IIA-CIA-Part3-3P CIA Exam Part Three: Business Knowledge for Internal Auditing Questions and Answers

Penetration test.

Social engineering test.

Vulnerability test.

Physical control test.

Access is approved by the supervising manager.

User accounts specify expiration dates and are based on services provided.

Administrator access is provided for a limited period.

User accounts are deleted when the work is completed.

Systems-based preventive control.

People-based preventive control.

Systems-based detective control.

People-based detective control.

1 and 2 only

1 and 3 only

2 and 3 only

2 and 4 only

Lost sales, lost customers, and backorder.

Lost sales, safety stock, and backorder.

Lost customers, safety stock, and backorder.

Lost sales, lost customers, and safety stock.

It uses the same products in all countries.

It centralizes control with little decision-making authority given to the local level.

It is an effective strategy when large differences exist between countries.

It provides cost advantages, improves coordinated activities, and speeds product development.

1, 2, and 3

1, 2, and 4

1, 3, and 4

2, 3, and 4

Does not require testing for user acceptance.

Allows applications to be portable across multiple system platforms.

Is less expensive since it is self-documenting.

Better involves users in the design process.

Giving assurance that risks are evaluated correctly.

Developing the risk management strategy for the board's approval.

Facilitating the identification and evaluation of risks.

Coaching management in responding to risk.

A flexible budget.

Variance analysis.

A contribution margin income statement by segment.

Residual income.

Times interest earned, return on assets, and inventory turnover.

Accounts receivable turnover, inventory turnover in days, and the current ratio.

Accounts receivable turnover, return on assets, and the current ratio.

Inventory turnover in days, the current ratio, and return on equity.

The total liabilities and total stockholder equity both increased.

The total liabilities and total stockholder equity both decreased.

The total liabilities decreased, and the total stockholder equity increased.

The total liabilities increased, and the total stockholder equity decreased.

1 only

4 only

1 and 4 only

1, 2, and 3 only

Determine the optimal amount of resources for the organization to invest in CSR.

Align CSR program objectives with the organization's strategic plan.

Integrate CSR activities into the organization's decision-making process.

Determine whether the organization has an appropriate policy governing its CSR activities.

Ensuring that the other party has a personal stake in the agreement.

Focusing on interests rather than on obtaining a winning position.

Considering a few select choices during the settlement phase.

Basing the agreement on negotiating power and positioning leverage.

Outsourced business processes should not be considered in the internal audit universe because the controls are owned by the external service provider.

Generally, independence is improved when the internal audit activity reviews outsourced business processes.

The key controls of outsourced business processes typically are more difficult to audit because they are designed and managed externally.

The system of internal controls may be better and more efficient when the business process is

outsourced compared to internally sourced.

Marketing.

Finance.

Production.

Diversification.

Globally accepted standards for industries and processes.

Bridging the gaps among control requirements, technical issues, and business risks.

Practical guidance and benchmarks for all organizations that use information systems.

Frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.

Offer a standard product that is targeted in the recognized market.

Invest in commodity or commodity-like product businesses.

Enter into a slow-growing market.

Use an established distribution relationship.

Scope and initiation phase.

Business impact analysis.

Plan development.

Testing.

Access to read application logs is restricted to authorized users.

Account balance information is encrypted in the database.

The web server used to host the application is located in a physically secure area.

Sensitive data, such as account numbers, are submitted using encrypted communications.

Lack of awareness of the state of processing.

Increased cost and complexity of network traffic.

Interference of the mirrored data with the original source data.

Confusion about where customer data are stored.

Management assurance on risks.

Implementing risk responses on behalf of management.

Providing assurance that risks assessed are correctly evaluated.

Setting the risk appetite.

Forming stage.

Norming stage.

Performing stage.

Storming stage.

Observation.

Inspection.

Original cost.

Vouching.

Exception report identifying payment anomalies.

Documented policy and procedures.

Periodic account reconciliation of contractor charges.

Monthly management review of all contractor activity.

Forming stage.

Performing stage.

Norming stage.

Storming stage.

Promote closer linkage between organizational strategy and information.

Provide users with greater online access to information systems.

Enhance the functionality of application systems.

Expand the use of automated controls.

Fixed cost.

Variable cost.

Total maintenance cost.

Patient days.

Zone that separates an organization's servers from outside forces.

Area in which messages are scrutinized to determine if they are authorized.

Area where communication and transactions occur between trusted parties.

Zone where data is encrypted, users are authenticated, and user traffic is filtered.

Identifying the processes at the activity level.

Analyzing the organization's strategic plan where the business processes are defined.

Analyzing the organization's objectives and identifying the processes needed to achieve the objectives.

Identifying the risks affecting the organization, the objectives, and then the processes concerned.

Priority over common stock with regard to dilution of shares.

Priority over common stock with regard to earnings.

Priority over common stock with regard to dividend payment.

Priority over common stock with regard to assets.

Version control

Privacy

Portability

Secure authentication

Workstation contains software that prevents unauthorized transmission of information into and out of the organization's network.

Workstation contains software that controls information flow between the organization's network and the Internet.

Workstation contains software that enables the processing of transactions and is not shared among users of the organization's network.

Workstation contains software that manages user's access and processing of stored data on the organization's network.

Cost of sales increased relative to sales.

Total sales increased relative to expenses.

The organization had a higher dividend payout rate in year two.

The government increased the corporate tax rate.

Conduct periodic reviews of the privacy policy to ensure that the existing policy meets current

legislation requirements in both regions.

Include a "right to audit" clause in the contract and impose detailed security obligations on the

outsourced vendor

Implement mandatory privacy training for management to help with identifying privacy risks when outsourcing services

Develop an incident monitoring and response plan to track breaches from internal and external sources

Hot recovery plan

Warm recovery plan

Cold recovery plan.

Absence of recovery plan

The maximum tolerable downtime after the occurrence of an incident.

The maximum tolerable data loss after the occurrence of an incident.

The maximum tolerable risk related to the occurrence of an incident.

The minimum recovery resources needed after the occurrence of an incident.

Information integrity risk.

Privacy risk

Access risk

Software risk

Block unauthorized traffic.

Encrypt data.

Review disaster recovery test results.

Provide independent assessment of IT security.

Identity data anomalies and outliers

Define questions to be answered

identify data sources available

Determine the scope of the data extract

All financial budgets

All operating budgets

Only the cash budget and budgeted balance sheet

Only the sales and production budgets

Requested backup tapes were not returned from the offsite vendor in a timely manner

Returned backup tapes from the offsite vendor contained empty spaces

Critical systems have been Backed up more frequently than required.

Critical system backup tapes are taken off site less frequently than required.

Performance results, deficiencies, and remediation should not be used as criteria for ongoing vendor evaluation.

Turn-around time cannot always be defined for each level of service in complex environments.

Ongoing monitoring procedures that measure and compare actual performance to the expected service-level parameters must be set by the service provider.

Any problems troubleshooting can be categorized as a help desk service.

Determining the frequency with which backups will be performed.

Prioritizing the order in which business systems would be restored.

Assigning who in the IT department would be involved in the recovery procedures.

Assessing the resources needed to meet the data recovery objectives

1 2. and 3 only.

1. 2 and 4 only

1, 3. and 4 only.

1,2. 3, and 4

Contribution margin is the amount remaining from sales revenue after fixed expenses have been deducted.

Breakeven point is the amount of units sold to cover variable costs.

Breakeven occurs when the contribution margin covers fixed costs

Following breakeven, net operating income will increase by the excess of fixed costs less the variable costs per units sold

That those employees who do not consent to MDM software cannot have an email account.

That personal data on the device cannot be accessed and deleted by system administrators.

That monitoring of employees' online activities is conducted in a covert way to avoid upsetting them.

That employee consent includes appropriate waivers regarding potential breaches to their privacy.

Cold recovery plan.

Outsourced recovery plan.

Storage area network recovery plan.

Hot recovery plan.

Non-disclosure agreements between the firm and its employees

Logs of user activity within the information system

Two-factor authentication for access into the information system

Limited access to information based on employee duties

Production information maintained in relational tables.

Tweets and posts of users on social media.

Photos and videos stored in hard drive catalogs.

Sales reports documented in word processing software.

Residual income.

A flexible budget.

Variance analysis.

A contribution margin income statement by segment.

Use a behaviorally anchored rating scale to Break down jobs into their components.

Analyze and compare the ratings for different classes or groupings of employees.

Compare the ratings of selective employees with their previous appraisals.

Analyze the number and percentages of employee appraisals that fall into each rating category

It is particularly helpful to management when the organization is facing rapid change

It is a more successful approach when adopted by mechanistic organizations

It is more successful when goal-setting is performed not only by management, but by an team members, including lower-level staff.

It is particularly successful in environments that are prone to having poor employer-employee relations

Database review

Data center review

Network configuration review

Operating systems review

Operating system.

Control environment.

Network.

Application program code.

An application control review

A source code review

A design review

An access control review

Input controls

Output controls

Integrity controls

Processing controls

Horizontal analysis

Vertical analysis

Common-size analysis

Ratio analysis

Preventing database administrators from initiating program changes.

Blocking technicians from getting into the network room.

Restricting system programmers' access to database facilities.

Using encryption for data transmitted over the public internet.

A unity-of-command concept requires employees to report technically, functionally, and administratively to the same manager

A combination of product and functional departments allows management lo utilize personnel from various functions

Authority responsibility and accountability of the units involved may vary based on the project's life, or the organization's culture

It is best suited for firms with scattered locations or for multi-lira. large-scale firms

Standards used for evaluation and control are determined at local subsidiaries, not set by headquarters.

Orders, commands and advice are sent to the subsidiaries from headquarters.

People of local nationality are developed for the best positions within their own country

There is a significant amount of collaboration between headquarters and subsidiaries.

Verify whether the organization uses the most recent database software version

Verify whether the database software version is supported by the vendor.

Verify whether the database software version has been recently upgraded

Verify whether access to database version information is appropriately restricted

To inform the classification of the data population.

To determine the completeness and accuracy of the data.

To identify whether the population contains outliers.

To determine whether duplicates in the data inflate the range.

Focus

Cost leadership

Innovation

Differentiation

Key performance indicators

Reports of software customization

Change and patch management

Master data management

Visibility, validity, vulnerability

Velocity, variety volume.

Complexity completeness constancy

Continuity, control convenience

Review the the call center script used by customer service agents to interact with callers and update the script rf necessary

De-emphasize the importance of call center employees completing a certain number of calls per hour

Retrain call center staff on area processes and common technical issues that they will Likely be asked to resolve

Increase the incentive for call center employees to complete calls quickly and raise the number of calls completed daily

The leader searches for deviations from the rules and standards and intervenes when deviations exist.

The leader intervenes only when performance standards are not met.

The leader intervenes to communicate high expectations.

The leader does not intervene to promote problem-solving.

Cost of raw material inventory items is decreasing.

Process to manufacture goods is more efficient.

Labor productivity to produce goods is increasing.

Write-off of inventory is increasing.