Monday, April 27, 2026

Mocktest.fin reporting

 


Mocktest on financial reporting/Gmsisuccess

*20 Case-Based MCQs – US CMA Part 1: Financial Reporting*  

*Topics*: Purchase commitments, warranty, contingencies, impairment, FIFO/LIFO, depreciation, leases, off-BS financing, ratios, prior period, DTA/DTL, allowance, factoring, FOB, investments, consolidation, CF


---


*1. Purchase Commitment – Loss Recognition*


*Case*: On 12/15, GMSIsuccess LLP signed non-cancellable contract to buy 10,000 units @ ₹100. At 12/31, market price fell to ₹80. Inventory not yet received.  

*Q*: At 12/31, what should be reported under US GAAP?  

A. No entry until goods received  

B. *Dr. Loss on Purchase Commitment 200,000 Cr. Estimated Liability 200,000*  

C. Dr. Inventory 200,000  

D. Disclose only in notes  

*Answer: 

*Why*:


---


*2. Warranty Liability*


*Case*: GMSIsuccess sells laptops with 1-yr warranty. 2025 sales ₹50L. Past data: 3% units need repair costing 10% of sales price.  

*Q*: Warranty expense 2025?  

A. ₹0 until claims made  

B. *₹150,000*  

C. ₹500,000  

D. ₹15,000  

*Answer: 

*Why*:


---


*3. Loss Contingency*


*Case*: Lawsuit filed Dec 2025. Lawyers say “probable” loss of ₹8L-₹10L. No better estimate within range.  

*Q*: 12/31 accrual?  

A. ₹0, disclose only  

B. ₹10L  

C. *₹8L + disclose range*  

D. ₹9L average  

*Answer:

*Why*:


---


*4. Impairment Loss – PPE*


*Case*: Machine BV ₹10L. Undiscounted future CF ₹8L. Fair value ₹7L.  

*Q*: Impairment?  

A. No, BV < undiscounted CF  

B. *₹3L, write down to FV ₹7L*  

C. ₹2L  

D. Test not applicable  

*Answer:

*Why*:


---


*5. FIFO vs LIFO – Rising Prices*


*Case*: 2025: Units purchased Q1@₹10, Q4@₹14. Sold 1,000 units. 500 in inventory. Prices rising.  

*Q*: Which method gives higher net income?  

A. LIFO  

B. *FIFO*  

C. Weighted Avg  

D. Same  

*Answer:

*Why*: 


---


*6. Depreciation – SL vs DDB*


*Case*: Asset ₹10L, life 5yrs, no salvage. Year 1.  

*Q*: DDB vs SL difference in Year 1 expense?  

A. DDB ₹1L lower  

B. *DDB ₹2L higher*  

C. Same  

D. DDB ₹4L higher  

*Answer: 

*Why*:


---


*7. Finance Lease – ASC 842*


*Case*: GMSIsuccess leases copier 5 yrs. PV of payments = 95% of FV. Life 5yrs = 100% of asset life.  

*Q*: Classification?  

A. Operating lease  

B. *Finance lease*  

C. Short-term lease  

D. Not a lease  

*Answer:

*Why*:


---


*8. Off-Balance-Sheet Financing*


*Case*: LLP sells receivables with recourse, retains risk of default.  

*Q*: Proper treatment?  

A. *Record as secured borrowing, keep A/R on BS*  

B. Remove A/R, record loss  

C. Disclose only  

D. Record as equity  

*Answer:

*Why*: 


---


*9. Ratios – Solvency vs Liquidity*


*Case*: Current Ratio 2.5, Debt/Equity 3.0, Times Interest Earned 1.2  

*Q*: Main concern?  

A. Liquidity poor  

B. *Solvency risk – high leverage, low coverage*  

C. Profitability low  

D. No concern  

*Answer:

*Why*:


---


*10. Inventory Turnover*


*Case*: COGS ₹60L, Avg Inv ₹10L.  

*Q*: Inventory turnover? Days?  

A. 6 times, 60.8 days  

B. *6 times, 60.8 days*  

C. 0.17 times, 2147 days  

D. 10 times, 36.5 days  

*Answer:

*Why*:


---


*11. Prior Period Adjustment*


*Case*: 2026: Found 2024 depreciation understated ₹2L due to math error. Tax 25%.  

*Q*: 2026 FS presentation?  

A. 2026 expense ₹2L  

B. Disclose only  

C. *Restate 2024 RE down ₹1.5L net of tax, 2026 beg RE*  

D. Prior period error not corrected  

*Answer:

*Why*:


---


*12. Deferred Tax Liability*


*Case*: Tax depreciation ₹5L, Book depreciation ₹3L. Tax rate 30%.  

*Q*: Year-end DTL?  

A. DTA ₹60,000  

B. *DTL ₹60,000*  

C. No temp diff  

D. DTL ₹200,000  

*Answer:

*Why*:


---


*13. Allowance for Uncollectible*


*Case*: A/R ₹20L, 5% estimated uncollectible. Allowance Cr bal ₹20,000 before adj.  

*Q*: Bad Debt Expense?  

A. ₹80,000  

B. *₹80,000*  

C. ₹100,000  

D. ₹20,000  

*Answer:

*Why*:


---


*14. Factoring – Without Recourse*


*Case*: Factored ₹10L A/R without recourse. Fee 4%, retained 5% for returns.  

*Q*: Loss on sale?  

A. ₹0  

B. *₹400,000*  

C. ₹900,000  

D. ₹500,000  

*Answer:

*Why*:


---


*15. FOB Shipping Point vs Destination*


*Case*: 12/28 shipped FOB shipping point. Goods in transit 12/31.  

*Q*: Who reports inventory 12/31?  

A. Seller  

B. *Buyer*  

C. Neither  

D. Carrier  

*Answer:

*Why*: 


---


*16. Equity Method – Associate*


*Case*: GMSIsuccess owns 30% of XYZ. XYZ NI ₹10L, paid dividend ₹2L.  

*Q*: Investment increase?  

A. ₹0  

B. *₹2.4L*  

C. ₹3L  

D. ₹10L  

*Answer:

*Why*:


---


*17. Consolidation – Subsidiary*


*Case*: Parent owns 80% Sub. Sub NI ₹5L. NCI?  

*Q*: NCI share of NI on consolidated I/S?  

A. ₹5L  

B. *₹1L*  

C. ₹4L  

D. ₹0  

*Answer: 

*Why*:


---


*18. Elimination – Unrealized Profit in Inventory*


*Case*: Parent sold to Sub for ₹10L, cost ₹8L. 40% still in Sub inventory. Tax 25%.  

*Q*: Consolidation elimination?  

A. Dr. Sales 10L, Cr. COGS 8L, Cr. Inv 2L  

B. *Dr. Sales 10L, Cr. COGS 8.8L, Cr. Inventory 1.2L*  

C. No entry  

D. Dr. RE 2L  

*Answer:

*Why*: 


---


*19. Statement of Cash Flows – CFO*


*Case*: NI ₹5L, Depreciation ₹1L, A/R ↑ ₹2L, Inv ↓ ₹0.5L, A/P ↑ ₹1.5L.  

*Q*: CFO?  

A. ₹5L  

B. *₹6L*  

C. ₹4L  

D. ₹9L  

*Answer:

*Why*: 


---


*20. CFF – Cash Flow from Financing*


*Case*: Issued bonds ₹20L, paid dividends ₹3L, repaid loan ₹5L, bought treasury stock ₹2L.  

*Q*: Net CFF?  

A. *₹10L inflow*  

B. ₹12L inflow  

C. ₹20L inflow  

D. ₹15L outflow  

*Answer:

*Why*: 


---


*CMA Part 1 Tips*:  

1. *ASC 842 Leases*: 5 criteria for finance. Memorize.  

2. *Ratios*: Profitability = NI/Sales, Liquidity = CR/QR, Solvency = D/E, TIE.  

3. *CF*: CFO = NI + noncash +/- WC. CFF = debt/equity/div. CFI = capex/investments.  

4. *Temp Diff*: Tax > Book = DTL. Book > Tax = DTA.  


www.GMSIsuccess.in


CIA Part 1 mocktest comprehensive

 


CIA Part 1 mocktest comprehensive/Gmsisuccess

*CIA Part 1 case-based MCQs* covering Internal Audit Foundation, Charter, Ethics, IC, Governance, Risk, AIS, Fraud. Each has the IIA "trigger point" explanation.


*Topic 1: Audit Charter & Mandate*

*Case*: New CAE joins. Audit committee asks IA to perform due diligence on a merger target. Charter only mentions “assurance & consulting on risk, control, governance.” No mention of M&A. CFO says “IA must do it, you report to me.”  

*Q*: What should CAE do first?  

A. Accept engagement to maintain relationship with CFO  

B. Decline because M&A is outside IA scope  

C. Review charter with audit committee to confirm mandate and independence  

D. Accept if additional budget is provided  

*Answer: C*  

*Trigger*: *Audit charter = IA mandate*. Only audit committee can amend scope. Reporting to CFO creates independence threat. IIA Standard 1000.


---


*Topic 2: Internal Audit Effectiveness - Independence*

*Case*: IA department budget is approved by CFO. CAE’s bonus is 30% based on cost savings identified by IA. CFO can reassign CAE to other projects.  

*Q*: Which condition most impairs IA independence?  

A. Budget approved by CFO  

B. Bonus tied to findings  

C. CFO can reassign CAE  

D. All equally impair  

*Answer: B*  

*Trigger*: *Bonus tied to findings = self-interest threat*. Budget/reassignment are threats but common. Tying comp to audit results compromises objectivity per IIA 1120.


---


*Topic 3: Ethics - IIA Code*

*Case*: Internal auditor finds control gap in procurement. Vendor is auditor’s brother-in-law. Auditor discloses to CAE and recuses from audit. CAE assigns auditor to review vendor’s invoices anyway because “you know the process best.”  

*Q*: Which IIA Code principle is violated?  

A. Integrity  

B. Objectivity  

C. Confidentiality  

D. Competency  

*Answer: B*  

*Trigger*: *Objectivity = no conflict of interest*. Disclosure doesn’t cure conflict if auditor still works on engagement. Standard 1120.


*Topic 4: Internal Control - COSO Components*

*Case*: Company has code of conduct, whistleblower hotline, auth limits, and quarterly board review of IA reports. Cashier can approve & record & reconcile bank.  

*Q*: Which COSO component is deficient?  

A. Control Environment  

B. Control Activities  

C. Information & Communication  

D. Monitoring  

*Answer: B*  

*Trigger*: *Control Activities = SOD failure*. Other components exist but can’t overcome lack of SOD. Cashier has authorization + custody + recordkeeping.


---


*Topic 5: IC Limitations - Collusion*

*Case*: Warehouse requires 2 signatures to release goods >$10K. Investigation finds storekeeper + security guard colluded: one signs, other removes goods. Loss $200K.  

*Q*: What IC limitation is shown?  

A. Human error  

B. Management override  

C. Collusion  

D. Cost/benefit  

*Answer: C*  

*Trigger*: *Collusion* defeats SOD. IC provides _reasonable_, not absolute assurance. IIA Standard 2120.A1.


---


*Topic 6: Governance - 3 Lines Model*

*Case*: 1st line: Ops mgmt owns risks. 2nd line: Compliance writes policy. 3rd line: IA audits. CFO asks IA to design new AP control then audit it next quarter.  

*Q*: What governance principle is violated?  

A. First line accountability  

B. Second line independence  

C. Third line independence  

D. No violation if documented  

*Answer: C*  

*Trigger*: *3rd line can’t design + audit same control*. Impairs independence. IA can advise, not own/design. IIA Standard 1112.


---


*Topic 7: Risk Universe vs Risk Assessment*

*Case*: CAE presents audit plan. Board asks “How do you know you covered all key risks?” CAE shows risk universe with 200 risks from ERM, regulatory, strategic, ops. Plan covers 25 audits.  

*Q*: What links universe to plan?  

A. Risk Matrix  

B. Risk Assessment  

C. Heat Map  

D. Audit Charter  

*Answer: B*  

*Trigger*: *Risk Assessment* prioritizes universe → audit plan based on likelihood/impact. Universe = inventory. Assessment = prioritization. Standard 2010.


---


*Topic 8: Heat Map - Interpretation*

*Case*: Heat map shows Cyber Risk: Likelihood = 4/5, Impact = 5/5 = Red. Supply Chain Risk: L=2/5, I=5/5 = Yellow. Mgmt spends 80% of budget on supply chain.  

*Q*: What does heat map indicate about resource allocation?  

A. Aligned with risk  

B. Misaligned, cyber needs more resources  

C. Misaligned, supply chain over-funded  

D. B & C are correct  

*Answer: D*  

*Trigger*: *Red > Yellow* in heat map. Resources should follow risk rating. Cyber = high/high needs priority. Standard 2120.


---


*Topic 9: AIS - Application Controls*

*Case*: Payroll system: 1. Input rejects hours >24/day. 2. System calculates OT automatically. 3. Exception report for net pay variance >10% vs last month.  

*Q*: Which is a processing control?  

A. 1 only  

B. 2 only  

C. 3 only  

D. 1 & 3 only  

*Answer: B*  

*Trigger*: *Processing = automated calc*. Input = edit check. Output = exception report. CIA tests control categories.


---


*Topic 10: Fraud Risk - Fraud Triangle*

*Case*: AR clerk has gambling debt (pressure), can issue credit memos without approval (opportunity), believes “company owes me” (rationalization). $80K credit memos issued to fake customers.  

*Q*: Which element of fraud triangle is “can issue without approval”?  

A. Pressure  

B. Opportunity  

C. Rationalization  

D. Detection  

*Answer: B*  

*Trigger*: *Opportunity = weak IC*. IA focuses here because it’s the only element mgmt controls. Standard 2120.A2.


---


*Topic 11: Risk Logs vs Risk Register*

*Case*: During audit, PM says “We tracked that vendor delay risk in the project risk log and closed it.” IA finds no entry in ERM risk register. Risk reoccurred.  

*Q*: What control gap exists?  

A. No risk assessment  

B. No integration between project log & ERM register  

C. No heat map  

D. No risk appetite  

*Answer: B*  

*Trigger*: *Risk log = project level. Risk register = enterprise level*. Lack of escalation/integration = gap. CIA tests enterprise vs silo risk mgmt.


---


*Topic 12: Assurance vs Consulting - Nature of Work*

*Case*: Audit committee asks IA to: 1. Test if new vendor payments comply with policy. 2. Facilitate workshop to design better vendor onboarding.  

*Q*: Classify 1 & 2.  

A. Both assurance  

B. Both consulting  

C. 1=Assurance, 2=Consulting  

D. 1=Consulting, 2=Assurance  

*Answer: C*  

*Trigger*: *Assurance = independent assessment vs criteria*. *Consulting = advise/facilitate*, no mgmt decision. Standard 1000. C1 = audit, C2 = consulting.


---


*CIA Part 1 Trigger Points Summary*

| Topic | If you see... | Think... |
|---|---|---|
| **Charter** | “CFO told IA to…” | Check audit committee mandate |
| **Independence** | Bonus tied to findings | Self-interest threat |
| **Objectivity** | Related party + still on audit | Disclosure ≠ cure |
| **SOD** | 1 person does 2+ of Auth/Custody/Record | Control Activities fail |
| **3 Lines** | IA designs control it will audit | 3rd line violation |
| **Heat Map** | Red risk gets less budget than yellow | Misalignment |
| **Fraud Triangle** | “Can override, no approval” | Opportunity = IA’s focus |
| **Assurance vs Consulting** | “Test compliance” vs “help design” | Assessment vs Advice |

www.gmsisuccess.in

*Next 50 tricky CIA Part 1 MCQs* covering Internal Audit Foundation, Charter, Ethics, IC, Governance, Risk, AIS, Fraud. Each is case-based with the “trigger point” IMA/IIA loves to test.




---


*CIA Part 1 Tricky MCQs - Batch 1 of 5*


*Q1: Audit Charter - Approval Authority*  

*Case*: CAE drafts new audit charter expanding scope to include ESG audits. CEO approves and signs it. Audit committee not consulted.  

*Q*: Is the charter valid per IIA Standards?  

A. Yes, CEO is highest executive  

B. No, board/audit committee must approve charter  

C. Yes, if CAE agrees  

D. No, IIA must approve  

*Answer: B*  

*Trigger*: *Standard 1000 – Audit committee approves charter*. CEO approval alone violates IPPF. CEO can endorse, not approve.


*Q2: Mission of Internal Audit*  

*Case*: CAE tells staff: “Our mission is to find fraud and report to audit committee.” Charter says: “Enhance and protect organizational value by providing risk-based assurance, advice, insight.”  

*Q*: What is wrong with CAE’s statement?  

A. Nothing, fraud is key  

B. Mission excludes consulting  

C. Mission excludes objectivity  

D. Mission is too narrow vs IIA definition  

*Answer: D*  

*Trigger*: *IIA Mission = enhance & protect value*. Not just fraud. Includes assurance + advice + insight on governance, risk, control.


*Q3: Independence - Functional vs Administrative Reporting*  

*Case*: CAE reports functionally to CFO for pay/promotion and administratively to audit committee for audit plan.  

*Q*: What Standard is violated?  

A. 1100 – Independence  

B. 1110 – Organizational Independence  

C. 1120 – Objectivity  

D. 1130 – Impairments  

*Answer: B*  

*Trigger*: *Functional reporting must be to board/audit committee*. Administrative to senior mgmt ok. Reversed here = violation of 1110.


*Q4: Objectivity Impairment - Cooling Off*  

*Case*: New auditor transferred from AP dept last month. CAE assigns auditor to audit AP controls because “you know the area.”  

*Q*: What does IIA require?  

A. Ok if disclosed  

B. Prohibited for 1 year per 1130.A1  

C. Ok if supervised  

D. Prohibited forever  

*Answer: B*  

*Trigger*: *Standard 1130.A1 – 1-year cooling off* if auditor had responsibility for area in previous year. Objectivity impaired.


*Q5: Ethics - Confidentiality*  

*Case*: During lunch, IA shares with friend in Sales: “We’re auditing your bonus calc next month, better clean up those spreadsheets.”  

*Q*: Which Code principle violated?  

A. Integrity  

B. Objectivity  

C. Confidentiality  

D. Competency  

*Answer: C*  

*Trigger*: *Confidentiality = no tipping off auditee*. Also creates audit scope limitation. Integrity violated too, but primary is Confidentiality.


*Q6: COSO - 5 Components vs 17 Principles*  

*Case*: Co has: 1. Tone at top, 2. Risk assessment process, 3. Auth limits, 4. IT reports, 5. IA audits. Auditor says “We cover all 5 COSO components.”  

*Q*: Is this sufficient for COSO compliance?  

A. Yes, 5 components covered  

B. No, must cover 17 principles  

C. Yes, if documented  

D. No, need external audit  

*Answer: B*  

*Trigger*: *COSO 2013 = 5 components + 17 principles*. Having 1 control per component ≠ effective. All 17 principles must be present & functioning.


*Q7: IC Limitation - Management Override*  

*Case*: Policy: All wires >$50K need dual approval. CEO emails treasury: “Send $200K now, I’ll sign later. Board deal.” Treasury complies.  

*Q*: What IC limitation occurred? What should IA report?  

A. Collusion; recommend terminate treasury  

B. Management override; control design ok, operation failed  

C. Human error; need training  

D. No limitation, CEO has authority  

*Answer: B*  

*Trigger*: *Management override* beats even best design. IA reports override + recommends monitoring of exceptions. Not an IC design flaw.


*Q8: Governance - Accountability*  

*Case*: Board delegated risk oversight to audit committee. Audit committee delegated to CRO. CRO delegated to risk manager. Loss occurs. Who is accountable?  

*Q*: Per governance principles?  

A. Risk manager  

B. CRO  

C. Audit committee  

D. Board  

*Answer: D*  

*Trigger*: *Board retains ultimate accountability*. Delegation ≠ abdication. Others have responsibility. Board is accountable to stakeholders.


*Q9: Risk Universe - Completeness*  

*Case*: ERM risk universe built from finance + operations interviews only. Cyber breach occurs. Risk was not in universe. CAE says “Not IA’s fault, ERM owns universe.”  

*Q*: What is IA’s responsibility per Standard 2120?  

A. None, ERM owns universe  

B. Evaluate adequacy of risk mgmt process, including completeness  

C. Create risk universe  

D. Only audit risks in plan  

*Answer: B*  

*Trigger*: *2120 – IA must assess risk mgmt process effectiveness*, including if universe is complete. IA doesn’t own it but must assess it.


*Q10: Heat Map - Residual vs Inherent Risk*  

*Case*: Heat map shows “Cyber” as Yellow = Medium. Footnote: “After controls.” Inherent was Red. Mgmt says “We’re medium risk now.” Audit finds key control not operating.  

*Q*: What should heat map show?  

A. Keep as Yellow, controls designed  

B. Move to Red until controls tested effective  

C. Remove from map  

D. Show both inherent and residual  

*Answer: B*  

*Trigger*: *Residual risk = after effective controls*. If control failed, residual = inherent. Common CIA trap: mgmt assumes design = operating.


---


*Batch 2: Q11-20*


*Q11: Risk Log - Aging*  

*Case*: Project risk log: “Vendor bankruptcy” identified Day 1, probability Low. Day 90, vendor files Ch.11. Log still shows Low, no mitigation.  

*Q*: What risk process failed?  

A. Risk identification  

B. Risk assessment update  

C. Risk response  

D. Risk monitoring  

*Answer: B & D*  

*Trigger*: *Risk assessment must be dynamic*. Likelihood changed but not updated. Monitoring failed. IIA 2120.


*Q12: Control Application - Preventive vs Detective*  

*Case*: System auto-blocks invoice if PO > invoice tolerance 5%. Monthly report lists all overrides.  

*Q*: Classify each control.  

A. Both preventive  

B. Block = preventive, Report = detective  

C. Both detective  

D. Block = detective, Report = preventive  

*Answer: B*  

*Trigger*: *Preventive stops error before posting. Detective finds after*. Overrides still possible, so report is detective.


*Q13: AIS - IT General Controls vs Application Controls*  

*Case*: Finding: “Programmers have access to production to fix bugs faster.”  

*Q*: What type of control deficiency?  

A. Application control  

B. IT General Control - Program Change  

C. Input control  

D. No deficiency if logged  

*Answer: B*  

*Trigger*: *ITGC = environment controls*. Program change/SOD in IT is ITGC. Affects all applications. Access to prod = major ITGC fail.


*Q14: Fraud Risk - Pressures*  

*Case*: Sales team: 90% of comp is commission, quarter-end target missed 3x, VP says “No bonus unless we hit target, jobs at risk.”  

*Q*: What fraud risk factor is highest?  

A. Opportunity  

B. Rationalization  

C. Pressure/Incentive  

D. Capability  

*Answer: C*  

*Trigger*: *Fraud Triangle: Pressure = unrealistic targets + personal consequences*. IA should test revenue cut-off, side agreements.


*Q15: Fraud Risk Assessment - Standard 2120.A2*  

*Case*: Annual audit plan has no fraud-specific procedures. CAE says “External audit covers fraud, we focus on ops.”  

*Q*: Does this comply with IIA Standards?  

A. Yes, external audit has responsibility  

B. No, IA must evaluate fraud risk mgmt per 2120.A2  

C. Yes, if audit committee agrees  

D. No, IA must investigate fraud  

*Answer: B*  

*Trigger*: *2120.A2 – IA must evaluate potential for fraud and how org manages fraud risk*. Not optional.


*Q16: Data Analytics - Completeness Test*  

*Case*: IA gets AP data from ERP. Uses SUM of invoices to tie to G/L. Ties exactly. Concludes data complete.  

*Q*: What risk remains?  

A. None, tied to G/L  

B. Invoices outside ERP not captured  

C. Accuracy not tested  

D. Both B & C  

*Answer: D*  

*Trigger*: *Completeness ≠ tied to G/L*. G/L could be incomplete too. Also SUM tests completeness, not accuracy. Need hash totals, record counts from source.


*Q17: Assurance vs Consulting - Impairment*  

*Case*: IA facilitates control design workshop for new process. Next year, IA audits same process.  

*Q*: Is independence impaired?  

A. Yes, always  

B. No, if safeguards met per 1130.C1  

C. Yes, must wait 2 years  

D. No, consulting never impairs  

*Answer: B*  

*Trigger*: *1130.C1 – Can audit if: 1. Nature disclosed, 2. No mgmt decisions made by IA, 3. Different staff preferred*. Safeguards required.


*Q18: Internal Control - Manual vs Automated*  

*Case*: Control: “Clerk reviews all invoices >$5K for approval.” IA finds clerk reviews 2,000/month, 5 errors/month. IT offers auto 3-way match.  

*Q*: Why is automated better?  

A. Cheaper only  

B. More consistent, less human error  

C. Easier to override  

D. Not better, manual has judgment  

*Answer: B*  

*Trigger*: *Automated controls more reliable if ITGCs strong*. Manual = fatigue, sample risk. CIA tests preference for automated.


*Q19: Risk Appetite vs Tolerance*  

*Case*: Board: “We will not accept any cyber breach.” CISO: “We budget for 2 incidents/year <$100K each.”  

*Q*: Which statement is risk appetite vs tolerance?  

A. Board = tolerance, CISO = appetite  

B. Board = appetite, CISO = tolerance  

C. Both appetite  

D. Both tolerance  

*Answer: B*  

*Trigger*: *Appetite = broad statement of risk willing to take. Tolerance = specific metrics*. “Zero breach” = appetite. “2 @ <$100K” = tolerance.


*Q20: Ethics - Competency*  

*Case*: CAE assigns IT auditor to review complex derivative valuation. Auditor has no derivatives training but “will learn on job.”  

*Q*: What Code principle at risk?  

A. Integrity  

B. Objectivity  

C. Confidentiality  

D. Competency  

*Answer: D*  

*Trigger*: *Competency = possess knowledge/skills or decline engagement*. Standard 1210. Learning on job ok only if supervised + disclosed.


---

Here are *Q21-Q50: Next 30 tricky CIA Part 1 MCQs* with case, answer, trigger point.


---


*CIA Part 1 Tricky MCQs - Batch 3: Q21-30*


*Q21: Audit Evidence - Sufficiency vs Appropriateness*  

*Case*: Auditor tests 500 invoices, all from January, all under $100. Concludes “AP controls effective all year.”  

*Q*: What audit evidence problem exists?  

A. Not sufficient  

B. Not appropriate - not relevant/reliable  

C. Both A & B  

D. No problem, large sample  

*Answer: C*  

*Trigger*: *Sufficiency = quantity. Appropriateness = quality/relevance*. Jan + small $ not representative. Standard 2310.


*Q22: Sampling - Statistical vs Judgmental*  

*Case*: Population 10,000 items. Auditor haphazardly picks 50 “that look risky.” Finds 0 errors. Concludes “error rate <1%.”  

*Q*: Can auditor project to population?  

A. Yes, 0/50 = 0%  

B. No, judgmental sample can’t be projected statistically  

C. Yes, if approved by CAE  

D. No, sample too small  

*Answer: B*  

*Trigger*: *Statistical sampling requires random + known probability*. Judgmental = no projection. CIA tests this distinction.


*Q23: CAATs - Parallel Simulation*  

*Case*: IA re-performs AP 3-way match in IDEA using raw data. Results differ from production system.  

*Q*: What CAAT is this? What does difference indicate?  

A. Test data; program error  

B. Parallel simulation; production logic error or data issue  

C. Embedded audit module; fraud  

D. Integrated test facility; no issue  

*Answer: B*  

*Trigger*: *Parallel simulation = re-perform with audit software*. Difference = production not working as intended. Strong evidence.


*Q24: ERM - COSO ERM vs ISO 31000*  

*Case*: Risk mgr says “We follow ISO 31000 so we don’t need risk appetite statement.”  

*Q*: Is this correct?  

A. Yes, ISO 31000 prohibits appetite  

B. No, both frameworks require risk appetite/criteria  

C. Yes, only COSO ERM needs appetite  

D. No, ISO 31000 is not ERM framework  

*Answer: B*  

*Trigger*: *Both COSO ERM & ISO 31000 require risk criteria/appetite*. ISO uses “risk criteria”, COSO uses “risk appetite.” Same concept.


*Q25: COSO Principle 10 - Selects & Develops Control Activities*  

*Case*: Company has manual approvals for all transactions. No automated controls. Many errors.  

*Q*: Which COSO principle is deficient?  

A. Principle 6 – Specifies objectives  

B. Principle 10 – Selects control activities including automation  

C. Principle 12 – Deploys through policies  

D. Principle 16 – Performs evaluations  

*Answer: B*  

*Trigger*: *P10 requires mix of controls + consider automation*. Manual-only in high volume = deficient design. CIA tests 17 principles.


*Q26: ITGC - Logical Access - Least Privilege*  

*Case*: All accountants have SAP_ALL to “cover vacations.” IT says “We trust them.”  

*Q*: What ITGC principle violated? What’s the risk?  

A. Change mgmt; unauthorized changes  

B. Least privilege; broad fraud/error risk  

C. Backup; data loss  

D. Physical security; theft  

*Answer: B*  

*Trigger*: *Least privilege = minimum access to do job*. SAP_ALL = segregation of duties destroyed. Trust ≠ control.


*Q27: ITGC - Program Change Management*  

*Case*: Developer fixes bug directly in production on Friday night. Documents change Monday. No testing, no approval.  

*Q*: What controls failed?  

A. Physical security  

B. Change management - approval, testing, separation  

C. Backup  

D. Logical access  

*Answer: B*  

*Trigger*: *Change mgmt = approval + test + migrate + document + SOD*. Emergency changes still need post-implementation review. High-risk ITGC fail.


*Q28: Backup & Recovery - RTO vs RPO*  

*Case*: System crashes. Last backup 24h ago. Takes 6 hours to restore. Mgmt says “We can lose 1 day data, but must be up in 2 hours.”  

*Q*: Which metric failed? What is RTO vs RPO?  

A. RTO failed; RTO=2h, RPO=24h  

B. RPO failed; RTO=6h, RPO=1d  

C. Both failed; RTO=2h, RPO=0  

D. No failure, within tolerance  

*Answer: C*  

*Trigger*: *RTO = time to restore, target 2h, actual 6h = fail. RPO = data loss tolerance, target 0, actual 24h = fail*. CIA tests BCP terms.


*Q29: Fraud Scheme - Lapping*  

*Case*: AR clerk steals customer A check, covers with customer B check next day, covers B with C, etc. Month-end aging looks normal.  

*Q*: What detective control best finds lapping?  

A. Bank reconciliation  

B. Review AR aging by customer, compare to deposits  

C. Confirm receivables  

D. Both B & C  

*Answer: D*  

*Trigger*: *Lapping = theft covered by next receipt*. Aging alone won’t catch if constantly rolling. Need deposit detail match + confirms.


*Q30: Whistleblower - Anti-Retaliation*  

*Case*: Employee reports VP fraud via hotline. Next week employee gets poor review + demoted. HR says “Unrelated performance.”  

*Q*: What governance risk exists? What should IA do?  

A. No risk if HR documented  

B. Retaliation risk, chills future reporting; IA should test hotline process  

C. Only legal issue, not IA  

D. Retaliation ok if fraud unproven  

*Answer: B*  

*Trigger*: *Retaliation destroys hotline effectiveness*. IA assesses governance/ethics program per 2110. Report weakness even if HR claims unrelated.


---


*Batch 4: Q31-40*


*Q31: Audit Reporting - Condition, Criteria, Cause, Effect, Recommendation*  

*Case*: Finding: “3 invoices paid twice, $15K. Should not happen. Fix it.”  

*Q*: What elements missing per Standard 2410?  

A. Criteria, Cause  

B. Cause, Effect, Recommendation  

C. Criteria, Cause, Effect  

D. All 5Cs present  

*Answer: C*  

*Trigger*: *5Cs required*. Missing: Criteria = policy says no duplicate pay. Cause = why happened? Effect = $15K loss + risk. “Fix it” not specific recommendation.


*Q32: Follow-up - Standard 2500*  

*Case*: IA issued 10 findings. Mgmt agreed to all, due dates passed. IA has not followed up 6 months later. New audit starts.  

*Q*: What Standard violated?  

A. 2400 – Communicating Results  

B. 2500 – Monitoring Progress  

C. 2600 – Communicating Risk Acceptance  

D. None, mgmt owns remediation  

*Answer: B*  

*Trigger*: *2500 – CAE must establish follow-up process*. IA can’t ignore open findings. Mgmt owns fix, IA owns follow-up.


*Q33: QAIP - Internal vs External Assessment*  

*Case*: QAIP includes annual self-assessment by CAE. No external assessment in 7 years. CAE says “Self-assessment is enough.”  

*Q*: Does this comply with Standard 1312?  

A. Yes, self-assessment meets QAIP  

B. No, external assessment required every 5 years  

C. Yes, if audit committee approves  

D. No, external needed every 3 years  

*Answer: B*  

*Trigger*: *1312 – External assessment at least once every 5 years*. Internal ongoing + periodic not enough.


*Q34: Risk Assessment - Inherent vs Control vs Detection Risk*  

*Case*: Audit plan prioritizes areas with weak controls. Board asks “Why not audit high inherent risk areas with strong controls?”  

*Q*: Best response?  

A. Strong controls mean low audit risk, skip  

B. High inherent risk + strong controls = still test due to detection risk + control could fail  

C. Agree, remove from plan  

D. Audit only fraud risks  

*Answer: B*  

*Trigger*: *Audit Risk = Inherent × Control × Detection*. Strong controls lower control risk, but inherent risk still high + controls may fail. Can’t ignore.


*Q35: Consulting Engagement - Objectivity Safeguards*  

*Case*: IA facilitates risk workshop, recommends specific control. Mgmt implements. 2 years later IA audits it.  

*Q*: Is objectivity impaired?  

A. Yes, always if IA recommended  

B. No, if >12 months passed + disclosed + no mgmt decision made by IA  

C. Yes, need 3 years  

D. No, consulting never impairs  

*Answer: B*  

*Trigger*: *1130.A2 – Impairment if audit within 1 year or if IA made mgmt decisions*. After 12 mo + safeguards = ok. Disclose prior involvement.


*Q36: COSO Principle 13 - Uses Relevant Information*  

*Case*: Mgmt decisions based on Excel with manual data entry, no validation, 10 tabs linked. Errors frequent.  

*Q*: Which principle deficient?  

A. P11 – Selects general IT controls  

B. P13 – Uses relevant, quality information  

C. P14 – Communicates internally  

D. P17 – Evaluates & communicates deficiencies  

*Answer: B*  

*Trigger*: *P13 = info must have quality: complete, accurate, timely*. Spreadsheet hell = quality fail. Drives bad decisions.


*Q37: Fraud Triangle - Rationalization*  

*Case*: Employee steals inventory. Says “Company is insured, no one gets hurt. They underpay me anyway.”  

*Q*: Which element? Why can IA least control this?  

A. Pressure; IA can’t control personal debt  

B. Opportunity; IA can’t control org structure  

C. Rationalization; IA can’t control personal ethics  

D. Capability; IA can’t control skills  

*Answer: C*  

*Trigger*: *IA can influence Opportunity via controls*. Can’t control Pressure or Rationalization directly. Focus on opportunity.


*Q38: AIS - Input Controls - Field Check*  

*Case*: Date field accepts “2026-02-30”.  

*Q*: What input control failed?  

A. Existence check  

B. Reasonableness check  

C. Validity check  

D. Format check  

*Answer: C*  

*Trigger*: *Validity check = valid calendar date*. Feb 30 invalid. Format check would pass if format correct. Existence = field not blank.


*Q39: Governance - Board Committees*  

*Case*: Company has no audit committee. Board has 5 members: CEO, CFO, COO, Sales VP, HR VP. CAE reports to CFO.  

*Q*: What governance deficiency exists?  

A. No deficiency if board active  

B. No independent directors, no audit committee = independence impaired  

C. CAE should report to CEO  

D. Need more board members  

*Answer: B*  

*Trigger*: *Best practice = audit committee of independent directors*. All executives = no independence. CAE reporting compromised.


*Q40: Risk Matrix - Qualitative vs Quantitative*  

*Case*: Risk matrix: Impact = “High, Med, Low”. One manager says “My project loss is $10M, that’s High.” Another: “My $10M loss is Medium, we’re bigger.”  

*Q*: What’s the problem with matrix?  

A. No problem, judgment ok  

B. Lack of quantitative criteria/definition  

C. Should use colors only  

D. Should use numbers 1-5 only  

*Answer: B*  

*Trigger*: *Qualitative scales need definitions*. $10M High for one, Medium for another = inconsistent. Need $ criteria per level.


---


*Batch 5: Q41-50*


*Q41: Control Self-Assessment CSA*  

*Case*: IA facilitates workshop where mgmt identifies risks & controls. Mgmt signs off “controls effective.” IA issues audit report “controls effective” without testing.  

*Q*: Is this acceptable per Standards?  

A. Yes, CSA is sufficient evidence  

B. No, CSA ≠ audit evidence, must test  

C. Yes, if mgmt competent  

D. No, CSA prohibited  

*Answer: B*  

*Trigger*: *CSA = control technique, not audit evidence*. IA can use CSA, but assurance requires independent testing. Standard 2310.


*Q42: Embedded Audit Module*  

*Case*: IT installs code in ERP to flag >$100K invoices to log file for IA. Runs continuously.  

*Q*: What CAAT is this? Benefit?  

A. Parallel simulation; point-in-time  

B. Embedded audit module/EAM; continuous monitoring  

C. Test data; design test  

D. ITF; periodic  

*Answer: B*  

*Trigger*: *EAM = code in live system, continuous*. Allows real-time exception monitoring vs periodic audit.


*Q43: Fraud - Kiting*  

*Case*: Company transfers $100K from Bank A to Bank B on Dec 31, records deposit in B but not withdrawal in A until Jan 2. Cash overstated $100K at year-end.  

*Q*: What fraud scheme? Best detection?  

A. Lapping; AR aging  

B. Kiting; bank transfer schedule + cutoff bank statements  

C. Channel stuffing; sales cut-off  

D. Bill & hold; inventory count  

*Answer: B*  

*Trigger*: *Kiting = exploiting float between banks*. Detect via bank transfer schedule + cutoff statements showing both sides.


*Q44: COSO Principle 8 - Considers Fraud Risk*  

*Case*: Risk assessment covers ops, compliance, reporting risks. No fraud risks listed. Mgmt says “External audit covers fraud.”  

*Q*: What COSO principle gap?  

A. P6 – Specifies objectives  

B. P7 – Identifies risks  

C. P8 – Considers potential for fraud  

D. P9 – Identifies changes  

*Answer: C*  

*Trigger*: *P8 specifically requires fraud risk assessment*. Can’t delegate to external audit. Mgmt owns fraud risk.


*Q45: Ethics - Competency - Due Professional Care*  

*Case*: Auditor tests 5 items, standard says 25. Concludes “no issues.” Working papers show no sampling rationale.  

*Q*: What violated?  

A. Integrity  

B. Objectivity  

C. Confidentiality  

D. Competency & Due Professional Care 1220  

*Answer: D*  

*Trigger*: *1220 – Due professional care = adequate planning, supervision, evidence*. 5 vs 25 without rationale fails.


*Q46: Risk Appetite - Zero Tolerance*  

*Case*: Policy: “Zero tolerance for safety incidents.” Plant has 2 minor injuries, no lost time. VP not reported to board per policy.  

*Q*: What issue with “zero tolerance” statement?  

A. None, good tone  

B. Unrealistic, causes non-reporting  

C. Should say “low tolerance”  

D. B & C  

*Answer: D*  

*Trigger*: *“Zero tolerance” often backfires*. Creates hiding. Better: “Low appetite, all incidents reported, investigated.” Risk appetite must be achievable.


*Q47: AIS - Output Controls*  

*Case*: Payroll report distributed to all managers shows employee SSNs and pay rates.  

*Q*: What control failed?  

A. Input control  

B. Processing control  

C. Output control - distribution/security  

D. ITGC - change mgmt  

*Answer: C*  

*Trigger*: *Output controls = distribution, privacy, retention*. SSNs = PII breach. Need report security, masking, limited distribution.


*Q48: Governance - Whistleblower Hotline Ownership*  

*Case*: Hotline administered by HR. HR investigates all complaints including HR fraud. Reports to CEO.  

*Q*: What governance best practice violated?  

A. None, HR owns people issues  

B. Hotline should be independent, not investigated by subject of complaint  

C. Should report to audit committee, not CEO  

D. Both B & C  

*Answer: D*  

*Trigger*: *Best practice: Hotline independent, e.g., 3rd party or IA. Results to audit committee*. HR can’t investigate itself.


*Q49: Internal Control - Compensating Control*  

*Case*: SOD not possible in small branch: 1 person does all cash. Mgmt installs camera + daily remote review of tape + surprise counts.  

*Q*: What type of control is this?  

A. Preventive  

B. Detective  

C. Compensating  

D. Corrective  

*Answer: C*  

*Trigger*: *Compensating control = reduces risk when ideal SOD not feasible*. Camera + review compensates for SOD lack. Usually detective.


*Q50: Audit Charter - Access to Records*  

*Case*: Auditee refuses IA access to legal files: “Attorney-client privilege, charter doesn’t override law.”  

*Q*: Is auditee correct? What should CAE do?  

A. Auditee correct, drop request  

B. Charter grants access, but privilege may limit; escalate to audit committee + legal  

C. CAE can force access  

D. Subpoena records  

*Answer: B*  

*Trigger*: *Charter gives broad access, but legal privilege may trump*. CAE must escalate limitation of scope per 1130.A2 to audit committee. Don’t ignore.


www.gmsisuccess.in



Case-based MCQ questions with answers on ethics and professionalism



Here are *20 Case-Based MCQs with Answers – CIA Part 1 Domain I: Foundations of Internal Auditing*  

*Coverage*: Integrity, Objectivity, Independence, Proficiency, Due Professional Care, QAIP, Audit Charter, Audit Mandate  

*Based on*: IIA Code of Ethics + Attribute Standards 1000-1322 + Implementation Guides


*Code of Ethics: Integrity, Objectivity*


*Case 1*:  

Internal auditor Priya found that her cousin owns 40% of a vendor being audited. She did not disclose this to the CAE and completed the audit. The vendor later got the contract renewed.  

*Q*: Which principle/rule did Priya violate?  

A. Integrity – Rule 1.1 Diligence  

B. *Objectivity – Rule 2.1 Shall not participate if conflict*  

C. Confidentiality – Rule 3.1  

D. Competency – Rule 4.1  

*Answer: B*  

*Why*: Rule 2.1: Objectivity – Must not participate when personal/family interest exists. Also violates Standard 1120.


*Case 2*:  

CAE was pressured by CEO to delete a finding on inventory fraud because “IPO is next month”. CAE agreed to keep it in workpapers but remove from final report.  

*Q*: Violation of:  

A. Standard 1130 Impairment  

B. *Rule 2.3 Objectivity – Shall not subordinate judgment*  

C. Standard 2400 Communicating Results  

D. Standard 2060 Reporting to Board  

*Answer: B*  

*Why*: Rule 2.3: Objectivity – Subordination of judgment to others. Also breaches Integrity Rule 1.1 and 2440.


*Case 3*:  

Auditor Raj accepted IPL tickets worth ₹15,000 from auditee after issuing “Satisfactory” rating. Company policy allows gifts <₹1,000.  

*Q*: Which Code principle is breached?  

A. Confidentiality  

B. *Integrity*  

C. Competency  

D. Objectivity  

*Answer: B*  

*Why*: *Integrity Rule 1.2*: Shall not accept anything that may impair professional judgment. Also impairs objectivity.


---


*Independence & Objectivity: Standards 1100-1130*


*Case 4*:  

New CAE reports functionally to CFO and administratively to CEO. CFO approves CAE’s salary, bonus, and can terminate CAE. Audit Committee only gets final reports.  

*Q*: Which Standard is violated?  

A. 1111 Direct Interaction  

B. *1110 Organizational Independence*  

C. 1130 Impairment  

D. 1000 Charter  

*Answer: B*  

*Why*: *1110*: CAE must report functionally to Board/Audit Committee. Functional = approves charter, risk assessment, budget, compensation, removal. CFO control = impairment.


*Case 5*:  

Staff auditor was Accounts Payable Manager until 8 months ago. CAE assigns her to audit AP cycle to meet deadline.  

*Q*: Status per Standard 1130.A1?  

A. Allowed if disclosed in report  

B. Allowed after 6 months cooling off  

C. *Objectivity presumed impaired – must disclose or reassign*  

D. No impairment if she didn’t approve vendors  

*Answer: C*  

*Why*: *1130.A1*: Objectivity presumed impaired if auditor audits activity where they had responsibility within previous year. Must apply safeguards.


*Case 6*:  

CAE provides consulting on control design for new ERP. Later, CAE assigns different audit team to audit ERP controls.  

*Q*: Is independence impaired per 1130.C1?  

A. Yes, always impaired for 12 months  

B. Yes, CAE cannot consult + audit same area  

C. *No, if safeguards applied – different staff, mgmt accepts risk*  

D. No, consulting never impairs independence  

*Answer: C*  

*Why*: *1130.C1*: Prior consulting doesn’t impair objectivity if safeguards: separate team, mgmt owns controls, disclosure.


---


*Proficiency & Due Professional Care: 1200*


*Case 7*:  

CAE assigned cybersecurity audit to auditor with no IT training because “he’s smart and will learn”. Auditor missed key firewall gaps.  

*Q*: Standard violated?  

A. 1130 Impairment  

B. *1210 Proficiency*  

C. 1220 Due Professional Care  

D. 1230 CPE  

*Answer: B*  

*Why*: *1210*: Auditors must possess knowledge, skills, competencies needed. CAE responsible per 1210.A1. Due care 1220 also failed, but root cause = proficiency.


*Case 8*:  

To meet Board deadline, audit team skipped testing of 60% of key controls and relied on prior year workpapers without updating for new risks.  

*Q*: Primary violation?  

A. 1210 Proficiency  

B. *1220 Due Professional Care*  

C. 2310 Identifying Information  

D. 2340 Engagement Supervision  

*Answer: B*  

*Why*: *1220.A1*: Due care = consider adequacy of audit procedures, probability of fraud. *1220.A2*: Alert to significant risks. Skipping = lack of care.


*Case 9*:  

CAE has 15 auditors. None completed 40 CPE hours last year due to budget cuts.  

*Q*: Violation?  

A. 1210 Proficiency  

B. 1220 Due Professional Care  

C. *1230 Continuing Professional Development*  

D. 1311 Internal Assessments  

*Answer: C*  

*Why*: *1230*: Internal auditors must enhance knowledge/skills through 40 hrs CPE annually. CAE must ensure.


---


*QAIP: Standards 1300-1322*


*Case 10*:  

Internal audit dept has no documented quality program. CAE says “we do good work, no need for formal QAIP”.  

*Q*: Standard violated?  

A. 1310 Requirements  

B. *1300 Quality Assurance and Improvement Program*  

C. 1320 Reporting  

D. 1312 External Assessment  

*Answer: B*  

*Why*: *1300*: CAE _must_ develop/maintain QAIP covering all aspects of IA activity. Not optional.


*Case 11*:  

Last external quality assessment was 6 years ago. CAE still reports “Generally Conforms” to Board.  

*Q*: Violation?  

A. 1311 Internal Assessments  

B. *1312 External Assessments + 1321 Use of Conforms*  

C. 1300 QAIP  

D. 2430 Disclosure of Nonconformance  

*Answer: B*  

*Why*: *1312*: External assessment at least once every 5 years. *1321*: May only use “conforms” if supported by QAIP incl EQA within 5 years.


*Case 12*:  

External QA done by senior manager from another division of same company, independent of IA.  

*Q*: Valid per 1312?  

A. Yes, if AC approves  

B. Yes, if not reporting to CAE  

C. *No, must be independent team from _outside_ organization*  

D. No, must be IIA only  

*Answer: C*  

*Why*: *1312*: External assessments by qualified, _independent_ reviewer/team from _outside the organization_. IG 1312.


*Case 13*:  

Internal assessment found nonconformance with Standard 1220. CAE reports “Generally Conforms” anyway to avoid budget cut.  

*Q*: Violation?  

A. 1311 Internal Assessments  

B. 1320 Reporting on QAIP  

C. *1321 Use of “Conforms” + Integrity*  

D. 2060 Reporting to Board  

*Answer: C*  

*Why*: *1321*: Must disclose nonconformance and impact. Integrity Rule 1.1: Honesty also breached.


---


*Audit Charter & Audit Mandate: 1000-1010*


*Case 14*:  

Audit charter was approved by CFO only. It defines purpose/authority but Board never saw it.  

*Q*: Standard violated?  

A. 1010 Recognizing Mandatory Guidance  

B. 1100 Independence  

C. *1000 Purpose, Authority, and Responsibility*  

D. 1110 Organizational Independence  

*Answer: C*  

*Why*: *1000*: Charter must be approved by senior mgmt _and_ Board. Defines mandate, authority, scope.


*Case 15*:  

Charter is silent on internal audit’s right to access all records. CFO now denies access to HR payroll citing “privacy”.  

*Q*: Issue?  

A. No issue, HR data is private  

B. *Charter must define unrestricted access per 1000.A1*  

C. 1130 Impairment  

D. 1210 Proficiency  

*Answer: B*  

*Why*: *1000.A1*: Charter must establish unrestricted access to records, personnel, property. This is the “audit mandate”.


*Case 16*:  

Board asks IA to only do SOX testing. CAE agrees and removes risk-based audits from plan. Charter allows full scope.  

*Q*: What should CAE do per Standards?  

A. Comply, Board sets scope  

B. *Discuss with Board per 2010: risk-based plan required*  

C. Refuse and resign  

D. Do SOX but report impairment  

*Answer: B*  

*Why*: *2010*: CAE must establish risk-based plan. *1000*: Charter gives mandate for full scope. CAE must communicate impact of scope limitation per 2060.


*Case 17*:  

CAE wants to add cybersecurity consulting. Current charter only covers assurance.  

*Q*: Required action?  

A. Start consulting, update charter later  

B. Get CFO approval only  

C. *Update charter to define consulting per 1000.C1, get Board approval*  

D. Cannot do consulting  

*Answer: C*  

*Why*: *1000.C1*: Nature of consulting services must be defined in charter approved by Board.


---


*Mixed Application*


*Case 18*:  

Auditor posts on LinkedIn: “Auditing XYZ Corp – their controls are a joke” before report issued.  

*Q*: Violations?  

A. Objectivity Rule 2.1  

B. *Confidentiality Rule 3.1 + 2440 Disseminating Results*  

C. Integrity Rule 1.2  

D. Competency Rule 4.1  

*Answer: B*  

*Why*: *Rule 3.1 Confidentiality*: Shall not disclose info without authority. *2440*: Communicate only after final report.


*Case 19*:  

CAE does not inform Board that 40% budget cut will prevent completion of annual plan.  

*Q*: Standard violated?  

A. 2020 Communication of Plan  

B. 2030 Resource Management  

C. *2060 Reporting to Senior Management and Board*  

D. 1110 Independence  

*Answer: C*  

*Why*: *2060*: CAE must report impact of resource limitations to Board. Relates to mandate to fulfill charter.


*Case 20*:  

Internal audit reports to CEO administratively and meets Audit Committee quarterly. Charter approved by Board. CAE sets own budget.  

*Q*: Does this meet 1110?  

A. *Yes, meets 1110 if Board approves budget, charter, removal*  

B. No, must report functionally to CEO  

C. No, admin must be to Board  

D. Yes, but only if AC meets monthly  

*Answer: A*  

*Why*: *1110*: Functional reporting to Board = Board approves charter, risk plan, budget, CAE compensation/removal. Admin to CEO is allowed. Quarterly AC meets 1111.


---


*Exam Tips for CIA Part 1*:  

1. *Independence = 1110*: Functional to Board, not CFO.  

2. *1130*: 1-year cooling off. Consulting ok with safeguards.  

3. *1220*: Due care = alert to fraud, cost vs benefit.  

4. *1312*: External QA = 5 years, outside org.  

5. *1000*: Charter = mandate. Must have Board approval + unrestricted access.