IIA IIA-CIA-PART3 Online Practice Questions and Exam Preparation

IIA IIA-CIA-PART3 Online Questions & Answers

• Question 371:

  Which of the following best describes a detective control designed to protect an organization from cyberthreats and attacks?

  A. A list of trustworthy, good traffic and a list of unauthorized, blocked traffic.
  B. Monitoring for vulnerabilities based on industry intelligence.
  C. Comprehensive service level agreements with vendors.
  D. Firewall and other network perimeter protection tools.
  D. Firewall and other network perimeter protection tools.

  ---

  Explanation

• Question 372:

  Which of the following differentiates a physical access control from a logical access control?

  A. Physical access controls secure tangible IT resources, whereas logical access controls secure software and data internal to the IT system.
  B. Physical access controls secure software and data internal to the IT system, whereas logical access controls secure tangible IT resources.
  C. Physical access controls include firewalls, user IDs, and passwords, whereas logical access controls include locks and security guards.
  D. Physical access controls include input processing and output controls, whereas logical access controls include locked doors and security guards.
  A. Physical access controls secure tangible IT resources, whereas logical access controls secure software and data internal to the IT system.

  ---

  Explanation

  Comprehensive and Detailed In-Depth Explanation:

  Physical access controls are security measures designed to prevent unauthorized physical access to tangible IT resources, such as computer hardware, servers, and networking equipment. Examples include locks, security guards, and biometric access systems. In contrast, logical access controls protect access to software and data within the IT system, ensuring that only authorized users can interact with digital resources. These controls include mechanisms like user IDs, passwords, firewalls, and encryption. Option A accurately captures this distinction, whereas the other options either reverse the definitions or misclassify examples of physical and logical controls.

• Question 373:

  Which of the following best describes the job design strategy used by the chief audit executive that encourages internal auditors to manage engagements from the beginning to the end?

  A. Job sharing.
  B. Job shadowing.
  C. Job enrichment.
  D. Job rotation.
  C. Job enrichment.

  ---

  Explanation

• Question 374:

  An organization's account for office supplies on hand had a balance of $9,000 at the end of year one. During year two, the organization recorded an expense of $45,000 for purchasing office supplies. At the end of year two, a physical count determined that the organization has $11,500 in office supplies on hand. Based on this information, what would be recorded in the adjusting entry at the end of year two?

  A. A debit to office supplies on hand for $2,500
  B. A debit to office supplies on hand for $11,500
  C. A debit to office supplies on hand for $20,500
  D. A debit to office supplies on hand for $42,500
  A. A debit to office supplies on hand for $2,500

  ---

  Explanation

• Question 375:

  When auditing databases, which of the following risks would an Internal auditor keep in mind in relation to database administrators?

  A. The risk that database administrators will disagree with temporarily preventing user access to the database for auditing purposes.
  B. The risk that database administrators do not receive new patches from vendors that support database software in a timely fashion.
  C. The risk that database administrators set up personalized accounts for themselves, making the audit time consuming.
  D. The risk that database administrators could make hidden changes using privileged access.
  D. The risk that database administrators could make hidden changes using privileged access.

  ---

  Explanation

  Database administrators (DBAs) have privileged access, meaning they can make unauthorized or hidden changes to data, database structures, and security settings without detection. This presents a high risk of fraud, data manipulation, and

  security breaches.

  Option A: The risk that database administrators will disagree with temporarily preventing user access to the database for auditing purposes. (Incorrect)

  While resistance from DBAs during an audit can be a challenge, it is not a significant risk compared to the ability to manipulate data unnoticed.

  Option B: The risk that database administrators do not receive new patches from vendors that support database software in a timely fashion. (Incorrect)

  Patch management is a security concern but does not directly relate to the unique risk of DBAs abusing privileged access .

  Option C: The risk that database administrators set up personalized accounts for themselves, making the audit time-consuming. (Incorrect)

  While personal accounts can complicate audits, the greater risk is that DBAs can make changes without detection.

  IIA GTAG 4 - Management of IT Auditing emphasizes the need for controls over privileged access to prevent unauthorized database modifications.

  IIA Standard 2110 - Governance requires internal auditors to assess risks related to IT governance and privileged access management .

  IIA GTAG 8 - Auditing Application Controls highlights that auditors must review DBA activity logs and ensure segregation of duties.

  Explanation of Answer Choices:IIA References:Thus, the correct answer is D. The risk that database administrators could make hidden changes using privileged access.

• Question 376:

  Management has established a performance measurement focused on the accuracy of disbursements. The disbursement statistics, provided daily to all accounts payable and audit staff, include details of payments stratified by amount and frequency.

  Which of the following is likely to be the greatest concern regarding this performance measurement?

  A. Articulation of the data.
  B. Availability of the data.
  C. Measurability of the data.
  D. Relevance of the data.
  D. Relevance of the data.

  ---

  Explanation

• Question 377:

  An advisable strategy for a participant in a meeting of the employees would be to:

  A. Read the agenda and supporting materials for the meeting during the early part of the meeting to prepare for later discussion.
  B. Present strong opinions on one side of a proposal right away.
  C. Present views as trial balloons that can be researched later.
  D. Consider the opinions and information needs of other participants before speaking.
  D. Consider the opinions and information needs of other participants before speaking.

  ---

  Explanation

  Analyzing the audience assists a speaker to gather the right information for the meeting. Moreover, understanding the other participants' opinions and needs enables the speaker to express his/her ideas in the way best calculated to be persuasive.

• Question 378:

  The internal auditor concluded there was a high likelihood that a significant wind farm development, worth $200 million, would be delayed from its approved schedule. As a result, electricity production would not start on time, leading to considerable financial penalties.

  Which of the following should be added to the observation to support its clarity and completeness?

  A. The effect of the observation
  B. The criteria of the observation
  C. The condition of the observation
  D. The cause of the observation
  D. The cause of the observation

  ---

  Explanation

  Audit observations should include condition, criteria, cause, and effect. In this case, the condition (delay risk), criteria (schedule), and effect (penalties) are already presented. What is missing is the cause--the underlying reason for the project

  delay. Identifying the cause ensures recommendations address the root of the problem.

  IIA Practice Guide - Audit Findings: Condition, Criteria, Cause, Effect, and Recommendation.

• Question 379:

  Which of the following cost of capital methods identifies the time period required to recover the cost of the capital investment from the annual inflow produced?

  A. Cash payback technique.
  B. Annual rate of return technique.
  C. Internal rate of return method.
  D. Net present value method.
  A. Cash payback technique.

  ---

  Explanation

• Question 380:

  An internal auditor has completed the fieldwork of an assurance engagement on the organization's business continuity. The most significant finding is that business requirements were left up to the IT function to decide and implement. As a result, the time to recovery for some critical systems following a disruption is too long, while recovery time of non-critical systems is needlessly prioritized at a significant cost.

  Which of the following is the most appropriate recommendation to include in the engagement report?

  A. Management of business units should review and correct the recovery targets
  B. Conduct an IT function review and correct the recovery targets
  C. Management of the IT function should ensure that the business continuity plan is more realistic
  D. Ensure that in the future business requirements are set by the management of business units
  D. Ensure that in the future business requirements are set by the management of business units

  ---

  Explanation

  Business continuity planning must be driven by business requirements, not IT decisions. The most appropriate recommendation is to ensure that management of business units determines recovery objectives and priorities, since they

  understand the criticality of operations. IT then implements solutions based on these business requirements.

  Option A addresses current targets but does not correct the root cause. Options B and C focus only on IT, which is not responsible for defining business needs.

  IIA Standards - Standard 2130: Control; Global Technology Audit Guide (GTAG): Business Continuity Management.