IIA IIA-CIA-PART3 Online Practice Questions and Exam Preparation

IIA IIA-CIA-PART3 Online Questions & Answers

• Question 311:

  Dual reporting is most characteristic of which method of departmentation?

  A. Territorial.
  B. Functional.
  C. Product.
  D. Matrix.
  D. Matrix.

  ---

  Explanation

  A matrix organization consists of a project team of people from various functional areas within the organization. These specialists report simultaneously to the project manager and the managers of their functional departments. At the end of the project, the team is disbanded.

• Question 312:

  If the chief audit executive (CAE) observes that an international wire was approved to transfer funds to a country embargoed by the government, which of the following would be the most appropriate first step for the CAE to take?

  A. Track the wire and perform ongoing monitoring
  B. Discuss the issue with management
  C. Immediately report the transaction to the regulatory authorities
  D. Report the transaction to the audit committee
  B. Discuss the issue with management

  ---

  Explanation

  When internal audit identifies a serious issue, the CAE must first discuss the matter with management to confirm facts and obtain explanations. If the issue remains unresolved or poses unacceptable risk, it is then escalated to senior

  management, the board, and regulators as required. Direct reporting to regulators (Option C) or the audit committee (Option D) without first engaging management bypasses proper escalation. Option A (ongoing monitoring) delays action on a

  compliance breach.

  IIA Standards - Standard 2600: Communicating the Acceptance of Risks.

• Question 313:

  Which of the following are typical responsibilities for operational management within a risk management program?

  1. Implementing corrective actions to address process deficiencies.

  2. Identifying shifts in the organization's risk management environment.

  3. Providing guidance and training on risk management processes.

  4. Assessing the impact of mitigation strategies and activities.

  A. 1 and 2 only
  B. 1 and 4 only
  C. 2 and 3 only
  D. 3 and 4 only
  B. 1 and 4 only

  ---

  Explanation

• Question 314:

  An internal audit uncovered high-risk issues that needed to be addressed by the organization. During the exit conference, the audit team discussed the high-risk issues with the manager responsible for addressing them. How should the chief audit executive respond if the manager agrees to correct the issues identified during the audit?

  A. Include in the report that management has agreed to address the issue and set a date for follow-up
  B. Include an assignment in the annual internal audit plan to perform a follow-up audit
  C. Discuss the audit observation with senior management
  D. Solicit input from management and create the action plan
  A. Include in the report that management has agreed to address the issue and set a date for follow-up

  ---

  Explanation

  When management agrees to address audit issues, the CAE must ensure that the final report documents management's agreement and corrective action plan, including implementation timelines. This ensures accountability and enables

  proper follow-up monitoring.

  Option B (follow-up engagement) may happen later, but the first step is proper documentation. Option C is unnecessary since management already agreed to corrective action. Option D is inappropriate because it is management's

  responsibility to develop and own the action plan, not internal audit's.

  IIA Standards - Standard 2410: Criteria for Communicating; Standard 2500: Monitoring Progress.

• Question 315:

  When planning for successful negotiations, the negotiator should:

  A. Understand the implications for both sides if the negotiation fails.
  B. Concentrate solely on the issues in the negotiation at hand.
  C. Not deviate from stated positions.
  D. Depend on the initial research prepared for the negotiation.
  A. Understand the implications for both sides if the negotiation fails.

  ---

  Explanation

  Negotiators should assess the best alternatives for both themselves and the other parties to determine their relative strength in the negotiation process. If alternatives are not readily available or are unattractive, a party is under additional pressure to make the negotiation work.

• Question 316:

  Backward integration strategy is most appropriate when the firm's current suppliers are:

  A. Highly reliable.
  B. Not reliable.
  C. Geographically dispersed.
  D. Geographically concentrated.
  B. Not reliable.

  ---

  Explanation

  Backward integration is appropriate when the firm's current suppliers are unreliable. Stable relationships between internal sellers and buyers create economies because they need not fear loss of the related buyers and sellers. They also need not fear undue economicpressure from each other. Furthermore, because the relationship is locked in, more efficient procedures for their relationship (e.g., dedicated controls and records) may be implemented. Another advantage is that internal sellers and buyers may more fully adapt to each other's needs than they would or could in dealings with outsiders.

• Question 317:

  The manager of a team of actuaries has been asked to develop the basic pricing structure for a new health insurance product. The team has successfully designed other pricing structures in recent years. The manager was assigned to the team 6 months ago that is the best leadership style for the manager of this team?

  A. Directive.
  B. Supportive.
  C. Participative.
  D. Achievement-oriented.
  C. Participative.

  ---

  Explanation

• Question 318:

  At a manufacturing plant, how would using Internet of Things during the production process benefit the organization?

  A. It would provide the ability to monitor in real-time.
  B. It would assist in securing sensitive data.
  C. It would help detect cyberattacks in a more timely fashion.
  D. It would assist in ensuring that data integrity is maintained.
  A. It would provide the ability to monitor in real-time.

  ---

  Explanation

• Question 319:

  Which of the following local area network physical layouts is subject to the greatest risk of failure if one device fails?

  A. Star network.
  B. Bus network.
  C. Token ring network.
  D. Mesh network.
  C. Token ring network.

  ---

  Explanation

• Question 320:

  Which of the following should be included in a data privacy poky?

  1. Stipulations for deleting certain data after a specified period of time.

  2. Guidance on acceptable methods for collecting personal data.

  3. A requirement to retain personal data indefinitely to ensure a complete audit trail,

  4. A description of what constitutes appropriate use of personal data.

  A. 1 and 2 only
  B. 2 and 3 only
  C. 1, 2 and 4 only
  D. 2, 3, and 4 only
  C. 1, 2 and 4 only

  ---

  Explanation

  A data privacy policy outlines how an organization collects, stores, processes, and protects personal data. It should comply with global data protection regulations such as GDPR, CCPA, and IIA guidelines on data security.

  (1)

  Stipulations for deleting certain data after a specified period of time.

  Correct. Many data protection laws (e.g., GDPR Article 5 ) require organizations to delete personal data after a defined retention period to reduce data breach risks.

  (2)

  Guidance on acceptable methods for collecting personal data.

  Correct. A privacy policy must define legal and ethical ways to collect personal data (e.g., user consent, lawful processing).

  (3)

  A requirement to retain personal data indefinitely to ensure a complete audit trail.

  Incorrect. Retaining personal data indefinitely violates most data privacy regulations (e.g., GDPR Right to Be Forgotten ). Data must be stored only for as long as necessary.

  (4)

  A description of what constitutes appropriate use of personal data.

  Correct. A privacy policy should clearly define how collected data can and cannot be used to prevent misuse and ensure compliance.

  IIA GTAG - "Auditing Privacy Risk";

  IIA Standard 2110 - "Governance (Data Protectionand; Privacy)

  GDPR (General Data Protection Regulation) - "Articles 5and; 17 (Data Retentionand; Deletion)

  Analysis of Answer Choices:IIA References:Thus, the correct answer is C (1, 2, and 4 only) because data should not be retained indefinitely , and the policy must include data collection, retention, and appropriate usage guidelines .