IIA IIA-CIA-PART3 Online Practice Questions and Exam Preparation

IIA IIA-CIA-PART3 Online Questions & Answers

• Question 1341:

  While conducting an audit of the accounts payable department, an internal auditor found that 3% of payments made during the period under review did not agree with the submitted invoices. Which of the following key performance indicators (KPIs) for the department would best assist the auditor in determining the significance of the test results?

  A. A KPI that defines the process owner's tolerance for performance deviations.
  B. A KPI that defines the importance of performance levels and disbursement statistics being measured.
  C. A KPI that defines timeliness with regard to reporting disbursement data errors to authorized personnel.
  D. A KPI that defines operating ratio objectives of the disbursement process.
  A. A KPI that defines the process owner's tolerance for performance deviations.

  ---

  Explanation

• Question 1342:

  An organization has decided to allow its managers to use their own smart phones at work. With this change, which of the following is most important to include in the IT department's comprehensive policies and procedures?

  A. Required documentation of process for discontinuing use of the devices.
  B. Required removal of personal pictures and contacts.
  C. Required documentation of expiration of contract with service provider.
  D. Required sign-off on confiict of interest statement.
  A. Required documentation of process for discontinuing use of the devices.

  ---

  Explanation

• Question 1343:

  Which of the following information security controls has the primary function of preventing unauthorized outside users from accessing an organization's data through the organization's network?

  A. Firewall.
  B. Encryption.
  C. Antivirus.
  D. Biometrics.
  A. Firewall.

  ---

  Explanation

  A firewall is a network security device that monitors and controls incoming and outgoing network traffic based on predefined security rules. It is the primary control for preventing unauthorized external access to an organization's network,

  making it the best answer.

  Option A: Firewall (Correct Answer) - Firewalls prevent unauthorized access by filtering traffic, blocking malicious connections, and securing the network perimeter.

  Option B: Encryption - While encryption protects data confidentiality, it does not actively prevent unauthorized access to a network.

  Option C: Antivirus - Antivirus software protects against malware and viruses but does not prevent unauthorized network access .

  Option D: Biometrics - Biometrics controls physical or logical access (e.g., fingerprint authentication) but does not secure a network from external threats .

  IIA GTAG 15 - Information Security Governance highlights firewalls as a critical security control for network protection.

  IIA IPPF Standard 2110 - Governance emphasizes the need for network security policies that include firewalls.

  NIST SP 800-41 Rev.1 - Guidelines on Firewalls and Firewall Policy states that firewalls are the first line of defense in securing organizational networks.

• Question 1344:

  A firm should state its primary competitive scopes when it:

  A. Defines its strategic business units (SBUs).
  B. Establishes strategic control points.
  C. Formulates its mission.
  D. Makes investment and divestment decisions.
  C. Formulates its mission.

  ---

  Explanation

  At the highest level, a firm's strategic planning function involves formulating its mission (ultimate firm purposes and directions), determining its strategic business units (SBUs), allocating resources to SBUs, planning to start new businesses, and downsizing or divesting oldbusinesses. A mission statement should address reasonably limited objectives, define the firm's major policies and values, and state the firm's primary competitive scopes (e.g., industries, products and services, applications, core competencies, market segments, degree of vertical integration, and geographic markets).

• Question 1345:

  The form of departmentation that most readily lends itself to use of profit centers is:

  A. Project.
  B. Functional.
  C. Product.
  D. Matrix.
  C. Product.

  ---

  Explanation

  Departmentation by product is growing in importance for multiline, large-scale enterprises. It is an outgrowth of functional departmentation and permits extensive authority for a division executive over a given product or product line. Its advantages include better use of specialized resources and skills, ease of coordination of the activities for a given product, and simpler assignment of profit responsibility. It is compatible with a decentralization strategy and provides, via product profit centers, a basis for allocating capital more efficiently.

• Question 1346:

  Which of the following best describes the type of control provided by a firewall?

  A. Corrective
  B. Detective
  C. Preventive
  D. Discretionary
  C. Preventive

  ---

  Explanation

  A firewall is a security control mechanism designed to prevent unauthorized access to or from a private network. It monitors and filters incoming and outgoing network traffic based on predefined security rules.

  Definition of Control Types:

  Preventive Control: Stops an undesirable event from occurring.

  Detective Control: Identifies and records events after they have happened.

  Corrective Control: Takes action to correct an issue after it has been detected.

  Discretionary Control: Provides access control based on user discretion.

  Why a Firewall is a Preventive Control:

  Firewalls block unauthorized access to protect networks before a security breach can occur.

  They enforce security policies in real-time , preventing cyber threats such as malware, intrusions, and unauthorized data access.

  As per IIA GTAG (Global Technology Audit Guide) on Information Security , firewalls are categorized as preventive controls because they proactively mitigate threats before they materialize.

  Why Not Other Options?

  Option A. Corrective: Firewalls do not correct security breaches; they prevent them .

  Option B. Detective: Firewalls do not just detect threats but actively block them.

  Option D. Discretionary: Firewalls operate based on preset security rules rather than user discretion.

  IIA GTAG - Information Security

  IIA Standard 2110 - IT Governanceand; Risk Management

  Step-by-Step Justification:IIA References: Thus, the correct and verified answer is C. Preventive .

• Question 1347:

  Which of the following statements is true regarding user-developed applications (UDAs)?

  A. UDAs are less flexible and more difficult to configure than traditional IT applications.
  B. Updating UDAs may lead to various errors resulting from changes or corrections.
  C. UDAs typically are subjected to application development and change management controls.
  D. Using UDAs typically enhances the organization's ability to comply with regulatory factors.
  B. Updating UDAs may lead to various errors resulting from changes or corrections.

  ---

  Explanation

• Question 1348:

  Which of the following statements is correct regarding risk analysis?

  A. The extent to which management judgments are required in an area could serve as a risk factor in assisting the auditor in making a comparative risk analysis.
  B. The highest risk assessment should always be assigned to the area with the largest potential loss.
  C. The highest risk assessment should always be assigned to the area with the highest probability of occurrence.
  D. Risk analysis must be reduced to quantitative terms in order to provide meaningful comparisons across an organization.
  A. The extent to which management judgments are required in an area could serve as a risk factor in assisting the auditor in making a comparative risk analysis.

  ---

  Explanation

• Question 1349:

  A company that supplies medications to large hospitals relies heavily on subcontractors to replenish any shortages within 24 hours. Where should internal auditors look for evidence that subcontractors are held responsible for this obligation?

  A. The company's code of ethics.
  B. The third-party management risk register.
  C. The signed service-level agreement.
  D. The subcontractors' annual satisfaction survey.
  C. The signed service-level agreement.

  ---

  Explanation

• Question 1350:

  Which of the following devices translates the intended message into the sender's chosen communication form?

  A. Transmitter.
  B. Encoder.
  C. Channels.
  D. Decoder.
  B. Encoder.

  ---

  Explanation

  The encoder is a device used to translate the sender's message into an appropriate form of communication. This communication form is selected by the sender of the message. The device may be verbal, written, or nonverbal, such as facial

  expressions or voice inflections.

  Computers are often used as encoders.