Certified Internal Auditor (CIA) Part 2: Practice of Internal Auditing — Question 170

An internal audit activity is planning its first audit of IT shared services. Which of the following controls would typically be evaluated first?

Answer options

• A. Entity-level controls.
• B. Application controls.
• C. General controls.
• D. Transaction controls.

Correct answer: A

Explanation

Entity-level controls are foundational controls that affect the organization as a whole and set the tone for all other controls. They are typically evaluated first because they provide the framework for the effectiveness of other control types. The other options, while important, are usually assessed after entity-level controls to ensure that the overarching governance and risk management are in place.