✅ DOMAIN 1 – FOUNDATIONS OF INTERNAL AUDITING (35%)

50 Scenario-Based, Tricky & Exam-Style MCQs

1. Independence

1. The CAE reports administratively to the COO and functionally to the audit committee. During an audit of operations, the COO pressures the CAE to delay issuing the final report. What is MOST appropriate?
A. Delay the report because operational matters fall under the COO.
B. Inform the audit committee about the pressure.
C. Remove the COO’s comments and issue the report immediately.
D. Escalate to external auditors.
Answer:

2. Objectivity

2. An internal auditor previously worked in the procurement department two years ago. He is assigned to audit procurement this year. What should he do?
A. Proceed normally.
B. Refuse the assignment due to impairment.
C. Disclose the prior role and accept if CAE approves.
D. Perform only consulting services.
Answer:

3. Mandatory Guidance

3. Which element of the IPPF is mandatory?
A. Practice Guides
B. Code of Ethics
C. Supplemental Guidance
D. Position Papers
Answer:

4. Mission of Internal Audit

4. An audit team only reports control weaknesses but does not evaluate organizational value creation. What IPPF element is violated?
A. Core Principles
B. Mission of Internal Audit
C. Implementation Guidance
D. Performance Standards
Answer:

5. Core Principles

5. An audit report is technically accurate but delivered 4 months late, reducing management acceptance. Which Core Principle is violated?
A. Objectivity
B. Standards
C. Timeliness & Quality
D. Adds value & improves operations
Answer:

6. Governance

6. Who is primarily responsible for establishing governance processes?
A. Internal audit
B. CAE
C. Senior management
D. Board
Answer:

7. Governance Failures

7. During an audit, the internal auditor notices that whistleblowing cases are not reviewed for months. What should IA do first?
A. Report immediately to regulators.
B. Discuss with management responsible for governance.
C. Inform the board directly.
D. Investigate the cases themselves.
Answer:

8. Three Lines Model

8. Who owns controls in the Three Lines Model?
A. Internal Audit (Third Line)
B. External Audit
C. Management (First Line)
D. Audit Committee
Answer:

9. Board Responsibilities

9. The board requests internal audit to approve risk appetite. Is this appropriate?
A. Yes – IA has risk expertise.
B. No – setting risk appetite is management’s role.
C. Yes, if CAE signs only after consulting management.
D. Allowed only if noted in audit charter.
Answer:

10. Charter Requirements

10. Who must approve the internal audit charter?
A. CAE only
B. CEO and CFO
C. Board
D. External auditors
Answer:

11. Organizational Independence

11. The CAE’s performance appraisal is conducted solely by the CFO. What risk arises?
A. Fraud
B. Independence impairment
C. Inefficient audit planning
D. Conflict with HR
Answer:

12. Internal Audit Plan

12. The CAE prepares the annual audit plan but excludes new IT systems because management says they are not risky. What should CAE do?
A. Accept management’s decision
B. Include IT risks based on IA’s own assessment
C. Ask external audit
D. Perform only consulting activities
Answer:

13. Assurance vs Consulting

13. A department asks internal audit to design controls for a new system. What is allowed?
A. IA can design controls fully.
B. IA cannot give any advice.
C. IA can advise but cannot make decisions.
D. IA must decline completely.
Answer:

14. Resource Management

14. CAE identifies lack of cybersecurity expertise in the team. What is the BEST action?
A. Cancel cybersecurity audits.
B. Outsource or co-source.
C. Rotate staff internally.
D. Report to HR only.
Answer:

15. Proficiency

15. An auditor is assigned to audit a financial derivative valuation model but lacks expertise. The auditor should:
A. Learn quickly and continue.
B. Perform the audit anyway.
C. Decline or request expert support.
D. Skip testing complex areas.
Answer:

16. Due Professional Care

16. During fieldwork, an auditor identifies a red flag of fraud but lacks evidence. What should they do?
A. Report fraud immediately
B. Ignore because evidence is limited
C. Extend testing based on risk
D. Transfer case to HR
Answer:

17. Fraud Responsibility

17. Internal audit is reviewing an inventory theft case. Who is responsible for detecting fraud?
A. Internal audit
B. Every employee / management
C. External audit
D. Legal department
Answer:

18. Engagement Objectives

18. Engagement objectives must align MOST with:
A. Audit budget
B. Management preferences
C. Risk assessment
D. Auditor experience
Answer:

19. Planning

19. An auditor reviews prior audit reports before planning a new audit. Which standard is applied?
A. 1210
B. 2120
C. 2200
D. 2410
Answer:

20. Risk Management Evaluation

20. IA notes that management identifies risks but does not document mitigation measures. IA should:
A. Document risk appetite
B. Provide assurance on risk processes
C. Create mitigation plans
D. Report only to CEO
Answer:

21. Internal Control

21. IA observes that management performs controls inconsistently. Which COSO component is weak?
A. Monitoring
B. Control Environment
C. Control Activities
D. Information & Communication
Answer:

22. Control Environment Weakness

22. Employees fear retaliation for reporting issues. Which is affected?
A. Control activities
B. Governance
C. Ethical culture
D. Risk tolerance
Answer:

23. CAE Communication

23. The CEO wants to remove a finding from the draft report. CAE should:
A. Remove it
B. Inform audit committee
C. Delay reporting
D. Reduce severity
Answer:

24. Quality Assurance (QAIP)

24. External quality assessment must be performed:
A. Annually
B. Every 5 years
C. Every 3 years
D. Optional
Answer:

25. Non-conformance

25. If IA does not fully comply with Standards, what must occur?
A. Stop audits
B. Disclose non-conformance
C. Hire more auditors
D. Reset charter
Answer:

26. Reporting Results

26. Who approves the final audit report?
A. CAE
B. Board
C. Process owner
D. Audit team
Answer:

27. Engagement Supervision

27. Supervision ensures:
A. Recommendations are mandatory
B. Work meets objectives
C. Management cannot challenge findings
D. Auditors work independently
Answer:

28. Document Retention

28. Working papers should support:
A. Auditor opinions
B. CAE job evaluation
C. External audit reliance
D. Risk register
Answer:

29. Communication Quality

29. An audit report is technically correct but unclear. It violates:
A. Accuracy
B. Objectivity
C. Clarity
D. Finality
Answer:

30. Follow-Up

30. Follow-up is required for:
A. All findings
B. Only high-risk findings
C. Only management requests
D. Only consulting results
Answer:

31. Ethical Dilemma

31. An auditor is offered a gift during fieldwork. Best action?
A. Accept if below monetary threshold
B. Decline and disclose
C. Accept and inform CAE
D. Accept privately
Answer:

32. Disclosing Impairment

32. Auditor’s spouse works in the audited department. What should auditor do first?
A. Decline assignment
B. Continue normally
C. Disclose to CAE
D. Investigate spouse’s work
Answer:

33. Confidentiality

33. A former employee asks about findings in the audit report. Auditor must:
A. Provide summary
B. Provide report if they were responsible
C. Decline
D. Provide report after approval from management
Answer:

34. Engagement Scope

34. Scope changes during audit due to new risk. Auditor should:
A. Ignore changes
B. Modify engagement objectives
C. Stop audit
D. Continue with old plan
Answer:

35. Consulting Engagement

35. IA is asked to facilitate a risk workshop. This is:
A. Prohibited
B. Assurance service
C. Consulting service
D. Governance action
Answer:

36. Assessing Culture

36. IA notices employees bypass controls due to pressure for deadlines. This indicates:
A. Fraud
B. Poor control environment
C. Good efficiency
D. Appropriate risk appetite
Answer:

37. Governance Oversight

37. Audit committee asks IA to evaluate board performance. IA should:
A. Decline
B. Outsource
C. Perform assessment carefully
D. Only review documentation
Answer:

38. Rotation

38. To maintain objectivity, auditor rotation is recommended when:
A. Auditor likes the process
B. Auditor has audited same area for years
C. Budget cuts occur
D. Findings are repetitive
Answer:

39. Red Flags

39. During AP audit, an auditor finds multiple vendor accounts with similar bank details. Auditor should:
A. Report fraud immediately
B. Gather more evidence
C. Ignore
D. Delete vendors
Answer:

40. Root Cause Analysis

40. Repeated control failures mostly relate to:
A. Symptoms
B. Root causes
C. Audit report format
D. Ethical standards
Answer:

41. Workpaper Review

41. Manager reviewing workpapers must check:
A. Grammar
B. Evidence supports conclusions
C. Auditor handwriting
D. Location of files
Answer:

42. Assurance Engagement

42. Who determines the level of assurance?
A. Auditor
B. CAE
C. Management
D. Audit committee
Answer:

43. Conflict of Interest

43. An auditor owns shares in a company that is a major supplier. What is required?
A. Sell shares
B. Transfer auditor
C. Disclose & avoid the engagement
D. Ignore because minor issue
Answer:

44. Continuous Auditing

44. Continuous monitoring is responsibility of:
A. IA
B. Management
C. Board
D. External auditors
Answer:

45. Continuous Assurance

45. Continuous auditing focuses on:
A. Real-time monitoring
B. Financial statements
C. HR activities only
D. Bypassing controls
Answer:

46. Consulting Independence

46. After providing consulting, IA must ensure:
A. They do not audit that area
B. They audit after 3 months
C. Consulting does not impair future assurance
D. No recommendations are given
Answer:

47. Escalation

47. Serious risk not addressed by management must be reported to:
A. CFO
B. Audit committee
C. Process owners
D. HR
Answer:

48. Fraud Investigation

48. IA is asked to perform fraud investigation. IA should:
A. Decline always
B. Perform investigation if competent
C. Transfer to external audit
D. Outsource completely
Answer:

49. IT Controls

49. IA finds privileged access granted without approval. This is weakness in:
A. Change management
B. Logical access controls
C. Governance
D. Physical security
Answer:

50. Alignment with Strategy

50. IA should evaluate whether governance:
A. Focuses on short-term profits
B. Aligns objectives, values, and performance
C. Avoids risks completely
D. Delegates all responsibility to auditors
Answer:

www.gmsisuccess.in

ANSWERS....

50 Challenging & Scenario-Based MCQs on Domain 1 – Foundations of Internal Auditing (35%), fully aligned with the 2025 Revised CIA Part 1 syllabus.

Each question includes A–D options and correct answers with explanations.

✅ DOMAIN 1 – FOUNDATIONS OF INTERNAL AUDITING (35%)

50 Scenario-Based, Tricky & Exam-Style MCQs

1. Independence

2. Objectivity

3. Mandatory Guidance

3. Which element of the IPPF is mandatory?
A. Practice Guides
B. Code of Ethics
C. Supplemental Guidance
D. Position Papers
Answer: B

4. Mission of Internal Audit

5. Core Principles

6. Governance

6. Who is primarily responsible for establishing governance processes?
A. Internal audit
B. CAE
C. Senior management
D. Board
Answer: C

7. Governance Failures

8. Three Lines Model

8. Who owns controls in the Three Lines Model?
A. Internal Audit (Third Line)
B. External Audit
C. Management (First Line)
D. Audit Committee
Answer: C

9. Board Responsibilities

10. Charter Requirements

10. Who must approve the internal audit charter?
A. CAE only
B. CEO and CFO
C. Board
D. External auditors
Answer: C

11. Organizational Independence

11. The CAE’s performance appraisal is conducted solely by the CFO. What risk arises?
A. Fraud
B. Independence impairment
C. Inefficient audit planning
D. Conflict with HR
Answer: B

12. Internal Audit Plan

13. Assurance vs Consulting

14. Resource Management

15. Proficiency

16. Due Professional Care

17. Fraud Responsibility

17. Internal audit is reviewing an inventory theft case. Who is responsible for detecting fraud?
A. Internal audit
B. Every employee / management
C. External audit
D. Legal department
Answer: B

18. Engagement Objectives

18. Engagement objectives must align MOST with:
A. Audit budget
B. Management preferences
C. Risk assessment
D. Auditor experience
Answer: C

19. Planning

19. An auditor reviews prior audit reports before planning a new audit. Which standard is applied?
A. 1210
B. 2120
C. 2200
D. 2410
Answer: C – Engagement Planning

20. Risk Management Evaluation

21. Internal Control

22. Control Environment Weakness

22. Employees fear retaliation for reporting issues. Which is affected?
A. Control activities
B. Governance
C. Ethical culture
D. Risk tolerance
Answer: C

23. CAE Communication

23. The CEO wants to remove a finding from the draft report. CAE should:
A. Remove it
B. Inform audit committee
C. Delay reporting
D. Reduce severity
Answer: B

24. Quality Assurance (QAIP)

24. External quality assessment must be performed:
A. Annually
B. Every 5 years
C. Every 3 years
D. Optional
Answer: B

25. Non-conformance

25. If IA does not fully comply with Standards, what must occur?
A. Stop audits
B. Disclose non-conformance
C. Hire more auditors
D. Reset charter
Answer: B

26. Reporting Results

26. Who approves the final audit report?
A. CAE
B. Board
C. Process owner
D. Audit team
Answer: A

27. Engagement Supervision

27. Supervision ensures:
A. Recommendations are mandatory
B. Work meets objectives
C. Management cannot challenge findings
D. Auditors work independently
Answer: B

28. Document Retention

28. Working papers should support:
A. Auditor opinions
B. CAE job evaluation
C. External audit reliance
D. Risk register
Answer: A

29. Communication Quality

29. An audit report is technically correct but unclear. It violates:
A. Accuracy
B. Objectivity
C. Clarity
D. Finality
Answer: C

30. Follow-Up

30. Follow-up is required for:
A. All findings
B. Only high-risk findings
C. Only management requests
D. Only consulting results
Answer: A

31. Ethical Dilemma

31. An auditor is offered a gift during fieldwork. Best action?
A. Accept if below monetary threshold
B. Decline and disclose
C. Accept and inform CAE
D. Accept privately
Answer: B

32. Disclosing Impairment

32. Auditor’s spouse works in the audited department. What should auditor do first?
A. Decline assignment
B. Continue normally
C. Disclose to CAE
D. Investigate spouse’s work
Answer: C

33. Confidentiality

34. Engagement Scope

34. Scope changes during audit due to new risk. Auditor should:
A. Ignore changes
B. Modify engagement objectives
C. Stop audit
D. Continue with old plan
Answer: B

35. Consulting Engagement

35. IA is asked to facilitate a risk workshop. This is:
A. Prohibited
B. Assurance service
C. Consulting service
D. Governance action
Answer: C

36. Assessing Culture

36. IA notices employees bypass controls due to pressure for deadlines. This indicates:
A. Fraud
B. Poor control environment
C. Good efficiency
D. Appropriate risk appetite
Answer: B

37. Governance Oversight

37. Audit committee asks IA to evaluate board performance. IA should:
A. Decline
B. Outsource
C. Perform assessment carefully
D. Only review documentation
Answer: C

38. Rotation

39. Red Flags

40. Root Cause Analysis

40. Repeated control failures mostly relate to:
A. Symptoms
B. Root causes
C. Audit report format
D. Ethical standards
Answer: B

41. Workpaper Review

41. Manager reviewing workpapers must check:
A. Grammar
B. Evidence supports conclusions
C. Auditor handwriting
D. Location of files
Answer: B

42. Assurance Engagement

42. Who determines the level of assurance?
A. Auditor
B. CAE
C. Management
D. Audit committee
Answer: A

43. Conflict of Interest

43. An auditor owns shares in a company that is a major supplier. What is required?
A. Sell shares
B. Transfer auditor
C. Disclose & avoid the engagement
D. Ignore because minor issue
Answer: C

44. Continuous Auditing

44. Continuous monitoring is responsibility of:
A. IA
B. Management
C. Board
D. External auditors
Answer: B

45. Continuous Assurance

45. Continuous auditing focuses on:
A. Real-time monitoring
B. Financial statements
C. HR activities only
D. Bypassing controls
Answer: A

46. Consulting Independence

47. Escalation

47. Serious risk not addressed by management must be reported to:
A. CFO
B. Audit committee
C. Process owners
D. HR
Answer: B

48. Fraud Investigation

48. IA is asked to perform fraud investigation. IA should:
A. Decline always
B. Perform investigation if competent
C. Transfer to external audit
D. Outsource completely
Answer: B

49. IT Controls

49. IA finds privileged access granted without approval. This is weakness in:
A. Change management
B. Logical access controls
C. Governance
D. Physical security
Answer: B

Saturday, December 6, 2025