IIA IIA-CIA-PART3 Online Practice Questions and Exam Preparation

IIA IIA-CIA-PART3 Online Questions & Answers

• Question 1151:

  According to IIA guidance on IT, which of the following activities regarding information security is most likely to be the responsibility of line management as opposed to executive management, internal auditors, or the board?

  A. Review and monitor security controls.
  B. Dedicate sufficient security resources.
  C. Provide oversight to the security function.
  D. Assess information control environments.
  A. Review and monitor security controls.

  ---

  Explanation

  Understanding Information Security Responsibilities:

  Executive management sets the overall strategy and ensures resources are allocated for information security.

  Internal auditors provide independent assurance on security effectiveness.

  The board provides oversight and ensures that security risks are managed appropriately.

  Line management is responsible for day-to-day operations, including the review and monitoring of security controls to ensure compliance with security policies.

  Why Reviewing and Monitoring Security Controls is a Line Management Function:

  Line management directly oversees operational security measures, ensuring that established controls are functioning effectively.

  They address security gaps, enforce security policies, and report issues to senior management when necessary.

  This aligns with IIA Standard 2120 - Risk Management , which requires management to implement and monitor risk mitigation controls.

  Why Other Options Are Incorrect:

  Option B: Dedicate sufficient security resources: This is the responsibility of executive management, as they control resource allocation.

  Option C: Provide oversight to the security function: The board and executive management provide oversight, not line management.

  Option D: Assess information control environments: Internal auditors assess control environments, ensuring compliance and effectiveness.

  IIA Standards and References:

  IIA Standard 2110 - Governance: Emphasizes the board's role in overseeing security.

  IIA Standard 2120 - Risk Management: States that management must monitor security risks.

  IIA GTAG (Global Technology Audit Guide) on Information Security (2016): Outlines that line management is responsible for monitoring security controls on a daily basis.

  Thus, the correct answer is A: Review and monitor security controls.

• Question 1152:

  Which of the following best describes an objective for an audit of an environmental management system?

  A. To assess whether an annual control review is necessary.
  B. To determine conformance with requirements and agreements.
  C. Toevaluate executive management oversight.
  D. Topromote environmental awareness.
  B. To determine conformance with requirements and agreements.

  ---

  Explanation

• Question 1153:

  Line and staff positions are most likely to be in conflict because:

  A. Line managers have no authority over staff employees.
  B. Staff managers consider line managers' functional authority threatening to staff managers' own authority.
  C. Line managers believe that staff managers are resistant to line managers' advice.
  D. Staff managers dislike relying on line expertise.
  A. Line managers have no authority over staff employees.

  ---

  Explanation

  Line managers are directly responsible for achieving the organization's objectives, but staff managers are not directly accountable. However, line managers may have no authority to influence staff behavior when it is inconsistent with the achievement of objectives.

• Question 1154:

  Which of the following is a logical access control designed to enhance the security of a computer-based application system?

  A. User accounts will be locked alter three unsuccessful attempts to access the system
  B. Users will not be allowed to use any of their last five passwords to access the system
  C. Users will be assigned rights to access the system based on their job responsibilities
  D. Users will automatically lose access to the system after 15 minutes of inactivity
  B. Users will not be allowed to use any of their last five passwords to access the system

  ---

  Explanation

• Question 1155:

  Which of the following is an example of an application system control?

  A. Data values fall within a prescribed range.
  B. Error listings are generated and promptly remediated.
  C. Report distribution is restricted to authorized personnel.
  D. Field amounts contain an upper or lower limit.
  A. Data values fall within a prescribed range.

  ---

  Explanation

• Question 1156:

  Which of the following would be a concern related to the authorization controls utilized for a system?

  A. Users can only see certain screens in the system.
  B. Users are making frequent password change requests.
  C. Users Input Incorrect passwords and get denied system access
  D. Users are all permitted uniform access to the system.
  D. Users are all permitted uniform access to the system.

  ---

  Explanation

  Authorization controls ensure that users have appropriate access levels based on their roles and responsibilities. The primary concern arises when all users have uniform access , as it violates the principle of least privilege (PoLP) and increases the risk of unauthorized access and data breaches .

  (A)

  Users can only see certain screens in the system.

  Incorrect. This is a good security practice , as it limits user access based on job roles, preventing unauthorized access to sensitive information.

  (B)

  Users are making frequent password change requests.

  Incorrect. Frequent password resets might indicate poor password management but are not directly related to authorization controls.

  (C)

  Users input incorrect passwords and get denied system access.

  Incorrect. This indicates authentication issues, not an authorization control concern. If users are denied access due to incorrect passwords, the system's authentication mechanisms are working correctly.

  (D)

  Users are all permitted uniform access to the system.

  Correct. Authorization should be role-based, meaning different users should have different levels of access depending on their responsibilities. Uniform access violates security best practices and increases the risk of fraud, data misuse, and

  compliance violations.

  IIA GTAG "Identity and Access Management" emphasizes that authorization controls should be based on job functions to prevent unnecessary exposure to sensitive data.

  IIA Standard 2120 - Risk Management highlights the importance of access control policies to mitigate cybersecurity risks.

  IIA GTAG - "Identity and Access Managemen";

  IIA Standard 2120 - Risk Management COBIT Framework - Access Control and Identity Management Analysis of Answer Choices:IIA References:Thus, the correct answer is D , as uniform access across all users is a major security concern in authorization control.

• Question 1157:

  An organization accomplishes its goal to obtain a 40 percent share of the domestic market, but is unable to get the desired return on investment and output per hour of labor. Based on this information, the organization is most likely focused on which of the following?

  A. Capital investment and not marketing.
  B. Marketing and not capital investment.
  C. Efficiency and not input economy.
  D. Effectiveness and not efficiency.
  D. Effectiveness and not efficiency.

  ---

  Explanation

• Question 1158:

  A manager who is authorized to make purchases up to a certain dollar amount approves the set-up of a fictitious vendor and subsequently initiates purchase orders.

  Which of the following controls would best address this risk?

  A. Establish separate vendor creation and approval teams.
  B. Develop and distribute a code of conduct that prohibits conflicts of interest.
  C. Perform a regular review of the vendor master file.
  D. Require submission of a conflict-of-interest declaration.
  B. Develop and distribute a code of conduct that prohibits conflicts of interest.

  ---

  Explanation

• Question 1159:

  According to IIA guidance, which of the following is the correct order to conduct a business impact analysis (BIA) for the potential loss of an organization's network services'?

  1. identify resources and partners to provide required recovery services

  2. Identify the business processes supporting the network functionality

  3. Obtain approval of the BIA from the operating managers relative to their areas of responsibility

  4. Identify the business impact if the network services cannot be performed

  A. 1, 2, 3, 4
  B. 2, 1, 4, 3
  C. 2, 4, 1, 3
  D. 4, 2, 1, 3
  B. 2, 1, 4, 3

  ---

  Explanation

• Question 1160:

  All of the following statements about communication are true except:

  A. Written communication inhibits feedback.
  B. Managers spend more of their workday involved in oral communication than written communication.
  C. Written communication provides a permanent record.
  D. Written communication is usually better when the message is non-routine and personal.
  D. Written communication is usually better when the message is non-routine and personal.

  ---

  Explanation

  Written communication is usually better when the message is routine and impersonal. A nonroutine message can be better communicated orally. Written communication also offers the advantage of providing a permanent record of the message, but it inhibits immediate feedback because the two parties are not in direct contact. Breakthroughs in electronic technology, such as computers that can recognize the human voice, may in the future blur the distinction between oral and written communication.