Free IIA IIA-CIA-Part3 Practice Exam with Questions & Answers | Set: 8

Understanding Mobile Device Risks in an Organization:

When an organization allows third parties (vendors and visitors) to use outside smart devices to access its proprietary networks and systems, it introduces significant compliance risks.

These risks include violations of regulatory requirements, industry standards, and internal security policies.

Compliance Risks in Smart Device Usage:

Unauthorized Access: External users may bypass security controls, leading to data breaches or regulatory non-compliance (e.g., GDPR, HIPAA, or PCI-DSS violations).

Lack of Encryption and Data Protection: If smart devices access sensitive information without proper security protocols, the organization may fail to comply with industry regulations.

Failure to Enforce Mobile Device Management (MDM): Without proper policy enforcement, organizations risk failing audits and facing penalties.

Why Other Options Are Incorrect:

B. Privacy:

Privacy concerns relate to handling personal data, but in this scenario, the focus is on third-party access risks, which fall under compliance.

C. Strategic:

Strategic risks relate to long-term business objectives, whereas compliance risks are more immediate and regulatory in nature.

D. Physical security:

Physical security deals with preventing unauthorized access to buildings or devices, not cybersecurity risks from external smart devices.

IIA’s Perspective on Compliance and IT Security:

IIA Standard 2110 – Governance emphasizes the need to evaluate IT security risks, including third-party access risks.

IIA GTAG (Global Technology Audit Guide) on IT Risks highlights compliance risks in Bring Your Own Device (BYOD) and third-party access policies.

ISO 27001 Information Security Standard mandates controls to manage external device access risks.

IIA References:

IIA Standard 2110 – Governance and IT Security

IIA GTAG – IT Risks and BYOD Policies

ISO 27001 Information Security Standard

NIST Cybersecurity Framework for Mobile Device Security

Thus, the correct and verified answer is A. Compliance.

A cold site is a disaster recovery option that provides only basic infrastructure (such as power, space, and network connectivity) but does not have pre-installed IT equipment such as servers and storage. Organizations must procure and install servers and restore data before resuming operations, leading to longer recovery times.

Let’s analyze each option:

Option A: Data is synchronized in real-time

Incorrect.

Real-time data synchronization is a feature of hot sites, which have fully operational infrastructure and data replication.

Cold sites do not support real-time synchronization because they lack servers and storage.

Option B: Recovery time is expected to be less than one week

Incorrect.

Cold sites require significant setup time since servers and infrastructure must be procured, configured, and installed.

Recovery time can often exceed one week, depending on the complexity of IT systems.

Option C: Servers are not available and need to be procured

Correct.

A cold site lacks computing hardware (e.g., servers, storage, network devices), meaning the organization must purchase or transport servers to the site before recovery can begin.

IIA Reference: Internal auditors assess disaster recovery strategies, including the limitations of cold sites and their impact on business continuity. (IIA GTAG: Auditing Business Continuity and Disaster Recovery)

Option D: Recovery resources and data restore processes have not been defined.

Incorrect.

Even though a cold site lacks IT infrastructure, the organization still has a disaster recovery plan, which includes predefined recovery steps, resource planning, and data restoration procedures.

Thus, the verified answer is C. Servers are not available and need to be procured.

Understanding the Contracting Process PhasesThe contracting process generally follows these phases:

Initiation Phase: Identifies the need for a contract and sets initial objectives.

Bidding Phase: Potential vendors or partners submit proposals, and negotiations begin.

Development Phase: Contracts are drafted, negotiated, and finalized before execution.

Management Phase: The contract is executed, monitored, and evaluated for compliance.

Why Option C is Correct?

The development phase is where contracts are formally drafted based on agreements made during bidding and negotiation.

This phase includes legal review, compliance verification, and risk assessment, ensuring the contract aligns with business objectives and legal requirements.

IIA Standard 2110 – Governance requires auditors to assess how contract risks are managed, ensuring formal contract development processes.

Why Other Options Are Incorrect?

Option A (Initiation phase):

This phase defines the business need but does not involve drafting contracts.

Option B (Bidding phase):

In this phase, businesses solicit proposals, but contracts are not fully drafted until vendor selection.

Option D (Management phase):

The management phase involves executing and monitoring the contract, not drafting it.

Contracts are drafted during the development phase after vendor selection and before execution.

IIA Standard 2110 supports governance over contract risk and formal agreement processes.

Final Justification:IIA References:

IPPF Standard 2110 – Governance (Contract Risk & Compliance)

COSO ERM – Risk Management in Contracting

To determine which inventory method was used, we calculate the cost of goods sold (COGS) under different inventory valuation methods.

Opening Inventory: 1,000 units @ $2 each = $2,000

Purchased: 5,000 units @ $3 each = $15,000

Total Inventory: 6,000 units

Units Sold: 3,000 at $7 per unit

Reported COGS: $8,500

Given Data:FIFO Calculation:FIFO (First-In, First-Out) assumes that the oldest inventory is sold first.

1,000 units from opening inventory @ $2 = $2,000

2,000 units from purchases @ $3 = $6,000

Total COGS under FIFO: $2,000 + $6,000 = $8,000

Average Cost Calculation:Average cost per unit =

Total Cost of InventoryTotal Units=(2,000+15,000)6,000=17,0006,000=2.83 per unit\frac{\text{Total Cost of Inventory}}{\text{Total Units}} = \frac{(2,000 + 15,000)}{6,000} = \frac{17,000}{6,000} = 2.83 \text{ per unit}Total UnitsTotal Cost of Inventory​=6,000(2,000+15,000)​=6,00017,000​=2.83 per unit

COGS using average cost method: 3,000×2.83=8,4903,000 \times 2.83 = 8,4903,000×2.83=8,490 This is not an exact match to the reported COGS of $8,500.

Since the closest method to the reported value is FIFO ($8,000 vs. $8,500 reported COGS, accounting for possible rounding errors or additional costs), FIFO is the most likely method used.

(A) Average cost method. ❌ Incorrect. The calculated COGS using the weighted average method was $8,490, which does not match exactly with the reported COGS of $8,500.

(B) First-in, first-out (FIFO) method. ✅ Correct. The FIFO method yielded $8,000, which is the closest match to the reported COGS. Minor rounding adjustments or other expenses could explain the difference of $500.

(C) Specific identification method. ❌ Incorrect. This method applies when each inventory item is individually tracked, which is not mentioned in the question.

(D) Activity-based costing method. ❌ Incorrect. Activity-based costing (ABC) is used for overhead allocation and is not a primary inventory valuation method.

IIA GTAG – "Auditing Inventory Management"

IIA Standard 2130 – Control Activities (Inventory and Costing Methods)

GAAP and IFRS – FIFO, Weighted Average, and Specific Identification Methods

Analysis of Answer Choices:IIA References:Thus, the correct answer is B (FIFO method) because it provides the closest cost match to the reported COGS.

Understanding Data Analysis in Internal Auditing

Data analytics enhances audit testing by identifying patterns, anomalies, and high-risk transactions within large datasets.

Advanced analytics tools (e.g., AI, machine learning, continuous auditing) help auditors pinpoint areas of fraud, compliance violations, or operational inefficiencies.

Why Option B is Correct?

Data analysis improves risk assessment by allowing auditors to focus on high-risk areas, such as fraudulent transactions or control weaknesses.

IIA Standard 1220 – Due Professional Care requires auditors to use technology to improve audit effectiveness, including identifying risks.

IIA GTAG (Global Technology Audit Guide) 16 – Data Analytics supports using analytics to enhance risk-based auditing.

Why Other Options Are Incorrect?

Option A (Improves effectiveness of spot check testing techniques):

Data analysis enables continuous and full-population testing, rather than just improving spot checks.

Option C (Reduces the overall scope of the audit engagement):

Analytics refines audit focus but does not necessarily reduce the scope; it may expand testing capabilities.

Option D (Increases the auditor’s objectivity):

Objectivity is an ethical requirement rather than a direct effect of data analysis.

Data analytics enhances internal audit testing by providing deeper insights into high-risk areas.

IIA Standard 1220 and GTAG 16 emphasize data analytics in risk-based auditing.

Final Justification:IIA References:

IPPF Standard 1220 – Due Professional Care

IIA GTAG 16 – Data Analytics in Auditing

COSO Framework – Data-Driven Risk Management

When auditing logical access controls for a workstation, the focus should be on user authentication methods, including:

Password policies (length, complexity, change frequency)

User access rights and permissions

Login activity logs to detect unauthorized access attempts

Correct Answer (B - Reviewing Password Policies and User List for Login Process)

Logical access controls ensure only authorized users can access a workstation.

Reviewing password length, complexity, and change frequency helps assess if security best practices are followed.

Reviewing the list of authorized users ensures that only appropriate personnel have access.

The IIA’s GTAG 9: Identity and Access Management recommends evaluating password policies and user access lists as key control measures.

Why Other Options Are Incorrect:

Option A (Reviewing access badges and room logs):

Physical access controls are important but do not assess logical access (login security, user authentication).

Option C (Reviewing failed access attempts and error messages):

Reviewing failed login attempts identifies security breaches but does not directly assess password policies or user access lists.

Option D (Reviewing unsuccessful passwords and activity logs):

Passwords should not be reviewed due to privacy and security policies. Logs should be checked, but reviewing actual passwords is a security violation.

IIA GTAG 9: Identity and Access Management – Covers password controls and user authentication.

IIA Practice Guide: Auditing IT Security Controls – Recommends reviewing password policies as a key security measure.

Step-by-Step Explanation:IIA References for Validation:Thus, B is the correct answer because reviewing password policies and user lists is essential for auditing logical access controls.

Under the variable costing method, product costs include only costs that vary with production, such as direct materials, direct labor, and variable manufacturing overhead.

(1) Direct labor costs. ✅

Correct. Direct labor is a variable cost directly tied to production levels, making it a product cost under variable costing.

(2) Insurance on a factory. ❌

Incorrect. Factory insurance is a fixed manufacturing overhead cost, which is not treated as a product cost under variable costing. It is considered a period cost instead.

(3) Manufacturing supplies. ✅

Correct. Manufacturing supplies (e.g., lubricants, small tools) are variable costs that increase with production, making them product costs under variable costing.

(4) Packaging and shipping costs. ❌

Incorrect. Packaging and shipping are selling & distribution costs, which are classified as period costs, not product costs.

IIA GTAG – "Auditing Cost Accounting Systems"

IIA Standard 2130 – Control Activities (Cost Management)

GAAP and IFRS Guidelines on Variable Costing

Analysis of Answer Choices:IIA References:Thus, the correct answer is B (1 and 3 only) because direct labor and manufacturing supplies are considered product costs under the variable costing method.

A data privacy policy outlines how an organization collects, stores, processes, and protects personal data. It should comply with global data protection regulations such as GDPR, CCPA, and IIA guidelines on data security.

(1) Stipulations for deleting certain data after a specified period of time. ✅

Correct. Many data protection laws (e.g., GDPR Article 5) require organizations to delete personal data after a defined retention period to reduce data breach risks.

(2) Guidance on acceptable methods for collecting personal data. ✅

Correct. A privacy policy must define legal and ethical ways to collect personal data (e.g., user consent, lawful processing).

(3) A requirement to retain personal data indefinitely to ensure a complete audit trail. ❌

Incorrect. Retaining personal data indefinitely violates most data privacy regulations (e.g., GDPR Right to Be Forgotten). Data must be stored only for as long as necessary.

(4) A description of what constitutes appropriate use of personal data. ✅

Correct. A privacy policy should clearly define how collected data can and cannot be used to prevent misuse and ensure compliance.

IIA GTAG – "Auditing Privacy Risks"

IIA Standard 2110 – Governance (Data Protection & Privacy)

GDPR (General Data Protection Regulation) – Articles 5 & 17 (Data Retention & Deletion)

Analysis of Answer Choices:IIA References:Thus, the correct answer is C (1, 2, and 4 only) because data should not be retained indefinitely, and the policy must include data collection, retention, and appropriate usage guidelines.

Understanding the Call Center Performance Issue:

The key performance indicators (KPIs) show a positive trend, meaning the call center appears to be performing well.

However, customer complaints are increasing, indicating that the KPIs are not accurately reflecting service quality.

This suggests that employees may be prioritizing call quantity over call quality, likely due to pressure to meet call quotas.

Why De-Emphasizing Call Quotas is the Best Solution:

Encourages Quality Over Speed: Reducing the emphasis on call volume allows agents to spend more time resolving customer issues effectively.

Improves Customer Satisfaction: Agents can provide more thorough assistance, reducing repeat calls and complaints.

Aligns KPIs with Service Quality: Shifting focus from quantity-based KPIs to quality-based KPIs ensures performance measurements reflect actual customer experience.

Why Other Options Are Incorrect:

A. Review the call center script used by customer service agents to interact with callers, and update the script if necessary – Incorrect.

While updating scripts may help, it does not address the root issue of employees rushing through calls to meet quotas.

C. Retrain call center staff on area processes and common technical issues that they will likely be asked to resolve – Incorrect.

Training is useful, but if agents are pressured to complete calls quickly, training alone will not resolve the issue.

D. Increase the incentive for call center employees to complete calls quickly and raise the number of calls completed daily – Incorrect.

This would worsen the issue by further incentivizing speed over customer satisfaction, leading to more complaints.

IIA’s Perspective on Performance Metrics and Customer Service Quality:

IIA Standard 2120 – Risk Management requires organizations to ensure that performance metrics align with actual business objectives.

IIA GTAG (Global Technology Audit Guide) on Performance Measurement recommends balancing quantitative KPIs (e.g., call volume) with qualitative KPIs (e.g., customer satisfaction scores).

COSO Internal Control Framework supports adjusting performance incentives to ensure alignment with business objectives.

IIA References:

IIA Standard 2120 – Risk Management & KPI Alignment

IIA GTAG – Performance Metrics in Customer Service

COSO Internal Control Framework – Effective KPI Design

Thus, the correct and verified answer is B. De-emphasize the importance of call center employees completing a certain number of calls per hour.

A Wide Area Network (WAN) is the most suitable type of network for an organization that has operations in multiple cities and countries. WANs connect multiple local area networks (LANs) and other types of networks across long geographical distances, enabling seamless communication and data sharing among remote offices and branches.

A. Wide Area Network (WAN) (Correct Answer)

WANs cover extensive geographical areas, such as multiple cities, countries, or even continents.

They use various communication technologies, including leased lines, satellite connections, VPNs, and MPLS.

WANs enable organizations with distributed operations to centralize data management and enhance business continuity.

Example: An international corporation like a multinational bank or a global retail chain relies on a WAN to link its offices worldwide.

B. Local Area Network (LAN) (Incorrect Answer)

LANs are confined to a small area, such as an office building, factory, or campus.

They provide high-speed connectivity but are not designed for geographically dispersed locations.

Example: A single office using Ethernet and Wi-Fi to connect employees’ devices.

C. Metropolitan Area Network (MAN) (Incorrect Answer)

MANs span a city or a large campus but do not extend to multiple countries.

Example: A city's government agencies using a fiber-optic MAN for interdepartmental communication.

D. Storage Area Network (SAN) (Incorrect Answer)

SANs are dedicated high-speed networks designed for large-scale data storage and retrieval.

They are not meant for interconnecting geographically dispersed locations.

Example: A financial institution using a SAN for high-speed access to critical databases.

The IIA’s Global Technology Audit Guide (GTAG) – IT Risks and Controls emphasizes the importance of network infrastructure in securing and managing organizational data across multiple locations.

IIA Standard 2110 – Governance requires internal auditors to evaluate whether the organization’s IT strategy (including WAN infrastructure) supports business objectives and risk management.

IIA GTAG 17 – Auditing Network Security highlights the importance of WAN security, VPNs, and encryption when managing international operations.

Explanation of Answer Choices:IIA References:Thus, the correct answer is A. Wide Area Network (WAN).

A hot site is a fully operational, ready-to-use backup site that allows an organization to quickly resume business operations after a disaster. For an Internet Service Provider (ISP), maintaining continuous operations is critical, and a hot site ensures minimal downtime by providing pre-configured hardware, software, and network connectivity.

A. On-site – Keeping backups and disaster recovery infrastructure on-site is risky because it can be affected by the same disaster that damaged the primary servers.

B. Cold site – A cold site is a backup location that has infrastructure but lacks pre-installed systems and configurations. It takes significant time to become operational, making it unsuitable for an ISP needing quick recovery.

C. Hot site (Correct Answer) – A hot site is fully operational, with replicated data, applications, and network configurations that allow an ISP to quickly switch operations, minimizing service disruption.

D. Warm site – A warm site is partially equipped with some hardware and software but requires configuration before becoming operational. This delays recovery compared to a hot site.

IIA GTAG (Global Technology Audit Guide) 10 – Business Continuity Management emphasizes the importance of hot sites for organizations requiring real-time service restoration.

IIA IPPF Standard 2120 – Risk Management advises organizations to assess disaster recovery plans and ensure continuity strategies align with business needs.

COBIT 2019 – DSS04 (Managed Continuity) discusses different recovery site types and their impact on business continuity.

Explanation of Each Option:IIA References:

Working capital = Current Assets – Current Liabilities

A high amount of working capital compared to industry averages suggests that the organization may not be efficiently using its resources. This could mean that:

Excess cash is invested in inventory or accounts receivable, instead of being used for growth, investment, or shareholder returns.

The company may be holding too much inventory, which could lead to obsolescence or additional storage costs.

The business may have slow turnover in receivables, meaning cash is not being collected efficiently.

A. Settlement of short-term obligations may become difficult. (Incorrect)

A high working capital means the organization has sufficient assets to cover short-term obligations, so liquidity issues are unlikely.

B. Cash may be tied up in items not generating financial value. (Correct)

High working capital may indicate inefficient use of assets, such as excess inventory, high accounts receivable, or idle cash.

This can negatively impact return on assets (ROA) and overall financial performance.

C. Collection policies of the organization are ineffective. (Incorrect)

While high receivables can be a factor, working capital includes all current assets and liabilities, not just accounts receivable.

The issue could be inventory mismanagement or excess liquidity, not just collection policies.

D. The organization is efficient in using assets to generate revenue. (Incorrect)

A high working capital does not necessarily mean efficiency. In fact, it may indicate underutilized resources rather than optimized performance.

IIA GTAG 3 – Continuous Auditing: Implications for Internal Auditors highlights the importance of monitoring key financial metrics such as working capital.

IIA Practice Advisory 2130-1 – Assessing Organizational Performance emphasizes that internal auditors should assess whether financial resources are being used efficiently.

Financial Management Principles (IIA Guidance) discuss the impact of excessive working capital on liquidity and return on investment.

Explanation of Answer Choices:IIA References:Thus, the correct answer is B. Cash may be tied up in items not generating financial value.

Data extraction involves retrieving data from various sources for processing or storage. Among the options provided, the database system is the component that facilitates data extraction from an application. Here's why:

A. Application Program Code:

While the application program code defines the logic and functionality of an application, it doesn't inherently provide mechanisms for data extraction. Instead, it interacts with databases to perform operations like data retrieval, insertion, or modification.

B. Database System:

A database system is designed to store, manage, and retrieve data efficiently. It offers structured methods, such as querying with SQL, to extract specific data as needed. Applications rely on the database system to access and extract the required data for various operations. For instance, in a relational database, data extraction is performed using SQL queries that retrieve data based on specified criteria. This process is fundamental to operations like reporting, analytics, and data migration.

teradata.com

C. Operating System:

The operating system manages hardware resources and provides services for application execution but doesn't directly handle data extraction from applications. It ensures that applications have the necessary environment to run but delegates data management tasks to the database systems.

D. Networks:

Networks facilitate data transmission between systems but don't directly extract data from applications. They provide the pathways for data to travel between clients and servers or between different systems but aren't responsible for the extraction process within an application.

In summary, the database system is the component that provides the necessary tools and methods for data extraction within an application, making option B the correct answer.

Understanding Predictive Analytics:

Predictive analytics involves using historical data, statistical algorithms, and machine learning techniques to forecast future trends and behaviors.

It applies assumptions and models patterns to predict outcomes, helping businesses make proactive decisions.

Why Option B is Correct:

Predictive analytics is forward-looking and uses assumptions (e.g., weather conditions) to predict where stock levels would decrease more quickly.

This aligns with the goal of predictive analytics: forecasting potential events before they occur.

Why Other Options Are Incorrect:

A. Analyzed instances where parts were out of stock before scheduled deliveries: This is descriptive analytics, as it looks at past data without making future predictions.

C. Analyzed past stockouts and found a correlation with stormy weather: This is diagnostic analytics, as it identifies past correlations but does not predict future trends.

D. Modeled different scenarios for stock reordering and delivery decisions: This is prescriptive analytics, which focuses on decision-making rather than predictions.

IIA Standards and References:

IIA GTAG on Data Analytics (2017): Highlights predictive analytics as a tool for forecasting risks and operational inefficiencies.

IIA Standard 1220 – Due Professional Care: Encourages auditors to use analytical techniques to anticipate potential issues.

COSO ERM Framework: Supports the use of predictive models to improve risk management and strategic planning.

Thus, the correct answer is B: A supplier of electrical parts analyzed sales, applied assumptions related to weather conditions, and identified locations where stock levels would decrease more quickly.

Planning (ERP) software implementation, to evaluate whether the organization is prepared for the change. This type of audit helps identify potential risks, resource availability, process gaps, and stakeholder alignment, which are critical for successful implementation.

A. Readiness assessment (Correct Answer) – This assessment evaluates if the organization has the necessary resources, technology, and processes in place for a successful ERP implementation.

B. Project risk assessment – While a project risk assessment identifies potential threats to project success, it does not provide an overall assurance on readiness before implementation.

C. Post-implementation review – This is conducted after the project is completed and does not help assess the likelihood of success before implementation.

D. Key phase review – This approach evaluates progress during implementation but does not provide enterprise-wide assurance before starting the project.

IIA GTAG 12 – Auditing IT Projects recommends a readiness assessment before launching major IT initiatives.

IIA IPPF Standard 2120 – Risk Management emphasizes identifying pre-implementation risks to improve project success.

COBIT 2019 – APO03 (Managed Enterprise Architecture) supports readiness evaluations before system rollouts.

Explanation of Each Option:IIA References: