Free Practice Questions for IIA IIA-CIA-Part3 Exam

Fixed manufacturing costs refer to costs that do not vary with the level of production activity within a relevant range. These costs include expenses such as depreciation, rent, property taxes, and salaries of permanent employees in the production facility. Their primary purpose is to ensure the availability and operational readiness of production facilities, regardless of fluctuations in production levels.

(A) Correct – To ensure availability of production facilitiesFixed manufacturing costs are incurred to maintain and operate production facilities, ensuring that they remain functional and available for production when needed. These costs exist even if no units are produced, emphasizing their role in sustaining the production infrastructure.

(B) Incorrect – To decrease direct expenses related to productionFixed manufacturing costs are unrelated to direct expenses, such as raw materials and labor, which vary with production volume. Instead, they remain constant regardless of output levels.

(C) Incorrect – To incur stable costs despite operating capacityWhile fixed costs remain stable within a relevant range, their primary purpose is not just cost stability but ensuring production facilities' availability and functionality.

(D) Incorrect – To increase the total unit cost under absorption costingUnder absorption costing, fixed manufacturing costs are allocated to units produced, affecting per-unit cost calculations. However, this is an accounting treatment rather than the core purpose of fixed manufacturing costs.

IIA’s Global Internal Audit Standards – Managing Resources Effectively

Fixed manufacturing costs ensure operational resources are available and managed efficiently.

IIA’s Guide on Cost Management and Internal Control

Highlights the role of cost structures, including fixed costs, in ensuring business continuity.

IIA’s Practice Advisory on Cost Accounting Controls

Discusses the importance of maintaining production facilities to ensure operational readiness.

Breakdown of Answer Choices:IIA References and Internal Auditing Standards:Would you like further clarification on any point?

A management action plan should include: (1) corrective action, (2) responsible personnel, and (3) implementation timeline. In this case, while the corrective action and due date are included, the responsible personnel is missing, which is critical for accountability.

Option B (status) is tracked later during follow-up. Option C (policy reference) is not mandatory. Option D (risk level) belongs to the observation, not the action plan.

When deciding whether to sell a product as-is or process it further, a manufacturer should consider only relevant costs—those that will change based on the decision.

Why Option A (Incremental processing costs, incremental revenue, and variable manufacturing expenses) is Correct:

Incremental processing costs: These are additional costs required to process the material further, making them directly relevant.

Incremental revenue: The additional revenue that would be generated if the product is processed further is a key factor in decision-making.

Variable manufacturing expenses: These costs change with production levels, making them important in the decision-making process.

Why Other Options Are Incorrect:

Option B (Joint costs, incremental processing costs, and variable manufacturing expenses):

Incorrect because joint costs (costs incurred before the split-off point) are sunk costs and are not relevant in the decision.

Option C (Incremental revenue, joint costs, and incremental processing costs):

Incorrect because, again, joint costs are not relevant to the decision.

Option D (Variable manufacturing expenses, incremental revenue, and joint costs):

Incorrect because joint costs should be ignored in a sell-or-process-further decision.

IIA GTAG – "Auditing Cost Accounting Decisions": Discusses relevant costs in decision-making.

IFRS & GAAP Cost Accounting Standards: Explain cost classification and decision-making.

COSO Internal Control – Integrated Framework: Recommends proper cost allocation methods for financial decisions.

IIA References:

A systems development methodology refers to a structured approach used in software development and systems engineering to guide the design, development, and implementation of software applications.

Why Option A (Waterfall) is Correct:

Waterfall methodology is a linear and sequential systems development methodology where each phase (e.g., requirements, design, implementation, testing, deployment) must be completed before moving to the next.

It is widely established and historically one of the first software development methodologies.

Used in large-scale enterprise projects where detailed planning and structured execution are required.

Why Other Options Are Incorrect:

Option B (PRINCE2 - Projects in Controlled Environments):

Incorrect because PRINCE2 is a project management framework, not a systems development methodology.

Option C (ITIL - Information Technology Infrastructure Library):

Incorrect because ITIL is a set of IT service management (ITSM) best practices, not a software development methodology.

Option D (COBIT - Control Objectives for Information and Related Technologies):

Incorrect because COBIT is a governance framework for IT management and controls, not a development methodology.

IIA GTAG – "Auditing IT Projects and Systems Development": Highlights Waterfall as a traditional systems development methodology.

IIA’s Global Technology Audit Guide on IT Risks: Discusses software development lifecycle risks, including Waterfall methodology.

COBIT Framework – BAI03 (Manage Solutions Identification and Build): References structured methodologies like Waterfall in IT governance.

IIA References:

The described situation is a classic social engineering attack, specifically a phishing or CEO fraud (business email compromise) attempt. Social engineering exploits human psychology rather than technical vulnerabilities. In this case, the attacker attempted to impersonate the CEO and trick the board member into making an unauthorized payment.

(A) Incorrect – A risk of spyware and malware.

Spyware and malware typically involve malicious software installed on a device, which is not the case here.

This attack relied on deception rather than malware to obtain unauthorized funds.

(B) Incorrect – A risk of corporate espionage.

Corporate espionage involves unauthorized data theft, sabotage, or insider threats.

The attacker here attempted financial fraud, not intellectual property theft.

(C) Incorrect – A ransomware attack risk.

Ransomware encrypts files and demands payment for decryption.

There is no mention of system encryption or ransom demands in this case.

(D) Correct – A social engineering risk.

The attacker impersonated the CEO and used urgency to manipulate the board member into processing a fraudulent payment.

This technique is a business email compromise (BEC) scam, a well-known social engineering tactic.

IIA’s GTAG (Global Technology Audit Guide) – Cybersecurity Risks and Controls

Discusses social engineering and its impact on financial fraud.

NIST Cybersecurity Framework – Social Engineering Threats

Defines social engineering tactics, including email impersonation and phishing.

COBIT Framework – Information Security Governance

Recommends controls to mitigate social engineering risks, such as employee training and email authentication mechanisms.

Analysis of Answer Choices:IIA References and Internal Auditing Standards:

In a hierarchical audit structure, work is reviewed across multiple levels of management, resulting in higher costs because highly skilled and experienced auditors are required for supervisory roles. This increases the cost base compared to a flat structure.

Option A exaggerates benefits of a flat structure. Option B is incorrect because hierarchical structures require more—not less—supervision. Option C is misleading because flat structures typically limit growth opportunities due to fewer layers of promotion.

A mechanistic organizational structure is a highly structured, hierarchical, and rigid system with well-defined roles, centralized authority, and formalized processes. It is best suited for stable environments where efficiency and control are priorities.

Highly centralized decision-making

Strict hierarchy and formalized job roles

Low flexibility and innovation

Heavy reliance on formal policies, procedures, and direct supervision

(A) Primary direction of communication tends to be lateral.

Incorrect: Mechanistic structures favor vertical communication (top-down or bottom-up), not lateral (horizontal) communication.

IIA Standard 2110 – Governance emphasizes clear roles and responsibilities, which are strictly followed in mechanistic structures.

(B) Definition of assigned tasks tends to be broad and general.

Incorrect: In a mechanistic structure, tasks are specific, well-defined, and specialized, unlike in an organic structure where roles are more flexible.

COSO ERM – Control Environment highlights well-defined roles in structured environments.

(C) Type of knowledge required tends to be broad and professional.

Incorrect: Mechanistic structures rely on specialized and technical knowledge, not broad, generalized knowledge.

(D) Reliance on self-control tends to be low. (Correct Answer)

Mechanistic structures depend on external control mechanisms like supervision, rules, and formal procedures.

Employees have little autonomy, and self-control is not a primary governance mechanism.

IIA Standard 2200 – Engagement Planning stresses the importance of structure in ensuring compliance, aligning with mechanistic principles.

IIA Standard 2110 – Governance: Defines structured governance mechanisms in hierarchical organizations.

COSO ERM – Control Environment: Emphasizes reliance on formal controls in rigid structures.

GTAG 1 – Information Technology Risks and Controls: Highlights the need for structured controls in mechanistic environments.

Characteristics of a Mechanistic Structure:Analysis of Each Option:IIA References Supporting the Answer:Thus, the correct answer is (D) because mechanistic organizations rely heavily on external controls rather than self-regulation.

The situation describes a scenario where a customer's personal information was shared with third parties without explicit consent, leading to unsolicited offers. This indicates a control weakness in data privacy and confidentiality, specifically the undue disclosure of information to external parties.

(A) Incorrect – Excessive collecting of information.

While collecting too much personal data can be a privacy concern, the issue here is not about data collection but how the data was shared.

(B) Incorrect – Application of social engineering.

Social engineering refers to deceptive tactics used to manipulate individuals into disclosing confidential information, which is not the case here.

(C) Incorrect – Retention of incomplete information.

The issue is not about missing or incomplete data but rather unauthorized sharing of data.

(D) Correct – Undue disclosure of information.

The retailer improperly shared the customer's personal data with other businesses, leading to unsolicited offers.

This represents a failure to comply with data privacy regulations (e.g., GDPR, CCPA).

IIA’s GTAG (Global Technology Audit Guide) – Data Privacy Risks and Controls

Highlights the risks associated with unauthorized data sharing.

NIST Cybersecurity Framework – Data Protection and Privacy

Emphasizes the importance of controlling access to customer information.

COSO’s ERM Framework – Information Governance and Compliance

Discusses the importance of data protection policies to prevent undue disclosure

Analysis of Answer Choices:IIA References and Internal Auditing Standards:

According to IIA guidance, if a nonconformance occurs, the CAE must evaluate its impact on the overall scope and operations of the internal audit activity. If the deficiency materially affects internal audit’s overall ability to fulfill its responsibilities, conformance cannot be claimed. If the impact is limited, conformance may still be declared with appropriate disclosure.

Options A and B assume automatic conformance without evaluation. Option C is incorrect because there is no concept of “partial conformance” under the Standards.

The IIA Standards require that significant governance, risk management, or control issues be communicated to senior management and the board, regardless of whether they arise from assurance or advisory engagements.

Option A is misleading, as it overstates the audit committee’s role. Option C is incorrect because responsibility for final communication lies with the CAE, not the supervisor. Option D is also incorrect since the audit committee does not approve every report; that responsibility rests with internal audit leadership.

Subjective factors are based on judgment or opinion, whereas objective factors rely on measurable data. The quality of staff supervision is a judgment-based assessment, making it subjective.

Options A, C, and D are measurable, quantitative factors and thus objective.

Internal audit methodologies are determined by the CAE and should be aligned with the IIA’s principles of confidentiality, integrity, objectivity, and competency. This ensures methodology design is consistent with professional standards.

Option A misstates the objective—methodologies are not for client validation. Option B is incorrect because methodologies are not required to be publicly posted. Option C mischaracterizes the objective: methodology ensures audit consistency, not execution of organizational strategy directly.

Biometric access controls use unique physical or behavioral characteristics for identification and security. Among the listed options, retinal print comparison is the most unique and secure, as it relies on the intricate patterns of blood vessels in the retina, which are nearly impossible to replicate or alter.

(A) Facial comparison using photo identification.

Incorrect: Facial recognition is widely used but less unique than retinal scanning because it can be affected by lighting, aging, or facial hair.

IIA GTAG 9 – Identity and Access Management mentions facial recognition as a medium-security method.

(B) Signature comparison.

Incorrect: Signatures can be forged or changed over time, making this a low-security biometric method.

(C) Voice comparison.

Incorrect: Voice patterns are unique but can be affected by illness, background noise, or recording quality, reducing reliability.

(D) Retinal print comparison. (Correct Answer)

Retinal patterns are highly unique, more than fingerprints, and do not change over time.

Difficult to forge, making it the most secure biometric authentication method.

IIA GTAG 9 – Identity and Access Management ranks retinal scanning among the highest security biometric controls.

IIA GTAG 9 – Identity and Access Management: Discusses biometric authentication and ranks retinal scanning as one of the most secure options.

IIA Standard 2120 – Risk Management: Emphasizes strong authentication controls for access security.

Analysis of Each Option:IIA References Supporting the Answer:Thus, the correct answer is (D) Retinal print comparison because it is the most unique, secure, and reliable biometric characteristic for authentication.

The equity method is used when an investor owns between 20% and 50% of another company’s stock, indicating significant influence over the investee. Since the investor organization is purchasing 40% of the stock, it qualifies for this method.

(A) Cost method.

Incorrect: The cost method is used when the investor has less than 20% ownership and no significant influence.

(B) Equity method. (Correct Answer)

The equity method is required when the investor has significant influence over the investee (typically between 20% and 50% ownership).

Under this method, the investor records a proportional share of the investee’s profits and losses in its financial statements.

IIA Standard 2330 – Documenting Information recommends accurate financial reporting and appropriate accounting method selection.

(C) Consolidation method.

Incorrect: The consolidation method is used when the investor owns more than 50% of the stock, granting control over the investee.

(D) Fair value method.

Incorrect: The fair value method applies when investments are traded in active markets and do not grant significant influence.

IIA Standard 2330 – Documenting Information: Requires appropriate classification of financial investments.

GAAP & IFRS Accounting Standards: Mandate the equity method for ownership between 20% and 50% with significant influence.

Analysis of Each Option:IIA References Supporting the Answer:Thus, the correct answer is (B) Equity method, as 40% ownership implies significant influence, requiring the use of this method.

The CAE should first discuss the risk and its implications with the responsible management. This provides management the opportunity to reassess, take corrective action, or explain their position. If the issue remains unresolved and the risk is still deemed excessive, then escalation to senior management or the board may follow.

Option A (designing response) is management’s role. Option C (scheduling an audit) may be relevant later, but immediate discussion is the first step. Option D is premature without first engaging management.