Free IIA IIA-CIA-Part3 Practice Exam with Questions & Answers | Set: 4

When multiple organizations co-own shopping malls, their primary strategy is to increase market synergy, meaning they combine resources and expertise to enhance market presence, attract more customers, and improve competitive positioning.

(A) To exploit core competence.

Incorrect: Core competencies refer to unique internal capabilities, whereas co-owning shopping malls is a collaborative market strategy.

(B) To increase market synergy. (Correct Answer)

Market synergy occurs when businesses collaborate to create greater market impact than they could individually.

Shared ownership enhances customer traffic, brand reach, and business opportunities.

IIA Standard 2110 – Governance highlights the importance of strategic partnerships in achieving synergy.

(C) To deliver enhanced value.

Incorrect: While value is a benefit, the main goal of co-ownership is strategic market advantage and synergy.

(D) To reduce costs.

Incorrect: Cost reduction may be a secondary benefit, but the primary goal is market synergy through shared resources and customer base expansion.

IIA Standard 2110 – Governance: Encourages strategic collaborations for business growth.

COSO ERM – Strategy and Objective-Setting: Highlights market synergy as a key factor in strategic partnerships.

Analysis of Each Option:IIA References Supporting the Answer:Thus, the correct answer is (B) because co-ownership of shopping malls primarily aims to increase market synergy, allowing organizations to leverage shared resources and customer networks for greater market impact.

Manufacturing costs are classified into three main categories: direct materials, direct labor, and manufacturing overhead. These categories help organizations determine product costs, pricing strategies, and financial reporting.

Why Option B (Overhead costs, direct labor, direct materials) is Correct:

Direct materials: Raw materials used directly in production (e.g., wood for furniture).

Direct labor: Labor costs directly tied to production (e.g., factory workers assembling a product).

Manufacturing overhead: Indirect costs related to production (e.g., depreciation, factory utilities, maintenance).

These categories align with GAAP, IFRS, and cost accounting standards.

Why Other Options Are Incorrect:

Option A (Direct materials, indirect materials, raw materials):

"Indirect materials" and "raw materials" are part of manufacturing overhead and direct materials, respectively, but do not form a primary cost classification.

Option C (Direct materials, direct labor, depreciation on factory buildings):

Depreciation on factory buildings is an overhead cost, not a separate category.

Option D (Raw materials, factory employees' wages, production selling expenses):

Selling expenses are not part of manufacturing costs; they are part of operating expenses.

IIA Practice Guide – Auditing Cost Management: Defines manufacturing cost classifications.

IFRS & GAAP Cost Accounting Standards: Outline manufacturing cost components.

COSO Framework – Cost Control Guidelines: Emphasizes accurate cost allocation in financial reporting.

IIA References:

A database administrator (DBA) should not perform duties that compromise segregation of duties (SoD). A conflict arises when a DBA has both design and security responsibilities, as this creates a risk of unauthorized changes, fraud, or data breaches.

(A) Designing and maintaining the database.

Incorrect: These tasks are related but do not create a major conflict, as maintenance follows the design phase.

(B) Preparing input data and maintaining the database.

Incorrect: While data preparation is typically a business function, maintaining the database does not create a direct security risk.

(C) Maintaining the database and providing its security.

Incorrect: Maintenance involves technical upkeep, and while security controls are crucial, they do not inherently conflict.

(D) Designing the database and providing its security. (Correct Answer)

A DBA responsible for both design and security could create backdoors or override security settings, leading to potential data manipulation or fraud.

IIA Standard 2120 – Risk Management requires proper control segregation to prevent fraud and security risks.

IIA GTAG 4 – Management of IT Auditing recommends separation of design, security, and administration functions to minimize risks.

IIA Standard 2120 – Risk Management: Encourages proper separation of duties to mitigate risks.

IIA GTAG 4 – Management of IT Auditing: Recommends strict control over database access and security roles.

Analysis of Each Option:IIA References Supporting the Answer:Thus, the correct answer is (D) because combining database design and security responsibilities creates a significant conflict of interest, increasing security risks.

Two-level (or multi-factor) authentication (MFA) is the most efficient and effective security control for authenticating customers when accessing online shopping accounts. It provides an extra layer of security beyond just passwords, making it more difficult for unauthorized users to gain access.

Stronger Authentication – It requires two independent verification methods, such as:

Something you know (password, PIN)

Something you have (one-time code, mobile device, smart card)

Something you are (biometric feature)

Reduces Risk of Credential Theft – Even if hackers obtain a user's password, they still need the second factor to gain access.

Meets Regulatory Standards – Many cybersecurity frameworks (NIST, ISO 27001, PCI-DSS) recommend or mandate MFA for customer authentication.

Enhanced Customer Trust – Provides users with better security, reducing risks of fraud or account takeovers.

A. 12-digit password feature – Longer passwords improve security, but they can still be compromised through phishing or brute force attacks.

B. Security question feature – These are often weak because users choose predictable answers (e.g., mother's maiden name).

C. Voice recognition feature – Biometric authentication is useful, but voice recognition can be bypassed using deepfake or recorded audio.

IIA’s GTAG (Global Technology Audit Guide) on Information Security Management – Recommends multi-factor authentication for access control.

IIA’s International Professional Practices Framework (IPPF) – Standard 2110.A2 – Highlights the need for strong security controls to protect customer data.

NIST SP 800-63 (Digital Identity Guidelines) – Encourages multi-factor authentication as a best practice for securing user accounts.

Why Two-Level Sign-On (MFA) Is the Best Choice?Why Not the Other Options?IIA References:✅ Final Answer: D. Two-level sign-on feature (Most effective for online customer authentication).

===============

E-commerce transactions involve multiple security layers to ensure the protection of customers' sensitive financial information. The correct answer is D, as payment gateways serve as intermediaries that authorize online credit card transactions by securely transmitting the payment details to the bank or card networks for approval. Let’s examine each option carefully:

Option A: HTTP sites provide sufficient security to protect customers' credit card information.

Incorrect. HyperText Transfer Protocol (HTTP) does not provide encryption, meaning that data transmitted over an HTTP connection can be intercepted by malicious actors. Instead, Secure HTTP (HTTPS), which uses Secure Sockets Layer (SSL) or Transport Layer Security (TLS), is required to encrypt the data.

IIA Reference: Internal auditors evaluating e-commerce security should verify that organizations use HTTPS for secure transactions. (IIA GTAG: Information Security Governance)

Option B: Web servers store credit cardholders' information submitted for payment.

Incorrect. While web servers may temporarily process customer data, they should not store sensitive credit card information due to security risks. Instead, organizations follow the Payment Card Industry Data Security Standard (PCI DSS), which mandates secure storage and encryption protocols.

IIA Reference: IIA Standards recommend compliance with PCI DSS to protect sensitive payment information. (IIA Practice Guide: Auditing IT Governance)

Option C: Database servers send cardholders’ information for authorization in clear text.

Incorrect. Transmitting cardholder data in clear text is a severe security vulnerability. Secure encryption protocols such as SSL/TLS or tokenization must be used to protect data in transit.

IIA Reference: Internal auditors should ensure encryption measures are in place for financial transactions. (IIA GTAG: Auditing Cybersecurity Risk)

Option D: Payment gateways authorize credit card online payments.

Correct. Payment gateways act as secure intermediaries between merchants and payment processors, verifying the transaction details before authorization. This ensures a secure transaction by encrypting sensitive data before transmitting it for approval.

IIA Reference: IIA guidance on IT controls emphasizes the importance of secure payment processing through payment gateways. (IIA GTAG: Managing and Auditing IT Vulnerabilities)

To effectively mitigate and manage risks during a crisis, organizations must implement a combination of preventive and reactive measures:

Preventive measures: These are proactive steps taken before a crisis to reduce the likelihood of occurrence (e.g., risk assessments, internal controls, security protocols).

Reactive measures: These are actions taken after a crisis occurs to minimize damage, restore operations, and recover from the event (e.g., business continuity plans, incident response strategies).

(A) Incorrect – Only preventive measures.

While prevention is essential, not all crises can be avoided. Organizations also need response mechanisms.

(B) Incorrect – Alternative and reactive measures.

Alternative measures (e.g., backup systems) are part of risk management, but without prevention, risks may escalate.

(C) Incorrect – Preventive and alternative measures.

Alternative measures (e.g., backup resources) help maintain operations but do not directly address crisis response.

(D) Correct – Preventive and reactive measures.

Best practice in risk management includes both preventing crises and responding effectively when they occur.

IIA’s Global Internal Audit Standards – Crisis Management and Business Resilience

Emphasizes the need for both prevention and response strategies.

COSO’s ERM Framework – Risk Management in Crisis Situations

Recommends a combination of risk avoidance, mitigation, and crisis response.

ISO 22301 – Business Continuity Management

Highlights the importance of preventive controls and reactive response planning.

Analysis of Answer Choices:IIA References and Internal Auditing Standards:

Cybersecurity controls are primarily designed to protect the Confidentiality, Integrity, and Availability (CIA) of data. These are the three fundamental principles of cybersecurity and are essential for protecting organizational information assets. Let’s analyze each option:

Option A: Veracity, velocity, and variety.

Incorrect. These attributes are commonly associated with big data and data analytics rather than cybersecurity. Cybersecurity controls focus on ensuring that data is secure, rather than on its volume, speed, or diversity.

IIA Reference: Cybersecurity risk management frameworks emphasize the CIA triad over big data attributes. (IIA GTAG: Auditing Cybersecurity Risk)

Option B: Integrity, availability, and confidentiality.

Correct. These three principles are at the core of cybersecurity:

Confidentiality: Ensures that sensitive information is only accessible to authorized individuals.

Integrity: Protects data from unauthorized modifications or corruption.

Availability: Ensures that data and systems are accessible when needed.

IIA Reference: The IIA’s guidance on IT governance highlights the CIA triad as the foundation of cybersecurity. (IIA GTAG: Information Security Governance)

Option C: Accessibility, accuracy, and effectiveness.

Incorrect. While these attributes are important in data management and usability, they do not directly define cybersecurity controls.

Option D: Authorization, logical access, and physical access.

Incorrect. While these are essential security components, they fall under broader IT security measures rather than forming the fundamental principles of cybersecurity.

When reporting internal audit findings related to Enterprise Resource Planning (ERP) systems, IT audit findings must be relevant to business objectives. Business leaders may not fully understand technical IT risks, so reports should translate IT risks into business impacts to ensure actionable decision-making.

(A) Draft separate audit reports for business and IT management.

Incorrect: Fragmenting reports could create misalignment, reducing the effectiveness of integrated risk management.

(B) Connect IT audit findings to business issues. (Correct Answer)

IT auditors should explain how IT risks impact operations, financial reporting, and strategic goals.

IIA Standard 2410 – Criteria for Communicating requires audit findings to be clear, relevant, and actionable for all stakeholders.

IIA GTAG 8 – Auditing Application Controls emphasizes aligning IT controls with business risks.

(C) Include technical details to support IT issues.

Incorrect: While technical details help IT teams, business executives need risk-based insights, not just technical specifics.

(D) Include an opinion on financial reporting accuracy and completeness.

Incorrect: While ERP systems impact financial data, IT auditors should focus on system risks, not directly on financial reporting opinions (which is the role of financial auditors).

IIA Standard 2410 – Criteria for Communicating: Requires clear and business-relevant communication of audit findings.

IIA GTAG 8 – Auditing Application Controls: Advises IT auditors to relate technical risks to business objectives.

Analysis of Each Option:IIA References Supporting the Answer:Thus, the correct answer is (B) because IT audit findings should be framed in a way that connects technical risks to business implications, making them more relevant to management.

Transfer pricing regulations aim to prevent tax evasion and ensure that intercompany transactions reflect fair market value, preventing profit shifting to low-tax jurisdictions. Selling inventory at fair value (arm’s length price) aligns with regulatory requirements, reducing the risk of non-compliance.

(A) Correct – The organization sells inventory to an overseas subsidiary at fair value.

Ensuring that transactions reflect fair market value prevents regulatory violations.

Adhering to the arm’s length principle minimizes transfer pricing risks and potential tax penalties.

(B) Incorrect – The local subsidiary purchases inventory at a discounted price.

A discounted price could be seen as an attempt to shift profits between entities, increasing regulatory scrutiny.

(C) Incorrect – The organization sells inventory to an overseas subsidiary at the original cost.

Selling at the original cost does not account for market conditions, potential markup, and fair valuation.

Regulators may view this as non-compliance with the arm’s length principle.

(D) Incorrect – The local subsidiary purchases inventory at the depreciated cost.

Depreciated cost may not represent fair market value and could be interpreted as a tax avoidance mechanism.

IIA’s Global Internal Audit Standards – Compliance with Tax and Transfer Pricing Regulations

Emphasizes fair pricing in intercompany transactions to prevent regulatory violations.

OECD Transfer Pricing Guidelines

Reinforces the arm’s length principle as the standard for pricing related-party transactions.

COSO’s ERM Framework – Compliance Risk Management

Highlights the need for adherence to tax laws and fair-value pricing in financial transactions.

Analysis of Answer Choices:IIA References and Internal Auditing Standards:

The Define, Measure, Analyze, Improve, and Control (DMAIC) methodology is the core framework of Six Sigma, a data-driven process improvement approach that aims to reduce defects, enhance efficiency, and optimize performance.

(A) Correct – Six Sigma.

DMAIC is a structured Six Sigma methodology used for problem-solving and process improvement.

It helps organizations identify inefficiencies, eliminate errors, and standardize processes.

(B) Incorrect – Quality circle.

A quality circle is a group of employees who meet to discuss and resolve work-related issues, but it does not follow the structured DMAIC approach.

(C) Incorrect – Value chain analysis.

Value chain analysis focuses on evaluating business activities to improve competitive advantage, not structured process improvement like Six Sigma.

(D) Incorrect – Theory of constraints.

The Theory of Constraints (TOC) focuses on identifying and eliminating bottlenecks in processes, but it does not use the DMAIC approach.

IIA’s Global Internal Audit Standards – Process Improvement and Risk Management

Emphasizes methodologies like Six Sigma for operational efficiency.

COSO’s ERM Framework – Continuous Improvement and Quality Management

Discusses the role of Six Sigma in improving processes and reducing risks.

IIA’s Guide on Business Process Auditing

Recommends structured approaches such as Six Sigma for evaluating process efficiency.

Analysis of Answer Choices:IIA References and Internal Auditing Standards: