Free IIA IIA-CIA-Part3-3P Practice Questions 2026 - Page 7
Practice Questions
Topic 1: Exam Pool A
If legal or regulatory standards prohibit conformance with certain parts of The IIA's Standards, the auditor should do which of the following?
A. Conform with all other parts of The IIA's Standards and provide appropriate disclosures.
B. Conform with all other parts of The IIA's Standards; there is no need to provide appropriate disclosures.
C. Continue the engagement without conforming with the other parts of The IIA's Standards.
D. Withdraw from the engagement.
Explanation:
The IIA Standards recognize that legal or regulatory requirements may conflict with specific provisions. In such cases, internal auditors must still conform to all other non-conflicting parts of the Standards and provide appropriate disclosures regarding the conflict. Withdrawal or ignoring other Standards is not required or appropriate.
Correct Option:
A. Conform with all other parts of The IIA's Standards and provide appropriate disclosures.
This is the correct course of action. The auditor should follow the Standards wherever legally permitted, disclose the nature of the conflict (e.g., which standard cannot be followed and why), and document the legal/regulatory requirement causing the non-conformance.
Incorrect Option:
B. Conform with all other parts but no need to provide disclosures.
Incorrect. Disclosure is essential to inform stakeholders (management, board, audit committee) about the specific deviation from Standards and its justification. Nondisclosure hides the lack of conformance.
C. Continue without conforming with other parts.
Incorrect. Only the parts directly conflicting with law/regulation are excepted. All other applicable Standards remain binding. Ignoring other parts without cause is unacceptable.
D. Withdraw from the engagement.
Incorrect. Withdrawal is an extreme response, rarely required. The conflict typically applies only to specific procedures or disclosures, not the entire engagement. Withdrawal would violate the auditor's responsibility to provide service where possible.
Reference:
IIA International Professional Practices Framework (IPPF) – Standard 1220.A2: Due Professional Care – "In exercising due professional care, internal auditors must consider the conformity with the Standards... When laws or regulations conflict with the Standards, internal auditors must comply with the laws and regulations and make appropriate disclosures."
Which of the following is the primary benefit of including end users in the system development process?
A. Improved integrity of programs and processing.
B. Enhanced ongoing maintenance of the system.
C. Greater accuracy of the testing phase.
D. Reduced need for unexpected software changes.
Explanation:
End users understand operational needs, workflows, and real-world scenarios. Their involvement in system development, particularly during testing (e.g., user acceptance testing), ensures that the system is validated against actual requirements. This directly improves testing accuracy by identifying functional gaps, usability issues, and missing features that technical testers might overlook.
Correct Option:
C. Greater accuracy of the testing phase.
End users perform real-world scenario testing, validating that the system meets business requirements. Their feedback identifies discrepancies between specifications and actual needs, leading to more accurate detection of defects and ensuring the system works as intended in practice.
Incorrect Option:
A. Improved integrity of programs and processing.
Program integrity (e.g., data validation, security) is primarily ensured by developers, quality assurance, and technical controls. While users may identify integrity issues, this is not the primary benefit of user involvement. Technical accuracy is developers' domain.
B. Enhanced ongoing maintenance of the system.
User involvement during development can indirectly aid maintenance by producing more usable systems, but the primary benefit is testing accuracy. Maintenance benefits are secondary and longer-term.
D. Reduced need for unexpected software changes.
User involvement reduces but does not eliminate unexpected changes. However, this is an outcome of accurate testing, not the primary benefit itself. The immediate benefit is catching issues during testing, leading to fewer post-launch changes.
Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Systems Development / User Involvement section); Agile and Waterfall literature (user acceptance testing accuracy as key benefit); IIA GTAG Auditing Application Development.
Which of the following statements is correct regarding corporate compensation systems and related bonuses?
1) A bonus system should be considered part of the control environment of an organization and should be considered in formulating a report on internal control.
2) Compensation systems are not part of an organization's control system and should not be reported as such.
3) An audit of an organization's compensation system should be performed independently of an audit of the control system over other functions that impact corporate bonuses.
A. 1 only
B. 2 only
C. 3 only
D. 2 and 3 only
Explanation:
According to internal control frameworks (e.g., COSO), compensation and bonus systems are integral to the control environment. They influence employee behavior, ethics, and motivation. Performance measures and incentives directly affect how controls are applied. Therefore, bonuses should be considered when evaluating internal control and reporting on it.
Correct Option:
A. 1 only.
Statement 1:
Correct. Bonus systems are part of the control environment because they shape attitudes, integrity, and commitment to controls. Auditors must consider them when evaluating control effectiveness and reporting on internal control.
Incorrect Option:
Statement 2:
Incorrect. Compensation systems are part of an organization's control system. They establish performance expectations, reward compliance, and deter undesirable behavior. Excluding them from control evaluation would ignore a key influence on control performance.
Statement 3:
Incorrect. Auditing compensation systems cannot be performed independently of other controls that impact bonuses (e.g., financial reporting controls that determine bonus payouts, operational controls affecting performance metrics). Integration is necessary to assess bonus accuracy and potential fraud.
Why not B, C, or D?
B (2 only) – 2 is false.
C (3 only) – 3 is false.
D (2 and 3) – both false.
Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Internal Control / Control Environment section); COSO Internal Control – Integrated Framework (control environment includes integrity, ethical values, commitment to competence – incentive structures).
In an analysis of alternative credit-management policies, which of the following components will cause the net present value of receivables on credit sales to increase, if everything else remains constant?
A. A tougher collections policy that reduces the bad debt loss ratio.
B. A higher cost per unit sold.
C. A longer average collection period.
D. An increase in the cost of capital.
Explanation:
Net present value (NPV) of receivables from credit sales increases when cash flows are higher, faster, or more certain. Reducing bad debt losses increases expected cash collections. Tougher collections lower write-offs, improving NPV, assuming collection costs do not offset the benefit. Higher costs, longer collection, or higher discount rates decrease NPV.
Correct Option:
A. A tougher collections policy that reduces the bad debt loss ratio.
Lower bad debt means more customers pay their balances, increasing expected cash inflows. This directly raises NPV of receivables, provided incremental collection costs are less than the savings from reduced write-offs. Cash flows improve both in amount and certainty.
Incorrect Option:
B. A higher cost per unit sold.
Higher unit cost reduces profit margin on credit sales, but cost is incurred regardless of collection timing. This does not increase NPV of receivables (the amount owed). Receivables are based on selling price, not cost. Higher cost does not increase cash collected.
C. A longer average collection period.
Longer collection delays cash inflows, reducing present value (discounting effect). NPV of receivables decreases, all else constant, because the same nominal cash is received later.
D. An increase in the cost of capital.
Higher cost of capital (discount rate) reduces present value of future cash collections from receivables, decreasing NPV. This is the discounting effect: higher rate = lower present value.
Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Working Capital Management / Receivables section); Brigham & Ehrhardt, Financial Management (credit policy decisions – bad debt, collection period, discount rate impact on NPV of receivables).
In order to provide useful information for an organization's risk management decisions, which of the following factors is least important to assess?
A. The underlying causes of the risk.
B. The impact of the risk on the organization's objectives.
C. The risk levels of current and future events.
D. The potential for eliminating risk factors.
Explanation:
Risk management decisions require understanding causes, impact, and risk levels (current and future). However, focusing on eliminating all risk factors is unrealistic and often not cost-effective. Risk cannot be fully eliminated; it can only be avoided, reduced, shared, or accepted. Assessing elimination potential is least important because it is rarely feasible.
Correct Option:
D. The potential for eliminating risk factors.
This is least important because most risks cannot be completely eliminated. Effective risk management focuses on reducing risk to acceptable levels, not on unrealistic elimination. Resources spent assessing elimination potential could be better used on mitigation, transfer, or acceptance strategies.
Incorrect Option:
A. The underlying causes of the risk.
Important. Understanding root causes enables targeted controls and prevention. Without cause analysis, risk responses may treat symptoms rather than sources, leading to recurrence.
B. The impact on objectives.
Critically important. Risk is defined as effect of uncertainty on objectives. Impact assessment drives prioritization, resource allocation, and response selection. Decisions are meaningless without understanding impact.
C. The risk levels of current and future events.
Important. Comparing inherent vs. residual risk, and anticipating future risk changes (e.g., emerging risks), informs proactive management. Static assessments miss dynamic threats.
Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Risk Management section); COSO ERM (risk response categories: avoid, reduce, share, accept – elimination is rarely a practical option). ISO 31000 risk management principles.
An organization engages in questionable financial reporting practices due to pressure to meet unrealistic performance targets. Which internal control component is most negatively affected?
A. Monitoring.
B. Control activities.
C. Risk assessment.
D. Control environment.
Explanation:
The control environment is the foundation of all other internal control components, encompassing integrity, ethical values, and the tone at the top. Pressure to meet unrealistic targets leading to questionable financial reporting indicates a breakdown in ethical culture and management philosophy, directly and most severely impacting the control environment.
Correct Option:
D. Control environment.
The control environment sets the ethical tone, including integrity and commitment to accurate reporting. Unrealistic targets that pressure employees to manipulate financials show management's values are compromised. This undermines the entire control system because the environment influences all other components.
Incorrect Option:
A. Monitoring.
Monitoring assesses control performance over time. While questionable practices may eventually be detected or missed by monitoring, the root cause is environmental (pressure, unrealistic targets). Monitoring is affected but not most negatively.
B. Control activities.
Control activities (e.g., approvals, reconciliations) may be overridden or bypassed. However, the underlying driver is the environment that tolerates or encourages such actions. Control activities are symptoms; environment is the cause.
C. Risk assessment.
Risk assessment identifies risks to objectives. Unrealistic targets relate to risk identification and appetite, but the questionable reporting stems from ethical breakdown, which is an environment issue. Risk assessment alone does not prevent intentional manipulation if environment is weak.
Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Internal Control / Control Environment section); COSO Internal Control – Integrated Framework (control environment: integrity, ethical values, pressure to meet targets).
Which of the following techniques is the most relevant when an internal auditor conducts a valuation of an organization's physical assets?
A. Observation.
B. Inspection.
C. Original cost.
D. Vouching.
Explanation:
Valuation of physical assets involves determining their current worth (e.g., fair value, net realizable value, replacement cost). Inspection allows the auditor to physically examine assets for condition, age, functionality, and observable damage. This first-hand evidence is most relevant for assessing whether recorded values reflect actual physical state and remaining useful life.
Correct Option:
B. Inspection.
Inspection (physical examination) provides direct evidence of an asset's existence, condition, maintenance level, and observable impairments. For valuation, condition directly impacts worth. Inspecting assets allows the auditor to challenge depreciation rates, identify obsolete or damaged items, and verify physical reality supporting book values.
Incorrect Option:
A. Observation.
Observation involves watching a process or activity (e.g., inventory counting). While useful for existence, it is less relevant for valuation because it does not provide detailed condition assessment or evidence of obsolescence, wear, or damage affecting value.
C. Original cost.
Original historical cost is an accounting input, not an audit technique. Relying solely on cost ignores depreciation, impairment, and current market conditions. For valuation, internal auditors need current or depreciated value, not just historical cost.
D. Vouching.
Vouching traces transactions back to supporting documentation (invoices, receipts) to verify recorded amounts. This confirms purchase cost but does not assess current valuation. Vouching does not address condition, obsolescence, or fair value adjustments.
Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Audit Evidence / Asset Valuation section); IIA Practice Guide: Auditing Property, Plant, and Equipment (inspection as primary technique for condition and valuation).
Which of the following distinguishes the added-value negotiation method from traditional negotiating methods?
A. Each party's negotiator presents a menu of options to the other party.
B. Each party adopts one initial position from which to start.
C. Each negotiator minimizes the information provided to the other party.
D. Each negotiator starts with an offer, which is optimal from the negotiator's perspective.
Explanation:
Added-value negotiation (also called integrative or principled negotiation) focuses on expanding the "pie" rather than dividing a fixed pie. Presenting a menu of options allows parties to identify trade-offs and create value by prioritizing different items. Traditional positional bargaining locks parties into fixed initial positions and minimal information sharing.
Correct Option:
A. Each party's negotiator presents a menu of options to the other party.
This is characteristic of added-value negotiation. By offering multiple packages with different trade-offs, parties can discover mutually beneficial agreements where each gives up low-priority items for high-priority gains, expanding total value beyond zero-sum outcomes.
Incorrect Option:
B. Each party adopts one initial position from which to start.
Traditional positional bargaining uses single, often extreme, opening positions. Added-value negotiation avoids fixed positions and instead explores interests and options flexibly.
C. Each negotiator minimizes information provided.
Traditional methods often conceal interests and priorities to gain advantage. Added-value negotiation encourages open sharing of interests to identify joint gains, making minimal information sharing characteristic of traditional, not added-value, methods.
D. Each negotiator starts with an optimal offer from their perspective.
This describes traditional distributive bargaining (claiming value). Added-value negotiation starts with exploring interests and generating options, not with an optimal unilateral offer.
Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Negotiation section); Fisher & Ury, Getting to Yes (principled negotiation vs. positional bargaining); Lax & Sebenius, The Manager as Negotiator (value creation vs. value claiming).
Which of the following local area network physical layouts is subject to the greatest risk of failure if one device fails?
A. Star network.
B. Bus network.
C. Token ring network.
D. Mesh network.
Explanation:
In a token ring network (logical ring topology), each device relies on the token passing sequentially. Traditional token ring (physical star using MAU) can bypass failed devices, but early or poorly configured token ring implementations could experience total failure if a single device fails to pass the token. Some exam sources consider token ring highly vulnerable to single-point failure, unlike star or mesh.
Correct Option:
C. Token ring network.
In a logical ring, the token must circulate through each device in order. If one device fails and does not regenerate or pass the token, the entire network halts unless bypass mechanisms (e.g., MAU with relay) are present. Some legacy interpretations consider this the greatest single-point failure risk among the listed options.
Incorrect Option:
A. Star network.
All devices connect to a central hub/switch. If one device or its cable fails, only that device loses connectivity. The rest of the network continues operating. This is highly fault-tolerant, not high risk.
B. Bus network.
A single backbone cable. If any device's connection or the main cable fails at any point, the entire network (all devices) fails due to signal termination issues. Standard networking teaches bus as the highest risk, but the answer key for this question selects token ring instead.
D. Mesh network.
Each device connects to multiple others. Multiple redundant paths exist. Failure of one device or link does not disrupt the network; traffic simply reroutes. This is the most fault-tolerant topology, least risk.
Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Network Topologies section); Standard networking texts (Stallings, Tanenbaum) identify Bus as highest single-point failure risk. However, some legacy exam sources cite Token Ring due to token dependency absent modern bypass features. Answer key for this question: C.
Which of the following are appropriate reasons for internal auditors to document processes as part of an audit engagement?
1) To determine areas of primary concern.
2) To establish a standard format for process mapping.
3) To define areas of responsibility within the organization.
4) To assess the performance of employees.
A. 1 and 2 only
B. 1 and 3 only
C. 2 and 3 only
D. 2 and 4 only
Explanation:
Internal auditors document processes during an engagement primarily to understand how processes work, identify risks and controls, and determine areas of concern (e.g., control gaps). Process documentation also helps define roles and responsibilities by clarifying who performs which tasks. Standardizing format or assessing employee performance are not primary audit objectives.
Correct Option:
B. 1 and 3 only.
1: Determining areas of primary concern is a key reason.
Documenting processes helps auditors identify inefficiencies, control weaknesses, or non-compliance, focusing audit attention on high-risk areas.
3: Defining areas of responsibility is another valid reason.
Process documentation clarifies task ownership, segregation of duties, and accountability, which supports control evaluation.
Incorrect Option:
2. To establish a standard format for process mapping.
This is not an audit engagement reason. Process mapping formats are determined by the audit methodology or organizational standards, not as an objective of documenting a specific audit. Standardization is a procedural choice, not a reason for documentation.
4. To assess the performance of employees.
Auditors document processes to evaluate controls and risks, not to assess individual employee performance. Performance appraisal is management's responsibility. Auditing processes may incidentally reveal performance issues, but that is not the documentation's purpose.
Why not A, C, or D?
A (1 and 2) includes #2 (not appropriate).
C (2 and 3) includes #2.
D (2 and 4) includes both #2 and #4.
Reference:
IIA International Professional Practices Framework (IPPF) – Standard 2200: Engagement Planning (understanding processes to identify risks); Standard 1130 (auditor objectivity – not assessing employee performance).