
IIA CIA Part 2 Practice Test

Try 12 original The Institute of Internal Auditors Certified Internal Auditor (IIA CIA) Part 2 sample questions on engagement planning, fieldwork, evidence, sampling, communication, reporting, monitoring, and audit documentation, then use the Notify me form if this is the Finance Prep route you want next.

Certified Internal Auditor (CIA) Part 2 focuses on internal audit practice: engagement planning, fieldwork, evidence, sampling, communication, reporting, and monitoring.

Use these 12 original sample questions for initial self-assessment. They are not official IIA questions and do not reproduce a live exam; they are designed to preview engagement planning, evidence, fieldwork, communication, and follow-up judgment before you choose whether this Finance Prep route is the one you want next.

We only publish independently written practice questions, not real, leaked, copied, or recalled exam questions.

What CIA Part 2 practice should test

  • planning engagements based on risk, scope, objectives, resources, and evidence needs
  • choosing fieldwork procedures, sampling approaches, and documentation standards
  • distinguishing finding, cause, effect, recommendation, and management action
  • communicating audit results without overstating evidence or ownership

Sample Exam Questions

Use these questions to test the practical engagement decisions behind CIA Part 2: planning, evidence sufficiency, sampling, finding structure, report wording, and follow-up.

Question 1

Topic: engagement objectives

An internal audit engagement begins with a broad request to “review procurement.” What should the auditor define before fieldwork?

  • A. Final report ratings before testing
  • B. Every vendor’s future pricing
  • C. Management’s preferred conclusion
  • D. Engagement objectives, scope, risks, criteria, and planned procedures

Best answer: D

Explanation: Engagement planning should clarify what the audit is trying to achieve, which risks and processes are in scope, what criteria apply, and what procedures will provide evidence.


Question 2

Topic: evidence sufficiency

Management states that all high-value purchases are approved, but the auditor reviews only one example. What is the main concern?

  • A. Oral management statements are always stronger than documents
  • B. One example may not provide sufficient evidence for a broad conclusion
  • C. Approvals are irrelevant to procurement risk
  • D. The auditor should issue the report immediately

Best answer: B

Explanation: Evidence must be sufficient, reliable, relevant, and useful. One example may support process understanding but not a broad conclusion about all high-value purchases.


Question 3

Topic: sampling

An auditor wants to estimate the rate of missing approvals in a population of invoices. What sampling approach is most appropriate?

  • A. Ignoring the population size
  • B. Selecting only the easiest invoices
  • C. Interviewing one employee and doing no testing
  • D. Attribute sampling focused on approval presence or absence

Best answer: D

Explanation: Attribute sampling tests whether a control attribute exists, such as required approval. The auditor should define the population, attribute, confidence, tolerable deviation, and sample approach.


Question 4

Topic: root cause

Testing shows repeated late reconciliations. Management says staff were busy. What should the auditor do before finalizing the finding?

  • A. Accept “busy staff” as the full root cause without further analysis
  • B. Remove the finding because lateness is common
  • C. Investigate whether workload, training, system design, accountability, or monitoring caused the delays
  • D. Recommend hiring more staff without evidence

Best answer: C

Explanation: Root-cause analysis should go beyond a surface explanation. The recommendation should address the real cause, not just the visible symptom.


Question 5

Topic: finding structure

Which set best reflects a complete audit finding?

  • A. Criteria, condition, cause, effect, and recommendation
  • B. Opinion, slogan, and preferred vendor
  • C. Budget, sales forecast, and share price
  • D. Background only

Best answer: A

Explanation: A well-structured finding explains what should be happening, what is happening, why, why it matters, and what should be done. This helps management act on the issue.


Question 6

Topic: workpaper documentation

Why should workpapers clearly link procedures, evidence, and conclusions?

  • A. To make the report longer
  • B. To replace supervision
  • C. To hide unresolved exceptions
  • D. To let reviewers understand the basis for the audit conclusion

Best answer: D

Explanation: Workpapers should support conclusions and allow supervision, review, and quality assurance. They should document the work performed, evidence obtained, and rationale for conclusions.


Question 7

Topic: communication

An auditor identifies a control deficiency that is urgent and could expose the organization to immediate loss. What should the auditor consider?

  • A. Waiting until the final report regardless of urgency
  • B. Communicating significant urgent issues promptly through appropriate channels
  • C. Posting the finding publicly
  • D. Asking management to ignore it until next year

Best answer: B

Explanation: Significant urgent issues may need interim communication before the final report. The auditor should use appropriate channels and preserve accuracy and evidence support.


Question 8

Topic: recommendation quality

A recommendation says, “Management should improve controls.” What is the main weakness?

  • A. It is too specific
  • B. It removes all management responsibility
  • C. It is vague and may not address the root cause or action needed
  • D. It includes too much evidence

Best answer: C

Explanation: Recommendations should be actionable and connected to root cause. Vague language makes it difficult for management to implement and for audit to follow up.


Question 9

Topic: follow-up

Management agrees to remediate a high-risk finding by a specific date. What is internal audit’s follow-up role?

  • A. Verify and report whether corrective action was implemented or risk was accepted through the proper process
  • B. Perform management’s remediation work
  • C. Delete the finding immediately
  • D. Ignore the deadline because management agreed

Best answer: A

Explanation: Follow-up confirms whether management action has been completed and whether residual risk is addressed. Internal audit should not take over remediation ownership.


Question 10

Topic: scope limitation

Management refuses access to key records needed for an engagement. What should the auditor do?

  • A. Accept the limitation silently
  • B. Document and escalate the scope limitation according to internal audit protocols
  • C. Issue an unqualified conclusion anyway
  • D. Invent substitute evidence

Best answer: B

Explanation: Scope limitations can impair the engagement. The auditor should document the limitation, assess its effect, and escalate through appropriate channels.


Question 11

Topic: evidence reliability

Which evidence is generally more reliable?

  • A. A system-generated report reconciled to source records and access-controlled
  • B. An unsupported verbal assurance from the process owner
  • C. A spreadsheet with no source or owner
  • D. A draft policy never approved

Best answer: A

Explanation: Evidence reliability depends on source, independence, completeness, accuracy, controls, and corroboration. Controlled system evidence reconciled to source records is usually stronger than unsupported statements.


Question 12

Topic: residual risk

After testing, a control gap remains, but management accepts the risk within approved tolerance. What should internal audit do?

  • A. Force management to implement the auditor’s preferred control
  • B. Remove all evidence of the gap
  • C. Document the acceptance and ensure it follows the organization’s risk-acceptance process
  • D. Conclude there was no risk

Best answer: C

Explanation: Management may accept residual risk if authorized and within tolerance. Internal audit should verify that the acceptance is informed, documented, and approved through the right process.

CIA Part 2 quick checklist

  • Can you define objective, scope, criteria, condition, cause, effect, and recommendation separately?
  • Can you judge whether evidence is sufficient and reliable for the conclusion?
  • Can you follow up without taking ownership of management’s remediation?
Revised on Thursday, May 21, 2026