Questions for the IIA-IAP were updated on : Dec 01 ,2025
Which of the following conditions involving the chief audit executive (CAE) is most likely to impair
the independence of the internal audit activity?
C
Explanation:
Comprehensive and Detailed Step-by-Step Explanation:
Reporting to the Controller: Independence is compromised when the CAE reports to an operational
management role such as the controller, as this creates a conflict of interest and undermines
objectivity. The IIA Standards recommend that the CAE report functionally to the board and
administratively to the CEO to preserve independence.
Reference: IIA Standard 1110: Organizational Independence requires the CAE to have direct access to
the board to maintain independence.
Other Options:
Option A: Participating in executive management meetings does not impair independence and is
encouraged to provide insights and recommendations.
Option B: Having access to records, personnel, and properties is necessary for effective auditing and
does not impair independence.
Thus, the correct answer is C. The CAE reports directly to the controller for the organization, and the
internal audit activity resides in the office of the comptroller.
Which of the following statements is true regarding root cause analysis?
C
Explanation:
Comprehensive and Detailed Step-by-Step Explanation:
Root Cause Analysis: This method identifies underlying causes of issues rather than just addressing
symptoms, allowing internal auditors to recommend targeted improvements to controls and
processes. By identifying multiple causes, auditors can propose tailored control enhancements to
address each cause effectively.
Reference: IIA Practice Guide on Root Cause Analysis emphasizes its role in strengthening
governance, risk management, and controls by addressing underlying issues.
Other Options:
Option A: While accurate, this is a general description of the benefits of internal auditing, not specific
to root cause analysis.
Option B: Root cause analysis often requires subject matter expertise and careful analysis; it is not
always simple or straightforward.
Thus, the correct answer is C. Root cause analysis enables internal auditors to reveal multiple causes
and recommend control enhancements for each cause identified.
A senior internal auditor is using a risk and control matrix to facilitate an internal control assessment
of the fixed asset accounting process. Which of the following activities would aid the auditor in
determining inputs for the risk and control matrix?
B
Explanation:
Comprehensive and Detailed Step-by-Step Explanation:
Gathering Inputs for the Matrix: Interviews, walkthroughs, and questionnaires are primary tools for
gathering detailed insights into risks, controls, and processes. These activities provide the
information necessary to populate a risk and control matrix effectively.
Reference: IIA Practice Guide on Risk and Control Matrices highlights the importance of using
firsthand observations and management input to complete the matrix.
Other Options:
Option A: Results from control testing provide insights into control effectiveness but are not primary
sources for developing the matrix.
Option C: Cost-benefit analysis informs design decisions but does not directly provide matrix inputs.
Thus, the correct answer is B. Interviews with fixed asset management, control process
walkthroughs, and internal control questionnaires.
An internal auditor wants to establish the reasonableness of the current period’s total payroll costs
for the finance department. She divides the actual monthly payroll cost by the number of employees
to derive an average cost per employee. Which of the following comparisons to this average cost
would be considered trend analysis?
B
Explanation:
Comprehensive and Detailed Step-by-Step Explanation:
Trend Analysis: This involves comparing data across different periods to identify patterns,
fluctuations, or anomalies. Comparing the current average cost per employee to prior periods’ data
is a clear example of trend analysis.
Reference: IIA Practice Guide on Analytical Procedures highlights trend analysis as a key technique
for identifying inconsistencies over time.
Other Options:
Option A: The mean of actual salary amounts is a statistical calculation, not a trend analysis.
Option C: Comparing to another organization’s budget is benchmarking, not trend analysis.
Thus, the correct answer is B. Similar data for the department from two prior periods.
During a travel expense audit engagement, the internal auditor discovered that the accounts payable
staff spend a significant amount of time previewing expense reports before the reports are sent to
managers for review and approval. The total of all expense reports during a year represents less than
1% of the organization’s total budget. Which of the following best supports the auditor’s
recommendation to reduce the level of reviews?
B
Explanation:
Comprehensive and Detailed Step-by-Step Explanation:
Cost-Benefit Analysis: Controls should be cost-effective. Spending significant resources on a process
that accounts for less than 1% of the budget indicates that the cost of the control (extensive reviews)
outweighs the potential benefits.
Reference: IIA Standard 2100: Nature of Work states that internal audits should assist management
in improving the cost-effectiveness of operations.
Other Options:
Option A: While inherent risk is a factor, the primary justification here is the cost-benefit imbalance.
Option C: Duplication of effort is inefficient, but it does not directly address cost considerations.
Thus, the correct answer is B. The cost of the control outweighs the benefit.
Information collected and documented in audit workpapers should be sufficient to:
C
Explanation:
Comprehensive and Detailed Step-by-Step Explanation:
Sufficient Documentation: Audit workpapers must support observations, conclusions, and
recommendations made during the engagement and align with engagement objectives.
Reference: IIA Standard 2330: Documenting Information requires that information be sufficient,
reliable, relevant, and useful to achieve engagement objectives.
Other Options:
Option A: While following up on recommendations is important, workpapers primarily support
observations and conclusions, not the implementation of management actions.
Option B: Repeatability is important but secondary to aligning documentation with objectives.
Thus, the correct answer is C. Support engagement observations and be consistent with engagement
objectives.
A senior police officer was in charge of the cash fund used for undercover operations. In this
situation, which of the following would likely be considered a red flag?
B
Explanation:
Comprehensive and Detailed Step-by-Step Explanation:
Living Beyond Means: This is a classic red flag for potential fraud. It suggests that the officer may be
using unauthorized funds to support an extravagant lifestyle, particularly when they have access to a
cash fund with limited oversight.
Reference: IIA Practice Guide on Fraud Risk Management identifies lifestyle changes and living
beyond means as primary fraud indicators.
Other Options:
Option A: Lack of professional qualifications may affect competence but is not directly linked to
fraudulent behavior.
Option C: Silence about operations may reflect confidentiality requirements rather than misconduct.
Thus, the correct answer is B. The officer appears to be living beyond his means.
Management has decided that transactions less than $50 no longer require authorization. Which of
the following risk management strategies does this represent?
B
Explanation:
Comprehensive and Detailed Step-by-Step Explanation:
Risk Acceptance: By deciding that transactions below $50 do not require authorization, management
is consciously accepting the low-level risk associated with this decision to streamline processes and
reduce administrative burdens.
Reference: IIA Practice Guide on Risk Management explains that risk acceptance involves tolerating
risks that fall within the organization’s risk appetite.
Other Options:
Option A: Risk avoidance would involve eliminating the activity altogether, which is not the case
here.
Option C: Risk reduction would involve implementing controls to mitigate the risk, not eliminating
authorization requirements.
Thus, the correct answer is B. Accept.
Which of the following scenarios would be the strongest indicator of fraud in an accounts payable
process?
C
Explanation:
Comprehensive and Detailed Step-by-Step Explanation:
Address Matches an Employee’s Residence: This is a strong indicator of fraud, as it suggests the
possibility of a fictitious vendor created to divert funds to the employee.
Reference: IIA Practice Guide on Fraud Risk Management highlights vendor fraud as a common
scheme, often involving fake vendors with employee connections.
Other Options:
Option A: Missing documentation may indicate poor record-keeping but is not a strong indicator of
fraud on its own.
Option B: Delayed invoices might indicate inefficiencies, not fraud.
Thus, the correct answer is C. The address on one of the vendor invoices matches an employee’s
residential address.
Which of the following internal auditor attributes benefits the most from continuous professional
development?
C
Explanation:
Comprehensive and Detailed Step-by-Step Explanation:
Competency: Continuous professional development ensures auditors maintain and enhance their
knowledge, skills, and expertise, directly supporting their ability to perform engagements effectively.
Reference: IIA Standard 1230: Continuing Professional Development requires internal auditors to
engage in lifelong learning to maintain proficiency.
Other Options:
Option A: Integrity is a foundational ethical principle but is not developed through training or
professional development.
Option B: Objectivity is influenced by ethical behavior and independence, not primarily by training.
Thus, the correct answer is C. Competency.
What are the typical elements of a risk and control matrix used in the engagement planning process?
C
Explanation:
Comprehensive and Detailed Step-by-Step Explanation:
Risk and Control Matrix: A risk and control matrix links business objectives, the risks threatening
those objectives, and the likelihood and impact of the risks. It is used to prioritize areas for review
and identify necessary controls.
Reference: IIA Standard 2201: Planning Considerations encourages the use of tools like risk and
control matrices to align audit focus with organizational priorities.
Other Options:
Option A: While relevant factors for assessment, these do not represent the structure of a typical risk
and control matrix.
Option B: Inherent process risks are part of the matrix but need to be contextualized with objectives
and controls.
Thus, the correct answer is C. Business objectives, risks to the objectives, and impact and likelihood
of the risk occurring.
In a standard process mapping document, a diamond shape typically represents which of the
following?
B
Explanation:
Comprehensive and Detailed Step-by-Step Explanation:
Diamond Shape: In process mapping, a diamond typically represents a decision point where a choice
must be made based on conditions or criteria (e.g., "Yes" or "No").
Example: "Is the invoice valid?" If yes, the process continues to payment; if no, it is rejected.
Reference: IIA Practice Guide on Process Mapping emphasizes standard symbols such as diamonds
for decisions, rectangles for processes, and arrows for flow lines.
Other Options:
Option A: A process or operation is typically represented by a rectangle.
Option C: A flow line (arrow) indicates the direction of process flow, not a decision.
Thus, the correct answer is B. Decision.
Which of the following would best support the overall risk assessment?
B
Explanation:
Comprehensive and Detailed Step-by-Step Explanation:
Process Narratives and Maps: These provide a comprehensive view of the process, including
descriptions of risks and controls, making them the most relevant for supporting risk assessments.
They help identify gaps or weaknesses in the control environment.
Reference: IIA Practice Guide on Risk Assessments emphasizes using detailed process documentation
to evaluate risks and controls.
Other Options:
Option A: Policies and procedures provide general guidance but lack the specificity needed for risk
assessments.
Option C: Organizational charts are helpful for understanding roles but do not directly address risks
and controls.
Thus, the correct answer is B.
During an accounts payable audit engagement, the internal auditor identified a risk that vendor
invoices may be paid multiple times. Which of the following would be appropriate preventive
controls to mitigate this risk?
B
Explanation:
Comprehensive and Detailed Step-by-Step Explanation:
Preventive System Controls: Identifying duplicate invoice numbers and dates is a robust preventive
control, as it helps flag duplicate invoices before payment is processed.
Reference: IIA Practice Guide on Accounts Payable emphasizes leveraging automated controls to
mitigate duplicate payment risks.
Other Options:
Option A: Identical invoice amounts alone may not always indicate duplicates, as different invoices
can share the same amount.
Option C: Manual reconciliations are detective controls, not preventive ones.
Thus, the correct answer is B.
Which of the following tools would assist with the coordination of efforts between the internal audit
team and operational management?
C
Explanation:
Comprehensive and Detailed Step-by-Step Explanation:
Control Self-Assessment (CSA): This tool involves management and staff in evaluating controls and
risks, fostering collaboration between operational teams and internal audit. CSA supports shared
responsibility for risk management and control improvement.
Reference: IIA Practice Guide on Control Self-Assessment highlights its role in enhancing
communication and coordination.
Other Options:
Option A: Automated workpapers improve audit documentation but do not directly coordinate
efforts with management.
Option B: Continuous auditing focuses on ongoing monitoring rather than collaborative efforts with
management.
Thus, the correct answer is C.