IIA-CIA-Part3-3P Practice Exam Questions with Answers CIA Exam Part Three: Business Knowledge for Internal Auditing Certification

1 and 4 only

2 and 3 only

1, 2, and 3 only

1, 2, 3, and 4

To keep stock price constant.

To keep shareholders' equity constant.

To increase shareholders' equity.

To enhance the stock liquidity.

1, 2, and 3

1, 2, and 4

1, 3, and 4

2, 3, and 4

Use of a formal systems development lifecycle.

End-user involvement.

Adequate software documentation.

Formalized non-regression testing phase.

Firewalls can protect against computer viruses.

Firewalls monitor attacks from the Internet.

Firewalls provide network administrators tools to retaliate against hackers.

Firewalls may be software-based or hardware-based.

Basing performance evaluations on the number of projects completed.

Comparing results with those of other engineering departments.

Creating a quality council within the engineering department.

Conducting post-project surveys on performance.

Continually evaluate the needs and opinions of all stakeholder groups.

Ensure strict compliance with applicable laws and regulations to avoid incidents.

Maintain a comprehensive publicity campaign that highlights the organization's efforts.

Increase goodwill through philanthropic activities among stakeholder communities.

A zero-based budget provides estimates of costs that would be incurred under different levels of activity.

A zero-based budget maintains focus on the budgeting process.

A zero-based budget is prepared each year and requires each item of expenditure to be justified.

A zero-based budget uses input from lower-level and middle-level managers to formulate budget plans.

Specific guidance must be followed when interacting with nongovernmental organizations.

Disclosure laws tend to be consistent from one jurisdiction to another.

There are several internationally recognized standards for dealing with financial donors.

Legal representation should be consulted before releasing internal audit information to other assurance

Production controls weakness.

Application controls weakness.

Authorization controls weakness.

Change controls weakness.

The extent to which management judgments are required in an area could serve as a risk factor in assisting the auditor in making a comparative risk analysis.

The highest risk assessment should always be assigned to the area with the largest potential loss.

The highest risk assessment should always be assigned to the area with the highest probability of

occurrence.

Risk analysis must be reduced to quantitative terms in order to provide meaningful comparisons across an organization.

The "Funds Needed" line will remain pointed upward, but will become less steep.

The "Funds Needed" line will remain pointed upward, but will become more steep.

The "Funds Needed" line will point downward with a minimal slope.

The "Funds Needed" line will point downward with an extreme slope.

Facilitates communication between primary functions.

Helps to focus on the achievement of organizational goals.

Provides for efficient use of specialized knowledge .

Accommodates geographically dispersed companies

Report identifying data that is outside of system parameters

Report identifying general ledger transactions by time and individual

Report comparing processing results with original input

Report confirming that the general ledger data was processed without error.

Lack of coordination among different business units.

Operational decisions are inconsistent with organizational goals.

Suboptimal decision-making.

Duplication of business activities.

To verify that the application meets staled user requirements.

To verify that standalone programs match code specifications.

To verify that me application would work appropriately for the intended number of users.

To verify that all software and hardware components work together as intended

$100,000

$200,000

$275,000

$500,000

Management might place the same degree of reliance in reports produced by EUC applications as it does in reports produced under traditional systems development procedures.

The organization may incur higher application development and maintenance costs for EUC systems.

Since development time is typically longer for EUC applications, management may not be able to respond quickly to competitive pressures

Management may not be able to make quick and accurate decisions due to a diminished capacity to respond to managerial requests for computerized information

High-yield bonds.

Commodity-backed bonds.

Zero coupon bonds.

Junk bonds.

Inform, direct, manage, and monitor.

Identify, assess, manage, and control.

Organize, assign, authorize, and implement.

Add value, improve, assure, and conform.

Both the key used to encrypt the data and the key used to decrypt the data are made public.

The key used to encrypt the data is kept private but the key used to decrypt the data is made public.

The key used to encrypt the data is made public but the key used to decrypt the data is kept private.

Both the key used to encrypt the data and the key used to decrypt the data are made private.

The organization should review the skill requirements and ensure that the service provider is maintaining sufficient expertise and retaining skilled resources.

The organization should proactively monitor the performance of the service provider, escalate concerns, and use penalty clauses in the contract where necessary.

The organization should ensure that there is a clear management communication strategy and path for evaluating and reporting on all outsourced services concerns.

The organization should work with the service provider to review the current agreement and

expectations relating to objectives, processes, and overall performance.

Determine the optimal amount of resources for the organization to invest in CSR.

Align CSR program objectives with the organization's strategic plan.

Integrate CSR activities into the organization's decision-making process.

Determine whether the organization has an appropriate policy governing its CSR activities.

Empathetic listening.

Reframing.

Reflective listening.

Dialogue.

$160

$210

$350

$490

Forming stage.

Norming stage.

Performing stage.

Storming stage.

Key processes across the entity which impact quality must be identified and included.

The quality management system must be documented in the articles of incorporation, quality manual,

procedures, work instructions, and records.

Management must review the quality policy, analyze data about quality management system

performance, and assess opportunities for improvement and the need for change.

The entity must have processes for inspections, testing, measurement, analysis, and improvement.

Established strategy of players.

Low number of new firms.

High unit costs.

Technical expertise.

1 only

2 and 4 only

1, 3, and 4 only

1, 2, 3, and 4

Conform with all other parts of The IIA's Standards and provide appropriate disclosures.

Conform with all other parts of The IIA's Standards; there is no need to provide appropriate disclosures.

Continue the engagement without conforming with the other parts of The IIA's Standards.

Withdraw from the engagement.

Each party's negotiator presents a menu of options to the other party.

Each party adopts one initial position from which to start.

Each negotiator minimizes the information provided to the other party.

Each negotiator starts with an offer, which is optimal from the negotiator's perspective.

A transmission control protocol/Internet protocol (TCP/IP).

An operating system.

A web browser.

A web server.

$170,000

$280,000

$300,000

$540,000

Improved integrity of programs and processing.

Enhanced ongoing maintenance of the system.

Greater accuracy of the testing phase.

Reduced need for unexpected software changes.

Systems-based preventive control.

People-based preventive control.

Systems-based detective control.

People-based detective control.

Risk response.

Risk identification.

Identification of context.

Risk assessment.

The framework categorizes an organization's objectives to distinct, non overlapping objectives.

Control environment is one of the framework's eight components.

The framework facilitates effective risk management, even if objectives have not been established.

The framework integrates with, but is not dependent upon, the corresponding internal control

framework.

Internal strengths and weaknesses.

Break-even points.

External trends and events.

Internal risk factors.

Motivation.

Performance.

Organizational structure.

Communication.

The maximum tolerable downtime after the occurrence of an incident.

The maximum tolerable data loss after the occurrence of an incident.

The maximum tolerable risk related to the occurrence of an incident.

The minimum recovery resources needed after the occurrence of an incident.

Establish separate vendor creation and approval teams.

Develop and distribute a code of conduct that prohibits conflicts of interest.

Perform a regular review of the vendor master file.

Require submission of a conflict-of-interest declaration.

Servers optimize data processing by sharing it with other computers on the information system

Servers manage the interconnectivity of system hardware devices in the information system.

Servers manage the data stored in databases residing on the information system.

Servers enforce access controls between networks transmitting data on the information system

Key performance indicators

Reports of software customization

Change and patch management

Master data management

Income statement

Statement of cash flows.

Balance sheet

Owner's equity statement

Hardware encryption.

Software encryption

Data encryption.

Authentication.

Block unauthorized traffic.

Encrypt data.

Review disaster recovery test results.

Provide independent assessment of IT security.

Limit the use of the employee devices for personal use to mitigate the risk of exposure to organizational data.

Ensure that relevant access to key applications is strictly controlled through an approval and review process

Institute detection and authentication controls for all devices used for network connectivity and data storage

Use management software to scan and then prompt patch reminders when devices connect to the network

1 and 2

1 and 3

2 and 4

3 and 4

Compliance

Privacy

Strategic

Physical security.

To reconstitute systems efficiently following a disruptive event.

To define rules on how devices within the system should communicate after a disaster.

To describe how data should move from one system to another system in case of an emergency.

To establish a protected area of network that is accessible to the public after a disaster

1 2. and 3 only.

1. 2 and 4 only

1, 3. and 4 only.

1,2. 3, and 4

Plenum.

Biometric lock.

Identification card.

Electromechanical lock.

Access to personally identifiable information is limited to those who need it to perform their job.

Confidential data must be backed up and recoverable within a 24-hour period.

Updates to systems containing sensitive data must be approved before being moved to production.

A record of employees with access to insider information must be maintained and those employees may not trade company stock during blackout periods

Less use of policies and procedures

Less organizational commitment by employees

Less emphasis on extrinsic rewards

Less employees turnover

Providing fire detection and suppression equipment

Establishing a physical security policy and promoting it throughout the organization

Performing business continuity and disaster recovery planning

Keeping an offsite backup of the organization's critical data

A list of trustworthy good traffic and a list of unauthorized blocked traffic.

Monitoring for vulnerabilities based on industry intelligence

Comprehensive service level agreements with vendors.

Firewall and other network penmeter protection tools.

It leads to an increase in risk and often results in rework

It is an optimization technique where activities are performed in parallel rather than sequentially

It involves a revaluation of protect requirements and/or scope.

It is a compression technique in which resources are added to the protect

An internal auditor analyzed electricity production and sales interim reports and compiled a risk assessment.

An internal auditor extracted sales data to a spreadsheet and applied judgmental analysis for sampling.

An internal auditor classified solar panel sales by region and discovered unsuccessful sales

representatives.

An internal auditor broke down a complex process into smaller pieces to make it more understandable.

If the number of bicycles produced is increased by 15 percent, the variable cost per unit will increase proportionally

The fixed cost per unit will vary directly based on the number of bicycles produced during the

production cycle

The total variable cost will vary proportionally and inversely with the number of bicycles produced during a production run

If the number of bicycles produced is increased by 30 percent the fixed cost per unit will decline

There is a higher reliance on organizational culture

There are clear expectations set for employees

There are electronic monitoring techniques employed

There is a defined code for employee behavior

Cybersecurity risks are identical across all organizations regardless of industry

Installation of antivirus and malware software prevents cybersecurity risks

Deployment of proper cybersecurity measures assures business success

Information value extends the emergence of cybersecurity risks

26 days.

90 days.

100 days.

110 days.

Value-added network (VAN).

Local area network (LAN).

Metropolitan area network (MAN).

Wide area network (WAN).

Identification of achievable goals and timelines.

Analysis of the competitive environment.

Plan for the procurement of resources.

Plan for progress reporting and oversight.

Backup servers in the data center are stored in an environmentally controlled location

All users have a unique ID and password to access data

Swipe cards are used to access the data center

Firewalls and antivirus protection are in place to prevent unauthorized access to data.

Capital investment and not marketing

Marketing and not capital investment.

Efficiency and not input economy.

Effectiveness and not efficiency.

Full cost

Full cost plus a markup.

Market price of the product

Variable cost plus a markup

Determining the frequency with which backups will be performed.

Prioritizing the order in which business systems would be restored.

Assigning who in the IT department would be involved in the recovery procedures.

Assessing the resources needed to meet the data recovery objectives