Free Practice Questions for IIA IIA-CIA-Part3 Exam

Understanding the Accounting for Office Supplies:

The organization maintains an account for office supplies on hand, which represents unused office supplies at any given time.

The expense recorded during the year represents the cost of office supplies purchased.

At year-end, the adjusting entry is made to reflect the actual amount of supplies on hand and adjust the supplies expense accordingly.

Formula to Determine the Supplies Used:

Supplies Used=Beginning Balance+Purchases−Ending Balance\text{Supplies Used} = \text{Beginning Balance} + \text{Purchases} - \text{Ending Balance}Supplies Used=Beginning Balance+Purchases−Ending Balance

Plugging in the given values:

Supplies Used=9,000+45,000−11,500=42,500\text{Supplies Used} = 9,000 + 45,000 - 11,500 = 42,500Supplies Used=9,000+45,000−11,500=42,500

This amount ($42,500) represents the actual office supplies used and should be recorded as an expense.

The adjusting entry would include:

A debit to Office Supplies on Hand for $42,500

A credit to Office Supplies Expense for $42,500

Why Other Options Are Incorrect:

A. A debit to office supplies on hand for $2,500 – Incorrect, as this figure does not represent supplies used or purchased.

B. A debit to office supplies on hand for $11,500 – Incorrect, as this is the ending balance and not the adjustment amount.

C. A debit to office supplies on hand for $20,500 – Incorrect, as this does not align with the formula for calculating used supplies.

IIA’s Perspective on Financial Reporting and Adjusting Entries:

IIA Standard 1220 – Due Professional Care emphasizes accurate financial reporting and proper adjustments for year-end entries.

GAAP Accounting Principles require accrual-based adjustments to ensure that expenses are recognized in the period they are incurred.

COSO Internal Control Framework supports proper inventory and expense adjustments to avoid misstated financials.

IIA References:

IIA Standard 1220 – Due Professional Care (Financial Reporting Accuracy)

GAAP Accounting Standards – Adjusting Entries for Supplies and Inventory

COSO Internal Control – Accurate Expense Recognition

Thus, the correct and verified answer is D. A debit to office supplies on hand for $42,500.

Comprehensive and Detailed In-Depth Explanation:

Big data is commonly characterized by the "Three Vs":

Volume: The vast amount of data generated and collected.

Velocity: The speed at which new data is generated and the pace at which data moves.

Variety: The diverse types and sources of data, including structured, semi-structured, and unstructured formats.

These characteristics highlight the challenges and considerations in managing and analyzing big data. Options A, C, and D list attributes that, while relevant in certain contexts, do not encapsulate the core defining features of big data as effectively as option B.

When implementing big data systems, organizations must establish ongoing production monitoring to ensure system performance, efficiency, and reliability.

Why Option A (Key performance indicators) is Correct:

KPIs (Key Performance Indicators) measure the effectiveness and success of big data systems.

KPIs help track system efficiency, data processing speed, accuracy, and resource utilization during production.

Examples of KPIs in big data systems include data ingestion rate, processing time, query performance, system uptime, and error rates.

Why Other Options Are Incorrect:

Option B (Reports of software customization):

Incorrect because software customization reports document system modifications but do not monitor system performance.

Option C (Change and patch management):

Incorrect because change and patch management deals with software updates and security fixes, not ongoing performance monitoring.

Option D (Master data management):

Incorrect because master data management focuses on data governance and consistency, not real-time system performance.

IIA GTAG – "Auditing Big Data Systems": Recommends using KPIs to measure the effectiveness of big data implementation.

COBIT 2019 – APO08 (Manage Performance and Capacity): Emphasizes KPI tracking for IT and data system performance.

NIST Big Data Framework: Highlights the importance of KPIs for monitoring big data system performance.

IIA References:

Reliance on external auditors’ work is possible if the CAE has sufficient access to review their programs and workpapers to evaluate the scope, quality, and results. This ensures internal audit can confirm the appropriateness of relying on their work.

Option B is not required—external and internal audit can use different methodologies. Options C and D represent governance involvement but do not substitute for CAE’s independent evaluation of audit work.

According to the International Standards for the Professional Practice of Internal Auditing, when significant risk exposures remain unaddressed after a follow-up engagement, the CAE must first discuss the matter with the appropriate level of management responsible for the area. The purpose is to determine whether there is a valid reason for not implementing the recommended corrective actions, to clarify management’s perspective, and to encourage timely resolution.

If management still refuses to act and the risk remains high, the CAE must then escalate the issue to senior management and, if necessary, to the board. Immediate escalation to the board without first discussing with management is inappropriate, as it bypasses the chain of accountability. Reporting directly to external auditors is also not the responsibility of the CAE unless specifically mandated by regulation or law.

Therefore, the correct initial step is to discuss the issue with management responsible for the risk area (Option B).

Even when outsourcing the internal audit function, the organization retains responsibility for ensuring the internal audit activity complies with the Standards. This includes maintaining a QAIP to assess effectiveness and quality. The provider executes the function, but the CAE and the organization’s oversight bodies remain accountable for quality.

Options B and C are incorrect since internal and external assessments may be performed by the provider, but ultimate responsibility rests with the organization. Option D (postponement) would violate the Standards.

When implementing Mobile Device Management (MDM) software, organizations must balance security and employee privacy. Since MDM allows remote wiping of data, it is essential to ensure that personal data remains protected and is not accessible or deleted by administrators.

(A) That those employees who do not consent to MDM software cannot have an email account:

While organizations may require MDM for security, they should offer alternative access methods (e.g., web-based email) to avoid strict enforcement that could impact employee productivity.

Denying access entirely may violate employment agreements or privacy laws in certain jurisdictions.

(B) That personal data on the device cannot be accessed and deleted by system administrators (Correct Answer):

The organization should ensure that MDM software does not intrude on personal data such as photos, messages, and private applications.

Best practice is to configure MDM to only manage corporate data and applications, ensuring that personal files remain untouched.

This aligns with privacy laws such as GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act).

(C) That monitoring of employees' online activities is conducted in a covert way to avoid upsetting them:

Ethical and legal standards require transparency when monitoring employees.

Covert monitoring is generally illegal under privacy laws like GDPR and the U.S. Electronic Communications Privacy Act (ECPA).

(D) That employee consent includes appropriate waivers regarding potential breaches to their privacy:

While obtaining consent is important, organizations cannot force employees to waive their legal privacy rights.

Consent alone does not justify unrestricted access to personal data.

IIA GTAG 17: Auditing IT Security – Recommends safeguarding personal and corporate data in BYOD (Bring Your Own Device) policies.

COBIT Framework – DSS05 (Manage Security Services) – Advises organizations to define policies that protect corporate assets without violating employee privacy.

ISO/IEC 27001: Information Security Management System – Requires organizations to implement security controls without infringing on employee rights.

Analysis of Each Option:IIA References:Conclusion:Since personal data privacy must be preserved, option (B) is the correct answer.

Data governance refers to the policies, processes, and controls an organization implements to ensure data integrity, security, and compliance. When an organization has a weak data governance culture, the most compromised attribute of data is "veracity," which refers to the accuracy, reliability, and trustworthiness of data.

Why Option D (Veracity) is Correct:

Weak data governance leads to poor data quality, inconsistencies, and errors, reducing data veracity (trustworthiness and accuracy).

Without strong governance, data may be incomplete, outdated, or manipulated, leading to flawed decision-making.

Data veracity is critical for risk management, internal audit, and regulatory compliance, as unreliable data can lead to financial misstatements and operational risks.

Why Other Options Are Incorrect:

Option A (Variety):

Variety refers to different types and sources of data (structured, unstructured, semi-structured).

A weak data governance culture does not necessarily affect the diversity of data sources.

Option B (Velocity):

Velocity refers to the speed at which data is generated, processed, and analyzed.

Weak governance impacts data quality more than processing speed.

Option C (Volume):

Volume refers to the quantity of data being processed and stored.

Weak data governance might lead to data duplication or loss but does not directly impact data volume.

IIA GTAG – "Auditing Data Governance": Emphasizes the importance of data veracity in decision-making.

COSO Internal Control Framework: Highlights the role of data integrity in financial and operational controls.

IIA’s Global Technology Audit Guide on Data Analytics: Discusses the risks of poor data governance affecting veracity.

IIA References:

Comprehensive and Detailed Step-by-Step Explanation with all IIA References:

Understanding the Concern:

Internal auditors must assess risks when using free software for data analysis, particularly regarding data security, confidentiality, and integrity.

When analyzing third-party vendor data, the primary risk is data compromise, unauthorized access, or data loss due to inadequate security controls in free software.

Why Data Security is the Biggest Concern:

Free software often lacks robust security measures, making sensitive vendor data susceptible to breaches, cyberattacks, or loss.

Ensuring compliance with data protection regulations (e.g., GDPR, CCPA) and contractual obligations with third-party vendors is critical.

Why Other Options Are Incorrect:

A. The ability to use the software with ease → While usability is important, security risks outweigh ease of use in an internal audit context.

B. The ability to purchase upgraded features → Upgrades may improve analysis capabilities but do not address security concerns.

D. The ability to download the software → Installing software is a technical issue, not a major audit concern compared to security.

IIA Standards and References:

IIA Standard 2110 – Governance: Internal auditors should ensure data security risks are addressed in technology use.

IIA Standard 2120 – Risk Management: Auditors must evaluate the organization’s ability to safeguard data.

IIA GTAG (Global Technology Audit Guide) on Data Analytics (2017): Recommends ensuring security of third-party data when using analytical tools.

Thus, the correct answer is C: The ability to ensure that big data entered into the software is secure from potential compromises or loss.

Comprehensive and Detailed Step-by-Step Explanation with all IIA References: =

Understanding the Impact of an Understated Ending Inventory:

Ending inventory is a key component of the cost of goods sold (COGS) calculation: COGS=BeginningInventory+Purchases−EndingInventoryCOGS = Beginning Inventory + Purchases - Ending InventoryCOGS=BeginningInventory+Purchases−EndingInventory

If the ending inventory is understated, it means the reported inventory is lower than its actual value.

This results in an overstated COGS because a smaller amount is subtracted in the formula above.

An overstated COGS leads to an understated net income in the current year.

Effect on the Following Year’s Income Statement:

The beginning inventory for the next year is based on the ending inventory of the previous year.

Since the prior year's ending inventory was understated, the new year's beginning inventory is also understated.

A lower beginning inventory leads to a lower COGS in the new year.

Since COGS is lower, net income in the following year will be overstated.

IIA’s Perspective on Financial Reporting Errors:

The IIA’s International Standards for the Professional Practice of Internal Auditing (IPPF) emphasize the importance of accurate financial reporting.

IIA Standard 1220 – Due Professional Care requires internal auditors to consider the probability of errors, fraud, or misstatements in financial reporting.

COSO’s Internal Control – Integrated Framework highlights that inventory valuation errors can impact financial integrity and decision-making.

GAAP & IFRS Accounting Standards also require proper inventory reporting to ensure accurate financial statements.

IIA References:

IPPF Standard 1220 – Due Professional Care

COSO Internal Control – Integrated Framework

GAAP & IFRS Accounting Principles on Inventory Valuation

Thus, the correct and verified answer is C. Net income would be overstated.

When conducting a cybersecurity risk assessment, an internal auditor must evaluate the most significant threats based on their potential impact on the organization. In the pharmaceutical industry, intellectual property (IP), such as research and development (R&D) data, is one of the most valuable and sensitive assets.

(A) Cybercriminals hacking into the organization's time and expense system to collect employee personal data:While the loss of employee personal data is a serious concern due to privacy and regulatory implications (e.g., GDPR, CCPA), it does not pose as critical a threat as the loss of proprietary pharmaceutical research.

(B) Hackers breaching the organization's network to access research and development reports (Correct Answer):R&D reports contain proprietary drug formulas, clinical trial results, and patent-pending innovations, making them highly valuable to competitors and cybercriminals. A breach could lead to intellectual property theft, financial losses, loss of competitive advantage, and regulatory non-compliance (e.g., FDA, EMA requirements). This is considered the most significant threat because:

It could result in billions of dollars in lost revenue.

Competitors or state-sponsored hackers could exploit stolen research.

It could disrupt drug development and approval processes.

(C) A denial-of-service (DoS) attack that prevents access to the organization's website:While DoS attacks can damage an organization's reputation and disrupt operations, they generally do not cause the same level of financial or strategic harm as the loss of critical R&D data. Most organizations have cybersecurity measures (e.g., load balancers, CDNs) to mitigate DoS risks.

(D) A hacker accessing the financial information of the company:Unauthorized access to financial data can be serious, leading to fraud or reputational damage. However, publicly traded companies already disclose much of their financial data, and financial breaches typically have a lower long-term impact compared to intellectual property theft.

IIA Global Technology Audit Guide (GTAG) 15: Information Security Governance: Recommends that internal auditors prioritize risks that impact strategic assets, such as intellectual property.

IIA Standard 2120 - Risk Management: Requires internal auditors to evaluate the organization’s risk management processes, emphasizing risks with significant financial and operational consequences.

IIA Practice Advisory 2110-2: Assessing the Adequacy of Risk Management Processes: Highlights that internal auditors must identify risks that could threaten the organization’s long-term objectives, such as IP theft.

COSO ERM Framework: Encourages prioritization of risks that have high impact on an organization’s value and strategic objectives, such as cyber threats to proprietary research.

Analysis of Each Option:IIA References:Conclusion:Given the pharmaceutical industry's reliance on proprietary R&D, a breach compromising research reports represents the most significant cyber threat. Therefore, option (B) is the correct answer.

The net profit margin is calculated as:

Net Profit Margin=Net ProfitTotal Sales×100\text{Net Profit Margin} = \frac{\text{Net Profit}}{\text{Total Sales}} \times 100Net Profit Margin=Total SalesNet Profit​×100

The given data shows:

Gross profit margin (Revenue – Cost of Goods Sold) remained constant at 40% in both years.

Net profit margin declined from 18% in Year 1 to 13% in Year 2.

Since the gross profit margin remained unchanged, the cost of sales did not increase relative to sales. This eliminates Option A as a possible cause.

A decline in net profit margin while gross profit remains the same suggests an increase in operating expenses, interest, or taxes.

If the government increased the corporate tax rate, net income after taxes would be lower, leading to a reduced net profit margin.

The IIA’s GTAG 14 – Auditing Governance, Risk, and Compliance recommends analyzing external factors like tax rate changes when evaluating financial performance.

A. Cost of sales increased relative to sales → Incorrect. If this were true, gross profit margin would have declined, but it remained stable.

B. Total sales increased relative to expenses → Incorrect. If sales increased while expenses stayed constant, net profit margin would have increased, not decreased.

C. The organization had a higher dividend payout rate in year two → Incorrect. Dividends do not affect net profit margin, as they are paid out from net income after it is calculated.

IIA Standard 2120 – Risk Management states that auditors should analyze changes in financial performance due to external economic factors.

COSO ERM Framework highlights tax rate changes as a key risk factor in financial analysis.

IFRS (International Financial Reporting Standards) require companies to disclose changes in tax rates and their impact on profitability.

Why Option D is Correct?Explanation of the Other Options:IIA References & Best Practices:Thus, the correct answer is D. The government increased the corporate tax rate.

Understanding the Three Lines of Defense Model:

First Line of Defense (Operational Management): Performs daily IT security tasks, such as blocking unauthorized traffic and encrypting data.

Second Line of Defense (Risk Management & Compliance): Monitors and reviews security controls, including disaster recovery testing and risk management activities.

Third Line of Defense (Internal Audit): Provides an independent assessment of IT security controls.

Why Option C (Review Disaster Recovery Test Results) Is Correct?

The second line of defense is responsible for monitoring and evaluating IT risk management processes, including disaster recovery and business continuity planning.

Reviewing disaster recovery test results ensures that the organization is prepared for IT disruptions and meets compliance requirements.

IIA Standard 2110 – Governance requires auditors to evaluate whether IT risk management activities (such as disaster recovery) are being effectively monitored.

Why Other Options Are Incorrect?

Option A (Block unauthorized traffic):

This is a first-line defense task, typically handled by IT security teams (e.g., firewall and intrusion detection system monitoring).

Option B (Encrypt data):

Encryption is part of daily IT security operations and is handled by the first line of defense.

Option D (Provide an independent assessment of IT security):

Independent assessments are the responsibility of internal audit (third line of defense), not the second line.

The second line of defense focuses on monitoring IT risk, making disaster recovery test review a key responsibility.

IIA Standard 2110 and the Three Lines of Defense Model confirm this role.

Final Justification:IIA References:

IPPF Standard 2110 – Governance (IT Risk Management)

IIA Three Lines of Defense Model

COBIT Framework – IT Governance & Risk Management

Two-level (or multi-factor) authentication (MFA) is the most efficient and effective security control for authenticating customers when accessing online shopping accounts. It provides an extra layer of security beyond just passwords, making it more difficult for unauthorized users to gain access.

Stronger Authentication – It requires two independent verification methods, such as:

Something you know (password, PIN)

Something you have (one-time code, mobile device, smart card)

Something you are (biometric feature)

Reduces Risk of Credential Theft – Even if hackers obtain a user's password, they still need the second factor to gain access.

Meets Regulatory Standards – Many cybersecurity frameworks (NIST, ISO 27001, PCI-DSS) recommend or mandate MFA for customer authentication.

Enhanced Customer Trust – Provides users with better security, reducing risks of fraud or account takeovers.

A. 12-digit password feature – Longer passwords improve security, but they can still be compromised through phishing or brute force attacks.

B. Security question feature – These are often weak because users choose predictable answers (e.g., mother's maiden name).

C. Voice recognition feature – Biometric authentication is useful, but voice recognition can be bypassed using deepfake or recorded audio.

IIA’s GTAG (Global Technology Audit Guide) on Information Security Management – Recommends multi-factor authentication for access control.

IIA’s International Professional Practices Framework (IPPF) – Standard 2110.A2 – Highlights the need for strong security controls to protect customer data.

NIST SP 800-63 (Digital Identity Guidelines) – Encourages multi-factor authentication as a best practice for securing user accounts.

Why Two-Level Sign-On (MFA) Is the Best Choice?Why Not the Other Options?IIA References:✅ Final Answer: D. Two-level sign-on feature (Most effective for online customer authentication).

===============