Professional Documents
Culture Documents
IIA CIA Part3
IIA CIA Part3
IIA CIA Part3
*KIJGT 3 WCNKV [ $ GV V GT 5 GT X KE G
=KULLKXLXKK[VJGZKYKX\OIKLUXUTK_KGX
*VVRYYYVGUVRCUURQTVEQO
The safer , easier way to help you pass any IT exams.
Exam : IIA-CIA-Part3
Version : V14.02
1 / 69
The safer , easier way to help you pass any IT exams.
2.During her annual performance review, a sales manager admits that she experiences significant stress
due to her job but stays with the organization because of the high bonuses she earns.
Which of the following best describes her primary motivation to remain in the job?
A. Intrinsic reward.
B. Job enrichment
C. Extrinsic reward.
D. The hierarchy of needs.
Answer: C
3.With increased cybersecurity threats, which of the following should management consider to ensure
that there is strong security governance in place?
A. Inventory of information assets
B. Limited sharing of data files with external parties.
C. Vulnerability assessment
D. Clearly defined policies
Answer: C
6.Which of the following application controls is the most dependent on the password owner?
A. Password selection
B. Password aging
C. Password lockout
D. Password rotation
2 / 69
The safer , easier way to help you pass any IT exams.
Answer: A
8.Which of the following networks is suitable for an organization that has operations In multiple cities and
countries?
A. Wide area network.
B. Local area network
C. Metropolitan area network.
D. Storage area network.
Answer: A
10.While conducting an audit of the accounts payable department, an internal auditor found that 3% of
payments made during the period under review did not agree with the submitted invoices.
Which of the following key performance indicators (KPIs) for the department would best assist the
auditor in determining the significance of the test results?
A. A KPI that defines the process owner's tolerance for performance deviations.
B. A KPI that defines the importance of performance levels and disbursement statistics being measured.
C. A KPI that defines timeliness with regard to reporting disbursement data errors to authorized
personnel.
D. A KPI that defines operating ratio objectives of the disbursement process.
Answer: A
11.Which of the following IT professionals is responsible for providing maintenance to switches and
routers to keep IT systems running as intended?
A. Data center operations manager
B. Response and support team.
C. Database administrator,
D. Network administrator
Answer: D
12.Which of the following capital budgeting techniques considers the tune value of money?
3 / 69
The safer , easier way to help you pass any IT exams.
13.Which of the following best describes a potential benefit of using data analyses?
A. It easily aligns with existing internal audit competencies to reduce expenses
B. It provides a more holistic view of the audited area.
C. Its outcomes can be easily interpreted into audit: conclusions.
D. Its application increases internal auditors' adherence to the Standards
Answer: C
14.If an organization has a high amount of working capital compared to the industry average, which of
the following is most likely true?
A. Settlement of short-term obligations may become difficult.
B. Cash may be bed up in items not generating financial value.
C. Collection policies of the organization are ineffective.
D. The organization is efficient in using assets to generate revenue.
Answer: B
15.A small software development firm designs and produces custom applications for businesses. The
application development team consists of employees from multiple departments who all report to a single
project manager.
Which of the following organizational structures does this situation represent?
A. Functional departmentalization.
B. Product departmentalization
C. Matrix organization.
D. Divisional organization
Answer: C
16.Which of the following attributes of data are cybersecurity controls primarily designed to protect?
A. Veracity, velocity, and variety.
B. Integrity, availability, and confidentiality.
C. Accessibility, accuracy, and effectiveness.
D. Authorization, logical access, and physical access.
Answer: C
17.The management of working capital is most crucial for which of the following aspects of business?
A. Liquidity
B. Profitability
C. Solvency
D. Efficiency
Answer: A
4 / 69
The safer , easier way to help you pass any IT exams.
18.A organization finalized a contract in which a vendor is expected to design, procure, and construct a
power substation for $3,000,000. In this scenario, the organization agreed to which of the following types
of contracts?
A. A cost-reimbursable contract.
B. A lump-sum contract.
C. A time and material contract.
D. A bilateral contract.
Answer: B
19.Which of the following would be the strongest control to prevent unauthorized wireless network
access?
A. Allowing access to the organization's network only through a virtual private network.
B. Logging devices that access the network, including the date. time, and identity of the user.
C. Tracking all mobile device physical locations and banning access from non-designated areas.
D. Permitting only authorized IT personnel to have administrative control of mobile devices.
Answer: D
21.The head of the research arid development department at a manufacturing organization believes that
his team lacks expertise in some areas, and he decides to hire more experienced researchers to assist
in the development of a new product.
Which of the following variances are likely to occur as the result of this decision?
1. Favorable labor efficiency variance.
2. Adverse labor rate variance.
3. Adverse labor efficiency variance.
4. Favorable labor rate variance.
A. 1 and 2
B. 1 and 4
C. 3 and A
D. 2 and 3
Answer: A
5 / 69
The safer , easier way to help you pass any IT exams.
Answer: C
23.Which of the following should internal auditors be attentive of when reviewing personal data consent
and opt-in/opt-out management process?
A. Whether customers are asked to renew their consent for their data processing at least quarterly.
B. Whether private data is processed in accordance with the purpose for which the consent was
obtained?
C. Whether the organization has established explicit and entitywide policies on data transfer to third
parties.
D. Whether customers have an opportunity to opt-out the right to be forgotten from organizational
records and systems.
Answer: C
24.An analytical model determined that on Friday and Saturday nights the luxury brands stores should
be open for extended hours and with a doubled number of employees present; while on Mondays and
Tuesdays costs can be minimized by reducing the number of employees to a minimum and opening only
for evening hours.
Which of the following best categorizes the analytical model applied?
A. Descriptive.
B. Diagnostic.
C. Prescriptive.
D. Prolific.
Answer: C
26.Which of the following is a primary driver behind the creation and prloritteation of new strategic
Initiatives established by an organization?
A. Risk tolerance
B. Performance
C. Threats and opportunities
D. Governance
Answer: C
27.Management is designing its disaster recovery plan. In the event that there is significant damage to
the organization's IT systems this plan should enable the organization to resume operations at a
recovery site after some configuration and data restoration.
6 / 69
The safer , easier way to help you pass any IT exams.
Which of the following is the ideal solution for management in this scenario?
A. A warm recovery plan.
B. A cold recovery plan.
C. A hot recovery plan.
D. A manual work processes plan
Answer: B
28.Which of the following is the best example of a compliance risk that Is likely to arise when adopting a
bring-your-own-device (BYOD) policy?
A. The risk that users try to bypass controls and do not install required software updates.
B. The risk that smart devices can be lost or stolen due to their mobile nature..
C. The risk that an organization intrusively monitors personal Information stored on smart devices.
D. The risk that proprietary information is not deleted from the device when an employee leaves.
Answer: D
29.Which of the following is a result of Implementing on e-commerce system, which relies heavily on
electronic data interchange and electronic funds transfer, for purchasing and biting?
A. Higher cash flow and treasury balances.
B. Higher inventory balances
C. Higher accounts receivable.
D. Higher accounts payable
Answer: C
30.A multinational organization allows its employees to access work email via personal smart devices.
However, users are required to consent to the installation of mobile device management (MDM) software
that will remotely wipe data in case of theft or other incidents.
Which of the following should the organization ensure in exchange for the employees' consent?
A. That those employees who do not consent to MDM software cannot have an email account.
B. That personal data on the device cannot be accessed and deleted by system administrators.
C. That monitoring of employees' online activities is conducted in a covert way to avoid upsetting them.
D. That employee consent includes appropriate waivers regarding potential breaches to their privacy.
Answer: B
31.An internal auditor reviews a data population and calculates the mean, median, and range.
What is the most likely purpose of performing this analytic technique?
A. To inform the classification of the data population.
B. To determine the completeness and accuracy of the data.
C. To identify whether the population contains outliers.
D. To determine whether duplicates in the data inflate the range.
Answer: C
7 / 69
The safer , easier way to help you pass any IT exams.
B. An ABC costing system uses a single unit-level basis to allocate overhead costs to products.
C. An ABC costing system may be used with either a job order or a process cost accounting system.
D. The primary disadvantage of an ABC costing system is less accurate product costing.
Answer: C
33.When reviewing application controls using the four-level model, which of the following processes are
associated with level 4 of the business process method?
A. Activity
B. Subprocess
C. Major process
D. Mega process
Answer: A
34.Which of the following is an example of internal auditors applying data mining techniques for
exploratory purposes?
A. Internal auditors perform reconciliation procedures to support an external audit of financial reporting.
B. Internal auditors perform a systems-focused analysis to review relevant controls.
C. Internal auditors perform a risk assessment to identify potential audit subjects as input for the annual
internal audit plan
D. Internal auditors test IT general controls with regard to operating effectiveness versus design
Answer: C
35.An intruder posing as the organization's CEO sent an email and tricked payroll staff into providing
employees' private tax information.
What type of attack was perpetrated?
A. Boundary attack.
B. Spear phishing attack.
C. Brute force attack.
D. Spoofing attack.
Answer: B
36.Which of the following purchasing scenarios would gain the greatest benefit from implementing
electronic cate interchange?
A. A just-in-time purchasing environment
B. A Large volume of custom purchases
C. A variable volume sensitive to material cost
D. A currently inefficient purchasing process
Answer: A
37.According to lIA guidance on IT, which of the following plans would pair the identification of
critical business processes with recovery time objectives?
A. The business continuity management charter.
B. The business continuity risk assessment plan.
C. The business Impact analysis plan
8 / 69
The safer , easier way to help you pass any IT exams.
40.Which of the following situations best illustrates a "false positive" in the performance of a spam filter?
A. The spam filter removed Incoming communication that included certain keywords and domains.
B. The spam filter deleted commercial ads automatically, as they were recognized as unwanted.
C. The spam filter routed to the "junk|r folder a newsletter that appeared to include links to fake websites.
D. The spam filter blocked a fitness club gift card that coworkers sent to an employee for her birthday.
Answer: D
41.Which of the following would be the best method to collect information about employees' job
satisfaction?
A. Online surveys sent randomly to employees.
B. Direct onsite observations of employees.
C. Town hall meetings with employees.
D. Face-to-face interviews with employees.
Answer: D
42.Which of the following network types should an organization choose if it wants to allow access only to
its own personnel?
A. An extranet
B. A local area network
C. An Intranet
D. The internet
Answer: B
43.Which of the following should be established by management during implementation of big data
systems to enable ongoing production monitoring?
A. Key performance indicators.
9 / 69
The safer , easier way to help you pass any IT exams.
44.Which of the following controls would be most efficient to protect business data from corruption and
errors?
A. Controls to ensure data is unable to be accessed without authorization.
B. Controls to calculate batch totals to identify an error before approval.
C. Controls to encrypt the data so that corruption is likely ineffective.
D. Controls to quickly identify malicious intrusion attempts.
Answer: B
45.On the last day of the year, a total cost of S 150.000 was incurred in indirect labor related to one of
the key products an organization makes.
How should the expense be reported on that year's financial statements?
A. It should be reported as an administrative expense on the income statement.
B. It should be reported as period cost other than a product cost on the management accounts
C. It should be reported as cost of goods sold on the income statement.
D. It should be reported on the balance sheet as part of inventory.
Answer: C
47.Which of the following statements describes the typical benefit of using a flat organizational structure
for the internal audit activity, compared to a hierarchical structure?
A. A flat structure results in lower operating and support costs than a hierarchical structure.
B. A flat structure results in a stable and very collaborative environment.
C. A flat structure enables field auditors to report to and learn from senior auditors.
D. A flat structure is more dynamic and offers more opportunities for advancement than a hierarchical
structure.
Answer: A
48.An organization's board of directors is particularly focused on positioning, the organization as a leader
in the industry and beating the competition.
Which of the following strategies offers the greatest alignment with the board's focus?
10 / 69
The safer , easier way to help you pass any IT exams.
49.At what stage of project integration management would a project manager and project management
team typically coordinate the various technical and organizational interfaces that exist in the project?
A. Project plan development.
B. Project plan execution
C. Integrated change control.
D. Project quality planning
Answer: A
50.Internal auditors want to increase the likelihood of identifying very small control and transaction
anomalies in their testing that could potentially be exploited to cause material breaches.
Which of the following techniques would best meet this objective?
A. Analysis of the full population of existing data.
B. Verification of the completeness and integrity of existing data.
C. Continuous monitoring on a repetitive basis.
D. Analysis of the databases of partners, such as suppliers.
Answer: A
51.CORRECT TEXT
Which of the following is a project planning methodology that involves a complex series of required
simulations to provide information about schedule risk?
A. Monte Carlo Analysis.
B. Project Management Information System (PMIS).
C. Earned Value Management (EVM).
D. Integrated Project Plan
Answer: A
52.For which of the following scenarios would the most recent backup of the human resources database
be the best source of information to use?
A. An incorrect program fix was implemented just prior to the database backup.
B. The organization is preparing to train all employees on the new self-service benefits system.
C. There was a data center failure that requires restoring the system at the backup site.
D. There is a need to access prior year-end training reports for all employees in the human resources
database
Answer: C
53.Which of the following security controls would be me most effective in preventing security breaches?
A. Approval of identity request
B. Access logging.
11 / 69
The safer , easier way to help you pass any IT exams.
54.Which of the following biometric access controls uses the most unique human recognition
characteristic?
A. Facial comparison using photo identification.
B. Signature comparison.
C. Voice comparison.
D. Retinal print comparison.
Answer: D
55.A company produces water buckets with the following costs per bucket:
Direct labor = 82
Direct material = $5
Fixed manufacturing = 83.50
Variable manufacturing = 82.50
The water buckets are usually sold for $15. However, the company received a special order for 50.000
water buckets at 311 each.
Assuming there is adequate manufacturing capacity and ail other variables are constant, what is the
relevant cost per unit to consider when deciding whether to accept this special order at the reduced
price?
A. $9.50
B. $10.50
C. $11
D. $13
Answer: A
56.Which of the following financial statements provides the best disclosure of how a company's money
was used during a particular period?
A. Income statement.
B. Owner's equity statement.
C. Balance sheet.
D. Statement of cash flows.
Answer: D
57.Which of the following IT-related activities is most commonly performed by the second line of
defense?
A. Block unauthorized traffic.
B. Encrypt data.
C. Review disaster recovery test results.
D. Provide independent assessment of IT security.
Answer: C
12 / 69
The safer , easier way to help you pass any IT exams.
59.Which of the following should software auditors do when reporting internal audit findings related to
enterprisewide resource planning?
A. Draft separate audit reports for business and IT management.
B. Conned IT audit findings to business issues.
C. Include technical details to support IT issues.
D. Include an opinion on financial reporting accuracy and completeness.
Answer: B
61.Which of the following best describes a cyberattacK in which an organization faces a denial-of-service
threat created through malicious data encryption?
A. Phishing.
B. Ransomware.
C. Hacking.
D. Makvare
Answer: D
62.Which of the following is an indicator of liquidity that is more dependable than working capital?
A. Acid-test (quick) ratio
B. Average collection period
C. Current ratio.
D. Inventory turnover.
Answer: A
63.Which of the following statements is true concerning the basic accounting treatment of a partnership?
A. The initial investment of each partner should be recorded at book value.
B. The ownership ratio identifies the basis for dividing net income and net toss.
C. A partner's capital only changes due to net income or net loss.
D. The basis for sharing net incomes or net kisses must be fixed.
Answer: A
13 / 69
The safer , easier way to help you pass any IT exams.
64.Which of the following controls would enable management to receive timely feedback and help
mitigate unforeseen risks?
A. Measure product performance against an established standard.
B. Develop standard methods for performing established activities.
C. Require the grouping of activities under a single manager.
D. Assign each employee a reasonable workload.
Answer: D
66.With regard to project management, which of the following statements about project crashing Is true?
A. It leads to an increase in risk and often results in rework.
B. It is an optimization technique where activities are performed in parallel rather than sequentially.
C. It involves a revaluation of project requirements and/or scope.
D. It is a compression technique in which resources are added so the project.
Answer: D
67.Which of the following data security policies is most likely to be the result of a data privacy law?
A. Access to personally identifiable information is limited to those who need It to perform their job.
B. Confidential data must be backed up and recoverable within a 24-hour period.
C. Updates to systems containing sensitive data must be approved before being moved to production.
D. A record of employees with access to insider information must be maintained, and those employees
may not trade company stock during blackout periods
Answer: A
14 / 69
The safer , easier way to help you pass any IT exams.
72.A large retail customer made an offer to buy 10.000 units at a special price of $7 per unit. The
manufacturer usually sells each unit for §10, Variable Manufacturing costs are 55 per unit and fixed
manufacturing costs are $3 per unit.
For the manufacturer to accept the offer, which of the following assumptions needs to be true?
A. Fixed and Variable manufacturing costs are less than the special offer selling price.
B. The manufacturer can fulfill the order without expanding the capacities of the production facilities.
C. Costs related to accepting this offer can be absorbed through the sale of other products.
D. The manufacturer’s production facilities are currently operating at full capacity.
Answer: C
73.Which of the following authentication device credentials is the most difficult to revoke when an
employee s access rights need to be removed?
A. A traditional key lock
B. A biometric device
C. A card-key system
D. A proximity device
Answer: B
15 / 69
The safer , easier way to help you pass any IT exams.
76.Which of the following IT disaster recovery plans includes a remote site dessgnated for recovery with
available space for basic services, such as internet and telecommunications, but does not have servers
or infrastructure equipment?
A. Frozen site
B. Cold site
C. Warm site
D. Hot site
Answer: B
77.According to Maslow's hierarchy of needs theory, which of the following best describes a strategy
where a manager offers an assignment to a subordinate specifically to support his professional growth
and future advancement?
A. Esteem by colleagues.
B. Self-fulfillment
C. Series of belonging in the organization
D. Job security
Answer: B
78.When executive compensation is based on the organization's financial results, which of the following
situations is most likely to arise?
A. The organization reports inappropriate estimates and accruals due to poof accounting controls.
B. The organization uses an unreliable process forgathering and reporting executive compensation data.
C. The organization experiences increasing discontent of employees, if executives are eligible for
compensation amounts that are deemed unreasonable.
D. The organization encourages employee behavior that is inconsistent with the interests of relevant
stakeholders.
Answer: D
79.Which of the following would be a concern related to the authorization controls utilized for a system?
A. Users can only see certain screens in the system.
B. Users are making frequent password change requests.
C. Users Input Incorrect passwords and get denied system access
D. Users are all permitted uniform access to the system.
Answer: A
16 / 69
The safer , easier way to help you pass any IT exams.
81.Which of the following risks would Involve individuals attacking an oil company's IT system as a sign
of solidarity against drilling in a local area?
A. Tampering
B. Hacking
C. Phishing
D. Piracy
Answer: B
82.An organization with a stable rating, as assessed by International rating agencies, has issued a bond
not backed by assets or collateral. Payments of the interests and the principal to bondholders are
guaranteed by the organization.
Which type of bond did the organization issue?
A. A sinking fund bond.
B. A secured bond.
C. A junk bond.
D. A debenture bond
Answer: D
83.Which of the following controls would be the most effective in preventing the disclosure of an
organization's confidential electronic information?
A. Nondisclosure agreements between the firm and its employees.
B. Logs of user activity within the information system.
C. Two-factor authentication for access into the information system.
D. limited access so information, based on employee duties
Answer: D
84.Which of the following statements is true regarding the term "flexible budgets" as it is used in
accounting?
A. The term describes budgets that exclude fixed costs.
B. Flexible budgets exclude outcome projections, which are hard to determine, and instead rely on the
most recent actual outcomes.
C. The term is a red flag for weak budgetary control activities.
D. Flexible budgets project data for different levels of activity.
Answer: D
85.Which of the following types of date analytics would be used by a hospital to determine which patients
are likely to require remittance for additional treatment?
17 / 69
The safer , easier way to help you pass any IT exams.
A. Predictive analytics.
B. Prescriptive analytics.
C. Descriptive analytics.
D. Diagnostic analytics.
Answer: A
86.Which of the following represents a basis for consolidation under the International Financial Reporting
Standards?
A. Variable entity approach.
B. Control ownership.
C. Risk and reward.
D. Voting interest.
Answer: D
87.A financial institution receives frequent and varied email requests from customers for funds to be
wired out of their accounts.
Which verification activity would best help the institution avoid falling victim to phishing?
A. Reviewing the customer's wire activity to determine whether the request is typical.
B. Calling the customer at the phone number on record to validate the request.
C. Replying to the customer via email to validate the sender and request.
D. Reviewing the customer record to verify whether the customer has authorized wire requests from that
email address.
Answer: B
88.A chief audit executive wants to implement an enterprisewide resource planning software.
Which of the following internal audit assessments could provide overall assurance on the likelihood of
the software implementation's success?
A. Readiness assessment.
B. Project risk assessment.
C. Post-implementation review.
D. Key phase review.
Answer: C
90.Which of the following statements. Is most accurate concerning the management and audit of a web
18 / 69
The safer , easier way to help you pass any IT exams.
server?
A. The file transfer protocol (FTP) should always be enabled.
B. The simple mail transfer protocol (SMTP) should be operating under the most privileged accounts.
C. The number of ports and protocols allowed to access the web server should be maximized.
D. Secure protocols for confidential pages should be used instead of dear-text protocols such as HTTP
or FTP.
Answer: D
91.Which of the following disaster recovery plans includes recovery resources available at the site, but
they may need to be configured to support the production system?
A. Warm site recovery plan.
B. Hot site recovery plan.
C. Cool site recovery plan.
D. Cold site recovery plan.
Answer: A
92.Which of the following describes the most appropriate set of tests for auditing a workstation's logical
access controls?
A. Review the list of people with access badges to the room containing the workstation and a log of
those who accessed the room.
B. Review the password length, frequency of change, and list of users for the workstation's login
process.
C. Review the list of people who attempted to access the workstation and failed, as well as error
messages.
D. Review the passwords of those who attempted unsuccessfully to access the workstation and the log
of their activity
Answer: B
93.In an effort to increase business efficiencies and improve customer service offered to its major trading
partners, management of a manufacturing and distribution company established a secure network, which
provides a secure channel for electronic data interchange between the company and its partners.
Which of the following network types is illustrated by this scenario?
A. A value-added network.
B. A local area network.
C. A metropolitan area network.
D. A wide area network.
Answer: A
94.An internal auditor is assessing the risks related to an organization's mobile device policy. She notes
that the organization allows third parties (vendors and visitors) to use outside smart devices to access its
proprietary networks and systems.
Which of the following types of smart device risks should the internal Auditor be most concerned about?
A. Compliance.
B. Privacy
19 / 69
The safer , easier way to help you pass any IT exams.
C. Strategic
D. Physical security
Answer: A
96.Which of the following backup methodologies would be most efficient in backing up a database in the
production environment?
A. Disk mirroring of the data being stored on the database.
B. A differential backup that is performed on a weekly basis.
C. An array of independent disks used to back up the database.
D. An incremental backup of the database on a daily basis.
Answer: D
98.In an organization that produces chocolate, the leadership team decides that the organization will
open a milk production facility for its milk chocolate.
Which of the following strategies have the organization chosen?
A. Vertical integration.
B. Unrelated diversification.
C. Differentiation
D. Focus
Answer: C
99.An organization with global headquarters in the United States has subsidiaries in eight other nations.
If the organization operates with an ethnocentric attitude, which of the following statements is true?
A. Standards used for evaluation and control are determined at local subsidiaries, not set by
headquarters.
B. Orders, commands, and advice are sent to the subsidiaries from headquarters.
C. Poop o of local nationality are developed for the best positions within their own country.
D. There is a significant amount of collaboration between headquarters and subs diaries.
20 / 69
The safer , easier way to help you pass any IT exams.
Answer: B
100.An internal auditor was assigned to test for ghost employees using data analytics. The auditor
extracted employee data from human resources and payroll. Using spreadsheet functions, the auditor
matched data sets by name and assumed that employees who were not present in each data set should
be investigated further. However, the results seemed erroneous, as very few employees matched across
all data sets.
Which of the following data analytics steps has the auditor most likely omitted?
A. Data analysis.
B. Data diagnostics.
C. Data velocity.
D. Data normalization.
Answer: D
101.Which of the following physical access controls often functions as both a preventive and detective
control?
A. Locked doors.
B. Firewalls.
C. Surveillance cameras.
D. Login IDs and passwords.
Answer: C
102.According to I1A guidance on IT. which of the following activities regarding information security Is
most likely to be the responsibility of line management as opposed to executive management, internal
auditors, or the board?
A. Review and monitor security controls.
B. Dedicate sufficient security resources.
C. Provide oversight to the security function.
D. Assess information control environments.
Answer: B
104.Employees at an events organization use a particular technique to solve problems and improve
processes. The technique consists of five steps: define, measure, analyze, improve, and control.
Which of the following best describes this approach?
A. Six Sigma,
B. Quality circle.
C. Value chain analysis.
21 / 69
The safer , easier way to help you pass any IT exams.
D. Theory of constraints.
Answer: A
105.According to IIA guidance, which of the following statements is true regarding penetration testing?
A. Testing should not be announced to anyone within the organization to solicit a real-life response.
B. Testing should take place during heavy operational time periods to test system resilience.
C. Testing should be wide in scope and primarily address detective management controls for identifying
potential attacks.
D. Testing should address the preventive controls and management's response.
Answer: B
106.Which of the following bring-your-own-device (BYOD) practices is likely to increase the risk of
Infringement on local regulations, such as copyright or privacy laws?
A. Not installing anti-malware software
B. Updating operating software in a haphazard manner,
C. Applying a weak password for access to a mobile device.
D. JoIIbreaking a locked smart device
Answer: D
107.An organization buys equity securities for trading purposes and sells them within a short time period.
Which of the following is the correct way to value and report those securities at a financial statement
date?
A. At fair value with changes reported in the shareholders' equity section.
B. At fair value with changes reported in net income.
C. At amortized cost in the income statement.
D. As current assets in the balance sheet
Answer: B
108.Which of the following is most appropriately placed in the financing section of an organization's cash
budget?
A. Collections from customers
B. Sale of securities.
C. Purchase of trucks.
D. Payment of debt, including interest
Answer: D
109.An organization suffered significant damage to its local: file and application servers as a result of a
hurricane. Fortunately, the organization was able to recover all information backed up by its overseas
third-party contractor.
Which of the following approaches has been used by the organization?
A. Application management
B. Data center management
C. Managed security services
D. Systems integration
22 / 69
The safer , easier way to help you pass any IT exams.
Answer: C
110.Which of the following Issues would be a major concern for internal auditors when using a free
software to analyze a third-party vendor's big data?
A. The ability to use the software with ease to perform the data analysis to meet the engagement
objectives.
B. The ability to purchase upgraded features of the software that allow for more In-depth analysis of the
big data.
C. The ability to ensure that big data entered into the software is secure from potential compromises or
loss.
D. The ability to download the software onto the appropriate computers for use in analyzing the big data.
Answer: C
111.When auditing databases, which of the following risks would an Internal auditor keep In mind In
relation to database administrators?
A. The risk that database administrators will disagree with temporarily preventing user access to the
database for auditing purposes.
B. The risk that database administrators do not receive new patches from vendors that support database
software in a timely fashion.
C. The risk that database administrators set up personalized accounts for themselves, making the audit
time consuming.
D. The risk that database administrators could make hidden changes using privileged access.
Answer: C
112.What kind of strategy would be most effective for an organization to adopt in order to Implement a
unique advertising campaign for selling identical product lines across all of its markets?
A. Export strategy.
B. Transnational strategy
C. Multi-domestic strategy
D. Globalization strategy
Answer: C
113.Which of the following can be viewed as a potential benefit of an enterprisewide resource planning
system?
A. Real-time processing of transactions and elimination of data redundancies.
B. Fewer data processing errors and more efficient data exchange with trading partners.
C. Exploitation of opportunities and mitigation of risks associated with e-business.
D. Integration of business processes into multiple operating environments and databases.
Answer: A
23 / 69
The safer , easier way to help you pass any IT exams.
116.An organization discovered fraudulent activity involving the employee time-tracking system. One
employee regularly docked in and clocked out her co-worker friends on their days off, inflating their
reported work hours and increasing their wages.
Which of the following physical authentication devices would be most effective at disabling this fraudulent
scheme?
A. Face or finger recognition equipment,
B. Radiofrequency identification chips to authenticate employees with cards.
C. A requirement to clock in and clock out with a unique personal identification number.
D. A combination of a smart card and a password to clock in and clock out.
Answer: D
118.Which of the following capital budgeting techniques considers the expected total net cash flows from
investment?
A. Cash payback
B. Annual rate of return
C. Incremental analysis
D. Net present value
Answer: D
119.At an organization that uses a periodic inventory system, the accountant accidentally understated
the organization s beginning inventory.
How would the accountant's accident impact the income statement?
A. Cost of goods sold will be understated and net income will be overstated.
B. Cost of goods sold will be overstated and net income will be understated
24 / 69
The safer , easier way to help you pass any IT exams.
C. Cost of goods sold will be understated and there Wi-Fi be no impact on net income.
D. There will be no impact on cost of goods sold and net income will be overstated
Answer: B
120.A restaurant decided to expand its business to include delivery services, rather than relying on third-
party food delivery services.
Which of the following best describes the restaurants strategy?
A. Diversification
B. Vertical integration
C. Risk avoidance
D. Differentiation
Answer: A
122.An Internal auditor is using data analytics to focus on high-risk areas during an engagement. The
auditor has obtained data and is working to eliminate redundancies in the data.
Which of the following statements is true regarding this scenario?
A. The auditor is normalizing data in preparation for analyzing it.
B. The auditor is analyzing the data in preparation for communicating the results,
C. The auditor is cleaning the data in preparation for determining which processes may be involves .
D. The auditor is reviewing trio data prior to defining the question
Answer: A
123.Which of the following performance measures includes both profits and investment base?
A. Residual income
B. A flexible budget
C. Variance analysis.
D. A contribution margin income statement by segment.
Answer: C
124.During which of the following phases of contracting does the organization analyze whether the
market is aligned with organizational objectives?
A. Initiation phase
B. Bidding phase
25 / 69
The safer , easier way to help you pass any IT exams.
C. Development phase
D. Negotiation phase
Answer: A
125.During a review of the accounts payable process, an internal auditor gathered all of the vendor
payment transactions for the past 24 months. The auditor then used an Analytics
tool to identify the top five vendors that received the highest sum of payments.
Which of the following analytics techniques did the auditor apply?
A. Process analysis
B. Process mining
C. Data analysis.
D. Data mining
Answer: C
126.Which of the following attributes of data is most likely to be compromised in an organization with a
weak data governance culture?
A. Variety.
B. Velocity.
C. Volume.
D. Veracity.
Answer: D
127.Which of the following parties is most likely to be responsible for maintaining the infrastructure
required to prevent the failure of a real-time backup of a database?
A. IT database administrator.
B. IT data center manager.
C. IT help desk function.
D. IT network administrator.
Answer: B
128.Which of the following is an example of a contingent liability that a company should record?
A. A potential assessment of additional income tax.
B. Possible product warranty costs.
C. The threat of a lawsuit by a competitor.
D. The remote possibility of a contract breach.
Answer: C
26 / 69
The safer , easier way to help you pass any IT exams.
130.Which of the following practices circumvents administrative restrictions on smart devices, thereby
increasing data security risks?
A. Rooting.
B. Eavesdropping.
C. Man in the middle.
D. Session hijacking.
Answer: A
132.According to IIA guidance on IT, which of the following best describes a logical access control?
A. Require complex passwords to be established and changed quarterly
B. Require swipe cards to control entry into secure data centers.
C. Monitor access to the data center with closed circuit camera surveillance.
D. Maintain current role definitions to ensure appropriate segregation of duties
Answer: D
134.According to 11A guidance on IT, which of the following spreadsheets is most likely to be considered
a high-risk user-developed application?
A. A revenue calculation spreadsheet supported with price and volume reports from the production
department.
B. An asset retirement calculation spreadsheet comprised of multiple formulas and assumptions.
C. An ad-hoc inventory listing spreadsheet comprising details of written-off inventory quantities.
D. An accounts receivable reconciliation spreadsheet used by the accounting manager to verify balances
Answer: C
27 / 69
The safer , easier way to help you pass any IT exams.
136.According to 11A guidance on IT, which of the following are indicators of poor change management?
1. Inadequate control design.
2. Unplanned downtime.
3. Excessive troubleshooting.
4. Unavailability of critical services.
A. 2 and 3 only.
B. 1, 2, and 3 only
C. 1, 3, and 4 only
D. 2, 3, and 4 only
Answer: D
137.Which of the following principles s shared by both hierarchies and open organizational structures?
1. A superior can delegate the authority to make decisions but cannot delegate the ultimate responsibility
for the results of those decisions.
2. A supervisor's span of control should not exceed seven subordinates.
3. Responsibility should be accompanied by adequate authority.
4. Employees at all levels should be empowered to make decisions.
A. 1 and 3 only
B. 1 and 4 only
C. 2 and 3 only
D. 3 and 4 only
Answer: A
138.Which of the following describes a third-party network that connects an organization specifically with
its trading partners?
A. Value-added network (VAN).
B. Local area network (LAN).
C. Metropolitan area network (MAN).
D. Wide area network (WAN).
Answer: A
139.Which of the following physical security controls is able to serve as both a detective and preventive
control?
A. Authentication logs.
B. Card key readers.
C. Biometric devices
D. Video surveillance.
Answer: D
140.Which of the following controls is the most effective for ensuring confidentially of transmitted
information?
28 / 69
The safer , easier way to help you pass any IT exams.
A. Firewall.
B. Antivirus software.
C. Passwords.
D. Encryption.
Answer: D
142.When management uses the absorption costing approach, fixed manufacturing overhead costs are
classified as which of the following types of costs?
A. Direct, product costs.
B. Indirect product costs.
C. Direct period costs,
D. Indirect period costs
Answer: A
143.An employee was promoted within the organization and relocated to a new office in a different
building. A few months later, security personnel discovered that the employee's smart card was being
used to access the building where she previously worked.
Which of the following security controls could prevent such an incident from occurring?
A. Regular review of logs.
B. Two-level authentication.
C. Photos on smart cards.
D. Restriction of access hours.
Answer: C
144.When using data analytics during a review of the procurement process, what is the first step in the
analysis process?
A. Identify data anomalies and outliers.
B. Define questions to be answered.
C. Identify data sources available.
D. Determine the scope of the data extract
Answer: C
145.An organization has a declining inventory turnover but an increasing gross margin rate.
Which of the following statements can best explain this situation?
A. he organization's operating expenses are increasing.
B. The organization has adopted just-in-time inventory.
C. The organization is experiencing inventory theft.
29 / 69
The safer , easier way to help you pass any IT exams.
146.Which of the following characteristics applies to an organization that adopts a flat structure?
A. The structure is dispersed geographically
B. The hierarchy levels are more numerous.
C. The span of control is wide
D. The tower-level managers are encouraged to exercise creativity when solving problems
Answer: D
147.A company records income from an investment in common stock when it does which of the
following?
A. Purchases bonds.
B. Receives interest.
C. Receives dividends
D. Sells bonds.
Answer: B
148.An organization's account for office supplies on hand had a balance of $9,000 at the end of year
one. During year two. The organization recorded an expense of $45,000 for purchasing office supplies.
At the end of year two. a physical count determined that the organization has $11 ,500 in office supplies
on hand.
Based on this Information, what would he recorded in the adjusting entry an the end of year two?
A. A debit to office supplies on hand for S2.500
B. A debit to office supplies on hand for $11.500
C. A debit to office supplies on hand for $20,500
D. A debit to office supplies on hand for $42,500
Answer: B
149.Which of the following inventory costing methods requires the organization to account for the actual
cost paid for the unit being sold?
A. Last-in-first-Out (LIFO}.
B. Average cost.
C. First-in-first-out (FIFO).
D. Specific identification
Answer: C
150.Senior management is trying to decide whether to use the direct write-off or allowance method for
recording bad debt on accounts receivables.
Which of the following would be the best argument for using the direct write-off method?
A. It is useful when losses are considered insignificant.
B. It provides a better alignment with revenue.
C. It is the preferred method according to The IIA.
D. It states receivables at net realizable value on the balance sheet.
30 / 69
The safer , easier way to help you pass any IT exams.
Answer: C
151.While performing an audit of a car tire manufacturing plant, an internal auditor noticed a significant
decrease in the number of tires produced from the previous operating period.
To determine whether worker inefficiency caused the decrease, what additional information should the
auditor request?
A. Total tire production labor hours for the operating period.
B. Total tire production costs for the operating period.
C. Plant production employee headcount average for the operating period.
D. The production machinery utilization rates.
Answer: C
152.With regard to disaster recovery planning, which of the following would most likely involve
stakeholders from several departments?
A. Determining the frequency with which backups will be performed.
B. Prioritizing the order in which business systems would be restored.
C. Assigning who in the IT department would be involved in the recovery procedures.
D. Assessing the resources needed to meet the data recovery objectives.
Answer: B
153.Which of the following best describes the type of control provided by a firewall?
A. Corrective
B. Detective
C. Preventive
D. Discretionary
Answer: C
155.A third party who provides payroll services to the organization was asked to create audit or “read-
only 1 functionalities in their systems.
Which of the following statements is true regarding this request?
A. This will support execution of the right-to-audit clause.
B. This will enforce robust risk assessment practices
C. This will address cybersecurity considerations and concerns.
D. This will enhance the third party's ability to apply data analytics
Answer: C
31 / 69
The safer , easier way to help you pass any IT exams.
156.The chief audit executive (CAE) has been asked to evaluate the chief technology officer's proposal
to outsource several key functions in the organization's IT department.
Which of the following would be the most appropriate action for the CAE to determine whether the
proposal aligns with the organization's strategy?
A. Understand strategic context and evaluate whether supporting information is reliable and complete.
B. Ascertain whether governance and approval processes are transparent, documented, and completed.
C. Perform a due diligence review or asses management's review of provider operations.
D. Identify key performance measures and data sources.
Answer: C
157.Which of the following security controls focuses most on prevention of unauthorized access to the
power plant?
A. An offboarding procedure is initiated monthly to determine redundant physical access rights.
B. Logs generated by smart locks are automatically scanned to identify anomalies in access patterns.
C. Requests for additional access rights are sent for approval and validation by direct supervisors.
D. Automatic notifications are sent to a central security unit when employees enter the premises during
nonwork hours
Answer: C
160.According to IIA guidance on IT, which of the following controls the routing of data packets to link
computers?
A. Operating system
B. Control environment
C. Network.
D. Application program code
Answer: C
161.While conducting' audit procedures at the organization's data center an internal auditor noticed the
32 / 69
The safer , easier way to help you pass any IT exams.
following:
- Backup media was located on data center shelves.
- Backup media was organized by date.
- Backup schedule was one week in duration.
The system administrator was able to present restore logs.
Which of the following is reasonable for the internal auditor to conclude?
A. Backup media is not properly stored, as the storage facility should be off-site.
B. Backup procedures are adequate and appropriate according to best practices.
C. Backup media is not properly indexed, as backup media should be indexed by system, not date.
D. Backup schedule is not sufficient, as full backup should be conducted daily.
Answer: A
163.A rapidly expanding retail organisation continues to be tightly controlled by its original small
management team.
Which of the following is a potential risk in this vertically centralized organization?
A. Lack of coordination among different business units
B. Operational decisions are inconsistent with organizational goals
C. Suboptimal decision making
D. Duplication of business activities
Answer: C
164.According to IIA guidance, which of the following statements is true with regard to workstation
computers that access company Information stored on the network?
A. Individual workstation computer controls are not as important as companywide server controls.
B. Particular attention should be paid to housing workstations away from environmental hazards.
C. Cyber security issues can be controlled at an enterprise level, making workstation level controls
redundant.
D. With security risks near an all-time high, workstations should not be connected to the company
network.
Answer: C
33 / 69
The safer , easier way to help you pass any IT exams.
167.Which of the following is true regarding the use of remote wipe for smart devices?
A. It can restore default settings and lock encrypted data when necessary.
B. It enables the erasure and reformatting of secure digital (SD) cards.
C. It can delete data backed up to a desktop for complete protection if required.
D. It can wipe data that is backed up via cloud computing
Answer: B
168.Which of the following items represents the first thing that should be done with obtained dote in the
data analytics process?
A. Verify completeness and accuracy.
B. Verify existence and accuracy.
C. Verify completeness and integrity.
D. Verify existence and completeness.
Answer: B
170.An organization requires an average of 5S days to convert raw materials into finished products to
sell. An average of 42 additional days is required to collect receivables.
If the organization takes an average of 10 days to pay for the raw materials, how long is its total cash
conversion cycle?
A. 26 days.
B. 90 days,
C. 100 days.
D. 110 days
Answer: B
34 / 69
The safer , easier way to help you pass any IT exams.
172.While auditing an organization's customer call center, an internal auditor notices that Key
performance indicators show a positive trend, despite the fact that there have been increasing customer
complaints over the same period.
Which of the following audit recommendations would most likely correct the cause of this inconsistency?
A. Review the call center script used by customer service agents to interact with callers, and update the
script if necessary.
B. Be-emphasize the importance of call center employees completing a certain number of calls per hour.
C. Retrain call center staff on area processes and common technical issues that they will likely be asked
to resolve.
D. Increase the incentive for call center employees to complete calls quickly and raise the number of
calls completed daily
Answer: A
173.Which of the following cost of capital methods identifies the time period required to recover She cost
of the capital investment from the annual inflow produced?
A. Cash payback technique
B. Annual rate of return technique.
C. Internal rate of return method.
D. Net present value method.
Answer: A
174.Which of the following is an example of a key systems development control typically found in the In-
house development of an application system?
A. Logical access controls monitor application usage and generate audit trails.
B. The development process is designed to prevent, detect, and correct errors that may occur.
C. A record is maintained to track the process of data from Input, to output to storage.
D. Business users' requirements are documented, and their achievement is monitored
Answer: B
35 / 69
The safer , easier way to help you pass any IT exams.
network
Answer: D
176.Which of the following best describes the purpose of fixed manufacturing costs?
A. To ensure availability of production facilities.
B. To decrease direct expenses related to production.
C. To incur stable costs despite operating capacity.
D. To increase the total unit cost under absorption costing
Answer: D
177.Which of the following statements Is true regarding the use of centralized authority to govern an
organization?
A. Fraud committed through collusion is more likely when authority is centralized.
B. Centralized managerial authority typically enhances certainty and consistency within an organization.
C. When authority is centralized, the alignment of activities to achieve business goals typically is
decreased.
D. Using separation of duties to mitigate collusion is reduced only when authority is centralized.
Answer: B
178.According to IIA guidance on IT, which of the following would be considered a primary control for a
spreadsheet to help ensure accurate financial reporting?
A. Formulas and static data are locked or protected.
B. The spreadsheet is stored on a network server that is backed up daily.
C. The purpose and use of the spreadsheet are documented.
D. Check-in and check-out software is used to control versions.
Answer: A
179.An organization that relies heavily on IT wants to contain the impact of potential business disruption
to a period of approximately four to seven days.
Which of the following business recovery strategies would most efficiently meet this organization's
needs?
A. A recovery strategy whereby a separate site has not yet been determined, but hardware has been
reserved for purchase and data backups.
B. A recovery strategy whereby a separate site has been secured and is ready for use, with
fully configured hardware and real-time synchronized data
C. A recovery strategy whereby a separate site has been secured and the necessary funds for hardware
and data backups have been reserved.
D. A recovery strategy whereby a separate site has been secured with configurable hardware and data
backups.
Answer: D
180.Which of the following is an example of a physical control designed to prevent security breaches?
A. Preventing database administrators from initiating program changes
B. Blocking technicians from getting into the network room.
36 / 69
The safer , easier way to help you pass any IT exams.
181.Which of the following concepts of managerial accounting is focused on achieving a point of low or
no inventory?
A. Theory of constraints.
B. Just-in-time method.
C. Activity-based costing.
D. Break-even analysis
Answer: C
182.An organization has a declining inventory turnover but an Increasing gross margin rate, Which of the
following statements can best explain this situation?
A. The organization's operating expenses are increasing.
B. The organization has adopted just-in-time inventory.
C. The organization is experiencing Inventory theft
D. The organization's inventory is overstated.
Answer: B
183.Which of the following is a limitation of the remote wipe for a smart device?
A. Encrypted data cannot be locked to prevent further access
B. Default settings cannot be restored on the device.
C. All data, cannot be completely removed from the device
D. Mobile device management software is required for successful remote wipe
Answer: D
184.An organization has an immediate need for servers, but no time to complete capital acquisitions.
Which of the following cloud services would assist with this situation?
A. Infrastructure as a Service (laaS).
B. Platform as a Service (PaaS).
C. Enterprise as a Service (EaaS).
D. Software as a Service (SaaS).
Answer: D
37 / 69
The safer , easier way to help you pass any IT exams.
186.An internal auditor is reviewing results from software development integration testing.
What is the purpose of integration testing?
A. To verify that the application meets stated user requirements.
B. To verify that standalone programs match code specifications.
C. To verify that the application would work appropriately for the intended number of users.
D. To verify that all software and hardware components work together as intended.
Answer: C
188.In light of increasing emission taxes in the European Union, a car manufacturer introduced a new
middle-class hybrid vehicle specifically for the European market only.
Which of the following competitive strategies has the manufacturer used?
A. Reactive strategy.
B. Cost leadership strategy.
C. Differentiation strategy.
D. Focus strategy
Answer: D
190.A newly appointed board member received an email that appeared to be from the company's CEO.
The email stated: “Good morning. As you remember, the closure of projects is our top priority. Kindly
organize prompt payment of the attached invoice for our new solar energy partners.” The board member
quickly replied to the email and asked under which project the expense should be accounted. Only then
did he realize that the sender 's mail domain was different from the company's.
Which of the following cybersecurity risks nearly occurred in the situation described?
A. A risk of spyware and malware.
B. A risk of corporate espionage.
C. A ransomware attack risk.
D. A social engineering risk.
Answer: D
38 / 69
The safer , easier way to help you pass any IT exams.
191.An organization has 10,000 units of a defect item in stock, per unit, market price is $10$; production
cost is $4; and defect selling price is $5.
What is the carrying amount (inventory value) of defects at your end?
A. $0
B. $4,000
C. $5,000
D. $10,000
Answer: C
192.Focus An organization has decided to have all employees work from home.
Which of the following network types would securely enable this approach?
A. A wireless local area network (WLAN).
B. A personal area network (PAN).
C. A wide area network (WAN).
D. A virtual private network (VPN)
Answer: D
193.An organization is considering integration of governance, risk., and compliance (GRC) activities into
a centralized technology-based resource.
In implementing this GRC resource, which of the following is a key enterprise governance concern that
should be fulfilled by the final product?
A. The board should be fully satisfied that there is an effective system of governance in place through
accurate, quality information provided.
B. Compliance, audit, and risk management can find and seek efficiencies between their functions
through integrated information reporting.
C. Key compliance and risk metrics can be tracked and compared throughout the enterprise, aiding in
identifying problem departments.
D. Data analytics can be utilized for trending of the data to ensure that patterns and ongoing monitoring
occurs throughout the organization.
Answer: A
194.How can the concept of relevant cost help management with behavioral analyses?
A. It explains the assumption mat both costs and revenues are linear through the relevant range
B. It enables management to calculate a minimum number of units to produce and sell without having to
incur a loss.
C. It enables management to predict how costs such as the depreciation of equipment will be affected by
a change in business decisions
D. It enables management to make business decisions, as it explains the cost that will be incurred for a
given course of action
Answer: D
39 / 69
The safer , easier way to help you pass any IT exams.
exist.
B. The leader intervenes only when performance standards are not met.
C. The leader intervenes to communicate high expectations.
D. The leader does not intervene to promote problem-solving
Answer: C
197.Which of the following information security controls has the primary function of preventing
unauthorized outside users from accessing an organization's data through the organization's network?
A. Firewall.
B. Encryption.
C. Antivirus.
D. Biometrics.
Answer: B
198.A clothing company sells shirts for $8 per shirt. In order to break even, the company must sell
25.000 shirts. Actual sales total S300.000.
What is margin of safety sales for the company?
A. $100.000
B. $200,000
C. $275,000
D. $500,000
Answer: A
199.Which of the following situations best applies to an organisation that uses a project, rather than a
process, to accomplish its business activities?
A. Clothing company designs, makes, and sells a new item.
B. A commercial construction company is hired to build a warehouse.
C. A city department sets up a new firefighter training program.
D. A manufacturing organization acquires component parts from a contracted vendor
Answer: B
200.An investor has acquired an organization that has a dominant position in a mature. slew-growth
Industry and consistently creates positive financial income.
Which of the following terms would the investor most likely label this investment in her portfolio?
A. A star
B. A cash cow
C. A question mark
40 / 69
The safer , easier way to help you pass any IT exams.
D. A dog
Answer: B
201.Which of the following techniques would best detect on inventory fraud scheme?
A. Analyze invoice payments just under individual authorization limits.
B. Analyze stratification of inventory adjustments by warehouse location.
C. Analyze Inventory Invoice amounts and compare with approved contract amounts.
D. Analyze differences discovered curing duplicate payment testing.
Answer: C
202.The internal audit activity has identified accounting errors that resulted in the organization
overstating its net income for the fiscal year.
Which of the following is the most likely cause of this overstatement?
A. Beginning inventory was overstated for the year.
B. Cost of goods sold was understated for the year.
C. Ending inventory was understated for the year.
D. Cost of goods sold was overstated for the year.
Answer: B
205.Which of the following job design techniques would most likely be used to increase employee
motivation through job responsibility and recognition?
A. Job complicating
B. Job rotation
C. Job enrichment
D. Job enlargement
Answer: C
41 / 69
The safer , easier way to help you pass any IT exams.
209.An internal auditor identified a database administrator with an incompatible dual role.
Which of the following duties should not be performed by the identified administrator?
A. Designing and maintaining the database.
B. Preparing input data and maintaining the database.
C. Maintaining the database and providing its security,
D. Designing the database and providing its security
Answer: B
210.Which of the following is classified as a product cost using the variable costing method?
1. Direct labor costs.
2. Insurance on a factory.
3. Manufacturing supplies.
42 / 69
The safer , easier way to help you pass any IT exams.
211.Which of the following analytical techniques would an internal auditor use to verify that none of an
organization's employees are receiving fraudulent invoice payments?
A. Perform gap testing.
B. Join different data sources.
C. Perform duplicate testing.
D. Calculate statistical parameters.
Answer: B
212.A bond that matures after one year has a face value of S250,000 and a coupon of $30,000. if the
market price of the bond is 5265,000, which of the following would be the market interest rate?
A. Less than 12 percent.
B. 12 percent.
C. Between 12.01 percent and 12.50 percent.
D. More than 12 50 percent.
Answer: A
215.Which of the following is the most appropriate beginning step of a work program for an assurance
engagement involving smart devices?
A. Train all employees on bring-your-own-device (BYOD) policies.
B. Understand what procedures are in place for locking lost devices
C. Obtain a list of all smart devices in use
D. Test encryption of all smart devices
Answer: C
43 / 69
The safer , easier way to help you pass any IT exams.
216.During disaster recovery planning, the organization established a recovery point objective.
Which of the following best describes this concept?
A. The maximum tolerable downtime after the occurrence of an incident.
B. The maximum tolerable data loss after the occurrence of an incident.
C. The maximum tolerable risk related to the occurrence of an incident
D. The minimum recovery resources needed after the occurrence of an incident
Answer: B
217.According to IIA guidance, which of the following is a broad collection of integrated policies,
standards, and procedures used to guide the planning and execution of a project?
A. Project portfolio.
B. Project development
C. Project governance.
D. Project management methodologies
Answer: C
218.Which of the following would an organization execute to effectively mitigate and manage risks
created by a crisis or event?
A. Only preventive measures.
B. Alternative and reactive measures.
C. Preventive and alternative measures.
D. Preventive and reactive measures.
Answer: B
220.Which of the following is on example of a smart device security control intended to prevent
unauthorized users from gaining access to a device's data or applications?
A. Anti-malware software
B. Authentication
C. Spyware
D. Rooting
Answer: B
221.According to IIA guidance, which of the following would be the best first stop to manage risk when a
third party is overseeing the organization's network and data?
A. Creating a comprehensive reporting system for vendors to demonstrate their ongoing due diligence in
44 / 69
The safer , easier way to help you pass any IT exams.
network operations.
B. Drafting a strong contract that requires regular vendor control reports end a right-to-audit clause.
C. Applying administrative privileges to ensure right to access controls are appropriate.
D. Creating a standing cyber-security committee to identify and manage risks related to data security
Answer: B
222.In reviewing an organization's IT infrastructure risks, which of the following controls is to be tested as
pan of reviewing workstations?
A. Input controls
B. Segregation of duties
C. Physical controls
D. Integrity controls
Answer: A
223.An organization accomplishes its goal to obtain a 40 percent share of the domestic market, but is
unable to get the desired return on Investment and output per hour of labor.
Based on this information, the organization is most likely focused on which of the following?
A. Capital investment and not marketing
B. Marketing and not capital investment
C. Efficiency and not input economy
D. Effectiveness and not efficiency
Answer: D
224.A company that supplies medications to large hospitals relies heavily on subcontractors to replenish
any shortages within 24 hours.
Where should internal auditors look for evidence that subcontractors are held responsible for this
obligation?
A. The company's code of ethics.
B. The third-party management risk register.
C. The signed service-level agreement.
D. The subcontractors' annual satisfaction survey.
Answer: C
225.A new manager received computations of the internal fate of return regarding the project proposal.
What should the manager compare the computation results to in order to determine whether the project
is potentially acceptable?
A. Compare to the annual cost of capital
B. Compare to the annual interest data.
C. Compare to the required rate of return.
D. Compare to the net present value.
Answer: A
226.A small chain of grocery stores made a reporting error and understated its ending inventory.
What effect would this have on the income statement for the following year?
45 / 69
The safer , easier way to help you pass any IT exams.
227.Which of the following security controls would provide the most efficient and effective authentication
for customers to access these online shopping account?
A. 12-digit password feature.
B. Security question feature.
C. Voice recognition feature.
D. Two-level sign-on feature
Answer: D
228.Which of the following accounting methods is an investor organization likely to use when buying 40
percent of the stock of another organization?
A. Cost method.
B. Equity method .
C. Consolidation method.
D. Fair value method.
Answer: B
229.Which of the following actions should an internal auditor take to clean the data obtained for analytics
purposes?
A. Deploys data visualization tool.
B. Adopt standardized data analysis software.
C. Define analytics objectives and establish outcomes.
D. Eliminate duplicate records.
Answer: D
231.An organization produces products X and Y. The materials used for the production of both products
are limited to 500 Kilograms (kg) per month.
All other resources are unlimited and their costs are fixed.
46 / 69
The safer , easier way to help you pass any IT exams.
Individual product details are as follows in order to maximize profit, how much of product Y should the
organization produce each month?
$10 $13
2 kg
70 units
6 kg
120 units
A. 50 units
B. 60 units
C. 70 units
D. 1:20 units
Answer: B
235.According to IIA guidance, which of the following statements is true regarding analytical procedures?
A. Data relationships are assumed to exist and to continue where no known conflicting conditions exist.
B. Analytical procedures are intended primarily to ensure the accuracy of the information being
examined.
47 / 69
The safer , easier way to help you pass any IT exams.
C. Data relationships cannot include comparisons between operational and statistical data
D. Analytical procedures can be used to identify unexpected differences, but cannot be used to identify
the absence of differences
Answer: A
236.Management has decided to change the organizational structure from one that was previously
decentralized to one that is now highly centralized. As such: which of the
following would be a characteristic of the now highly centralized organization?
A. Top management does little monitoring of the decisions made at lower levels.
B. The decisions made at the lower levels of management are considered very important.
C. Decisions made at lower levels in the organizational structure are few.
D. Reliance is placed on top management decision making by few of the organization's departments.
Answer: D
237.An organization discovered fraudulent activity involving the employee time-tracking system. One
employee regularly docked in and clocked out her co-worker friends on their days off, inflating their
reported work hours and increasing their wages.
Which of the following physical authentication devices would be most effective at disabling this fraudulent
scheme?
A. Face or finger recognition equipment,
B. Radio-frequency identification chips to authenticate employees with cards.
C. A requirement to clock in and clock out with a unique personal identification number.
D. A combination of a smart card and a password to clock in and clock out.
Answer: A
238.Which of the following is the most appropriate way lo record each partner's initial Investment in a
partnership?
A. At the value agreed upon by the partners.
B. At book value.
C. At fair value
D. At the original cost.
Answer: D
239.An internal audit activity is piloting a data analytics model, which aims to identify anomalies in
payments to vendors and potential fraud indicators.
Which of the following would be the most appropriate criteria for assessing the success of the piloted
model?
A. The percentage of cases flagged by the model and confirmed as positives.
B. The development and maintenance costs associated with the model
C. The feedback of auditors involved with developing the model.
D. The number of criminal investigations initiated based on the outcomes of the model
Answer: A
240.For employees, the primary value of implementing job enrichment is which of the following?
48 / 69
The safer , easier way to help you pass any IT exams.
241.Which of the following organization structures would most likely be able to cope with rapid changes
and uncertainties?
A. Decentralized
B. Centralized
C. Departmentalized
D. Tall structure
Answer: A
242.Which of the following storage options would give the organization the best chance of recovering
data?
A. Encrypted physical copies of the data, and their encryption keys are stored together at the
organization and are readily available upon request.
B. Encrypted physical copies of the data are stored separately from their encryption keys, and both are
held in secure locations a few hours away from the organization.
C. Encrypted reports on usage and database structure changes are stored on a cloud-based, secured
database that is readily accessible.
D. Encrypted copies of the data are stored in a separate secure location a few hours away, while the
encryption keys are stored at the organization and are readily available.
Answer: D
243.An internal auditor found the following information while reviewing the monthly financial siatements
for a wholesaler of safety
49 / 69
The safer , easier way to help you pass any IT exams.
B. Status.
C. Recognition.
D. Relationship with coworkers
Answer: C
245.A retail organization mistakenly did have include $10,000 of Inventory in the physical count at the
end of the year.
What was the impact to the organization's financial statements?
A. Cost of sales and net income are understated.
B. Cost of sales and net income are overstated.
C. Cost of sales is understated and not income is overstated.
D. Cost of sales is overstated and net Income is understated.
Answer: D
246.What is the primary risk associated with an organization adopting a decentralized structure?
A. Inability to adapt.
B. Greater costs of control function.
C. Inconsistency in decision making.
D. Lack of resilience.
Answer: C
247.Which of the following attributes of data is the most significantly impacted by the internet of things?
A. Normalization
B. Velocity
C. Structuration
D. Veracity
Answer: B
248.A manager at a publishing company received an email that appeared to be from one of her vendors
with an attachment that contained malware embedded in an Excel spreadsheet . When the spreadsheet
was opened, the cybercriminal was able to attack the company's network and gain access to an
unpublished and highly anticipated book.
Which of the following controls would be most effective to prevent such an attack?
A. Monitoring network traffic.
B. Using whitelists and blacklists to manage network traffic.
C. Restricting access and blocking unauthorized access to the network
D. Educating employees throughout the company to recognize phishing attacks.
Answer: D
249.When evaluating the help desk services provided by a third-party service provider which of the
following is likely to be the internal auditor's greatest concern?
A. Whether every call that the service provider received was logged by the help desk.
B. Whether a unique identification number was assigned to each issue identified by the service provider
C. Whether the service provider used its own facilities to provide help desk services
50 / 69
The safer , easier way to help you pass any IT exams.
D. Whether the provider's responses and resolutions were well defined according to the service-level
agreement.
Answer: D
250.Which of the following actions is likely to reduce the risk of violating transfer pricing regulations?
A. The organization sells inventory to an overseas subsidiary at fair value.
B. The local subsidiary purchases inventory at a discounted price.
C. The organization sells inventory to an overseas subsidiary at the original cost.
D. The local subsidiary purchases inventory at the depreciated cost.
Answer: C
251.An IT auditor is evaluating IT controls of a newly purchased information system. The auditor
discovers that logging is not configured al database and application levels. Operational management
explains that they do not have enough personnel to manage the logs and they see no benefit in keeping
logs.
Which of the fallowing responses best explains risks associated with insufficient or absent logging
practices?
A. The organization will be unable to develop preventative actions based on analytics.
B. The organization will not be able to trace and monitor the activities of database administers.
C. The organization will be unable to determine why intrusions and cyber incidents took place.
D. The organization will be unable to upgrade the system to newer versions.
Answer: C
252.Which type of bond sells at & discount from face value, then increases in value annually until it
reaches maturity and provides the owner with the total payoff?
A. High-yield bonds
B. Commodity-backed bonds
C. Zero coupon bonds
D. Junk bonds
Answer: C
253.Which of the following statements is true regarding an investee that received a dividend distribution
from an entity and is presumed to have little influence over the entity?
A. The cash dividends received increase the investee investment account accordingly.
B. The investee must adjust the investment account by the ownership interest
C. The investment account is adjusted downward by the percentage of ownership.
D. The investee must record the cash dividends as dividend revenue
Answer: D
254.After purchasing shoes from an online retailer, a customer continued to receive additional unsolicited
offers from the retailer and other retailers who offer similar products.
Which of the following is the most likely control weakness demonstrated by the seller?
A. Excessive collecting of information
B. Application of social engineering
51 / 69
The safer , easier way to help you pass any IT exams.
255.Which of the following is an effective preventive control for data center security?
A. Motion detectors.
B. Key card access to the facility.
C. Security cameras.
D. Monitoring access to data center workstations
Answer: B
256.Which of the following attributes of data analytics relates to the growing number of sources from
which data is being generated?
A. Volume.
B. Velocity.
C. Variety.
D. Veracity.
Answer: C
257.Which of the following lists best describes the classification of manufacturing costs?
A. Direct materials, indirect materials, raw materials.
B. Overhead costs, direct labor, direct materials.
C. Direct materials, direct labor, depreciation on factory buildings.
D. Raw materials, factory employees ‘wages, production selling expenses.
Answer: B
258.Which of the following practices impacts copyright issues related to the manufacturer of a smart
device?
A. Session hijacking.
B. Jailbreaking
C. Eavesdropping,
D. Authentication.
Answer: B
259.Which of the following is most important for an internal auditor to check with regard to the database
version?
A. Verify whether the organization uses the most recent database software version.
B. Verify whether the database software version is supported by the vendor.
C. Verify whether the database software version has been recently upgraded.
D. Verify whether .access to database version information is appropriately restricted.
Answer: B
260.Which of the following techniques would best detect an inventory fraud scheme?
A. Analyze Invoice payments just under individual authorization limits.
52 / 69
The safer , easier way to help you pass any IT exams.
261.When determining the level of physical controls required for a workstation, which of the following
factors should be considered?
A. Ease of use.
B. Value to the business.
C. Intrusion prevention.
D. Ergonomic model.
Answer: B
262.According to IIA guidance, which of the following best describes an adequate management (audit.)
trail application control for the general ledger?
A. Report identifying data that is outside of system parameters
B. Report identifying general ledger transactions by time and individual.
C. Report comparing processing results with original Input
D. Report confirming that the general ledger data was processed without error
Answer: B
264.At one organization, the specific terms of a contract require both the promisor end promise to sign
the contract in the presence of an independent witness.
What is the primary role to the witness to these signatures?
A. A witness verifies the quantities of the copies signed.
B. A witness verifies that the contract was signed with the free consent of the promisor and promise.
C. A witness ensures the completeness of the contract between the promisor and promise.
D. A witness validates that the signatures on the contract were signed by tire promisor and promise.
Answer: D
265.The board of directors wants to implement an incentive program for senior management that is
specifically tied to the long-term health of the organization.
Which of the following methods of compensation would be best to achieve this goal?
53 / 69
The safer , easier way to help you pass any IT exams.
A. Commissions.
B. Stock options
C. Gain-sharing bonuses.
D. Allowances
Answer: B
266.Which of the following common quantitative techniques used in capital budgeting is best associated
with the use of a table that describes the present value of an annuity?
A. Cash payback technique.
B. Discounted cash flow technique: net present value.
C. Annual rate of return
D. Discounted cash flow technique: internal rate of return.
Answer: B
267.Which of the following IT disaster recovery plans includes a remote site designated for recovery with
available space for basic services, such as internet and telecommunications, but does not have servers
or infrastructure equipment?
A. Frozen site
B. Cold site
C. Warm site
D. Hot site
Answer: B
268.An attacker, posing as a bank representative, convinced an employee to release certain, financial
information that ultimately resulted in fraud.
Which of the following best describes this cybersecurity risk?
A. Shoulder suiting
B. Pharming,
C. Phishing.
D. Social engineering.
Answer: C
269.At one organization, the specific terms of a contract require both the promisor and promisee to sign
the contract in the presence of an independent witness.
What is the primary role to the witness to these signatures?
A. A witness verifies the quantities of the copies signed.
B. A witness verifies that the contract was signed with the free consent of the promisor and promisee.
C. A witness ensures the completeness of the contract between the promisor and promisee.
D. A witness validates that the signatures on the contract were signed by the promisor and promisee.
Answer: D
54 / 69
The safer , easier way to help you pass any IT exams.
271.Which of these instances accurately describes the responsibilities for big data governance?
A. Management must ensure information storage systems are appropriately defined and processes to
update critical data elements are clear.
B. External auditors must ensure that analytical models are periodically monitored and maintained.
C. The board must implement controls around data quality dimensions to ensure that they are effective.
D. Internal auditors must ensure the quality and security of data, with a heightened focus on the riskiest
data elements.
Answer: A
272.Which of the following statements is true regarding user developed applications (UDAs) and
traditional IT applications?
A. UDAs arid traditional JT applications typically follow a similar development life cycle
B. A UDA usually includes system documentation to illustrate its functions, and IT-developed applications
typically do not require such documentation.
C. Unlike traditional IT applications. UDAs typically are developed with little consideration of controls.
D. IT testing personnel usually review both types of applications thoroughly to ensure they were
developed properly.
Answer: C
273.An internal auditor has requested the organizational chart in order to evaluate the control
environment of an organization.
Which of the following is a disadvantage of using the organizational chart?
A. The organizational chart shows only formal relationships.
B. The organizational chart shows only the line of authority.
C. The organizational chart shows only the senior management positions.
D. The organizational chart is irrelevant when testing the control environment.
Answer: A
274.According to IIA guidance on IT, which of the following strategies would provide the most effective
access control over an automated point-of-sale system?
A. Install and update anti-virus software.
B. Implement data encryption techniques.
C. Set data availability by user need.
D. Upgrade firewall configuration
Answer: C
55 / 69
The safer , easier way to help you pass any IT exams.
C. Mechanistic structure.
D. Functional structure with cross-functional teams.
Answer: B
276.Which of the following measures the operating success of a company for a given period of time?
A. Liquidity ratios.
B. Profitability ratios.
C. Solvency ratios.
D. Current ratios.
Answer: B
277.An internal auditor reviewed Finance Department records to obtain a list of current vendor
addresses. The auditor then compared the vendor addresses to a record of employee addresses
maintained by the Payroll Department.
Which of the following types of data analysis did the auditor perform?
A. Duplicate testing.
B. Joining data sources.
C. Gap analysis.
D. Classification
Answer: A
278.Which of the following is a sound network configuration practice to enhance information security?
A. Change management practices to ensure operating system patch documentation is retained.
B. User role requirements are documented in accordance with appropriate application-level control
needs.
C. Validation of intrusion prevention controls is performed to ensure intended functionality and data
integrity.
D. Interfaces reinforce segregation of duties between operations administration and database
development.
Answer: C
279.Which of the following controls would an internal auditor consider the most relevant to reduce risks
of project cost overruns?
A. Scope change requests are reviewed and approved by a manager with a proper level of authority.
B. Cost overruns are reviewed and approved by a control committee led by the project manager.
C. There is a formal quality assurance process to review scope change requests before they are
implemented
D. There is a formal process to monitor the status of the project and compare it to the cost baseline
Answer: D
280.Which of the following actions would senior management need to consider as part of new IT
guidelines regarding the organization's cybersecurity policies?
A. Assigning new roles and responsibilities for senior IT management.
B. Growing use of bring your own devices for organizational matters.
56 / 69
The safer , easier way to help you pass any IT exams.
281.Which of the following types of budgets will best provide the basis for evaluating the organization's
performance?
A. Cash budget.
B. Budgeted balance sheet.
C. Selling and administrative expense budget.
D. Budgeted income statement.
Answer: D
283.Which of the following represents an inventory costing technique that can be manipulated by
management to boost net income by selling units purchased at a low cost?
A. First-in. first-out method (FIFO).
B. Last-in, first-out method (LIFO).
C. Specific identification method.
D. Average-cost method
Answer: A
284.A one-time password would most likely be generated in which of the following situations?
A. When an employee accesses an online digital certificate
B. When an employee's biometrics have been accepted.
C. When an employee creates a unique digital signature,
D. When an employee uses a key fob to produce a token.
Answer: D
286.Which of the following is a distinguishing feature of managerial accounting, which is not applicable to
57 / 69
The safer , easier way to help you pass any IT exams.
financial accounting?
A. Managerial accounting uses double-entry accounting and cost data.
B. Managerial accounting uses general accepted accounting principles.
C. Managerial accounting involves decision making based on quantifiable economic events.
D. Managerial accounting involves decision making based on predetermined standards.
Answer: D
287.The chief audit executive (CAE) has embraced a total quality management approach to improving
the internal audit activity's (lAArs) processes. He would like to reduce the time to complete audits and
improve client ratings of the IAA.
Which of the following staffing approaches is the CAE most likely lo select?
A. Assign a team with a trained audit manager to plan each audit and distribute field work tasks to
various staff auditors.
B. Assign a team of personnel who have different specialties to each audit and empower Team members
to participate fully in key decisions
C. Assign a team to each audit, designate a single person to be responsible for each phase of the audit,
and limit decision making outside of their area of responsibility.
D. Assign a team of personnel who have similar specialties to specific engagements that would benefit
from those specialties and limit Key decisions to the senior person.
Answer: D
288.A new clerk in the managerial accounting department applied the high-low method and computed
the difference between the high and low levels of maintenance costs.
Which type of maintenance costs did the clerk determine?
A. Fixed maintenance costs.
B. Variable maintenance costs.
C. Mixed maintenance costs.
D. Indirect maintenance costs.
Answer: C
289.In accounting, which of the following statements is true regarding the terms debit and credit?
A. Debit indicates the right side of an account and credit the left side
B. Debit means an increase in an account and credit means a decrease.
C. Credit indicates the right side of an account and debit the left side.
D. Credit means an increase in an account and debit means a decrease
Answer: D
290.Which of the following best explains why an organization would enter into a capital lease contract?
A. To increase the ability to borrow additional funds from creditors
B. To reduce the organization's free cash flow from operations
C. To Improve the organization's free cash flow from operations
D. To acquire the asset at the end of the lease period at a price lower than the fair market value
Answer: C
58 / 69
The safer , easier way to help you pass any IT exams.
291.According to UA guidance on IT, at which of the following stages of the project life cycle would the
project manager most likely address the need to coordinate project resources?
A. Initiation.
B. Planning.
C. Execution.
D. Monitoring.
Answer: B
292.The budgeted cost of work performed is a metric best used to measure which project management
activity?
A. Resource planning.
B. Cost estimating
C. Cost budgeting.
D. Cost control.
Answer: D
293.What relationship exists between decentralization and the degree, importance, and range of lower-
level decision making?
A. Mutually exclusive relationship.
B. Direct relationship.
C. Intrinsic relationship.
D. Inverse relationship.
Answer: B
294.Which of the following is true of bond financing, compared to common stock, when alJ other
variables are equal?
A. Lower shareholder control
B. lower indebtedness
C. Higher company earnings per share.
D. Higher overall company earnings
Answer: C
295.An internal auditor was asked to review an equal equity partnership, in one sampled transaction.
Partner A transferred equipment into the partnership with a Self-declared value of 510 ,000, and Partner
B contributed equipment with a self-declared value of 515,000. The capital accounts reach partner were
subsequently credited with $12,500.
Which of the following statements Is true regarding this transection?
A. The capital accounts of the partners should be increased by she original cost of the contributed
equipment.
B. The capital accounts should be increased using a weighted average based by the current percentage
of ownership.
C. No action is needed, as the capital account of each partner was increased by the correct amount,
D. The capital accounts of the partners should be increased by She fair market value of their
contribution.
59 / 69
The safer , easier way to help you pass any IT exams.
Answer: C
296.What security feature would Identity a legitimate employee using her own smart device to gam
access to an application run by the organization?
A. Using a jailbroken or rooted smart device feature.
B. Using only smart devices previously approved by the organization.
C. Obtaining written assurance from the employee that security policies and procedures are followed.
D. Introducing a security question known only by the employee.
Answer: A
297.According to 11A guidance on it; which of the following statements is true regarding websites used in
e-commerce transactions?
A. HTTP sites provide sufficient security to protect customers'credit card information.
B. Web servers store credit cardholders'information submitted for payment.
C. Database servers send cardholders’ information for authorization in clear text.
D. Payment gatewaysauthorizecredit cardonlinepayments.
Answer: D
298.An organization was forced to stop production unexpectedly, as raw materials could not be delivered
due to a military conflict in the region.
Which of the following plans have most likely failed to support the organization?
A. Just-in-time delivery plans.
B. Backup plans.
C. Contingency plans.
D. Standing plans.
Answer: C
299.An organization is considering outsourcing its IT services, and the internal auditor as assessing the
related risks.
The auditor grouped the related risks into three categories;
- Risks specific to the organization itself.
- Risks specific to the service provider.
- Risks shared by both the organization and the service provider
Which of the following risks should the auditor classify as specific to the service provider?
A. Unexpected increases in outsourcing costs.
B. Loss of data privacy.
C. Inadequate staffing.
D. Violation of contractual terms.
Answer: D
300.An organization has an agreement with a third-party vendor to have a fully operational facility,
duplicate of the original site and configured to the organization's needs, inorder to quickly recover
operational capability in the event of a disaster.
Which of the following best describes this approach to disaster recovery planning?
60 / 69
The safer , easier way to help you pass any IT exams.
301.Which of the following IT layers would require the organization to maintain communication with a
vendor in a tightly controlled and monitored manner?
A. Applications
B. Technical infrastructure.
C. External connections.
D. IT management
Answer: B
302.Which of the following is a cybersecurity monitoring activity intended to deter disruptive codes from
being installed on an organizations systems?
A. Boundary defense
B. Malware defense.
C. Penetration tests
D. Wireless access controls
Answer: C
303.An organization contracted a third-party service provider to plan, design, and build a new facility.
Senior management would like to transfer all of the risk to the builder.
Which type of procurement contract would the organization use?
A. Cost-plus contract.
B. Turnkey contract.
C. Service contract.
D. Solutions contract.
Answer: A
304.Based on lest results, an IT auditor concluded that the organization would suffer unacceptable loss
of data if there was a disaster at its data center.
Which of the following test results would likely lead the auditor to this conclusion?
A. Requested backup tapes were not returned from the offsite vendor In a timely manner.
B. Returned backup tapes from the offsite vendor contained empty spaces.
C. Critical systems have boon backed up more frequently than required.
D. Critical system backup tapes are taken off site less frequently than required
Answer: D
305.The manager of the sales department wants to Increase the organization's net profit margin by 7%
(from 43% in the prior year to 50% in the current year).
61 / 69
The safer , easier way to help you pass any IT exams.
Given the information provided in the table below, what would be the targeted sales amount for the
current year?
A. $20,000,000
B. $24.500.000
C. $30.000.000
D. $35.200.000
Answer: D
306.An internal auditor considers the financial statement of an organization as part of a financial
assurance engagement. The auditor expresses the organization's electricity and depreciation expenses
as a percentage of revenue to be 10% and 7% respectively.
Which of the following techniques was used by the internal auditor In this calculation?
A. Horizontal analysis
B. Vertical analysis
C. Ratio analysis
D. Trend analysis
Answer: B
307.An organization decided to outsource its human resources function. As part of its process migration,
the organization is implementing controls over sensitive employee data.
What would be the most appropriate directive control in this area?
A. Require a Service Organization Controls (SOC) report from the service provider
B. Include a data protection clause in the contract with the service provider.
C. Obtain a nondisclosure agreement from each employee at the service provider who will handle
sensitive data.
D. Encrypt the employees 'data before transmitting it to the service provider
Answer: B
308.During an audit of the payroll system, the internal auditor identifies and documents the following
condition: "Once a user is logged into the system, the user has access to all functionality within the
system."
What is the most likely root cause for tins issue?
A. The authentication process relies on a simple password only, which is a weak method of
authorization.
62 / 69
The safer , easier way to help you pass any IT exams.
B. The system authorization of the user does not correctly reflect the access rights intended.
C. There was no periodic review to validate access rights.
D. The application owner apparently did not approve the access request during the provisioning process.
Answer: B
309.An organization and its trading partner rely on a computer-to-computer exchange of digital business
documents.
Which of the following best describes this scenario?
A. Use of a central processing unit
B. Use of a database management system
C. Use of a local area network
D. Use of electronic data Interchange
Answer: D
311.Which of the following physical access control is most likely to be based on ’’something you have"
concept?
A. A retina characteristics reader
B. A P3M code reader
C. A card-key scanner
D. A fingerprint scanner
Answer: C
312.According to The IIA's Three Lines Model, which of the following IT security activities is commonly
shared by all three lines?
A. Assessments of third parties and suppliers.
B. Recruitment and retention of certified IT talent.
C. Classification of data and design of access privileges.
D. Creation and maintenance of secure network and device configuration.
Answer: C
313.An organization that soils products to a foreign subsidiary wants to charge a price that wilt decrease
import tariffs.
Which of the following is the best course of action for the organization?
A. Decrease the transfer price
B. Increase the transfer price
63 / 69
The safer , easier way to help you pass any IT exams.
314.Which of the following sites would an Internet service provider most likely use to restore operations
after its servers were damaged by a natural disaster?
A. On site.
B. Cold site.
C. Hot site.
D. Warm site
Answer: D
315.Which of the following measures would best protect an organization from automated attacks
whereby the attacker attempts to identify weak or leaked passwords in order to log into employees'
accounts?
A. Requiring users to change their passwords every two years.
B. Requiring two-step verification for all users
C. Requiring the use of a virtual private network (VPN) when employees are out of the office.
D. Requiring the use of up-to-date antivirus, security, and event management tools.
Answer: B
316.Which of the following would most likely serve as a foundation for individual operational goats?
A. Individual skills and capabilities.
B. Alignment with organizational strategy.
C. Financial and human resources of the unit.
D. Targets of key performance indicators
Answer: D
317.Which of the following types of accounts must be closed at the end of the period?
A. Income statement accounts.
B. Balance sheet accounts.
C. Permanent accounts.
D. Real accounts.
Answer: A
318.According to Herzberg's Two-Factor Theory of Motivation, which of the following factors arc
mentioned most often by satisfied employees?
A. Salary and status
B. Responsibility and advancement
C. Work conditions and security
D. Peer relationships and personal life
Answer: B
319.An internal auditor discusses user-defined default passwords with the database administrator. Such
64 / 69
The safer , easier way to help you pass any IT exams.
passwords will be reset as soon as the user logs in for the first time, but the initial value of the password
is set as "123456."
Which of the following are the auditor and the database administrator most likely discussing in this
situation?
A. Whether it would be more secure to replace numeric values with characters.
B. What happens in the situations where users continue using the initial password.
C. What happens in the period between the creation of the account and the password change.
D. Whether users should be trained on password management features and requirements.
Answer: B
321.Which of the following responsibilities would ordinary fall under the help desk function of an
organization?
A. Maintenance service items such as production support.
B. Management of infrastructure services, including network management.
C. Physical hosting of mainframes and distributed servers
D. End-to -end security architecture design.
Answer: B
322.According to IIA guidance on IT, which of the following best describes a situation where data backup
plans exist to ensure that critical data can be restored at some point in the future, but recovery and
restore processes have not been defined?
A. Hot recovery plan
B. Warm recovery plan
C. Cold recovery plan
D. Absence of recovery plan
Answer: D
323.An organization's technician was granted a role that enables him to prioritize projects throughout the
organization.
Which type of authority will the technician most likely be exercising?
A. Legitimate authority
B. Coercive authority.
C. Referent authority.
D. Expert authority.
Answer: A
65 / 69
The safer , easier way to help you pass any IT exams.
324.According to Maslow's hierarchy of needs theory, which of the following would likely have the most
impact on retaining staff, if their lower-level needs are already met?
A. Social benefits.
B. Compensation.
C. Job safety.
D. Recognition
Answer: D
325.Which of the following statements, is true regarding the capital budgeting procedure known as
discounted payback period?
A. It calculates the overall value of a project.
B. It ignores the time value of money.
C. It calculates the time a project takes to break even.
D. It begins at time zero for the project.
Answer: C
326.Which of the following best describes a detective control designed to protect an organization from
cyberthreats and attacks?
A. A list of trustworthy, good traffic and a list of unauthorized, blocked traffic.
B. Monitoring for vulnerabilities based on industry intelligence.
C. Comprehensive service level agreements with vendors.
D. Firewall and other network perimeter protection tools.
Answer: B
327.According to IIA guidance, which of the following links computers and enables them to -
communicate with each other?
A. Application program code
B. Database system
C. Operating system
D. Networks
Answer: D
328.Which of the following is a security feature that Involves the use of hardware and software to filter or
prevent specific Information from moving between the inside network and the outs de network?
A. Authorization
B. Architecture model
C. Firewall
D. Virtual private network
Answer: C
329.During which phase of the contracting process ere contracts drafted for a proposed business
activity?
A. Initiation phase.
66 / 69
The safer , easier way to help you pass any IT exams.
B. Bidding phase
C. Development phase
D. Management phase
Answer: A
330.An internal auditor observed that the organization's disaster recovery solution will make use of a
cold site in a town several miles away.
Which of the following is likely to be a characteristic of this disaster recover/ solution?
A. Data is synchronized in real time
B. Recovery time is expected to be less than one week
C. Servers are not available and need to be procured
D. Recovery resources end data restore processes have not been defined.
Answer: C
331.As it relates to the data analytics process, which of the following best describes the purpose of an
internal auditor who cleaned and normalized cate?
A. The auditor eliminated duplicate information.
B. The auditor organized data to minimize useless information.
C. The auditor made data usable for a specific purpose by ensuring that anomalies were Identified and
corrected.
D. The auditor ensured data fields were consistent and that data could be used for a specific purpose.
Answer: B
332.Which of the following application controls, implemented by management, monitors data being
processed to ensure the data remains consistent and accurate?
A. Management trail controls
B. Output controls.
C. Integrity controls
D. input controls
Answer: C
333.An organization has decided to allow its managers to use their own smart phones at work.
With this change, which of the following is most important to Include In the IT department's
comprehensive policies and procedures?
A. Required documentation of process for discontinuing use of the devices
B. Required removal of personal pictures and contacts.
C. Required documentation of expiration of contract with service provider.
D. Required sign-off on conflict of interest statement.
Answer: A
334.When examining; an organization's strategic plan, an internal auditor should expect to find which of
the following components?
A. Identification of achievable goals and timelines
B. Analysis of the competitive environment.
67 / 69
The safer , easier way to help you pass any IT exams.
335.Which of the following would most likely be found in an organization that uses a decentralized
organizational structure?
A. There is a higher reliance on organizational culture.
B. There are clear expectations set for employees.
C. There are electronic monitoring techniques employed
D. There is a defined code far employee behavior.
Answer: B
336.An internal auditor for a pharmaceutical company as planning a cybersecurity audit and conducting
a risk assessment.
Which of the following would be considered the most significant cyber threat to the organization?
A. Cybercriminals hacking into the organization's time and expense system to collect employee personal
data.
B. Hackers breaching the organization's network to access research and development reports
C. A denial-of-service attack that prevents access to the organization's website.
D. A hacker accessing she financial information of the company
Answer: B
338.An organization had a gross profit margin of 40 percent in year one and in year two. The net profit
margin was 18 percent in year one and 13 percent in year two.
Which of the following could be the reason for the decline in the net profit margin for year two?
A. Cost of sales increased relative to sales.
B. Total sales increased relative to expenses.
C. The organization had a higher dividend payout rate in year two.
D. The government increased the corporate tax rate
Answer: D
68 / 69
The safer , easier way to help you pass any IT exams.
Answer: D
340.Which of the following contract concepts is typically given in exchange for the execution of a
promise?
A. Lawfulness.
B. Consideration.
C. Agreement.
D. Discharge
Answer: B
69 / 69