Thursday, November 27, 2025

Cybersecurity Audit: Basic Concepts and Process (CISA auditor)

The basic concepts of a cybersecurity audit, as performed by a CISA (Certified Information Systems Auditor), center on risk-based assessment, strong access controls, and continuous monitoring of security policies and of compliance with regulations. The audit process involves planning and scoping on the basis of risk, evaluating cybersecurity controls such as firewalls, encryption, and multi-factor authentication, and assessing the organization's incident response and recovery capabilities. The auditor examines vulnerabilities, analyzes their impact, tests controls, reviews logs for unusual activity, and provides recommendations to improve the security posture and to assure the confidentiality, integrity, and availability of information assets.


### Basic Concepts of Cybersecurity Audit by CISA

- Risk-based approach: Identifying, analyzing, and mitigating cybersecurity risks to protect business assets.

- Access controls: Ensuring only authorized users have access to sensitive data and systems through mechanisms like multi-factor authentication.

- Continuous monitoring: Regular review of system logs and security policies to detect and respond to suspicious activities.

- Compliance review: Checking adherence to standards and frameworks (ISO 27001, SOC 2) and to regulatory requirements (e.g., GDPR).

- Control evaluation: Assessing effectiveness of controls such as firewalls, encryption, and vulnerability management.


### Cybersecurity Audit Process by a CISA Auditor

- Planning and Scoping: Defining audit objectives, audit scope, and methodology based on risks and business needs.

- Risk Assessment: Identifying threats, vulnerabilities, and their potential impacts.

- Control Testing: Verifying logical, physical, and environmental security controls are effective.

- Evidence Collection and Analysis: Gathering audit evidence through testing and review of policies, processes, and logs.

- Reporting and Recommendations: Communicating findings, providing mitigation advice, and following up on implementation.

- Continuous Auditing: Incorporating ongoing monitoring practices to keep security posture updated with evolving threats.


### CISA Auditor Role in Cybersecurity Audit

- Implementing a risk-based audit strategy that aligns with organizational goals.

- Executing audits to evaluate the protection and management of IT assets.

- Reviewing incident response plans and security awareness training.

- Advising on improvements to strengthen governance and security controls.

- Performing follow-up audits to ensure remediation measures are effective.


This comprehensive approach by CISA auditors helps organizations proactively manage cybersecurity risks and enhance resilience against cyber threats.



Cybersecurity Audit – Key Points to Remember (CISA Exam)


1. Understand the Cybersecurity Governance Frameworks

  • NIST CSF – Identify, Protect, Detect, Respond, Recover (CSF 2.0, released in 2024, adds a sixth function: Govern)
  • ISO/IEC 27001 – Information Security Management System (ISMS)
  • COBIT 2019 – Governance & management of enterprise IT
  • CIS Controls – Prioritized set of 18 controls (v8)
  • ITIL – Service management; incident/problem/change management

CISA may ask to identify which framework best supports governance, risk, or controls.


2. Cybersecurity Policies & Procedures

  • Information security policy → High-level, approved by board
  • Standards → Mandatory rules
  • Procedures → Step-by-step instructions
  • Guidelines → Recommended practices

Key policies:


3. Risk Management in Cybersecurity

  • Steps: Identify → Analyze → Evaluate → Treat → Monitor
  • Risk = Threat × Vulnerability × Impact (a mnemonic: likelihood, driven by threat and vulnerability, combined with impact)
  • Risk treatment options: Avoid, Mitigate, Transfer, Accept
  • CISA focuses on:

4. Cybersecurity Controls

A. Preventive Controls

  • Firewalls and network segmentation (DMZ)
  • Access controls: multi-factor authentication, least privilege
  • Encryption
  • Security awareness training

B. Detective Controls

  • IDS/IPS
  • Log monitoring (SIEM)
  • Security alerts
  • File integrity monitoring

C. Corrective Controls

  • Incident response actions
  • Patching
  • Backups & restoration

5. Endpoint & Network Security Basics (Exam Favorite)

  • Firewall types: Packet filtering, Stateful, Proxy (application-level), NGFW
  • IDS vs IPS:
    • IDS → Detect and alert only (out of band, e.g., fed from a mirror/SPAN port)
    • IPS → Detect + block (sits inline on the traffic path)
  • VPN: Ensures confidentiality + integrity of traffic in transit (and authenticates the endpoints)
  • DMZ: Hosts public-facing systems, isolates the internal network

6. Identity & Access Management (IAM)

  • Authentication factors:
    • Something you know / have / are
  • Authorization models:
    • RBAC → Roles
    • ABAC → Attributes
    • MAC → System-enforced labels and clearances; high security environments
    • DAC → Owner decides
  • Least privilege and Segregation of duties (SoD)
  • Privilege creep → common exam question
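As an added example (not code from the original page), the Python script below shows what an access review covering the points above looks like in practice: it resolves each user's effective permissions through RBAC, flags segregation-of-duties conflicts, and flags privilege creep, meaning entitlements never exercised or idle beyond a threshold. The role catalogue, user assignments, SoD rules, review date and last-used dates are all constructed sample data.

```python
from datetime import date, timedelta

REVIEW_DATE = date(2025, 11, 27)   # date the access review is run (constructed)

# Constructed sample RBAC data (not taken from any real system).
ROLE_PERMISSIONS = {
    "ap_clerk":    {"vendor.create", "invoice.enter"},
    "ap_manager":  {"invoice.approve", "payment.release"},
    "developer":   {"code.commit", "ci.run"},
    "prod_deploy": {"prod.deploy"},
    "auditor":     {"log.read"},
}

USER_ROLES = {
    "alice": {"ap_clerk", "ap_manager"},    # can create a vendor and pay it: SoD conflict
    "bob":   {"developer"},
    "carol": {"developer", "prod_deploy"},  # can commit code and push it to production
    "dave":  {"auditor", "ap_clerk"},       # ap_clerk kept from an old job: privilege creep
}

# Segregation-of-duties rules: no single person may hold both permissions.
SOD_RULES = [
    ("vendor.create", "payment.release"),
    ("invoice.enter", "invoice.approve"),
    ("code.commit", "prod.deploy"),
]

# Last time each (user, permission) was exercised, taken from access logs
# (constructed). A pair absent from this table has never been used.
LAST_USED = {
    ("alice", "vendor.create"):   date(2025, 11, 1),
    ("alice", "invoice.enter"):   date(2025, 11, 20),
    ("alice", "invoice.approve"): date(2025, 11, 25),
    ("alice", "payment.release"): date(2025, 11, 25),
    ("bob", "code.commit"):       date(2025, 11, 26),
    ("bob", "ci.run"):            date(2025, 11, 26),
    ("carol", "code.commit"):     date(2025, 11, 26),
    ("carol", "ci.run"):          date(2025, 11, 10),
    ("carol", "prod.deploy"):     date(2025, 6, 1),
    ("dave", "log.read"):         date(2025, 11, 27),
}


def effective_permissions(user):
    """Union of the permissions granted by every role the user holds (RBAC)."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def sod_violations():
    """(user, perm_a, perm_b) for every SoD rule that one user violates."""
    findings = []
    for user in USER_ROLES:
        perms = effective_permissions(user)
        for a, b in SOD_RULES:
            if a in perms and b in perms:
                findings.append((user, a, b))
    return sorted(findings)


def privilege_creep(as_of=REVIEW_DATE, max_idle_days=90):
    """(user, perm) for entitlements never used or idle longer than max_idle_days."""
    cutoff = as_of - timedelta(days=max_idle_days)
    findings = []
    for user in USER_ROLES:
        for perm in effective_permissions(user):
            last = LAST_USED.get((user, perm))
            if last is None or last < cutoff:
                findings.append((user, perm))
    return sorted(findings)


if __name__ == "__main__":
    for finding in sod_violations():
        print("SoD conflict:", finding)
    for finding in privilege_creep():
        print("Unused entitlement (privilege creep):", finding)
```

The auditor's evidence is the two finding lists plus the role catalogue they were derived from; the 90-day idle threshold is a policy choice and should be taken from the organization's access-review standard rather than hard-coded as here.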

7. Cryptography Essentials

  • Encryption: AES (current symmetric standard), DES/3DES (deprecated, legacy only), RSA (asymmetric)
  • Hashing: SHA-256; MD5 and SHA-1 are weak (collisions are practical) and must not be relied on for integrity or signatures
  • Digital signatures: Integrity + Authentication + Non-repudiation (require an asymmetric private key held only by the signer)
  • Key management: Most critical control in cryptography
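Added example, not part of the original page: the script below makes the difference between integrity, authentication and non-repudiation concrete using only the Python standard library. An unkeyed SHA-256 digest detects accidental corruption but not a deliberate change, because whoever can rewrite the record can recompute the digest; an HMAC with a secret key stops that, but because the verifier holds the same key it cannot prove to a third party who produced a tag, so non-repudiation still needs an asymmetric digital signature (not shown, since the standard library has no public-key signing). The message and key are constructed.

```python
import hashlib
import hmac
import secrets


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Integrity only: unkeyed hash ------------------------------------------
def verify_hash(message: bytes, digest: str) -> bool:
    """True if the message matches the stored digest (detects corruption only)."""
    return hmac.compare_digest(sha256_hex(message), digest)


def attacker_rewrites_hashed(message: bytes, new_message: bytes):
    """An attacker who can modify the record can also recompute an unkeyed digest."""
    return new_message, sha256_hex(new_message)


# --- Integrity + authentication: HMAC with a shared secret -----------------
def mac_tag(key: bytes, message: bytes) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac_tag(key, message), tag)


def attacker_rewrites_mac_protected(message: bytes, new_message: bytes):
    """Without the key the attacker can only guess a tag; an unkeyed digest is the best it can do."""
    return new_message, sha256_hex(new_message)


def demo():
    key = secrets.token_bytes(32)               # shared by sender and receiver
    original = b"PAY 100.00 TO ACCT 12345"      # constructed sample message
    forged = b"PAY 999.00 TO ACCT 66666"

    # 1. Hash alone: the forgery verifies because the digest was recomputed.
    digest = sha256_hex(original)
    tampered_msg, tampered_digest = attacker_rewrites_hashed(original, forged)
    hash_detects_tamper = not verify_hash(tampered_msg, tampered_digest)

    # 2. HMAC: the forgery fails because the attacker lacks the key.
    tag = mac_tag(key, original)
    tampered_msg2, guessed_tag = attacker_rewrites_mac_protected(original, forged)
    mac_detects_tamper = not verify_mac(key, tampered_msg2, guessed_tag)

    # 3. Non-repudiation gap: the receiver holds the key too, so it can mint a
    #    valid tag for a message the sender never sent. Only a signature made
    #    with a private key the sender alone holds closes this gap.
    receiver_forgery_verifies = verify_mac(key, forged, mac_tag(key, forged))

    return {
        "hash_verifies_original": verify_hash(original, digest),
        "hash_detects_tamper": hash_detects_tamper,
        "mac_verifies_original": verify_mac(key, original, tag),
        "mac_detects_tamper": mac_detects_tamper,
        "receiver_can_forge_mac": receiver_forgery_verifies,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The audit point this illustrates is the last bullet above: the HMAC is only as strong as the secrecy and distribution of `key`, so the auditor looks at where the key is generated, stored and rotated, not only at which algorithm is named in the policy.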

8. Vulnerability & Penetration Testing

  • Vulnerability assessment: Identifies weaknesses
  • Penetration test: Attempts exploitation
  • Types: Black box, White box, Grey box
  • Steps: Planning → Discovery → Attack → Reporting
  • Evidence must be properly documented for the audit trail.

9. Cybersecurity Incident Management

  • Phases (NIST SP 800-61):
    Preparation → Detection & Analysis → Containment, Eradication & Recovery → Post-incident activity (lessons learned)
  • Key roles:
    • Incident Response Team (IRT)
    • Forensics experts
  • Chain of custody is essential to maintain evidence integrity.

10. Business Continuity & Disaster Recovery

  • Cybersecurity audit checks:
    • Backup strategy
    • DR plan testing
    • RPO & RTO (recovery point objective: tolerable data loss; recovery time objective: tolerable downtime)
    • Alternate sites: Hot, Warm, Cold
  • Focus on resilience, redundancy, recovery.

11. Security Logging & Monitoring

  • Logs must be:
    • Complete
    • Tamper-proof (at minimum tamper-evident: write-once storage, or forwarded to a collector the system administrator cannot alter)
    • Time synchronized
    • Reviewed regularly
  • SIEM helps correlate events & detect anomalies.
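The two properties an auditor tests here, that logs are tamper-evident and that a SIEM can correlate events across lines, can be shown on a handful of records. The Python below is an added example rather than code from the page: it hash-chains each log line to its predecessor, so that any later edit or deletion breaks verification from that point on, and runs one correlation rule over the same lines: several failed SSH logins from one source followed by a success inside a short window. The log lines are constructed and the addresses come from the RFC 5737 documentation ranges.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sample (not captured from a real host).
RAW_LOGS = [
    "2025-11-27T09:00:01Z host1 sshd: Failed password for admin from 203.0.113.7",
    "2025-11-27T09:00:09Z host1 sshd: Failed password for admin from 203.0.113.7",
    "2025-11-27T09:00:15Z host1 sshd: Failed password for admin from 203.0.113.7",
    "2025-11-27T09:00:22Z host1 sshd: Accepted password for admin from 203.0.113.7",
    "2025-11-27T09:05:00Z host1 sshd: Failed password for bob from 198.51.100.4",
    "2025-11-27T09:30:00Z host1 sshd: Accepted password for bob from 198.51.100.4",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)
GENESIS = "0" * 64   # chain anchor; in production keep it (or a signed copy) off-host


# --- Tamper evidence: hash chain -------------------------------------------
def chain_logs(lines):
    """Return [(line, digest)] where digest_i = SHA-256(digest_{i-1} || line_i)."""
    prev, records = GENESIS, []
    for line in lines:
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        records.append((line, prev))
    return records


def verify_chain(records):
    """Index of the first record whose digest does not match, or -1 if intact."""
    prev = GENESIS
    for i, (line, digest) in enumerate(records):
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        if prev != digest:
            return i
    return -1


# --- Correlation: brute force followed by a success ------------------------
def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_bruteforce_success(lines, threshold=3, window=timedelta(minutes=2)):
    """(src, user, ts) for every success preceded by >= threshold failures
    from the same source within the window."""
    failures = defaultdict(list)   # src -> timestamps of failed logins
    alerts = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue   # a real pipeline counts unparsed lines as a completeness metric
        if event["result"] == "Failed":
            failures[event["src"]].append(event["ts"])
        else:
            recent = [t for t in failures[event["src"]] if event["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append((event["src"], event["user"], event["ts"]))
    return alerts


if __name__ == "__main__":
    records = chain_logs(RAW_LOGS)
    print("chain intact:", verify_chain(records) == -1)
    for alert in detect_bruteforce_success(RAW_LOGS):
        print("ALERT brute force then success:", alert)
```

The chain only proves tampering if the attacker cannot rewrite the digests along with the lines, which is why the last digest (or the whole stream) must leave the host, for example by being forwarded to the SIEM or a write-once store; the correlation rule, in turn, only works if the clocks of the sources agree, which is the time-synchronization requirement above.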

12. Cloud Cybersecurity Controls

  • Shared responsibility model (IaaS, PaaS, SaaS differences)
  • Cloud risks:
    • Misconfiguration
    • Vendor lock-in
    • Data residency
  • Controls:
    • CASB
    • Encryption
    • IAM
    • Logging & monitoring tools

13. Auditing Cybersecurity – What CISA Expects

  • Determine control design effectiveness.
  • Test operating effectiveness.
  • Ensure alignment with business objectives.
  • Evaluate compliance with:
    • Policies
    • Standards
    • Regulatory and contractual requirements (GDPR, HIPAA, PCI DSS)

14. Common Cyber Attacks (Must Memorize)

Know: attack → threat → control to mitigate.


🎯 Exam Tips (Golden Rules)

  • In CISA questions, auditors DO NOT perform operational security tasks (like patching). They evaluate controls.
  • The best answer typically focuses on:
    ✓ Risk-based approach
    ✓ Governance & management-level controls
    ✓ Policies > Procedures
    ✓ Preventive > Detective > Corrective (if choosing best control)
  • When asked “What should the IS auditor do FIRST?”
    → Answer typically involves understanding, reviewing, or risk assessment, NOT execution.

Define the audit scope and objectives for a CISA cybersecurity audit

The audit scope for a CISA cybersecurity audit defines the boundaries and extent of the evaluation, specifying which systems, networks, processes, and organizational units will be covered. It includes identifying the IT infrastructure components that will be assessed, such as network security, application security, data handling, access controls, and compliance with relevant regulations. The scope is risk-based and aligned with business and regulatory requirements to focus on areas of highest risk and importance.


The audit objectives clarify why the audit is conducted and what it aims to achieve. Common objectives include identifying vulnerabilities and weaknesses in cybersecurity controls, evaluating the effectiveness of existing security measures, ensuring compliance with laws and standards (e.g., GDPR, HIPAA, ISO 27001), assessing incident response preparedness, and verifying that information assets are adequately protected from unauthorized access, disclosure, alteration, or destruction. Objectives should align with the organization's cybersecurity and protection goals and be realistically limited to a manageable scope.


In summary:

- Audit Scope: Specifies the systems, processes, and locations included in the audit, based on risk assessment and compliance needs.

- Audit Objectives: Defines the purpose such as vulnerability detection, control effectiveness evaluation, regulatory compliance, risk reduction, and security assurance.


This clear definition guides the audit planning and execution phases and ensures a focused, effective cybersecurity assessment by CISA auditors.



www.gmsisuccess.in

Wednesday, November 26, 2025

Strategic Management with MCQ questions ‼️

📘 STRATEGIC PLANNING — BULLET POINT NOTES (US CMA PART 1)


1. Analysis of External & Internal Factors Affecting Strategy

A. External Environment Analysis

These factors are outside the organization’s control but influence strategic direction.

1. PEST / PESTEL Analysis

  • Political: regulations, taxes, trade policies, government stability.
  • Economic: inflation, interest rates, GDP growth, exchange rates.
  • Social: demographics, education levels, customer preferences, culture.
  • Technological: automation, innovation rate, digital disruption.
  • Environmental: sustainability, climate risk, resource shortages.
  • Legal: labor laws, data protection laws, compliance requirements.

2. Industry & Competitive Forces (Porter’s Five Forces)

3. Market & Customer Analysis

  • Market size and growth
  • Customer segments
  • Trends and future demand
  • Competitor offerings

B. Internal Environment Analysis

Identifies the firm’s strengths & weaknesses.

1. Resource-Based View (RBV)

  • Tangible resources: assets, equipment, cash, factories.
  • Intangible resources: brand, patents, reputation, technology.
  • Capabilities: processes, skills, culture, management systems.

2. VRIO Framework (Value, Rarity, Imitability, Organization)

A resource creates sustainable competitive advantage if:

  • It is Valuable
  • It is Rare
  • It is Costly to Imitate
  • The company is Organized to exploit it

3. Value Chain Analysis

  • Primary activities: inbound logistics, operations, outbound logistics, marketing, service.
  • Support activities: HR, technology, procurement, firm infrastructure.
  • Helps detect cost drivers & areas to differentiate.

4. Internal Controls & Processes

  • Efficiency of operations
  • Cost structures
  • Productivity and capacity
  • Technology systems
  • Governance and risk management

2. Long-Term Mission and Goals

Mission Statement

  • Defines the organization’s core purpose, reason for existence, value to stakeholders.
  • Should be clear, future-oriented, and inspirational.

Vision Statement

  • Describes the desired future state (what the organization wants to become).
  • Long-term direction for strategy.

Organizational Values

  • Ethical principles
  • Cultural priorities
  • Behavior expectations

Long-Term Goals (Strategic Goals)

  • Derived from mission and vision
  • Set for 3–5 years or more
  • Examples:
    • Market share growth
    • Cost leadership
    • Innovation leadership
    • Expanding into new markets
    • Long-term financing or capital structure targets

SMART Framework for goal setting

  • Specific
  • Measurable
  • Achievable
  • Relevant
  • Time-bound

3. Alignment of Tactics with Long-Term Strategic Goals

Hierarchy of Planning

  1. Mission & Vision (Top level)
  2. Long-term strategy (Corporate/Business strategy)
  3. Tactical plans (1–2 years)
  4. Operational plans (Daily/weekly/monthly)

How Alignment is Ensured

  • Every department plan must support overall strategic objectives.
  • KPIs should be linked to strategic goals through a Balanced Scorecard (BSC).
  • Budgeting must reflect strategic priorities (e.g., capital budgeting).
  • Resource allocation must favor strategic initiatives.

Examples of Alignment

  • Strategic goal: market expansion → Tactical plan: launch new product line.
  • Strategic goal: cost leadership → Tactical plan: implement lean production.
  • Strategic goal: digital transformation → Tactical plan: upgrade ERP system.

4. Strategic Planning Models & Analytical Techniques

A. Common Planning Models

1. SWOT Analysis

  • Strengths (internal)
  • Weaknesses (internal)
  • Opportunities (external)
  • Threats (external)

2. Porter’s Generic Strategies

  • Cost leadership
  • Differentiation
  • Focus (niche)

3. Balanced Scorecard (BSC)

Four perspectives:

  • Financial
  • Customer
  • Internal Processes
  • Learning & Growth

Used to align activities with long-term strategy.

4. Scenario Planning

  • Creates optimistic, pessimistic, and expected scenarios.
  • Helps in uncertainty and risk management.

5. Growth Strategies (Ansoff Matrix)

B. Analytical Techniques


5. Characteristics of a Successful Strategic-Planning Process

Key Characteristics

  • Top management commitment
  • Clear mission and vision
  • Data-driven decision making (internal + external analysis)
  • Cross-functional participation
  • Realistic and financially viable goals
  • Effective communication throughout the organization
  • Continuous monitoring and performance measurement
  • Flexibility and adaptability to change
  • Integration with budgeting and performance evaluation
  • Alignment with risk management and internal controls

Outcome Indicators of Successful Planning

  • Achievement of objectives
  • Strong competitive position
  • Sustainable profitability
  • Improved operational efficiency
  • Better resource allocation
  • Employee engagement and strategic clarity



1. Meaning of Strategic Management

  • Process of defining long-term direction and allocating resources to achieve organizational goals.
  • Integrates analysis, formulation, implementation, and control.
  • Focuses on sustainable competitive advantage.

2. Levels of Strategy

Corporate Level

  • Decisions on overall scope, long-term growth, mergers, diversification.

Business Level

  • How a business competes within a particular industry.
  • Includes differentiation, cost leadership, focus strategies.

Functional Level

  • Departmental strategies (marketing, HR, finance, production).

3. External Environment Analysis (Macro) – PESTEL

  • P – Political: regulations, taxes, government stability.
  • E – Economic: inflation, interest rates, GDP, income levels.
  • S – Social: demographics, lifestyle changes.
  • T – Technological: innovation, automation, digital trends.
  • E – Environmental: climate change, sustainability norms.
  • L – Legal: labor laws, competition laws, compliance.

4. Internal Environment Analysis

VRIO Framework

  • V – Valuable resources create value.
  • R – Rare resources not widely available.
  • I – Inimitable resources difficult to copy.
  • O – Organized to capture value.

Core Competencies

  • Unique strengths that provide competitive advantage.

Value Chain Analysis (Porter)

  • Primary Activities: inbound logistics, operations, outbound logistics, marketing & sales, service.
  • Support Activities: HRM, procurement, tech development, infrastructure.

5. Porter’s Five Forces Model

Used to analyze industry attractiveness & competitive intensity.

  1. Threat of New Entrants

    • High when barriers to entry are low (low capital, weak regulation).
  2. Bargaining Power of Suppliers

    • High when few suppliers or unique inputs.
  3. Bargaining Power of Customers

    • High when customers are concentrated, price-sensitive.
  4. Threat of Substitute Products

    • High when alternatives are affordable, easily available.
  5. Industry Rivalry

    • Intense when many competitors, slow growth, high fixed costs.

6. Generic Competitive Strategies (Porter)

  • Cost Leadership: lowest cost in industry.
  • Differentiation: unique features to charge premium price.
  • Focus/Niche: target narrow segment with cost or differentiation focus.

7. Ansoff Growth Matrix

  • Market Penetration: increase share in existing markets.
  • Market Development: new markets for existing products.
  • Product Development: new products for existing markets.
  • Diversification: new products + new markets.

8. BCG Matrix (Boston Consulting Group Matrix)

Used to manage a portfolio of business units based on market share and market growth.

| Category       | Market Growth | Relative Market Share | Strategy                       |
|----------------|---------------|-----------------------|--------------------------------|
| Stars          | High          | High                  | Invest for growth              |
| Cash Cows      | Low           | High                  | Maintain, harvest profits      |
| Question Marks | High          | Low                   | Selective investment or divest |
| Dogs           | Low           | Low                   | Divest or reposition           |

9. GE McKinsey Matrix (9-Cell Matrix)

  • Dimensions: Industry Attractiveness vs. Business Unit Strength.
  • Strategies:
    • Grow (high–high)
    • Select/Invest selectively (medium zones)
    • Harvest/Divest (low–low)

10. SWOT Analysis

Internal:

  • Strengths, Weaknesses

External:

  • Opportunities, Threats

Basis for matching internal capabilities with external environment.


11. Balanced Scorecard (BSC)

Performance measurement system with four perspectives:

  • Financial
  • Customer
  • Internal Processes
  • Learning & Growth

Aligns operations with long-term strategy.


12. Strategic Planning Process

  1. Define vision, mission, values.
  2. Environmental scanning (external + internal).
  3. Set long-term goals.
  4. Formulate strategy.
  5. Resource allocation.
  6. Implementation.
  7. Strategic control & performance monitoring.

13. Strategic Implementation Issues

  • Resistance to change.
  • Lack of leadership.
  • Poor communication.
  • Insufficient resources.
  • Misaligned structure or culture.

14. Competitive Advantage

  • Ability to outperform rivals consistently.
  • Focus on unique value, cost advantage, or innovation.
  • Must be valuable, rare, inimitable, non-substitutable.



BCG MATRIX – COMPLETE NOTES (US CMA Part 1)

(Boston Consulting Group Growth-Share Matrix)

The BCG Matrix is a portfolio analysis tool used to evaluate Strategic Business Units (SBUs) or product lines based on:

  1. Market Growth Rate (Industry attractiveness) → HIGH / LOW
  2. Relative Market Share (Competitive strength) → HIGH / LOW

It helps managers decide:
✔ Where to invest
✔ Where to grow
✔ Where to divest
✔ How to allocate resources


BCG Matrix Structure

| BCG Quadrant   | Market Growth | Market Share | Typical Strategy               |
|----------------|---------------|--------------|--------------------------------|
| Stars          | High          | High         | Invest & grow                  |
| Cash Cows      | Low           | High         | Maintain & harvest cash        |
| Question Marks | High          | Low          | Selective investment or divest |
| Dogs           | Low           | Low          | Harvest or divest              |

DESCRIPTION OF EACH QUADRANT

1. ⭐ Stars (High Growth, High Market Share)

  • Leaders in a fast-growing market
  • Need high investment to maintain leadership
  • Potential future cash cows

Strategy:
✔ Invest for growth
✔ Expand capacity
✔ Maintain competitive advantage


2. 💰 Cash Cows (Low Growth, High Market Share)

  • Industry growth slow but SBU dominates
  • Generates steady cash with low investment needs
  • Funds Stars & Question Marks

Strategy:
✔ Maintain leadership
✔ Maximize cash flow
✔ Cost efficiency


3. ❓ Question Marks (High Growth, Low Market Share)

  • High market potential but weak competitive position
  • Uncertain future → can become Star or Dog
  • Require high investment

Strategy:
✔ Invest selectively where chances of leadership exist
✔ Otherwise divest


4. 🐶 Dogs (Low Growth, Low Market Share)

  • Weak competitive position in a stagnant or shrinking market
  • Low cash generation
  • Often over-aged products

Strategy:
✔ Harvest (reduce investment)
✔ Liquidate/divest
✔ Do not invest further


How Companies Use the BCG Matrix

  1. Resource allocation
  2. Deciding which SBUs to grow or cut
  3. Strategic planning (long-term)
  4. Capital budgeting priorities
  5. Monitoring product portfolio health

Critical Assumptions & Limitations of BCG Matrix

Assumptions

  • Market share → profitability
  • Market growth → investment need

Limitations

  • Oversimplified (only 2 variables: market share & growth)
  • Ignores synergies between SBUs
  • Industry growth rate may not reflect attractiveness
  • Relative market share may not always mean profitability
  • Static snapshot – not dynamic

FORMULA USED (Important for CMA Exam)

Relative Market Share = (Firm’s Market Share) / (Largest Competitor’s Market Share)

If RMS > 1 → HIGH market share
If RMS < 1 → LOW market share


CASE STUDY 1 – SIMPLE (Easy to Understand)

Company: Nova Electronics Ltd.

It produces 4 product lines:

| Product     | Market Growth | Market Share | Category |
|-------------|---------------|--------------|----------|
| Smartphones | High          | High         | ?        |
| Earbuds     | High          | Low          | ?        |
| TVs         | Low           | High         | ?        |
| MP3 Players | Low           | Low          | ?        |

Classification Using BCG Matrix

  1. Smartphones
     • High growth + High market share → ⭐ Star
  2. Earbuds
     • High growth + Low market share → ❓ Question Mark
  3. TVs
     • Low growth + High market share → 💰 Cash Cow
  4. MP3 Players
     • Low growth + Low market share → 🐶 Dog

Strategic Recommendations

  • Smartphones: Invest heavily to maintain leadership
  • Earbuds: Evaluate potential → invest selectively
  • TVs: Use profits to fund Stars and Question Marks
  • MP3 Players: Stop investment & consider divestment

CASE STUDY 2 – ADVANCED (CMA-LEVEL)

Company: Global Foods Pvt. Ltd.

A diversified food company with the following SBUs:

| SBU              | Market Growth Rate | Market Share | Notes                                  |
|------------------|--------------------|--------------|----------------------------------------|
| Frozen Meals     | 15%                | 35%          | Leader in growing market               |
| Instant Noodles  | 2%                 | 50%          | Mature industry                        |
| Energy Drinks    | 18%                | 5%           | Competing against strong global brands |
| Biscuits         | 1%                 | 4%           | Highly competitive, saturated market   |
| Plant-Based Meat | 20%                | 10%          | New market, rising demand              |

BCG Analysis


1. Frozen Meals → ⭐ Star

  • High market growth (15%)
  • High relative market share (dominant at 35%)

Strategy:
✔ Continue investment
✔ Expand distribution
✔ Maintain competitive advantage


2. Instant Noodles → 💰 Cash Cow

  • Low growth (2%)
  • High market share (50%)

Strategy:
✔ Maximize profit
✔ Reduce unnecessary investment
✔ Use cash to fund growth markets


3. Energy Drinks → ❓ Question Mark

  • High growth (18%)
  • Low market share (only 5%)
  • Competitors strong (Red Bull, Monster, etc.)

Strategy:
✔ Analyze feasibility of gaining share
✔ If branding or R&D can help → invest
✔ If gains unlikely → divest


4. Biscuits → 🐶 Dog

  • Low growth (1%)
  • Low market share (4%)

Strategy:
✔ Stop new investments
✔ Sell or discontinue product line


5. Plant-Based Meat → ❓ Question Mark (Potential Future Star)

  • High growth (20%)
  • Low share (10%)
  • Market is emerging

Strategy:
✔ Invest more due to strong future potential
✔ Improve production efficiency
✔ Build brand loyalty early


Portfolio Strategy Based on BCG Matrix Outcome

  • Heavy investment → Frozen Meals, Plant-based Meat
  • Maintain & Harvest → Instant Noodles
  • Selective investment → Energy Drinks
  • Divest/Harvest → Biscuits

This allows optimal capital allocation and long-term profit maximization.



Below are 50 MCQs with answers (an explanation is added where the answer is not self-evident) covering Mission, Vision, Strategic Management Process, Organizational Values & Culture, BCG Matrix, Porter's Five Forces, Product Differentiation & Cost Leadership, Cost Competitiveness, Core Competencies, SWOT, PESTEL, Balanced Scorecard and Stakeholder Analysis, aligned with US CMA Part 1 – Strategic Planning.


MCQ QUESTIONS WITH ANSWERS (50 Questions)

(All answers are provided at the end of each question)


1. A mission statement primarily answers which question?

A. Where do we want to be in 10 years?
B. What is our purpose and reason for existence?
C. What are the strategic business units?
D. What are our future financial targets?
Answer: B


2. A vision statement primarily focuses on:

A. Long-term future aspirations
B. Current operations and purpose
C. Product design decisions
D. Departmental budgets
Answer: A


3. Which of the following is not part of the strategic management process?

A. Strategy formulation
B. Strategy implementation
C. Strategy evaluation
D. Operational troubleshooting
Answer: D


4. Organizational values serve to:

A. Establish moral principles and decision guidelines
B. Define market share targets
C. Allocate budgets
D. Create marketing slogans
Answer: A


5. A strong organizational culture usually results in:

A. Higher employee turnover
B. Better alignment with strategy
C. More bureaucratic barriers
D. Lower motivation levels
Answer: B


6. In the BCG Matrix, a business unit with high market growth and high market share is:

A. Dog
B. Question Mark
C. Cash Cow
D. Star
Answer: D


7. In the BCG Matrix, which unit generates excess cash but has low growth?

A. Star
B. Cash Cow
C. Dog
D. Question Mark
Answer: B


8. According to Porter’s Five Forces, the threat of substitutes increases when:

A. Switching costs are high
B. Customers are loyal
C. Alternatives are readily available
D. Products are unique
Answer: C


9. A cost leadership strategy focuses on:

A. Providing standard products at the lowest cost
B. Offering highly unique products
C. Charging premium prices
D. Reducing value chain activities
Answer: A


10. Product differentiation allows firms to:

A. Achieve the lowest cost
B. Increase prices due to unique value
C. Eliminate competition entirely
D. Remove need for marketing
Answer: B


11. Cost competitiveness refers to a firm’s ability to:

A. Offer the cheapest product in the market
B. Manage cost structure efficiently
C. Focus only on cost reduction
D. Ignore quality
Answer: B


12. Core competencies must be:

A. Easy to imitate
B. Central to competitive advantage
C. Unrelated to customers
D. Short-term skills
Answer: B


13. SWOT analysis classifies internal factors as:

A. Opportunities and threats
B. Strengths and weaknesses
C. Profit and loss
D. Vision and mission
Answer: B


14. PESTEL analysis includes all except:

A. Technological
B. Legal
C. Ethical
D. Political
Answer: C
(Ethical is not part of standard PESTEL: Political, Economic, Social, Technological, Environmental, Legal)


15. Balanced Scorecard financial perspective includes:

A. Customer retention
B. ROI and revenue growth
C. Employee skills
D. Process efficiency
Answer: B


16. Stakeholder analysis determines:

A. Product prices
B. Key stakeholders’ needs and influence
C. Employee salary levels
D. Marketing strategies only
Answer: B


17. A mission statement should NOT include:

A. Purpose
B. Core values
C. Detailed financial forecast
D. Products/services
Answer: C


18. Which best describes strategy evaluation?

A. Choosing new markets
B. Monitoring performance and taking corrective action
C. Hiring employees
D. Setting vision
Answer: B


19. In Porter’s Five Forces, supplier power increases when:

A. Many suppliers exist
B. Switching suppliers is easy
C. Inputs are unique
D. Customers are powerful
Answer: C


20. A “Dog” business unit should typically be:

A. Expanded
B. Harvested or divested
C. Increased in investment
D. Merged with stars
Answer: B


21. Which is a characteristic of low-cost leadership?

A. Superior design innovation
B. High economies of scale
C. Expensive materials
D. Custom solutions
Answer: B


22. A firm uses unique packaging and branding. It is pursuing:

A. Focus strategy
B. Differentiation strategy
C. Cost leadership
D. Market penetration
Answer: B


23. A core competency must contribute directly to:

A. Short-term sales
B. Customer value
C. Asset depreciation
D. IT budgets
Answer: B


24. Which element belongs to the internal environment?

A. Government regulation
B. Organizational culture
C. Economic inflation
D. Technological trends
Answer: B


25. A company’s values guide:

A. Ethical behavior and decision-making
B. Organizational structure
C. Supply chain design
D. Tax planning
Answer: A


26. PESTEL “Environmental” factor includes:

A. Company’s carbon emission policies
B. Hiring rules
C. Employee bonuses
D. Customer satisfaction
Answer: A


27. Balanced Scorecard’s customer perspective focuses on:

A. Return on assets
B. Market share and satisfaction
C. Learning capacity
D. Employee training
Answer: B


28. Competitive rivalry is intense when:

A. Industry growth is high
B. Exit barriers are low
C. Many equal-sized competitors exist
D. Products are highly differentiated
Answer: C


29. A company that competes in niche markets using cost strategy follows:

A. Broad differentiation
B. Focused cost leadership
C. Cost leadership
D. Hybrid strategy
Answer: B


30. Strategy formulation includes:

A. Setting goals and selecting strategies
B. Monitoring employee performance
C. Daily scheduling
D. Customer complaints handling
Answer: A


31. Industry attractiveness is part of which analysis tool?

A. SWOT
B. BCG
C. Porter’s Five Forces
D. Balanced Scorecard
Answer: C


32. Which BSC perspective captures innovation and employee education?

A. Financial
B. Customer
C. Internal process
D. Learning & growth
Answer: D


33. Vision statements should be:

A. Quantified and measurable
B. Inspirational and future-oriented
C. Focused on internal operations only
D. Limited to financial goals
Answer: B


34. A “Question Mark” in BCG requires:

A. No further investment
B. Careful investment decisions
C. Immediate divestment
D. Cost-cutting
Answer: B


35. In SWOT analysis, “Threat” example is:

A. Strong brand
B. Skilled workforce
C. New competitors
D. New product launch
Answer: C


36. High buyer power occurs when:

A. Products are unique
B. Switching costs are low
C. Few buyers exist
D. Buyers are dependent on the firm
Answer: B


37. Organizational culture is best described as:

A. Corporate accounting rules
B. Shared beliefs and norms
C. Marketing strategy
D. Outsourcing plans
Answer: B


38. Cost leadership risk includes:

A. Becoming too expensive
B. Obsolescence
C. Losing margins due to price wars
D. Over-innovation
Answer: C


39. Differentiation strategy risk is:

A. Product too standardized
B. Imitation by competitors
C. Low brand loyalty
D. Lower margins
Answer: B


40. Stakeholder with high power and high interest should be:

A. Ignored
B. Monitored
C. Closely managed
D. Kept satisfied only
Answer: C


41. In PESTEL, tax policies belong to:

A. Political
B. Economic
C. Legal
D. Social
Answer: A


42. Learning and growth BSC includes:

A. Employee skills & motivation
B. Net profit margin
C. Quality control
D. Customer churn
Answer: A


43. Which is a strength in SWOT?

A. Declining industry
B. Poor customer service
C. Strong distribution network
D. New tax laws
Answer: C


44. Strategic planning begins with:

A. Implementation
B. Mission and vision
C. Budgeting
D. KPI measurement
Answer: B


45. Which is an external factor?

A. Employee turnover
B. New government regulations
C. Machinery efficiency
D. Company culture
Answer: B


46. High market share & low growth indicates:

A. Dog
B. Star
C. Cash Cow
D. Question Mark
Answer: C


47. Strategic control includes:

A. Monitoring environment changes
B. Selecting suppliers
C. Organizing staff schedules
D. Setting manufacturing plans
Answer: A


48. Core competency example:

A. Temporary price discount
B. Efficient supply chain
C. High turnover
D. Changing supplier contracts
Answer: B


49. Which force increases when customers can switch easily?

A. Threat of new entrants
B. Buyer bargaining power
C. Supplier power
D. Industry competition
Answer: B


50. Balanced Scorecard converts strategy into:

A. Financial statements
B. Operational metrics and performance measures
C. Legal compliance rules
D. HR policies
Answer: B

Cash flow statement: CFAT and CFO (indirect method)

Income statement format as per US GAAP/IFRS:

Sales  *****
Less: Cost of goods sold (COGS)  (-)*****
= Gross profit  ******
Less: Operating expenses  (-)****
= Net operating income  ******
Add: Non-operating income  +****
Less: Non-operating expenses  (-)****
= Earnings before interest and tax (EBIT)  *****
Less: Finance costs  (-)****
Less: Income tax expense  (-)****
= Net income (profit after tax, PAT)  ********

Non-operating income includes income from investments and gains on disposal of fixed assets or investments.

Non-operating expenses include loss on sale of fixed assets or investments, impairment loss, cash theft, plant destroyed, etc.

How to compute cash flow after tax (CFAT) as per US GAAP (indirect method, starting from profit after tax):

Net income (PAT)  ******
Add: Non-operating expenses:
  Loss on sale of fixed assets or investments  ***
  Impairment loss  ****
  Finance costs  *****
  Income tax expense  ****  (total) +****
Add: Non-cash expenses:
  Depreciation  +*****
Less: Non-operating income:
  Gain on sale of fixed assets or investments  ***
  Income from investments  ***  (total) (-)****
= Operating cash profit  ******
Add: Income from investments received  +******
Less: Finance costs paid  (-)*****
Less: Income tax paid  (-)*****
= CFAT  +/-******

How to compute CFO (indirect method) as per US GAAP:

CFAT as above  +/-******
Adjust for increases/decreases in current assets and current liabilities, except cash, bank balance and bank overdraft:
  Increase in current assets  (-)*****
  Decrease in current assets  +*****
  Increase in current liabilities  +*****
  Decrease in current liabilities  (-)****
= Cash flow from operations (CFO)  +/-****

Cash flow from operations (CFO) by the direct method as per US GAAP:

Cash sales  +******
Collection from customers  +*****
Cash purchases  (-)****
Payment to suppliers  (-)*****
Wages paid  (-)*****
Overheads paid  (-)****
Income from investments received  +****
Finance costs / interest paid  (-)***
Income tax paid  (-)****
= CFO  +/-*****

NOW SOLVE FOLLOWING ILLUSTRATION.


Illustration questions on the cash flow statement:

Illustration 1: Prepare the income statement and compute cash flow after tax. Sales 1,500,000; cost of goods sold 800,000 (including depreciation 120,000); operating expenses 100,000 (including depreciation 90,000); income from investment 100,000 (actually received 120,000); loss on sale of patent 20,000; impairment loss 5,000; interest on bank loan 50,000 (actually paid 40,000); income tax expense 160,000 (actual tax paid 90,000).


Illustration 2: Operating cash profit 200,000; income received from investment 90,000; finance cost paid 40,000; income tax paid 100,000; increase in inventory 40,000; decrease in trade receivables 60,000; increase in trade payables 20,000; sale of investment 100,000; purchase of plant 200,000; issue of equity shares of nominal value 100,000 at a 10% premium; payment of equity dividends 50,000; repayment of bank loan 80,000; acquisition of a business valued at 500,000 by issuing our equity shares at par 400,000 with the balance paid in cash; opening cash balance 100,000; closing cash balance 200,000; closing bank overdraft 130,000. Compute cash generated from all activities (CFO + CFI + CFF) and compute closing cash and cash equivalents.


Illustration 3: Cash sales 600,000; payment to suppliers 300,000; collection from customers 400,000; cash purchases 200,000; wages paid 90,000; overheads paid 80,000; interest paid 60,000; interest received 70,000; income tax paid 90,000; business acquisition 300,000; repurchase of equity shares 150,000; payment of equity dividend 50,000; opening cash and cash equivalents (-)90,000. Compute closing cash and cash equivalents.

ANSWER...Wait...you will get in the evening...
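Working the templates above in code, as an added example that is not part of the original post and not the author's own solution: the functions below implement the income statement walk, the indirect-method CFAT and CFO, and the direct-method CFO exactly in the order the schedules above list them, using the figures from Illustration 1, the CFO portion of Illustration 2, and the receipts and payments of Illustration 3 (the investing and financing parts of Illustration 2 are not covered). The class, function and field names are this example's own. The reconciliation check inside `cfat_indirect` is the control a reviewer applies to an indirect-method working: reversing the accrual items below net operating income must land on net operating income plus depreciation, otherwise an item was added back on the wrong side.

```python
from dataclasses import dataclass


@dataclass
class IncomeStatementInputs:
    """Accrual-basis figures in the layout of the income statement template above."""
    sales: float
    cogs: float                    # cost of goods sold, including any depreciation charged to it
    operating_expenses: float      # including any depreciation charged to opex
    depreciation: float            # total depreciation inside cogs + opex (non-cash)
    non_operating_income: float    # e.g. income from investments, gain on disposal
    non_operating_expenses: float  # e.g. loss on sale of fixed assets, impairment loss
    finance_costs: float           # interest expense (accrued, not paid)
    income_tax_expense: float      # tax expense (accrued, not paid)


def income_statement(p: IncomeStatementInputs) -> dict:
    """Walk the template top-down from sales to net income (PAT)."""
    gross_profit = p.sales - p.cogs
    net_operating_income = gross_profit - p.operating_expenses
    ebit = net_operating_income + p.non_operating_income - p.non_operating_expenses
    ebt = ebit - p.finance_costs
    pat = ebt - p.income_tax_expense
    return {
        "gross_profit": gross_profit,
        "net_operating_income": net_operating_income,
        "ebit": ebit,
        "ebt": ebt,
        "pat": pat,
    }


def cfat_indirect(p: IncomeStatementInputs, investment_income_received: float,
                  finance_costs_paid: float, income_tax_paid: float) -> dict:
    """CFAT by the indirect method: start from PAT, reverse accrual items, then apply actual cash flows."""
    stmt = income_statement(p)
    operating_cash_profit = (
        stmt["pat"]
        + p.non_operating_expenses + p.finance_costs + p.income_tax_expense  # add back non-operating expenses
        + p.depreciation                                                      # add back non-cash expense
        - p.non_operating_income                                              # remove non-operating income
    )
    # Reconciliation check: the reversal must land on net operating income + depreciation
    expected = stmt["net_operating_income"] + p.depreciation
    if abs(operating_cash_profit - expected) > 1e-6:
        raise ValueError("indirect reversal does not reconcile with net operating income + depreciation")
    cfat = operating_cash_profit + investment_income_received - finance_costs_paid - income_tax_paid
    return {"operating_cash_profit": operating_cash_profit, "cfat": cfat}


def cfo_indirect(cfat: float, increase_in_current_assets: float = 0.0,
                 decrease_in_current_assets: float = 0.0,
                 increase_in_current_liabilities: float = 0.0,
                 decrease_in_current_liabilities: float = 0.0) -> float:
    """CFO by the indirect method: CFAT adjusted for working-capital movements (cash, bank and overdraft excluded)."""
    return (cfat
            - increase_in_current_assets + decrease_in_current_assets
            + increase_in_current_liabilities - decrease_in_current_liabilities)


def cfo_direct(cash_sales: float, collections_from_customers: float, cash_purchases: float,
               payments_to_suppliers: float, wages_paid: float, overheads_paid: float,
               investment_income_received: float, interest_paid: float, income_tax_paid: float) -> float:
    """CFO by the direct method: cash receipts less cash payments, with interest and tax inside CFO as on the page."""
    receipts = cash_sales + collections_from_customers + investment_income_received
    payments = (cash_purchases + payments_to_suppliers + wages_paid + overheads_paid
                + interest_paid + income_tax_paid)
    return receipts - payments


# Figures taken from Illustration 1 above (depreciation 120,000 in COGS + 90,000 in opex)
ILLUSTRATION_1 = IncomeStatementInputs(
    sales=1_500_000, cogs=800_000, operating_expenses=100_000, depreciation=210_000,
    non_operating_income=100_000,        # income from investment (accrued)
    non_operating_expenses=25_000,       # loss on sale of patent 20,000 + impairment loss 5,000
    finance_costs=50_000, income_tax_expense=160_000,
)

if __name__ == "__main__":
    print(income_statement(ILLUSTRATION_1))
    print(cfat_indirect(ILLUSTRATION_1, investment_income_received=120_000,
                        finance_costs_paid=40_000, income_tax_paid=90_000))
    # Illustration 2, CFO part only: operating cash profit 200,000 and the cash items given there
    cfat_2 = 200_000 + 90_000 - 40_000 - 100_000
    print(cfo_indirect(cfat_2, increase_in_current_assets=40_000,
                       decrease_in_current_assets=60_000, increase_in_current_liabilities=20_000))
    # Illustration 3 receipts and payments
    print(cfo_direct(600_000, 400_000, 200_000, 300_000, 90_000, 80_000, 70_000, 60_000, 90_000))
```

The indirect and direct methods must agree on CFO for the same period; when they do not, the usual culprits are a non-cash item (depreciation, impairment, a share-for-share acquisition) treated as cash, or interest and tax classified in one method and not the other.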


Best wishes 🍀 from Prof Mahaley Head Gmsisuccess Mumbai Tel 9773464206

Tuesday, November 25, 2025

MCQ on CIA Part 1: Foundations of Internal Auditing (35%)

 

Section A: Difficulty level: Simple

50 MCQs on CIA Part 1: Foundations of Internal Auditing (35%), focused on IPPF, governance, CAE responsibilities, QAIP, risk-based audit planning, agile auditing, assurance vs consulting, and reporting.

CIA Part 1 – Foundations of Internal Auditing

 

1. The internal audit activity reports functionally to the board to:

A. Manage day-to-day administrative responsibilities

B. Support internal auditors’ continuing education programs

C. Ensure independence in determining audit scope

D. Approve staff performance evaluations

Answer: 

 

2. Which role is most appropriate for the internal audit activity regarding the organization’s risk management process?

A. Assume responsibility for managing key risks

B. Provide assurance on the effectiveness of risk management

C. Approve risk appetite

D. Develop risk response strategies

Answer: 

 

3. The CAE is asked to justify resources and budget requirements for the upcoming year. Which standard applies?

A. 2040

B. 2030

C. 2000

D. 1320

Answer: 

 

4. A key difference between assurance and consulting engagements is:

A. Assurance services require more documentation

B. Consulting engagements improve organizational operations and require client involvement

C. Assurance services must comply with the Code of Ethics, consulting does not

D. Consulting always reduces internal audit responsibility

Answer: 

 

5. To maintain independence, significant impairments must be reported to:

A. Senior management only

B. Board only

C. Both senior management and the board

D. Audit clients

Answer: 

 

6. The internal audit charter should be reviewed:

A. Every five years

B. Annually or when significant changes occur

C. Whenever external auditors request it

D. Only during a QAIP review

Answer: 

 

7. Which of the following represents a governance responsibility?

A. Designing internal controls

B. Evaluating risks during strategy development

C. Monitoring strategic direction and accountability

D. Developing policies and procedures

Answer: 

 

8. A weakness identified during an engagement that may lead to material risk exposure should be communicated:

A. Immediately to management

B. At the end of the engagement

C. Only in the final report

D. To external auditors first

Answer: 

 

9. The CAE must ensure internal audit follows the Standards. This is primarily achieved through:

A. Engagement supervision

B. Quality Assurance and Improvement Program

C. HR performance process

D. Monthly staff meetings

Answer: 

 

10. An internal audit engagement is delayed due to insufficient IT skills among the audit team. What should the CAE do?

A. Ignore the problem

B. Outsource or co-source expertise

C. Cancel the engagement

D. Reduce scope to fit available skills

Answer: 

 

11. Which principle ensures internal auditors perform work without influence from others?

A. Integrity

B. Objectivity

C. Confidentiality

D. Accountability

Answer: 

 

12. An agile audit framework emphasizes:

A. Closed communication

B. Detailed documentation throughout

C. Early and continuous stakeholder collaboration

D. One final report at the end only

Answer: 

 

13. The CAE wants to provide assurance relating to governance processes. Which standard requires this?

A. 2000

B. 2100

C. 2120

D. 2130

Answer: 

 

14. Which is part of Mandatory Guidance but not Recommended Guidance under the IPPF?

A. Practice Advisories

B. Practice Guides

C. Implementation Guidance

D. Code of Ethics

Answer: 

 

15. Conflict of interest most directly threatens:

A. Confidentiality

B. Integrity and Objectivity

C. Competency

D. Professional skepticism

Answer: 

 

16. The frequency of reporting to the board by the CAE should be:

A. Monthly

B. As needed

C. At least annually

D. Only after QAIP assessments

Answer: 

 

17. Which professional requirement supports continuous improvement?

A. Mandatory peer review

B. External assessment at least once every five years

C. Mandatory rotation of CAE

D. Annual workpaper review by the external auditor

Answer: 

 

18. The audit plan should be based on which principle?

A. Cost of engagement hours

B. Risk-based approach

C. Availability of auditors

D. Historical audit schedules

Answer: 

 

19. When an auditor participates in system design to offer process insights, independence is impaired if they:

A. Provide recommendations

B. Approve final design decisions

C. Perform post-go-live review

D. Attend meetings

Answer: 

 

20. Internal audit’s responsibility regarding fraud includes:

A. Investigating every suspected fraud

B. Preventing employee fraud

C. Evaluating adequacy of controls to manage fraud risk

D. Acting as the fraud reporting hotline

Answer: 

 

21. Which best describes continuous auditing?

A. Run annually as part of QAIP

B. Performs automated tests to identify exceptions in real-time

C. Replaces assurance engagements

D. Eliminates need for auditors

Answer: 

 

22. A well-designed audit observation must include:

A. Cause, effect, and corrective action dates

B. Criteria, cause, effect, and recommendation

C. Scope, sample size, and timeline

D. Management responsibility only

Answer: 

 

23. Responsibility for selecting external QAIP assessors belongs to:

A. CAE

B. Internal audit staff

C. Board

D. External auditors

Answer: 

 

24. Internal audit communicates an unacceptable risk to management but management refuses action. What must the CAE do next?

A. Close issue as management accepted risk

B. Report to the board

C. Revise rating to moderate

D. Remove it from reporting

Answer: 

 

25. Which standard requires documenting work to support conclusions?

A. 2010

B. 2330

C. 2400

D. 2600

Answer: 

 

26. The CAE wants to rely on work performed by external auditors. Which requirement must be evaluated?

A. External auditors’ education, experience, independence, and approach

B. Audit software used

C. Number of external staff assigned

D. Fees paid

Answer: 

 

27. Which threat arises if an auditor audits an area where they previously worked?

A. Advocacy threat

B. Self-review threat

C. Familiarity threat

D. Intimidation threat

Answer: 

 

28. The primary responsibility for communicating audit results to the board belongs to:

A. Senior management

B. CAE

C. Lead auditor

D. Audit committee secretary

Answer: 

 

29. An agile audit sprint cycle concludes. What is the expected outcome?

A. Detailed final report only

B. Immediate release of findings and next sprint decisions

C. Pause until year-end report

D. No stakeholder communication

Answer: 

 

30. To add value, internal audit should:

A. Identify opportunities to improve governance, controls, and risk management

B. Focus only on compliance

C. Prioritize low-risk audits

D. Never provide recommendations

Answer: 

 

31. Independence is most compromised when:

A. Internal auditor reports functionally to the board

B. Internal auditor reports administratively to the CFO

C. CAE reports hiring decisions to the HR

D. Audit budget must be approved by the board

Answer: 

 

32. Standard 2210 requires audit objectives to:

A. Establish criteria to measure performance

B. Align with established risk priorities

C. Meet management expectations only

D. Avoid delays or budget overruns

Answer: 

 

33. The primary goal of conformance standards in the IPPF is to:

A. Offer tools to external auditors

B. Describe behavior expected of internal auditors

C. Provide requirements and criteria for audit performance

D. Provide checklists

Answer: 

 

34. When providing consulting services, internal auditors must:

A. Provide recommendations only

B. Avoid impairing independence for future assurance work

C. Focus on budget cost savings

D. Prevent changes in risk exposure

Answer: 

 

35. The responsibility for controlling day-to-day operations of the organization lies with:

A. Board

B. CAE

C. Management

D. External auditors

Answer: 

 

36. The board’s primary role in internal audit involves:

A. Oversight and accountability

B. Operating controls

C. Designing policies

D. Performing assurance engagements

Answer: 

 

37. Attribute Standard 2020 requires the CAE to:

A. Obtain approval for engagement scope

B. Communicate audit plan and resource requirements to senior management and the board

C. Report audit results annually

D. Maintain audit procedures manual

Answer: 

 

38. Which is NOT a core principle of internal auditing?

A. Demonstrates integrity

B. Aligns with organization’s strategy

C. Is collaborative and influential

D. Manages operational decisions

Answer: 

 

39. The CAE must report results of the QAIP to:

A. Internal audit staff only

B. Senior management and the board

C. External quality assessment team

D. Finance committee

Answer: 

 

40. In agile auditing, documentation:

A. Is eliminated

B. Is minimized but remains sufficient to support results

C. Must be more detailed than traditional audits

D. Is only required at the beginning

Answer: 

 

41. The CAE should remove an auditor from an engagement if:

A. They disagree with audit findings

B. They have a conflict of interest

C. They are new to the team

D. They missed training

Answer: 

 

42. When auditors identify opportunities to improve controls, the correct approach is:

A. Avoid recommendations to maintain independence

B. Provide recommendations but avoid implementation responsibility

C. Implement improvements directly

D. Report suggestions to external auditor

Answer: 

 

43. Governance, Risk, and Control responsibilities are mandatory under:

A. Standard 2000

B. Standard 2100

C. Standard 2200

D. Standard 2300

Answer: 

 

44. The key purpose of internal audit reporting is to:

A. Support documentation compliance

B. Communicate results and enable positive change

C. Validate process owners’ opinion

D. Reduce legal exposure

Answer: 

 

45. Which of the following best reflects the role of internal audit to support ethics within an organization?

A. Create ethics policies

B. Provide assurance on ethics-related controls

C. Handle disciplinary action

D. Review employee recruitment

Answer: 

 

46. Who is responsible for establishing the organization’s risk appetite?

A. CAE

B. Board

C. Management

D. Internal audit team

Answer: 

 

47. Implementation guidance under the IPPF is used to:

A. Provide mandatory rules

B. Explain how to apply the standards

C. Replace practice advisories

D. Dictate audit scope

Answer: 

 

48. Internal audit engagement work programs must:

A. Be developed by management

B. Document required audit procedures to achieve objectives

C. Be optional for experienced auditors

D. Be used only for consulting

Answer: 

 

49. Which is a performance standard?

A. 1210

B. 1320

C. 2400

D. 1100

Answer: 

 

50. External assessments for QAIP must be conducted by:

A. Internal audit staff

B. A qualified, independent assessor or assessment team

C. External auditor from financial statement audit

D. Audit committee chairperson

Answer: 

 

www.gmsisuccsss.in


Section B: Difficulty level: Moderately difficult

10 challenging, logic-based MCQs on “Foundations of Internal Auditing” (CIA Part 1 Domain 1)


Note: Questions are original and based on the current CIA Part 1 syllabus and IIA resources, not copied from any source.


1) The board is concerned that internal audit’s work focuses heavily on low-risk compliance issues selected by the CFO. The CAE wants to realign with the Mission of Internal Audit and the Global Internal Audit Standards. Which action best demonstrates this alignment?


A. Ask the CFO to provide a list of required compliance audits for the next year.  

B. Develop a risk-based audit plan and obtain approval from the board or audit committee.  

C. Increase the number of surprise audits in high-fraud areas.  

D. Request approval from senior management for each engagement’s scope and timing.


Answer: 


2) An internal auditor discovers that a close family member has just been hired as a senior manager in an area scheduled for review next month. The auditor has no direct dealings with this relative at work. Which is the most appropriate response under the Code of Ethics and Standards?


A. Proceed with the engagement but disclose the relationship in the final report.  

B. Request reassignment from the engagement due to an impairment to objectivity.  

C. Perform only preliminary work and let another auditor complete testing.  

D. Continue the engagement because there is no financial interest involved.


Answer: 


3) The internal audit charter states that the CAE reports administratively to the CFO and functionally to the audit committee. Which situation would most seriously threaten organizational independence?


A. The CFO reviews the CAE’s performance evaluation.  

B. The audit committee approves the internal audit budget.  

C. The CFO revises the audit plan to remove a review of treasury operations.  

D. The CAE meets privately with the audit committee twice a year.


Answer:


4) Management requests that internal audit design and implement new internal controls over a critical procurement process. The CAE wants to maintain conformance with the Global Internal Audit Standards regarding assurance versus consulting services. Which approach is most appropriate?


A. Decline all involvement because designing controls always impairs independence.  

B. Design and implement the controls, then perform the assurance engagement.  

C. Provide advisory input on control options while management makes final design and implementation decisions.  

D. Take full ownership of control design but outsource implementation to an external consultant.


Answer: 


5) During a board strategy session, the CAE is asked to “own the enterprise risk management (ERM) process” because internal audit has the strongest risk expertise. Which response best aligns with internal audit’s mandate and the Three Lines Model?


A. Accept ownership of ERM and report any risk issues directly to regulators.  

B. Accept responsibility for coordinating risk registers but not for risk ownership.  

C. Decline and explain that internal audit’s role is to provide independent assurance on ERM, not manage it.  

D. Accept ownership of ERM only if the board approves changes to the audit charter.


Answer: 


6) The CAE wants to demonstrate conformance with the core principles for the professional practice of internal auditing. Which of the following actions best evidences the principle of “Insightful, proactive, and future-focused”?


A. Issuing reports strictly limited to control deficiencies noted during fieldwork.  

B. Recommending actions that address only historical noncompliance.  

C. Identifying emerging risks and advising the board on how they could impact strategic objectives.  

D. Limiting recommendations to low-cost, quick-win process improvements.


Answer:


7) An internal auditor is assigned to review cybersecurity. The auditor has strong general IT knowledge but limited experience in cybersecurity frameworks. To conform with proficiency and due professional care requirements, which action is most appropriate?


A. Perform the engagement as planned, relying only on existing knowledge.  

B. Decline the assignment because internal audit must not review technical areas.  

C. Seek targeted training and, if needed, use qualified experts while maintaining overall responsibility for the engagement.  

D. Ask management to prepare a self-assessment and accept it without further work.


Answer: 


8) The audit committee wants assurance that the internal audit activity itself complies with the Global Internal Audit Standards. Which approach best meets the requirement for quality assurance and improvement?


A. The CAE prepares an annual self-assessment, with no external review.  

B. The internal audit activity commissions an external quality assessment at least once every five years, supported by ongoing internal assessments.  

C. The external financial statement auditor evaluates internal audit quality each year.  

D. Management reviews internal audit performance during the annual budgeting process.


Answer: 


9) Internal audit has unrestricted access to records and personnel, yet management frequently delays responses and argues that certain operational reports are “not necessary” for audit work. Which action best uses internal audit’s authority under the charter?


A. Accept management’s position to preserve relationships.  

B. Conduct the engagement using only the information that management voluntarily provides.  

C. Escalate the issue to the audit committee, explaining how restricted access affects internal audit’s ability to fulfill its responsibilities.  

D. Cancel the engagement and reallocate resources to other audits.


Answer:  


10) A newly appointed CAE is redesigning the internal audit charter. To align with the Global Internal Audit Standards, which element is most critical to include?


A. A detailed list of all audits internal audit will perform each year.  

B. A description of internal audit’s purpose, authority, and responsibility, including reporting lines to the board.  

C. A requirement that internal audit report only to senior management.  

D. A statement that internal audit is responsible for detecting all fraud.


Answer: 




Section C: Difficulty level: Challenging and tricky


Here are MCQs for CIA Part 1 – Foundations of Internal Auditing, with a suggested time per question. Each should be answered in about 1–1.5 minutes, in line with the exam’s overall timing of 125 questions in 150 minutes.


1) Time: 1.2 minutes  

The CAE wants to revise the audit charter to align with the Global Internal Audit Standards. Which content is MOST critical to include?


A. A schedule of all engagements to be performed during the year  

B. A statement that internal audit will support management in achieving profit targets  

C. A description of internal audit’s purpose, authority, and responsibilities, including its reporting lines  

D. A list of all laws and regulations to be tested for compliance  


Answer: 

2) Time: 1.2 minutes  

Internal audit is requested to “own” the organization’s risk register and decide which risks each manager is responsible for. Which is the BEST response consistent with the Three Lines Model?


A. Accept the role and report any major changes directly to regulators  

B. Decline to own the risk register but agree to review and provide assurance over risk management  

C. Accept full ownership of the risk register as long as the board approves the charter  

D. Accept the role temporarily and then outsource all assurance work  


Answer: 

3) Time: 1.2 minutes  

Which scenario represents an impairment to organizational independence of the internal audit activity?


A. The CAE reports functionally to the audit committee and administratively to the CFO  

B. Senior management reduces the approved audit budget without informing the board  

C. The CAE attends executive committee meetings as a non-voting member  

D. Internal audit uses guest auditors from operations for specialized reviews  


Answer: 


4) Time: 1.5 minutes  

An auditor is assigned to review a complex new derivatives product. The auditor understands internal controls but has limited knowledge of derivatives. To conform with proficiency and due professional care, what should the auditor do FIRST?


A. Decline the assignment entirely because of lack of expertise  

B. Perform the engagement using existing knowledge and learn during fieldwork  

C. Discuss the skills gap with the CAE and arrange for training or expert assistance  

D. Ask management to self-assess controls and rely on their evaluation  


Answer: 


5) Time: 1.2 minutes  

Which activity MOST clearly aligns with the Mission of Internal Auditing and the core principles?


A. Performing only compliance audits requested by regulators  

B. Providing insight on emerging risks that may affect achievement of strategic objectives  

C. Limiting reports to listing control deficiencies without recommendations  

D. Focusing solely on confirming adherence to policies and procedures  


Answer: 


6) Time: 1.3 minutes  

During an engagement, an auditor discovers a control weakness that is unlikely to affect current objectives but could become significant if the entity expands into a new market next year. What is the MOST appropriate action?


A. Ignore it because it does not affect current objectives  

B. Report it as an observation with an emphasis on potential future impact  

C. Escalate it as a major finding requiring immediate remediation  

D. Discuss it informally with staff only, without documentation  


Answer: 


7) Time: 1.3 minutes  

Which situation MOST clearly impairs an individual internal auditor’s objectivity?


A. The auditor previously worked in the audited department three years ago  

B. The auditor helped design key controls in the process being audited six months ago  

C. The auditor receives training from the process owner before the engagement  

D. The auditor has social interactions with staff in the area being audited  


Answer:  


8) Time: 1.5 minutes  

A CAE wants to demonstrate that the internal audit activity conforms with the Global Internal Audit Standards. Which of the following approaches BEST satisfies the quality assurance and improvement program requirement?


A. An internal review of working papers every five years  

B. Ongoing supervision plus periodic internal assessments and an external assessment at least once every five years  

C. Reliance on the external financial auditor’s annual review of internal audit work  

D. Annual satisfaction surveys of auditees only  


Answer: 


9) Time: 1.2 minutes  

The Code of Ethics requires internal auditors to exercise due professional care. Which behavior BEST demonstrates this principle during an engagement?


A. Testing fewer items than planned to finish before the deadline  

B. Adjusting the nature and extent of work based on risk and materiality  

C. Relying entirely on management’s explanations when controls appear weak  

D. Using only inquiry as a procedure when evidence is easily available  


Answer: 


10) Time: 1.5 minutes  

Management asks internal audit to design and implement a new segregation-of-duties matrix and then perform an assurance review on it. What is the MOST appropriate response?


A. Accept both design and assurance roles because this improves control quality  

B. Decline all involvement in segregation of duties to avoid any impairment  

C. Agree to provide consulting input on the matrix design while ensuring management retains ownership, and decline providing assurance on this specific design work later  

D. Outsource the engagement to external auditors and rely on their report  


Answer:




Section D: Difficulty level: Moderately difficult

Here are 40 original, exam-style CIA Part 1 MCQs focused on independence, objectivity, integrity, audit charter/mandate, internal audit mission, and efficiency, aligned with the 2025 syllabus and new Global Internal Audit Standards timing (Part 1: 125 Qs / 150 minutes ≈ 1.2 minutes per question).

Use about 1–1.5 minutes per question.


***

## A. Integrity (6 questions)

1) Time: 1.2 minutes  

An internal auditor discovers that a popular manager has bypassed a key control to meet a tight deadline, with no apparent loss. Senior management pressures the auditor to omit this from the report to “avoid demoralizing a strong performer.” Which action best demonstrates integrity?


A. Remove the issue from the report but keep personal notes  

B. Describe the issue factually in the report and stand by the professional judgment  

C. Mention the issue only verbally to the CAE and not document it  

D. Downgrade the issue to an informal comment in a private email  


Answer: 


2) Time: 1.2 minutes  

Which situation is the clearest violation of integrity?


A. An auditor politely questioning management assumptions  

B. An auditor signing off on workpapers known to be incomplete to meet a deadline  

C. An auditor escalating concerns about interference to the CAE  

D. An auditor asking a colleague for help on a complex issue  


Answer:   


3) Time: 1.2 minutes  

An auditor uncovers a minor illegal act that management has already stopped and remediated. No law requires disclosure to authorities, but concealing it in the report could mislead the board. What is the most appropriate action, consistent with integrity?


A. Omit it entirely because it is already corrected  

B. Report it to law enforcement without informing anyone internally  

C. Include it in the report with context on remediation and residual risk  

D. Tell the board informally but keep it out of official documentation  


Answer:   


4) Time: 1.0 minute  

Integrity in the new standards is BEST described as:


A. Performing work quickly and at the lowest cost  

B. Demonstrating honesty, courage, and legal/professional behavior  

C. Ensuring that no audit report ever contains negative findings  

D. Doing only what management explicitly requests  


Answer:   


5) Time: 1.2 minutes  

Which action best illustrates “courage” as part of integrity?


A. Avoiding conflicts with management by softening report language  

B. Agreeing to delay issuing a report indefinitely  

C. Challenging a powerful executive’s misleading statement in front of the audit committee  

D. Delegating all difficult conversations to junior staff  


Answer:  


6) Time: 1.0 minute  

An internal auditor realizes after issuing a report that a key piece of evidence was misinterpreted, leading to an overstated finding. What is the MOST appropriate action consistent with integrity?


A. Ignore it because the report is already issued  

B. Quietly adjust workpapers without informing anyone  

C. Promptly inform the CAE and, if needed, issue a corrected communication  

D. Wait until the next audit cycle to correct it  


Answer:   

***

## B. Independence & Objectivity (14 questions)

7) Time: 1.3 minutes  

The CAE reports functionally to the audit committee and administratively to the CFO. Which scenario most seriously threatens organizational independence?


A. The CFO reviews the CAE’s expense reports  

B. The CFO decides to cancel all audits of the treasury function  

C. The audit committee approves the annual audit plan  

D. The CAE attends executive committee meetings as an observer  


Answer:  


8) Time: 1.3 minutes  

An auditor previously designed key controls in a process six months ago and is now assigned to audit that same process. What is the best course of action?


A. Proceed with the engagement but disclose involvement in the final report  

B. Decline the engagement due to self-review threat to objectivity  

C. Only review controls that were not personally designed  

D. Proceed and rely on peer review to mitigate any issues  


Answer: 


9) Time: 1.2 minutes  

Which is the BEST example of a familiarity threat to objectivity?


A. The auditor lacks technical knowledge of IT controls  

B. The auditor is a close friend of the process owner being audited  

C. The auditor previously worked in another department  

D. The auditor is not certified but has many years of experience  


Answer:  


10) Time: 1.3 minutes  

The CEO requests that the CAE “tone down” criticism in a draft report before it goes to the audit committee. What should the CAE do to preserve independence and objectivity?


A. Accept all changes to preserve relationships  

B. Reject all changes and send the original draft without comment  

C. Consider valid factual clarifications but escalate undue pressure to the audit committee if needed  

D. Allow the CEO to write the executive summary while internal audit handles details  


Answer:   


11) Time: 1.1 minutes  

Which statement best distinguishes independence from objectivity?


A. Independence is personal; objectivity is organizational  

B. Independence is structural positioning; objectivity is individual mindset  

C. Independence is optional; objectivity is mandatory  

D. Independence and objectivity are identical concepts  


Answer: 


12) Time: 1.2 minutes  

Which action best preserves organizational independence in line with the new standards?


A. Having the CAE functionally report to the board/audit committee  

B. Having internal audit report solely to the CFO  

C. Requiring management approval for every engagement’s scope  

D. Allowing management to decide which findings are reported  


Answer:


13) Time: 1.1 minutes  

Which is the clearest example of a conflict of interest?


A. An auditor owns shares in a major supplier whose contracts are under review  

B. An auditor has a professional certification from the IIA  

C. An auditor previously worked in another company in the same industry  

D. An auditor attends training paid by the employer  


Answer: 


14) Time: 1.3 minutes  

Management insists internal audit use only interviews, not documents, when auditing a controversial project. How should the CAE respond?


A. Accept management’s request to avoid tension  

B. Cancel the engagement due to lack of cooperation  

C. Explain that limiting procedures may impair the reliability of conclusions and, if unresolved, escalate to the audit committee  

D. Continue as requested and note the limitation only in workpapers  


Answer:   


15) Time: 1.2 minutes  

An auditor is offered tickets to a major sporting event by a manager whose area is currently under review. The face value is modest, and the manager insists it is “a token of appreciation.” What is the MOST appropriate response?


A. Accept because it is modest and has no conditions  

B. Accept but disclose in the report  

C. Politely decline because it may be perceived as impairing objectivity  

D. Accept and share with the audit team  


Answer: 


16) Time: 1.2 minutes  

Which policy would BEST support maintaining individual objectivity for auditors rotating through operational roles?


A. Prohibiting any staff rotations between audit and operations  

B. Allowing auditors to audit functions they worked in the previous month  

C. Implementing a “cooling-off” period before auditors can audit areas they previously managed  

D. Allowing only junior staff to audit their former departments  


Answer: 


17) Time: 1.3 minutes  

An internal auditor is the only subject-matter expert available for a highly technical area and also recently helped management select a key system in that area. How can objectivity best be safeguarded?


A. Proceed as lead auditor without disclosure  

B. Decline all involvement in that area permanently  

C. Disclose the prior involvement, use an independent reviewer, and consider assigning another auditor as engagement lead  

D. Let management perform a self-assessment and accept their conclusions  


Answer: 


18) Time: 1.1 minutes  

Which of the following MOST directly threatens independence “from interference” as described in the new standards?


A. Limited training budget  

B. Restrictions on which stakeholders internal audit may communicate results to  

C. High staff turnover  

D. Remote working arrangements  


Answer: 


19) Time: 1.2 minutes  

The board requests that internal audit take over line management of the compliance department “for a year.” What is the BEST response?


A. Accept fully because it increases internal audit’s authority  

B. Accept but immediately outsource all assurance work  

C. Decline, explaining that managing compliance would compromise independence and future assurance  

D. Accept only if the CAE receives a higher title  


Answer: 


20) Time: 1.2 minutes  

An auditor consistently avoids reporting negative findings against a particular executive because of fear of retaliation. This behavior MOST directly violates:


A. Independence only  

B. Objectivity only  

C. Both integrity and objectivity  

D. Confidentiality only  


Answer:  


***

## C. Audit Charter & Mandate (8 questions)


21) Time: 1.1 minutes  

Which element is MOST essential in an internal audit charter under the Global Internal Audit Standards?


A. A list of all individual auditors and their credentials  

B. A detailed three-year audit schedule  

C. A statement of internal audit’s purpose, authority, and responsibility, including board-level oversight and access to records and personnel  

D. A separate ethics policy for internal audit only  


Answer:   


22) Time: 1.2 minutes  

The charter states that internal audit work must be approved by the CFO before starting any engagement. What is the BEST action?


A. Accept this as normal administrative oversight  

B. Recommend revising the charter so the audit committee approves the plan and internal audit can determine engagement scopes without management veto  

C. Request that only high-risk engagements need CFO approval  

D. Ignore the charter language and operate independently in practice  


Answer:   


23) Time: 1.2 minutes  

Which statement best describes an internal audit “mandate” as used in the new standards and CIA Part 1 syllabus?


A. The annual budget granted to internal audit  

B. The legally binding regulations internal audit must enforce  

C. The formal authority given to internal audit by the board, usually through the charter  

D. Informal expectations communicated verbally by management  


Answer:   


24) Time: 1.1 minutes  

Which provision would MOST clearly conflict with the principles of an effective audit charter?


A. Internal audit has unrestricted access to all records, personnel, and physical properties  

B. Internal audit is authorized to allocate its resources and determine work techniques  

C. Internal audit must obtain the COO’s written approval before issuing any report  

D. The CAE has direct access to the board or audit committee  


Answer:   


25) Time: 1.3 minutes  

The charter authorizes internal audit to “assist management in designing and implementing internal controls.” To align with the standards, how should the CAE interpret this clause?


A. As authorization to assume full responsibility for control design and implementation  

B. As allowing advisory and consulting input while management retains responsibility for controls  

C. As a requirement to approve every control change in the organization  

D. As limiting internal audit to only consulting work  


Answer:   


26) Time: 1.2 minutes  

Which party should formally approve the internal audit charter?


A. The CAE alone  

B. Senior management only  

C. The board or audit committee, after input from management and the CAE  

D. The external auditor  


Answer: 


27) Time: 1.1 minutes  

The charter is silent on internal audit’s right to communicate directly with regulators. Management insists all such communication must go through the legal department. What is the BEST first step for the CAE?


A. Ignore the restriction and contact regulators directly  

B. Request a charter revision clarifying internal audit’s right to communicate independently with the board and, where appropriate, external parties  

C. Accept the restriction as a normal legal safeguard  

D. Resign from the organization  


Answer:  


28) Time: 1.3 minutes  

Which statement best shows how the charter supports internal audit efficiency?


A. It limits the number of engagements per year  

B. It clearly defines scope, authority, and reporting lines, reducing ambiguity and rework  

C. It requires detailed approval signatures on each workpaper  

D. It mandates that all audits be unannounced  


Answer: 


***

## D. Internal Audit Mission & Core Principles (6 questions)


29) Time: 1.1 minutes  

The Mission of Internal Auditing focuses primarily on:


A. Maximizing internal audit revenue  

B. Enforcing staff discipline across the organization  

C. Enhancing and protecting organizational value by providing risk-based, objective assurance, advice, and insight  

D. Minimizing the number of audit findings  


Answer:  


30) Time: 1.2 minutes  

Which engagement best reflects being “insightful, proactive, and future-focused,” a core principle under the new standards?


A. Focusing only on historical compliance errors  

B. Identifying emerging regulatory changes and advising on their potential impact on strategy  

C. Repeating the same checklist annually without change  

D. Limiting work to verifying signatures on documents  


Answer:   


31) Time: 1.2 minutes  

Which activity would most likely undermine the Mission of Internal Auditing?


A. Aligning the audit plan with the organization’s key risks and objectives  

B. Focusing solely on low-risk, easy engagements to improve completion statistics  

C. Providing assurance on governance, risk management, and control  

D. Communicating results clearly to the board  


Answer:  


32) Time: 1.1 minutes  

Which statement best links the Mission with independence and objectivity?


A. The Mission can be achieved without independence if auditors are technically strong  

B. Independence and objectivity are optional if internal audit focuses on consulting  

C. Independence and objectivity are essential so that assurance and advice are trusted and value-adding  

D. The Mission requires independence but not objectivity  


Answer:


***

## E. Internal Audit Efficiency & Effectiveness (6 questions)


33) Time: 1.3 minutes  

Which action best improves internal audit efficiency without compromising quality?


A. Reducing documentation so findings cannot be challenged  

B. Applying risk-based sampling and focusing on key controls  

C. Eliminating planning to spend more time in fieldwork  

D. Performing the same procedures every year regardless of changes  


Answer:


34) Time: 1.2 minutes  

Which measure MOST directly reflects internal audit effectiveness rather than just efficiency?


A. Number of audit hours billed per year  

B. Percentage of plan completed on time  

C. Degree to which audit recommendations are implemented and reduce key risks  

D. Number of pages in each audit report  


Answer:  


35) Time: 1.3 minutes  

To optimize use of limited resources, which planning approach is MOST appropriate?


A. Equal audit hours for every department  

B. Focusing primarily on areas with the loudest complaints  

C. Using a risk-based plan approved by the board, updated as risks change  

D. Auditing departments alphabetically each year  


Answer:  


36) Time: 1.1 minutes  

Which practice would MOST likely reduce internal audit efficiency?


A. Using standardized workpaper templates  

B. Conducting joint planning meetings with management  

C. Re-performing all of management’s routine monitoring activities in detail  

D. Leveraging data analytics to focus testing  


Answer:


37) Time: 1.2 minutes  

How does a strong Quality Assurance and Improvement Program (QAIP) contribute to efficiency?


A. By eliminating the need for supervision  

B. By identifying process improvements and training needs that reduce rework and enhance consistency  

C. By increasing documentation requirements for every step  

D. By mandating external quality assessments every year  


Answer:  


38) Time: 1.2 minutes  

Which KPI would be LEAST useful for assessing internal audit efficiency?


A. Cycle time per engagement phase (planning, fieldwork, reporting)  

B. Percentage of automated tests versus manual tests  

C. Number of hours each auditor spends in training  

D. Ratio of completed engagements to planned engagements  


Answer:  


***

## F. Mixed Concepts – Scenario Practice (4 questions)


39) Time: 1.3 minutes  

The CAE is pressured by the COO to exclude a significant control failure from the report and is offered a performance bonus if the report is “balanced” in tone. Which combination of principles is MOST at risk if the CAE agrees?


A. Integrity, independence, and objectivity  

B. Confidentiality only  

C. Proficiency and due professional care only  

D. Mission and efficiency only  


Answer:


40) Time: 1.3 minutes  

An internal auditor is evaluating a new risk area with limited prior coverage. To align with the Mission and support efficiency, which sequence is BEST?


A. Perform extensive testing first, then identify objectives and risks  

B. Identify objectives, assess risks with stakeholders, design focused procedures, then test key controls  

C. Test every transaction in the area to be safe  

D. Ask management to prepare a report and rely on it without further work  


Answer: 


www.gmsisuccess.in