IIA-CIA-Part2 Online Practice Questions


Latest IIA-CIA-Part2 Exam Practice Questions

The practice questions for the IIA-CIA-Part2 exam were last updated on 2025-09-16.


Question#1

While conducting an information security audit, an internal auditor learns that the existing disaster recovery plan is four years old and untested. The auditor also learns that in the four years since the recovery plan was implemented, the information systems have undergone extensive changes.
Which of the following actions is most appropriate for the auditor to take?

A. Inform management and request that the plan be tested immediately.
B. Update the recovery plan for management, as part of the review.
C. Evaluate the recovery plan and report weaknesses to management.
D. Recommend that management and users update and test the recovery plan.

Explanation:
Step-by-Step Detailed Explanation
A. Inform management and request that the plan be tested immediately:
Testing without updating the plan could lead to irrelevant results given the significant changes to the systems.
B. Update the recovery plan for management, as part of the review:
The auditor’s role is to assess and recommend, not to perform management’s responsibilities.
C. Evaluate the recovery plan and report weaknesses to management:
Evaluation alone does not address the need for an update and testing of the outdated plan.
D. Recommend that management and users update and test the recovery plan:
Correct. This approach addresses the deficiencies in the plan and ensures alignment with current systems.
CIA Exam Syllabus Reference: Domain II: Risk Management and Control - Disaster Recovery and Business Continuity Planning.

Question#2

An audit reveals that a manager's spouse is receiving paychecks, but is not employed by the organization. According to IIA guidance, which of the following actions should the internal auditor take?

A. Contact the external auditor and provide all relevant documentation.
B. Report the finding to senior management in a timely manner, following the normal chain of command.
C. Meet with the local manager to obtain more information on the finding before taking further action.
D. Bypass the normal chain of command and contact the board directly to report the finding.

Explanation:
When an internal auditor discovers a significant issue, such as a manager’s spouse receiving paychecks without being employed, it’s essential to follow the appropriate protocols for reporting the finding.
Detailed Explanation
IIA Standard 2060 - Reporting to Senior Management and the Board:
This standard mandates that the chief audit executive (CAE) must communicate significant risk exposures and control issues to senior management and the board. Following the normal chain of command ensures that the issue is escalated appropriately without bypassing necessary channels.
Ethical Considerations and Confidentiality:
According to the IIA’s Code of Ethics, internal auditors must respect the confidentiality of the information they handle. Reporting through the established chain of command ensures that sensitive issues are handled discreetly and appropriately.
IIA Standard 2440 - Disseminating Results:
This standard requires that the results of the audit, including significant findings, should be communicated to the appropriate parties. Reporting to senior management first allows for an initial review and appropriate action before escalating to higher levels, if necessary.
Why Not Other Options?
Option A (Contacting the external auditor): While external auditors may need to be informed, this step should follow internal reporting protocols, not precede them.
Option C (Meeting with the local manager): This could compromise the investigation, as the local manager may be involved in the issue.
Option D (Bypassing the chain of command): This should only be done in extreme circumstances, such as when senior management is directly involved in the wrongdoing, which is not indicated in this scenario.

Question#3

Which of the following would not be a typical activity for the chief audit executive to perform following an audit engagement?

A. Report follow-up activities to senior management.
B. Implement follow-up procedures to evaluate residual risk.
C. Determine the costs of implementing the recommendations.
D. Evaluate the extent of improvements.

Question#4

According to IIA guidance, when would an interim report typically be produced?

A. During a standard audit engagement when management wants to address an issue before the final report is drafted.
B. Following each workshop conducted during a consulting engagement.
C. During lengthy audit engagements involving several organizational units.
D. Following management's update for actions taken on outstanding recommendations.

Question#5

Following an audit, management developed an action plan to improve controls over the handling of scrap metal.
Which of the following would be the most appropriate course of action for the auditor to follow up?

A. Conduct another audit engagement to ensure all risks related to the sales of scrap metal have been mitigated.
B. Ensure new procedures have been documented, approved, and distributed to the employees responsible.
C. Perform retesting to confirm that new procedures address the previously identified deficient control activities.
D. Analyze the new procedures, then report to senior management whether the associated risks have been managed.

Explanation:
After management has implemented an action plan to improve controls, the most appropriate follow-up action for the auditor is to perform retesting. Retesting involves verifying that the new procedures are effective in addressing the control deficiencies identified during the initial audit.
Detailed Explanation
IIA Standard 2500 - Monitoring Progress:
This standard requires the internal audit activity to monitor and ensure that management actions have been implemented and are working as intended. Retesting is a critical component of this process because it confirms that the new controls effectively mitigate the risks.
Importance of Retesting:
Retesting allows the auditor to verify that the specific control activities, which were previously found to be deficient, have been corrected. This hands-on approach provides direct evidence of the effectiveness of the new procedures.
IIA Practice Advisory 2500-1:
The advisory emphasizes the need for follow-up activities to include retesting when necessary to confirm that management’s actions have resolved the issues identified.
Why Not Other Options?
Option A (Conduct another audit): Conducting a completely new audit might be excessive; follow-up and retesting are sufficient to confirm the effectiveness of the corrective actions.
Option B (Ensure procedures are documented): Documentation is important, but it does not confirm that the procedures are actually effective.
Option D (Analyze procedures and report to management): Analysis is useful, but retesting provides direct verification of effectiveness.
Conclusion: Option C is correct because retesting confirms that the new procedures effectively address the previously identified deficiencies, ensuring that the risks have been mitigated as intended, in line with IIA guidance.

Exam Code: IIA-CIA-Part2
Q & A: 499 Q&As
Updated: 2025-09-16
