Pass IIA-CIA-Part2 Exam Guide

According to IIA guidance, a chief audit executive (CAE) may request external consultants to complement internal audit activity (IAA) resources when the audit universe is extensive and diverse. This justifies the need for additional expertise and resources that the internal team may not possess, ensuring comprehensive coverage and effective audit processes. External consultants can bring specialized skills and knowledge, enhancing the internal audit activity's ability to address a broad range of risks and issues within the organization. References: IIA Standard 1210 – Proficiency, IIA Practice Advisory 1210.A1-1

A. Decline the audit engagement, because the Standards prohibit internal auditors from performing engagements where they lack the necessary competencies:The Standards allow for outsourcing or co-sourcing to meet competency gaps. Declining outright is not necessary.

B. Accept the audit engagement and use the engagement as an opportunity to develop the audit team’s IT expertise while performing the audit work:This approach risks compromising audit quality as the team lacks expertise.

C. Temporarily hire an experienced and knowledgeable IT analyst from the organization's IT department to lead the audit:This could create independence issues, as the IT analyst is part of the auditee’s function.

D. Outsource the audit engagement to a reputable IT audit consulting firm:Correct. Outsourcing ensures that the engagement is performed by qualified professionals, maintaining quality and adherence to the Standards.

CIA Exam Syllabus Reference:

Domain IV: Managing the Internal Audit Function – Resourcing and Competency Management.

The chief audit executive (CAE) is responsible for ensuring that the conclusions reached by the external service provider are adequately supported. While the audit committee approves the audit plan and the CEO may approve the engagement of external service providers, it is the CAE's responsibility to oversee the entire audit process, including the quality and substantiation of the conclusions and recommendations made by the external auditors. References:

The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards), specifically Standard 1312 - External Assessments.

The IIA’s Practice Guide on Outsourcing and Cosourcing of Internal Audit Activities.

The internal audit activity's role in regard to the organization's risk management program includes ensuring that a proper and effective risk management process is in place. This involves evaluating the risk management processes and providing assurance that risks are identified and managed effectively. The internal audit activity should not be responsible for managing risks (Option A), but should ensure there is a systematic process (Option B). Attaining an adequate understanding of key mitigation strategies (Option C) and identifying appropriate controls (Option D) are part of the audit process, but ensuring the existence of a proper process is the primary responsibility. References: IIA Standard 2120 – Risk Management