IIA-CIA-Part3-3P CIA Exam Part Three: Business Knowledge for Internal Auditing Questions and Answers

Diversification

Vertical integration

Risk avoidance

Differentiation

Control environment.

Control activities.

Information and communication.

Monitoring.

PKI uses an independent administrator to manage the public key.

The public key is authenticated against reliable third-party identification.

PKI ' s public accessibility allows it to be used readily for e-commerce.

The private key uniquely authenticates each party to a transaction.

$1.480.000

$1 500 000

$1,610.000

$1650 000

1 and 2 only

2 and 3 only

1, 2, and 3 only

1, 2, 3, and 4

Facilitates communication between primary functions.

Helps to focus on the achievement of organizational goals.

Provides for efficient use of specialized knowledge .

Accommodates geographically dispersed companies

A contract is a tool used by both suppliers and customers, the model and complexity of which generally remains constant

Collaboration during contract negotiation encourages stakeholders to develop consensus but typically increases cycle times and the likelihood that the contract will fail

Differing legal requirements affect the attitudes of contracting parties as well as the length content and language of contracts

A contract is a tool used by both suppliers and customers though it offers commercial assurance of the relationship, purely from a customer perspective

An application control review

A source code review

A design review

An access control review

Visibility, validity, vulnerability

Velocity, variety volume.

Complexity completeness constancy

Continuity, control convenience

System software that acts as an interface between a user and a computer.

A standardized set of guidelines that facilitates communication between computers on different

networks.

System software that translates hypertext markup language to allow users to view a remote webpage.

A network of servers used to control a variety of mission-critical operations.

A slower response to external change.

Less controlled decision making.

More burden on higher-level managers.

Less use of employees ' true skills and abilities.

Controls that focus on segregation of duties, financial and change management

Personnel policies that define and enforce conditions for staff in sensitive IT areas

Standards that support IT policies by more specifically defining required actions

Controls that focus on data structures and the minimum level of documentation required

Identity data anomalies and outliers

Define questions to be answered

identify data sources available

Determine the scope of the data extract

Open-book management

Quality control circles

Self-managed teams

Cross-functional teams

Rooting.

Eavesdropping.

Man in the middle.

Session hijacking.

Cost of sales increased relative to sales.

Total sales increased relative to expenses.

The organization had a higher dividend payout rate in year two.

The government increased the corporate tax rate.

Forming stage.

Performing stage.

Norming stage.

Storming stage.

Use of a formal systems development lifecycle.

End-user involvement.

Adequate software documentation.

Formalized non-regression testing phase.

End users have their read-only applications approved by the information systems department before accessing the database.

Concurrency update controls are in place.

End-user applications are developed on personal computers before being implemented on the

mainframe.

A hierarchical database model is adopted so that multiple users can be served at the same time.

Government pressure on organizations to increase or maintain employment.

Production orientation of management.

Lack of credible market leader in the industry.

Company diversification.

1, 2, and 3

1, 2, and 4

1, 3, and 4

2, 3, and 4

Basing performance evaluations on the number of projects completed.

Comparing results with those of other engineering departments.

Creating a quality council within the engineering department.

Conducting post-project surveys on performance.

A flexible budget.

Variance analysis.

A contribution margin income statement by segment.

Residual income.

2 only

3 and 4 only

1, 3, and 4 only

1, 2, 3, and 4

Lack of awareness of the state of processing.

Increased cost and complexity of network traffic.

Interference of the mirrored data with the original source data.

Confusion about where customer data are stored.

1 and 2 only

3 and 4 only

1, 2, and 4 only

2, 3, and 4 only

Outsourced business processes should not be considered in the internal audit universe because the controls are owned by the external service provider.

Generally, independence is improved when the internal audit activity reviews outsourced business processes.

The key controls of outsourced business processes typically are more difficult to audit because they are designed and managed externally.

The system of internal controls may be better and more efficient when the business process is

outsourced compared to internally sourced.

Data integrity risks

Compliance risks.

Physical security risks

Privacy risks

The bargaining power of buyers is forcing a drop in market prices.

There is pressure from the competitor ' s substitute products.

Strategic analysis by the organization indicates feasibility of expanding to new market niches.

The competitor announces a new warranty program.

$100,000

$200,000

$275,000

$500,000

1 and 3 only.

1 and 4 only.

2 and 3 only

3 and 4 only.

Block unauthorized traffic.

Encrypt data.

Review disaster recovery test results.

Provide independent assessment of IT security.

Full or near capacity in processes.

Smooth workflow among processes.

Few or no defects.

Lowered inventory levels.

Cold recovery plan.

Outsourced recovery plan.

Storage area network recovery plan.

Hot recovery plan.

Cost of raw material inventory items is decreasing.

Process to manufacture goods is more efficient.

Labor productivity to produce goods is increasing.

Write-off of inventory is increasing.

Y should be listed as an investment asset on X ' s balance sheet

X must consolidate the financial statements for both organizations

Y should be reported as a footnote to X ' s financial statements

Y should not be reported by X as X does not have a controlling interest

Network

Database

Operating system

Server

Providing fire detection and suppression equipment

Establishing a physical security policy and promoting it throughout the organization

Performing business continuity and disaster recovery planning

Keeping an offsite backup of the organization ' s critical data

Change management controls

Physical and environmental controls.

System software controls

Organization and management controls

An employee receives an email that appears to be from the organization ' s bank, though it is not. The employee replies to the email and sends the requested confidential information.

An organization ' s website has been hacked. The hacker added political content that is not consistent with the organization ' s views.

An organization ' s systems have been compromised by malicious software. The software locks the organization ' s operating system until d ransom is paid.

An organization ' s communication systems have been intercepted. A communication session is controlled by an unauthorized third party.

Implementation and transition phase.

Monitoring and reporting phase

Decision-making and business-case phase.

Tendering and contracting phase.

Project portfolio.

Project development.

Project governance.

Project management methodologies.

Management by objectives is most helpful in organizations that nave rapid changes.

Management by objectives is most helpful in mechanistic organizations with rigidly defined tasks.

Management by objectives helps organizations to keep employees motivated.

Management by objectives helps organizations to distinguish clearly strategic goals from operational goals

The lack of legal and industry frameworks on privacy.

The absence of generally accepted privacy principles.

The rapid growth and evolution of technology.

The legislated need to retain sensitive personal information.

Assets liabilities and owners ' equity would be understated

Assets net income and owners ' equity would be unaffected

Assets and liabilities would be understated

Assets net income and owners ' equity would be understated, but liabilities would be overstated

Digital analysis for statistically unlikely occurrences that may indicate system tampering.

Verification of the completeness and integrity of the obtained data.

Detailed review of the data contents to strategize the best analytical techniques.

Calculation of statistical parameters to identify outliers requiring further scrutiny.

Validation of the achievement of their goals and objectives.

Increased knowledge through the performance of additional tasks.

Support for personal growth and a meaningful work experience.

An increased opportunity to manage better the work done by their subordinates.

Operations can continue after the liquidation if all partners agree

Partnership liquidation ends both the legal and economic life of an entity

Partnership liquidation occurs when there is capital deficiency Stable

When a partnership is liquidated, each partner pays creditors from cash received

26 days.

90 days.

100 days.

110 days.

Access control via biometric authentication.

Access control via passcode authentication.

Access control via swipe pattern authentication.

Access control via security question authentication.

Authorization

Architecture model

Firewall

Virtual private network

To inform the classification of the data population.

To determine the completeness and accuracy of the data.

To identify whether the population contains outliers.

To determine whether duplicates in the data inflate the range.

Production information maintained in relational tables.

Tweets and posts of users on social media.

Photos and videos stored in hard drive catalogs.

Sales reports documented in word processing software.

The valuation will be incorrect it the inventory includes goods m transit shipped free on board (FOB) destination to another organization

The valuation will be correct if the inventory includes goods received on consignment from another organization

The valuation will be incorrect it the inventory includes goods in transit shipped FOB shipping point from another organization

The valuation will be correct it the inventory includes goods sent on consignment to another

organization

Documentation of each system and its interactions, interfaces, and dependencies with other systems and databases is not gathered and maintained.

Batch processing jobs include key financial data that is not posted to the accounting system until the next day. preventing real-time queries.

The job scheduling tool frequently malfunctions, causing scheduled jobs not to run. An error message is sent to IT personnel when a job fails.

The implementation of a major update for a key application is delayed until any potential

interdependencies are identified and analyzed.

Backup media is not properly stored, as the storage facility should be off-site.

Backup procedures are adequate and appropriate according to best practices.

Backup media is not properly indexed, as backup media should be indexed by system, not date.

Backup schedule is not sufficient, as full backup should be conducted daily.

Focus

Cost leadership

Innovation

Differentiation

$266.667

$416,667

$3.750.000

$5 000.000

Company A owns Company B; Company B sells goods to Company A.

Company A does not own Company B. Company A charges Company B a fee to sell Company B ' s goods without taking ownership of the goods.

Company A owns both Company B and Company C; all three companies sell goods to the public.

Company A moves goods internally from one location to another.

Monitoring network traffic.

Using whitelists and blacklists to manage network traffic.

Restricting access and blocking unauthorized access to the network.

Educating employees throughout the company to recognize phishing attacks.

Direct product costs

Indirect product costs

Direct period costs

Indirect period costs.

Assigning new roles and responsibilities for senior IT management.

Growing use of bring your own devices tor organizational matters

Expansion of operations into new markets with united IT access

Hiring new personnel within the IT department tor security purposes

Approval of identity request.

Access logging.

Monitoring privileged accounts.

Audit of access rights.

Process mining is a type of data analysts where the data subject is a process

Process analysis is a type of data mining where the data subject is a designated area of a process

Data mining is a type of data analysis that focuses on finding statistical relationships in order to create

profiles

Data mining involves examining small amounts of structured data in a systematic manner

It uses the same products in all countries.

It centralizes control with little decision-making authority given to the local level.

It is an effective strategy when large differences exist between countries.

It provides cost advantages, improves coordinated activities, and speeds product development.

Identify redundant controls.

Improve budgeting accuracy.

Enhance assurance provided to management.

Assist in developing audit programs.

Product departmentalization.

Process departmentalization.

Functional departmentalization.

Customer departmentalization.

A higher initial investment level.

A higher discount rate.

Cash inflows that are larger in the later years of the life of the project.

Cash inflows that are larger in the earlier years of the life of the project.

1 and 2 only

1 and 3 only

2 and 3 only

2 and 4 only

Relatively fast market entry.

Improved cash flow of the acquiring organization.

Increased diversity of corporate culture.

Opportunity to influence local government policy.

Decreasing gross profit margins over time.

Foregone contribution margin on lost sales.

Defective units shipped to customers.

Excessive time to convert raw materials into finished goods.

$34,000

$51,000

$60,000

$320,000

1 only

2 only

3 only

2 and 3 only

Zone that separates an organization ' s servers from outside forces.

Area in which messages are scrutinized to determine if they are authorized.

Area where communication and transactions occur between trusted parties.

Zone where data is encrypted, users are authenticated, and user traffic is filtered.

Resisting both internal and external distractions.

Waiting to review key concepts until the speaker has finished talking.

Tuning out messages that do not seem to fit the meeting purpose.

Factoring in biases in order to evaluate the information being given.

COBIT helps management understand and manage the risks associated with information technology (IT) processes.

Management needs to determine the cost-benefit ratio of adopting COBIT control objectives.

COBIT control objectives are specific to various IT platforms and help determine minimum controls.

COBIT provides management with the capability to conduct self-assessments against industry best practices.

The percentage of cases flagged by the model and confirmed as positives.

The development and maintenance costs associated with the model

The feedback of auditors involved with developing the model

The number of criminal investigations initiated based on the outcomes of the model

Cash payback technique.

Annual rate of return technique.

Internal rate of return method.

Net present value method.

Boundary defense

Malware defense

Penetration tests

Wireless access controls

Process analysis.

Process mining.

Data analysis.

Data mining.

Due to their small size and portability smart devices and their associated data are typically less susceptible to physical loss

The Bluetooth and WI-FI features of smart devices enhance the security of data while in transit

The global positioning system (GPS) capability of smart devices could be exploited to plan cyberattacks

When the user fads to perform jailbreaking or rooting, data security and privacy risks we increased

Cost method

Equity method

Consolidation method

Fair value method

Duplicate testing.

Joining data sources

Gap analysis

Classification

Conduct a risk assessment regarding the effectiveness of the data analytics process.

Analyze possible and available sources of raw data

Define the purpose and the anticipated value

Select data for cleaning and normalization procedures.

Plenum.

Biometric lock.

Identification card.

Electromechanical lock.

1, 2, 3, 4

2, 1, 4, 3

2, 4, 1, 3

4, 2, 1, 3

Data relationships are assumed to exist and to continue where no known conflicting conditions exist.

Analytical procedures are intended primarily to ensure the accuracy of the information being examined.

Data relationships cannot include comparisons between operational and statistical data

Analytical procedures can be used to identify unexpected differences but cannot be used to identify the absence of differences

Liquidity.

Profitability.

Solvency.

Efficiency.

Project plan development.

Project plan execution.

Integrated change control.

Project quality planning.

Initiation phase.

Bidding phase.

Development phase.

Negotiation phase

Readiness assessment.

Project risk assessment.

Post-implementation review.

Key phase review.

Cybersecurity risks are identical across all organizations regardless of industry

Installation of antivirus and malware software prevents cybersecurity risks

Deployment of proper cybersecurity measures assures business success

Information value extends the emergence of cybersecurity risks

Cybercriminals hacking into the organization ' s time and expense system to collect employee personal data.

Hackers breaching the organization ' s network to access research and development reports.

A denial-of-service attack that prevents access to the organization ' s website.

A hacker accessing the financial information of the company.

Normalization.

Velocity.

Structurization.

Veracity.

An internal auditor analyzed electricity production and sales interim reports and compiled a risk assessment.

An internal auditor extracted sales data to a spreadsheet and applied judgmental analysis for sampling.

An internal auditor classified solar panel sales by region and discovered unsuccessful sales

representatives.

An internal auditor broke down a complex process into smaller pieces to make it more understandable.

Troubleshoot end user problems

Provide production support.

Provide physical security of databases

Maintain database integrity

Has the longest duration in time.

Costs the most money.

Requires the largest amount of labor

Is deemed most important to the project.

Workflow and data capture technology

Data visualization applications.

Software integrated with central data warehouse

Spreadsheets.

Fragmented industries.

Declining industries.

Mature industries.

Emerging industries.

Malware resulting in data leakage.

Exposure of sensitive data.

Lack of data encryption.

Lack of data back up.

Globally accepted standards for industries and processes.

Bridging the gaps among control requirements, technical issues, and business risks.

Practical guidance and benchmarks for all organizations that use information systems.

Frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.

Invest in marketing.

Invest in research and development.

Control costs.

Shift toward mass production.

Use an aging schedule to more closely estimate uncollectible accounts.

Eliminate the need for an allowance for doubtful accounts.

Emphasize the accuracy of the net realizable value of the receivables on the balance sheet.

Use a method that approximates the matching principle.

1 and 3 only

2 and 4 only

1, 2, and 3 only

1, 2, and 4 only

Reasonableness check.

Transaction log.

Input error correction.

Authorization for access.

Firewalls can protect against computer viruses.

Firewalls monitor attacks from the Internet.

Firewalls provide network administrators tools to retaliate against hackers.

Firewalls may be software-based or hardware-based.

The process is not sustained and is not optimized as planned.

There is a lack of alignment to organizational strategies.

The operational quality is less than projected.

There is increased potential for loss of assets.

Access to read application logs is restricted to authorized users.

Account balance information is encrypted in the database.

The web server used to host the application is located in a physically secure area.

Sensitive data, such as account numbers, are submitted using encrypted communications.

Exception report identifying payment anomalies.

Documented policy and procedures.

Periodic account reconciliation of contractor charges.

Monthly management review of all contractor activity.

Giving assurance that risks are evaluated correctly.

Developing the risk management strategy for the board ' s approval.

Facilitating the identification and evaluation of risks.

Coaching management in responding to risk.

Antivirus software, firewall, data encryption.

Firewall, data encryption, backup procedures.

Antivirus software, firewall, backup procedures.

Antivirus software, data encryption, change logs.

Cash discounts.

Quantity discounts.

Functional discounts.

Seasonal discounts.

Risk acceptance.

Risk sharing.

Risk avoidance.

Risk reduction.

Accommodating.

Compromising.

Collaborating.

Competing.

$170,000

$280,000

$300,000

$540,000

Both the key used to encrypt the data and the key used to decrypt the data are made public.

The key used to encrypt the data is kept private but the key used to decrypt the data is made public.

The key used to encrypt the data is made public but the key used to decrypt the data is kept private.

Both the key used to encrypt the data and the key used to decrypt the data are made private.

Identifying risks to the organization ' s operations.

Observing and analyzing controls.

Prioritizing known risks.

Reviewing organizational objectives.

1 and 4 only

2 and 3 only

1, 2, and 3 only

1, 2, and 4 only

An effective internal audit function is one of the four cornerstones of good governance.

Those performing governance activities are accountable to the customer.

Accountability is one of the key elements of organizational governance.

Governance principles and the need for an internal audit function are applicable to governmental and not-for-profit activities.

Users determine the optimal level of safety stocks.

They are applicable only to large organizations.

They do not really increase overall economic efficiency because they merely shift inventory levels further up the supply chain.

They rely heavily on high quality materials.

Direct cutover.

Parallel.

Pilot.

Test.

1, 2, and 3

1, 2, and 4

1, 3, and 4

2, 3, and 4

Second-mortgage financing from a bank.

An issue of commercial paper.

Pledged accounts receivable.

Asset-based financing.

A time-sensitive just-in-time purchase environment.

A large volume of custom purchases.

A variable volume sensitive to material cost.

A currently inefficient purchasing process.

Intranet.

Extranet.

Digital subscriber line.

Broadband.

Scope and initiation phase.

Business impact analysis.

Plan development.

Testing.

Each party ' s negotiator presents a menu of options to the other party.

Each party adopts one initial position from which to start.

Each negotiator minimizes the information provided to the other party.

Each negotiator starts with an offer, which is optimal from the negotiator ' s perspective.

A zero-based budget provides estimates of costs that would be incurred under different levels of activity.

A zero-based budget maintains focus on the budgeting process.

A zero-based budget is prepared each year and requires each item of expenditure to be justified.

A zero-based budget uses input from lower-level and middle-level managers to formulate budget plans.

Specific guidance must be followed when interacting with nongovernmental organizations.

Disclosure laws tend to be consistent from one jurisdiction to another.

There are several internationally recognized standards for dealing with financial donors.

Legal representation should be consulted before releasing internal audit information to other assurance

In a matrix organization, conflict between functional and product managers may arise.

In a matrix organization, staff under dual command is more likely to suffer stress at work.

Matrix organizations offer the advantage of greater flexibility.

Matrix organizations minimize costs and simplify communication.

Forming stage.

Norming stage.

Performing stage.

Storming stage.

Consult on project design and implementation of the CSR program.

Serve as an advisor on internal controls related to CSR.

Identify and prioritize the CSR issues that are important to the organization.

Evaluate the effectiveness of the organization ' s CSR efforts.

Review and acquire the external audit service.

Assess the appraisal and actuarial services.

Determine the selection criteria.

Identify regulatory requirements to be considered.

Priority over common stock with regard to dilution of shares.

Priority over common stock with regard to earnings.

Priority over common stock with regard to dividend payment.

Priority over common stock with regard to assets.

Determining the cost of the product.

Developing pricing objectives.

Evaluating prices set by the competitors.

Selecting a pricing method.

Merger.

Strategic fit.

Joint venture.

Strategic goal.

The auditor should focus on the audit client as a person and understand him, rather than just

concentrating on the problem.

The auditor should make recommendations based on objective criteria, rather than based on a subjective assessment.

The auditor should explore alternative solutions to address the audit problem, so the audit client has options.

The auditor should take a flexible position on the recommendations and focus on resolving the issue by addressing the interests of the people concerned.

Both copies are legal.

Only copy 1 is legal.

Only copy 2 is legal.

Neither copy is legal.

Cash budget.

Production budget.

Sales budget.

Selling and administrative expenses budget.

Motivation.

Performance.

Organizational structure.

Communication.

Interviewing the organization ' s employees.

Observing the organization ' s operations.

Reading the board ' s minutes.

Inspecting manuals and documents.

Database management systems handle data manipulation inside the tables, rather than it being done by the operating system itself in files.

The database management system acts as a layer between the application software and the operating system.

Applications pass on the instructions for data manipulation which are then executed by the database

management system.

The data within the database management system can only be manipulated directly by the database management system administrator.