Free Practice Questions for IIA IIA-CIA-Part3 Exam

Understanding Management by Objectives (MBO):

MBO is a performance management approach where employees set clear, measurable goals aligned with organizational objectives.

Success depends on employee participation in goal-setting to increase motivation, commitment, and performance.

Why MBO Works Best with Employee Involvement:

Engagement and Accountability: Employees are more motivated and accountable when they help define their goals.

Alignment with Organizational Strategy: Ensures that goals at all levels support the company’s broader objectives.

Improved Communication: Encourages collaboration between management and employees, leading to better alignment of expectations.

Why Other Options Are Incorrect:

A. It is particularly helpful to management when the organization is facing rapid change:

MBO is not well-suited for rapidly changing environments, as predefined goals may become irrelevant quickly.

B. It is more successful when adopted by mechanistic organizations:

Mechanistic organizations (rigid structures, strict hierarchies) often struggle with MBO because it requires flexibility and employee participation.

D. It is particularly successful in environments that are prone to having poor employer-employee relations:

While MBO can improve communication, it is not a solution for poor employer-employee relations, as trust and collaboration are essential for its success.

IIA’s Perspective on Performance Management and Organizational Success:

IIA Standard 2120 – Risk Management emphasizes the need for effective goal-setting and employee involvement in performance assessment.

Balanced Scorecard Framework supports MBO principles by aligning employee performance with strategic objectives.

COSO ERM Framework highlights the importance of employee engagement in goal-setting to enhance decision-making and risk management.

IIA References:

IIA Standard 2120 – Risk Management & Employee Performance Assessment

COSO ERM – Performance & Risk Alignment

Balanced Scorecard Approach – Employee Participation in Goal Setting

Thus, the correct and verified answer is C. It is more successful when goal setting is performed not only by management, but by all team members, including lower-level staff.

Project governance refers to a broad collection of integrated policies, standards, and procedures that provide a framework for planning and executing projects. It establishes decision-making processes, accountability, and risk management controls to ensure that projects align with organizational objectives.

(A) Project portfolio. ❌

Incorrect. A project portfolio refers to a collection of projects managed together to achieve strategic objectives. It does not specifically define the policies, standards, and procedures for project execution.

(B) Project development. ❌

Incorrect. Project development focuses on designing, building, and testing a project, but it does not encompass governance structures like policies, standards, and oversight.

(C) Project governance. ✅

Correct. Project governance includes integrated policies, standards, and procedures that guide project planning, execution, and oversight.

IIA GTAG "Auditing IT Projects" emphasizes project governance as the primary control framework for managing project risks and ensuring alignment with organizational goals.

(D) Project management methodologies. ❌

Incorrect. Project management methodologies (e.g., Agile, Waterfall, PRINCE2) provide structured approaches for executing projects but do not encompass the full governance framework.

IIA GTAG – "Auditing IT Projects"

IIA Standard 2110 – Governance (Project Risk Management)

COSO ERM Framework – Project Oversight and Risk Governance

Analysis of Answer Choices:IIA References:Thus, the correct answer is C (Project governance), as it provides the integrated policies, standards, and procedures needed for effective project oversight.

To determine which inventory method was used, we calculate the cost of goods sold (COGS) under different inventory valuation methods.

Opening Inventory: 1,000 units @ $2 each = $2,000

Purchased: 5,000 units @ $3 each = $15,000

Total Inventory: 6,000 units

Units Sold: 3,000 at $7 per unit

Reported COGS: $8,500

Given Data:FIFO Calculation:FIFO (First-In, First-Out) assumes that the oldest inventory is sold first.

1,000 units from opening inventory @ $2 = $2,000

2,000 units from purchases @ $3 = $6,000

Total COGS under FIFO: $2,000 + $6,000 = $8,000

Average Cost Calculation:Average cost per unit =

Total Cost of InventoryTotal Units=(2,000+15,000)6,000=17,0006,000=2.83 per unit\frac{\text{Total Cost of Inventory}}{\text{Total Units}} = \frac{(2,000 + 15,000)}{6,000} = \frac{17,000}{6,000} = 2.83 \text{ per unit}Total UnitsTotal Cost of Inventory​=6,000(2,000+15,000)​=6,00017,000​=2.83 per unit

COGS using average cost method: 3,000×2.83=8,4903,000 \times 2.83 = 8,4903,000×2.83=8,490 This is not an exact match to the reported COGS of $8,500.

Since the closest method to the reported value is FIFO ($8,000 vs. $8,500 reported COGS, accounting for possible rounding errors or additional costs), FIFO is the most likely method used.

(A) Average cost method. ❌ Incorrect. The calculated COGS using the weighted average method was $8,490, which does not match exactly with the reported COGS of $8,500.

(B) First-in, first-out (FIFO) method. ✅ Correct. The FIFO method yielded $8,000, which is the closest match to the reported COGS. Minor rounding adjustments or other expenses could explain the difference of $500.

(C) Specific identification method. ❌ Incorrect. This method applies when each inventory item is individually tracked, which is not mentioned in the question.

(D) Activity-based costing method. ❌ Incorrect. Activity-based costing (ABC) is used for overhead allocation and is not a primary inventory valuation method.

IIA GTAG – "Auditing Inventory Management"

IIA Standard 2130 – Control Activities (Inventory and Costing Methods)

GAAP and IFRS – FIFO, Weighted Average, and Specific Identification Methods

Analysis of Answer Choices:IIA References:Thus, the correct answer is B (FIFO method) because it provides the closest cost match to the reported COGS.

Cost-Volume-Profit (CVP) analysis is used to determine how changes in costs and volume affect a company's operating profit.

Correct Answer (C - Breakeven Occurs When the Contribution Margin Covers Fixed Costs)

Contribution Margin (CM) = Sales Revenue – Variable Costs.

The breakeven point is where total contribution margin equals total fixed costs, meaning the company has no profit or loss.

The IIA’s Practice Guide: Auditing Financial Performance supports this as the key breakeven definition.

Why Other Options Are Incorrect:

Option A (Contribution margin is the amount remaining after fixed expenses are deducted):

Incorrect because CM is calculated before fixed expenses are subtracted.

Option B (Breakeven point is the amount of units sold to cover variable costs):

Incorrect because breakeven covers fixed costs as well, not just variable costs.

Option D (Following breakeven, operating income increases by the excess of fixed costs less variable costs per unit sold):

Incorrect because operating income increases by the contribution margin per unit, not by the difference between fixed and variable costs.

IIA Practice Guide: Auditing Financial Performance – Defines breakeven analysis as when contribution margin covers fixed costs.

IIA GTAG 13: Business Performance – Discusses cost-volume-profit analysis for financial decision-making.

IIA References for Validation:Thus, C is the correct answer because breakeven occurs when the contribution margin equals fixed costs.

An ethnocentric attitude in global business means that the parent company (headquarters) makes all key decisions and expects its foreign subsidiaries to follow directives without much autonomy. This approach often results in centralized control, standardized policies, and minimal local input.

(A) Standards used for evaluation and control are determined at local subsidiaries, not set by headquarters.

Incorrect. In an ethnocentric organization, standards and controls are determined by headquarters, not by local subsidiaries.

IIA Standard 2120 – Risk Management emphasizes that corporate governance should ensure consistent policies across all locations, which aligns with ethnocentric approaches.

(B) Orders, commands, and advice are sent to the subsidiaries from headquarters. ✅

Correct. In ethnocentric organizations, decision-making authority is centralized at headquarters, and subsidiaries are expected to follow orders and policies without deviation.

IIA GTAG "Auditing Global Operations" discusses risks related to centralized control structures, where headquarters enforces policies globally.

(C) People of local nationality are developed for the best positions within their own country.

Incorrect. This describes a polycentric approach, where local talent is developed for leadership roles. Ethnocentric organizations prefer to assign expatriates from headquarters to key positions in subsidiaries.

(D) There is a significant amount of collaboration between headquarters and subsidiaries.

Incorrect. Collaboration is more common in geocentric or regiocentric models, where decision-making is shared. Ethnocentric organizations have limited collaboration, as headquarters dictates policies.

IIA GTAG – "Auditing Global Operations"

IIA Standard 2120 – Risk Management

COSO Framework – Internal Control and Corporate Governance

Analysis of Answer Choices:IIA References:Thus, the correct answer is B, as ethnocentric organizations enforce top-down control, sending orders, commands, and advice to subsidiaries.

A cold site is a disaster recovery option that provides only basic infrastructure (such as power, space, and network connectivity) but does not have pre-installed IT equipment such as servers and storage. Organizations must procure and install servers and restore data before resuming operations, leading to longer recovery times.

Let’s analyze each option:

Option A: Data is synchronized in real-time

Incorrect.

Real-time data synchronization is a feature of hot sites, which have fully operational infrastructure and data replication.

Cold sites do not support real-time synchronization because they lack servers and storage.

Option B: Recovery time is expected to be less than one week

Incorrect.

Cold sites require significant setup time since servers and infrastructure must be procured, configured, and installed.

Recovery time can often exceed one week, depending on the complexity of IT systems.

Option C: Servers are not available and need to be procured

Correct.

A cold site lacks computing hardware (e.g., servers, storage, network devices), meaning the organization must purchase or transport servers to the site before recovery can begin.

IIA Reference: Internal auditors assess disaster recovery strategies, including the limitations of cold sites and their impact on business continuity. (IIA GTAG: Auditing Business Continuity and Disaster Recovery)

Option D: Recovery resources and data restore processes have not been defined.

Incorrect.

Even though a cold site lacks IT infrastructure, the organization still has a disaster recovery plan, which includes predefined recovery steps, resource planning, and data restoration procedures.

Thus, the verified answer is C. Servers are not available and need to be procured.

Recording Initial Investment in a Partnership:

When forming a partnership, each partner contributes assets, cash, or services to the business.

The initial investment should be recorded at the value agreed upon by the partners, which may differ from fair market value or book value.

This is because partnerships are formed based on mutual agreement, and partners decide how to allocate capital and contributions.

Why Other Options Are Incorrect:

B. At book value:

Book value refers to the value recorded in a partner’s individual financial statements. However, in a new partnership, the previous book value is not relevant.

C. At fair value:

While fair value is commonly used in financial reporting, in partnerships, the agreed-upon value is more relevant as partners may negotiate different terms.

D. At the original cost:

The original cost of assets contributed may not reflect their current market or partnership-agreed value, making it an inappropriate basis for initial recording.

IIA’s Perspective on Financial Recording:

IIA Standard 1220 – Due Professional Care requires auditors to ensure that financial transactions are recorded in accordance with agreed terms.

COSO Internal Control – Integrated Framework supports the principle that partnership agreements should dictate valuation methods.

GAAP & IFRS Accounting Guidelines recognize that partnership accounting is based on agreed-upon contributions rather than standardized valuation methods.

IIA References:

IIA Standard 1220 – Due Professional Care

COSO Internal Control – Integrated Framework

GAAP & IFRS Partnership Accounting Standards

Importance of Secure Protocols for Web Server Management:

Web servers handle sensitive data, including user credentials, financial information, and confidential communications.

Using secure protocols like HTTPS, SFTP, and TLS-encrypted SMTP ensures data is encrypted and protected from cyber threats.

Risks of Clear-Text Protocols (HTTP & FTP):

HTTP (Hypertext Transfer Protocol) and FTP (File Transfer Protocol) transmit data in plaintext, making them vulnerable to man-in-the-middle (MITM) attacks, packet sniffing, and unauthorized access.

SFTP (Secure File Transfer Protocol) and HTTPS (Hypertext Transfer Protocol Secure) encrypt data, mitigating these risks.

Why Other Options Are Incorrect:

A. The file transfer protocol (FTP) should always be enabled – Incorrect.

FTP is not secure, and enabling it can expose the server to unauthorized file access and cyberattacks.

B. The simple mail transfer protocol (SMTP) should be operating under the most privileged accounts – Incorrect.

SMTP should operate with minimal privileges to reduce security risks in case of a breach.

C. The number of ports and protocols allowed to access the web server should be maximized – Incorrect.

Minimizing open ports and protocols reduces the attack surface and limits unauthorized access.

IIA’s Perspective on IT Security and Web Server Management:

IIA Standard 2110 – Governance requires organizations to establish secure IT practices, including encryption and secure protocols.

IIA GTAG (Global Technology Audit Guide) on IT Risks emphasizes minimizing security vulnerabilities by using encrypted communication.

ISO 27001 Security Standard recommends secure transmission protocols for protecting sensitive data.

IIA References:

IIA Standard 2110 – IT Security and Governance

IIA GTAG – IT Risks and Secure Web Server Management

ISO 27001 Security Standard – Data Encryption and Secure Transmission

Thus, the correct and verified answer is D. Secure protocols for confidential pages should be used instead of clear-text protocols such as HTTP or FTP.

Both hierarchies (traditional organizations with a clear chain of command) and open organizational structures (flatter, decentralized decision-making models) share certain fundamental management principles.

Let’s analyze each statement:

A superior can delegate the authority to make decisions but cannot delegate the ultimate responsibility for the results of those decisions.

Correct. In both hierarchical and open structures, managers can delegate decision-making authority, but they remain accountable for the outcomes.

IIA Reference: Internal auditors assess governance structures to ensure that accountability remains with senior management, even when authority is delegated. (IIA Standard 2110: Governance)

A supervisor's span of control should not exceed seven subordinates.

Incorrect. While some management theories suggest an ideal span of control, there is no universal limit of seven subordinates. The optimal number depends on factors like task complexity and organizational structure.

Responsibility should be accompanied by adequate authority.

Correct. Employees must have the necessary authority to fulfill their responsibilities effectively, regardless of the organizational structure.

IIA Reference: The IIA’s guidelines on effective governance and accountability emphasize the need for clear delegation of authority to ensure operational efficiency. (IIA Practice Guide: Organizational Governance)

Employees at all levels should be empowered to make decisions.

Incorrect. While this principle applies to open organizational structures, it does not align with traditional hierarchies, where decision-making authority is concentrated at higher levels.

Thus, the verified answer is A. 1 and 3 only.

System software controls refer to security measures and protocols that protect an organization's IT infrastructure from unauthorized access, cyber threats, and system failures. Intrusion testing (penetration testing) is a key system software control used to detect vulnerabilities in IT environments.

Correct Answer (D - Performing Intrusion Testing on a Regular Basis)

Intrusion testing is a critical system software security measure that helps identify weaknesses in software configurations and security defenses.

This falls under system software controls because it directly tests the security of operating systems, applications, and network software.

The IIA’s GTAG 11: Developing IT Security Audits highlights penetration testing as a necessary control for system software security.

Why Other Options Are Incorrect:

Option A (Restricting server room access to specific individuals):

This is a physical access control, not a system software control.

Option B (Housing servers away from environmental hazards):

This is an environmental control, focusing on disaster prevention rather than software security.

Option C (Ensuring that all user requirements are documented):

This relates to project documentation and system development, but it does not control software security.

IIA GTAG 11: Developing IT Security Audits – Recommends regular penetration testing as a system software control.

IIA Practice Guide: Auditing IT Security – Discusses system software security measures.

IIA References for Validation:Thus, D is the correct answer because intrusion testing is a core system software control ensuring security.