IIA-CIA-Part3-3P Sample Questions Answers

Which of the following is a key component of an organization's cybersecurity governance?

According to IIA guidance on IT. which of the following would be considered a primary control for a spreadsheet to help ensure accurate financial reporting?

Which of the following is a disadvantage in a centralized organizational structure?

in which of the following technical infrastructure audits should attention be turned to physical security and environmental controls?

A multinational organization allows its employees to access work email via personal smart devices. However, users are required to consent to the installation of mobile device management (MDM) software

that will remotely wipe data in case of theft or other incidents.

Which of the following should the organization ensure in exchange for the employees' consent?

An internal auditor is using data analytics to locus on high-risk areas during an engagement. The auditor has obtained data and is working to eliminate redundancies in the data. Which of me following statements is true regarding this scenario?

Which of the following concepts of managerial accounting is focused on allocating overheads to products?

An organization is developing a new online collaboration tool for employees. The tool includes a homepage that is customized to each employee according to his department and job function Which of the following engagements should be conducted to ensure that the organization has included all departments and job functions in the system before it is implemented?

Which of the following should be established by management during implementation of big data systems to enable ongoing production monitoring?

Which of the following is an example of a physical security control that should be in place at an organization's data center?

Which of the following risks would involve individuals attacking an oil company's IT system as a sign of solidarity against drilling in a focal area?

An organization suffered significant damage to its local file and application servers as a result of a hurricane. Fortunately, the organization was able to recover all information backed up by its overseas third-party contractor.

Which of the following approaches has been used by the organization?

Which of the following types of analytics would be used by an organization to examine metrics by business units and identity the most profitable business units?

Which of the following is an example of a nonfinancial internal failure quality cost?

Which of the following are typical responsibilities for operational management within a risk management program?

1) Implementing corrective actions to address process deficiencies.

2) Identifying shifts in the organization's risk management environment.

3)( Providing guidance and training on risk management processes.

4) Assessing the impact of mitigation strategies and activities.

Which of the following is likely to occur when an organization decides to adopt a decentralized organizational structure?

Which of the following options correctly defines a transmission control protocol/Internet protocol (TCP/IP)?

Much of the following authentication device credentials is the most difficult to revoke when an employee's access rights need to be removed?

Which of the following is a typical example of structured data?

During an audit of the organization's annual financial statements, the internal auditor notes that the current cost of goods sold percentage is substantially higher than in prior years. Which of the following is the most likely explanation for this increase?

An organization's account for office supplies on hand had a balance of S9,000 at the end of year one. During year two. the organization recorded an expense of $45,000 for purchasing office supplies. At the end of year two. a physical count determined that the organization has $11,500 in office supplies on hand. Based on this information, what would be recorded in the adjusting entry at the end of year two?

Which of the following assumptions regarding cost-volume-profit analysis is true?

According to MA guidance on IT. which of the following controls the routing of data packets to link computers?

Which of the following is improved by the use of smart devices?

Which of the following statements is true regarding user-developed applications (UDAs)?

An organization uses the management-by-objectives method, whereby employee performance is based on defined goals Which of the following statements is true regarding this approach?

During which phase of the contacting process ate contracts drafted for a proposed business activity?

During which of the following phases of contracting does the organization analyze whether the market is aligned with organizational objectives?

During a review of the accounts payable process, an internal auditor gathered all of the vendor payment transactions for the past 24 months. The auditor then used an analytics tool to identify the top five vendors that received the highest sum of payments.

Which of the following analytics techniques did the auditor apply?

A rapidly expanding retail organization continues to be tightly controlled by its original small management team. Which of the following is a potential risk in this vertically centralized organization?

The management of working capital is most crucial for which of the following aspects of business?

With regard to disaster recovery planning, which of the following would most likely involve stakeholders from several departments?

Which of the following security controls would be the most effective in preventing security breaches?

While auditing an organization's customer call center, an internal auditor notices that key performance indicators show a positive trend despite the fact that there have been increasing customer complaints over the same period Which of the following audit recommendations would most likely correct the cause of this inconsistency?

Which of the following performance measures disincentivizes engaging in earnings management?

Which of the following data security policies is most likely to be the result of a data privacy law?

While conducting audit procedures at the organization's data center, an internal auditor noticed the following:

Backup media was located on data center shelves.

Backup media was organized by date.

Backup schedule was one week in duration.

The system administrator was able to present restore logs.

Which of the following is reasonable for the internal auditor to conclude?

Which of the following is the first step an internal audit activity should undertake when executing a data analytics process?

Which of me following responsibilities would ordinary fall under the help desk function of an organization?

Which of the following organization structures would most likely be able to cope with rapid changes and uncertainties?

When using cost-volume-profit analysts which of the following will increase operating income once the break-even point has been reached?

Which of the following IT professionals is responsible for providing maintenance to switches and routers to keep IT systems running as intended?

Which of me following storage options would give the organization the best chance of recovering data?

An organization has a total asset turnover of 3.0 times and a total debt-to-total assets ratio of 80 percent. If the organization has total debt of $1 000 000 what is the organization's sales level?

Which of the following control features consists of a set of authorization codes that distinguishes among actions such as reading, adding, and deleting records?

Which of the following best describes the purpose of disaster recovery planning?

In accounting, which of the following statements is true regarding the terms debit and credit?

The leadership of an organization encourages employees to form voluntary problem-solving groups whereby several employees from the same work area meet regularity during work hours to discuss improvements and creative ways to reduce costs. Which of the following best describes this approach?

A remote location contains a data center with hardware available to support critical production systems as required in the recovery plan IT personnel periodically test and update systems at the data center. This is an example of which of the following recovery solutions?

A manager has allowed a subordinate employee to have greater control and responsibility over the tasks that he performs. This is an example of which of the following?

Which of the following is most important for an internal auditor to check with regard to the database version?

An internal auditor was asked to review an equal equity partnership In one sampled transaction Partner A transferred equipment into the partnership with a self-declared value of $10,000 and Partner B contributed equipment with a self-declared value of $15 000 The capital accounts of each partner were subsequently credited with S12,500. Which of the following statements is true regarding this transaction?

The balanced scorecard approach differs from traditional performance measurement approaches because it adds which of the following measures?

1) Financial measures

2) Internal business process measures.

3) Client satisfaction measures

4) Innovation and learning measures

An organization recently documented its procedures for recovering systems and data after a disaster How are these documented procedures most likely to be used during a disaster simulation exercise?

An internal auditor reviews a data population and calculates the mean, median, and range.

What is the most likely purpose of performing this analytic technique?

Which of the following is the most effective control to prevent unauthorized entrance of a former employee of the organization?

Which of the following authentication controls combines what a user knows with the unique characteristics of the user respectively?

Which of me following statements is true regarding the reporting of tangible and intangible assets?

How do data analysis technologies affect internal audit testing?

Which of the following is a primary objective of the theory of constraints?

According to IIA guidance, which of the following is a primary component of a network security strategy?

An organization invests excess snort-term cash in trading securities. When of the following actions should an internal auditor take to test the valuation of those securities?

Which of the following statements is true concerning the basic accounting treatment of a partnership?

What would be the effect if an organization paid one of its liabilities twice during the year in error?

According to IIA guidance on IT which of the following best describes a but recovery and restore processes have not been defined?

Which of the following security controls focuses most on prevention of unauthorized access to the power plant?

An internal auditor for a pharmaceutical company is planning a cybersecurity audit and conducting a risk assessment.

Which of the following would be considered the most significant cyber threat to the organization?

Which of me following application controls is the most dependent on the password owner?

An organization has an agreement with a third-party vendor to have a fully operational facility, duplicate of the original site and configured to the organization's needs, in order to quickly recover operational

capability in the event of a disaster.

Which of the following best describes this approach to disaster recovery planning?

The greatest advantage of functional departmentalization is that it:

Which of the following is a key responsibility of a database administrator?

An internal auditor is assessing the risks related to an organization's mobile device pokey She notes that the organization allows third parties (vendors and visitors) to use outside smart devices to access its proprietary networks and systems Which of the following types of smart device risks should the internal auditor be most concerned about?

Which of the following application software features is the least effective control to protect passwords?

An internal auditor is trying to assess control risk and the effectiveness of an organization's internal controls. Which of the following audit procedures would not provide assurance to the auditor on this matter?

A holding company set up a centralized group technology department, using a local area network with a mainframe computer to process accounting information for all companies within the group. An internal auditor would expect to find all of the following controls within the technology department except:

Which of the following purchasing scenarios would gain the greatest benefit from implementing electronic data interchange?

Which of the following should an organization consider when developing strategic objectives for its business processes?

1) Contribution to the success of the organization.

2) Reliability of operational information.

3) Behaviors and actions expected of employees.

4) How inputs combine with outputs to generate activities.

According to Porter's model of competitive strategy, which of the following is a generic strategy?

1 Differentiation.

2) Competitive advantage.

3) Focused differentiation.

4) Cost focus.

Multinational organizations generally spend more time and effort to identify and evaluate:

Which of the following techniques is the most relevant when an internal auditor conducts a valuation of an organization's physical assets?

An organization uses a database management system (DBMS) as a repository for data. The DBMS, in turn, supports a number of end-user developed applications which were created using fourth-generation programming languages. Some of the applications update the database. Which of the following is the most important control related to the integrity of the data in the database?

Which of the following are appropriate reasons for internal auditors to document processes as part of an audit engagement?

1) To determine areas of primary concern.

2) To establish a standard format for process mapping.

3) To define areas of responsibility within the organization.

4) To assess the performance of employees.

Capacity overbuilding is most likely to occur when management is focused on which of the following?

An internal auditor is reviewing physical and environmental controls for an IT organization. Which control activity should not be part of this review?

The economic order quantity can be calculated using the following formula:

Which of the following describes how the optimal order size will change if the annual demand increases by 36 percent?

Which of the following is the most likely reason an organization may decide to undertake a stock split?

Refer to the exhibit.

If the profit margin of an organization decreases, and all else remains equal, which of the following describes

how the "Funds Needed" line in the graph below will shift?

When writing a business memorandum, the writer should choose a writing style that achieves all of the following except:

Which of the following statements is correct regarding corporate compensation systems and related bonuses?

1) A bonus system should be considered part of the control environment of an organization and should be considered in formulating a report on internal control.

2) Compensation systems are not part of an organization's control system and should not be reported as such.

3) An audit of an organization's compensation system should be performed independently of an audit of the control system over other functions that impact corporate bonuses.

Preferred stock is less risky for investors than is common stock because:

Which of the following is an example of a risk avoidance response?

According to the International Professional Practices Framework, which of the following statements is true regarding a corporate social responsibility (CSR) program?

1) Every employee generally has a responsibility for ensuring the success of CSR objectives.

2) The board has overall responsibility for the effectiveness of internal control processes associated with CSR.

3) Public reporting on the CSR governance process is expected.

4) Organizations generally have flexibility regarding what is included in a CSR program.

In creating a risk-based plan, which of the following best describes a top-down approach to understanding business processes?

A key advantage of developing a computer application by using the prototyping approach is that it:

Which of the following statements accurately describes the responsibility of the internal audit activity (IAA) regarding IT governance?

1) The IAA does not have any responsibility because IT governance is the responsibility of the board and senior management of the organization.

2) The IAA must assess whether the IT governance of the organization supports the organization’s strategies and objectives.

3) The IAA may assess whether the IT governance of the organization supports the organization’s strategies and objectives.

4) The IAA may accept requests from management to perform advisory services regarding how the IT governance of the organization supports the organization’s strategies and objectives.

Import quotas that limit the quantities of goods that a domestic subsidiary can buy from its foreign parent company represent which type of barrier to the parent company?

Which of the following costs would be incurred in an inventory stockout?

Which of the following statements best describes the frameworks set forth by the International Standards Organization?

Which of the following is a strategy that organizations can use to stimulate innovation?

1) Source from the most advanced suppliers.

2) Establish employee programs that reward initiative.

3) Identify best practice competitors as motivators.

4) Ensure that performance targets are always achieved.

An organization is projecting sales of 100,000 units, at a unit price of $12. Unit variable costs are $7. If fixed costs are $350,000, what is the projected total contribution margin?

The most important reason to use risk assessment in audit planning is to:

All of the following are possible explanations for a significant unfavorable material efficiency variance except:

When applied to international economics, the theory of comparative advantage proposes that total worldwide output will be greatest when:

According to the International Professional Practices Framework, internal auditors who are assessing the adequacy of organizational risk management processes should not:

Which of the following performance measures would be appropriate for evaluating an investment center, which has responsibility for its revenues, costs, and investment base, but would not be appropriate for evaluating cost, revenue, or profit centers?

When developing an effective risk-based plan to determine audit priorities, an internal audit activity should start by:

Which of the following factors would reduce dissatisfaction for a management trainee but would not particularly motivate the trainee?

Presented below are partial year-end financial statement data (000 omitted from dollar amounts) for companies A and B:

If company A has a quick ratio of 2:1, then it has an accounts receivable balance of:

Which of the following would not impair the objectivity of internal auditor?

Which of the following does not provide operational assurance that a computer system is operating properly?

Which of the following steps should an internal auditor take during an audit of an organization's business continuity plans?

1) Evaluate the business continuity plans for adequacy and currency.

2) Prepare a business impact analysis regarding the loss of critical business.

3) Identify key personnel who will be required to implement the plans.

4) Identify and prioritize the resources required to support critical business processes.

In mergers and acquisitions, which of the following is an example of a horizontal combination?

When granting third parties temporary access to an entity's computer systems, which of the following is the most effective control?

A retail organization is considering acquiring a composite textile company. The retailer's due diligence team determined the value of the textile company to be $50 million. The financial experts forecasted net present value of future cash flows to be $60 million. Experts at the textile company determined their company's market value to be $55 million if purchased by another entity. However, the textile company could earn more than $70 million from the retail organization due to synergies. Therefore, the textile company is motivated to make the negotiation successful. Which of the following approaches is most likely to result in a successful negotiation?

Within an enterprise, IT governance relates to the:

1) Alignment between the enterprise's IT long term plan and the organization's objectives.

2) Organizational structures of the company that are designed to ensure that IT supports the organization's strategies and objectives.

3) Operational plans established to support the IT strategies and objectives.

4) Role of the company's leadership in ensuring IT supports the organization's strategies and objectives.

Which of the following statements regarding organizational governance is not correct?

Which of the following is a role of the board of directors in the governance process?

Which of the following local area network physical layouts is subject to the greatest risk of failure if one device fails?

Which of the following is a disadvantage of selecting a commercial software package rather than developing an application internally?

Which of the following price adjustment strategies encourages prompt payment?

Which of the following conflict resolution methods should be applied when the intention of the parties is to solve the problem by clarifying differences and attaining everyone's objectives?

Which of the following statements is in accordance with COBIT?

1) Pervasive controls are general while detailed controls are specific.

2) Application controls are a subset of pervasive controls.

3) Implementation of software is a type of pervasive control.

4) Disaster recovery planning is a type of detailed control.

Which of the following is a product-oriented definition of a business rather than a market-oriented definition of a business?

An organization accumulated the following data for the prior fiscal year:

Value of Percentage of

Quarter

Output Produced

Cost X

1

$4,750,000

2.9

2

$4,700,000

3.0

3

$4,350,000

3.2

4

$4,000,000

3.5

Based on this data, which of the following describes the value of Cost X in relation to the value of Output Produced?

In terms of international business strategy, which of the following is true regarding a multi-domestic strategy?

Which of the following descriptions of the internal control system are indicators that risks are managed effectively?

1) Existing controls promote compliance with applicable laws and regulations.

2) The control environment is designed to address all identified risks to the organization.

3) Key controls for significant risks to the organization remain consistent over time.

4) Monitoring systems are in place to alert management to unexpected events.

In which type of business environment are price cutting strategies and franchising strategies most appropriate?

According to the COSO enterprise risk management (ERM) framework, which of the following is not a typical responsibility of the chief risk officer?

A department purchased one copy of a software program for internal use. The manager of the department installed the program on an office computer and then made two complete copies of the original software.

Copy 1 was solely for backup purposes.

Copy 2 was for use by another member of the department.

In terms of software licenses and copyright law, which of the following is correct?

Which of the following is an element of effective negotiating?

The activity that involves a trial run of a product in a typical segment of the market before proceeding to a national launch is referred to as:

Which of the following control techniques would minimize the risk of interception during transmission in an electronic data interchange system?

1) Encryption.

2) Traffic padding.

3) Edit checks.

4) Structured data format.

Which of the following best describes the concept of relevant cost?

Which of the following statements is true regarding outsourced business processes?

According to IIA guidance on IT auditing, which of the following would not be an area examined by the internal audit activity?

Which of the following strategies would most likely prevent an organization from adjusting to evolving industry market conditions?

An internationally recognized brand name is an entrance barrier to new competitors because new competitors would:

Unsecured loans are loans:

If a bank's activities are categorized under such departments as community banking, institutional banking, and agricultural banking, what kind of departmentalization is being utilized?

Which of the following application-based controls is an example of a programmed edit check?

A small furniture-manufacturing firm with 100 employees is located in a two-story building and does not plan to expand. The furniture manufactured is not special-ordered or custom-made. The most likely structure for this organization would be:

An internal auditor discovered that several unauthorized modifications were made to the production version of an organization's accounting application. Which of the following best describes this deficiency?

A supervisor receives a complaint from an employee who is frustrated about having to learn a new software

program. The supervisor responds that the new software will enable the employee to work more efficiently and with greater accuracy. This response is an example of: