IIA Updated IIA-CIA-Part2 Exam Questions and Answers by dilan

According to IIA guidance, an internal audit activity that provides overall assurance on governance, risk, and control, advises and influences senior management, and leverages the organization's management of risk is best described as being in the "Managed" stage of internal audit maturity. This stage indicates a well-established internal audit function that is integrated into the organization's governance framework and plays a proactive role in risk management and strategic decision-making. References:

The IIA’s Maturity Model for the Internal Audit Activity.

The IIA’s Practice Guide on Internal Audit’s Role in Governance, Risk, and Control.

When an internal auditor finds that the incidents of noncompliance exceed the organization's acceptable tolerance level, this should be included in the final engagement report. In this case, the 8 out of 90 desks found with sensitive information represent an 8.9% noncompliance rate, which exceeds the organization's tolerance limit of 4%. Reporting this observation in the final engagement report ensures that management is informed and can take necessary corrective actions to address the noncompliance.

References:

IIA Standards: 2410 - Criteria for Communicating

IIA Practice Guide: Reporting and Monitoring

During the planning stage of an assurance engagement, internal auditors should focus their attention on identifying and assessing inherent risks. Inherent risk is the risk of a material misstatement or noncompliance due to error or fraud that could occur before any controls are applied. Understanding inherent risk is crucial as it helps auditors identify areas that may need more extensive testing and ensures that audit resources are appropriately allocated to the highest risk areas.

References:

The Institute of Internal Auditors (IIA) Practice Guide: Assessing the Adequacy of Risk Management Using ISO 31000

IIA Standard 2010 - Planning

According to the IIA guidance, sufficient information is defined as information that is factual, adequate, and convincing. This means that the information gathered during an audit must be based on verifiable facts, must be enough to form a reasonable conclusion, and must be persuasive enough to support the audit findings and recommendations. Ensuring information meets these criteria is essential for the credibility and reliability of the audit process.

References:

IIA Standard 2310: "Identifying Information"

IIA Practice Advisory 2310-1: "Identifying Information"