries is to
A. communicate product availability, location, features, and benefits.
B. reduce the number of transactions for producers and end users.
C. help meet buyers’ time-of-purchase and variety preferences.
D. eliminate geographical/location gaps between buyers and sellers.
The answer defines the primary purpose of marketing intermediaries. The other answers
describe other roles in the distribution process.

lOMoARcPSD|28560950
CIA EXAM Part 3
Chapter C
20. A corporation has four retail outlets. The corporation can ship each store a half truckload on
demand, or it can combine two half truckload orders for any two stores into a full truckload,
which is half as expensive per store. However, each retail outlet has additional costs due to
stockouts or excess inventory when it has to wait for a full truck shipment. All else being equal,
which of the following combinations would save the corporation the most money if linear
programming concepts are used?
A. Combine W + X into a full truck shipment, and combine Y + Z into a full truck shipment.
B. Combine W + X into a full truck shipment, and send Y and Z half truck shipments.
C. Combine X + Y into a full truck shipment, and combine W + Z into a full truck shipment.
D. Combine X + Y into a full truck shipment, and send W and Z half truck shipments.
Combining X + Y = $50 + $30 + $100 + $90 = $270. W = $100, Z = $200 for a total of $570, the
lowest possible cost combination.
21. Which of the following would be the best tool that operating personnel could provide to
internal auditors so that they can “see” the operations in order to identify inefficiencies,
ineffective steps, and control weaknesses?
A. Critical Path Method (CPM) chart
B. Process flowchart
C. Gantt chart
D. Six Sigma DMAIC char
Operating personnel are concerned with operations, and a process flowchart shows operations.
CPM and Gantt charts are for project management. Six Sigma DMAIC refers to the phases of this
quality improvement plan

lOMoARcPSD|28560950
CIA EXAM Part 3
22. Reconfiguring the order of a manufacturing process has minimized the amount of waste and
reduced the amount of time and cost of manufacturing a product. Which of the following best
describes this reconfigured process?
A. It is high quality.
B. It is effective.
C. It is flexible.
D. It is efficient.
Efficiency is related to the cost of a process relative to the value it creates. An efficient process
achieves results with minimal waste, expense, and/or cycle time (the time it takes from the
beginning to end to complete a process), and has a high ratio of output to input.
23. A city analyzes its freeway traffic on a particular stretch of freeway and determines that traffic
flow is most congested around a 90-degree bend in the freeway but that three other locations
also have less significant slowdowns. According to the theory of constraints (TOC), which of the
following is true of this system?
A. The constraint limits the traffic flow in one area, but not the entire system.
B. Fixing the problem at the 90-degree bend will remove all constraints from the system.
C. The only constraint is the 90-degree bend.
D. The city should address all of the locations that have slowdowns because only a system-wide fix
will have tangible results.
The TOC philosophy holds that there is only one constraint in a system at any given time and
that each constraint limits the output of the entire system. It is important to concentrate on
addressing specific constraints rather than trying to fix the entire system, which may or may not
have tangible results.
24. An organization is beginning a continuous improvement initiative using the Six Sigma process.
The organization has determined that there are too many defects occurring as part of the
current manufacturing process. What should the organization do next?
A. Monitor the performance of the existing process.

lOMoARcPSD|28560950
CIA EXAM Part 3
B. Measure the performance of the existing process.
C. Motivate employees to improve the existing process.
D. Mitigate the processes that are producing the defects.
The Six Sigma process for conducting continuous improvement is referred to by the initials
DMAIC. Once the organization has defined the nature of the problem, the next step is to
measure existing performance and begin recording data and facts that provide information
about the underlying causes of the problem.
25. Which of the following tools would best give a graphical representation of a sequence of
activities and decisions?
A. Histogram
B. Run chart
C. Flowchart
D. Control chart
A flowchart, also called a process-flow analysis, is a graphical representation of an operation in

terms of the sequence of activities and decisions throughout a process. A control chart is a
statistical process that illustrates variations from normal in a situation over time. A histogram is
a measurement of the frequency of particular elements contributing to an overall set of data. A
run chart tracks trends and results over a specified period of time.
26. A company wants to improve the speed of its manufacturing process. A flowchart of the
manufacturing process shows that a subprocess is taking the most time to complete and the
work in process is idle for too long. What should the organization do next to address this
constraint?
A. Buy new machines to change the subprocess completely.
B. Change the scheduling of the subprocess and redeploy employees.
C. Redesign the entire manufacturing process.
D. Hire new employees

lOMoARcPSD|28560950
CIA EXAM Part 3
Once the constraint is identified, the next step is to "exploit" the constraint by utilizing every bit
of the constraining component without committing to potentially expensive changes or
upgrades.
27. Which of the following has potential for being developed into a linear programming application?
A. Processes X, Y, and Z each have the same objective of maximizing customer acceptance.
B. Processes J, K, and L appear to have random relationships between each of the elements.
C. Processes A, B, and C each result in the same output, but each has qualitative factors that can be
judged as better or worse.
D. Processes R, S, and T each use exactly one unit of rare Component X per unit, and no other
process uses this component.
Linear programming requires a clear objective, a limited resource that can be put to different
use or distributed differently to optimize efficiency, problems whose solutions can be measured
quantitatively, and linear or proportional relationships between elements of the problem. The
incorrect answers are each disqualified for not meeting one of these requirements.
Chapter D
28. An appropriate technique for planning and controlling manufacturing inventories, such as raw
materials, components, and subassemblies, whose demand depends on the level of production
is
A. regression analysis.
B. linear programming.
C. capital budgeting.
D. materials requirements planning.
Materials requirements planning (MRP) is a planning and controlling technique for managing
dependent-demand manufacturing inventories.

lOMoARcPSD|28560950
CIA EXAM Part 3
29. A company manufactures banana hooks for retail sale. The bill of materials for this item and the
parts inventory for each required material are as follows:
An incoming order calls for delivery of 2,000 banana hooks in two weeks. The company has 200 finished
banana hooks in current inventory. If no safety stocks are required for inventory, what are the
company's net requirements for swag hooks and screws needed to fill this order?
A. 1,800 swag hooks and 3,600 wood screws
B. 1,700 swag hooks and 3,600 wood screws
C. 1,500 swag hooks and 3,200 wood screws
D. 1,500 swag hooks and 1,400 wood screws
30. The economic order quantity, Q, is the size of the order that minimizes total inventory costs.
These costs, which are comprised of ordering and holding costs, can be computed using the
following expression:

lOMoARcPSD|28560950
CIA EXAM Part 3
Where TC = total inventory costs, Q = size of each order, D = annual demand in units, p = cost of placing
one order, and s = holding cost per year for one unit of inventory.
The following inventory information is available for a company:
• Annual demand (D) = 20,000 units
• Cost of placing one order (p) = US $100
• Holding cost per unit (s) = US $1
• Economic order quantity (Q) = 2,000 units
If the company decides to order 4,000 units at a time rather than 2,000 units, by how much will its total
inventory costs change?
A. US $500 increase
B. US $1,000 increase
C. US $1,000 decrease
D. US $2,000 increase
31. Which of the following is correct about the assumptions made in the economic order quantity
(EOQ) model?
A. Lead time is variable.
B. Replenishment is instantaneous.
C. Demand fluctuates seasonally with an unpredictable component.
D. Stockouts occur at predictable intervals.

lOMoARcPSD|28560950
CIA EXAM Part 3
EOQ is a fixed order model that depends on the assumptions that lead time is constant, demand
occurs at a relatively stable and known rate, operating and storage costs are known,
replenishment is instantaneous, and there are no stockouts.
32. A major justification for investments in computer integrated manufacturing (CIM) projects is
A. lower book value and depreciation expense for factory equipment.
B. stabilization of market share.
C. reduction in the costs of spoilage, reworked units, and scrap.
D. increased working capital.
CIM involves a manufacturing system that completely integrates all factory and office functions
within an organization throughout the life cycle of a product or service. CIM can help an
organization reduce costs of spoilage and scrap, increase productivity, improve quality, and
increase its overall responsiveness to customers.
33. When the economic order quantity (EOQ) decision model is employed, which of the following
cost combinations would be most likely to occur?
A. Purchase costs offset or balance quality costs.
B. Purchase costs offset or balance carrying costs.
C. Ordering costs offset or balance stockout costs.
D. Ordering costs offset or balance carrying costs.
The EOQ decision model calculates the optimum quantity of inventory to order by incorporating
only the ordering costs and carrying costs into the model. These costs behave opposite each
other. Purchase costs, quality costs, and stockout costs are not incorporated into the EOQ
model.

lOMoARcPSD|28560950
CIA EXAM Part 3
34. Which of the following is a characteristic of just-in-time (JIT) inventory management systems?
A. JIT is applicable only to large companies.
B. JIT does not really increase overall economic efficiency because it merely shifts inventory levels
further up the supply chain.
C. JIT users determine the optimal level of safety stocks.
D. JIT relies heavily on good quality materials.
Poor quality materials cause major problems in a JIT system because it retains no safety stock to
use for replacing defective materials. Substandard materials cause major production disruptions
in JIT systems and defeat its benefits, which include lowering cost and lead time while increasing
product quality.
35. Which of the following is not considered a cost of carrying inventory?
A. Shipping and handling
B. Property tax
C. Depreciation and obsolescence
D. Insurance
Inventory shipping and handling costs are classified as ordering costs, not as carrying costs.
Property tax, insurance, and depreciation and obsolescence are all classified as inventory
carrying costs.
36. A mass merchandiser withholds from sale a number of units to avoid out-of-stocks while
awaiting new inventory. This is referred to as
A. safety stock.
B. pipeline inventory.
C. price hedging inventory.
D. work-in-process inventory.

lOMoARcPSD|28560950
CIA EXAM Part 3
One reason to hold inventory is to fill the pipeline, called pipeline or transportation inventory; it
covers the transportation time required for new inventory to reach its destination. A mass
merchandiser generally does not carry work-in-process inventory (raw materials or components
in the process of being transformed into completed units). The purpose of carrying the stock is
not speculation about movement of prices or fears of unanticipated demand.
37. A tropical storm has wiped out all transportation systems in an area of the world providing raw
materials to several different production facilities. Which of the following companies is most
likely to fare the best in the short run?
A. One using an economic order quantity (EOQ) model
B. One using a materials requirement planning (MRP) system
C. One using computer integrated manufacturing (CIM)
D. One using a just-in-time (JIT) manufacturing system
Although a lack of available raw materials would challenge all the companies, the one least
affected in the short run would be the one using a materials requirement planning (MRP)
system, which would have more raw materials inventory on hand than companies using systems
that encourage less on-hand inventory and more dependence on suppliers.
38. The formula for optimal order quantity (EOQ) is as follows:
In this formula, AR is the annual requirement, OC is the order cost per order, and CC is the carrying cost
per unit. Furthermore total cost (TC) = total OC + total CC. The following inventory requirements for a
retail location are as follows:
• AR = 300 units of paper towels
• OC = $2 per 10 units ordered
• CC = $1 per 30 units
What is the EOQ and what is the TC?
A. EOQ = 63; TC = $23
B. EOQ = 60; TC = $70

lOMoARcPSD|28560950
CIA EXAM Part 3
C. EOQ = 35; TC = $3
D. EOQ = 10; TC = $3
39. A manufacturing company is attempting to implement a just-in-time (JIT) purchase policy

system by negotiating with its primary suppliers to accept long-term purchase orders that result
in more frequent deliveries of smaller quantities of raw materials. If the JIT purchase policy is
successful in reducing the total inventory costs of the manufacturing company, which of the
following combinations of cost changes would be most likely to occur?
A. Quality costs increase and ordering costs decrease.
B. Stockout costs increase and carrying costs decrease.
C. Purchasing costs increase and stockout costs decrease.
D. Purchasing costs increase and quality costs decrease.
In this situation, the company will be receiving fewer materials at any point in time, increasing
the likelihood of stockout and a subsequent increase in stockout costs. At the same time, the
average inventory will be less, resulting in a reduction in the carrying costs. It is possible that the
supplier may ask for a concession in its selling price, which would raise the manufacturer's
purchasing costs. And with fewer purchase orders being processed by the manufacturer, the
ordering costs are likely to decrease. However, the costs of quality would not necessarily be
affected by the JIT purchasing system.
Chapter E
40. Electronic data interchange (EDI) offers significant benefits to organizations, but it is not without
certain major obstacles. Successful EDI implementation begins with which of the following?
A. Selecting reliable vendors for translation and communication software
B. Standardizing transaction formats and data
C. Mapping the work processes and flows that support the organization's goals
D. Purchasing new hardware for the EDI system

lOMoARcPSD|28560950
CIA EXAM Part 3
Marked benefits come about when EDI is tied to strategic efforts that alter, not mirror, previous
practices. Applying EDI to an inefficient process results in the ability to continue doing things
wrong at a faster pace. The prerequisite for EDI success is an understanding of the mission of
the business and the processes and flows that support its goals, followed by cooperation with
external partners.
41. A company using electronic data interchange (EDI) made it a practice to track the functional
acknowledgments from trading partners and to issue warning messages if acknowledgments did
not occur within a reasonable length of time. What risk was the company attempting to address
by this practice?
A. Transactions that have not originated from a legitimate trading partner may be inserted into the
EDI network.
B. Transmission of EDI transactions to trading partners may sometimes fail.
C. There may be disagreement between the parties as to whether the EDI transactions form a legal
contract.
D. EDI data may not be accurately and completely processed by the EDI software.
Transmission of EDI transactions to trading partners may sometimes fail.
42. An audit of e-commerce activities should direct internal auditors to look for
A. transaction histories such as time codes and receipt confirmations.
B. a list of all e-commerce applications within the enterprise.
C. physical security controls that limit access to e-commerce machines.
D. logical security controls that restrict unauthorized access to transmitted data.
Internal auditors should look for network security controls, user identification systems, privacy
and confidentiality controls, a list of all e-commerce applications within the enterprise,
maintenance activities to ensure continued operation, failure detection and automated repair
features, application change management controls, and business continuity plans.
43. An electronic funds transfer (EFT) set of controls includes physical security to limit access, logical
security controls to limit data access, transaction histories, business continuity plans, and
application controls to assure accuracy and reliability. Which of the following should also be
included to complete this set of controls?

lOMoARcPSD|28560950
CIA EXAM Part 3
A. Failure detection and automated repair features
B. Controls for compliance with local regulations
C. Controls to determine whether automated clearing house (ACH) settlement was instantaneous
D. Intermittent or random testing of equipment to assure reliable transmission
The incorrect choices are all examples of operations, systems data backup and recovery
controls, and application controls that auditors should assess during an audit of an EFT system.
44. Which of the following is a risk that is higher when an electronic funds transfer (EFT) system is
used?
A. Improper change control procedures
B. Insufficient online edit checks
C. Unauthorized access and activity
D. Inadequate backups and disaster recovery procedures
Unauthorized access is a risk which is higher in an EFT environment. The other risks are common
to each IT environment.
Chapter F
45. In which stage of a firm's development is it most likely to seek and obtain external equity
financing in the form of venture capital?
A. Maturity to decline
B. Emergence to growth
C. Growth to maturity
D. Decline to emergence
At the emergence and growth stages, a reasonably profitable company will usually experience
financing needs in excess of funds available either internally or from trade or bank credit.
Additional debt financing would often result in an unreasonable amount of financial leverage at
this stage of development, and public equity financing is not yet available to the company. This
is the stage at which the company is most likely to seek and obtain venture capital financing.

lOMoARcPSD|28560950
CIA EXAM Part 3
46. During which of the following phases of the business development life cycle would an auditor
expect to find employees using workarounds to expedite numerous back orders, sometimes
creating control gaps?
A. Emergence
B. Maturity
C. Decline
D. Growth
The growth phase is a time of rapid changes in personnel, facilities, and policies as organizations
adapt to a growing market share. Problems in this phase are often in demands on capacity,
resulting in backlogs, and employees could be tempted to use workarounds.
47. If an internal auditor recognizes that his or her organization has moved from the maturity to the
decline stage of the business development life cycle, the best thing he or she can do is to
A. help management cut labor costs without endangering segregation of duties or the stability of
internal controls.
B. help entrenched bureaucracy see the need for change but monitor for earnings manipulations
and stability of internal controls.
C. make sure that employees aren’t using workarounds and that internal controls are part of the
rationale for software and policies.
D. make sure that management has internal controls in place and that the risks to business
continuity are established within an internal control framework.
In this stage, demand declines due to obsolescence or competitors in growth phases erode
market share with lower prices and costs due to newer equipment and more efficient processes.
The root cause of the decline is entrenched bureaucracy that resists seeing the need to change
as changes become necessary. Organizations in decline will use drastic measures to prevent
further loss of business, either by investing heavily in marketing or product enhancement or by
severe cost cutting, plant closings, and layoffs. In either case, desperate organizations need to
be monitored for earnings manipulations to hide losses as well as for changes that remove
internal controls or segregations of duties.
Chapter G

lOMoARcPSD|28560950
CIA EXAM Part 3
48. Which of the following International Organization for Standardization (ISO) models of the ISO
9000 series is auditable?
A. ISO 9000: 2005
B. ISO 19011
C. ISO 9001: 2008
D. ISO 9004: 2009
ISO 9001: 2008 describes the requirements of a quality management system and is the only
auditable standard.
49. Which of the following is true of the standards or certifications of the International Organization
for Standardization (ISO)?
A. The ISO has different sets of standards tailored for service versus manufacturing industries.
B. The ISO issues qualitative standards that are not intended to be quantitatively measured.
C. The ISO certifications have yet to break into countries outside of the United States and Europe.
D. The ISO certification is used by many buyers to reject noncertified suppliers regardless of
price.
The ISO certification standards represent a stamp of approval on the quality of products and
services, and many companies will buy only from ISO-certified suppliers.
50. Which of the following categories of the International Organization for Standardization (ISO)
9000 series (2008 revision) on quality assurance emphasizes identifying customer needs,
expectations, and requirements?
A. Measurement, analysis, and improvement
B. Resource management
C. Management responsibility
D. Product/service realization
ISO 9001 has 20 requirements that fall under four general categories that reflect key changes in
the 2000 revisions, and each of the answer choices displays one of these categories.

lOMoARcPSD|28560950
CIA EXAM Part 3
Product/service realization emphasized identifying customer needs, expectations, and

requirements and developing a process for communicating with customers.
51. Which of the following is a key element of ISO 9001 requirements?
A. The organization must ensure fully trained, qualified, competent staff and adequate
resources.
B. The quality control system must include adherence to environmental management processes.
C. The quality control system must produce documented results for five years or more.
D. The quality control system must adhere to rigorous standards set by an organization's board of
directors.
An organization's quality control system requires fully trained and competent staff and
adequate resources. Management must also assume responsibility for defining quality
objectives. Processes must recognize the needs and goals of customers. Results must be
gathered continually and fed back into the system for continual improvement.
Chapter H
52. An online entertainment company is considering out-sourcing storage and delivery (via
streaming) of its games. The vendor would assume these functions, manage online payment and
operate online customer support for customers having trouble downloading games. In this way
the company avoids the expense associated with purchasing and operating its own storage and
transmission functions. It retains game design and development and customer support related
to actual game function on customer systems. What cost other than service-related monthly
charges should the company add to the out-sourcing side in its total cost of ownership analysis
of this out-sourcing scenario?
A. Auditing of payments process
B. Training of customer support personnel
C. Contingency arrangements in the event of loss of service from vendor

lOMoARcPSD|28560950
CIA EXAM Part 3
D. Expansion of servers necessary to accommodate gaming catalogue
The vendor assumes costs associated with maintaining its own hardware and software systems
and with training personnel to perform contracted services. These costs are included in its fees.
The company would probably assume costs for auditing payment under both options, either
internally or through an external auditor. The company will, however, need to set up
contingency agreements with other vendors in the event that the original vendor cannot
provide service.
53. In a review of an electronic data interchange (EDI) application using a third-party service
provider, the auditor should:
I. Ensure encryption keys meet ISO standards.
II. Determine whether an independent review of the service provider's operation has been
conducted and assure that the user’s regulatory and operational requirements are met.
III. Verify that only public-switched data networks are used by the service provider.
IV. Verify that the service provider's contracts include necessary clauses, such as the right to audit.
A. I and II only
B. I and IV only
C. II and III only
D. II and IV only
In determining whether an independent review of the third-party service provider has been
performed (with appropriate follow-up), reviewing the third-party provider's contract is an
appropriate audit step. However, using a third-party service provider does not mean encryption
is utilized. Also, public-switched data networks are not directly related to EDI applications.
54. Which of the following should be considered a core competency that should not be out-
sourced?
A. Building management in a financial services headquarters
B. Manufacturing a sub-assembly for a product in a commodity market
C. Marketing strategy function that perceives itself as integral to the organization’s strategy

lOMoARcPSD|28560950
CIA EXAM Part 3
D. Product design in category where design often distinguishes products from competition
If product design is a critical competitive edge, it is probably a core competency that should not
be out-sourced. Perception of value does not make a process a core competency. Building
management is a support service for a financial services company. Manufacturing is not a core
competency in a commodity market. Internal auditing may help organizations identify real core
competencies that can be out-sourced.
SECTION IV
Chapter A
1. What is the term for barriers in the sender-to-receiver and receiver-to-sender message
processes?
A. Selective perception
B. Faulty feedback
C. Communications noise
D. Misread body language
Communications noise can happen anywhere along the communications spectrum. Both
senders and receivers need to be careful about the intent of the message, the medium, and the
interpretation.
2. A group leader made a suggestion. One group member interpreted the suggestion differently
than the others. This difference is likely related to which of the following?
A. The feedback channel

B. Encoding
C. The message channel
D. Decoding
Decoding is how the receiver of a message interprets that message. Interpretations can vary
widely given cultural backgrounds.
3. When evaluating communication, the internal auditor should be aware that nonverbal
communication

lOMoARcPSD|28560950
CIA EXAM Part 3
A. always conveys less information than verbal communication.

B. is often imprecise.
C. is independent of a person's cultural background.
D. always conveys a more truthful response.
Nonverbal communication is often imprecise. It is influenced heavily by culture and can

sometimes convey more information than verbal communication.
4. Which of the following is deductive reasoning?

A. Reasoning on a post-hoc basis
B. Reasoning from the general to the particular
C. Reasoning through the development of a carefully constructed hypothesis
D. Reasoning from one or more particular facts to reach a general conclusion
Deductive reasoning or deduction is the process of reasoning from general principles to

particular examples. Inductive reasoning or induction is the process of reasoning from detailed
facts to a general principle.
5. An employee knows that the procedures the department manager promotes are actually not as
effective as the manager believes. The employee could set the manager straight on this
situation. The manager is friendly and not likely to react badly. Still the employee holds back.
What could be inhibiting this communication?
A. A perceived imbalance in organizational power

B. Poor training
C. Lack of an anonymous whistleblower channel
D. Lack of a credible solution to offer
In both organizations and cultures the distribution of organizational power can interfere with
communication. The person who perceives himself or herself as having little power or authority
will be less likely to initiate discussion, even of important topics. The manager needs to find
ways to encourage employee communication, perhaps by rewarding ideas.
6. Which of the following is considered a disadvantage of electronic communication?

lOMoARcPSD|28560950
CIA EXAM Part 3
I. Information overload
II. Misrepresentation of feelings and emotions
III. Reduced transmission time
IV. Lack of a paper trail
A. I and II only
B. I, II, III, and IV
C. I, III, and IV only
D. IV only
Information overload (I) and misrepresentation of feelings and emotions (II) are considered
drawbacks of electronic communication. Information overload, such as numerous electronic
mail messages, may lead to lost time and inefficiencies and is considered a drawback of
electronic communication. Reduced transmission time (III) is considered a positive result of
electronic communication, and electronic communication generally results in an adequate paper
trail (such as saved "sent mail").
7. Internal auditors should be active listeners to gain the most information in an internal audit
interview. Which of the following best describes how an active listener behaves in an interview?
The listener
A. avoids looking directly at the speaker and interrupting his or her train of thought.
B. formulates arguments and conclusions as pieces of the speaker's information fit together.
C. judges and evaluates the information as it is presented.
D. listens with empathy and intensity.
Listening with empathy to the speaker's ideas allows for objective, not judgmental, listening.
Empathy puts the listener in the speaker's shoes, so the listener understands what the speaker
wants to communicate rather than what the listener wants to understand. A listener must
concentrate intensely to avoid being distracted.
8. Employees became upset when their manager conveyed layoff announcements via an e-mail
message. The manager made what type of communications error?
A. Communication flow
B. Communication channel
C. Communications network
D. Communication style

lOMoARcPSD|28560950
CIA EXAM Part 3
The e-mail medium was less personal and supportive than face-to-face meetings would have
been.
9. Nonverbal communication consists of messages conveyed by
I. the physical distance between the sender and the receiver.

II. the facial expressions used when speaking.
III. electronic means of communication such as e-mail.
IV. unconscious actions of the speaker while speaking.
V.
A. I and II only
B. I, II, and IV only
C. III only
D. IV only
Options I, II, and IV are part of the nonverbal message each speaker sends to a listener. E-mail
consists of written messages transmitted electronically and is not a form of nonverbal
communication.
10. "But I mailed the order four weeks ago giving the supplier plenty of time," said the parts
manager when asked why a critical part was not available. The most likely reason for this failed
communication between the parts manager and supplier was
A. lack of feedback.
B. perceptual selectivity.
C. inappropriate medium.
D. confusing language.
If the parts manager had received feedback in the form of an order acknowledgement from the
supplier, he would have known that the part would not be available in time.
11. During a performance review, an employee focuses on seemingly negative comments from the
supervisor and disregards any positive comments. Which term best describes this situation?
A. Communications noise
B. Selective perception
C. Misread body language
D. Communication style conflict

lOMoARcPSD|28560950
CIA EXAM Part 3
Selective perception is the process of selecting some information and filtering out other
information as it is received based on an individual's needs, interests, values, opinions, and past
experiences.
12. Listening effectiveness is best increased by

A. factoring in biases to evaluate the information being given.
B. resisting internal and external distractions.
C. tuning out messages that do not seem to fit the meeting's purpose.
D. waiting to review key concepts until the speaker has finished talking.
Concentrating on what the speaker is saying is critical to effective listening. Because a person
listens faster than a speaker talks, reviewing the speaker's key concepts silently will help the
listener to remember them better without notes.
13. All of the following are true about business memos except which statement?
A. They should be concise, clear, and readable.
B. They are usually short.
C. They should be written in active voice.
D. The tone should be casual to get the reader's attention.
Memos can vary considerably in tone, depending on what they are about and how they will be
circulated. Some are quite formal, while others are informal.
14. A company is rumored to be considering downsizing. Because a manager stops the use of all
temporary employees, the staff concludes that some jobs will be lost. Which of the following is
true about the manager's communication about job losses?
A. The lack of a formal message had a negative impact on staff.
B. The staff decoded the formal communication sent by the manager correctly.
C. The channel through which the message was sent was appropriate.
D. The manager properly encoded the idea in a message.
The message sent by the manager was nonverbal (i.e., layoff of temporary employees). The
reaction of the full-time employees was to become upset. Because there was no formal
communication sent by the manager, the message was not encoded properly nor could staff
decode it correctly.
15. Auditors must be effective listeners, especially when asking complex questions. To improve their
listening skills, auditors should do all of the following except
A. stop talking. It is difficult to listen and talk at the same time.
B. be patient. Allow the speaker ample time to respond.
C. avoid all questions until the speaker has concluded.
D. put the speaker at ease. A nervous speaker will be difficult to understand.

lOMoARcPSD|28560950
CIA EXAM Part 3
Intermittent questioning conveys that the listener is actively listening and affords the
respondent an opportunity to clarify or expand on any areas of confusion.
16. In performing an audit, auditors who want to be perceived as credible should try to make sure
that their verbal and nonverbal messages
A. occur in clusters.
B. reinforce each other.
C. are ambiguous.
D. contain a lot of variety.
Experts say that between 70 percent and 90 percent of a sender's meaning is transmitted
nonverbally. If the sender says one thing verbally while nonverbally conveying something else,
listeners are most likely to believe the nonverbal message.
17. Which of the following steps works against effective listening?

A. Asking appropriate questions
B. Helping the speaker to complete the point
C. Recognizing the speaker’s emotion
D. Understanding the speaker’s steps to reach a solution
By interrupting the speaker, even with good intentions, the listener may inhibit further
communication and may be jumping to unwarranted conclusions. The other steps support
effective listening.
18. An organization has decided to partner in a joint venture. What is perhaps the most critical first
step in establishing effective communications through technology?
A. Agree upon security and data privacy concerns.
B. Link all of the partner technology networks for efficiency.
C. Set up a common information management software system.
D. Set up systems training for employees who need it.
While training and establishing good network systems is important, this will be an ongoing
dynamic process. Of utmost importance is first determining what will be made available
electronically and how the data can be protected.
Chapter B

lOMoARcPSD|28560950
CIA EXAM Part 3
19. A chief audit executive is hired from another organization. During the next planning cycle, the
CAE offers for the board’s approval an audit charter and plan based on the CAE’s work in his
previous position. What is the most likely result?
A. Increased risk of the organization’s non-compliance with local laws and regulations
B. An increase in the quality of internal audit work, based on the infusion of external perspectives
and procedures
C. Decreased efficiency in the activity’s ability to fulfill its annual objectives
D. Conflict between internal audit activities and board/senior management’s expectations and
risk appetite
The audit charter and annual plan must be aligned with the organization’s strategic objectives
and risk appetite. If not, the annual plan, even if approved, will not meet the board’s and senior
management’s expectations. The risk of non-compliance will probably not be strongly affected
as long as compliance audits continue. Efficiency may not suffer, although the effectiveness of
the internal audit activity will. The quality of internal audit work must be tied to its strategic
alignment.
20. In which of the following situations is the internal audit activity most likely to deliver added
value to its organization?
A. The board supports its verbal commitment to governance, risk management, and control with
resources and direction.
B. Historically, internal audit has refrained from forming relationships with other functional areas.
C. Senior and line management are primarily interested in confirming the strength of existing
controls.
D. The chief audit executive has been with the organization less than one year but has significant
knowledge of new, automated auditing techniques.
For internal audit to add value to an organization, it must go beyond assessing present controls
towards identifying root causes of problems and recommending solutions and changes. This will
require support from the board and senior management in the form of example, resources, and
direction. To add value, internal audit must have organizational knowledge and relationships. A
new CAE would be less likely to have sufficient organizational and industry knowledge.
SECTION V

lOMoARcPSD|28560950
CIA EXAM Part 3
Chapter A
1. When an organization has determined that its business operations will be positively affected by
acquisitions or strategic alliances, it is likely considering which move?
A. Vertical integration
B. Expansion
C. New business entry
D. Horizontal integration
An organization may decide to enter a new business in the same or a different industry when
the benefits outweigh entry costs and other legal and administrative barriers.
2. An organization adopts a new open source software system in which to develop its online
content. The project manager has content for five clients that is similar in scope, but notices a
20 percent reduction in costs between work for the first and second clients, a 30 percent
reduction in costs between the second and third, but only a 10 percent reduction in costs
between the third and fourth, and no reduction in costs for the last client. Which of the
following is true of this situation?
A. Learning curve analysis cannot be used because it is primarily for individuals, and these projects
do not show a constant learning rate.
B. Learning curve analysis can be applied to projects, and these projects show a typical learning
curve.
C. Sensitivity analysis can be applied to projects, and these projects would likely show the cost
changes were due to larger forces such as economies of scale.
D. Sensitivity analysis cannot be used because it is not appropriate for identifying the best decision
alternative among situations that have variations in costs such as this scenario.
The organization is learning to use a new software system and has several very similar projects,
so the learning curve analysis is the most appropriate model to use to estimate or assess the
differences in successive projects. Sensitivity analysis is appropriate for identifying the best
decision alternative among situations with variations in the payoffs, but it is not the best choice
among the alternatives.
3. The price charged on a consistent basis for a specific product would most likely be lowest during
which stage of the product life cycle?

lOMoARcPSD|28560950
CIA EXAM Part 3
A. Decline stage
B. Growth stage
C. Maturity stage
D. Introduction stage
During the maturity stage, competition is at its greatest, and costs are at their lowest; thus,
prices would be at their lowest.
4. Globalization assists in achieving economies of scale, which is a
A. learning benefit.
B. cost benefit.
C. arbitrage benefit.
D. timing benefit.
Cost benefits are obtained from economies of scale owing to standardization of products and/or
processes, as well as increased bargaining power over suppliers of raw materials, components,
and services.
5. Which of the following is a market-oriented definition of a business versus a product-oriented

definition of a business?
A. We supply energy.
B. We make air conditioners and furnaces.
C. We produce movies.
D. We sell clothing.
“We supply energy” is a market-oriented definition as opposed to the other definitions, which
are product-oriented definitions.
6. When the plan-do-check-act cycle is applied to benchmarking, during which of the following
phases is the organization’s own baseline performance measured and other process measures
determined?

lOMoARcPSD|28560950
CIA EXAM Part 3
A. Do
B. Check
C. Act
D. Plan
During the do/analyze phase, organizations create a baseline of their own performance, develop
process measures, measure, identify target companies, and gather data.
7. Governments restrict trade in order to
I. foster national security.

II. develop new industries.
III. protect declining industries.
IV. increase tax revenues.
A. I and IV only
B. II and III only
D. II, III, and IV only
The government normally restricts trade in order to foster national security, develop new
industries, and protect declining industries. Increasing tax revenues would not be an impetus for
governments to restrict trade because tax revenues would decrease with lessened trade.
8. The most important component of quality control is
A. conforming to ISO-9000 specifications.

B. ensuring that goods and services conform to the design specifications.
C. determining the appropriate timing of inspections.
D. satisfying upper management.
Quality is the reliability of a product or service for its users. To ensure a reliable level of quality
throughout an organization, every individual, department, and subdivision of an organization
must conform to design specifications set by customer expectations. Conformance means
reducing and eliminating variations (defects) from the desired outcome (the target value).
Chapter B
9. Which of the following is not an advantage of group decision making as compared to individual
decision making?

lOMoARcPSD|28560950
CIA EXAM Part 3
A. Group decision making is consistent with democratic methods.

B. Group members bring more complete information and knowledge into the decision process.
C. Groups obtain an increased degree of solution acceptance so the solution may be implemented
more easily.
D. Group members avoid expressing opinions that deviate from what appears to be the group
consensus.
This answer describes the groupthink phenomenon, which is undesirable. Some group members
go along with what appears to be the group consensus rather than giving their honest input.
10. In many jobs, excessive specialization eventually can lead to poor motivation, boredom, and
alienation. To cope with the potential problems in such situations, managers should
A. focus on their employees' higher-level needs to help them achieve self-actualization.

B. implement an optimal organizational rewards system and provide all needed training to keep
employees up-to-date on technology.
C. change the jobs to fit the employees' needs or rotate employees to jobs that satisfy their
needs.
D. remove job "dissatisfiers" such as low salary, bad supervision, lack of job security, and poor
working conditions.
Job design theories of motivation specifically address the issue of over-specialization. These
theories focus on the match between the person and the job as the key to motivation. If there is
over-specialization and boredom, the recommendation is to either enrich the job or move the
employee to a job that provides the appropriate level of challenge.
11. Which of the following are examples of organizational productivity?
I. An increase in inputs and a decrease in outputs

lOMoARcPSD|28560950
CIA EXAM Part 3
II. An increase in production process efficiency

III. An increase in outputs given the same resources
IV. The same level of outputs using fewer resources
A. I and II only
B. I and III only
C. II and IV only
D. II, III, and IV only
An increase in the level of resources used, with a resulting decrease in the quantity of outputs, is
not a productive outcome.
12. To make goal setting in performance appraisals effective and worthwhile, internal audit
supervisors need to set goals
A. that are based on the output of superior performers.

B. that are qualitative and approximate.
C. that are just beyond what subordinates are likely to reach.
D. that are specific, objective, and verifiable.
The supervisor should know enough about the employee's job to set specific and objective
goals, as well as communicate to the employee how each goal will be measured or verified.
Goals should not be set beyond the employee's reach.
13. A small group is established to conduct a cost analysis for an area of the organization and will
disband when the analysis is completed. What type of group is this?
A. Informal
B. Task
C. Structural
D. Functional
A task group is charged with completion of a task, and the group will disband once the task is
complete. Informal groups also may have a task to complete, but they may not be formally
appointed. Structural and functional groups usually are embedded in the organization's
structure and are ongoing.
14. A chief audit executive is developing an audit charter and annual plan. The organization is a non-
profit that focuses on improving living standards in developing countries. The organization is
very goal driven, has a flat structure with quick and easy access to leaders, and committed to
respectful, supportive relationships among staff members. Employees are highly motivated by

lOMoARcPSD|28560950
CIA EXAM Part 3
the organization’s goals and values and are highly engaged in their work. Which of the following
characteristics is one likely to see in the internal audit charter and annual plan?
A. In the end, the annual audit plan will be based on the board’s and senior management’s wishes.
B. There will be proportionately more control self-assessment (CSA) audits.
C. Audit objectives will emphasize compliance with policies and procedures.
D. Audit team members will be discouraged from deviating from the CAE’s directions.
The organization appears to use a more collegial management style, which emphasizes
teamwork and engagement rather than centralized power and control. The audit focus will be
on control frameworks and CSA audits may predominate the plan.
15. Which of the following is designed to identify company values, measure desired work behavior,
and provide feedback to employees?
A. Performance plans
B. Behaviorally anchored rating scale (BARS)
C. 360-degree feedback
D. Performance standards
The question describes a performance plan.
16. Why is a structured interview especially helpful in an initial screening to limit the number of
applicants?
A. It tests an applicant's ability to respond to stressful situations.

B. It tends to be reliable and valid.
C. It can provide useful insights about the abilities of applicants not determined by other methods.
D. It uses a set of standardized questions.
A structured interview uses a set of standardized questions asked of all applicants so that
comparisons among candidates can be made easily. It allows the interviewer to prepare
questions in advance and then complete an evaluation form after each interview that
documents why one applicant was selected over another.
17. Which of the following is the best measure of productivity to use to evaluate several
departments in a large retail store?

lOMoARcPSD|28560950
CIA EXAM Part 3
A. Average number of units stocked per month per department

B. Number of units sold per department per day
C. Revenue per square foot
D. Number of customers served per employee per day
A critical output of interest is revenue per square foot. The floor space in the store is a limited
resource whose productivity should be analyzed. The number of items stocked in a given
department says nothing about productivity. Number of customers or units is not the best
measure to use. For example, a department that sells books may serve a lot of customers or sell
many units, but that does not mean that it is more productive than a department that sells
furniture.
18. Which motivational theory relates to the balance of employee input and output rewards in
comparison to other employees?
A. Goal-setting theory
B. Equity theory
C. Reinforcement theory
D. Expectancy theory
Equity theory refers to employees' expectations that they will be treated fairly based on their
contributions and as compared to the contributions and rewards of others.
Chapter C
19. Order the following Likert leadership styles. Start with the style where leaders strongly keep
decision-making power and end with the style where leaders strongly delegate decision-making
power.
I. Consultative
II. Benevolent-authoritative
III. Exploitive-authoritative
IV. Participative
A. I, III, II, and IV

B. II, III, IV, and I
C. II, IV, I, and III
D. III, II, I, and IV

lOMoARcPSD|28560950
CIA EXAM Part 3
The Likert progression moves from leaders exhibiting strong authority in the exploitive-
authoritative style to the benevolent-authoritative, consultative, and participative styles.
Participation places full trust in employees, with much communication and teamwork.
20. What distinguishes a work team from a work group?
A. Teams are larger in membership.

B. Teams are managed closely.
C. Teams are slower to achieve results.
D. Teams have stated performance objectives.
Teams are organized with specific performance objectives and expectations, are usually smaller
and self-directed, and achieve results more quickly.
21. To successfully implement empowerment at an organization, managers should do which of the

following?
A. Accept or reject ideas based on the authority of the individual offering the advice.
B. Promote the concept from the bottom up.
C. Shift responsibility to the direct managers of those who actually perform the business processes.
D. Give freedom for others to act on their own authority, but retain an appropriate amount of
personal control.
To successfully implement empowerment in an organization, leaders must balance their need

for personal control with providing freedom for others to act on their own authority.
22. In the managerial grid theory, which leader style is a circumstance where work is done with
minimal effort and minimal leadership direction?
A. Country club management

B. Authority-compliance management
C. Impoverished management
D. Team management
In the Blake and Mouton theory, this is described as low concern for people and a low concern
for tasks.

lOMoARcPSD|28560950
CIA EXAM Part 3
23. What is the most effective way for an audit supervisor to delegate a task to a staff auditor?
A. Let the auditor try to perform the task for a defined period of time, and then meet to critique
the approach, clarifying the assignment as needed.
B. Give the assignment in general terms, have the auditor develop the desired outcome and
approach, and then review and critique the auditor's decisions.
C. Define the desired outcome and the approach precisely and in writing.
D. Define the desired outcome precisely, discuss possible approaches with the staff auditor, and
reach an agreement on the approach to be taken.
Precisely defining the desired outcome in writing makes the supervisor's expectations clear. It
also involves the staff auditor in working out how to reach the desired outcome, thus increasing
his or her acceptance and understanding of the assignment.
24. Which of the following are characteristics of a well-functioning team?
I. Continual evaluation
II. Suppression of group differences
III. Strong task versus people orientation
IV. Voicing of opinions and conflict
A. I and II only
B. I and IV only
C. II and III only
D. III only
Positive team characteristics are continual evaluation and improvement, honest

communication, which stimulates some conflict, a balance of task and people orientations, and
recognition of differences in diverse groups.
Chapter D
25. After completing an audit of a company's major operation, the auditor is certain that a proposed
recommendation should be made in the audit report. However, the auditor also understands
that the recommendation will result in conflict between the audited department and the
accounting department. The organization is not bureaucratic and encourages the development
of informal relationships across departments. Which of the following statements is correct
regarding the nature of conflict in the organization?

lOMoARcPSD|28560950
CIA EXAM Part 3
A. Conflict is healthy unless it clearly points out differences in the goals and objectives of the
organization's operating units.
B. Conflict reduces the likelihood that an acceptable solution can be implemented in highly
structured organizations. Thus, the auditor should consider revising the recommendation to
avoid conflict.
C. Conflict should be viewed as a healthy way to facilitate growth in an organization. Thus, the
auditor should accept conflict that may result from normal audit recommendations.
D. Conflict is more likely to be functional in a bureaucratic organization than in a less formal (i.e.,
organic-type) organization.
The interactionist view of conflict holds that conflict is a necessary part of organizational growth.
Conflict is much more functional in organic, open organizations, than in highly structured,
bureaucratic organizations. Conflict can be functional or dysfunctional. Conflict which points
outs differences in goals and objectives can be healthy in organic organizations by facilitating
discussion and eventual growth.
26. Keeping a conflict from surfacing at all is an example of following which conflict management
strategy?
A. Avoidance
B. Confrontation
C. Defusion
D. Containment
An avoidance strategy aims to resolve the conflict by ignoring it or imposing a solution. It is

appropriate if the conflict is trivial or if quick action is needed to prevent the conflict from
arising.
27. Which of the following would not be considered a conflict trigger?
A. Status differential
B. Superordinate goals
C. Ambiguous jurisdictions
D. Competition for scarce resources
Superordinate goals are not a conflict trigger as are the other options.
28. All of the following except which is true about added-value negotiating?

lOMoARcPSD|28560950
CIA EXAM Part 3
A. The process is longer given the many steps.

B. The parties present exchanges of value.
C. Much research and preparation is involved.
D. The last step is to perfect the deal.
The process usually takes less time because of the multiple offers presented at the beginning.
29. What is a primary disadvantage of forcing another party to accept terms in a negotiation?
A. Reduction in internal support for the negotiator’s tactics

B. Damage of the relationship between the negotiators
C. Lack of achievement of the negotiator’s goals
D. Increased time involved in reaching an agreement
In future negotiations, the forced opponent will be less likely to work with the negotiator to
achieve mutual goals. Negotiations in which one or both parties feel they must win at the
expense of the other party ultimately do not build a relationship of trust and cooperation.
30. All but which of the following describe principled negotiation?
A. Separation of people from the problem

B. Competing positions clearly outlined
C. Generation of multiple options
D. Results based on objective standards
In principled negotiation, a key tactic is to focus on the interests of the parties coming to the
table and not on preprescribed positions.
Chapter E
31. If an internal auditor discovers that a project manager has been “crashing” to affect a project’s
critical path, the internal auditor should also examine
A. the cost of project resources against its budgeted costs.
B. the expense reports of the project manager to look for unusual travel or expenditures.
C. the slack time of the project.
D. the ethics guidelines to determine if a conflict of interest has occurred.
The process of adding additional resources to shorten the length of a task on the critical path is
called “crashing.” If the project manager is using this technique, it is unlikely that the project has
any slack time, but the auditor should examine the cost of the resources against the budgeted
costs to determine the relative costs of shortening the project’s time line in this way.

lOMoARcPSD|28560950
CIA EXAM Part 3
32. A project manager gathers estimates from each team member on the earliest start date of each
task as well as the estimated task duration and whether the tasks are parallel or sequential.
Given just this information, which of the following project management tools could the manager
create?
A. Gantt chart
B. Critical path method (CPM)
C. Sensitivity analysis
D. Program evaluation review technique (PERT)
The question lists the necessary information to create a Gantt chart. To calculate CPM or PERT
the manager would also need to know the latest start time for each task and the earliest and
latest finish times.
33. Why are Program Evaluation and Review Technique (PERT)/Critical Path Management (CPM)
charts useful for managing complex projects?
A. They identify and prioritize tasks which must be completed on time for the whole project to
be completed on time.
B. They divide each project into sequential activities with estimated start and completion times.
C. They provide a basis for scheduling when tasks will be executed.
D. Their simplicity allows for easy schedule modifications.
PERT/CPM charts are used for large, complex projects that have a high degree of inter-task
dependency. They graphically illustrate the critical path, which determines the total time
required to complete the project and the critical activities on that path.
34. The process of organizational change can be impeded if the organization has a strong culture in
place. Which of the following is not an effective step for changing a strong organizational
culture?
A. Revamp selection and reward criteria to promote a different set of organizational values.
B. Provide assurance to existing executives that their positions and prospects are secure.
C. Create an awareness that the organization is faced with a serious crisis.
D. Prepare a comprehensive cultural "audit" to identify the existing dimensions of the
organization's culture.
Ensuring job security would tend to further entrench the existing culture. The other answers
would be helpful in changing the existing organizational culture.

lOMoARcPSD|28560950
CIA EXAM Part 3
35. An organization is changing to a quality assurance program that incorporates quality throughout
the process. This is very different from its years of dependence on quality control at the end of
the process. This type of change is a
A. product change.
B. structural change.
C. organizational change.
D. cultural change.
The described change is cultural because it involves a change in attitudes and mindset.
36. Internal auditors are on an assurance engagement involving a company that is implementing
business process reengineering. Auditors have not found any employee to have shirked his or
her required duties for the change initiative, but they have noted that there is a poor attitude
about the change in general. Which of the following would be most likely to correct the issue?
A. Readdress the need for change, and find ways to connect to employees through values.
B. Reinvigorate the process with new projects, themes, and change agents.
C. Foster a "silo" mentality so that individuals can see the scope of their portion of the project
better.
D. Flatten organizational structures to promote better communication between management
levels.
Change is often intensely personal and, fundamentally, it involves feelings. Organizations that
want to get their employees on board have to accept that managing emotions is often a big part
of the process. Most successful change initiatives reveal that organizations clearly communicate
the need for change and connect with their employees through values.
SECTION VI

lOMoARcPSD|28560950
CIA EXAM Part 3
Chapter A
1. Which of the following alerts an internal auditor that the organization may have a risk of
exposure to computer viruses?
A. The ability to download public-domain or unauthorized software

B. The presence of data-encrypted files
C. The need for daily backups of the system
D. The control of user access
One of the most frequent problems with viruses is unauthorized or uncontrolled installation of software.
The auditor should document this situation as a problem in his or her findings.
2. A programmer accumulating roundoff errors into one account, which is later accessed by the
programmer, is a type of computer fraud. The best way to prevent this type of fraud is to
A. use control totals and check the results of the computer.

B. independently test programs during development and limit access to the programs.
C. segregate duties of systems development and programming.
D. build in judgment with reasonableness tests.
The accumulation of roundoff errors into one person's account is a procedure written into the program.
Independent testing of a program will lead to discovery of this programmed fraud. If access to programs
is not limited, it would be possible for a programmer to change a program without approval.
Reasonableness tests will not overcome this error because in this particular type of fraud, all the
amounts will balance. Segregation of duties between systems development and programming would not
generally prevent this type of error because the skills required to construct the program are possessed
by programmers. Since the particular fraud results in a balanced entry, control totals would not detect
the fraud.
3. A legitimate user with fraudulent intent forces a total system error that requires a system
shutdown and reboot. During the reboot process, the user changes a key parameter in a
financial server’s basic input/output system (BIOS) that alters the restart parameters allowing
the user to later change a file extension for an accounts payable log and then alter it at leisure
without being detected. Which of the following correctly describes what the user
perpetrated?

lOMoARcPSD|28560950
CIA EXAM Part 3
A. Asynchronous attack followed by installing a backdoor

B. Wardriving followed by installing a backdoor
C. Wardriving followed by data hiding
D. Asynchronous attack followed by data hiding
Asynchronous attacks cause an initial system action and then a subsequent system reaction. For
example, after a system has been shut down and before it restarts automatically, changes may be made
to the restart parameters that weaken security. When the computer restarts, intrusion is now easier.
Data hiding is manipulation of file names or extensions or other tricks to hide a file from its normal
location so that it can be manipulated at leisure (e.g., hiding an audit log).
4. To reduce security exposure when transmitting proprietary data over communication lines, a
company should use
A. asynchronous modems.
B. authentication techniques.
C. cryptographic devices.
D. call-back procedures
Cryptographic devices protect data in transmission over communication lines.
5. A company with several hundred stores has a network for the stores to transmit sales data to
headquarters. The network is also used for:
•Vendors to submit reorders.

•Stores to transmit special orders to headquarters.
•Regional distribution centers to communicate delivery and out-of-stock information to
the stores.
•The national office to distribute training materials.
•Store, regional, and national personnel to share any information they think is helpful.
In order to accommodate the large volume of transmissions, large stores have their own
satellite receiving/transmitting stations. Small stores use leased lines.
The information systems and audit directors agreed on the need to maintain security and
integrity of transmissions and the data they represent. The best means of managing the
confidentiality of satellite transmissions would be
A. monitoring software.
B. access control.
C. encryption.
D. cyclic redundancy checks

lOMoARcPSD|28560950
CIA EXAM Part 3
Encryption is the best means of managing the confidentiality of satellite transmissions because even if
an unauthorized individual recorded the transmissions, they would not be intelligible. Cyclic redundancy
checks are complex computations performed with the data bits and the check bits in data transmissions
to ensure the integrity, but not the confidentiality, of the data. Access control applies to gaining
entrance to the application systems, not to the format of transmissions. Monitoring software is designed
to monitor performance (human or machine) for specified functions such as the number of tasks
performed or capacity utilized.
6. Which of the following is true regarding data security?
A. Storing data on the user's own computer hard drive is safer than storage on a common
server.
B. All staff with control responsibilities should be briefed on the location of the
organization's off-site storage facility.
C. Consistent data structure standards are a necessary prerequisite to uniform
interapplication security.
D. Electronic vaulting can be used to avoid needing a physical off-site storage location.
Data structure standards are rules for consistency of data definitions, or the programming tags that
define a data item's use and its place in a data hierarchy. If all applications use the same data standards,
seamless interfaces can be created and security controls uniformly applied. Because servers are more
likely to be regularly backed up, they are safer than the user's hard drive.
7. Which of the following types of malicious software (malware) uses social engineering tactics
to deceive e-mail receivers?
A. Trojan horses
B. Worms
C. Viruses
D. Root kits
Trojan horses are malicious programs that try to appear harmless by using social engineering (rhetorical
techniques designed to make messages appear to be friendly, innocent, or sent by familiar contacts).
Chapter B
8. Which of the following is the policy on change and patch management that most high-
performing IT organizations follow?
A. Have IT staff perform those patches that department heads feel are important.

lOMoARcPSD|28560950
CIA EXAM Part 3
B. Manually install every patch as soon as it is available.

C. Wait to install routine patches until enough are ready for simultaneous testing and
installation.
D. Have patches automatically install as soon as they are released by the vendor.
When a possible patch or change comes up, IT staff and management should sort out the true
emergency situations from the routine. Multiple changes should be bundled for cost-effective testing in
a sandbox environment. IT staff should not rely on department heads to set their priorities as every pet
project could be requested.
9. Which of the following are risks inherent in the use of online programming that must be
controlled?
I. Creation of multiple versions of programs

II. Unauthorized access
III. Dummy data for development dissimilar to real data
IV. Overwriting of valid code
A. I, II, and IV only

B. I, III, and IV only
C. II and III only
D. I, II, III, IV
Online programming, performed on workstations, allows programmers to write and compile code using
real data. It also speeds development time. However, it does introduce risks that must be controlled.
•Creation of multiple versions of programs
•Unauthorized access
•Overwriting of valid code
10. A validation check used to determine if a quantity ordered field contains only numbers is an
example of a(an)
A. audit trail control.

B. data security control.
C. input control.
D. processing control

lOMoARcPSD|28560950
CIA EXAM Part 3
A validation check at data entry that verifies that a quantity field contains only numbers is an example of
a programmatic means of ensuring the accuracy of the value in that no nonnumeric characters are
permitted; this is an input control.
11. Which of the following is the least risky method of converting from the existing payroll system
to the new system?
A. Modular/phased method
B. Prototyping method
C. Direct cut-over method
D. Parallel method
The parallel method allows a comparison between the old and new system outputs.
12. Several years ago a senior member in the accounting area developed a software application
that automates a simple, yet time-saving task. Over time, the application has been adopted by
other users in accounting, and these other users have encouraged the original author to
maintain the application, adapting it as needed when new systems are introduced. Which of
the following controls for this situation would be most effective and efficient?
A. Recommend that the application be replaced by a commercially developed product.

B. Ensure complete, accurate, and updated documentation of the application.
C. Analyze the application to ensure that it is, in fact, the most efficient solution to the work
problem.
D. Recommend policy changes that freeze further adoption and work on the software.
The application appears to do the task well, so limiting its use, verifying its effectiveness, and replacing it
are probably not the most the effective and efficient controls. Ensuring that the application’s design and
subsequent modifications are documented would be most effective. This helps protect the function
against the eventual loss of its author’s expertise if the employee retires or leaves the organization, as
well as control the impact of modifications to the program. If the application does not include
application authentication controls, this would also be a good recommendation.
13. Within an integrated financial system, which of the following is not a major risk consideration
associated with the accounts receivable component of the system?
A. Transactions may occur with unauthorized vendors.

B. Updates of credit ratings may be untimely.
C. Financial or management reporting may be inaccurate.
D. Credits may be applied to improper accounts.

lOMoARcPSD|28560950
CIA EXAM Part 3
Transactions with unauthorized vendors is a risk associated with the accounts payable component of an
integrated system. The other risks are associated with the accounts receivable component.
14. Which of the following controls would assist in detecting an error when the data input clerk
records a sales invoice as US $12.99 when the actual amount is US $122.99?
A. Echo check
B. Sign check
C. Batch control totals
D. Limit check
The other controls listed would not find this error. A limit check would only work if the two amounts
were reversed, and there was a dollar limit on invoices. An echo check is a hardware control that checks
for accuracy in data transmission; it is not an input control. A sign check looks for positive or negative
field restrictions.
Chapter C
15. Which of the following information technology functions are most likely to be included within
the operations area of the systems department?
A. Librarian and production control

B. Technical support
C. Application/systems development
D. Local area network (LAN) administrator
Librarian and production control responsibilities are subareas of the computer operations function.
Within organizations, these subareas typically have reporting responsibility to computer operations.
Technical support, LAN administrator operations, and application/systems development are separate
functions with distinct responsibilities.
16. Internal control guidelines for information technology (IT) risks at Acme Incorporated state
that all pervasive risks identified must have a robust internal control but that specific risks
need controls when the significance of the risk warrants the cost of the requirements of
creating a control. Internal auditors are looking at a known but rare feedback loop condition
that can occur in a specific type of router software the organization developed. The loop
occurs only if each of several things go wrong, and it is very difficult to detect if all of these
elements are possible. If the feedback loop occurs, it adds small data errors into every
transaction sent through the router. The internal auditor should recommend to
A. not implement this control and omit it from the audit plan regardless of its cost as it is
very rare, difficult to detect, and produces only small data errors if it does occur.
B. implement the needed control and include it in the audit plan even if it is expensive, in
conformance with the control framework.

lOMoARcPSD|28560950
CIA EXAM Part 3
C. not implement this control and omit it from the audit plan if it is more expensive than the
benefit of the lowered risk because the control framework gives the auditor this leeway.
D. implement the needed control and include it in the audit plan even if it is expensive, even
though the control framework allows the auditor leeway in deciding whether or not to
implement this control.
To identify and assess the control of IT risks properly, an internal auditor must balance the risk posed
with the requirements of creating a control and must recommend to implement an appropriate control
framework and auditing plan. A pervasive risk is not limited to one system or activity but affects the
enterprise as a whole. The sending of small data errors to every system is a pervasive risk and could
have disastrous consequences if the errors were too small to be detected immediately. Therefore this is
a pervasive risk, and the control framework indicates this risk should have controls without exceptions.
17. Remote employees operating over the Internet but wanting to access the corporate intranet
site would most likely use a
A. fiber optic Internet connection.

B. virtual private network (VPN).
C. demilitarized zone (DMZ).
D. wireless connection using wireless application protocol (WAP)
VPNs encrypt data and provide authentication, thus allowing remote connections to the protected files
of a corporation.
18. All of the following are sound steps for purchasing software from an auditor's perspective
except
A. select the best vendor based on how well its sales presentation shows the product
meets specific organizational needs.
B. have potential vendors sign a nondisclosure agreement before they get the organization's
request for proposal (RFP).
C. choose a product based less on price and more on the satisfaction of at least 80 percent of
requirements and/or the top ten requirements.
D. perform an internal evaluation for straightforward off-the-shelf applications.
Auditors can be involved in software purchases by ensuring that the organization does not rely solely on
marketing information. They should see a functioning model that proves vendor claims, preferably set
up as a walkthrough on the organization's own systems and data.

lOMoARcPSD|28560950
CIA EXAM Part 3
19. When an operating system (O/S) needs to be upgraded, all of the following should be
performed except
A. make the change in a sandbox environment prior to full release.

B. ensure that any software hooks are omitted from the next version.
C. make a back out plan and implement change in off hours.
D. maintain a detailed log of all changes
Because an O/S affects an entire data center, it is high risk and upgrades should be performed in a
sandbox area first or done at night with a back out plan available (reversing the changes). A log of all
changes is key. Sometimes an O/S is customized with software called "hooks," and these will need to be
reinstalled at each upgrade.
20. Which of the following is true of Web services and service-oriented architecture (SOA)?
A. Such systems need to validate an additional type of user, the external application itself.
B. Such systems cannot function alongside a firewall.
C. Such systems cannot work with traditional applications unless they employ middleware.
D. Such systems should only be allowed to communicate over secure port 80.
Using SOA, two parties can automate their trading. Therefore, some of the segregations of duties
created by user interaction will be missing. A compensating control is to designate the machine or
system making the interface as a user in its own right with its own role-based access.
21. Which of the following allows the use of batch totals and other controls, while simultaneously
allowing changes to be viewed immediately?
A. Online transaction processing (OLTP)

B. Online analytical processing (OLAP)
C. Batch processing
D. Memo posting
Memo posting is used by banks for financial transactions and others to create real-time entries that are
posted to a temporary memo file. The memo file allows the updated information to be viewed; at a
designated time, the memo file is batch processed to update the master file. Data is available
immediately for viewing, but batch processing controls are applied before the changes become
permanent.
22. Management of a financial services company is considering a strategic decision concerning the
expansion of its existing local area network (LAN) to enhance the firm's customer service
function. Which of the following aspects of the expanded system is the least significant
strategic issue for management?

lOMoARcPSD|28560950
CIA EXAM Part 3
A. How the expanded system will contribute to the reduction of operating costs
B. How the expanded system can contribute to the firm's long-range business plan
C. How the expanded system would support daily business operations
D. How indicators can be developed to measure how well the expanded system achieves its
business objectives
Cutting costs, per se, is the least important issue. Payoff, or return on costs, is a more relevant strategic
consideration.
23. When combining two databases into one, an organization decides to apply the United Nations
Standard Products and Services Code (UNSPC) taxonomy to the names of their products.
Which type of data cleansing does this example illustrate?
A. Categorization
B. Normalization
C. Deduping
D. Concatenation
Normalization is making data assume common standards including taxonomy standards such as the
UNSPC to the data in a database.
24. Users making database queries often need to combine several tables to get the information
they want. One approach to combining tables is known as
A. projecting.
B. joining.
C. pointing.
D. mail merge.
Joining is the combining of one or more tables based on matching criteria. For example, if a supplier
table contains information about suppliers and a parts table contains information about parts, the two
tables could be joined on supplier number (assuming both tables contained this attribute) to give
information about the supplier of particular parts.
25. Which of the following statements about the role and nature of servers is correct?
A. A server is like a mainframe computer but is smaller.

B. Servers can provide clients access both to database and applications.
C. A server is a hardware component only.

lOMoARcPSD|28560950
CIA EXAM Part 3
D. The use of servers makes increasing network capacity more difficult.
A server provides access to network clients to databases and/or applications. It usually includes a
software component. A server is more compact than a mainframe but is also conceptually different. It
represents distributed information—information residing on networked servers. Servers and their
software should be scalable; it should be possible to add memory or increase processing speed.
Chapter D
26. Which of the following is true of business continuity management (BCM) and associated
business impact analyses (BIA)?
A. Critical business processes should have been defined prior to using a BIA.
B. A BIA separately defines recovery time objectives (RTO) and recovery point objectives
(RPOs) for each process and resource.
C. A BIA is restricted to internal resources for recovery since external resources should not
be considered reliable.
D. A BCM plan is communicated to key employees in the organization, and these employees
are trained in crisis procedures and communications strategies.
A BIA defines RTOs and RPOs for critical business processes and resources, both internal and external.
BCM plans must be communicated throughout the organization, not just to key employees.
27. A chief audit executive wants to build the strength of the function in the area of IT business
continuity. The best way to accomplish this goal would be to
A. purchase software systems designed to assess IT risks.

B. conduct a business impact analysis (BIA) for a test function.
C. provide consulting engagements on appropriate IT contingency plans.
D. ask management to include internal audit in debrief sessions after an IT loss of service.
The best path mentioned is to request that internal auditors be included in debriefing sessions after
incidents. This would allow the internal audit staff to learn more about the IT risks specific to the
organization, the recovery needs for business processes, and the strengths and weaknesses of different
contingency plans. The function cannot perform IT contingency planning audits without more expertise
in this area and more knowledge about the organization’s needs and goals. A BIA would provide a

lOMoARcPSD|28560950
CIA EXAM Part 3
greater sense of risks, but not necessarily of controls. Software systems are useful assessment tools but
would not provide organizational BCM knowledge on their own.
28. Management acted on the internal auditor's recommendation to prepare a contingency plan.
The most critical aspect of the plan would be to provide for
A. monitoring for fraud or abuse during recovery.

B. continuation of mortgage servicing.
C. security and control over information assets.
D. minimizing expenses during recovery periods.
The most critical aspect of the planning would be to provide for continuation of mortgage servicing
because without mortgage servicing, the company would be out of business. Deterring and detecting
fraud or abuse, control over information assets while processing in recovery mode, and minimizing
expenses during recovery periods are important, but they are not the most critical aspects to consider.
SECTION VII
Chapter A
1. An auditor performs an analytical review of division operations and notes the following:
•Current ratio - increasing

•Quick ratio - decreasing
•Number of days sales in inventory - increasing
•Sales - constant
•Current liabilities – constant
From this, the auditor can conclude that:

I. The company has produced fewer products this year than last year.
II. Cash or accounts receivable have decreased.
III. The gross margin has decreased.
A. I only
B. II only
C. I and III only
D. II and III only
The only way the quick ratio could be decreasing while the current ratio is increasing is if cash or
accounts receivable have decreased. There is no information given regarding the gross margin. Sales are

lOMoARcPSD|28560950
CIA EXAM Part 3
constant, but number of days sales in inventory has increased. Therefore, production or raw materials
would have increased.
2. Which of the following is true of the argument between valuing assets and liabilities at fair
market value versus historical cost?
A. The use of fair market value for most assets would be a more accurate measure of current
value but at a higher risk of misrepresentation or fraud.
B. For nonmonetary exchanges of assets, each party uses the asset being acquired as the fair
market value of the exchange.
C. Historical cost provides an accurate valuation of most long-term assets.
D. The price paid for assets received from a failing bank is those assets’ fair market value
According to the principle of historical cost, using the values actually paid or received is more reliable
than estimates of current value. For example, until an asset is actually sold, its value to the organization
remains amorphous. Aside from the high cost of constantly reassessing the values of all assets and
liabilities, such a practice would allow for easier manipulation of the financial statement elements.
3. An organization has net sales of $4,500,000, cost of goods sold (COGS) of $3,900,000, and total
indirect costs of $200,000. What is this organization's gross profit margin?
A. 0.089
B. 0.133
C. 0.154
D. Insufficient information is presented to calculate the gross profit margin.
The gross profit margin is calculated as follows:
Gross Profit Margin = Gross Profit / Net Sales = ($4,500,000 - $3,900,000)/$4,500,000 = 0.133
4. When purchasing an asset using debt, which of the following transactions occurs?
A. Debit assets (increase) and credit liabilities (increase).

B. Debit assets (decrease) and credit liabilities (increase).
C. Debit liabilities (decrease) and credit assets (increase).
D. Debit liabilities (increase) and credit assets (increase).
An asset account is debited, increasing it by the value of the additional assets. A liability account is
credited, increasing it by the amount of the loan.
5. Which of the following would be a typical capital budgeting decision?
A. How many tons of steel will be required this quarter?

lOMoARcPSD|28560950
CIA EXAM Part 3
B. Should new equipment be leased or purchased?

C. How much should the new secretary be paid?
D. Should the selling price of a new line of products be US $5.99 or US $6.99?
Capital budgets are concerned with long-term investments and projects that require large amounts of
funding and provide benefits far into the future. A typical capital budgeting decision involves whether
new equipment should be leased or purchased.
6. In a two-tier merger offer, shareholders receive a higher amount per share if they
A. agree to purchase newly issued bonds in the combined firm.

B. agree to sell back to the firm any bonds that they currently own.
C. tender their stock earlier.
D. tender their stock later.
An offer that is "two-tier" involves two different offer prices for the shares acquired. In a two-tier offer,
shareholders are enticed to sell to the bidder early by a higher stock price offer for those who tender
their stock earlier. The terms of the share acquisition do not relate to the issuance or repurchase of
bonds in the company.
7. A company has US $650,000 of 10 percent debt outstanding and US $500,000 of equity

financing. The required return of the equity holders is 15 percent, and there are no retained
earnings currently available for investment purposes. If new outside equity is raised, it will cost
the firm 16 percent. New debt would have a before-tax cost of 9 percent, and the corporate tax
rate is 50 percent. When calculating the marginal cost of capital, the company should assign a
cost of [List A] to equity capital and [List B] to the after-tax cost of debt financing.
A. List A = 15 percent, List B = 4.5 percent

B. List A = 15 percent, List B = 5.0 percent
C. List A = 16 percent, List B = 4.5 percent
D. List A = 16 percent, List B = 5.0 percent
The marginal cost of equity financing is 16 percent, and the after-tax cost of new debt financing is 9
percent [1 - 0.5] or 4.5 percent.
8. An organization performs a capital budgeting process. It defines project boundaries and

identifies potential projects that would fit in those bounds. Then it proceeds to analyze each
project until the one with the most net financial and nonfinancial benefits is selected. After
selection, the process moves on to determine the next opportunity for investment. Which of the
following is a key step omitted from this process description?
A. The project selected must be monitored and modified as needed.

B. The costs and cash flows for the project’s entire life cycle must be determined when
selecting the project.

lOMoARcPSD|28560950
CIA EXAM Part 3
C. The project identification stage should clearly define what the project will do and what it
will not do.
D. The next opportunity for investment must include all projects that were considered viable
but rejected.
There are three successive steps in a capital budgeting process: identify and define potential projects,
evaluate and select the projects, and monitor and review the projects. The third step is not mentioned.
9. What is a company’s accounts receivable (A/R) turnover if its receivables collection period is
17.36 days?
A. 0.048 days
B. 0.048 times
C. 21.03 days
D. 21.03 times
The receivables collection period calculation can be rearranged to solve for the A/R turnover ratio:
10. A company's average credit sale is US $5,000, and it has a cost of capital of 10 percent (0.1 or
0.00027 per day). They are considering offering a cash discount of 3 percent for early payment
within seven days, or the customer can pay the full amount at the end of 30 days. Which of the
following is the net present value (NPV) of this cash discount?
A. ($119)
B. ($105)
C. $105
D. $119
The net present value of a cash discount calculation follows.

lOMoARcPSD|28560950
CIA EXAM Part 3
11. The tax base is
A. every citizen of a country in total.

B. the tax paid on the last dollar of income earned.
C. everything a taxpayer earns, spends, and owns.
D. the percentage charged to taxpayers by a government before any allowances or writeoffs.
Everything a taxpayer earns, spends, and owns is called the tax base.
12. The amount of cash that a firm keeps on hand in order to take advantage of any bargain
purchases that may arise is referred to as its
A. compensating balance.
B. transactions balance.
C. precautionary balance.
D. speculative balance.
Speculative cash balances are held to enable the firm to take advantage of any bargain purchases that
might arise.
13. The DuPont return on equity (ROE) or modified DuPont formula takes into account all of the
following factors except
A. total asset turnover.
B. profit margin.
C. operating leverage.
D. equity multiplier.

lOMoARcPSD|28560950
CIA EXAM Part 3
DuPont ROE is profit margin x total asset turnover x equity multiplier. It factors in three categories:
earnings from sales, efficiency of asset use, and amount of financial leverage used to finance assets.
14. An organization that produces video games has US $100,000 to invest in a new game developed
by a third party. The organization knows that the risk of game obsolescence is very high in this
industry and makes its choice accordingly. Which of the following games should the organization
invest in if each can be produced for the same US $100,000 investment?
A. Game A has projected cash inflows per year of US $50,000 for one year and US $25,000 per
year for three years after that.
B. Game B has projected cash inflows per year of US $30,000 for four years.
C. Game C has projected cash inflows per year of US $20,000 for seven years.
D. Game D has projected cash inflows per year of US $40,000 for three years.
The project has a high risk of obsolescence, so the project considered least risky is the one that has the
shortest payback period. Game D has the shortest payback period as calculated below.
15. An organization is using capital budgeting techniques to compare two independent projects. It
could accept one, both, or neither of the projects. Which of the following statements is true
about the use of net-present-value (NPV) and internal-rate-of-return (IRR) methods for
evaluating these two projects?
A. If the first project's IRR is higher than the organization's cost of capital, the first project will
be accepted but the second project will not.
B. If the NPV criterion leads to accepting or rejecting the first project, one cannot predict
whether the IRR criterion will lead to accepting or rejecting the first project.
C. If the NPV criterion leads to accepting the first project, the IRR criterion will never lead to
accepting the first project.
D. If the NPV and IRR methods disagree about the worthiness of a project, it might be wiser
to use the data from the NPV method.
The NPV method makes a more realistic assumption about the rate of return that can be earned on cash
flows from a project. Therefore, if the NPV and IRR methods disagree about the worthiness of a project,
it might be wiser to use the data from the NPV method.

lOMoARcPSD|28560950
CIA EXAM Part 3
16. Which must be part of any risk model involving inventory valuation?
A. Vendor pricing policies

B. Product warranty policies
C. Inventory shrinkage expense
D. Annual sales forecasts
The amount of inventory loss through shrinkage directly impacts inventory valuation. Inventory
shrinkage must be considered in risk models involving inventory valuation. Product warranties and sales
forecasts have no impact on inventory valuation. Vendor pricing policies have no impact on inventory
valuation until goods are purchased. The price at the time of purchase is the only price that matters in
inventory valuation, and changes in vendor pricing policies would not necessarily impact valuation.
17. The activity of trading futures with the objective of reducing or controlling risk is called
A. hedging.
B. short-selling.
C. insuring.
D. factoring.
Hedging is the use of future contracts to limit risk exposure on exchange rates.
18. Given the following portion of a U.S. company’s balance sheet, if the company’s total equity in
Year 1 is US $534,498, which of the following lists the company’s debt ratio correctly?

lOMoARcPSD|28560950
CIA EXAM Part 3
A. 0.24
B. 0.34
C. 0.66
D. Insufficient information is presented to calculate the debt ratio.
Total Assets = Total Liabilities + Total Equity or Total Liabilities = Total Assets - Total Equity = $809,458 -
$534,498 = $274,960. The debt ratio is calculated as follows:
19. A company's balance sheet is as follows:

lOMoARcPSD|28560950
CIA EXAM Part 3
A horizontal common-sized statement would list which of the following percentages for inventories in
Year 2?
A. 21.7 percent
B. 25.2 percent
C. 27.8 percent
D. 29.1 percent

lOMoARcPSD|28560950
CIA EXAM Part 3
20. An internal auditor is working with accounts payable and is trying to determine if the
organization is properly taking advantage of cash discounts on trade credit. The organization's
cost of capital is 16 percent, and the supplier in question has terms of 1/15 n30. Which of the
following should the auditor recommend, assuming the organization would need to use
financing to pay the receivable early?
A. Pay early because the cost of not taking the discount is less than the cost of capital.
B. Pay when net is due because the cost of not taking the cash discount is greater than the cost
of capital.
C. Pay early because the cost of not taking the discount is greater than the cost of capital.
D. Paying early or when net is due are equal options because the costs are the same
The cost of paying early even after use of 16 percent external credit to pay is significantly lower than the
cost of using the trade credit terms of 24.58 percent.
Chapter B
21. Which of the following is an example of a relevant cost?
A. Joint costs in a sell or process further decision

B. Variable costs associated with a special order also incurred in the regular production process
when making a decision whether to accept the special order
C. Common fixed expenses for a company deciding whether to drop a product from the sales
mix after a net operating loss for the product
D. Opportunity costs such as reducing fixed overhead in a make or buy decision
Opportunity costs should also be part of the decision-making process. Common make or buy
opportunity costs include:
•Whether some part of the fixed overhead could be reduced by out-sourcing.
•Whether some part of the space being used during internal production could be used for some other
purpose.
22. Place the steps in preparing a production report for a process costing system in the correct
order.
•Calculate equivalent units(EU)

lOMoARcPSD|28560950
CIA EXAM Part 3
•Assign total manufacturing costs

•Analyze physical flow of production units: beginning work-in-process (WIP), units entering the
department, units completed and transferred out, and units in ending WIP
•Compute unit costs (overall and for direct materials, direct labor, and factory overhead)
•Determine total costs to account for (current costs incurred and cost of units in WIP)
A. III, I, V, IV, II
B. III, V, I, II, IV
C. IV, I, III, V, II
D. IV, III, II, I, V
After analyzing the physical flow of units, the equivalent units are calculated and from these the total
costs to account for can be determined. From the total costs to account for the per unit costs can be
calculated and then used to assign total manufacturing costs in each phase of the manufacturing
process.
23. Which of the following best describes responsibility accounting?
A. Managers are held responsible for controlling costs, generating revenues, and making new
investments.
B. Managers are not held personally responsible for deviations between goals and actual
results.
C. Managers choose which responsibilities will be linked to performance measures.
D. Managers are held responsible for line items they control.
Responsibility accounting is the process of recognizing responsibility centers (subunits) within an

organization, assigning responsibilities to the managers of those subunits, and evaluating the
performance of those managers. It links specific responsibilities and specialized knowledge to specific
performance measures, and it holds managers responsible for deviations between budgeted goals and
actual results.

lOMoARcPSD|28560950
CIA EXAM Part 3
24. A company harvests, packs, and ships all of its own produce. The company operates three
packing lines. A summary of completed inventory costs is as follows:
At the end of the reporting period, 600,000 units had been packed and shipped. No inventory
remained on hand. If the company used process costing, what would the cost per unit be?
A. US $0.197
B. US $0.275
C. US $0.315
D. US $0.59
Process costing is the average cost per unit produced.
Process costing includes all costs and does not allocate costs per packing line.
25. Abnormal spoilage is
A. not expected to occur under efficient operating conditions.

B. not expected to occur when standard costs are used.
C. not usually controllable by the production supervisor.
D. the result of unrealistic production standards.
Abnormal spoilage is not expected under efficient operating conditions. It is not an inherent part of the
production process. Abnormal spoilage is a function of the production process, not a function of the
costing system. Abnormal spoilage may result from any of a variety of conditions or circumstances,
which are not necessarily related to standards but are generally controllable by first-line supervisors.

lOMoARcPSD|28560950
CIA EXAM Part 3
26. Internal auditors have noted the following warning signs in a nonprofit organization: managers
have too much staff, are creating busywork for their employees, and are purchasing hardware
and software upgrades every year, even though it isn't necessary to accomplish the work. Which
of the following budget types likely contributed to this behavior?
A. Project budgeting
B. Kaizen budgeting
C. Activity-based budgeting
D. Zero-based budgeting
A zero-based budget starts with zero dollars allocated to budget items rather than making incremental
changes to already existing allocations. These budgets focus on constant cost justification by forcing
managers to conduct in-depth reviews of each area under their control. Zero-based budgeting also
encourages managers to exhaust all their resources during a budget period for fear they will be
allocated less during the next budget cycle.
27. A retail sales organization usually makes a [List A] rather than a production budget and its last
line is [List B] rather than budgeted production in units.
A. List A: merchandise purchases budget, List B: budgeted purchases

B. List A: direct materials budget, List B: budgeted direct materials inventory
C. List A: merchandise cost of goods sold (COGS) budget, List B: budgeted COGS
D. List A: planned inventory budget, List B: budgeted inventory
A merchandising organization does not have a production budget. Instead, the production budget is
replaced by a merchandise purchases budget. The basic format of a merchandise purchases budget is
the same as the production budget. Instead of budgeted production in units, the last items in a
merchandise purchases budget are budgeted purchases.
28. Consider the following attributes. Which attribute describes which costing system?
I Can smooth out cost fluctuations in cost per unit

II Can be used to reduce the chance of incorporating past inefficiencies
III Can distort period costs due to items that are only billed in specific periods
A. Attribute I: normal costing; Attribute II: standard costing; Attribute III: actual costing
B. Attribute I: standard costing; Attribute II: normal costing; Attribute IIII: actual costing
C. Attribute I: actual costing; Attribute II: normal costing; Attribute III: standard costing
D. Attribute I: standard costing; Attribute II: actual costing; Attribute III: normal costing
Organizations interested in smoothing out cost fluctuations in cost per unit turn to normal costing.
Standard costing is less likely to incorporate past inefficiencies. Actual costing can distort period costs
due to overhead items such as property taxes that are billed once or twice a year. Overhead costs in
those billing periods would be higher than in other periods.

lOMoARcPSD|28560950
CIA EXAM Part 3
29. A hydraulic press can produce 14 siding panels per hour. One operator can run the machine and
is paid US $20 per hour or US $30 per hour overtime (over 40 hours per week). A second
machine can be rented for a month for US $2,000. Part-time workers are available for the same
rates but add US $1,000 to general overhead for each new hire. Keeping the plant open more
than 40 hours per week adds US $500 to overhead. Which of the following is the most profitable
method of producing 3,360 panels in one four-week month if the panels will sell for a profit of
US $3 per panel?
A. Ask the current operator to work 12-hour shifts all month long on the original press.
B. Indicate that the relevant range of panel productions is 2,240 panels per month and that no
choice for increasing capacity would be cost-effective.
C. Rent a second press, and hire a second operator to work 20 hours per week during the day.
D. Hire a second operator to work 20 hours per week in the evenings on the original press.
Given a 40-hour week and four-week month, one operator can produce 2,240 panels in a month. The
order for 3,360 is 1.5 times this amount, so an extra 80 hours of overtime for one employee would
increase costs by US $2,400 for one month, plus US $500 for the late hours increase in fixed costs equals
US $2,900. The second operator would be paid $1,600 for 80 hours, plus the $1,000 hiring costs, plus
either the $2,000 for the extra press or $500 for the late hours increase is US $4,600 or US $3,100
respectively. Creating an additional 1,120 panels this month will add US $3,360 to profits, less the US
$2,900 in extra costs leaves additional profit of US $460.
SECTION VIII
Chapter A
1. Which is a primary advantage of a multilocal strategy?
A. Relatively higher costs

B. Smaller-scale production
C. More headquarters coordination
D. Differentiation
Products can be differentiated and adapted to local customs and cultures. Smaller-scale production and
higher costs can be a disadvantage. There is more control locally and less coordination with
headquarters.
2. What is a primary advantage of operating with a multinational strategy?
A. Comparative advantage benefits

B. Customization for targeted markets
C. High level of integration
D. Faster development of products

lOMoARcPSD|28560950
CIA EXAM Part 3
Multinational strategy affords cost and quality benefits through comparative advantage. The high level
of integration is a disadvantage. Products are more standardized, but they are not necessarily produced
faster.
3. The following are important to training initiatives in any organization. Which factors are
particular challenges for a global organization?
I Relevant job orientation strategies

II Geographically dispersed locations
III Language and communication barriers
IV Appropriate content and delivery methods
A. I and II only
B. I and IV only
C. II and III only
D. III and IV only
There are greater challenges of communication with geographically dispersed locations and the
corresponding language and communication barriers between cultures.
Chapter B
4. What are key ways that a multinational organization can manage global and local complexities?
I Make use of cultural informants.

II Change the organizational structure.
III Shelter organizational knowledge at headquarters.
IV Minimize use of new technologies.
A. I and II only
B. I and III only
C. II and III only
D. II and IV only
Using cultural informants assists with planning and communication. It may be necessary to change the
organization's formal structure. Knowledge should be shared, and technology maximized, to the extent
possible.
5. While all of the following are necessary for effective teams, which is especially important to
multicultural team management?

lOMoARcPSD|28560950
CIA EXAM Part 3
A. Clear direction
B. Member motivation
C. Proper member selection
D. Effective leadership
A manager must be aware that cultural differences impact motivation and the value individuals place on
incentives and rewards.
6. When initiating international ventures, an organization should consider cultural dimensions to

prevent misunderstandings. Which of the following does not represent a recognized cultural
dimension in a work environment?
A. Power
B. Self-control
C. Masculinity
D. Uncertainty avoidance
Personal mastery or self-control is a personal dimension rather than a cultural one. All of the other
options are cultural dimensions.
7. For a multinational firm, which of the following is a disadvantage of an ethnocentric staffing

policy in which all key management positions are filled by parent-company nationals?
A. It produces resentment among the firm’s employees in host countries.

B. It significantly raises the compensation, training, and staffing costs.
C. It isolates headquarters from foreign subsidiaries.
D. It limits career mobility for parent-country nationals.
When all key management positions are filled by parent-company nationals it often produces
resentment among the firm’s employees in host countries and is the key disadvantage of an
ethnocentric staffing policy.
8. Which of the following represents a significant impediment to merging customer databases

across international boundaries?
A. Taxation issues
B. Response time
C. Privacy regulations
D. Backup and recovery
Country-specific privacy laws can be very stringent about customer data crossing borders. The other
options are not significant impediments.

lOMoARcPSD|28560950
CIA EXAM Part 3
Chapter C
9. Which of the following economic policies will increase the amount of money in circulation and
thus encourage growth by increasing demand?
A. Deregulate industries to remove the costs associated with compliance with regulations.
B. Increase government spending.
C. Raise taxes.
D. Create incentives for businesses to expand production through saving, investment, and
entrepreneurship
Demand-side policies involve manipulating total demand for goods and services in order to affect the
economy’s total output, employment, and inflation. Demand is increased by lowering taxes or increasing
government spending.
10. Which of the following is one of the three main institutions governing the European Union?
A. The European Investment Bank

B. The European Commission
C. The European Directorate General
D. The European Council
The European Commission (EC) is the executive body of the European Union. Alongside the European
Parliament and the Council of the European Union (EU), it is one of the three main institutions governing
the European Union. Its primary roles are to propose and implement legislation, and to guard the
treaties which provide the legal basis for the European Union.
11. Which of the following leading economic indicators would be considered a positive sign for the
gross domestic product (GDP)?
A. Decrease in money supply

B. Decrease in stock market prices
C. Increase in inventory
D. Increase in building permits
An increase in housing starts or building permits is considered a positive sign for the GDP because it
indicates growing confidence on the part of builders that should translate into greater GDP. The other
answers are negative signs for the GDP.

lOMoARcPSD|28560950
CIA EXAM Part 3
12. In a period of continuous upward growth over the last few years and predicted for the
foreseeable future by economists, many politicians talk about sustaining the growth and
keeping the economy always strong through effective policy. These politicians are ignoring
A. lagging economic indicators.

B. leading economic indicators.
C. business cycles.
D. Inflation
The economy tends to move in a series of ups and downs, called business cycles, rather than in a steady
pattern. Business cycles are a regular pattern of expansion (recovery) and contraction (recession)—a
series of gains and slowdowns in the level of economic activity extending over several years that affect
growth, employment, and inflation. On a macroeconomic scale these trends have continued to occur.
Chapter D
13. Antitrust policies generally prohibit which of the following?
A. Nonreciprocal dealing arrangements

B. Trust busting
C. Competitive mergers
D. Price discrimination
Antitrust policies generally prohibit price discrimination, exclusivity that restricts a buyer's ability to buy
from a seller's competitors, reciprocal dealing arrangements, tying arrangements, and anticompetitive
mergers.
14. During an economic crisis in which banks are perceived to be at risk of failure, which of the
following is most likely at risk of being waived or ignored?
A. Antitrust policies
B. Accounting and reporting regulations for securities markets
C. Existing banking regulations
D. Antiracketeering legislation
Antitrust policies generally regulate anticompetitive mergers, but during times of economic crisis, a
merger of two large but currently unprofitable banks could be quickly passed with little oversight.

Iia Part 3 Master Quiz Internal Auditing Techniques and Controlsto Better Reflect Where The Profession

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Iia Part 3 Master Quiz Internal Auditing Techniques and Controlsto Better Reflect Where The Profession

Uploaded by

Copyright:

Available Formats

lOMoARcPSD|28560950

IIA Part 3 Master Quiz - Internal Auditing techniques and

Studocu is not sponsored or endorsed by any college or university

CIA EXAM Part 3

IIA Part 3 Master Quiz

A. Provide whistleblower hotlines for reporting incidents.

2. Which of the following best represents a governance structure?

Operating management is responsible for risk management, executive management is

A. Discuss areas of significant risks.

Quiz Questions and Answers Page 1

Downloaded by Kaan Kayar (exelance331@gmail.com)

CIA EXAM Part 3

C. Support the board in enterprise-wide risk assessment.

4. A board’s role in organizational governance is best described as

A. serve as the focal point.

Quiz Questions and Answers Page 2

Downloaded by Kaan Kayar (exelance331@gmail.com)

CIA EXAM Part 3

C. As part of a routine control evaluation

I. Ethics and values are promoted.

8. Which of the following statements about The International Finance Corporation’s

Quiz Questions and Answers Page 3

Downloaded by Kaan Kayar (exelance331@gmail.com)

CIA EXAM Part 3

9. A realistic outcome of a privacy framework evaluation is

A. assurance of compliance with specific laws and/or standards.

In conducting an evaluation of the privacy framework, Practice Advisory 2130.A1-2 recommends

Chapter C – Corporate Social Responsibility

Quiz Questions and Answers Page 4

Downloaded by Kaan Kayar (exelance331@gmail.com)

CIA EXAM Part 3

Mere adoption of a CSR framework is not sufficient; an organization’s processes must be

1. A chief audit executive is reviewing the following enterprise-wide risk map:

A. Risk B, Risk C, Risk D, Risk A

B. Risk B, Risk C, Risk A, Risk D

C. Risk A, Risk B, Risk C, Risk D

D. Risk D, Risk B, Risk C, Risk A

Quiz Questions and Answers Page 5

Downloaded by Kaan Kayar (exelance331@gmail.com)

CIA EXAM Part 3

D. defining how ERM relates to international best practice frameworks.

Quiz Questions and Answers Page 6

Downloaded by Kaan Kayar (exelance331@gmail.com)

CIA EXAM Part 3

II. Enhances the organizational risk culture

III. Facilitates building a risk management framework from the ground up

IV. Supports effective communications with regulatory agencies

C. I, II, and III only

D. I, II, and IV only

5. In a risk assessment process, if a control objective is to ensure employees protect their

Quiz Questions and Answers Page 7

Downloaded by Kaan Kayar (exelance331@gmail.com)

CIA EXAM Part 3

6. In a risk assessment process regarding the possibility of management override of controls to

A. Management turnover levels

B. Complexity of accounting methods

C. Harm to the firm's reputation

D. Loose ethical standards set at the top

A. pay little attention to the risk.

B. mitigate the risk with insurance or a backup plan.

C. prevent the risk.

D. contain and control the risk.

A. contain and control the risk.