IIA CIA Part3

Testpassport Q&A

Higher Quality, Better Service
We offer free update service for one year
http://www.testpassport.com
The safer, easier way to help you pass any IT exams.

Exam: IIA-CIA-Part3
Title: CIA Exam Part Three: Business Knowledge for Internal Auditing
Version: V14.02

1 / 69

1.An organization decided to reorganize into a flatter structure.
Which of the following changes would be expected with this new structure?
A. Lower costs.
B. Slower decision making at the senior executive level.
C. Limited creative freedom in lower-level managers.
D. Senior-level executives more focused on short-term, routine decision making
Answer: D

2.During her annual performance review, a sales manager admits that she experiences significant stress
due to her job but stays with the organization because of the high bonuses she earns.
Which of the following best describes her primary motivation to remain in the job?
A. Intrinsic reward.
B. Job enrichment
C. Extrinsic reward.
D. The hierarchy of needs.
Answer: C

3.With increased cybersecurity threats, which of the following should management consider to ensure
that there is strong security governance in place?
A. Inventory of information assets
B. Limited sharing of data files with external parties.
C. Vulnerability assessment
D. Clearly defined policies
Answer: C

4.Which of the following risks is best addressed by encryption?
A. Information integrity risk
B. Privacy risk
C. Access risk
D. Software risk
Answer: B

5.Which of the following best describes a man-in-the-middle cyber-attack?
A. The perpetrator is able to delete data on the network without physical access to the device.
B. The perpetrator is able to exploit network activities for unapproved purposes.
C. The perpetrator is able to take over control of data communication in transit and replace traffic.
D. The perpetrator is able to disable default security controls and introduce additional vulnerabilities
Answer: C

6.Which of the following application controls is the most dependent on the password owner?
A. Password selection
B. Password aging
C. Password lockout
D. Password rotation
Answer: A

7.Which of the following is the best example of IT governance controls?
A. Controls that focus on segregation of duties, financial, and change management.
B. Personnel policies that define and enforce conditions for staff in sensitive IT areas.
C. Standards that support IT policies by more specifically defining required actions
D. Controls that focus on data structures and the minimum level of documentation required
Answer: C

8.Which of the following networks is suitable for an organization that has operations in multiple cities and
countries?
A. Wide area network.
B. Local area network
C. Metropolitan area network.
D. Storage area network.
Answer: A

9.Which of the following facilitates data extraction from an application?
A. Application program code.
B. Database system.
C. Operating system.
D. Networks.
Answer: B

10.While conducting an audit of the accounts payable department, an internal auditor found that 3% of
payments made during the period under review did not agree with the submitted invoices.
Which of the following key performance indicators (KPIs) for the department would best assist the
auditor in determining the significance of the test results?
A. A KPI that defines the process owner's tolerance for performance deviations.
B. A KPI that defines the importance of performance levels and disbursement statistics being measured.
C. A KPI that defines timeliness with regard to reporting disbursement data errors to authorized
personnel.
D. A KPI that defines operating ratio objectives of the disbursement process.
Answer: A

11.Which of the following IT professionals is responsible for providing maintenance to switches and
routers to keep IT systems running as intended?
A. Data center operations manager
B. Response and support team.
C. Database administrator.
D. Network administrator
Answer: D

12.Which of the following capital budgeting techniques considers the time value of money?
A. Annual rate of return.
B. Incremental analysis.
C. Discounted cash flow.
D. Cash payback
Answer: C

13.Which of the following best describes a potential benefit of using data analyses?
A. It easily aligns with existing internal audit competencies to reduce expenses
B. It provides a more holistic view of the audited area.
C. Its outcomes can be easily interpreted into audit conclusions.
D. Its application increases internal auditors' adherence to the Standards
Answer: C

14.If an organization has a high amount of working capital compared to the industry average, which of
the following is most likely true?
A. Settlement of short-term obligations may become difficult.
B. Cash may be tied up in items not generating financial value.
C. Collection policies of the organization are ineffective.
D. The organization is efficient in using assets to generate revenue.
Answer: B

15.A small software development firm designs and produces custom applications for businesses. The
application development team consists of employees from multiple departments who all report to a single
project manager.
Which of the following organizational structures does this situation represent?
A. Functional departmentalization.
B. Product departmentalization
C. Matrix organization.
D. Divisional organization
Answer: C

16.Which of the following attributes of data are cybersecurity controls primarily designed to protect?
A. Veracity, velocity, and variety.
B. Integrity, availability, and confidentiality.
C. Accessibility, accuracy, and effectiveness.
D. Authorization, logical access, and physical access.
Answer: C

17.The management of working capital is most crucial for which of the following aspects of business?
A. Liquidity
B. Profitability
C. Solvency
D. Efficiency
Answer: A

18.An organization finalized a contract in which a vendor is expected to design, procure, and construct a
power substation for $3,000,000. In this scenario, the organization agreed to which of the following types
of contracts?
A. A cost-reimbursable contract.
B. A lump-sum contract.
C. A time and material contract.
D. A bilateral contract.
Answer: B

19.Which of the following would be the strongest control to prevent unauthorized wireless network
access?
A. Allowing access to the organization's network only through a virtual private network.
B. Logging devices that access the network, including the date, time, and identity of the user.
C. Tracking all mobile device physical locations and banning access from non-designated areas.
D. Permitting only authorized IT personnel to have administrative control of mobile devices.
Answer: D

20.Which of the following best explains the matching principle?
A. Revenues should be recognized when earned.
B. Revenue recognition is matched with cash.
C. Expense recognition is tied to revenue recognition.
D. Expenses are recognized at each accounting period.
Answer: C

21.The head of the research and development department at a manufacturing organization believes that
his team lacks expertise in some areas, and he decides to hire more experienced researchers to assist
in the development of a new product.
Which of the following variances are likely to occur as the result of this decision?
1. Favorable labor efficiency variance.
2. Adverse labor rate variance.
3. Adverse labor efficiency variance.
4. Favorable labor rate variance.
A. 1 and 2
B. 1 and 4
C. 3 and 4
D. 2 and 3
Answer: A

22.Which of the following intangible assets is considered to have an indefinite life?
A. Underground oil deposits
B. Copyright
C. Trademark
D. Land
Answer: C

23.Which of the following should internal auditors be attentive of when reviewing personal data consent
and opt-in/opt-out management process?
A. Whether customers are asked to renew their consent for their data processing at least quarterly.
B. Whether private data is processed in accordance with the purpose for which the consent was
obtained.
C. Whether the organization has established explicit and entitywide policies on data transfer to third
parties.
D. Whether customers have an opportunity to opt out of the right to be forgotten from organizational
records and systems.
Answer: C

24.An analytical model determined that on Friday and Saturday nights the luxury brands stores should
be open for extended hours and with a doubled number of employees present; while on Mondays and
Tuesdays costs can be minimized by reducing the number of employees to a minimum and opening only
for evening hours.
Which of the following best categorizes the analytical model applied?
A. Descriptive.
B. Diagnostic.
C. Prescriptive.
D. Prolific.
Answer: C

25.Which of the following statements is true regarding a bring-your-own-device (BYOD) environment?
A. There is a greater need for organizations to rely on users to comply with policies and procedures.
B. With fewer devices owned by the organization, there is reduced need to maintain documented policies
and procedures.
C. Incident response times are less critical in the BYOD environment, compared to a traditional
environment
D. There is greater sharing of operational risk in a BYOD environment
Answer: A

26.Which of the following is a primary driver behind the creation and prioritization of new strategic
initiatives established by an organization?
A. Risk tolerance
B. Performance
C. Threats and opportunities
D. Governance
Answer: C

27.Management is designing its disaster recovery plan. In the event that there is significant damage to
the organization's IT systems this plan should enable the organization to resume operations at a
recovery site after some configuration and data restoration.
Which of the following is the ideal solution for management in this scenario?
A. A warm recovery plan.
B. A cold recovery plan.
C. A hot recovery plan.
D. A manual work processes plan
Answer: B

28.Which of the following is the best example of a compliance risk that is likely to arise when adopting a
bring-your-own-device (BYOD) policy?
A. The risk that users try to bypass controls and do not install required software updates.
B. The risk that smart devices can be lost or stolen due to their mobile nature.
C. The risk that an organization intrusively monitors personal Information stored on smart devices.
D. The risk that proprietary information is not deleted from the device when an employee leaves.
Answer: D

29.Which of the following is a result of implementing an e-commerce system, which relies heavily on
electronic data interchange and electronic funds transfer, for purchasing and billing?
A. Higher cash flow and treasury balances.
B. Higher inventory balances
C. Higher accounts receivable.
D. Higher accounts payable
Answer: C

30.A multinational organization allows its employees to access work email via personal smart devices.
However, users are required to consent to the installation of mobile device management (MDM) software
that will remotely wipe data in case of theft or other incidents.
Which of the following should the organization ensure in exchange for the employees' consent?
A. That those employees who do not consent to MDM software cannot have an email account.
B. That personal data on the device cannot be accessed and deleted by system administrators.
C. That monitoring of employees' online activities is conducted in a covert way to avoid upsetting them.
D. That employee consent includes appropriate waivers regarding potential breaches to their privacy.
Answer: B

31.An internal auditor reviews a data population and calculates the mean, median, and range.
What is the most likely purpose of performing this analytic technique?
A. To inform the classification of the data population.
B. To determine the completeness and accuracy of the data.
C. To identify whether the population contains outliers.
D. To determine whether duplicates in the data inflate the range.
Answer: C

32.Which of the following statements is true regarding activity-based costing (ABC)?
A. An ABC costing system is similar to conventional costing systems in how it treats the allocation of
manufacturing overhead.
B. An ABC costing system uses a single unit-level basis to allocate overhead costs to products.
C. An ABC costing system may be used with either a job order or a process cost accounting system.
D. The primary disadvantage of an ABC costing system is less accurate product costing.
Answer: C

33.When reviewing application controls using the four-level model, which of the following processes are
associated with level 4 of the business process method?
A. Activity
B. Subprocess
C. Major process
D. Mega process
Answer: A

34.Which of the following is an example of internal auditors applying data mining techniques for
exploratory purposes?
A. Internal auditors perform reconciliation procedures to support an external audit of financial reporting.
B. Internal auditors perform a systems-focused analysis to review relevant controls.
C. Internal auditors perform a risk assessment to identify potential audit subjects as input for the annual
internal audit plan
D. Internal auditors test IT general controls with regard to operating effectiveness versus design
Answer: C

35.An intruder posing as the organization's CEO sent an email and tricked payroll staff into providing
employees' private tax information.
What type of attack was perpetrated?
A. Boundary attack.
B. Spear phishing attack.
C. Brute force attack.
D. Spoofing attack.
Answer: B

36.Which of the following purchasing scenarios would gain the greatest benefit from implementing
electronic data interchange?
A. A just-in-time purchasing environment
B. A Large volume of custom purchases
C. A variable volume sensitive to material cost
D. A currently inefficient purchasing process
Answer: A

37.According to IIA guidance on IT, which of the following plans would pair the identification of
critical business processes with recovery time objectives?
A. The business continuity management charter.
B. The business continuity risk assessment plan.
C. The business impact analysis plan
D. The business case for business continuity planning
Answer: C

38.Which of the following is a disadvantage in a centralized organizational structure?
A. Communication conflicts
B. Slower decision making.
C. Loss of economies of scale
D. Vulnerabilities in sharing knowledge
Answer: C

39.A manufacturer is deciding whether to sell or process materials further.
Which of the following costs would be relevant to this decision?
A. Incremental processing costs, incremental revenue, and variable manufacturing expenses.
B. Joint costs, incremental processing costs, and variable manufacturing expenses.
C. Incremental revenue, joint costs, and incremental processing costs.
D. Variable manufacturing expenses, incremental revenue, and joint costs
Answer: A

40.Which of the following situations best illustrates a "false positive" in the performance of a spam filter?
A. The spam filter removed incoming communication that included certain keywords and domains.
B. The spam filter deleted commercial ads automatically, as they were recognized as unwanted.
C. The spam filter routed to the "junk" folder a newsletter that appeared to include links to fake websites.
D. The spam filter blocked a fitness club gift card that coworkers sent to an employee for her birthday.
Answer: D

41.Which of the following would be the best method to collect information about employees' job
satisfaction?
A. Online surveys sent randomly to employees.
B. Direct onsite observations of employees.
C. Town hall meetings with employees.
D. Face-to-face interviews with employees.
Answer: D

42.Which of the following network types should an organization choose if it wants to allow access only to
its own personnel?
A. An extranet
B. A local area network
C. An intranet
D. The internet
Answer: B

43.Which of the following should be established by management during implementation of big data
systems to enable ongoing production monitoring?
A. Key performance indicators.
B. Reports of software customization.
C. Change and patch management.
D. Master data management
Answer: A

44.Which of the following controls would be most efficient to protect business data from corruption and
errors?
A. Controls to ensure data is unable to be accessed without authorization.
B. Controls to calculate batch totals to identify an error before approval.
C. Controls to encrypt the data so that corruption is likely ineffective.
D. Controls to quickly identify malicious intrusion attempts.
Answer: B

45.On the last day of the year, a total cost of $150,000 was incurred in indirect labor related to one of
the key products an organization makes.
How should the expense be reported on that year's financial statements?
A. It should be reported as an administrative expense on the income statement.
B. It should be reported as period cost other than a product cost on the management accounts
C. It should be reported as cost of goods sold on the income statement.
D. It should be reported on the balance sheet as part of inventory.
Answer: C

46.Which of the following is true of matrix organizations?
A. A unity-of-command concept requires employees to report technically, functionally, and
administratively to the same manager.
B. A combination of product and functional departments allows management to utilize personnel from
various functions.
C. Authority, responsibility and accountability of the units involved may vary based on the project's life, or
the organization's culture
D. It is best suited for firms with scattered locations or for multi-line, large-scale firms.
Answer: B

47.Which of the following statements describes the typical benefit of using a flat organizational structure
for the internal audit activity, compared to a hierarchical structure?
A. A flat structure results in lower operating and support costs than a hierarchical structure.
B. A flat structure results in a stable and very collaborative environment.
C. A flat structure enables field auditors to report to and learn from senior auditors.
D. A flat structure is more dynamic and offers more opportunities for advancement than a hierarchical
structure.
Answer: A

48.An organization's board of directors is particularly focused on positioning, the organization as a leader
in the industry and beating the competition.
Which of the following strategies offers the greatest alignment with the board's focus?
A. Divesting product lines expected to have negative profitability.
B. Increasing the diversity of strategic business units.
C. Increasing investment in research and development for a new product.
D. Relocating the organization's manufacturing to another country.
Answer: C

49.At what stage of project integration management would a project manager and project management
team typically coordinate the various technical and organizational interfaces that exist in the project?
A. Project plan development.
B. Project plan execution
C. Integrated change control.
D. Project quality planning
Answer: A

50.Internal auditors want to increase the likelihood of identifying very small control and transaction
anomalies in their testing that could potentially be exploited to cause material breaches.
Which of the following techniques would best meet this objective?
A. Analysis of the full population of existing data.
B. Verification of the completeness and integrity of existing data.
C. Continuous monitoring on a repetitive basis.
D. Analysis of the databases of partners, such as suppliers.
Answer: A

51.Which of the following is a project planning methodology that involves a complex series of required
simulations to provide information about schedule risk?
A. Monte Carlo Analysis.
B. Project Management Information System (PMIS).
C. Earned Value Management (EVM).
D. Integrated Project Plan
Answer: A

52.For which of the following scenarios would the most recent backup of the human resources database
be the best source of information to use?
A. An incorrect program fix was implemented just prior to the database backup.
B. The organization is preparing to train all employees on the new self-service benefits system.
C. There was a data center failure that requires restoring the system at the backup site.
D. There is a need to access prior year-end training reports for all employees in the human resources
database
Answer: C

53.Which of the following security controls would be the most effective in preventing security breaches?
A. Approval of identity request
B. Access logging.
C. Monitoring privileged accounts
D. Audit of access rights
Answer: D

54.Which of the following biometric access controls uses the most unique human recognition
characteristic?
A. Facial comparison using photo identification.
B. Signature comparison.
C. Voice comparison.
D. Retinal print comparison.
Answer: D

55.A company produces water buckets with the following costs per bucket:
Direct labor = $2
Direct material = $5
Fixed manufacturing = $3.50
Variable manufacturing = $2.50
The water buckets are usually sold for $15. However, the company received a special order for 50,000
water buckets at $11 each.
Assuming there is adequate manufacturing capacity and all other variables are constant, what is the
relevant cost per unit to consider when deciding whether to accept this special order at the reduced
price?
A. $9.50
B. $10.50
C. $11
D. $13
Answer: A

56.Which of the following financial statements provides the best disclosure of how a company's money
was used during a particular period?
A. Income statement.
B. Owner's equity statement.
C. Balance sheet.
D. Statement of cash flows.
Answer: D

57.Which of the following IT-related activities is most commonly performed by the second line of
defense?
A. Block unauthorized traffic.
B. Encrypt data.
C. Review disaster recovery test results.
D. Provide independent assessment of IT security.
Answer: C

58.Which of the following best describes the primary objective of cybersecurity?
A. To protect the effective performance of IT general and application controls.
B. To regulate users' behavior in the web and cloud environment.
C. To prevent unauthorized access to information assets.
D. To secure application of protocols and authorization routines.
Answer: B

59.Which of the following should software auditors do when reporting internal audit findings related to
enterprisewide resource planning?
A. Draft separate audit reports for business and IT management.
B. Connect IT audit findings to business issues.
C. Include technical details to support IT issues.
D. Include an opinion on financial reporting accuracy and completeness.
Answer: B

60.Which component of an organization's cybersecurity risk assessment framework would allow
management to implement user controls based on a user's role?
A. Prompt response and remediation policy
B. Inventory of information assets
C. Information access management
D. Standard security configurations
Answer: C

61.Which of the following best describes a cyberattack in which an organization faces a denial-of-service
threat created through malicious data encryption?
A. Phishing.
B. Ransomware.
C. Hacking.
D. Malware
Answer: D

62.Which of the following is an indicator of liquidity that is more dependable than working capital?
A. Acid-test (quick) ratio
B. Average collection period
C. Current ratio.
D. Inventory turnover.
Answer: A

63.Which of the following statements is true concerning the basic accounting treatment of a partnership?
A. The initial investment of each partner should be recorded at book value.
B. The ownership ratio identifies the basis for dividing net income and net loss.
C. A partner's capital only changes due to net income or net loss.
D. The basis for sharing net incomes or net losses must be fixed.
Answer: A

64.Which of the following controls would enable management to receive timely feedback and help
mitigate unforeseen risks?
A. Measure product performance against an established standard.
B. Develop standard methods for performing established activities.
C. Require the grouping of activities under a single manager.
D. Assign each employee a reasonable workload.
Answer: D

65.Several organizations have developed a strategy to open co-owned shopping malls.
What would be the primary purpose of this strategy?
A. To exploit core competence.
B. To increase market synergy.
C. To deliver enhanced value.
D. To reduce costs.
Answer: B

66.With regard to project management, which of the following statements about project crashing is true?
A. It leads to an increase in risk and often results in rework.
B. It is an optimization technique where activities are performed in parallel rather than sequentially.
C. It involves a revaluation of project requirements and/or scope.
D. It is a compression technique in which resources are added so the project.
Answer: D

67.Which of the following data security policies is most likely to be the result of a data privacy law?
A. Access to personally identifiable information is limited to those who need it to perform their job.
B. Confidential data must be backed up and recoverable within a 24-hour period.
C. Updates to systems containing sensitive data must be approved before being moved to production.
D. A record of employees with access to insider information must be maintained, and those employees
may not trade company stock during blackout periods
Answer: A

68.Which of the following is an advantage of a decentralized organizational structure, as opposed to a
centralized structure?
A. Greater cost-effectiveness
B. Increased economies of scale
C. Larger talent pool
D. Strong internal controls
Answer: C

69.Which of the following would be classified as IT general controls?
A. Error listings.
B. Distribution controls.
C. Transaction logging.
D. Systems development controls.
Answer: C

70.Which of the following is most influenced by a retained earnings policy?
A. Cash.
B. Dividends.
C. Gross margin.
D. Net income.
Answer: D

71.Which of the following can be classified as debt investments?
A. Investments in the capital stock of a corporation
B. Acquisition of government bonds.
C. Contents of an investment portfolio.
D. Acquisition of common stock of a corporation
Answer: B

72.A large retail customer made an offer to buy 10,000 units at a special price of $7 per unit. The
manufacturer usually sells each unit for $10. Variable manufacturing costs are $5 per unit and fixed
manufacturing costs are $3 per unit.
For the manufacturer to accept the offer, which of the following assumptions needs to be true?
A. Fixed and variable manufacturing costs are less than the special offer selling price.
B. The manufacturer can fulfill the order without expanding the capacities of the production facilities.
C. Costs related to accepting this offer can be absorbed through the sale of other products.
D. The manufacturer’s production facilities are currently operating at full capacity.
Answer: C

73.Which of the following authentication device credentials is the most difficult to revoke when an
employee's access rights need to be removed?
A. A traditional key lock
B. A biometric device
C. A card-key system
D. A proximity device
Answer: B

74.Which of the following is an example of a physical control?
A. Providing fire detection and suppression equipment
B. Establishing a physical security policy and promoting it throughout the organization
C. Performing business continuity and disaster recovery planning
D. Keeping an offsite backup of the organization's critical data
Answer: A

75.Which of the following is a benefit from the concept of Internet of Things?
A. Employees can choose from a variety of devices they want to utilize to privately read work emails
without their employer’s knowledge.
B. Physical devices, such as thermostats and heat pumps, can be set to react to electricity market
changes and reduce costs.
C. Information can be extracted more efficiently from databases and transmitted to relevant applications
for in-depth analytics.
D. Data mining and data collection from internet and social networks is easier, and the results are more
comprehensive
Answer: B

76.Which of the following IT disaster recovery plans includes a remote site designated for recovery with
available space for basic services, such as internet and telecommunications, but does not have servers
or infrastructure equipment?
A. Frozen site
B. Cold site
C. Warm site
D. Hot site
Answer: B

77.According to Maslow's hierarchy of needs theory, which of the following best describes a strategy
where a manager offers an assignment to a subordinate specifically to support his professional growth
and future advancement?
A. Esteem by colleagues.
B. Self-fulfillment
C. Sense of belonging in the organization
D. Job security
Answer: B

78.When executive compensation is based on the organization's financial results, which of the following
situations is most likely to arise?
A. The organization reports inappropriate estimates and accruals due to poor accounting controls.
B. The organization uses an unreliable process for gathering and reporting executive compensation data.
C. The organization experiences increasing discontent of employees, if executives are eligible for
compensation amounts that are deemed unreasonable.
D. The organization encourages employee behavior that is inconsistent with the interests of relevant
stakeholders.
Answer: D

79.Which of the following would be a concern related to the authorization controls utilized for a system?
A. Users can only see certain screens in the system.
B. Users are making frequent password change requests.
C. Users input incorrect passwords and get denied system access.
D. Users are all permitted uniform access to the system.
Answer: A

80.Which of the following is a characteristic of big data?
A. Big data is being generated slowly due to volume.
B. Big data must be relevant for the purposes of organizations.
C. Big data comes from a single type of format.
D. Big data is always changing
Answer: C

81.Which of the following risks would involve individuals attacking an oil company's IT system as a sign
of solidarity against drilling in a local area?
A. Tampering
B. Hacking
C. Phishing
D. Piracy
Answer: B

82.An organization with a stable rating, as assessed by international rating agencies, has issued a bond
not backed by assets or collateral. Payments of the interests and the principal to bondholders are
guaranteed by the organization.
Which type of bond did the organization issue?
A. A sinking fund bond.
B. A secured bond.
C. A junk bond.
D. A debenture bond
Answer: D

83.Which of the following controls would be the most effective in preventing the disclosure of an
organization's confidential electronic information?
A. Nondisclosure agreements between the firm and its employees.
B. Logs of user activity within the information system.
C. Two-factor authentication for access into the information system.
D. limited access so information, based on employee duties
Answer: D

84.Which of the following statements is true regarding the term "flexible budgets" as it is used in
accounting?
A. The term describes budgets that exclude fixed costs.
B. Flexible budgets exclude outcome projections, which are hard to determine, and instead rely on the
most recent actual outcomes.
C. The term is a red flag for weak budgetary control activities.
D. Flexible budgets project data for different levels of activity.
Answer: D

85.Which of the following types of data analytics would be used by a hospital to determine which patients
are likely to require readmission for additional treatment?

A. Predictive analytics.
B. Prescriptive analytics.
C. Descriptive analytics.
D. Diagnostic analytics.
Answer: A

86.Which of the following represents a basis for consolidation under the International Financial Reporting
Standards?
A. Variable entity approach.
B. Control ownership.
C. Risk and reward.
D. Voting interest.
Answer: D

87.A financial institution receives frequent and varied email requests from customers for funds to be
wired out of their accounts.
Which verification activity would best help the institution avoid falling victim to phishing?
A. Reviewing the customer's wire activity to determine whether the request is typical.
B. Calling the customer at the phone number on record to validate the request.
C. Replying to the customer via email to validate the sender and request.
D. Reviewing the customer record to verify whether the customer has authorized wire requests from that
email address.
Answer: B

88.A chief audit executive wants to implement an enterprisewide resource planning software.
Which of the following internal audit assessments could provide overall assurance on the likelihood of
the software implementation's success?
A. Readiness assessment.
B. Project risk assessment.
C. Post-implementation review.
D. Key phase review.
Answer: A

89.Management has established a performance measurement focused on the accuracy of
disbursements. The disbursement statistics, provided daily to all accounts payable and audit staff,
include details of payments stratified by amount and frequency.
Which of the following is likely to be the greatest concern regarding this performance measurement?
A. Articulation of the data
B. Availability of the data.
C. Measurability of the data
D. Relevance of the data.
Answer: D

90.Which of the following statements is most accurate concerning the management and audit of a web
server?
A. The file transfer protocol (FTP) should always be enabled.
B. The simple mail transfer protocol (SMTP) should be operating under the most privileged accounts.
C. The number of ports and protocols allowed to access the web server should be maximized.
D. Secure protocols for confidential pages should be used instead of clear-text protocols such as HTTP
or FTP.
Answer: D

91.Which of the following disaster recovery plans includes recovery resources available at the site, but
they may need to be configured to support the production system?
A. Warm site recovery plan.
B. Hot site recovery plan.
C. Cool site recovery plan.
D. Cold site recovery plan.
Answer: A

92.Which of the following describes the most appropriate set of tests for auditing a workstation's logical
access controls?
A. Review the list of people with access badges to the room containing the workstation and a log of
those who accessed the room.
B. Review the password length, frequency of change, and list of users for the workstation's login
process.
C. Review the list of people who attempted to access the workstation and failed, as well as error
messages.
D. Review the passwords of those who attempted unsuccessfully to access the workstation and the log
of their activity
Answer: B

93.In an effort to increase business efficiencies and improve customer service offered to its major trading
partners, management of a manufacturing and distribution company established a secure network, which
provides a secure channel for electronic data interchange between the company and its partners.
Which of the following network types is illustrated by this scenario?
A. A value-added network.
B. A local area network.
C. A metropolitan area network.
D. A wide area network.
Answer: A

94.An internal auditor is assessing the risks related to an organization's mobile device policy. She notes
that the organization allows third parties (vendors and visitors) to use outside smart devices to access its
proprietary networks and systems.
Which of the following types of smart device risks should the internal auditor be most concerned about?
A. Compliance.
B. Privacy.
C. Strategic.
D. Physical security.
Answer: A

95.Which of the following best demonstrates the application of the cost principle?
A. A company reports trading and investment securities at their market value.
B. A building purchased last year for $1 million is currently worth $1.2 million, but the company still
reports the building at $1 million.
C. A building purchased last year for $1 million is currently worth $1.2 million, and the company adjusts
the records to reflect the current value.
D. A company reports assets at either historical or fair value, depending on which is closer to market value.
Answer: B

96.Which of the following backup methodologies would be most efficient in backing up a database in the
production environment?
A. Disk mirroring of the data being stored on the database.
B. A differential backup that is performed on a weekly basis.
C. An array of independent disks used to back up the database.
D. An incremental backup of the database on a daily basis.
Answer: D

97.What is the primary purpose of an integrity control?
A. To ensure data processing is complete, accurate, and authorized.
B. To ensure data being processed remains consistent and intact.
C. To monitor the effectiveness of other controls
D. To ensure the output aligns with the intended result.
Answer: A

98.In an organization that produces chocolate, the leadership team decides that the organization will
open a milk production facility for its milk chocolate.
Which of the following strategies has the organization chosen?
A. Vertical integration.
B. Unrelated diversification.
C. Differentiation.
D. Focus.
Answer: A

99.An organization with global headquarters in the United States has subsidiaries in eight other nations.
If the organization operates with an ethnocentric attitude, which of the following statements is true?
A. Standards used for evaluation and control are determined at local subsidiaries, not set by
headquarters.
B. Orders, commands, and advice are sent to the subsidiaries from headquarters.
C. People of local nationality are developed for the best positions within their own country.
D. There is a significant amount of collaboration between headquarters and subsidiaries.
Answer: B

100.An internal auditor was assigned to test for ghost employees using data analytics. The auditor
extracted employee data from human resources and payroll. Using spreadsheet functions, the auditor
matched data sets by name and assumed that employees who were not present in each data set should
be investigated further. However, the results seemed erroneous, as very few employees matched across
all data sets.
Which of the following data analytics steps has the auditor most likely omitted?
A. Data analysis.
B. Data diagnostics.
C. Data velocity.
D. Data normalization.
Answer: D
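The failure described in question 100 is concrete enough to show in code: names extracted from two systems rarely agree byte-for-byte, so a raw string match finds almost nothing, while a normalized key matches the same people and isolates the payroll record with no HR counterpart. The following Python script is an added example and is not part of the original exam material; the HR and payroll extracts are constructed sample data, and the field names (`emp_id`, `name`) are assumptions.

```python
import re
import unicodedata

# Constructed sample extracts for illustration (not real HR or payroll data).
# The same three people appear in both systems under differently formatted
# names; payroll additionally carries one record with no HR counterpart.
HR_EMPLOYEES = [
    {"emp_id": "E001", "name": "  Smith, JOHN "},
    {"emp_id": "E002", "name": "Ana María Pérez"},
    {"emp_id": "E003", "name": "O'Brien, Patrick"},
]
PAYROLL_RECORDS = [
    {"emp_id": "E001", "name": "john smith"},
    {"emp_id": "E002", "name": "Perez, Ana Maria"},
    {"emp_id": "E003", "name": "Patrick OBrien"},
    {"emp_id": "E999", "name": "Ghost, Casper"},
]


def normalize_name(raw):
    """Reduce a person's name to a canonical key that survives the
    formatting differences typical between systems: accents, case,
    surrounding whitespace, punctuation, and "Last, First" ordering.
    Token order is discarded so "Smith, John" and "John Smith" agree."""
    text = unicodedata.normalize("NFKD", raw)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.strip().lower()
    if "," in text:                          # "last, first" -> "first last"
        last, first = text.split(",", 1)
        text = f"{first} {last}"
    text = re.sub(r"[^a-z0-9 ]", "", text)   # drop apostrophes, hyphens, dots
    return " ".join(sorted(text.split()))


def raw_key(record):
    """Naive key: the name exactly as extracted (what the auditor did)."""
    return record["name"]


def normalized_key(record):
    """Key used after the normalization step."""
    return normalize_name(record["name"])


def matched_count(hr, payroll, key_fn):
    """Number of distinct keys present in both extracts."""
    return len({key_fn(r) for r in hr} & {key_fn(r) for r in payroll})


def find_unmatched(hr, payroll, key_fn=normalized_key):
    """Return (only_in_hr, only_in_payroll). A payroll record with no HR
    counterpart is the ghost-employee candidate worth investigating."""
    hr_by_key = {key_fn(r): r for r in hr}
    pay_by_key = {key_fn(r): r for r in payroll}
    only_in_hr = [hr_by_key[k] for k in sorted(hr_by_key.keys() - pay_by_key.keys())]
    only_in_payroll = [pay_by_key[k] for k in sorted(pay_by_key.keys() - hr_by_key.keys())]
    return only_in_hr, only_in_payroll


if __name__ == "__main__":
    print("matches on raw names:", matched_count(HR_EMPLOYEES, PAYROLL_RECORDS, raw_key))
    print("matches after normalization:",
          matched_count(HR_EMPLOYEES, PAYROLL_RECORDS, normalized_key))
    _, ghosts = find_unmatched(HR_EMPLOYEES, PAYROLL_RECORDS)
    for g in ghosts:
        print("investigate payroll record with no HR master:", g)
```

Name matching is a fallback, not a primary key: where both systems carry a stable identifier (employee number, tax ID), match on that first and use the normalized name only to reconcile the leftovers, and treat every unmatched record as a lead to be confirmed against source documents rather than as a finding in itself.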

101.Which of the following physical access controls often functions as both a preventive and detective
control?
A. Locked doors.
B. Firewalls.
C. Surveillance cameras.
D. Login IDs and passwords.
Answer: C

102.According to IIA guidance on IT, which of the following activities regarding information security is
most likely to be the responsibility of line management as opposed to executive management, internal
auditors, or the board?
A. Review and monitor security controls.
B. Dedicate sufficient security resources.
C. Provide oversight to the security function.
D. Assess information control environments.
Answer: B

103.Which of the following items best describes the strategy of outsourcing?
A. Contracting the work to foreign service providers to obtain lower costs.
B. Contracting functions or knowledge-related work with an external service provider.
C. Contracting operation of some business functions with an internal service provider.
D. Contracting a specific external service provider to work with an internal service provider.
Answer: B

104.Employees at an events organization use a particular technique to solve problems and improve
processes. The technique consists of five steps: define, measure, analyze, improve, and control.
Which of the following best describes this approach?
A. Six Sigma,
B. Quality circle.
C. Value chain analysis.
D. Theory of constraints.
Answer: A

105.According to IIA guidance, which of the following statements is true regarding penetration testing?
A. Testing should not be announced to anyone within the organization to solicit a real-life response.
B. Testing should take place during heavy operational time periods to test system resilience.
C. Testing should be wide in scope and primarily address detective management controls for identifying
potential attacks.
D. Testing should address the preventive controls and management's response.
Answer: D

106.Which of the following bring-your-own-device (BYOD) practices is likely to increase the risk of
infringement on local regulations, such as copyright or privacy laws?
A. Not installing anti-malware software.
B. Updating operating software in a haphazard manner.
C. Applying a weak password for access to a mobile device.
D. Jailbreaking a locked smart device.
Answer: D

107.An organization buys equity securities for trading purposes and sells them within a short time period.
Which of the following is the correct way to value and report those securities at a financial statement
date?
A. At fair value with changes reported in the shareholders' equity section.
B. At fair value with changes reported in net income.
C. At amortized cost in the income statement.
D. As current assets in the balance sheet
Answer: B

108.Which of the following is most appropriately placed in the financing section of an organization's cash
budget?
A. Collections from customers
B. Sale of securities.
C. Purchase of trucks.
D. Payment of debt, including interest
Answer: D

109.An organization suffered significant damage to its local file and application servers as a result of a
hurricane. Fortunately, the organization was able to recover all information backed up by its overseas
third-party contractor.
Which of the following approaches has been used by the organization?
A. Application management
B. Data center management
C. Managed security services
D. Systems integration
Answer: C

110.Which of the following issues would be a major concern for internal auditors when using free
software to analyze a third-party vendor's big data?
A. The ability to use the software with ease to perform the data analysis to meet the engagement
objectives.
B. The ability to purchase upgraded features of the software that allow for more in-depth analysis of the
big data.
C. The ability to ensure that big data entered into the software is secure from potential compromises or
loss.
D. The ability to download the software onto the appropriate computers for use in analyzing the big data.
Answer: C

111.When auditing databases, which of the following risks would an internal auditor keep in mind in
relation to database administrators?
A. The risk that database administrators will disagree with temporarily preventing user access to the
database for auditing purposes.
B. The risk that database administrators do not receive new patches from vendors that support database
software in a timely fashion.
C. The risk that database administrators set up personalized accounts for themselves, making the audit
time consuming.
D. The risk that database administrators could make hidden changes using privileged access.
Answer: D

112.What kind of strategy would be most effective for an organization to adopt in order to implement a
single advertising campaign for selling identical product lines across all of its markets?
A. Export strategy.
B. Transnational strategy.
C. Multi-domestic strategy.
D. Globalization strategy.
Answer: D

113.Which of the following can be viewed as a potential benefit of an enterprisewide resource planning
system?
A. Real-time processing of transactions and elimination of data redundancies.
B. Fewer data processing errors and more efficient data exchange with trading partners.
C. Exploitation of opportunities and mitigation of risks associated with e-business.
D. Integration of business processes into multiple operating environments and databases.
Answer: A

114.An organization created a formalized plan for a large project.
Which of the following should be the first step in the project management plan?
A. Estimate time required to complete the whole project.
B. Determine the responses to expected project risks.
C. Break the project into manageable components.
D. Identify resources needed to complete the project.
Answer: C

115.An organization upgraded to a new accounting software.
Which of the following activities should be performed by the IT software vendor immediately following the
upgrade?
A. Market analysis to identify trends.
B. Services to manage and maintain the IT infrastructure.
C. Backup and restoration.
D. Software testing and validation.
Answer: D

116.An organization discovered fraudulent activity involving the employee time-tracking system. One
employee regularly clocked in and clocked out her co-worker friends on their days off, inflating their
reported work hours and increasing their wages.
Which of the following physical authentication devices would be most effective at disabling this fraudulent
scheme?
A. Face or finger recognition equipment.
B. Radiofrequency identification chips to authenticate employees with cards.
C. A requirement to clock in and clock out with a unique personal identification number.
D. A combination of a smart card and a password to clock in and clock out.
Answer: A

117.When would a contract be closed out?
A. When there's a dispute between the contracting parties.
B. When all contractual obligations have been discharged.
C. When there is a force majeure.
D. When the termination clause is enacted.
Answer: B

118.Which of the following capital budgeting techniques considers the expected total net cash flows from
investment?
A. Cash payback
B. Annual rate of return
C. Incremental analysis
D. Net present value
Answer: D

119.At an organization that uses a periodic inventory system, the accountant accidentally understated
the organization's beginning inventory.
How would the accountant's accident impact the income statement?
A. Cost of goods sold will be understated and net income will be overstated.
B. Cost of goods sold will be overstated and net income will be understated.
C. Cost of goods sold will be understated and there will be no impact on net income.
D. There will be no impact on cost of goods sold and net income will be overstated.
Answer: A

120.A restaurant decided to expand its business to include delivery services, rather than relying on third-
party food delivery services.
Which of the following best describes the restaurant's strategy?
A. Diversification.
B. Vertical integration.
C. Risk avoidance.
D. Differentiation.
Answer: B

121.Which of the following scenarios best illustrates a spear phishing attack?
A. Numerous and consistent attacks on the company's website caused the server to crash and service
was disrupted.
B. A person posing as a representative of the company's IT help desk called several employees and
played a generic prerecorded message requesting password data.
C. A person received a personalized email regarding a golf membership renewal, and he clicked a
hyperlink to enter his credit card data into a fake website.
D. Many users of a social network service received fake notifications of a unique opportunity to invest in
a new product
Answer: C

122.An internal auditor is using data analytics to focus on high-risk areas during an engagement. The
auditor has obtained data and is working to eliminate redundancies in the data.
Which of the following statements is true regarding this scenario?
A. The auditor is normalizing data in preparation for analyzing it.
B. The auditor is analyzing the data in preparation for communicating the results.
C. The auditor is cleaning the data in preparation for determining which processes may be involved.
D. The auditor is reviewing the data prior to defining the question.
Answer: A

123.Which of the following performance measures includes both profits and investment base?
A. Residual income
B. A flexible budget
C. Variance analysis.
D. A contribution margin income statement by segment.
Answer: A

124.During which of the following phases of contracting does the organization analyze whether the
market is aligned with organizational objectives?
A. Initiation phase
B. Bidding phase
C. Development phase
D. Negotiation phase
Answer: A

125.During a review of the accounts payable process, an internal auditor gathered all of the vendor
payment transactions for the past 24 months. The auditor then used an analytics
tool to identify the top five vendors that received the highest sum of payments.
Which of the following analytics techniques did the auditor apply?
A. Process analysis
B. Process mining
C. Data analysis.
D. Data mining
Answer: C

126.Which of the following attributes of data is most likely to be compromised in an organization with a
weak data governance culture?
A. Variety.
B. Velocity.
C. Volume.
D. Veracity.
Answer: D

127.Which of the following parties is most likely to be responsible for maintaining the infrastructure
required to prevent the failure of a real-time backup of a database?
A. IT database administrator.
B. IT data center manager.
C. IT help desk function.
D. IT network administrator.
Answer: B

128.Which of the following is an example of a contingent liability that a company should record?
A. A potential assessment of additional income tax.
B. Possible product warranty costs.
C. The threat of a lawsuit by a competitor.
D. The remote possibility of a contract breach.
Answer: B

129.Which of the following is a characteristic of big data?
A. Big data is often structured.
B. Big data analytic results often need to be visualized.
C. Big data is often generated slowly and is highly variable.
D. Big data comes from internal sources kept in data warehouses.
Answer: B
130.Which of the following practices circumvents administrative restrictions on smart devices, thereby
increasing data security risks?
A. Rooting.
B. Eavesdropping.
C. Man in the middle.
D. Session hijacking.
Answer: A

131.Which of the following is an established systems development methodology?
A. Waterfall.
B. Projects in Controlled Environments (PRINCE2).
C. Information Technology Infrastructure Library (ITIL).
D. COBIT
Answer: A

132.According to IIA guidance on IT, which of the following best describes a logical access control?
A. Require complex passwords to be established and changed quarterly
B. Require swipe cards to control entry into secure data centers.
C. Monitor access to the data center with closed circuit camera surveillance.
D. Maintain current role definitions to ensure appropriate segregation of duties
Answer: D

133.Which of the following statements is true regarding change management?
A. The degree of risk associated with a proposed change determines whether the change request
requires authorization
B. Program changes generally are developed and tested in the production environment.
C. Changes are only required by software programs
D. To protect the production environment, changes must be managed in a repeatable, defined, and
predictable manner
Answer: D

134.According to IIA guidance on IT, which of the following spreadsheets is most likely to be considered
a high-risk user-developed application?
A. A revenue calculation spreadsheet supported with price and volume reports from the production
department.
B. An asset retirement calculation spreadsheet comprised of multiple formulas and assumptions.
C. An ad-hoc inventory listing spreadsheet comprising details of written-off inventory quantities.
D. An accounts receivable reconciliation spreadsheet used by the accounting manager to verify balances.
Answer: B

135.Which of the following activities best illustrates a user's authentication control?
A. Identity requests are approved in two steps.
B. Logs are checked for misaligned identities and access rights.
C. Users have to validate their identity with a smart card.
D. Functions can be performed based on access rights.
Answer: C

136.According to IIA guidance on IT, which of the following are indicators of poor change management?
1. Inadequate control design.
2. Unplanned downtime.
3. Excessive troubleshooting.
4. Unavailability of critical services.
A. 2 and 3 only.
B. 1, 2, and 3 only
C. 1, 3, and 4 only
D. 2, 3, and 4 only
Answer: D

137.Which of the following principles is shared by both hierarchies and open organizational structures?
1. A superior can delegate the authority to make decisions but cannot delegate the ultimate responsibility
for the results of those decisions.
2. A supervisor's span of control should not exceed seven subordinates.
3. Responsibility should be accompanied by adequate authority.
4. Employees at all levels should be empowered to make decisions.
A. 1 and 3 only
B. 1 and 4 only
C. 2 and 3 only
D. 3 and 4 only
Answer: A

138.Which of the following describes a third-party network that connects an organization specifically with
its trading partners?
A. Value-added network (VAN).
B. Local area network (LAN).
C. Metropolitan area network (MAN).
D. Wide area network (WAN).
Answer: A

139.Which of the following physical security controls is able to serve as both a detective and preventive
control?
A. Authentication logs.
B. Card key readers.
C. Biometric devices
D. Video surveillance.
Answer: D

140.Which of the following controls is the most effective for ensuring confidentiality of transmitted
information?
A. Firewall.
B. Antivirus software.
C. Passwords.
D. Encryption.
Answer: D

141.Which of the following is a systems software control?
A. Restricting server room access to specific individuals
B. Housing servers with sensitive software away from environmental hazards
C. Ensuring that all user requirements are documented
D. Performing of intrusion testing on a regular basis
Answer: D

142.When management uses the absorption costing approach, fixed manufacturing overhead costs are
classified as which of the following types of costs?
A. Direct, product costs.
B. Indirect product costs.
C. Direct period costs,
D. Indirect period costs
Answer: B

143.An employee was promoted within the organization and relocated to a new office in a different
building. A few months later, security personnel discovered that the employee's smart card was being
used to access the building where she previously worked.
Which of the following security controls could prevent such an incident from occurring?
A. Regular review of logs.
B. Two-level authentication.
C. Photos on smart cards.
D. Restriction of access hours.
Answer: C
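The question asks for a preventive control, but note how the scenario was found: security personnel noticed the old badge being used, which is exactly what a routine review of access logs (option A) is for. As an added example that is not part of the original exam material, the Python script below runs that review over a constructed badge-reader export. It flags a badge granted entry in a building other than its holder's current home building, a badge with no current assignment at all, and two grants in different buildings closer together than anyone could walk. The CSV column names, the home-building table and the travel threshold are assumptions for the example.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed access-control export for illustration (not a real log).
# Badge B-1042 belongs to an employee who moved to HQ-North; the HQ-South
# grants are the kind of misuse described in the question.
BADGE_EVENTS_CSV = """timestamp,badge_id,building,door,result
2024-03-04T08:02:11,B-1042,HQ-North,Main Lobby,GRANTED
2024-03-04T08:05:43,B-1042,HQ-North,Floor 3,GRANTED
2024-03-04T19:48:02,B-1042,HQ-South,Loading Dock,GRANTED
2024-03-05T08:01:57,B-2077,HQ-South,Main Lobby,GRANTED
2024-03-05T08:03:10,B-1042,HQ-South,Main Lobby,GRANTED
2024-03-05T08:03:40,B-1042,HQ-North,Main Lobby,GRANTED
2024-03-05T08:04:05,B-3001,HQ-North,Main Lobby,DENIED
"""

# Assumed mapping of badge to the holder's current home building (hypothetical;
# in practice this comes from the HR system, not the badge system).
BADGE_HOME_BUILDING = {"B-1042": "HQ-North", "B-2077": "HQ-South"}


def parse_events(text):
    """Parse the export into dicts with a real datetime in 'timestamp'."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return events


def flag_anomalies(events, home_by_badge, min_travel_seconds=600):
    """Return a list of (rule, badge_id, timestamp, detail) findings.
    Rules: GRANTED in a building other than the holder's assigned one;
    GRANTED for a badge with no current assignment; two GRANTED events in
    different buildings closer together than min_travel_seconds."""
    findings = []
    by_badge = {}
    for e in events:
        by_badge.setdefault(e["badge_id"], []).append(e)
    for badge, evs in by_badge.items():
        evs.sort(key=lambda e: e["timestamp"])
        home = home_by_badge.get(badge)
        prev = None
        for e in evs:
            if e["result"] != "GRANTED":      # denials are a separate review
                continue
            if home is None:
                findings.append(("UNASSIGNED_BADGE", badge, e["timestamp"], e["building"]))
            elif e["building"] != home:
                findings.append(("OFF_HOME_BUILDING", badge, e["timestamp"], e["building"]))
            if (prev is not None and prev["building"] != e["building"]
                    and (e["timestamp"] - prev["timestamp"]).total_seconds() < min_travel_seconds):
                findings.append(("IMPOSSIBLE_TRAVEL", badge, e["timestamp"],
                                 f"{prev['building']} -> {e['building']}"))
            prev = e
    return findings


def summarize(findings):
    """Count findings per rule, for a quick triage view."""
    return Counter(rule for rule, *_ in findings)


if __name__ == "__main__":
    for finding in flag_anomalies(parse_events(BADGE_EVENTS_CSV), BADGE_HOME_BUILDING):
        print(*finding)
```

A review like this only detects misuse after the fact; the preventive fix for the scenario is still to update the badge's access profile when the employee moves, and the log check is what tells you the update was missed.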

144.When using data analytics during a review of the procurement process, what is the first step in the
analysis process?
A. Identify data anomalies and outliers.
B. Define questions to be answered.
C. Identify data sources available.
D. Determine the scope of the data extract
Answer: B

145.An organization has a declining inventory turnover but an increasing gross margin rate.
Which of the following statements can best explain this situation?
A. The organization's operating expenses are increasing.
B. The organization has adopted just-in-time inventory.
C. The organization is experiencing inventory theft.
D. The organization's inventory is overstated.
Answer: D

146.Which of the following characteristics applies to an organization that adopts a flat structure?
A. The structure is dispersed geographically
B. The hierarchy levels are more numerous.
C. The span of control is wide
D. The lower-level managers are encouraged to exercise creativity when solving problems.
Answer: D

147.A company records income from an investment in common stock when it does which of the
following?
A. Purchases bonds.
B. Receives interest.
C. Receives dividends
D. Sells bonds.
Answer: C

148.An organization's account for office supplies on hand had a balance of $9,000 at the end of year
one. During year two, the organization recorded an expense of $45,000 for purchasing office supplies.
At the end of year two, a physical count determined that the organization has $11,500 in office supplies
on hand.
Based on this information, what would be recorded in the adjusting entry at the end of year two?
A. A debit to office supplies on hand for $2,500.
B. A debit to office supplies on hand for $11,500.
C. A debit to office supplies on hand for $20,500.
D. A debit to office supplies on hand for $42,500.
Answer: A

149.Which of the following inventory costing methods requires the organization to account for the actual
cost paid for the unit being sold?
A. Last-in-first-out (LIFO).
B. Average cost.
C. First-in-first-out (FIFO).
D. Specific identification.
Answer: D

150.Senior management is trying to decide whether to use the direct write-off or allowance method for
recording bad debt on accounts receivables.
Which of the following would be the best argument for using the direct write-off method?
A. It is useful when losses are considered insignificant.
B. It provides a better alignment with revenue.
C. It is the preferred method according to The IIA.
D. It states receivables at net realizable value on the balance sheet.
Answer: A

151.While performing an audit of a car tire manufacturing plant, an internal auditor noticed a significant
decrease in the number of tires produced from the previous operating period.
To determine whether worker inefficiency caused the decrease, what additional information should the
auditor request?
A. Total tire production labor hours for the operating period.
B. Total tire production costs for the operating period.
C. Plant production employee headcount average for the operating period.
D. The production machinery utilization rates.
Answer: A

152.With regard to disaster recovery planning, which of the following would most likely involve
stakeholders from several departments?
A. Determining the frequency with which backups will be performed.
B. Prioritizing the order in which business systems would be restored.
C. Assigning who in the IT department would be involved in the recovery procedures.
D. Assessing the resources needed to meet the data recovery objectives.
Answer: B

153.Which of the following best describes the type of control provided by a firewall?
A. Corrective
B. Detective
C. Preventive
D. Discretionary
Answer: C

154.Which of the following statements is true regarding a project life cycle?
A. Risk and uncertainty increase over the life of the project.
B. Costs and staffing levels are typically high as the project draws to a close.
C. Costs related to making changes increase as the project approaches completion.
D. The project life cycle corresponds with the life cycle of the product produced by or modified by the
project.
Answer: C

155.A third party who provides payroll services to the organization was asked to create audit or "read-
only" functionalities in their systems.
Which of the following statements is true regarding this request?
A. This will support execution of the right-to-audit clause.
B. This will enforce robust risk assessment practices.
C. This will address cybersecurity considerations and concerns.
D. This will enhance the third party's ability to apply data analytics.
Answer: A

156.The chief audit executive (CAE) has been asked to evaluate the chief technology officer's proposal
to outsource several key functions in the organization's IT department.
Which of the following would be the most appropriate action for the CAE to determine whether the
proposal aligns with the organization's strategy?
A. Understand strategic context and evaluate whether supporting information is reliable and complete.
B. Ascertain whether governance and approval processes are transparent, documented, and completed.
C. Perform a due diligence review or assess management's review of provider operations.
D. Identify key performance measures and data sources.
Answer: A

157.Which of the following security controls focuses most on prevention of unauthorized access to the
power plant?
A. An offboarding procedure is initiated monthly to determine redundant physical access rights.
B. Logs generated by smart locks are automatically scanned to identify anomalies in access patterns.
C. Requests for additional access rights are sent for approval and validation by direct supervisors.
D. Automatic notifications are sent to a central security unit when employees enter the premises during
nonwork hours
Answer: C

158.Following an evaluation of an organization's IT controls, an internal auditor suggested improving the
process where results are compared against the input.
Which of the following IT controls would the internal auditor recommend?
A. Output controls.
B. Input controls.
C. Processing controls.
D. Integrity controls.
Answer: A

159.Which of the following is an example of two-factor authentication?
A. The user's facial geometry and voice recognition.
B. The user's password and a separate passphrase.
C. The user's key fob and a smart card.
D. The user's fingerprint and a personal Identification number.
Answer: D

160.According to IIA guidance on IT, which of the following controls the routing of data packets to link
computers?
A. Operating system
B. Control environment
C. Network.
D. Application program code
Answer: C

161.While conducting audit procedures at the organization's data center, an internal auditor noticed the
following:
- Backup media was located on data center shelves.
- Backup media was organized by date.
- Backup schedule was one week in duration.
- The system administrator was able to present restore logs.
Which of the following is reasonable for the internal auditor to conclude?
A. Backup media is not properly stored, as the storage facility should be off-site.
B. Backup procedures are adequate and appropriate according to best practices.
C. Backup media is not properly indexed, as backup media should be indexed by system, not date.
D. Backup schedule is not sufficient, as full backup should be conducted daily.
Answer: A

162.What is the primary purpose of data and systems backup?
A. To restore all data and systems immediately after the occurrence of an incident.
B. To set the maximum allowable downtime to restore systems and data after the occurrence of an
incident.
C. To set the point in time to which systems and data must be recovered after the occurrence of an
incident.
D. To restore data and systems to a previous point in time after the occurrence of an incident
Answer: D

163.A rapidly expanding retail organisation continues to be tightly controlled by its original small
management team.
Which of the following is a potential risk in this vertically centralized organization?
A. Lack of coordination among different business units
B. Operational decisions are inconsistent with organizational goals
C. Suboptimal decision making
D. Duplication of business activities
Answer: C

164.According to IIA guidance, which of the following statements is true with regard to workstation
computers that access company information stored on the network?
A. Individual workstation computer controls are not as important as companywide server controls.
B. Particular attention should be paid to housing workstations away from environmental hazards.
C. Cyber security issues can be controlled at an enterprise level, making workstation level controls
redundant.
D. With security risks near an all-time high, workstations should not be connected to the company
network.
Answer: C

165.Which of the following is a characteristic of using a hierarchical control structure?
A. Less use of policies and procedures.
B. Less organizational commitment by employees.
C. Less emphasis on extrinsic rewards.
D. Less employee turnover.
Answer: B

166.Which of the following describes a mechanistic organizational structure?
A. Primary direction of communication tends to be lateral.
B. Definition of assigned tasks tends to be broad and general.
C. Type of knowledge required tends to be broad and professional.
D. Reliance on self-control tends to be low.
Answer: D

167.Which of the following is true regarding the use of remote wipe for smart devices?
A. It can restore default settings and lock encrypted data when necessary.
B. It enables the erasure and reformatting of secure digital (SD) cards.
C. It can delete data backed up to a desktop for complete protection if required.
D. It can wipe data that is backed up via cloud computing
Answer: B

168.Which of the following items represents the first thing that should be done with obtained data in the
data analytics process?
A. Verify completeness and accuracy.
B. Verify existence and accuracy.
C. Verify completeness and integrity.
D. Verify existence and completeness.
Answer: B

169.Which of the following best describes owner's equity?
A. Assets minus liabilities.
B. Total assets.
C. Total liabilities.
D. Owners contribution plus drawings.
Answer: A

170.An organization requires an average of 58 days to convert raw materials into finished products to
sell. An average of 42 additional days is required to collect receivables.
If the organization takes an average of 10 days to pay for the raw materials, how long is its total cash
conversion cycle?
A. 26 days.
B. 90 days.
C. 100 days.
D. 110 days
Answer: B

171.Which of the following is required in effective IT change management?
A. The sole responsibility for change management is assigned to an experienced and competent IT team.
B. Change management follows a consistent process and is done in a controlled environment.


C. Internal audit participates in the implementation of change management throughout the organisation.
D. All changes to systems must be approved by the highest level of authority within an organization.
Answer: B

172.While auditing an organization's customer call center, an internal auditor notices that key
performance indicators show a positive trend, despite the fact that there have been increasing customer
complaints over the same period.
Which of the following audit recommendations would most likely correct the cause of this inconsistency?
A. Review the call center script used by customer service agents to interact with callers, and update the
script if necessary.
B. De-emphasize the importance of call center employees completing a certain number of calls per hour.
C. Retrain call center staff on area processes and common technical issues that they will likely be asked
to resolve.
D. Increase the incentive for call center employees to complete calls quickly and raise the number of
calls completed daily
Answer: A

173.Which of the following cost of capital methods identifies the time period required to recover the cost
of the capital investment from the annual inflow produced?
A. Cash payback technique
B. Annual rate of return technique.
C. Internal rate of return method.
D. Net present value method.
Answer: A

174.Which of the following is an example of a key systems development control typically found in the
in-house development of an application system?
A. Logical access controls monitor application usage and generate audit trails.
B. The development process is designed to prevent, detect, and correct errors that may occur.
C. A record is maintained to track the process of data from input, to output, to storage.
D. Business users' requirements are documented, and their achievement is monitored
Answer: B

175.An organization has instituted a bring-your-own-device (BYOD) work environment.
Which of the following policies best addresses the increased risk to the organization's network incurred
by this environment?
A. Limit the use of the employee devices for personal use to mitigate the risk of exposure to
organizational data.
B. Ensure that relevant access to key applications is strictly controlled through an approval and review
process.
C. Institute detection and authentication controls for all devices used for network connectivity and data
storage.
D. Use management software to scan and then prompt patch reminders when devices connect to the
network.
Answer: D

176.Which of the following best describes the purpose of fixed manufacturing costs?
A. To ensure availability of production facilities.
B. To decrease direct expenses related to production.
C. To incur stable costs despite operating capacity.
D. To increase the total unit cost under absorption costing
Answer: D

177.Which of the following statements is true regarding the use of centralized authority to govern an
organization?
A. Fraud committed through collusion is more likely when authority is centralized.
B. Centralized managerial authority typically enhances certainty and consistency within an organization.
C. When authority is centralized, the alignment of activities to achieve business goals typically is
decreased.
D. Using separation of duties to mitigate collusion is reduced only when authority is centralized.
Answer: B

178.According to IIA guidance on IT, which of the following would be considered a primary control for a
spreadsheet to help ensure accurate financial reporting?
A. Formulas and static data are locked or protected.
B. The spreadsheet is stored on a network server that is backed up daily.
C. The purpose and use of the spreadsheet are documented.
D. Check-in and check-out software is used to control versions.
Answer: A

179.An organization that relies heavily on IT wants to contain the impact of potential business disruption
to a period of approximately four to seven days.
Which of the following business recovery strategies would most efficiently meet this organization's
needs?
A. A recovery strategy whereby a separate site has not yet been determined, but hardware has been
reserved for purchase and data backups.
B. A recovery strategy whereby a separate site has been secured and is ready for use, with
fully configured hardware and real-time synchronized data
C. A recovery strategy whereby a separate site has been secured and the necessary funds for hardware
and data backups have been reserved.
D. A recovery strategy whereby a separate site has been secured with configurable hardware and data
backups.
Answer: D

180.Which of the following is an example of a physical control designed to prevent security breaches?
A. Preventing database administrators from initiating program changes
B. Blocking technicians from getting into the network room.
C. Restricting system programmers' access to database facilities.
D. Using encryption for data transmitted over the public internet.
Answer: C

181.Which of the following concepts of managerial accounting is focused on achieving a point of low or
no inventory?
A. Theory of constraints.
B. Just-in-time method.
C. Activity-based costing.
D. Break-even analysis
Answer: C

182.An organization has a declining inventory turnover but an increasing gross margin rate. Which of the
following statements can best explain this situation?
A. The organization's operating expenses are increasing.
B. The organization has adopted just-in-time inventory.
C. The organization is experiencing inventory theft.
D. The organization's inventory is overstated.
Answer: B

183.Which of the following is a limitation of the remote wipe for a smart device?
A. Encrypted data cannot be locked to prevent further access
B. Default settings cannot be restored on the device.
C. All data cannot be completely removed from the device.
D. Mobile device management software is required for successful remote wipe
Answer: D

184.An organization has an immediate need for servers, but no time to complete capital acquisitions.
Which of the following cloud services would assist with this situation?
A. Infrastructure as a Service (IaaS).
B. Platform as a Service (PaaS).
C. Enterprise as a Service (EaaS).
D. Software as a Service (SaaS).
Answer: D

185.An internal auditor is assigned to perform data analytics.
Which of the following is the next step the auditor should undertake after she has ascertained the value
expected from the review?
A. Normalize the data.
B. Obtain the data.
C. Identify the risks.
D. Analyze the data.
Answer: C

186.An internal auditor is reviewing results from software development integration testing.
What is the purpose of integration testing?
A. To verify that the application meets stated user requirements.
B. To verify that standalone programs match code specifications.
C. To verify that the application would work appropriately for the intended number of users.
D. To verify that all software and hardware components work together as intended.
Answer: C

187.According to IIA guidance, which of the following is an IT project success factor?
A. Streamlined decision-making, rather than building consensus among users.
B. Consideration of the facts, rather than consideration of the emotions displayed by project
stakeholders.
C. Focus on flexibility and adaptability, rather than use of a formal methodology.
D. Inclusion of critical features, rather than inclusion of an array of supplementary features.
Answer: B

188.In light of increasing emission taxes in the European Union, a car manufacturer introduced a new
middle-class hybrid vehicle specifically for the European market only.
Which of the following competitive strategies has the manufacturer used?
A. Reactive strategy.
B. Cost leadership strategy.
C. Differentiation strategy.
D. Focus strategy
Answer: D

189.Which of the following scenarios indicates an effective use of financial leverage?
A. An organisation has a rate of return on equity of 20% and a rate of return on assets of 15%.
B. An organization has a current ratio of 2 and an inventory turnover of 12.
C. An organization has a debt to total assets ratio of 0.2 and an interest coverage ratio of 10.
D. An organization has a profit margin of 30% and an assets turnover of 7%.
Answer: B

190.A newly appointed board member received an email that appeared to be from the company's CEO.
The email stated: “Good morning. As you remember, the closure of projects is our top priority. Kindly
organize prompt payment of the attached invoice for our new solar energy partners.” The board member
quickly replied to the email and asked under which project the expense should be accounted. Only then
did he realize that the sender's mail domain was different from the company's.
Which of the following cybersecurity risks nearly occurred in the situation described?
A. A risk of spyware and malware.
B. A risk of corporate espionage.
C. A ransomware attack risk.
D. A social engineering risk.
Answer: D

191.An organization has 10,000 units of a defective item in stock. Per unit, market price is $10; production
cost is $4; and defect selling price is $5.
What is the carrying amount (inventory value) of defects at year end?
A. $0
B. $4,000
C. $5,000
D. $10,000
Answer: C

192.An organization has decided to have all employees work from home.
Which of the following network types would securely enable this approach?
A. A wireless local area network (WLAN).
B. A personal area network (PAN).
C. A wide area network (WAN).
D. A virtual private network (VPN)
Answer: D

193.An organization is considering integration of governance, risk, and compliance (GRC) activities into
a centralized technology-based resource.
In implementing this GRC resource, which of the following is a key enterprise governance concern that
should be fulfilled by the final product?
A. The board should be fully satisfied that there is an effective system of governance in place through
accurate, quality information provided.
B. Compliance, audit, and risk management can find and seek efficiencies between their functions
through integrated information reporting.
C. Key compliance and risk metrics can be tracked and compared throughout the enterprise, aiding in
identifying problem departments.
D. Data analytics can be utilized for trending of the data to ensure that patterns and ongoing monitoring
occurs throughout the organization.
Answer: A

194.How can the concept of relevant cost help management with behavioral analyses?
A. It explains the assumption that both costs and revenues are linear through the relevant range.
B. It enables management to calculate a minimum number of units to produce and sell without having to
incur a loss.
C. It enables management to predict how costs such as the depreciation of equipment will be affected by
a change in business decisions
D. It enables management to make business decisions, as it explains the cost that will be incurred for a
given course of action
Answer: D

195.Which of the following best describes a transformational leader, as opposed to a transactional
leader?
A. The leader searches for deviations from the rules and standards and intervenes when deviations
exist.
B. The leader intervenes only when performance standards are not met.
C. The leader intervenes to communicate high expectations.
D. The leader does not intervene to promote problem-solving
Answer: C

196.Which of the following performance measures disincentivizes engaging in earnings management?
A. Linking performance to profitability measures such as return on investment.
B. Linking performance to the stock price.
C. Linking performance to quotas such as units produced.
D. Linking performance to nonfinancial measures such as customer satisfaction and employees training
Answer: A

197.Which of the following information security controls has the primary function of preventing
unauthorized outside users from accessing an organization's data through the organization's network?
A. Firewall.
B. Encryption.
C. Antivirus.
D. Biometrics.
Answer: B

198.A clothing company sells shirts for $8 per shirt. In order to break even, the company must sell
25,000 shirts. Actual sales total $300,000.
What is the margin of safety in sales for the company?
A. $100,000
B. $200,000
C. $275,000
D. $500,000
Answer: A

199.Which of the following situations best applies to an organisation that uses a project, rather than a
process, to accomplish its business activities?
A. Clothing company designs, makes, and sells a new item.
B. A commercial construction company is hired to build a warehouse.
C. A city department sets up a new firefighter training program.
D. A manufacturing organization acquires component parts from a contracted vendor
Answer: B

200.An investor has acquired an organization that has a dominant position in a mature, slow-growth
industry and consistently creates positive financial income.
Which of the following terms would the investor most likely label this investment in her portfolio?
A. A star
B. A cash cow
C. A question mark
D. A dog
Answer: B

201.Which of the following techniques would best detect an inventory fraud scheme?
A. Analyze invoice payments just under individual authorization limits.
B. Analyze stratification of inventory adjustments by warehouse location.
C. Analyze inventory invoice amounts and compare with approved contract amounts.
D. Analyze differences discovered during duplicate payment testing.
Answer: C

202.The internal audit activity has identified accounting errors that resulted in the organization
overstating its net income for the fiscal year.
Which of the following is the most likely cause of this overstatement?
A. Beginning inventory was overstated for the year.
B. Cost of goods sold was understated for the year.
C. Ending inventory was understated for the year.
D. Cost of goods sold was overstated for the year.
Answer: B

203.How do data analysis technologies affect internal audit testing?
A. They improve the effectiveness of spot check testing techniques.
B. They allow greater insight into high risk areas.
C. They reduce the overall scope of the audit engagement.
D. They increase the internal auditor's objectivity.
Answer: B

204.An organization prepares a statement of privacy to protect customers' personal information.
Which of the following might violate the privacy principles?
A. Customers can access and update personal information when needed.
B. The organization retains customers' personal information indefinitely.
C. Customers reserve the right to reject sharing personal information with third parties.
D. The organization performs regular maintenance on customers' personal information.
Answer: B

205.Which of the following job design techniques would most likely be used to increase employee
motivation through job responsibility and recognition?
A. Job complicating
B. Job rotation
C. Job enrichment
D. Job enlargement
Answer: C

206.Which of the following should be included in a data privacy policy?
1. Stipulations for deleting certain data after a specified period of time.
2. Guidance on acceptable methods for collecting personal data.
3. A requirement to retain personal data indefinitely to ensure a complete audit trail.
4. A description of what constitutes appropriate use of personal data.
A. 1 and 2 only
B. 2 and 3 only
C. 1, 2 and 4 only
D. 2, 3, and 4 only
Answer: C

207.Which of the following best describes the use of predictive analytics?
A. A supplier of electrical parts analyzed all instances where different types of spare parts were out of
stock prior to scheduled deliveries of those parts.
B. A supplier of electrical parts analyzed sales, applied assumptions related to weather conditions, and
identified locations where stock levels would decrease more quickly.
C. A supplier of electrical parts analyzed all instances of a part being out of stock prior to its scheduled
delivery date and discovered that increases in sales of that part consistently correlated with stormy
weather.
D. A supplier of electrical parts analyzed sales and stock information and modelled different scenarios for
making decisions on stock reordering and delivery
Answer: B

208.Which of the following scenarios best illustrates a spear phishing attack?
A. Numerous and consistent attacks on the company's website caused the server to crash and service
was disrupted.
B. A person posing as a representative of the company's IT help desk called several employees and
played a generic prerecorded message requesting password data.
C. A person received a personalized email regarding a golf membership renewal, and he clicked a
hyperlink to enter his credit card data into a fake website.
D. Many users of a social network service received fake notifications of a unique opportunity to invest in
a new product.
Answer: C

209.An internal auditor identified a database administrator with an incompatible dual role.
Which of the following duties should not be performed by the identified administrator?
A. Designing and maintaining the database.
B. Preparing input data and maintaining the database.
C. Maintaining the database and providing its security.
D. Designing the database and providing its security
Answer: B

210.Which of the following is classified as a product cost using the variable costing method?
1. Direct labor costs.
2. Insurance on a factory.
3. Manufacturing supplies.
4. Packaging and shipping costs.


A. 1 and 2
B. 1 and 3
C. 2 and 4
D. 3 and 4
Answer: B

211.Which of the following analytical techniques would an internal auditor use to verify that none of an
organization's employees are receiving fraudulent invoice payments?
A. Perform gap testing.
B. Join different data sources.
C. Perform duplicate testing.
D. Calculate statistical parameters.
Answer: B

212.A bond that matures after one year has a face value of $250,000 and a coupon of $30,000. If the
market price of the bond is $265,000, which of the following would be the market interest rate?
A. Less than 12 percent.
B. 12 percent.
C. Between 12.01 percent and 12.50 percent.
D. More than 12.50 percent.
Answer: A

213.Which of the following statements is true regarding data backup?
A. System backups should always be performed real time.
B. Backups should be stored in a secured location onsite for easy access.
C. The tape rotation schedule affects how long data is retained
D. Backup media should be restored only in case of a hardware or software failure.
Answer: C

214.Which of the following is considered a physical security control?
A. Transaction logs are maintained to capture a history of system processing.
B. System security settings require the use of strong passwords and access controls.
C. Failed system login attempts are recorded and analyzed to identify potential security incidents.
D. System servers are secured by locking mechanisms with access granted to specific individuals.
Answer: D

215.Which of the following is the most appropriate beginning step of a work program for an assurance
engagement involving smart devices?
A. Train all employees on bring-your-own-device (BYOD) policies.
B. Understand what procedures are in place for locking lost devices
C. Obtain a list of all smart devices in use
D. Test encryption of all smart devices
Answer: C

216.During disaster recovery planning, the organization established a recovery point objective.
Which of the following best describes this concept?
A. The maximum tolerable downtime after the occurrence of an incident.
B. The maximum tolerable data loss after the occurrence of an incident.
C. The maximum tolerable risk related to the occurrence of an incident
D. The minimum recovery resources needed after the occurrence of an incident
Answer: B

217.According to IIA guidance, which of the following is a broad collection of integrated policies,
standards, and procedures used to guide the planning and execution of a project?
A. Project portfolio.
B. Project development
C. Project governance.
D. Project management methodologies
Answer: C

218.Which of the following would an organization execute to effectively mitigate and manage risks
created by a crisis or event?
A. Only preventive measures.
B. Alternative and reactive measures.
C. Preventive and alternative measures.
D. Preventive and reactive measures.
Answer: B

219.According to Herzberg's Two-Factor Theory of Motivation, which of the following is a factor
mentioned most often by satisfied employees?
A. Relationship with supervisor
B. Salary
C. Security.
D. Achievement
Answer: C

220.Which of the following is an example of a smart device security control intended to prevent
unauthorized users from gaining access to a device's data or applications?
A. Anti-malware software
B. Authentication
C. Spyware
D. Rooting
Answer: B

221.According to IIA guidance, which of the following would be the best first step to manage risk when a
third party is overseeing the organization's network and data?
A. Creating a comprehensive reporting system for vendors to demonstrate their ongoing due diligence in
network operations.
B. Drafting a strong contract that requires regular vendor control reports and a right-to-audit clause.
C. Applying administrative privileges to ensure right to access controls are appropriate.
D. Creating a standing cyber-security committee to identify and manage risks related to data security
Answer: B

222.In reviewing an organization's IT infrastructure risks, which of the following controls is to be tested as
part of reviewing workstations?
A. Input controls
B. Segregation of duties
C. Physical controls
D. Integrity controls
Answer: A

223.An organization accomplishes its goal to obtain a 40 percent share of the domestic market, but is
unable to get the desired return on investment and output per hour of labor.
Based on this information, the organization is most likely focused on which of the following?
A. Capital investment and not marketing
B. Marketing and not capital investment
C. Efficiency and not input economy
D. Effectiveness and not efficiency
Answer: D

224.A company that supplies medications to large hospitals relies heavily on subcontractors to replenish
any shortages within 24 hours.
Where should internal auditors look for evidence that subcontractors are held responsible for this
obligation?
A. The company's code of ethics.
B. The third-party management risk register.
C. The signed service-level agreement.
D. The subcontractors' annual satisfaction survey.
Answer: C

225.A new manager received computations of the internal rate of return regarding the project proposal.
What should the manager compare the computation results to in order to determine whether the project
is potentially acceptable?
A. Compare to the annual cost of capital
B. Compare to the annual interest data.
C. Compare to the required rate of return.
D. Compare to the net present value.
Answer: A

226.A small chain of grocery stores made a reporting error and understated its ending inventory.
What effect would this have on the income statement for the following year?
A. Net income would be understated.
B. Net income would not be affected.
C. Net income would be overstated.
D. Net income would be negative.
Answer: C

227.Which of the following security controls would provide the most efficient and effective authentication
for customers to access their online shopping accounts?
A. 12-digit password feature.
B. Security question feature.
C. Voice recognition feature.
D. Two-level sign-on feature
Answer: D

228.Which of the following accounting methods is an investor organization likely to use when buying 40
percent of the stock of another organization?
A. Cost method.
B. Equity method.
C. Consolidation method.
D. Fair value method.
Answer: B

229.Which of the following actions should an internal auditor take to clean the data obtained for analytics
purposes?
A. Deploy a data visualization tool.
B. Adopt standardized data analysis software.
C. Define analytics objectives and establish outcomes.
D. Eliminate duplicate records.
Answer: D

230.Management is pondering the following question:
"How does our organization compete?"
This question pertains to which of the following levels of strategy?
A. Functional-level strategy.
B. Corporate-level strategy.
C. Business-level strategy.
D. Department-level strategy.
Answer: C

231.An organization produces products X and Y. The materials used for the production of both products
are limited to 500 kilograms (kg) per month.
All other resources are unlimited and their costs are fixed.
Individual product details are as follows:
                Product X      Product Y
                $10            $13
                2 kg           6 kg
                70 units       120 units
In order to maximize profit, how much of product Y should the organization produce each month?
A. 50 units
B. 60 units
C. 70 units
D. 120 units
Answer: B

232.Which of the following is improved by the use of smart devices?
A. Version control
B. Privacy
C. Portability
D. Secure authentication
Answer: C

233.Which of the following is a likely result of outsourcing?
A. Increased dependence on suppliers.
B. Increased importance of market strategy.
C. Decreased sensitivity to government regulation
D. Decreased focus on costs
Answer: C

234.Which of the following business practices promotes a culture of high performance?
A. Reiterating the importance of compliance with established policies and procedures.
B. Celebrating employees' individual excellence.
C. Periodically rotating operational managers.
D. Avoiding status differences among employees.
Answer: D

235.According to IIA guidance, which of the following statements is true regarding analytical procedures?
A. Data relationships are assumed to exist and to continue where no known conflicting conditions exist.
B. Analytical procedures are intended primarily to ensure the accuracy of the information being
examined.
C. Data relationships cannot include comparisons between operational and statistical data.
D. Analytical procedures can be used to identify unexpected differences, but cannot be used to identify
the absence of differences
Answer: A

236.Management has decided to change the organizational structure from one that was previously
decentralized to one that is now highly centralized. As such, which of the following would be a
characteristic of the now highly centralized organization?
A. Top management does little monitoring of the decisions made at lower levels.
B. The decisions made at the lower levels of management are considered very important.
C. Decisions made at lower levels in the organizational structure are few.
D. Reliance is placed on top management decision making by few of the organization's departments.
Answer: D

237.An organization discovered fraudulent activity involving the employee time-tracking system. One
employee regularly clocked in and clocked out her co-worker friends on their days off, inflating their
reported work hours and increasing their wages.
Which of the following physical authentication devices would be most effective at disabling this fraudulent
scheme?
A. Face or finger recognition equipment.
B. Radio-frequency identification chips to authenticate employees with cards.
C. A requirement to clock in and clock out with a unique personal identification number.
D. A combination of a smart card and a password to clock in and clock out.
Answer: A

238.Which of the following is the most appropriate way to record each partner's initial investment in a
partnership?
A. At the value agreed upon by the partners.
B. At book value.
C. At fair value
D. At the original cost.
Answer: D

239.An internal audit activity is piloting a data analytics model, which aims to identify anomalies in
payments to vendors and potential fraud indicators.
Which of the following would be the most appropriate criteria for assessing the success of the piloted
model?
A. The percentage of cases flagged by the model and confirmed as positives.
B. The development and maintenance costs associated with the model.
C. The feedback of auditors involved with developing the model.
D. The number of criminal investigations initiated based on the outcomes of the model.
Answer: A

240.For employees, the primary value of implementing job enrichment is which of the following?
A. Validation of the achievement of their goals and objectives.
B. Increased knowledge through the performance of additional tasks.
C. Support for personal growth and a meaningful work experience.
D. An increased opportunity to manage better the work done by their subordinates.
Answer: C

241.Which of the following organization structures would most likely be able to cope with rapid changes
and uncertainties?
A. Decentralized
B. Centralized
C. Departmentalized
D. Tall structure
Answer: A

242.Which of the following storage options would give the organization the best chance of recovering
data?
A. Encrypted physical copies of the data, and their encryption keys are stored together at the
organization and are readily available upon request.
B. Encrypted physical copies of the data are stored separately from their encryption keys, and both are
held in secure locations a few hours away from the organization.
C. Encrypted reports on usage and database structure changes are stored on a cloud-based, secured
database that is readily accessible.
D. Encrypted copies of the data are stored in a separate secure location a few hours away, while the
encryption keys are stored at the organization and are readily available.
Answer: D

243.An internal auditor found the following information while reviewing the monthly financial statements
for a wholesaler of safety

The cost of goods sold was reported at $8,500.

Which of the following inventory methods was used to derive this value?
A. Average cost method
B. First-in, first-out (FIFO) method
C. Specific identification method
D. Activity-based costing method
Answer: A

244.According to Herzberg's Two-Factor Theory of Motivation, which of the following is a factor
mentioned most often by satisfied employees?
A. Security.

B. Status.
C. Recognition.
D. Relationship with coworkers
Answer: C

245.A retail organization mistakenly did not include $10,000 of inventory in the physical count at the
end of the year.
What was the impact to the organization's financial statements?
A. Cost of sales and net income are understated.
B. Cost of sales and net income are overstated.
C. Cost of sales is understated and net income is overstated.
D. Cost of sales is overstated and net income is understated.
Answer: D

246.What is the primary risk associated with an organization adopting a decentralized structure?
A. Inability to adapt.
B. Greater costs of control function.
C. Inconsistency in decision making.
D. Lack of resilience.
Answer: C

247.Which of the following attributes of data is the most significantly impacted by the internet of things?
A. Normalization
B. Velocity
C. Structuration
D. Veracity
Answer: B

248.A manager at a publishing company received an email that appeared to be from one of her vendors
with an attachment that contained malware embedded in an Excel spreadsheet. When the spreadsheet
was opened, the cybercriminal was able to attack the company's network and gain access to an
unpublished and highly anticipated book.
Which of the following controls would be most effective to prevent such an attack?
A. Monitoring network traffic.
B. Using whitelists and blacklists to manage network traffic.
C. Restricting access and blocking unauthorized access to the network.
D. Educating employees throughout the company to recognize phishing attacks.
Answer: D

249.When evaluating the help desk services provided by a third-party service provider, which of the
following is likely to be the internal auditor's greatest concern?
A. Whether every call that the service provider received was logged by the help desk.
B. Whether a unique identification number was assigned to each issue identified by the service provider.
C. Whether the service provider used its own facilities to provide help desk services.
D. Whether the provider's responses and resolutions were well defined according to the service-level
agreement.
Answer: D

250.Which of the following actions is likely to reduce the risk of violating transfer pricing regulations?
A. The organization sells inventory to an overseas subsidiary at fair value.
B. The local subsidiary purchases inventory at a discounted price.
C. The organization sells inventory to an overseas subsidiary at the original cost.
D. The local subsidiary purchases inventory at the depreciated cost.
Answer: A (transfer pricing rules require intercompany transactions at arm's length, i.e. fair value; transfers at cost shift profit between jurisdictions)

251.An IT auditor is evaluating IT controls of a newly purchased information system. The auditor
discovers that logging is not configured at the database and application levels. Operational management
explains that they do not have enough personnel to manage the logs and they see no benefit in keeping
logs.
Which of the following responses best explains the risks associated with insufficient or absent logging
practices?
A. The organization will be unable to develop preventative actions based on analytics.
B. The organization will not be able to trace and monitor the activities of database administrators.
C. The organization will be unable to determine why intrusions and cyber incidents took place.
D. The organization will be unable to upgrade the system to newer versions.
Answer: C

252.Which type of bond sells at a discount from face value, then increases in value annually until it
reaches maturity and provides the owner with the total payoff?
A. High-yield bonds
B. Commodity-backed bonds
C. Zero coupon bonds
D. Junk bonds
Answer: C

253.Which of the following statements is true regarding an investor that received a dividend distribution
from an entity and is presumed to have little influence over the entity?
A. The cash dividends received increase the investor's investment account accordingly.
B. The investor must adjust the investment account by the ownership interest.
C. The investment account is adjusted downward by the percentage of ownership.
D. The investor must record the cash dividends as dividend revenue.
Answer: D

254.After purchasing shoes from an online retailer, a customer continued to receive additional unsolicited
offers from the retailer and other retailers who offer similar products.
Which of the following is the most likely control weakness demonstrated by the seller?
A. Excessive collecting of information.
B. Application of social engineering.
C. Retention of incomplete information.
D. Undue disclosure of information.
Answer: D

255.Which of the following is an effective preventive control for data center security?
A. Motion detectors.
B. Key card access to the facility.
C. Security cameras.
D. Monitoring access to data center workstations
Answer: B

256.Which of the following attributes of data analytics relates to the growing number of sources from
which data is being generated?
A. Volume.
B. Velocity.
C. Variety.
D. Veracity.
Answer: C

257.Which of the following lists best describes the classification of manufacturing costs?
A. Direct materials, indirect materials, raw materials.
B. Overhead costs, direct labor, direct materials.
C. Direct materials, direct labor, depreciation on factory buildings.
D. Raw materials, factory employees' wages, production selling expenses.
Answer: B

258.Which of the following practices impacts copyright issues related to the manufacturer of a smart
device?
A. Session hijacking.
B. Jailbreaking
C. Eavesdropping.
D. Authentication.
Answer: B

259.Which of the following is most important for an internal auditor to check with regard to the database
version?
A. Verify whether the organization uses the most recent database software version.
B. Verify whether the database software version is supported by the vendor.
C. Verify whether the database software version has been recently upgraded.
D. Verify whether access to database version information is appropriately restricted.
Answer: B

260.Which of the following techniques would best detect an inventory fraud scheme?
A. Analyze invoice payments just under individual authorization limits.
B. Analyze stratification of inventory adjustments by warehouse location.
C. Analyze inventory invoice amounts and compare with approved contract amounts.
D. Analyze differences discovered during duplicate payment testing.
Answer: C

261.When determining the level of physical controls required for a workstation, which of the following
factors should be considered?
A. Ease of use.
B. Value to the business.
C. Intrusion prevention.
D. Ergonomic model.
Answer: B

262.According to IIA guidance, which of the following best describes an adequate management (audit)
trail application control for the general ledger?
A. Report identifying data that is outside of system parameters.
B. Report identifying general ledger transactions by time and individual.
C. Report comparing processing results with original input.
D. Report confirming that the general ledger data was processed without error.
Answer: B

263.An organization uses the management-by-objectives method whereby employee performance is
based on defined goals.
Which of the following statements is true regarding this approach?
A. It is particularly helpful to management when the organization is facing rapid change.
B. It is a more successful approach when adopted by mechanistic organizations.
C. It is more successful when goal setting is performed not only by management, but by all team
members, including lower-level staff.
D. It is particularly successful in environments that are prone to having poor employer-employee
relations.
Answer: C

264.At one organization, the specific terms of a contract require both the promisor and promisee to sign
the contract in the presence of an independent witness.
What is the primary role of the witness to these signatures?
A. A witness verifies the quantities of the copies signed.
B. A witness verifies that the contract was signed with the free consent of the promisor and promisee.
C. A witness ensures the completeness of the contract between the promisor and promisee.
D. A witness validates that the signatures on the contract were signed by the promisor and promisee.
Answer: D

265.The board of directors wants to implement an incentive program for senior management that is
specifically tied to the long-term health of the organization.
Which of the following methods of compensation would be best to achieve this goal?

A. Commissions.
B. Stock options.
C. Gain-sharing bonuses.
D. Allowances.
Answer: B

266.Which of the following common quantitative techniques used in capital budgeting is best associated
with the use of a table that describes the present value of an annuity?
A. Cash payback technique.
B. Discounted cash flow technique: net present value.
C. Annual rate of return.
D. Discounted cash flow technique: internal rate of return.
Answer: B

267.Which of the following IT disaster recovery plans includes a remote site designated for recovery with
available space for basic services, such as internet and telecommunications, but does not have servers
or infrastructure equipment?
A. Frozen site
B. Cold site
C. Warm site
D. Hot site
Answer: B

268.An attacker, posing as a bank representative, convinced an employee to release certain financial
information that ultimately resulted in fraud.
Which of the following best describes this cybersecurity risk?
A. Shoulder surfing.
B. Pharming.
C. Phishing.
D. Social engineering.
Answer: C

270.Which of the following best describes depreciation?
A. It is a process of allocating cost of assets between periods.
B. It is a process of assets valuation.
C. It is a process of accumulating adequate funds to replace assets.
D. It is a process of measuring decline in the value of assets because of obsolescence.
Answer: A

271.Which of these instances accurately describes the responsibilities for big data governance?
A. Management must ensure information storage systems are appropriately defined and processes to
update critical data elements are clear.
B. External auditors must ensure that analytical models are periodically monitored and maintained.
C. The board must implement controls around data quality dimensions to ensure that they are effective.
D. Internal auditors must ensure the quality and security of data, with a heightened focus on the riskiest
data elements.
Answer: A

272.Which of the following statements is true regarding user developed applications (UDAs) and
traditional IT applications?
A. UDAs and traditional IT applications typically follow a similar development life cycle.
B. A UDA usually includes system documentation to illustrate its functions, and IT-developed applications
typically do not require such documentation.
C. Unlike traditional IT applications, UDAs typically are developed with little consideration of controls.
D. IT testing personnel usually review both types of applications thoroughly to ensure they were
developed properly.
Answer: C

273.An internal auditor has requested the organizational chart in order to evaluate the control
environment of an organization.
Which of the following is a disadvantage of using the organizational chart?
A. The organizational chart shows only formal relationships.
B. The organizational chart shows only the line of authority.
C. The organizational chart shows only the senior management positions.
D. The organizational chart is irrelevant when testing the control environment.
Answer: A

274.According to IIA guidance on IT, which of the following strategies would provide the most effective
access control over an automated point-of-sale system?
A. Install and update anti-virus software.
B. Implement data encryption techniques.
C. Set data availability by user need.
D. Upgrade firewall configuration.
Answer: C

275.An organization selected a differentiation strategy to compete at the business level.
Which of the following structures best fits this strategic choice?
A. Functional structure.
B. Divisional structure.
C. Mechanistic structure.
D. Functional structure with cross-functional teams.
Answer: B

276.Which of the following measures the operating success of a company for a given period of time?
A. Liquidity ratios.
B. Profitability ratios.
C. Solvency ratios.
D. Current ratios.
Answer: B

277.An internal auditor reviewed Finance Department records to obtain a list of current vendor
addresses. The auditor then compared the vendor addresses to a record of employee addresses
maintained by the Payroll Department.
Which of the following types of data analysis did the auditor perform?
A. Duplicate testing.
B. Joining data sources.
C. Gap analysis.
D. Classification.
Answer: B (the auditor matched two separate data sets, vendor master and payroll, on a common field; duplicate testing looks for repeated records within a single data set)

278.Which of the following is a sound network configuration practice to enhance information security?
A. Change management practices to ensure operating system patch documentation is retained.
B. User role requirements are documented in accordance with appropriate application-level control
needs.
C. Validation of intrusion prevention controls is performed to ensure intended functionality and data
integrity.
D. Interfaces reinforce segregation of duties between operations administration and database
development.
Answer: C

279.Which of the following controls would an internal auditor consider the most relevant to reduce risks
of project cost overruns?
A. Scope change requests are reviewed and approved by a manager with a proper level of authority.
B. Cost overruns are reviewed and approved by a control committee led by the project manager.
C. There is a formal quality assurance process to review scope change requests before they are
implemented
D. There is a formal process to monitor the status of the project and compare it to the cost baseline
Answer: D

280.Which of the following actions would senior management need to consider as part of new IT
guidelines regarding the organization's cybersecurity policies?
A. Assigning new roles and responsibilities for senior IT management.
B. Growing use of bring your own devices for organizational matters.
C. Expansion of operations into new markets with limited IT access.
D. Hiring new personnel within the IT department for security purposes.
Answer: D

281.Which of the following types of budgets will best provide the basis for evaluating the organization's
performance?
A. Cash budget.
B. Budgeted balance sheet.
C. Selling and administrative expense budget.
D. Budgeted income statement.
Answer: D

282.Which of the following statements is true regarding cost-volume-profit analysis?
A. Contribution margin is the amount remaining from sales revenue after fixed expenses have been
deducted.
B. Breakeven point is the amount of units sold to cover variable costs.
C. Breakeven occurs when the contribution margin covers fixed costs.
D. Following breakeven, the operating income will increase by the excess of fixed costs less the variable
costs per units sold.
Answer: C

283.Which of the following represents an inventory costing technique that can be manipulated by
management to boost net income by selling units purchased at a low cost?
A. First-in, first-out method (FIFO).
B. Last-in, first-out method (LIFO).
C. Specific identification method.
D. Average-cost method.
Answer: C (specific identification lets management choose which individual units are treated as sold; FIFO, LIFO and average cost fix the cost flow by formula)

284.A one-time password would most likely be generated in which of the following situations?
A. When an employee accesses an online digital certificate.
B. When an employee's biometrics have been accepted.
C. When an employee creates a unique digital signature.
D. When an employee uses a key fob to produce a token.
Answer: D

285.Which of the following statements is true regarding user-developed applications (UDAs)?
A. UDAs are less flexible and more difficult to configure than traditional IT applications.
B. Updating UDAs may lead to various errors resulting from changes or corrections.
C. UDAs typically are subjected to application development and change management controls.
D. Using UDAs typically enhances the organization's ability to comply with regulatory factors.
Answer: B

286.Which of the following is a distinguishing feature of managerial accounting, which is not applicable to
financial accounting?
A. Managerial accounting uses double-entry accounting and cost data.
B. Managerial accounting uses generally accepted accounting principles.
C. Managerial accounting involves decision making based on quantifiable economic events.
D. Managerial accounting involves decision making based on predetermined standards.
Answer: D

287.The chief audit executive (CAE) has embraced a total quality management approach to improving
the internal audit activity's (IAA's) processes. He would like to reduce the time to complete audits and
improve client ratings of the IAA.
Which of the following staffing approaches is the CAE most likely to select?
A. Assign a team with a trained audit manager to plan each audit and distribute field work tasks to
various staff auditors.
B. Assign a team of personnel who have different specialties to each audit and empower team members
to participate fully in key decisions.
C. Assign a team to each audit, designate a single person to be responsible for each phase of the audit,
and limit decision making outside of their area of responsibility.
D. Assign a team of personnel who have similar specialties to specific engagements that would benefit
from those specialties and limit key decisions to the senior person.
Answer: B (total quality management relies on empowered, cross-functional teams; concentrating key decisions in one senior person runs against it)

288.A new clerk in the managerial accounting department applied the high-low method and computed
the difference between the high and low levels of maintenance costs.
Which type of maintenance costs did the clerk determine?
A. Fixed maintenance costs.
B. Variable maintenance costs.
C. Mixed maintenance costs.
D. Indirect maintenance costs.
Answer: C

289.In accounting, which of the following statements is true regarding the terms debit and credit?
A. Debit indicates the right side of an account and credit the left side.
B. Debit means an increase in an account and credit means a decrease.
C. Credit indicates the right side of an account and debit the left side.
D. Credit means an increase in an account and debit means a decrease.
Answer: C (debit and credit name the left and right sides of an account; whether either increases or decreases the balance depends on the type of account)

290.Which of the following best explains why an organization would enter into a capital lease contract?
A. To increase the ability to borrow additional funds from creditors.
B. To reduce the organization's free cash flow from operations.
C. To improve the organization's free cash flow from operations.
D. To acquire the asset at the end of the lease period at a price lower than the fair market value.
Answer: C

291.According to IIA guidance on IT, at which of the following stages of the project life cycle would the
project manager most likely address the need to coordinate project resources?
A. Initiation.
B. Planning.
C. Execution.
D. Monitoring.
Answer: B

292.The budgeted cost of work performed is a metric best used to measure which project management
activity?
A. Resource planning.
B. Cost estimating.
C. Cost budgeting.
D. Cost control.
Answer: D

293.What relationship exists between decentralization and the degree, importance, and range of lower-
level decision making?
A. Mutually exclusive relationship.
B. Direct relationship.
C. Intrinsic relationship.
D. Inverse relationship.
Answer: B

294.Which of the following is true of bond financing, compared to common stock, when all other
variables are equal?
A. Lower shareholder control.
B. Lower indebtedness.
C. Higher company earnings per share.
D. Higher overall company earnings.
Answer: C

295.An internal auditor was asked to review an equal equity partnership. In one sampled transaction,
Partner A transferred equipment into the partnership with a self-declared value of $10,000, and Partner
B contributed equipment with a self-declared value of $15,000. The capital accounts of each partner were
subsequently credited with $12,500.
Which of the following statements is true regarding this transaction?
A. The capital accounts of the partners should be increased by the original cost of the contributed
equipment.
B. The capital accounts should be increased using a weighted average based on the current percentage
of ownership.
C. No action is needed, as the capital account of each partner was increased by the correct amount.
D. The capital accounts of the partners should be increased by the fair market value of their
contribution.
Answer: C

296.What security feature would identify a legitimate employee using her own smart device to gain
access to an application run by the organization?
A. Using a jailbroken or rooted smart device feature.
B. Using only smart devices previously approved by the organization.
C. Obtaining written assurance from the employee that security policies and procedures are followed.
D. Introducing a security question known only by the employee.
Answer: D (a jailbroken or rooted device weakens security rather than identifying anyone; an approved-device list identifies the device and a signed assurance documents the policy, but only a secret known to the employee authenticates the person)

297.According to IIA guidance on IT, which of the following statements is true regarding websites used in
e-commerce transactions?
A. HTTP sites provide sufficient security to protect customers' credit card information.
B. Web servers store credit cardholders' information submitted for payment.
C. Database servers send cardholders' information for authorization in clear text.
D. Payment gateways authorize credit card online payments.
Answer: D

298.An organization was forced to stop production unexpectedly, as raw materials could not be delivered
due to a military conflict in the region.
Which of the following plans have most likely failed to support the organization?
A. Just-in-time delivery plans.
B. Backup plans.
C. Contingency plans.
D. Standing plans.
Answer: C

299.An organization is considering outsourcing its IT services, and the internal auditor is assessing the
related risks.
The auditor grouped the related risks into three categories:
- Risks specific to the organization itself.
- Risks specific to the service provider.
- Risks shared by both the organization and the service provider
Which of the following risks should the auditor classify as specific to the service provider?
A. Unexpected increases in outsourcing costs.
B. Loss of data privacy.
C. Inadequate staffing.
D. Violation of contractual terms.
Answer: D

300.An organization has an agreement with a third-party vendor to have a fully operational facility,
a duplicate of the original site and configured to the organization's needs, in order to quickly recover
operational capability in the event of a disaster.
Which of the following best describes this approach to disaster recovery planning?
A. Cold recovery plan.
B. Outsourced recovery plan.
C. Storage area network recovery plan.
D. Hot recovery plan.
Answer: D (a fully equipped, configured duplicate site ready for immediate use is a hot site; a storage area network is a storage technology, not a recovery plan)

301.Which of the following IT layers would require the organization to maintain communication with a
vendor in a tightly controlled and monitored manner?
A. Applications.
B. Technical infrastructure.
C. External connections.
D. IT management.
Answer: C (vendor links belong to the external connections layer, where traffic crossing the organization's boundary has to be restricted and monitored; technical infrastructure covers the internal network, operating systems and databases)

302.Which of the following is a cybersecurity monitoring activity intended to deter disruptive code from
being installed on an organization's systems?
A. Boundary defense.
B. Malware defense.
C. Penetration tests.
D. Wireless access controls.
Answer: B (anti-malware tooling continuously monitors for and blocks the installation of malicious code; a penetration test is a periodic assessment, not a monitoring control)

303.An organization contracted a third-party service provider to plan, design, and build a new facility.
Senior management would like to transfer all of the risk to the builder.
Which type of procurement contract would the organization use?
A. Cost-plus contract.
B. Turnkey contract.
C. Service contract.
D. Solutions contract.
Answer: B (a turnkey contract fixes the price and makes the builder responsible for delivering the finished facility; a cost-plus contract leaves cost risk with the buyer)

304.Based on test results, an IT auditor concluded that the organization would suffer unacceptable loss
of data if there was a disaster at its data center.
Which of the following test results would likely lead the auditor to this conclusion?
A. Requested backup tapes were not returned from the offsite vendor in a timely manner.
B. Returned backup tapes from the offsite vendor contained empty spaces.
C. Critical systems have been backed up more frequently than required.
D. Critical system backup tapes are taken off site less frequently than required.
Answer: D

305.The manager of the sales department wants to increase the organization's net profit margin by 7%
(from 43% in the prior year to 50% in the current year).
Given the information provided in the table below, what would be the targeted sales amount for the
current year?
A. $20,000,000
B. $24,500,000
C. $30,000,000
D. $35,200,000
Answer: D

306.An internal auditor considers the financial statement of an organization as part of a financial
assurance engagement. The auditor expresses the organization's electricity and depreciation expenses
as a percentage of revenue to be 10% and 7% respectively.
Which of the following techniques was used by the internal auditor in this calculation?
A. Horizontal analysis
B. Vertical analysis
C. Ratio analysis
D. Trend analysis
Answer: B

307.An organization decided to outsource its human resources function. As part of its process migration,
the organization is implementing controls over sensitive employee data.
What would be the most appropriate directive control in this area?
A. Require a Service Organization Controls (SOC) report from the service provider.
B. Include a data protection clause in the contract with the service provider.
C. Obtain a nondisclosure agreement from each employee at the service provider who will handle
sensitive data.
D. Encrypt the employees' data before transmitting it to the service provider.
Answer: B

308.During an audit of the payroll system, the internal auditor identifies and documents the following
condition: "Once a user is logged into the system, the user has access to all functionality within the
system."
What is the most likely root cause for this issue?
A. The authentication process relies on a simple password only, which is a weak method of
authorization.
B. The system authorization of the user does not correctly reflect the access rights intended.
C. There was no periodic review to validate access rights.
D. The application owner apparently did not approve the access request during the provisioning process.
Answer: B
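
The finding in Q308 is an authorization defect: the payroll system authenticates the user and then grants everything. The Python below is an added example (not from the exam or any real payroll system) that places the defective check beside a deny-by-default role-based check and runs the kind of comparison an access review produces; the role names, permission strings and user records are constructed for the demonstration.

```python
from dataclasses import dataclass, field

# Added example (not from the exam page). Illustrative, assumed role/permission model.
ROLE_PERMISSIONS = {
    "payroll_clerk":   {"timesheet:view", "timesheet:enter"},
    "payroll_manager": {"timesheet:view", "timesheet:enter", "timesheet:approve", "payrun:view"},
    "payroll_admin":   {"timesheet:view", "payrun:view", "payrun:execute", "user:manage"},
}

@dataclass
class Session:
    user: str
    authenticated: bool
    roles: set = field(default_factory=set)

def can_access_broken(session: Session, permission: str) -> bool:
    """The defective check behind the audit finding: any authenticated user may do anything.
    Authentication succeeded, but the decision never consults the user's entitlements."""
    return session.authenticated

def can_access(session: Session, permission: str) -> bool:
    """Deny-by-default RBAC: allowed only if some role the user holds grants the permission."""
    if not session.authenticated:
        return False
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in session.roles))
    return permission in granted

def access_review(sessions, actions):
    """Rows of (user, action, intended, actual): what the intended model allows versus what the
    broken system allows. Any row where the two differ is excess access to report."""
    rows = []
    for s in sessions:
        for a in actions:
            rows.append((s.user, a, can_access(s, a), can_access_broken(s, a)))
    return rows

# Constructed sample sessions.
CLERK = Session("alice", True, {"payroll_clerk"})
ADMIN = Session("bob", True, {"payroll_admin"})
ANON = Session("nobody", False)

if __name__ == "__main__":
    for user, action, intended, actual in access_review(
            [CLERK, ADMIN, ANON], ["timesheet:enter", "payrun:execute"]):
        flag = "" if intended == actual else "  <-- excess access"
        print(f"{user:8} {action:18} intended={intended!s:5} actual={actual!s:5}{flag}")
```

The review output is exactly what option C's periodic access review would produce, which is why C is a contributing control weakness but not the root cause: the system itself has to evaluate entitlements per action before any review can be meaningful.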

309.An organization and its trading partner rely on a computer-to-computer exchange of digital business
documents.
Which of the following best describes this scenario?
A. Use of a central processing unit.
B. Use of a database management system.
C. Use of a local area network.
D. Use of electronic data interchange.
Answer: D

310.Which of the following statements distinguishes a router from a typical switch?
A. A router operates at layer two, while a switch operates at layer three of the open systems
interconnection model.
B. A router transmits data through frames, while a switch sends data through packets.
C. A router connects networks, while a switch connects devices within a network.
D. A router uses a media access control address during the transmission of data, while a switch uses an
internet protocol address.
Answer: C

311.Which of the following physical access controls is most likely to be based on the "something you have"
concept?
A. A retina characteristics reader.
B. A PIN code reader.
C. A card-key scanner.
D. A fingerprint scanner.
Answer: C

312.According to The IIA's Three Lines Model, which of the following IT security activities is commonly
shared by all three lines?
A. Assessments of third parties and suppliers.
B. Recruitment and retention of certified IT talent.
C. Classification of data and design of access privileges.
D. Creation and maintenance of secure network and device configuration.
Answer: C

313.An organization that sells products to a foreign subsidiary wants to charge a price that will decrease
import tariffs.
Which of the following is the best course of action for the organization?
A. Decrease the transfer price.
B. Increase the transfer price.
C. Charge at the arm's length price.
D. Charge at the optimal transfer price.
Answer: A

314.Which of the following sites would an Internet service provider most likely use to restore operations
after its servers were damaged by a natural disaster?
A. On site.
B. Cold site.
C. Hot site.
D. Warm site.
Answer: C (an ISP's product is availability, so it needs a site with servers and data already in place; a warm site still has to be equipped and loaded before service resumes)

315.Which of the following measures would best protect an organization from automated attacks
whereby the attacker attempts to identify weak or leaked passwords in order to log into employees'
accounts?
A. Requiring users to change their passwords every two years.
B. Requiring two-step verification for all users
C. Requiring the use of a virtual private network (VPN) when employees are out of the office.
D. Requiring the use of up-to-date antivirus, security, and event management tools.
Answer: B

316.Which of the following would most likely serve as a foundation for individual operational goals?
A. Individual skills and capabilities.
B. Alignment with organizational strategy.
C. Financial and human resources of the unit.
D. Targets of key performance indicators
Answer: D

317.Which of the following types of accounts must be closed at the end of the period?
A. Income statement accounts.
B. Balance sheet accounts.
C. Permanent accounts.
D. Real accounts.
Answer: A

318.According to Herzberg's Two-Factor Theory of Motivation, which of the following factors are
mentioned most often by satisfied employees?
A. Salary and status
B. Responsibility and advancement
C. Work conditions and security
D. Peer relationships and personal life
Answer: B

319.An internal auditor discusses user-defined default passwords with the database administrator. Such
passwords will be reset as soon as the user logs in for the first time, but the initial value of the password
is set as "123456."
Which of the following are the auditor and the database administrator most likely discussing in this
situation?
A. Whether it would be more secure to replace numeric values with characters.
B. What happens in the situations where users continue using the initial password.
C. What happens in the period between the creation of the account and the password change.
D. Whether users should be trained on password management features and requirements.
Answer: B

320.An internal auditor is reviewing key phases of a software development project.
Which of the following would the auditor most likely use to measure the project team's performance
related to how project tasks are completed?
A. A balanced scorecard.
B. A quality audit
C. Earned value analysis.
D. Trend analysis
Answer: B

321.Which of the following responsibilities would ordinarily fall under the help desk function of an
organization?
A. Maintenance service items such as production support.
B. Management of infrastructure services, including network management.
C. Physical hosting of mainframes and distributed servers
D. End-to-end security architecture design.
Answer: B

322.According to IIA guidance on IT, which of the following best describes a situation where data backup
plans exist to ensure that critical data can be restored at some point in the future, but recovery and
restore processes have not been defined?
A. Hot recovery plan
B. Warm recovery plan
C. Cold recovery plan
D. Absence of recovery plan
Answer: D

323.An organization's technician was granted a role that enables him to prioritize projects throughout the
organization.
Which type of authority will the technician most likely be exercising?
A. Legitimate authority
B. Coercive authority.
C. Referent authority.
D. Expert authority.
Answer: A

324.According to Maslow's hierarchy of needs theory, which of the following would likely have the most
impact on retaining staff, if their lower-level needs are already met?
A. Social benefits.
B. Compensation.
C. Job safety.
D. Recognition
Answer: D

325.Which of the following statements is true regarding the capital budgeting procedure known as
discounted payback period?
A. It calculates the overall value of a project.
B. It ignores the time value of money.
C. It calculates the time a project takes to break even.
D. It begins at time zero for the project.
Answer: C

326.Which of the following best describes a detective control designed to protect an organization from
cyberthreats and attacks?
A. A list of trustworthy, good traffic and a list of unauthorized, blocked traffic.
B. Monitoring for vulnerabilities based on industry intelligence.
C. Comprehensive service level agreements with vendors.
D. Firewall and other network perimeter protection tools.
Answer: B

327.According to IIA guidance, which of the following links computers and enables them to
communicate with each other?
A. Application program code
B. Database system
C. Operating system
D. Networks
Answer: D

328.Which of the following is a security feature that involves the use of hardware and software to filter or
prevent specific information from moving between the inside network and the outside network?
A. Authorization
B. Architecture model
C. Firewall
D. Virtual private network
Answer: C

329.During which phase of the contracting process are contracts drafted for a proposed business
activity?
A. Initiation phase.
B. Bidding phase
C. Development phase
D. Management phase
Answer: A

330.An internal auditor observed that the organization's disaster recovery solution will make use of a
cold site in a town several miles away.
Which of the following is likely to be a characteristic of this disaster recovery solution?
A. Data is synchronized in real time
B. Recovery time is expected to be less than one week
C. Servers are not available and need to be procured
D. Recovery resources and data restore processes have not been defined.
Answer: C

331.As it relates to the data analytics process, which of the following best describes the purpose of an
internal auditor who cleaned and normalized data?
A. The auditor eliminated duplicate information.
B. The auditor organized data to minimize useless information.
C. The auditor made data usable for a specific purpose by ensuring that anomalies were identified and
corrected.
D. The auditor ensured data fields were consistent and that data could be used for a specific purpose.
Answer: B

332.Which of the following application controls, implemented by management, monitors data being
processed to ensure the data remains consistent and accurate?
A. Management trail controls
B. Output controls.
C. Integrity controls
D. Input controls
Answer: C

333.An organization has decided to allow its managers to use their own smart phones at work.
With this change, which of the following is most important to include in the IT department's
comprehensive policies and procedures?
A. Required documentation of process for discontinuing use of the devices
B. Required removal of personal pictures and contacts.
C. Required documentation of expiration of contract with service provider.
D. Required sign-off on conflict of interest statement.
Answer: A

334.When examining an organization's strategic plan, an internal auditor should expect to find which of
the following components?
A. Identification of achievable goals and timelines
B. Analysis of the competitive environment.
C. Plan for the procurement of resources
D. Plan for progress reporting and oversight.
Answer: A

335.Which of the following would most likely be found in an organization that uses a decentralized
organizational structure?
A. There is a higher reliance on organizational culture.
B. There are clear expectations set for employees.
C. There are electronic monitoring techniques employed
D. There is a defined code for employee behavior.
Answer: B

336.An internal auditor for a pharmaceutical company is planning a cybersecurity audit and conducting
a risk assessment.
Which of the following would be considered the most significant cyber threat to the organization?
A. Cybercriminals hacking into the organization's time and expense system to collect employee personal
data.
B. Hackers breaching the organization's network to access research and development reports
C. A denial-of-service attack that prevents access to the organization's website.
D. A hacker accessing the financial information of the company
Answer: B

337.Which of the following statements is true regarding the management-by-objectives method?
A. Management by objectives is most helpful in organizations that have rapid changes.
B. Management by objectives is most helpful in mechanistic organizations with rigidly defined tasks.
C. Management by objectives helps organizations to keep employees motivated.
D. Management by objectives helps organizations to distinguish clearly strategic goals from operational
goals.
Answer: C

338.An organization had a gross profit margin of 40 percent in year one and in year two. The net profit
margin was 18 percent in year one and 13 percent in year two.
Which of the following could be the reason for the decline in the net profit margin for year two?
A. Cost of sales increased relative to sales.
B. Total sales increased relative to expenses.
C. The organization had a higher dividend payout rate in year two.
D. The government increased the corporate tax rate
Answer: D

339.Which of the following is an example of an application control?
A. Automated password change requirements.
B. System data backup process.
C. User testing of system changes.
D. Formatted data fields
Answer: D

340.Which of the following contract concepts is typically given in exchange for the execution of a
promise?
A. Lawfulness.
B. Consideration.
C. Agreement.
D. Discharge
Answer: B
