Free IIA IIA-CIA-Part3-3P Practice Questions 2026 - Page 5
Practice Questions
Topic 1: Exam Pool A
An internal auditor is trying to assess control risk and the effectiveness of an organization's internal controls. Which of the following audit procedures would not provide assurance to the auditor on this matter?
A. Interviewing the organization's employees.
B. Observing the organization's operations.
C. Reading the board's minutes.
D. Inspecting manuals and documents.
Explanation:
Assessing control risk and evaluating internal control effectiveness requires evidence about how controls operate on a day-to-day basis. Board minutes document high-level strategic decisions, approvals, and governance matters, but they rarely contain detailed evidence of routine control performance (e.g., segregation of duties, authorizations, reconciliations).
Correct Option:
C. Reading the board's minutes.
Board minutes provide information on major policies, strategic directions, and significant approvals. However, they do not demonstrate whether internal controls are actually functioning effectively in daily operations. Minutes lack the operational detail needed to assess control risk or control effectiveness.
Incorrect Option:
A. Interviewing the organization's employees.
Interviews provide evidence of how controls are performed, whether employees understand their responsibilities, and whether procedures are followed. This directly helps assess control design and operating effectiveness, thus providing assurance on internal controls.
B. Observing the organization's operations.
Direct observation allows the auditor to see controls in action (e.g., watching a two-person authorization process). This is powerful evidence of whether controls are actually performed as designed, directly supporting control risk assessment.
D. Inspecting manuals and documents.
Policy manuals describe control procedures; completed forms, signatures, and reconciliation records provide evidence of control performance. Inspecting such documentation helps the auditor assess whether controls are designed properly and operating effectively.
Reference:
IIA International Professional Practices Framework (IPPF) – Standard 1210.A1 (evidence gathering); Practice Guide: Control Risk Assessment; audit evidence hierarchy – board minutes are not operational control evidence.
Which of the following is a key characteristic of a zero-based budget?
A. A zero-based budget provides estimates of costs that would be incurred under different levels of activity.
B. A zero-based budget maintains focus on the budgeting process.
C. A zero-based budget is prepared each year and requires each item of expenditure to be justified.
D. A zero-based budget uses input from lower-level and middle-level managers to formulate budget plans.
Explanation:
Zero-based budgeting (ZBB) requires managers to justify every expenditure from zero (or a "clean slate") for each new budget period, rather than basing the new budget on the previous period's actual spending. This forces critical evaluation of all activities and costs, eliminating unnecessary or outdated expenses.
Correct Option:
C. A zero-based budget is prepared each year and requires each item of expenditure to be justified.
This is the defining characteristic of ZBB. Unlike traditional budgeting (incremental approach), ZBB starts from zero, requiring managers to build the budget by justifying each cost based on needs, benefits, and alternatives, not historical spending patterns.
Incorrect Option:
A. Provides estimates of costs under different activity levels.
This describes flexible budgeting, not zero-based budgeting. Flexible budgets adjust cost estimates based on actual output volumes. ZBB focuses on justification of activities, not variance prediction across activity levels.
B. Maintains focus on the budgeting process.
This is vague and not a distinguishing characteristic. Many budgeting methods focus on the process. ZBB's unique feature is justification from zero, not merely maintaining process focus.
D. Uses input from lower-level and middle-level managers.
Participative budgeting involves managers at various levels, but this is common to many budgeting approaches (e.g., bottom-up budgeting). It is not unique to ZBB, nor is it the key characteristic.
Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Budgeting / Managerial Accounting section); Horngren, Datar, & Rajan, Cost Accounting (zero-based budgeting definition); Pyhrr, P. (1970) "Zero-Base Budgeting" – justification from zero.
Which of the following descriptions of the internal control system are indicators that risks are managed effectively?
1) Existing controls promote compliance with applicable laws and regulations.
2) The control environment is designed to address all identified risks to the organization.
3) Key controls for significant risks to the organization remain consistent over time.
4) Monitoring systems are in place to alert management to unexpected events.
A. 1 and 3.
B. 1 and 4.
C. 2 and 3.
D. 2 and 4.
Explanation:
Effective risk management requires controls that promote compliance (addressing legal/regulatory risks) and monitoring systems that detect unexpected events (providing early warning). However, addressing all identified risks is impossible (cost-benefit), and key controls should be reviewed for changes in risk, not remain consistent if risks evolve.
Correct Option:
B. 1 and 4.
1: Controls promoting compliance with laws/regulations indicate effective risk management for legal and regulatory risks.
4: Monitoring systems that alert management to unexpected events provide real-time detection of emerging risks or control failures, a hallmark of effective risk management.
Incorrect Option:
2. Control environment designed to address all identified risks. This is unrealistic and not an indicator of effective risk management. Organizations prioritize material risks and accept some risks due to cost-benefit. Addressing all identified risks would be inefficient and unnecessary.
3. Key controls for significant risks remain consistent over time. This is a weakness indicator, not effective management. Risks change (new regulations, technology, competition). Effective risk management requires periodic review and adjustment of key controls. Static controls become obsolete or misaligned with current risks.
Why not A, C, or D?
A (1 and 3) includes #3 (undesirable static controls).
C (2 and 3) includes both unrealistic #2 and static #3.
D (2 and 4) includes unrealistic #2.
Reference:
IIA International Professional Practices Framework (IPPF) – Standard 2120: Risk Management; COSO Internal Control – Integrated Framework (control environment addresses significant risks, not all; monitoring systems detect unexpected events).
Under a value-added taxing system:
A. Businesses must pay a tax only if they make a profit.
B. The consumer ultimately bears the cost of the tax through higher prices.
C. Consumer savings are discouraged.
D. The amount of value added is the difference between an organization's sales and its cost of goods sold.
Explanation:
A value-added tax (VAT) is a consumption tax levied on the incremental value added at each stage of production or distribution. Businesses collect VAT on sales, pay VAT on purchases, and remit the difference to the government. The final consumer bears the economic burden because VAT is embedded in the final purchase price.
Correct Option:
B. The consumer ultimately bears the cost of the tax through higher prices.
VAT is designed as a consumption tax. Although collected by businesses at each stage, the tax is passed forward along the supply chain. The final consumer pays the full accumulated VAT as part of the purchase price and cannot recover it.
Incorrect Option:
A. Businesses must pay a tax only if they make a profit.
VAT applies regardless of profit. A business pays VAT on its value added (sales minus purchases) even if it operates at a loss. Profitability is irrelevant to VAT liability; it is a transaction-based tax, not an income tax.
C. Consumer savings are discouraged.
VAT may discourage consumption because it raises prices, but it does not directly discourage savings. VAT is imposed on goods/services purchased, not on savings accounts, investments, or interest income. Savings are not subject to VAT.
D. Value added = sales – cost of goods sold (COGS).
This is incorrect for VAT purposes. Value added under VAT is sales minus purchases from other businesses (inputs), not COGS. COGS includes labor, depreciation, and other non-purchase costs that are not deductible for VAT calculation.
Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Taxation / Public Finance section); VAT literature (final consumer bears burden, businesses act as collectors); IMF/World Bank VAT guidelines.
The percentage of sales method, rather than the percentage of receivables method, would be used to estimate uncollectible accounts if an organization seeks to:
A. Use an aging schedule to more closely estimate uncollectible accounts.
B. Eliminate the need for an allowance for doubtful accounts.
C. Emphasize the accuracy of the net realizable value of the receivables on the balance sheet.
D. Use a method that approximates the matching principle.
Explanation:
The percentage-of-sales method (income statement approach) estimates bad debt expense as a fixed percentage of credit sales. This directly matches bad debt expense with the sales revenue that caused it in the same period. It emphasizes the matching principle (expenses recognized in same period as related revenues) rather than receivables valuation.
Correct Option:
D. Use a method that approximates the matching principle.
Percentage-of-sales focuses on the income statement, matching bad debt expense to the sales period. Percentage-of-receivables focuses on balance sheet accuracy (net realizable value). When matching is the priority, percentage-of-sales is preferred.
Incorrect Option:
A. Use an aging schedule to more closely estimate uncollectibles.
Aging schedules are used with the percentage-of-receivables method, not percentage-of-sales. Aging provides more precise estimates of collectibility by categorizing receivables by due date.
B. Eliminate the need for an allowance for doubtful accounts.
Neither method eliminates the allowance. Both require an allowance account (contra-asset). The allowance reflects estimated uncollectibles under both approaches.
C. Emphasize accuracy of net realizable value of receivables.
Percentage-of-receivables (balance sheet approach) emphasizes net realizable value. Percentage-of-sales emphasizes expense matching. If balance sheet accuracy is the goal, percentage-of-receivables is used, not percentage-of-sales.
Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Financial Accounting / Receivables section); GAAP (ASC 310 – Receivables); Matching principle vs. net realizable value emphasis in bad debt estimation methods.
The decision to implement enhanced failure detection and back-up systems to improve data integrity is an example of which risk response?
A. Risk acceptance.
B. Risk sharing.
C. Risk avoidance.
D. Risk reduction.
Explanation:
Risk responses include acceptance (tolerating risk), sharing (transferring via insurance/outsourcing), avoidance (eliminating the activity), and reduction (mitigating likelihood or impact). Enhanced failure detection and backup systems reduce the likelihood of undetected data corruption and the impact of system failures, directly lowering risk exposure.
Correct Option:
D. Risk reduction.
Implementing failure detection (identifies errors quickly) and backup systems (restores data after loss) reduces both the probability of data integrity failure causing harm and the severity of consequences. This is active mitigation, not avoidance, sharing, or mere acceptance.
Incorrect Option:
A. Risk acceptance.
Acceptance means taking no action because risk is within tolerance or cost of mitigation exceeds benefit. Implementing detection and backup systems is the opposite – it is active mitigation, not passive acceptance.
B. Risk sharing.
Sharing transfers risk to another party (e.g., insurance, outsourcing, hedging). Detection and backup systems keep risk within the organization but reduce it. No third party assumes the risk; therefore, it is not sharing.
C. Risk avoidance.
Avoidance eliminates the risk by discontinuing the activity that creates it (e.g., not using the system at all). Enhanced detection/backup retains the activity but makes it safer. Avoidance would require shutting down the system, which is not the case here.
Reference:
IIA International Professional Practices Framework (IPPF) – Standard 2120: Risk Management (risk responses); COSO ERM (risk reduction/mitigation includes controls, detection, backup). ISO 31000 risk treatment options.
Which of the following statements is true regarding the resolution of interpersonal conflict?
A. Unrealized expectations can be avoided with open and honest discussion.
B. Reorganization would probably not help ambiguous or overlapping jurisdictions.
C. Deferring action should be used until there is sufficient time to fully deal with the issue.
D. Timely and unambiguous clarification of roles and responsibilities will eliminate most interpersonal conflict.
Explanation:
Interpersonal conflict often arises from mismatched or unspoken expectations. Open and honest discussion allows parties to articulate what they expect from each other, identify gaps, and negotiate mutual understanding. This proactive communication can prevent many expectation-based conflicts from occurring or escalating, though it may not eliminate all conflict.
Correct Option:
A. Unrealized expectations can be avoided with open and honest discussion.
Many conflicts stem from assumptions about what others will do or provide. When parties openly discuss roles, deadlines, deliverables, and needs upfront, they surface hidden expectations, align understanding, and reduce the likelihood of disappointment and subsequent conflict.
Incorrect Option:
B. Reorganization would probably not help ambiguous or overlapping jurisdictions.
This is false. Reorganization (clarifying reporting lines, revising job descriptions, consolidating functions) can directly resolve conflicts caused by ambiguous or overlapping authority by removing structural ambiguity. It is often a useful intervention.
C. Deferring action should be used until there is sufficient time to fully deal with the issue.
Deferring action typically worsens interpersonal conflict, allowing resentment to build. Timely intervention is generally recommended. Delaying gives the false impression that the issue is unimportant, escalating tensions.
D. Timely and unambiguous clarification of roles and responsibilities will eliminate most interpersonal conflict.
While this reduces role-based conflict, it does not eliminate most conflict overall. Personality clashes, value differences, competition for resources, and communication styles still cause conflict regardless of role clarity. This overstates the effectiveness.
Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Interpersonal Skills / Conflict Resolution section); Fisher & Ury, Getting to Yes (interests vs. positions, expectations); organizational behavior literature (sources of conflict: role ambiguity, unrealistic expectations).
Which of the following does not provide operational assurance that a computer system is operating properly?
A. Performing a system audit.
B. Making system changes.
C. Testing policy compliance.
D. Conducting system monitoring.
Explanation:
Operational assurance means obtaining confidence that a computer system is functioning correctly, securely, and as intended. Activities like auditing, compliance testing, and monitoring provide evidence of proper operation. Making system changes introduces modifications to the system; it does not provide assurance of proper operation and may, in fact, disrupt it.
Correct Option:
B. Making system changes.
System changes (patches, upgrades, configuration modifications) are necessary but do not provide assurance of proper operation. Changes introduce risk of errors, instability, or security gaps. Assurance comes from testing and validating changes after they are made, not from the act of changing itself.
Incorrect Option:
A. Performing a system audit.
Audits independently evaluate whether the system operates according to policies, standards, and control objectives. Audit findings provide objective assurance about proper operation, identifying deficiencies or confirming compliance.
C. Testing policy compliance.
Compliance testing verifies that system configurations, access controls, and processes adhere to established policies. Successful compliance testing provides operational assurance that the system meets required standards.
D. Conducting system monitoring.
Continuous monitoring (logs, performance metrics, intrusion detection) provides real-time or periodic evidence that the system is operating within normal parameters. Monitoring alerts to anomalies, failures, or security events, offering ongoing operational assurance.
Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (IT Operations / Assurance section); NIST SP 800-37 (continuous monitoring, auditing as assurance; change management as separate process, not assurance).
In an organization where enterprise risk management practices are mature, which of the following is a core internal audit role?
A. Giving assurance that risks are evaluated correctly.
B. Developing the risk management strategy for the board's approval.
C. Facilitating the identification and evaluation of risks.
D. Coaching management in responding to risk.
Explanation:
In a mature ERM environment, management owns risk identification, evaluation, and response. The board oversees. Internal audit's core role is to provide independent, objective assurance that the risk management process is designed effectively and operating as intended, including whether risks are evaluated correctly. The IIA strongly supports this role.
Correct Option:
A. Giving assurance that risks are evaluated correctly.
This is the primary core internal audit role in mature ERM. Internal audit evaluates the design and operating effectiveness of risk management processes, including whether risk identification, assessment, and prioritization are appropriate, and provides assurance to the board and senior management.
Incorrect Option:
B. Developing the risk management strategy for the board's approval.
This is management's role, not internal audit's. Developing strategy impairs independence and objectivity. Internal audit may review the strategy but cannot create it.
C. Facilitating the identification and evaluation of risks.
This is permitted only as a consulting role, and even then with caution to avoid management responsibility. In mature ERM, internal audit does not facilitate; management performs this function. Over-facilitation impairs objectivity.
D. Coaching management in responding to risk.
Coaching is a consulting activity that may be appropriate but is not a core internal audit role in mature ERM. The core role is assurance. Coaching risks blurring lines between audit and management.
Reference:
IIA International Professional Practices Framework (IPPF) – Position Paper: The Role of Internal Auditing in Enterprise Risk Management (core role = assurance on risk management processes, not ownership or development).
Which of the following statements are true regarding the use of heat maps as risk assessment tools?
1. They focus primarily on known risks, limiting the ability to identify new risks.
2. They rely heavily on objective assessments and related risk tolerances.
3. They are too complex to provide an easily understandable view of key risks.
4. They are helpful but limited in value in a rapidly changing environment.
A. 1 and 2 only
B. 1 and 4 only
C. 2 and 3 only
D. 3 and 4 only
Explanation:
Heat maps visually display risks based on likelihood and impact. They are useful but have limitations: they focus primarily on known risks (struggling with emerging risks) and lose relevance in rapidly changing environments where probability and impact shift quickly. They rely on subjective assessments (not purely objective) and are generally simple to understand.
Correct Option:
B. 1 and 4 only.
Statement 1: True. Heat maps typically plot identified, assessed risks. They do not easily capture unknown or emerging risks, limiting identification of new threats.
Statement 4: True. In rapidly changing environments (e.g., tech, crisis), historical or current risk assessments become outdated quickly, reducing heat map value.
Incorrect Option:
Statement 2: False. Heat maps often rely heavily on subjective judgments from managers or experts about likelihood and impact, not purely objective assessments. Risk tolerance overlay may be objective, but the core risk rankings are subjective.
Statement 3: False. Heat maps are widely valued for their simplicity and visual clarity. They present key risks in an easy-to-understand matrix format (color-coded), which is their primary advantage, not a limitation.
Why not A, C, or D?
A (1 and 2) includes false statement 2.
C (2 and 3) includes two false statements.
D (3 and 4) includes false statement 3.
Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Risk Assessment Tools / Heat Maps section); IIA Practice Guide: Risk Assessment in Internal Auditing (heat map limitations: known risks only, subjective inputs, less dynamic).