IIA-CIA-Part2 Practice Test

Which of the following would not be an appropriate step for an internal auditor to perform during an
assessment of compliance with an organization's privacy policy?

A.

Determine who can access databases containing confidential information.

B.

Evaluate the organization's privacy policy to determine if appropriate information is covered.

C.

Analyze access to permanent files and reports containing confidential information.

D.

Evaluate the government's security measures related to confidential information received from
the organization.

An internal auditor for a financial institution has just completed an audit of loan processing. Of the
81 loans approved by the loan committee, the auditor found seven loans which exceeded the
approved amount. Which of the following actions would be inappropriate on the part of the
auditor?

A.

Examine the seven loans to determine if there is a pattern. Summarize amounts and include in
the engagement final communication.

B.

Report the amounts to the loan committee and leave it up to them to correct. Take no further
follow-up action at this time and do not include the items in the engagement final communication.

C.

Follow up with the appropriate vice president and include the vice president's acknowledgment
of the situation in the engagement final communication.

D.

Determine the amount of the differences and make an assessment as to whether the dollar
differences are material. If the amounts are not material, not in violation of government
regulations, and can be rationally explained, omit the observation from the engagement final
communication.

During a systems development audit, software developers indicated that all programs were moved from the development environment to the production environment and then tested in the
production environment. What should the auditor recommend?
I. Implement a test environment to ensure that testing is not performed in the production
environment.
II. Require developers to move modified programs from the development environment to the test
environment and from the test environment to the production environment.
III. Eliminate access by developers to the production environment.

A.

 I only

B.

 III only

C.

I and II only

D.

I and III only

A post-audit questionnaire sent to audit clients is an effective mechanism for:

A.

Substantiating audit observations.

B.

Promoting the internal audit activity.

C.

 Improving future audit engagements.

D.

Validating process flow.

As part of an operational audit, an auditor compared records of current inventory with usage
during the prior two-year period and determined that the spare parts inventory was excessive.
What step should the auditor perform first?

A.

Determine the effects of a stock-out on the organization's profitability.

B.

Determine whether a clear policy exists for setting inventory limits.

C.

Determine who approved the purchase orders for the spare parts.

D.

Determine whether purchases were properly recorded