Skip Ribbon Commands
Skip to main content
Global Institute of Internal AuditorsBreadcrumb SeparatorCertificationBreadcrumb SeparatorCCSA CertificationBreadcrumb SeparatorSample Exam Questions

​Certification in Control Self-Assessment® (CCSA®) Sample Exam Questions

Sample Questions
  •   Which is a basic philosophy underlying facilitated workshop approaches to CSA?
    1. Effective control should be a shared responsibility involving all employees.
    2. Internal control should be solely the responsibility of senior management.
    3. Operational personnel should be independently assessing internal control.
    4. The internal audit department should be primarily responsible for internal control evaluations.

    View answer
    1. Correct. Employees at all levels are responsible for internal control and getting together to discuss it in a facilitated workshop reinforces employees' responsibility.
    2. Incorrect. Internal control is a responsibility of senior management, but not solely their responsibility. While senior management is ultimately responsible for overall internal control, choice A is better because it is an underlying philosophy of CSA.
    3. Incorrect. While operational personnel will assess internal control in CSA, their assessments are not considered independent since they perform the work. Internal auditors are often called upon to provide independent assessment of internal control through validation or follow-up of CSA results.
    4. Incorrect. This is not an underlying philosophy of CSA results.
  •   Which phrase best describes a control-based CSA process?
    1. Evaluating, updating, and streamlining selected control processes.
    2. Examining how well controls are working in managing key risks.
    3. Analyzing the gap between control design and control frameworks.
    4. Determining the cost-effectiveness of controls.

    View answer
    1. Incorrect. This phrase best describes a process-based approach, although control processes are not the only processes reviewed in this approach.
    2. Correct. A control-based approach concentrates on how well controls are working to manage risks. The key risks and controls are generally identified before the workshop.
    3. Incorrect. While control design could be compared to control frameworks in a control-based approach, this does not adequately describe the process. A control-based process is more likely to examine the gap between control design and control effectiveness in managing risks.
    4. Incorrect. Cost-effectiveness could be discussed in a control-based CSA workshop, but it is not the primary focus of this process.
  •   Which is not an appropriate action for a CSA facilitator to take?
    1. Keep track of time ensuring the group remains on schedule.
    2. Concentrate on group dynamics and help the group remain focused.
    3. Conduct interviews to gather background information prior to the workshop.
    4. Provide the solutions to address control problems identified by the group.

    View answer
    1. Incorrect. This is an appropriate role of the facilitator.
    2. Incorrect. This is an appropriate role of the facilitator.
    3. Incorrect. This is an appropriate role of the facilitator.
    4. Correct. Facilitators should not offer solutions to control problems identified by the group or force their views on control on the group. The facilitator helps the group create its own solutions.
  •   Vertical integration to reduce supplier risk is an example of which risk technique?
    1. Sharing supplier risk.
    2. Avoiding supplier risk.
    3. Diversifying supplier risk.
    4. Hedging supplier risk.

    View answer
    1. Incorrect. Sharing risk between or among entities involves contractual arrangements (such as insurance).
    2. Correct. By changing the operation from purchasing supplies to making the parts (vertical integration), an entity avoids all the risks of supplier shortages (but then takes on some different risks as a manufacturer). One set of risks is generally eliminated, to be replaced by smaller and different risks.
    3. Incorrect. Diversifying risk (not putting all one's eggs in a single basket) involves setting up multiple processes. This might involve some of choice B and some of choice D.
    4. Incorrect. Hedging risk would involve protecting against loss by counterbalancing one measure against another. This might involve contracting with several suppliers, and therefore choice B would be a better description of the example given.
  •   What is the purpose of a control chart?
    1. To provide a visual summary of the organization's system of controls.
    2. To keep track of the major control concerns facing the organization.
    3. To signal when a process is outside the limits of acceptable variation.
    4. To assign responsibility for various processes to specific employees.

    View answer
    1. Incorrect. A control chart displays results of a process, not the system of controls.
    2. Incorrect. A control chart displays results of a process, not control concerns.
    3. Correct. A control chart is a graph, which displays the results of a process, along with the upper and lower control limits. When the process is outside these limits, it is outside the limits of acceptable variation.
    4. Incorrect. A control chart does not assign responsibility for a process--it simply displays the results of the process.

IMPORTANT! CCMS users go here to prepare for Single Sign On.

Access CCMS

Candidates from the following countries must refer to their local IIA Institute web-site or contact their local representative for more information about local certification processes:


The information contained on this website pertains to all other countries.