IIA IIA-CIA-PART3 Online Practice Questions and Exam Preparation

IIA IIA-CIA-PART3 Online Questions & Answers

• Question 1301:

  Given the information below, which organization is in the weakest position to pay short-term debts? Organization A: Current assets constitute $1,200,000; Current liabilities are $400,000 Organization B: Current assets constitute $1,000,000; Current liabilities are $1,000,000 Organization C: Current assets constitute $900,000; Current liabilities are $300,000 Organization D: Current assets constitute $1,000,000; Current liabilities are $250,000

  A. Organization A
  B. Organization B
  C. Organization C
  D. Organization D
  B. Organization B

  ---

  Explanation

  IIA Business Knowledge for Internal Auditing, Financial Ratios section.

• Question 1302:

  For the past several years, many organizations have attempted to reduce administrative costs and respond more rapidly to customer and competitive demands. One method is to eliminate layers of middle management. The element of organizational structure affected by such reductions is:

  A. Spatial differentiation.
  B. Formalization.
  C. Vertical differentiation.
  D. Formalization of jobs.
  C. Vertical differentiation.

  ---

  Explanation

  Vertical differentiation concerns the depth of the organizational hierarchy. The greater the number of levels, the more complex the organization, the greater the potential for information distortion, the more difficult the coordination of management activities, and the slower and less effective the response to changing conditions.

• Question 1303:

  Job enrichment is a motivational approach used by management that:

  A. Emphasizes the need for close supervision.
  B. Is based on Maslow's analysis of survival needs.
  C. Is based on Herzberg's analysis of factors extrinsic to the work.
  D. Applies the principle of worker participation.
  D. Applies the principle of worker participation.

  ---

  Explanation

  Job enrichment increases the scope of boring, repetitive tasks by using more of the employee's skills and allowing the employee more power to make decisions concerning the job, such as order of tasks, etc. Thus, it encourages worker participation in decisions previously made by management.

• Question 1304:

  A firm may decide to enter a new business by creating a new entity. After undertaking a structural analysis, the internal entrant chooses an appropriate target industry. The most likely target is an industry in which the entrant:

  A. Will have to develop its own distribution network.
  B. Can raise mobility barriers after entry.
  C. Will not have to compete with a dominant firm that seeks to protect the industry.
  D. Calculates that the costs of retaliation to existing firms are less than the benefits.
  B. Can raise mobility barriers after entry.

  ---

  Explanation

  A distinctive ability to influence industry structure is another basis for earning above- average profits. Thus, an ability to raise mobility barriers after the firm has entered the industry is a reason to target that industry. Moreover, a firm may be able to recognize that entering a fragmented industry will start a process of consolidation and increased entry barriers.

• Question 1305:

  The board is considering outsourcing the internal audit function to an external service provider. Which of the following would always remain the responsibility of the organization?

  A. Ongoing monitoring of the quality of internal audit documents
  B. Defining audit scopes sufficient to achieve the engagements' objectives
  C. Maintaining a quality assurance and improvement program
  D. Assessment of organizational risks for the annual audit plan
  D. Assessment of organizational risks for the annual audit plan

  ---

  Explanation

  Even if the internal audit activity is outsourced, the organization's senior management and the board retain overall responsibility for governance, risk management, and control processes. Specifically, management must ensure that an annual

  risk assessment is performed to identify and prioritize organizational risks. This forms the basis of the internal audit plan.

  While the external service provider may assist in planning and execution, the assessment of risks to the organization cannot be delegated away because accountability for risk management remains with the organization itself. Activities such

  as quality assurance programs or audit scope discussions can be supported or executed by the service provider, but responsibility for risk assessment is always with management and the board.

  IIA Standards - Standard 2070: External Service Provider and Organizational Responsibility for Internal Auditing.

• Question 1306:

  Which of the following cybersecurity-related activities is most likely to be performed by the second line of defense?

  A. Deploy intrusion detection systems and conduct penetration testing
  B. Administer security procedures, training, and testing.
  C. Monitor incidents, key risk indicators, and remediation
  D. implement vulnerability management with internal and external scans.
  B. Administer security procedures, training, and testing.

  ---

  Explanation

• Question 1307:

  The concurrent action of basic competitive forces as defined by Porter's model determines the

  A. Long-term profitability and the competitive intensity of the industry.
  B. Entrance barriers that potential players must face to get into the industry.
  C. Rivalry inside the industry.
  D. Strategy that a firm should follow to achieve its objectives.
  A. Long-term profitability and the competitive intensity of the industry.

  ---

  Explanation

  Michael E. Porter, a leader in the field of strategic management, has developed a comprehensive model of the structure of industries and competition. One feature is his analysis of the five competitive forces that determine long-term profitability measured by long-term return on investment. This analysis determines the attractiveness of an industry.

• Question 1308:

  The belief that successful leadership occurs when the leader's style matches the situation is the basis for:

  A. The contingency approach to leadership.
  B. The managerial-grid model of leadership.
  C. A behavioral approach to leadership.
  D. An achievement-oriented approach to leadership theories.
  A. The contingency approach to leadership.

  ---

  Explanation

  According to Fred E. Fiedler's contingency theory, people become leaders not only because of personality attributes, but also because of various situational factors and the interaction between the leaders and the situation. Thus, the right person at the right time may rise to a position of leadership if his/her personality and the needs of the situation complement each other. The same person might not become a leader in different circumstances because of failure to interact successfully with that situation. The contingency theory model has three dimensions. (1) Position power is a function of the formal authority structure. It is the degree to which the position held enables a leader to evaluate, reward, sanction, or promote the group members independent of other sources of power, such as personality or expertise. (2) Task structure is how clearly and carefully members' responsibilities for various tasks are defined. Quality of performance is more easily controlled when tasks are clearly defined. (3) Leadermember relations reflect the extent to which group members like, trust, and are willing to follow a leader.

• Question 1309:

  An intruder posing as the organization's CEO sent an email and tricked payroll staff into providing employees' private tax information. What type of attack was perpetrated?

  A. Boundary attack.
  B. Spear phishing attack.
  C. Brute force attack.
  D. Spoofing attack.
  B. Spear phishing attack.

  ---

  Explanation

  A spear phishing attack is a highly targeted email-based attack where an attacker impersonates a trusted individual (e.g., the CEO) to trick recipients into providing sensitive information.

  In this scenario, an intruder posed as the CEO and deceived payroll staff into sharing employees' private tax information .

  Spear phishing is more targeted than general phishing , often using personal details to make the fraudulent request seem legitimate.

  Option A. Boundary attack. (Incorrect)

  A boundary attack refers to attempts to breach an organization's network perimeter defenses , such as firewalls and intrusion detection systems.

  This scenario describes a social engineering attack , not a technical boundary attack.

  Option B. Spear phishing attack. (Correct)

  Spear phishing attacks are highly personalized email attacks , usually targeting specific employees within an organization.

  Attackers research their targets and use realistic messages to trick them into divulging sensitive data.

  This fits the scenario, as the attacker impersonated the CEO to steal tax information.

  Option C. Brute force attack. (Incorrect)

  A brute force attack involves systematically guessing passwords to gain unauthorized access to systems.

  This attack was based on deception, not password cracking .

  Option D. Spoofing attack. (Incorrect, but closely related)

  Email spoofing is a technique where an attacker falsifies the sender's email address .

  While spear phishing often includes spoofing , the broader technique used here is spear phishing , as it involved social engineering and deception.

  IIA GTAG 16 - Security Risk: IT and Cybersecurity discusses phishing and social engineering threats, emphasizing internal controls to mitigate them.

  IIA Standard 2120 - Risk Management highlights the need for risk assessments in cybersecurity, including employee awareness training for phishing attacks.

  National Institute of Standards and Technology (NIST) Special Publication 800-61 classifies spear phishing as a high-risk cyber threat to organizations.

• Question 1310:

  Which of the following is an example of a phishing attack?

  A. An employee receives an email that appears to be from the organization's bank, though it is not. The employee replies to the email and sends the requested confidential information.
  B. An organization's website has been hacked. The hacker added political content that is not consistent with the organization's views.
  C. An organization's systems have been compromised by malicious software. The software locks the organization's operating system until d ransom is paid.
  D. An organization's communication systems have been intercepted. A communication session is controlled by an unauthorized third party.
  A. An employee receives an email that appears to be from the organization's bank, though it is not. The employee replies to the email and sends the requested confidential information.

  ---

  Explanation