CIA Cheat Sheet 2026
The 30 highest-yield CIA facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
125 questions
150 min time limit
60% to pass
- What continuing education requirement supports estate planning competence? → Ongoing education in regulatory changes, market developments, and best practices
- Which of the following is the most common type of occupational fraud according to the ACFE Report to the Nations? → Asset misappropriation
- A CIA examiner reviewing a company's IT controls finds that system administrators also perform end-user functions. This is an example of a failure in: → Segregation of duties
- In evaluating IT general controls, which test procedure would an internal auditor most likely use to assess user access management? → Reviewing a listing of user accounts and comparing to HR termination records
- How should risk assessment performance be reported to clients? → Provide accurate, complete, and timely performance reporting with appropriate benchmarks
- In IT auditing, what does 'segregation of duties' within the IT function typically require? → Separation of system development, operations, and security roles
- What should an accountant do when facing an ethical dilemma? → Refer to the code of ethics and seek guidance
- During audit planning, what must the auditor assess? → Risk of Material Misstatement
- An employee who steals cash before it is recorded in the accounting system is committing which type of fraud? → Skimming
- What is a closing entry? → Transferring temporary account balances
- Confidentiality in accounting requires that professionals: → Protect sensitive information unless required by law
- What regulatory compliance requirement applies to financial planning? → Full compliance with all applicable federal, state, and industry regulations
- How should tax strategies performance be reported to clients? → Provide accurate, complete, and timely performance reporting with appropriate benchmarks
- Under the Sarbanes-Oxley Act (SOX), which section requires management to assess and report on the effectiveness of internal controls over financial reporting? → Section 404
- In an IT audit, a 'segregation of duties' weakness most commonly occurs when a single user can both: → Initiate transactions and approve them
- In a well-designed corporate governance structure, which of the following relationships best reflects sound practice? → The audit committee provides independent oversight of both internal and external auditors
- What is the purpose of a trial balance? → To ensure debits equal credits
- Which internal control activity involves management comparing actual results to budgets or forecasts? → Performance Reviews
- Which control activity is specifically designed to prevent a single employee from both authorizing and recording transactions? → Segregation of duties
- Under accrual accounting, when are revenues recognized? → When goods are shipped or services rendered
- What does 'RPO' stand for in business continuity planning, and what does it measure? → Recovery Point Objective; the maximum tolerable data loss measured in time
- Which fraud detection method relies on the statistical principle that in naturally occurring datasets, leading digits follow a predictable distribution? → Benford's Law
- What is considered a conflict of interest in accounting? → Auditing a company you own shares in
- What is the purpose of a business continuity plan (BCP) from an IT audit perspective? → Enable the organization to continue critical operations after a disruptive event
- Which of the following best describes 'tone at the top' in the context of fraud prevention? → The ethical culture and values modeled by senior leadership and the board
- According to the fraud triangle, which three elements must be present for fraud to occur? → Pressure, opportunity, and rationalization
- What regulatory compliance requirement applies to investment analysis? → Full compliance with all applicable federal, state, and industry regulations
- When assessing IT controls for SOX compliance, an internal auditor must evaluate controls over: → All IT systems that have a material impact on financial reporting
- Which of the following best describes a 'data dictionary' in the context of IT general controls? → A repository defining the structure, format, and relationships of data elements
- A 'fictitious vendor' scheme is best detected by: → Matching vendor addresses and bank accounts against employee records
Turn these facts into recall: