CIA Cheat Sheet 2026

The 30 highest-yield CIA facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

125 questions
150 min time limit
60% to pass
  1. What continuing education requirement supports estate planning competence? Ongoing education in regulatory changes, market developments, and best practices
  2. Which of the following is the most common type of occupational fraud according to the ACFE Report to the Nations? Asset misappropriation
  3. A CIA examiner reviewing a company's IT controls finds that system administrators also perform end-user functions. This is an example of a failure in: Segregation of duties
  4. In evaluating IT general controls, which test procedure would an internal auditor most likely use to assess user access management? Reviewing a listing of user accounts and comparing to HR termination records
  5. How should risk assessment performance be reported to clients? Provide accurate, complete, and timely performance reporting with appropriate benchmarks
  6. In IT auditing, what does 'segregation of duties' within the IT function typically require? Separation of system development, operations, and security roles
  7. What should an accountant do when facing an ethical dilemma? Refer to the code of ethics and seek guidance
  8. During audit planning, what must the auditor assess? Risk of Material Misstatement
  9. An employee who steals cash before it is recorded in the accounting system is committing which type of fraud? Skimming
  10. What is a closing entry? Transferring temporary account balances
  11. Confidentiality in accounting requires that professionals: Protect sensitive information unless required by law
  12. What regulatory compliance requirement applies to financial planning? Full compliance with all applicable federal, state, and industry regulations
  13. How should tax strategies performance be reported to clients? Provide accurate, complete, and timely performance reporting with appropriate benchmarks
  14. Under the Sarbanes-Oxley Act (SOX), which section requires management to assess and report on the effectiveness of internal controls over financial reporting? Section 404
  15. In an IT audit, a 'segregation of duties' weakness most commonly occurs when a single user can both: Initiate transactions and approve them
  16. In a well-designed corporate governance structure, which of the following relationships best reflects sound practice? The audit committee provides independent oversight of both internal and external auditors
  17. What is the purpose of a trial balance? To ensure debits equal credits
  18. Which internal control activity involves management comparing actual results to budgets or forecasts? Performance Reviews
  19. Which control activity is specifically designed to prevent a single employee from both authorizing and recording transactions? Segregation of duties
  20. Under accrual accounting, when are revenues recognized? When goods are shipped or services rendered
  21. What does 'RPO' stand for in business continuity planning, and what does it measure? Recovery Point Objective; the maximum tolerable data loss measured in time
  22. Which fraud detection method relies on the statistical principle that in naturally occurring datasets, leading digits follow a predictable distribution? Benford's Law
  23. What is considered a conflict of interest in accounting? Auditing a company you own shares in
  24. What is the purpose of a business continuity plan (BCP) from an IT audit perspective? Enable the organization to continue critical operations after a disruptive event
  25. Which of the following best describes 'tone at the top' in the context of fraud prevention? The ethical culture and values modeled by senior leadership and the board
  26. According to the fraud triangle, which three elements must be present for fraud to occur? Pressure, opportunity, and rationalization
  27. What regulatory compliance requirement applies to investment analysis? Full compliance with all applicable federal, state, and industry regulations
  28. When assessing IT controls for SOX compliance, an internal auditor must evaluate controls over: All IT systems that have a material impact on financial reporting
  29. Which of the following best describes a 'data dictionary' in the context of IT general controls? A repository defining the structure, format, and relationships of data elements
  30. A 'fictitious vendor' scheme is best detected by: Matching vendor addresses and bank accounts against employee records
Turn these facts into recall: