• Home
• IIA Exams
• IIA-CIA-Part1 - CIA Part 1 - Essentials of Internal Auditing

IIA-CIA-Part1 IIA Practice Test Questions and Exam Dumps

Question 1:

The top three sales representatives for a company consistently include non-allowable charges on their expense reports. Line management is reluctant to deny reimbursement of the charges for fear of losing the sales representatives. This situation has the greatest negative impact on which of the following internal control components?

A. Monitoring
B. Control environment
C. Information and communication
D. Control activities

Answer: B

Explanation:

The situation described in the question involves a conflict where sales representatives are including non-allowable charges in their expense reports, and line management is reluctant to deny reimbursement due to fear of losing these key employees. This lack of action directly affects the control environment, which is one of the five key components of internal control as defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Let’s break down the rationale for B being the correct answer:

• B. Control environment: The control environment refers to the overall attitude, awareness, and actions of employees, management, and the board of directors regarding the importance of internal controls. It encompasses the company’s ethical culture, its commitment to integrity, and the willingness of management to enforce policies and procedures. In this case, the reluctance of line management to deny reimbursement of non-allowable charges, despite knowing it is wrong, demonstrates a weakness in the control environment. The sales representatives are aware that their behavior won’t be corrected, and management is not enforcing the rules, which undermines the tone at the top and creates a poor control environment.

Now, let’s review why the other options are less applicable:

• A. Monitoring: Monitoring refers to the ongoing assessments of the internal control system’s performance to ensure its effectiveness. While the failure to monitor the expense reports properly could be a contributing factor, the primary issue here is the unwillingness to act on known issues, which relates more directly to the control environment. Monitoring focuses more on the detection and review processes rather than the organizational culture or management's response to unethical behavior.

• C. Information and communication: Information and communication pertain to the systems in place to ensure that relevant information is communicated effectively across the organization. While this issue might involve a lack of proper communication, the key concern here is the decision not to enforce policies, which points to a deeper issue with the control environment rather than communication systems.

• D. Control activities: Control activities refer to the specific actions and procedures put in place to mitigate risks and ensure that the organization’s internal controls are being followed. Although the failure to deny the reimbursement could be seen as a breakdown in control activities, the underlying problem is that line management is not enforcing the controls due to concerns over losing top salespeople, which affects the control environment more than the control activities themselves.

In conclusion, the situation primarily affects the control environment, as it reflects a weakness in the ethical tone set by management and a failure to maintain integrity in the enforcement of company policies. Therefore, the correct answer is B.

Question 2:

Which of the following factors affects the control risk of a company?

A. Potential problems like technological obsolescence.
B. Unusual pressures on management.
C. Complex accounts that require expert valuations.
D. Segregation of duties.

Answer: D

Explanation:

In auditing and risk assessment, control risk is the risk that a company's internal controls will fail to prevent or detect material misstatements in financial reporting on a timely basis. It is one of the three components of the audit risk model, alongside inherent risk and detection risk. Control risk focuses specifically on the effectiveness of a company’s internal control systems, such as policies, procedures, and practices that ensure reliable financial reporting and compliance.

To understand which factor affects control risk, let’s evaluate each of the options:

A. Potential problems like technological obsolescence

Incorrect. This factor is more relevant to inherent risk than control risk. Inherent risk is the susceptibility of an assertion to a misstatement due to error or fraud, before considering any related controls. Issues like technological obsolescence, complex products, or volatile markets are examples of conditions that increase inherent risk, because they are naturally more prone to errors regardless of internal controls.

B. Unusual pressures on management

Incorrect. While this could increase the risk of fraud, it again relates more to inherent risk or fraud risk rather than control risk. Unusual pressures, such as the need to meet earnings targets or secure financing, can incentivize management to override controls or misrepresent information, but this pressure itself doesn’t affect the design or implementation of the controls. It is an environmental or circumstantial factor affecting risk, not a characteristic of the control system.

C. Complex accounts that require expert valuations

Incorrect. This also increases inherent risk, not control risk. Complex accounts—such as financial instruments, pensions, or goodwill valuations—are inherently risky due to the high level of judgment and estimation required. While effective controls may mitigate some of that risk, the complexity itself relates more to the nature of the account rather than the strength or weakness of internal controls.

D. Segregation of duties

Correct. Segregation of duties is a critical internal control designed to prevent or detect errors and fraud by ensuring that no single individual has control over all aspects of a financial transaction. For example, separating responsibilities for authorizing transactions, recording them, and maintaining custody of the related assets reduces the risk of misappropriation and misstatement. If segregation of duties is strong, control risk is reduced. Conversely, if duties are not properly segregated, the control risk increases significantly. Auditors pay close attention to whether key controls like segregation of duties are in place and functioning effectively.

Only segregation of duties directly relates to control risk because it is a fundamental part of a company’s internal control structure. It is a designed control activity that auditors assess to determine the effectiveness of internal controls. The other options relate to inherent risk, which stems from the nature of the business environment or transactions themselves. Therefore, the correct answer is D.

Question 3:

Human resources and payroll are separate departments. Which of the following combinations would provide the best segregation of duties?

A. Human resources personnel add employees, payroll personnel process hours, and human resources personnel deliver paychecks to employees.
B. Human resources personnel add employees, review and submit payroll hours to the payroll department for processing, and deliver paychecks to employees.
C. Human resources personnel add employees, and payroll personnel process hours and enter employee bank account numbers. Paychecks are automatically deposited in the employee's bank account.
D. Payroll personnel add employees and enter employee bank account numbers but process hours only as approved by the human resources department.

Answer: C

Explanation:

The segregation of duties (SoD) is a key principle in internal control that ensures no single individual is responsible for all aspects of a transaction. It aims to prevent errors or fraud by dividing responsibilities among multiple individuals or departments. In the context of human resources and payroll, the goal is to ensure that the authorization (e.g., adding employees), the processing (e.g., payroll calculations), and the delivery (e.g., distributing paychecks or making payments) are handled by separate people or departments to minimize the risk of misappropriation or mistakes.

Now, let’s examine why C provides the best segregation of duties:

• C. Human resources personnel add employees, and payroll personnel process hours and enter employee bank account numbers. Paychecks are automatically deposited in the employee's bank account:
  This combination ensures a clear division of roles. Human resources is responsible for adding employees to the system, while payroll personnel handle the processing of hours and the entering of sensitive financial information such as bank account numbers. The automatic deposit system further limits the risk of human intervention in delivering paychecks. This scenario provides strong segregation because HR is not involved in processing payroll or handling the financial transactions, while payroll is not involved in creating or modifying employee records. It effectively separates the authorization of employee records from the processing of payroll and disbursement of funds.

Now, let's analyze why the other options are less optimal:

• A. Human resources personnel add employees, payroll personnel process hours, and human resources personnel deliver paychecks to employees:
  Although this setup separates the responsibility for adding employees and processing payroll hours, human resources is involved in delivering paychecks. This creates a potential conflict of interest because HR could modify employee data (such as pay rates or bank account details) before delivering paychecks, which weakens the segregation of duties.
  
  

• B. Human resources personnel add employees, review and submit payroll hours to the payroll department for processing, and deliver paychecks to employees:
  While this combination keeps HR from directly processing payroll, the involvement of HR in reviewing and submitting payroll hours introduces a single point of failure for potential errors or fraud, as HR is reviewing the payroll data and can potentially manipulate it. Additionally, HR delivering paychecks increases the chance of improper handling of payroll distributions.

• D. Payroll personnel add employees and enter employee bank account numbers but process hours only as approved by the human resources department:
  In this case, payroll personnel are involved in adding employees and entering sensitive financial details, which is a poor segregation of duties. Payroll personnel should not have the ability to modify employee records. Instead, HR should handle adding employees, and payroll should strictly handle the calculation and payment processes. Having payroll personnel responsible for entering bank details creates a conflict of interest and can lead to fraudulent activities, as they could manipulate financial data.

In conclusion, C is the best option because it ensures a proper segregation of duties between human resources and payroll functions, with minimal risk of conflict or fraud. HR is responsible for employee records, while payroll handles the financial transactions, and automatic deposits further minimize the potential for human error or fraud. Therefore, the correct answer is C.

Question 4:

Which of the following is an appropriate role for the board in governance?

A. Preparing written organizational policies that relate to compliance with laws, regulations, ethics, and conflicts of interest.
B. Ensuring that financial statements are understandable, transparent, and reliable.
C. Assisting the internal audit activity in performing annual reviews of governance.
D. Working with the organization's attorneys to develop a strategy regarding current litigation, pending litigation, or regulatory proceedings governance.

Answer: B

Explanation:

Corporate governance refers to the system of rules, practices, and processes by which a company is directed and controlled. At the heart of this structure is the board of directors, whose key responsibility is to provide oversight and strategic guidance to management, ensuring that the organization acts in the best interest of stakeholders. One of the most critical areas of this oversight is ensuring the integrity and transparency of financial reporting.

Let’s examine each option to determine which aligns best with the board’s governance responsibilities:

A. Preparing written organizational policies that relate to compliance with laws, regulations, ethics, and conflicts of interest

Incorrect. While these topics are certainly important to governance, preparing written policies is generally considered a management function. The board of directors is responsible for overseeing these policies, ensuring they are in place, effectively implemented, and aligned with the organization's objectives and values. However, writing or drafting policies falls more appropriately under senior management’s responsibilities, not the board's.

B. Ensuring that financial statements are understandable, transparent, and reliable

Correct. This is a core governance responsibility of the board of directors, often exercised through the audit committee. Boards are expected to provide oversight of financial reporting, ensuring that the financial statements accurately reflect the organization’s financial position and are free from material misstatement, whether due to fraud or error. The board's role here includes ensuring transparency, accountability, and reliability of the financial information used by stakeholders, which is essential for sound decision-making and maintaining investor confidence.

C. Assisting the internal audit activity in performing annual reviews of governance

Incorrect. While the board may review and respond to internal audit findings, it does not assist in performing audits or reviews. The internal audit function is independent and typically reports directly to the board (often via the audit committee) to maintain objectivity. The board’s role is to oversee the internal audit function, ensure adequate resourcing, and use its findings to improve governance—not to actively participate in audit reviews.

D. Working with the organization's attorneys to develop a strategy regarding current litigation, pending litigation, or regulatory proceedings

Incorrect. Developing legal strategies is typically the role of management and legal counsel. While the board may be informed about significant legal matters and might be involved in high-risk or high-impact decisions, it does not generally work directly with attorneys to formulate legal strategies. Its role is more about oversight—ensuring that the organization complies with laws and has appropriate legal risk management policies.

The board's appropriate role in governance involves strategic oversight, risk management, and ensuring integrity in financial reporting. Among the options given, the most direct and accurate responsibility of the board is to ensure that financial statements are understandable, transparent, and reliable. This aligns with its duties to shareholders and the broader public to provide trustworthy financial information. Therefore, the correct answer is B.

Question 5:

According to the International Professional Practices Framework, which of the following is the appropriate division of responsibilities for the coordination of internal and external audit efforts?

I. Oversight of Work - Chief audit executive
Coordination of Activities - Senior management

II. Board - Chief audit executive

III. Chief financial officer - Chief audit executive

IV. Board - Chief financial officer

A. I
B. II
C. III
D. IV

Answer: B

Explanation:

The International Professional Practices Framework (IPPF) provides guidance on the roles and responsibilities of various parties in managing internal and external audit functions. The purpose of coordinating these efforts is to avoid duplication of work, ensure effective use of resources, and provide a comprehensive assessment of the organization’s risk and control environment.

Let’s go through each option:

• I. Oversight of Work - Chief audit executive / Coordination of Activities - Senior management:
  This option suggests that the Chief Audit Executive (CAE) should oversee the work of both internal and external audit activities, while senior management should coordinate activities. While the CAE does play an important role in oversight, the coordination of internal and external audits is typically not the responsibility of senior management but rather the Board or the CAE directly. Therefore, this division is not entirely appropriate based on the IPPF’s guidelines.

• II. Board - Chief audit executive:
  This division is correct because, according to the IPPF, the Board has the responsibility for overseeing the overall governance of audit activities. The Chief Audit Executive (CAE) is responsible for overseeing the internal audit function and ensuring coordination with external auditors. This division correctly identifies the roles for oversight (Board) and execution (CAE) of audit functions. The CAE should report to the Board on audit matters, and the coordination between internal and external auditors is facilitated by the CAE in alignment with the Board's governance responsibilities.

• III. Chief financial officer - Chief audit executive:
  While the Chief Financial Officer (CFO) plays a significant role in the financial reporting and internal controls environment, the responsibility for coordinating internal and external audits typically does not rest with the CFO. Instead, it is the responsibility of the Chief Audit Executive in collaboration with the Board. This option does not align with the IPPF’s guidelines, as the CFO’s role is primarily focused on financial operations rather than audit coordination.

• IV. Board - Chief financial officer:
  The Board does have oversight responsibilities, but the Chief Financial Officer (CFO) is not typically responsible for coordinating internal and external audits. The CFO focuses on financial reporting, risk management, and compliance, but audit coordination is more appropriately managed by the Chief Audit Executive. Therefore, this division does not align with the best practices set out by the IPPF.

In conclusion, Option II (Board - Chief audit executive) is the most appropriate division of responsibilities for the coordination of internal and external audit efforts. The Board provides oversight, while the Chief Audit Executive (CAE) is responsible for coordinating the activities of both internal and external auditors. Therefore, the correct answer is B.

Question 6:

According to the Standards, the organizational status of the internal audit activity:

A. Must be sufficient to permit the accomplishment of its audit responsibilities.
B. Is best when the reporting relationship is direct to the board of directors.
C. Requires the board's annual approval of the audit schedules, plans, and budgets.
D. Is guaranteed when the charter specifically defines its independence.

Answer: A

Explanation:

The International Standards for the Professional Practice of Internal Auditing (referred to as "the Standards") published by the Institute of Internal Auditors (IIA) provide guidance on the structure, function, and operations of internal audit activities. One of the foundational components of an effective internal audit function is its organizational status, which refers to its placement within the company’s hierarchy and the nature of its authority, independence, and support.

Let’s analyze each option in detail:

A. Must be sufficient to permit the accomplishment of its audit responsibilities

Correct. According to Standard 1110 – Organizational Independence, the chief audit executive (CAE) must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities effectively. The organizational status must be sufficient to allow internal auditors to access the records, personnel, and physical properties relevant to performing engagements. This status enables internal audit to carry out its mission independently and objectively, which is essential for the credibility and effectiveness of the function.

This concept means that the internal audit function needs enough authority, recognition, and support from senior management and the board to carry out its responsibilities fully, including reporting findings, recommending improvements, and following up on corrective actions.

B. Is best when the reporting relationship is direct to the board of directors

Incorrect. While direct functional reporting to the board (or audit committee) is recommended and strongly encouraged to support independence, the Standards do not mandate that this structure is the only valid one. It is indeed a best practice, as it enhances objectivity and oversight, but the actual requirement is that the status be sufficient to fulfill audit responsibilities—not necessarily that it reports directly to the board in all organizations.

C. Requires the board's annual approval of the audit schedules, plans, and budgets

Incorrect. The Standards recommend that the audit plan be reviewed and approved by the board or audit committee, but they do not require annual approval of all three: schedules, plans, and budgets. This option exaggerates the formal expectations set forth by the Standards. The key requirement is that the board approves the internal audit plan and has oversight—not necessarily over the fine details like budget line items or schedules.

D. Is guaranteed when the charter specifically defines its independence

Incorrect. Although the internal audit charter should clearly state the purpose, authority, and responsibility of the internal audit activity (as required by Standard 1010), simply defining independence in the charter does not guarantee it in practice. Organizational independence is a functional reality, not just a documented aspiration. Independence must be reflected in reporting lines, access to management and records, and actual practice—not just formal wording.

According to the IIA Standards, the internal audit activity must have sufficient organizational status to allow it to operate independently, access necessary information, and report findings without interference. This status is crucial to ensure that the internal audit function can fulfill its mission and responsibilities effectively. Therefore, the correct answer is A.

Question 7:

A high-volume retailer of consumer goods has used point-of-sale data to record sales and update inventory records for several years. When price changes are scheduled, corporate headquarters downloads a price change file to a computer server system at each store. Each store's assistant manager is responsible for checking the server for downloads and running the program that updates the store's price file at the authorized price update time. In comparison with having headquarters initiate the price update centrally, this approach to price updating will most likely:

A. Decrease the risk that customers will be undercharged consistently for sales items.
B. Decrease the risk that item prices will sometimes be inaccurate.
C. Increase the risk that customers will be undercharged consistently for sales items.
D. Increase the risk that item prices will sometimes be inaccurate.

Answer: D

Explanation:

In the scenario described, the price update process requires each store’s assistant manager to manually check for downloads and run the update program. This decentralized approach introduces several risks compared to having corporate headquarters directly initiate price updates for all stores. Let’s break down the potential outcomes of this system:

• A. Decrease the risk that customers will be undercharged consistently for sales items:
  This is unlikely because the decentralized approach increases the risk of errors, such as price updates not being executed correctly or at the right time. Undercharging may occur more frequently if the store’s assistant manager forgets to run the update program or encounters issues with the server or the file download.

• B. Decrease the risk that item prices will sometimes be inaccurate:
  This is also unlikely. Since the responsibility for updating prices lies with the individual store’s assistant manager, there is greater potential for mistakes or delays in the process. This could result in inaccurate pricing, as the store might not receive or apply the correct price file on time, especially in a high-volume environment where there are frequent price changes.

• C. Increase the risk that customers will be undercharged consistently for sales items:
  This is a possible but less likely outcome. The process as described may lead to inconsistent price updates, but it is more likely to increase the risk of inaccurate prices in general, rather than consistently undercharging customers. However, undercharging could still happen if price updates are missed or not executed correctly.

• D. Increase the risk that item prices will sometimes be inaccurate:
  This is the most accurate assessment. The decentralized approach introduces several risks that could lead to inaccurate item prices, including human error, failure to run the update program, or delays in downloading the price change file. Given that each store’s assistant manager is manually responsible for executing the updates, this system introduces more room for mistakes, leading to a higher likelihood that item prices will sometimes be inaccurate.

In conclusion, the approach described most likely increases the risk that item prices will sometimes be inaccurate due to the reliance on individual store managers to carry out the updates. Therefore, the correct answer is D.

Question 8:

An internal auditor is reviewing a new automated human resources system. The system contains a table of pay rates which are matched to the employee job classifications. The best control to ensure that the table is updated correctly for only valid pay changes would be to:

A. Limit access to the data table to management and line supervisors who have the authority to determine pay rates.
B. Require a supervisor in the department, who does not have the ability to change the table, to compare the changes to a signed management authorization.
C. Ensure that adequate edit and reasonableness checks are built into the automated system.
D. Require that all pay changes be signed by the employee to verify that the change goes to a bona fide employee.

Answer: B

Explanation:

In the context of reviewing controls over automated systems, particularly those that involve critical data like pay rates, the most effective approach to ensure that only valid and authorized changes are made is to establish a control that is independent, verifiable, and segregated from the function performing the change. Let's analyze each option through this lens.

A. Limit access to the data table to management and line supervisors who have the authority to determine pay rates

Incorrect. While limiting access is an important preventive control, this option still allows authorized personnel direct access to make changes. This creates the potential for unverified or accidental modifications, especially if the same individuals who determine pay rates can also input them into the system. This lacks segregation of duties, which is a key principle in internal control frameworks. Without independent verification, errors or fraud could go undetected.

B. Require a supervisor in the department, who does not have the ability to change the table, to compare the changes to a signed management authorization

Correct. This is the strongest control among the options because it incorporates two essential internal control principles:

1. Independent verification, where a party separate from those entering the data validates the change.

2. Authorization controls, where changes must be based on documented and signed approvals.

By ensuring that someone who cannot modify the data is responsible for reviewing and confirming the legitimacy of changes, the organization significantly reduces the risk of unauthorized or incorrect updates. This provides a deterrent against fraud, supports accountability, and ensures compliance with HR policies.

C. Ensure that adequate edit and reasonableness checks are built into the automated system

Incorrect. While system checks (like edit and reasonableness validations) are good preventive controls, they are not enough to ensure that changes are valid and authorized. Such checks may catch out-of-range values or format errors, but they will not detect if an authorized person changed a pay rate without proper approval. Thus, while useful, this control alone doesn't address the authorization aspect.

D. Require that all pay changes be signed by the employee to verify that the change goes to a bona fide employee

Incorrect. This control focuses more on employee verification, not on the validity or authorization of the pay rate change. Employees generally do not authorize their own pay; that’s the responsibility of HR or management. Requiring employee signatures does little to prevent errors or fraud in pay rate entries and might even introduce privacy or workflow inefficiencies without adding real control value.

The most effective control to ensure that only valid pay changes are made is to implement a process that includes independent review of changes against authorized documentation, carried out by someone who cannot directly alter the system data. This control mitigates both errors and potential fraud, supports a sound internal control environment, and ensures that changes are made with appropriate oversight. Therefore, the correct answer is B.

Question 9:

According to the International Professional Practices Framework, internal auditors should possess which of the following competencies?

 I. Proficiency in applying internal auditing standards, procedures, and techniques.
II. Proficiency in accounting principles and techniques.
III. An understanding of management principles.
IV. An understanding of the fundamentals of economics, commercial law, taxation, finance, and quantitative methods.

A. I only
B. II only
C. I and III only
D. I, III, and IV only

Answer: D

Explanation:

The International Professional Practices Framework (IPPF), developed by the Institute of Internal Auditors (IIA), defines the core principles and standards for internal audit professionals. It outlines the essential competencies that internal auditors should possess to perform their duties effectively, ethically, and with the appropriate level of professional care.

Let’s examine each of the listed competencies:

• I. Proficiency in applying internal auditing standards, procedures, and techniques:
  This is fundamental to the internal auditor’s role. According to the IPPF, internal auditors must demonstrate proficiency in using internal auditing methodologies, which include understanding the International Standards for the Professional Practice of Internal Auditing, as well as effectively applying auditing tools and techniques. This competency is essential and is clearly required by the framework.

• II. Proficiency in accounting principles and techniques:
  While internal auditors should have an understanding of accounting, proficiency in accounting is not a universally required competency under the IPPF, particularly for auditors who are not focused on financial audits. Internal audit is a broader function than just financial review, and professionals from various backgrounds (e.g., IT, operations, compliance) may be involved. Therefore, this item does not accurately reflect a requirement for all internal auditors and is not as universally applicable as the others.

• III. An understanding of management principles:
  This is a required competency. Internal auditors are expected to assess and advise on risk management, governance, and control processes, all of which require an understanding of how organizations are managed. This includes organizational behavior, strategic planning, and general management theory. The IPPF recognizes this as an important area of knowledge for internal auditors.

• IV. An understanding of the fundamentals of economics, commercial law, taxation, finance, and quantitative methods:
  The IPPF also recognizes that internal auditors should have a foundational understanding of business-related disciplines that can impact organizational performance and risk. These areas support auditors in analyzing operational effectiveness and compliance with laws and regulations. While deep expertise in each area isn't necessary, a broad understanding is considered an important competency.

• I is absolutely essential and directly stated in the IPPF.

• III and IV are both recognized by the IPPF as areas in which internal auditors should be competent to understand and assess a wide range of business and operational issues.

• II, while important in some contexts (particularly financial audits), is not universally required to the level of proficiency stated here.

Therefore, the correct answer, which best reflects the IPPF’s guidance on internal auditor competencies, is D.

Question 10:

Which of the following is not an appropriate role for internal auditors after a disaster occurs?

A. Monitor the effectiveness of the recovery and control of operations.
B. Correct deficiencies of the entity's business continuity plan.
C. Recommend future improvements to the entity's business continuity plan.
D. Assist in the identification of lessons learned from the disaster and the recovery operations.

Answer: B

Explanation:

Internal auditors play an essential role in providing independent assurance and advisory services to management and the board, especially after disruptive events such as disasters. However, their activities must remain within the scope of independence, objectivity, and oversight—as outlined by the International Professional Practices Framework (IPPF) and the IIA’s Standards. Internal auditors evaluate and advise, but they do not execute or manage operational responsibilities.

Let's review each option to identify which one falls outside the appropriate role for internal audit:

A. Monitor the effectiveness of the recovery and control of operations

Appropriate. This is fully aligned with internal audit’s responsibility to provide assurance on whether key processes and controls are functioning effectively. After a disaster, auditors may review how well the business continuity and disaster recovery plans were executed, determine whether operations were properly restored, and assess how internal controls functioned during the recovery phase. Monitoring effectiveness is consistent with their oversight and evaluation role.

B. Correct deficiencies of the entity's business continuity plan

Not appropriate. This is the correct answer because it violates a core principle of internal auditing: maintaining independence from management activities. Correcting deficiencies implies that internal auditors are actively modifying, designing, or implementing controls, which compromises their objectivity and could impair future audit effectiveness. According to IIA Standard 1100 – Independence and Objectivity, internal auditors must not assume management responsibilities, such as correcting problems or owning business processes.

While auditors can and should identify deficiencies and recommend improvements, it is the responsibility of management (such as the business continuity team, IT, or risk management function) to implement corrective actions. If internal auditors take part in executing those corrections, they cannot later independently evaluate whether those corrections were effective.

C. Recommend future improvements to the entity's business continuity plan

Appropriate. Recommending enhancements is a natural advisory function of internal audit. After reviewing the effectiveness of the disaster response, auditors often provide feedback and suggestions for strengthening future readiness. This maintains the balance between being helpful and independent, without taking over operational roles.

D. Assist in the identification of lessons learned from the disaster and the recovery operations

Appropriate. Participating in post-mortem analyses and lessons-learned workshops is a reasonable and valuable internal audit activity. It allows auditors to contribute insights based on observations and evidence gathered during their evaluation, and supports continuous improvement. This is part of their role in promoting effective governance, risk management, and control.

Internal auditors are expected to provide independent assurance and advisory support, not to correct or manage the systems and controls they evaluate. While they can monitor, recommend, and assist in learning from incidents, actually correcting deficiencies crosses the line into management responsibility, which is inconsistent with the Standards and compromises independence. Therefore, the correct answer is B.