*CIA Part 1 case-based MCQs* covering Internal Audit Foundation, Charter, Ethics, IC, Governance, Risk, AIS, Fraud. Each has the IMA/IIA "trigger point" explanation.
*Topic 1: Audit Charter & Mandate*
*Case*: New CAE joins. Audit committee asks IA to perform due diligence on a merger target. Charter only mentions “assurance & consulting on risk, control, governance.” No mention of M&A. CFO says “IA must do it, you report to me.”
*Q*: What should CAE do first?
A. Accept engagement to maintain relationship with CFO
B. Decline because M&A is outside IA scope
C. Review charter with audit committee to confirm mandate and independence
D. Accept if additional budget is provided
*Answer:
*Trigger*:
---
*Topic 2: Internal Audit Effectiveness - Independence*
*Case*: IA department budget is approved by CFO. CAE’s bonus is 30% based on cost savings identified by IA. CFO can reassign CAE to other projects.
*Q*: Which condition most impairs IA independence?
A. Budget approved by CFO
B. Bonus tied to findings
C. CFO can reassign CAE
D. All equally impair
*Answer
---
*Topic 3: Ethics - IIA Code*
*Case*: Internal auditor finds control gap in procurement. Vendor is auditor’s brother-in-law. Auditor discloses to CAE and recuses from audit. CAE assigns auditor to review vendor’s invoices anyway because “you know the process best.”
*Q*: Which IIA Code principle is violated?
A. Integrity
B. Objectivity
C. Confidentiality
D. Competency
*Answer:
*Topic 4: Internal Control - COSO Components*
*Case*: Company has code of conduct, whistleblower hotline, auth limits, and quarterly board review of IA reports. Cashier can approve & record & reconcile bank.
*Q*: Which COSO component is deficient?
A. Control Environment q
B. Control Activities
C. Information & Communication
D. Monitoring
*Answer:
---
*Topic 5: IC Limitations - Collusion*
*Case*: Warehouse requires 2 signatures to release goods >$10K. Investigation finds storekeeper + security guard colluded: one signs, other removes goods. Loss $200K.
*Q*: What IC limitation is shown?
A. Human error
B. Management override
C. Collusion
D. Cost/benefit
*Answer
*Topic 6: Governance - 3 Lines Model*
*Case*: 1st line: Ops mgmt owns risks. 2nd line: Compliance writes policy. 3rd line: IA audits. CFO asks IA to design new AP control then audit it next quarter.
*Q*: What governance principle is violated?
A. First line accountability
B. Second line independence
C. Third line independence
D. No violation if documented
*Answer
*Topic 7: Risk Universe vs Risk Assessment*
*Case*: CAE presents audit plan. Board asks “How do you know you covered all key risks?” CAE shows risk universe with 200 risks from ERM, regulatory, strategic, ops. Plan covers 25 audits.
*Q*: What links universe to plan?
A. Risk Matrix
B. Risk Assessment
C. Heat Map
D. Audit Charter
*Answer:
*Topic 8: Heat Map - Interpretation*
*Case*: Heat map shows Cyber Risk: Likelihood = 4/5, Impact = 5/5 = Red. Supply Chain Risk: L=2/5, I=5/5 = Yellow. Mgmt spends 80% of budget on supply chain.
*Q*: What does heat map indicate about resource allocation?
A. Aligned with risk
B. Misaligned, cyber needs more resources
C. Misaligned, supply chain over-funded
D. B & C are correct
*Answer
*Topic 9: AIS - Application Controls*
*Case*: Payroll system: 1. Input rejects hours >24/day. 2. System calculates OT automatically. 3. Exception report for net pay variance >10% vs last month.
*Q*: Which is a processing control?
A. 1 only
B. 2 only
C. 3 only
D. 1 & 3 only
*Answer:
*Topic 10: Fraud Risk - Fraud Triangle*
*Case*: AR clerk has gambling debt (pressure), can issue credit memos without approval (opportunity), believes “company owes me” (rationalization). $80K credit memos issued to fake customers.
*Q*: Which element of fraud triangle is “can issue without approval”?
A. Pressure
B. Opportunity
C. Rationalization
D. Detection
*Answer:
---
*Topic 11: Risk Logs vs Risk Register*
*Case*: During audit, PM says “We tracked that vendor delay risk in the project risk log and closed it.” IA finds no entry in ERM risk register. Risk reoccurred.
*Q*: What control gap exists?
A. No risk assessment
B. No integration between project log & ERM register
C. No heat map
D. No risk appetite
*Answer:
---
*Topic 12: Assurance vs Consulting - Nature of Work*
*Case*: Audit committee asks IA to: 1. Test if new vendor payments comply with policy. 2. Facilitate workshop to design better vendor onboarding.
*Q*: Classify 1 & 2.
A. Both assurance
B. Both consulting
C. 1=Assurance, 2=Consulting
D. 1=Consulting, 2=Assurance
*Answer:
---
*CIA Part 1 Trigger Points Summary*
Topic If you see... Think...
**Charter** “CFO told IA to…” Check audit committee mandate
**Independence** Bonus tied to findings Self-interest threat
**Objectivity** Related party + still on audit Disclosure ≠ cure
**SOD** 1 person does 2+ of Auth/Custody/Record Control Activities fail
**3 Lines** IA designs control it will audit 3rd line violation
**Heat Map** Red risk gets less budget than yellow Misalignment
**Fraud Triangle** “Can override, no approval” Opportunity = IA’s focus
**Assurance vs Consulting** “Test compliance” vs “help design” Assessment vs Advice
www.gmsisuccess.in
*CIA Part 1 Tricky MCQs - Batch 1 of 5*
*Q1: Audit Charter - Approval Authority*
*Case*: CAE drafts new audit charter expanding scope to include ESG audits. CEO approves and signs it. Audit committee not consulted.
*Q*: Is the charter valid per IIA Standards?
A. Yes, CEO is highest executive
B. No, board/audit committee must approve charter
C. Yes, if CAE agrees
D. No, IIA must approve
*Answer:
*Q2: Mission of Internal Audit*
*Case*: CAE tells staff: “Our mission is to find fraud and report to audit committee.” Charter says: “Enhance and protect organizational value by providing risk-based assurance, advice, insight.”
*Q*: What is wrong with CAE’s statement?
A. Nothing, fraud is key
B. Mission excludes consulting
C. Mission excludes objectivity
D. Mission is too narrow vs IIA definition
*Answer:
*Q3: Independence - Functional vs Administrative Reporting*
*Case*: CAE reports functionally to CFO for pay/promotion and administratively to audit committee for audit plan.
*Q*: What Standard is violated?
A. 1100 – Independence
B. 1110 – Organizational Independence
C. 1120 – Objectivity
D. 1130 – Impairments
*Answer:
*Q4: Objectivity Impairment - Cooling Off*
*Case*: New auditor transferred from AP dept last month. CAE assigns auditor to audit AP controls because “you know the area.”
*Q*: What does IIA require?
A. Ok if disclosed
B. Prohibited for 1 year per 1130.A1
C. Ok if supervised
D. Prohibited forever
*Answer:
*Q5: Ethics - Confidentiality*
*Case*: During lunch, IA shares with friend in Sales: “We’re auditing your bonus calc next month, better clean up those spreadsheets.”
*Q*: Which Code principle violated?
A. Integrity
B. Objectivity
C. Confidentiality
D. Competency
*Answer:
*Q6: COSO - 5 Components vs 17 Principles*
*Case*: Co has: 1. Tone at top, 2. Risk assessment process, 3. Auth limits, 4. IT reports, 5. IA audits. Auditor says “We cover all 5 COSO components.”
*Q*: Is this sufficient for COSO compliance?
A. Yes, 5 components covered
B. No, must cover 17 principles
C. Yes, if documented
D. No, need external audit
*Answer:
*Q7: IC Limitation - Management Override*
*Case*: Policy: All wires >$50K need dual approval. CEO emails treasury: “Send $200K now, I’ll sign later. Board deal.” Treasury complies.
*Q*: What IC limitation occurred? What should IA report?
A. Collusion; recommend terminate treasury
B. Management override; control design ok, operation failed
C. Human error; need training
D. No limitation, CEO has authority
*Answer:
*Q8: Governance - Accountability*
*Case*: Board delegated risk oversight to audit committee. Audit committee delegated to CRO. CRO delegated to risk manager. Loss occurs. Who is accountable?
*Q*: Per governance principles?
A. Risk manager
B. CRO
C. Audit committee
D. Board
*Answer:
*Q9: Risk Universe - Completeness*
*Case*: ERM risk universe built from finance + operations interviews only. Cyber breach occurs. Risk was not in universe. CAE says “Not IA’s fault, ERM owns universe.”
*Q*: What is IA’s responsibility per Standard 2120?
A. None, ERM owns universe
B. Evaluate adequacy of risk mgmt process, including completeness
C. Create risk universe
D. Only audit risks in plan
*Answer:
*Q10: Heat Map - Residual vs Inherent Risk*
*Case*: Heat map shows “Cyber” as Yellow = Medium. Footnote: “After controls.” Inherent was Red. Mgmt says “We’re medium risk now.” Audit finds key control not operating.
*Q*: What should heat map show?
A. Keep as Yellow, controls designed
B. Move to Red until controls tested effective
C. Remove from map
D. Show both inherent and residual
*Answer:
*Batch 2: Q11-20*
*Q11: Risk Log - Aging*
*Case*: Project risk log: “Vendor bankruptcy” identified Day 1, probability Low. Day 90, vendor files Ch.11. Log still shows Low, no mitigation.
*Q*: What risk process failed?
A. Risk identification
B. Risk assessment update
C. Risk response
D. Risk monitoring
*Answer:
*Q12: Control Application - Preventive vs Detective*
*Case*: System auto-blocks invoice if PO > invoice tolerance 5%. Monthly report lists all overrides.
*Q*: Classify each control.
A. Both preventive
B. Block = preventive, Report = detective
C. Both detective
D. Block = detective, Report = preventive
*Answer
*Q13: AIS - IT General Controls vs Application Controls*
*Case*: Finding: “Programmers have access to production to fix bugs faster.”
*Q*: What type of control deficiency?
A. Application control
B. IT General Control - Program Change
C. Input control
D. No deficiency if logged
*Answer:
*Q14: Fraud Risk - Pressures*
*Case*: Sales team: 90% of comp is commission, quarter-end target missed 3x, VP says “No bonus unless we hit target, jobs at risk.”
*Q*: What fraud risk factor is highest?
A. Opportunity
B. Rationalization
C. Pressure/Incentive
D. Capability
*Answer:
*Q15: Fraud Risk Assessment - Standard 2120.A2*
*Case*: Annual audit plan has no fraud-specific procedures. CAE says “External audit covers fraud, we focus on ops.”
*Q*: Does this comply with IIA Standards?
A. Yes, external audit has responsibility
B. No, IA must evaluate fraud risk mgmt per 2120.A2
C. Yes, if audit committee agrees
D. No, IA must investigate fraud
*Answer
*Q16: Data Analytics - Completeness Test*
*Case*: IA gets AP data from ERP. Uses SUM of invoices to tie to G/L. Ties exactly. Concludes data complete.
*Q*: What risk remains?
A. None, tied to G/L
B. Invoices outside ERP not captured
C. Accuracy not tested
D. Both B & C
*Answer:
*Q17: Assurance vs Consulting - Impairment*
*Case*: IA facilitates control design workshop for new process. Next year, IA audits same process.
*Q*: Is independence impaired?
A. Yes, always
B. No, if safeguards met per 1130.C1
C. Yes, must wait 2 years
D. No, consulting never impairs
*Answer:
*Q18: Internal Control - Manual vs Automated*
*Case*: Control: “Clerk reviews all invoices >$5K for approval.” IA finds clerk reviews 2,000/month, 5 errors/month. IT offers auto 3-way match.
*Q*: Why is automated better?
A. Cheaper only
B. More consistent, less human error
C. Easier to override
D. Not better, manual has judgment
*Answer:
*Q19: Risk Appetite vs Tolerance*
*Case*: Board: “We will not accept any cyber breach.” CISO: “We budget for 2 incidents/year <$100K each.”
*Q*: Which statement is risk appetite vs tolerance?
A. Board = tolerance, CISO = appetite
B. Board = appetite, CISO = tolerance
C. Both appetite
D. Both tolerance
*Answer:
*Q20: Ethics - Competency*
*Case*: CAE assigns IT auditor to review complex derivative valuation. Auditor has no derivatives training but “will learn on job.”
*Q*: What Code principle at risk?
A. Integrity
B. Objectivity
C. Confidentiality
D. Competency
*Answer:
---
Here are *Q21-Q50: Next 30 tricky CIA Part 1 MCQs* with case, answer, trigger point.
---
*CIA Part 1 Tricky MCQs - Batch 3: Q21-30*
*Q21: Audit Evidence - Sufficiency vs Appropriateness*
*Case*: Auditor tests 500 invoices, all from January, all under $100. Concludes “AP controls effective all year.”
*Q*: What audit evidence problem exists?
A. Not sufficient
B. Not appropriate - not relevant/reliable
C. Both A & B
D. No problem, large sample
*Answer:
*Q22: Sampling - Statistical vs Judgmental*
*Case*: Population 10,000 items. Auditor haphazardly picks 50 “that look risky.” Finds 0 errors. Concludes “error rate <1%.”
*Q*: Can auditor project to population?
A. Yes, 0/50 = 0%
B. No, judgmental sample can’t be projected statistically
C. Yes, if approved by CAE
D. No, sample too small
*Answer:
*Q23: CAATs - Parallel Simulation*
*Case*: IA re-performs AP 3-way match in IDEA using raw data. Results differ from production system.
*Q*: What CAAT is this? What does difference indicate?
A. Test data; program error
B. Parallel simulation; production logic error or data issue
C. Embedded audit module; fraud
D. Integrated test facility; no issue
*Answer:
*Q24: ERM - COSO ERM vs ISO 31000*
*Case*: Risk mgr says “We follow ISO 31000 so we don’t need risk appetite statement.”
*Q*: Is this correct?
A. Yes, ISO 31000 prohibits appetite
B. No, both frameworks require risk appetite/criteria
C. Yes, only COSO ERM needs appetite
D. No, ISO 31000 is not ERM framework
*Answer:
*Q25: COSO Principle 10 - Selects & Develops Control Activities*
*Case*: Company has manual approvals for all transactions. No automated controls. Many errors.
*Q*: Which COSO principle is deficient?
A. Principle 6 – Specifies objectives
B. Principle 10 – Selects control activities including automation
C. Principle 12 – Deploys through policies
D. Principle 16 – Performs evaluations
*Answer:
*Q26: ITGC - Logical Access - Least Privilege*
*Case*: All accountants have SAP_ALL to “cover vacations.” IT says “We trust them.”
*Q*: What ITGC principle violated? What’s the risk?
A. Change mgmt; unauthorized changes
B. Least privilege; broad fraud/error risk
C. Backup; data loss
D. Physical security; theft
*Answer:
*Q27: ITGC - Program Change Management*
*Case*: Developer fixes bug directly in production on Friday night. Documents change Monday. No testing, no approval.
*Q*: What controls failed?
A. Physical security
B. Change management - approval, testing, separation
C. Backup
D. Logical access
*Answer:
*Q28: Backup & Recovery - RTO vs RPO*
*Case*: System crashes. Last backup 24h ago. Takes 6 hours to restore. Mgmt says “We can lose 1 day data, but must be up in 2 hours.”
*Q*: Which metric failed? What is RTO vs RPO?
A. RTO failed; RTO=2h, RPO=24h
B. RPO failed; RTO=6h, RPO=1d
C. Both failed; RTO=2h, RPO=0
D. No failure, within tolerance
*Answer:
*Q29: Fraud Scheme - Lapping*
*Case*: AR clerk steals customer A check, covers with customer B check next day, covers B with C, etc. Month-end aging looks normal.
*Q*: What detective control best finds lapping?
A. Bank reconciliation
B. Review AR aging by customer, compare to deposits
C. Confirm receivables
D. Both B & C
*Answer:
*Q30: Whistleblower - Anti-Retaliation*
*Case*: Employee reports VP fraud via hotline. Next week employee gets poor review + demoted. HR says “Unrelated performance.”
*Q*: What governance risk exists? What should IA do?
A. No risk if HR documented
B. Retaliation risk, chills future reporting; IA should test hotline process
C. Only legal issue, not IA
D. Retaliation ok if fraud unproven
*Answer:
---
*Batch 4: Q31-40*
*Q31: Audit Reporting - Condition, Criteria, Cause, Effect, Recommendation*
*Case*: Finding: “3 invoices paid twice, $15K. Should not happen. Fix it.”
*Q*: What elements missing per Standard 2410?
A. Criteria, Cause
B. Cause, Effect, Recommendation
C. Criteria, Cause, Effect
D. All 5Cs present
*Answer:
*Q32: Follow-up - Standard 2500*
*Case*: IA issued 10 findings. Mgmt agreed to all, due dates passed. IA has not followed up 6 months later. New audit starts.
*Q*: What Standard violated?
A. 2400 – Communicating Results
B. 2500 – Monitoring Progress
C. 2600 – Communicating Risk Acceptance
D. None, mgmt owns remediation
*Answer:
*Q33: QAIP - Internal vs External Assessment*
*Case*: QAIP includes annual self-assessment by CAE. No external assessment in 7 years. CAE says “Self-assessment is enough.”
*Q*: Does this comply with Standard 1312?
A. Yes, self-assessment meets QAIP
B. No, external assessment required every 5 years
C. Yes, if audit committee approves
D. No, external needed every 3 years
*Answer:
*Q34: Risk Assessment - Inherent vs Control vs Detection Risk*
*Case*: Audit plan prioritizes areas with weak controls. Board asks “Why not audit high inherent risk areas with strong controls?”
*Q*: Best response?
A. Strong controls mean low audit risk, skip
B. High inherent risk + strong controls = still test due to detection risk + control could fail
C. Agree, remove from plan
D. Audit only fraud risks
*Answer
*Q35: Consulting Engagement - Objectivity Safeguards*
*Case*: IA facilitates risk workshop, recommends specific control. Mgmt implements. 2 years later IA audits it.
*Q*: Is objectivity impaired?
A. Yes, always if IA recommended
B. No, if >12 months passed + disclosed + no mgmt decision made by IA
C. Yes, need 3 years
D. No, consulting never impairs
*Answer:
*Q36: COSO Principle 13 - Uses Relevant Information*
*Case*: Mgmt decisions based on Excel with manual data entry, no validation, 10 tabs linked. Errors frequent.
*Q*: Which principle deficient?
A. P11 – Selects general IT controls
B. P13 – Uses relevant, quality information
C. P14 – Communicates internally
D. P17 – Evaluates & communicates deficiencies
*Answer:
*Q37: Fraud Triangle - Rationalization*
*Case*: Employee steals inventory. Says “Company is insured, no one gets hurt. They underpay me anyway.”
*Q*: Which element? Why can IA least control this?
A. Pressure; IA can’t control personal debt
B. Opportunity; IA can’t control org structure
C. Rationalization; IA can’t control personal ethics
D. Capability; IA can’t control skills
*Answer:
*Q38: AIS - Input Controls - Field Check*
*Case*: Date field accepts “2026-02-30”.
*Q*: What input control failed?
A. Existence check
B. Reasonableness check
C. Validity check
D. Format check
*Answer:
*Q39: Governance - Board Committees*
*Case*: Company has no audit committee. Board has 5 members: CEO, CFO, COO, Sales VP, HR VP. CAE reports to CFO.
*Q*: What governance deficiency exists?
A. No deficiency if board active
B. No independent directors, no audit committee = independence impaired
C. CAE should report to CEO
D. Need more board members
*Answer:
*Q40: Risk Matrix - Qualitative vs Quantitative*
*Case*: Risk matrix: Impact = “High, Med, Low”. One manager says “My project loss is $10M, that’s High.” Another: “My $10M loss is Medium, we’re bigger.”
*Q*: What’s the problem with matrix?
A. No problem, judgment ok
B. Lack of quantitative criteria/definition
C. Should use colors only
D. Should use numbers 1-5 only
*Answer:
---
*Batch 5: Q41-50*
*Q41: Control Self-Assessment CSA*
*Case*: IA facilitates workshop where mgmt identifies risks & controls. Mgmt signs off “controls effective.” IA issues audit report “controls effective” without testing.
*Q*: Is this acceptable per Standards?
A. Yes, CSA is sufficient evidence
B. No, CSA ≠ audit evidence, must test
C. Yes, if mgmt competent
D. No, CSA prohibited
*Answer:
*Q42: Embedded Audit Module*
*Case*: IT installs code in ERP to flag >$100K invoices to log file for IA. Runs continuously.
*Q*: What CAAT is this? Benefit?
A. Parallel simulation; point-in-time
B. Embedded audit module/EAM; continuous monitoring
C. Test data; design test
D. ITF; periodic
*Answer:
*Q43: Fraud - Kiting*
*Case*: Company transfers $100K from Bank A to Bank B on Dec 31, records deposit in B but not withdrawal in A until Jan 2. Cash overstated $100K at year-end.
*Q*: What fraud scheme? Best detection?
A. Lapping; AR aging
B. Kiting; bank transfer schedule + cutoff bank statements
C. Channel stuffing; sales cut-off
D. Bill & hold; inventory count
*Answer:
*Q44: COSO Principle 8 - Considers Fraud Risk*
*Case*: Risk assessment covers ops, compliance, reporting risks. No fraud risks listed. Mgmt says “External audit covers fraud.”
*Q*: What COSO principle gap?
A. P6 – Specifies objectives
B. P7 – Identifies risks
C. P8 – Considers potential for fraud
D. P9 – Identifies changes
*Answer:
*Q45: Ethics - Competency - Due Professional Care*
*Case*: Auditor tests 5 items, standard says 25. Concludes “no issues.” Working papers show no sampling rationale.
*Q*: What violated?
A. Integrity
B. Objectivity
C. Confidentiality
D. Competency & Due Professional Care 1220
*Answer:
*Q46: Risk Appetite - Zero Tolerance*
*Case*: Policy: “Zero tolerance for safety incidents.” Plant has 2 minor injuries, no lost time. VP not reported to board per policy.
*Q*: What issue with “zero tolerance” statement?
A. None, good tone
B. Unrealistic, causes non-reporting
C. Should say “low tolerance”
D. B & C
*Answer:
*Q47: AIS - Output Controls*
*Case*: Payroll report distributed to all managers shows employee SSNs and pay rates.
*Q*: What control failed?
A. Input control
B. Processing control
C. Output control - distribution/security
D. ITGC - change mgmt
*Answer:
*Q48: Governance - Whistleblower Hotline Ownership*
*Case*: Hotline administered by HR. HR investigates all complaints including HR fraud. Reports to CEO.
*Q*: What governance best practice violated?
A. None, HR owns people issues
B. Hotline should be independent, not investigated by subject of complaint
C. Should report to audit committee, not CEO
D. Both B & C
*Answer:
*Q49: Internal Control - Compensating Control*
*Case*: SOD not possible in small branch: 1 person does all cash. Mgmt installs camera + daily remote review of tape + surprise counts.
*Q*: What type of control is this?
A. Preventive
B. Detective
C. Compensating
D. Corrective
*Answer:
*Q50: Audit Charter - Access to Records*
*Case*: Auditee refuses IA access to legal files: “Attorney-client privilege, charter doesn’t override law.”
*Q*: Is auditee correct? What should CAE do?
A. Auditee correct, drop request
B. Charter grants access, but privilege may limit; escalate to audit committee + legal
C. CAE can force access
D. Subpoena records
*Answer:
www.gmsisuccess.in
