The Institute of Internal Auditors North America
Certified Internal Auditor® (CIA®) Sample Exam Questions

Part 1 Sample Exam Questions
  •   According to IIA guidance, which of the following should be defined in the internal audit activity’s (IAA’s) charter?

    1.  The scope of internal audit activities.
    2.  The risk assessment model to be used.
    3.  The IAA’s authority to access records and personnel.
    4.  The IAA’s position within the organization.

    1. 1 and 2 only.
    2. 1 and 3 only.
    3. 1, 3, and 4.
    4. 2, 3, and 4.

    View answer
    1. Correct. According to the Interpretation of Standard 1000, the internal audit charter “defines the scope of internal audit activities.”
    2. Incorrect. This is an audit process that is part of the IAA's operating procedures, defined by the chief audit executive.
    3. Correct. According to the Interpretation of Standard 1000, the internal audit charter “authorizes access to records, personnel, and physical properties …”
    4. Correct. According to the Interpretation of Standard 1000, the internal audit charter “establishes the internal audit activity’s position within the organization.”
  •   During the past three years, an organization’s ratio of accounts receivable to total assets has increased, and its accounts receivable turnover ratio has decreased. Which of the following is not a plausible explanation for these changes?
    1. Fictitious sales have been recorded.
    2. Sales returns for credit have been overstated.
    3. Credit and collection procedures have become ineffective.
    4. Allowance for bad debts is understated.

    View answer
    1. Incorrect. Fictitious sales would be a plausible explanation, as they would generate additional uncollectible accounts receivable that are not necessarily being reflected in the allowance for bad debts.
    2. Correct. Overstated sales returns for credit would not be a plausible explanation, as they would understate (not overstate) accounts receivable. This would result in especially lower (not higher) net accounts receivable balances as a percentage of total assets.
    3. Incorrect. Ineffective credit and collection procedures would be a plausible explanation, as they could contribute to increases in uncollectible accounts receivable that are not necessarily being reflected in the allowance for bad debts.
    4. Incorrect. An understated allowance for bad debts would be a plausible explanation, as it would contribute to overstatements in net accounts receivable and decreases in the accounts receivable turnover ratio.
  •   Which of the following enterprise risk management (ERM) components influences the risk consciousness of an organization’s people and is the basis for all other ERM components?
    1. Internal Environment.
    2. Objective Setting.
    3. Information and Communication.
    4. Risk Assessment.

    View answer
    1. Correct. According to COSO ERM, the Internal Environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an organization’s people, including risk management philosophy and risk appetite.
    2. Incorrect. Objective Setting is a precondition to event identification, risk assessment, and risk response.
    3. Incorrect. Information and Communication deals with identifying, capturing, and communicating information in a form and timeframe that enable people to carry out their responsibilities.
    4. Incorrect. Risk Assessment comes after setting the tone at the top, objective setting, and event identification.
Part 2 Sample Exam Questions
  •   A new staff auditor has been assigned to audit cash management operations. The auditor has no background in cash management. According to IIA guidance, which of the following would be the most appropriate solution for staffing the engagement?
    1. The staff auditor performs the work and prepares a report, which is reviewed in detail by the chief audit executive.
    2. A senior auditor who is skilled in the area closely supervises the staff auditor during the engagement.
    3. The engagement is performed by the staff auditor according to the prior year’s audit program for the project.
    4. The staff auditor carefully studies the organization’s cash management policies prior to the initiation of the engagement.

    View answer
    1. Incorrect. The audit would not be conducted in accordance with the Standards because the staff auditor might not have noted significant deviations to include in the audit report. The review by the director at the time the report is generated would be too late. This approach would violate Standards 1200 & 1210.
    2. Correct. The internal audit activity would, in composite, have the requisite skills to perform the audit. The other key element is that the staff auditor is carefully supervised such that significant deviations from good business practices would be noted. This practice is consistent with Practice Advisory 2340-1 and Standards 1210 & 1210.A1.
    3. Incorrect. Adhering to the prior year's audit program is not sufficient, as it would not address the auditor's lack of skills and capabilities needed to perform the engagement.
    4. Incorrect. Studying the organization's cash management policies would not be enough to ensure that the auditor has the requisite audit skills to perform the engagement.
  •   Which of the following is not a responsibility of the chief audit executive?
    1. Communicate the internal audit activity's plans and resource requirements to senior management and the board for review and approval.
    2. Coordinate with other internal and external providers of audit and consulting services to ensure proper coverage and minimize duplication.
    3. Oversee the establishment, administration, and assessment of the organization's system of risk management processes.
    4. Follow up on whether appropriate management actions have been taken on significant reported risks.

    View answer
    1. Incorrect. This is a responsibility of the chief audit executive (CAE), according to Standard 2020.
    2. Incorrect. This is a responsibility of the CAE, according to Standard 2050.
    3. Correct. Practice Advisory 2120-1 states that this is the role of senior management, not the CAE.
    4. Incorrect. This is a responsibility of the CAE, according to Standard 2500.
  •   Which of the following would be the strongest indicator of possible fraudulent activity in the production process?
    1. Employee overtime has increased 50 percent during the past year.
    2. According to employee interviews, workers believe that productivity could be greatly improved if management listened to them.
    3. Inventory has decreased at the same time that the cost of goods sold has increased.
    4. Although scrap is generated, there is no income reported from the scrap sales.

    View answer
    1. Incorrect. Fluctuations in demand could have caused the overtime pay increase.
    2. Incorrect. The interviews indicate a dissatisfaction with management's ability, but do not indicate a fraud.
    3. Incorrect. This would not necessarily be a fraud indicator given all the other problems identified. Cost of goods sold could be increasing because of higher sales, which are drawing down inventory.
    4. Correct. If scrap is generated, there should be some evidence of scrap sales taking place.
Part 3 Sample Exam Questions
  •   Everything else being equal, the internal rate of return of an investment project will be lower if which of the following is true?
    1. Cash inflows are received later in the life of the project.
    2. The investment cost is lower.
    3. The project has a shorter payback period.
    4. Cash inflows are larger.

    View answer
    1. Correct. Cash inflows that occur later in the project have a lower present value than cash inflows that occur earlier, because the present value of a dollar is higher the sooner it is received. Projects with later cash flows will have lower net present values, for any given discount rate, than will projects with earlier cash flows, everything else being equal. Hence, projects with later cash flows will have a lower internal rate of return.
    2. Incorrect. The IRR is the discount rate that sets the net present value of a project equal to zero. Net Present Value is calculated as follows: Net Present Value = present value of cash inflows - investment cost. The present value of the cash inflows is inversely related to the discount rate. That is, if the discount rate is higher, the present value of the cash inflows is lower. If the investment cost is lower, a higher discount rate will be required to set the net present value to zero.
    3. Incorrect. Projects with shorter payback periods have higher cash inflows early in the life of the project. Projects with earlier cash flows have higher internal rates of return.
    4. Incorrect. The larger the cash inflows, the higher will be the internal rate of return. Higher cash inflows have a higher present value at any given discount rate. A higher discount rate will be required to set the net present value to zero.
  •   Franchising and horizontal mergers are commonly used strategies in which of the following industry environments?
    1. An entrepreneurial focus.
    2. An aversion to risk.
    3. Effective leadership.
    4. A diverse product mix.

    View answer
    1. Incorrect. An organization with an entrepreneurial focus would tend to embrace, rather than avoid, uncertainty. Cultures low in uncertainty avoidance are reflected operationally in greater behavioral flexibility and weaker adherence to standard operating procedures (SOPs).
    2. Correct. High uncertainty avoidance cultures (those that have an aversion to risk) are more likely to follow SOPs to reduce risk of failure.
    3. Incorrect. Individualists may be less likely to feel tied to SOPs in pursuing organizational goals.
    4. Incorrect. Low power distance cultures are less likely to accept authority, weakening the potential for adherence to SOPs.
  •   Which of the following hiring procedures would provide the most control over the accuracy of information submitted on an employment application?
    1. Applicants are required to submit unofficial copies of their transcripts along with the application as verification of their educational credentials.
    2. Letters of recommendation that attest to the applicant's character must be mailed directly to the hiring organization rather than being submitted by the applicant.
    3. The hiring organization calls the last place of employment for each finalist to verify the employment length and position held.
    4. Applicants are required to sign a statement indicating that the information on the application is true and correct, as a confirmation of the truth of the information in the application.

    View answer
    1. Incorrect. The applicant would be providing the transcript, which leads to a loss of independence. In addition, the transcript would be unofficial, making it very easy to change the information and send a photocopy of the altered transcript.
    2. Incorrect. There is nothing to prevent the applicants from writing the letters themselves, putting fraudulent return address information on the letters, and mailing them.
    3. Correct. Calling the last place of employment would represent an independent verification of employment, as the hiring organization would be performing the verification procedures.
    4. Incorrect. If an applicant is going to lie about information, there is no reason to believe that the applicant would not sign the applicant's own name to the fraudulent information. This is not an independent verification.
