Free Practice Questions for IIA IIA-CIA-Part3 Exam

The first step in a project management plan is to break the project into manageable components, known as Work Breakdown Structure (WBS). This step ensures clarity, task allocation, and effective tracking.

(A) Estimate time required to complete the whole project.

Incorrect: Time estimation comes after breaking the project into smaller tasks.

(B) Determine the responses to expected project risks.

Incorrect: Risk management is important but is planned after defining project tasks and scope.

(C) Break the project into manageable components. (Correct Answer)

Dividing the project into smaller tasks (WBS) helps in resource allocation, scheduling, and risk assessment.

IIA GTAG 12 – Project Risk Management suggests using WBS to define tasks clearly.

(D) Identify resources needed to complete the project.

Incorrect: Resources can only be allocated effectively after defining project components.

IIA GTAG 12 – Project Risk Management: Recommends Work Breakdown Structure (WBS) as the first step in project planning.

PMBOK (Project Management Body of Knowledge): Defines WBS as the foundation of project planning.

Analysis of Each Option:IIA References Supporting the Answer:Thus, the correct answer is (C) Break the project into manageable components, as this is the first step in structuring and planning a successful project.

A focus strategy targets a specific market segment, geographical area, or niche customer base rather than competing in the entire market.

Why Option D (Focus strategy) is Correct:

The car manufacturer introduced a hybrid vehicle specifically for the European market to address increasing emission taxes, meaning they are focusing on a specific region and customer need.

Focus strategy aims at tailoring products to meet the needs of a particular group of consumers (e.g., environmentally conscious European customers).

Why Other Options Are Incorrect:

Option A (Reactive strategy):

Incorrect because while the company is responding to regulatory changes, "reactive strategy" is not a recognized competitive strategy under Porter’s model.

Option B (Cost leadership strategy):

Incorrect because cost leadership focuses on minimizing costs and offering the lowest price in the broad market. This scenario does not emphasize cost reduction.

Option C (Differentiation strategy):

Incorrect because differentiation involves offering unique products across a broad market, whereas the hybrid vehicle is targeted specifically for the European market.

IIA Practice Guide – "Auditing Strategic Risk Management": Discusses competitive strategies, including focus strategy.

Porter's Competitive Strategy Model: Defines focus strategy as targeting a niche market.

COSO ERM Framework – "Strategic Decision-Making": Recommends market-specific focus strategies to mitigate regulatory risks.

IIA References:

Automated attacks that attempt to exploit weak or leaked passwords—such as credential stuffing, brute force attacks, and dictionary attacks—pose a significant cybersecurity risk. Implementing two-step verification (also known as multi-factor authentication, or MFA) is one of the most effective measures to mitigate these threats.

Why Two-Step Verification is Effective (B - Correct Answer)

Multi-factor authentication (MFA) adds an additional security layer beyond a password, requiring a second factor such as a one-time code sent to a mobile device, biometric authentication, or a security key.

Even if an attacker obtains a password, they cannot access the account without the second authentication factor.

The IIA Global Technology Audit Guide (GTAG) 1: Information Security Management emphasizes the use of multi-factor authentication to prevent unauthorized access.

Why Other Options Are Less Effective:

Option A: Changing passwords every two years

Ineffective because attackers often use compromised credentials that may be recent. Best practices recommend regular password updates but coupled with MFA.

The IIA's GTAG 16: Identity and Access Management highlights that password rotation alone does not fully protect against automated attacks.

Option C: Using a VPN when out of the office

Irrelevant to password attacks. A VPN encrypts data and secures network connections but does not prevent brute force or credential stuffing attacks.

The IIA GTAG 17: Auditing Network Security discusses VPNs for secure remote access but does not consider them a solution for password-based attacks.

Option D: Using antivirus and security tools

While important for overall security, these tools cannot prevent attacks that exploit stolen or weak passwords.

The IIA GTAG 15: Information Security Governance states that security tools should be combined with authentication controls like MFA for best protection.

GTAG 1: Information Security Management – Recommends multi-factor authentication to prevent unauthorized system access.

GTAG 16: Identity and Access Management – Highlights the limitations of password-only security and supports multi-factor authentication.

GTAG 17: Auditing Network Security – Covers VPN usage but does not consider it a solution for password attacks.

GTAG 15: Information Security Governance – Discusses the role of security tools and authentication in securing user accounts.

Step-by-Step Explanation:IIA References for Validation:Thus, requiring two-step verification (B) is the most effective control against automated password attacks.

Access control is about ensuring that only authorized individuals can access specific data, based on their role and necessity. The Principle of Least Privilege (PoLP) dictates that users should only have access to the data they need for their job.

Minimizes Unauthorized Access Risks – Prevents employees from accessing sensitive data unnecessarily.

Supports Segregation of Duties (SoD) – Critical in preventing fraud and security breaches.

Enhances Compliance – Meets regulatory requirements like GDPR, PCI-DSS, and SOX, which demand strict access controls.

Strengthens System Security – Reduces potential damage from malware, insider threats, or data breaches.

A. Install and update anti-virus software – Important for cybersecurity but does not directly control user access.

B. Implement data encryption techniques – Protects stored or transmitted data but does not define access rights.

D. Upgrade firewall configuration – Controls network traffic, not user-specific access within an automated system.

IIA’s GTAG on Access Management and Controls – Recommends setting data access based on user needs to prevent fraud and misuse.

COBIT 2019 (Governance and Management of Enterprise IT) – Advocates for role-based access controls.

ISO 27001 Annex A.9 (Access Control) – Stresses the importance of restricting access based on business requirements.

Why Setting Data Availability by User Need is the Best Strategy?Why Not the Other Options?IIA References:✅ Final Answer: C. Set data availability by user need.

When multiple organizations co-own shopping malls, their primary strategy is to increase market synergy, meaning they combine resources and expertise to enhance market presence, attract more customers, and improve competitive positioning.

(A) To exploit core competence.

Incorrect: Core competencies refer to unique internal capabilities, whereas co-owning shopping malls is a collaborative market strategy.

(B) To increase market synergy. (Correct Answer)

Market synergy occurs when businesses collaborate to create greater market impact than they could individually.

Shared ownership enhances customer traffic, brand reach, and business opportunities.

IIA Standard 2110 – Governance highlights the importance of strategic partnerships in achieving synergy.

(C) To deliver enhanced value.

Incorrect: While value is a benefit, the main goal of co-ownership is strategic market advantage and synergy.

(D) To reduce costs.

Incorrect: Cost reduction may be a secondary benefit, but the primary goal is market synergy through shared resources and customer base expansion.

IIA Standard 2110 – Governance: Encourages strategic collaborations for business growth.

COSO ERM – Strategy and Objective-Setting: Highlights market synergy as a key factor in strategic partnerships.

Analysis of Each Option:IIA References Supporting the Answer:Thus, the correct answer is (B) because co-ownership of shopping malls primarily aims to increase market synergy, allowing organizations to leverage shared resources and customer networks for greater market impact.

Capital budgeting techniques are used to evaluate investment projects by analyzing potential costs and benefits. One key consideration in capital budgeting is the time value of money (TVM), which states that a dollar received today is worth more than a dollar received in the future due to its earning potential.

Why Option C (Discounted cash flow) is Correct:

Discounted Cash Flow (DCF) explicitly incorporates the time value of money by discounting future cash flows to their present value.

Methods such as Net Present Value (NPV) and Internal Rate of Return (IRR) fall under DCF analysis, making them highly reliable for long-term capital budgeting decisions.

Why Other Options Are Incorrect:

Option A (Annual rate of return):

Incorrect because the annual rate of return (ARR) is based on accounting profits and does not consider the time value of money.

Option B (Incremental analysis):

Incorrect because incremental analysis is a decision-making tool that compares alternative costs and revenues but does not discount future cash flows.

Option D (Cash payback):

Incorrect because the payback period method only measures the time needed to recover an investment and ignores the time value of money.

IIA GTAG – "Auditing Capital Budgeting Decisions": Discusses the importance of time value of money in investment decisions.

COSO ERM Framework – "Risk Considerations in Financial Planning": Recommends using DCF methods for capital investment decisions.

IFRS & GAAP Financial Reporting Standards: Advocate for using DCF techniques for asset valuation and investment analysis.

IIA References:

Business continuity planning (BCP) requires a recovery strategy that minimizes downtime and ensures that critical operations resume within the organization’s desired recovery time objective (RTO).

Since the organization wants to recover within four to seven days, it does not require an expensive real-time recovery site (hot site).

The best strategy is a warm site: a pre-secured location with configurable hardware and data backups that can be activated within the required timeframe.

(A) Incorrect – A recovery strategy whereby a separate site has not yet been determined, but hardware has been reserved for purchase and data backups.

This is a cold site, requiring time for setup and hardware installation.

It does not meet the four to seven-day recovery timeframe efficiently.

(B) Incorrect – A recovery strategy whereby a separate site has been secured and is ready for use, with fully configured hardware and real-time synchronized data.

This describes a hot site, which allows instant failover with real-time synchronization.

While effective, it is costly and unnecessary for a four-to-seven-day recovery target.

(C) Incorrect – A recovery strategy whereby a separate site has been secured and the necessary funds for hardware and data backups have been reserved.

While a site has been secured, the absence of pre-configured hardware would delay recovery, making it an inefficient choice.

(D) Correct – A recovery strategy whereby a separate site has been secured with configurable hardware and data backups.

This describes a warm site, which is the best balance between cost and recovery efficiency.

Configurable hardware and data backups ensure that operations can resume within four to seven days.

IIA’s GTAG (Global Technology Audit Guide) – Business Continuity and IT Disaster Recovery

Recommends warm sites for recovery within a few days.

ISO 22301 – Business Continuity Management Systems

Defines recovery time objectives (RTOs) and site classifications (hot, warm, cold).

COBIT Framework – IT Risk Management

Guides organizations on cost-effective recovery site selection based on risk tolerance.

Analysis of Answer Choices:IIA References and Internal Auditing Standards:

To efficiently protect business data from corruption and errors, the best approach is proactive detection through validation controls. Batch total calculations help verify data integrity before approval, ensuring errors are caught early.

(A) Controls to ensure data is unable to be accessed without authorization.

Incorrect: Access controls prevent unauthorized access, but they do not detect or prevent data corruption/errors.

(B) Controls to calculate batch totals to identify an error before approval. (Correct Answer)

Batch control totals ensure that data entries match expected values before processing, helping detect errors before approval.

IIA GTAG 3 – Continuous Auditing recommends automated validation and reconciliation checks for data integrity.

(C) Controls to encrypt the data so that corruption is likely ineffective.

Incorrect: Encryption protects data confidentiality, but it does not prevent or detect errors or corruption.

(D) Controls to quickly identify malicious intrusion attempts.

Incorrect: Intrusion detection systems focus on cybersecurity, not data corruption or errors.

IIA Standard 2120 – Risk Management: Recommends controls for error prevention and early detection.

IIA GTAG 3 – Continuous Auditing: Suggests automated validation processes like batch totals to detect errors before approval.

Analysis of Each Option:IIA References Supporting the Answer:Thus, the correct answer is (B) because batch total calculations effectively detect errors before approval, ensuring data integrity.

The most recent backup is primarily used to restore lost data in the event of a system failure, data corruption, or cyberattack. If a data center failure occurs, the latest backup is the best source to recover the human resources database and resume operations.

(A) Incorrect – An incorrect program fix was implemented just prior to the database backup.

If an incorrect fix was applied before the backup, restoring the latest backup would still contain the error.

The organization would need to restore an earlier version before the faulty update.

(B) Incorrect – The organization is preparing to train all employees on the new self-service benefits system.

The latest backup is not needed for training; the live system or historical data would be used instead.

(C) Correct – There was a data center failure that requires restoring the system at the backup site.

In the event of a system failure, restoring from the most recent backup minimizes data loss and downtime.

This is the primary reason for maintaining regular backups.

(D) Incorrect – There is a need to access prior year-end training reports for all employees in the human resources database.

Historical records would likely be stored in archived backups or reports, not the latest backup.

The most recent backup contains current data, not old reports.

IIA’s GTAG (Global Technology Audit Guide) – IT Disaster Recovery and Backup Strategies

Covers the importance of backups in system restoration.

NIST Cybersecurity Framework – Data Recovery and Business Continuity

Recommends frequent backups to protect against system failures.

ISO 22301 – Business Continuity Management

Defines recovery procedures and best practices for backup site restoration.

Analysis of Answer Choices:IIA References and Internal Auditing Standards:

Organizations that rely on third-party vendors for IT services must ensure secure and controlled communication, especially in areas where external connections are involved. External connections typically include:

Cloud services (e.g., SaaS, PaaS, IaaS)

Third-party APIs

Remote access (VPNs, firewalls, network gateways)

IoT devices and external sensors

These connections introduce cybersecurity risks, requiring continuous monitoring, vendor communication, and security controls.

(A) Applications.

Incorrect. While application security is important, it is typically managed internally. Vendor involvement is needed for software patches and updates, but communication is not as tightly monitored.

(B) Technical infrastructure.

Incorrect. This layer includes internal IT components like servers, databases, and networks, which are mostly managed in-house. Vendor involvement is required for hardware/software updates but not to the same extent as external connections.

(C) External connections. ✅

Correct. External connections require tightly controlled communication with vendors to prevent security breaches, unauthorized access, and data leaks.

IIA GTAG "Auditing IT Governance" highlights third-party risk management as a key area for IT audits.

IIA Standard 2110 requires organizations to establish governance structures for vendor and IT security management.

(D) IT management.

Incorrect. IT management focuses on internal oversight of IT policies and compliance, but does not necessarily require tightly controlled vendor communication.

IIA GTAG – "Auditing IT Governance"

IIA GTAG – "Managing Third-Party Risks"

IIA Standard 2110 – Governance

Analysis of Answer Choices:IIA References: