Free IIA-CIA-Part3-3P Practice Test Questions 2026

Explanation:
Group development models (e.g., Tuckman) describe distinct phases teams experience. The storming stage involves conflict and disagreement as members assert opinions. The norming stage follows, where conflict decreases, trust builds, and group norms emerge, increasing cohesion and unity among members toward shared goals.

Correct Option:

B. Norming stage.
During norming, members resolve differences from the storming phase. They establish common expectations, roles, and standards. This reduces interpersonal hostility and fosters group cohesiveness, collaboration, and mutual support. The team begins functioning more harmoniously, focusing on collective outcomes rather than individual conflicts.

Incorrect Option:

A. Forming stage.
This initial stage is characterized by politeness, uncertainty, and dependence on leadership. Conflict is typically low or avoided entirely, but cohesiveness is not yet developed because members are still getting acquainted and have not established strong interpersonal bonds or shared norms.

C. Performing stage.
At this stage, conflict and cohesiveness are already managed well, and the group focuses on achieving goals efficiently. However, the decrease in conflict and increase in cohesiveness happens before performing—during norming. Performing assumes these foundations are already in place.

D. Storming stage.
This stage is exactly the opposite of the description. Storming features high conflict, hostility, power struggles, and disagreement over roles and leadership. Cohesiveness is low or breaking down. The decrease in conflict occurs after this stage, not within it.

Reference:
Tuckman’s (1965) Stages of Group Development (Forming, Storming, Norming, Performing); IIA’s Global Internal Audit Competency Framework (Communication & Teamwork domain) references group dynamics in audit team effectiveness.

Explanation:
This question tests knowledge of inventory valuation methods under International Financial Reporting Standards (IFRS) or U.S. GAAP. FIFO assumes oldest goods sell first. During rising prices (inflation), FIFO reports lower cost of goods sold (older, cheaper costs) and higher ending inventory (newer, higher costs), which affects profit and tax calculations.

Correct Option:

D. It minimizes current-period income taxes.
This statement is false, making it the correct choice for "except." During rising prices, FIFO produces higher net income (lower COGS) and therefore higher income taxes, not minimized. LIFO (where permitted) minimizes taxes in inflationary periods by reporting higher COGS and lower taxable income.

Incorrect Option:

A. It values inventory close to current replacement cost.
True statement. FIFO ending inventory consists of the most recently purchased goods, so its balance sheet value approximates current replacement cost, providing relevant financial information for decision-making.

B. It generates the highest profit when prices are rising.
True statement. With inflation, older, lower costs transfer to COGS, leaving higher margins compared to LIFO or weighted average. This maximizes reported net income during periods of rising prices.

C. It approximates the physical flow of goods.
True statement. Many businesses physically sell oldest inventory first (e.g., perishable goods, food, fashion). FIFO aligns accounting with actual physical movement, making it intuitive and operational for inventory management.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Financial Accounting section); IAS 2 Inventories; ASC 330 (U.S. GAAP). Note: LIFO is prohibited under IFRS but permitted under U.S. GAAP.

Explanation:
Vertical integration occurs when a company expands operations into different stages of the same industry (e.g., acquiring a supplier or distributor). While it offers benefits like cost control and supply certainty, disadvantages include reduced strategic flexibility, increased fixed costs, and potential loss of focus on core competencies.

Correct Option:

A. It may reduce the flexibility to change partners.
Vertical integration locks the organization into internal sources of supply or distribution. If a better external partner (cheaper, more innovative, or higher quality) emerges, the integrated firm cannot easily switch without incurring significant divestment costs, reducing strategic agility.

Incorrect Option:

B. It may not reduce the bargaining power of suppliers.
This is incorrect because vertical integration does typically reduce supplier bargaining power by internalizing the supply function. The organization no longer negotiates with external suppliers for integrated inputs, thus directly lowering their leverage.

C. It may limit the organization's ability to differentiate the product.
Vertical integration generally enhances differentiation potential by allowing tighter quality control and unique specifications. Limiting differentiation is not a standard disadvantage; outsourcing niche components is more likely to limit differentiation.

D. It may lead to limited control of proprietary knowledge.
Vertical integration increases control over proprietary knowledge by keeping processes and technologies in-house. Limited control is a risk of outsourcing, not of backward or forward integration.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Strategic Management section); Porter, M.E. (1980) Competitive Strategy — Vertical Integration and Strategic Flexibility.

Explanation:
Transfer pricing determines the value of goods or services exchanged between divisions within the same organization. The market price approach uses the prevailing external market price as the internal transfer price. This method is considered most objective and fair when an active, competitive external market exists for the same product or service.

Correct Option:

A. There is an external market for that service.
When an external market exists, market price becomes the best benchmark. It reflects opportunity cost, supports goal congruence, prevents suboptimal decisions, and provides an arm's-length basis that is unbiased. Both divisions can compare internal transfer with external alternatives, ensuring efficient resource allocation.

Incorrect Option:

B. The selling department operates at 50 percent of its capacity.
Capacity level alone does not justify market price. At low capacity, marginal cost might be more appropriate to encourage internal transfers. Market price could be too high, leading the buying division to purchase externally unnecessarily, hurting overall corporate profit.

C. The purchasing department has more negotiating power than the selling department.
Negotiating power imbalance distorts transfer pricing. A powerful buying division might force a price below market, disadvantaging the selling division and causing suboptimal decisions. Market price should be objective, not determined by relative bargaining power.

D. There is no external market for that service.
Without an external market, market price cannot be observed or determined. In such cases, organizations use other methods like cost-based transfer pricing (e.g., variable cost, full cost plus markup) or negotiated prices, not market price.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Performance Management & Transfer Pricing section); Horngren, Datar, & Rajan, Cost Accounting: A Managerial Emphasis.

Explanation:
Internal development (organic growth) involves building a new business unit from scratch rather than acquiring an existing firm. Companies choose this path when entry barriers are low, when they possess proprietary technology, or when incumbents are unlikely to react aggressively. Slow retaliation reduces the risk of price wars or other competitive responses.

Correct Option:

A. It is expected that there will be slow retaliation from incumbents.
When incumbents are expected to react slowly or weakly, internal development becomes less risky. The new entrant can gain market share and establish operations before facing significant competitive pressure. This favorable condition makes organic entry more attractive than paying acquisition premiums.

Incorrect Option:

B. The acquiring organization has information that the selling organization is weak.
This favors acquisition, not internal development. Information asymmetry where the buyer knows the target is undervalued creates an opportunity to purchase assets cheaply. Buying a weak firm at a discount can be faster and cheaper than building from scratch.

C. The number of bidders to acquire the organization for sale is low.
Low bidder competition favors acquisition because purchase price remains depressed. The organization can acquire cheaply without premium bidding wars. This condition encourages buying an existing business rather than developing internally.

D. The condition of the economy is poor.
A poor economy often favors acquisition because asset prices are depressed, distressed sellers exist, and bargains are available. Internal development during a poor economy may face tight credit, weak demand, and high risk of failure, making acquisitions more attractive.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Strategic Management/Corporate Development section); Porter, M.E. (1980) Competitive Strategy — Entry Barriers and Incumbent Retaliation.

Explanation:
Market signals are actions or announcements by competitors that provide information about their intentions, motivations, or future plans. These signals can be deliberate (to communicate strategy) or unintentional (revealed through behavior). Common market signals include price changes, new product announcements, advertising campaigns, warranty programs, or capacity expansions.

Correct Option:

D. The competitor announces a new warranty program.
A warranty program announcement is a direct market signal. It communicates the competitor's confidence in product quality, potential intent to capture market share, and willingness to compete on post-sale service. Such announcements influence how other firms respond, making it a clear strategic signal.

Incorrect Option:

A. The bargaining power of buyers is forcing a drop in market prices.
This describes a market condition or competitive force (from Porter's Five Forces), not a signal. Buyer power causing price drops is a structural market outcome, not an intentional or indirect communication from one competitor to others.

B. There is pressure from the competitor's substitute products.
Pressure from substitutes is another structural industry force. It describes a competitive threat, not a signal. While substitutes may influence strategy, the statement lacks an explicit action or announcement that conveys specific strategic intent.

C. Strategic analysis by the organization indicates feasibility of expanding to new market niches.
This represents internal strategic planning, not a market signal. Until the organization announces or takes visible action (e.g., entering a niche), competitors cannot observe or interpret this as a signal of future behavior.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Strategic Management / Competitive Analysis section); Porter, M.E. (1980) Competitive Strategy — Chapter on Market Signals.

Explanation:
Granting temporary access to third parties (e.g., consultants, vendors, auditors) introduces security risks. Effective controls ensure access is limited in scope, time-bound, and based on business need. The most robust control combines least privilege, automated expiration, and activity-based provisioning rather than relying solely on manual deletion or managerial approval.

Correct Option:

B. User accounts specify expiration dates and are based on services provided.
This enforces two critical controls: (1) time limitation through automatic expiration, preventing access from lingering after need ends, and (2) need-to-know/least privilege by tailoring access only to required services. Automated expiration is more reliable than manual deletion, which may be forgotten.

Incorrect Option:

A. Access is approved by the supervising manager.
While managerial approval is important as a preventive control, it is not the most effective alone. Approval can be given inappropriately, bypassed, or never revoked. It lacks technical enforcement and does not address access duration or scope limitations.

C. Administrator access is provided for a limited period.
Providing administrator-level access is inherently risky even for limited periods. Administrator rights bypass most security controls. The principle of least privilege dictates that third parties should rarely, if ever, receive admin access. This control is both dangerous and rarely justified.

D. User accounts are deleted when the work is completed.
Manual deletion relies on human action after work completion. In practice, managers often forget to notify IT, or work completion is ambiguous, leading to orphaned accounts. While deletion is good, automated expiration (Option B) is superior because it removes dependency on post-completion action.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Information Security / Access Control section); GTAG (Global Technology Audit Guide) on Access Control; NIST SP 800-53 (AC-2: Account Management).

Explanation:
IT governance is a subset of corporate governance focused on directing and controlling IT activities. It ensures IT supports business objectives, optimizes value, and manages risks. Key components include strategic alignment (long-term planning), organizational structures, and leadership roles. Operational plans belong to IT management execution, not governance itself.

Correct Option:

C. 1, 2, and 4 only. These three items represent core IT governance elements:
1 Strategic alignment between IT long-term plan and organizational objectives.
2 Organizational structures ensuring IT supports business strategies.
4 Leadership's role in ensuring IT supports strategies and objectives.
All three fall under governance (setting direction, oversight, and accountability).

Incorrect Option:

3. Operational plans established to support IT strategies and objectives.
This describes IT management, not IT governance. Governance decides what should be achieved (policies, priorities, resource allocation). Management executes how to achieve it through operational plans, budgets, and day-to-day activities. Mixing operational plans into governance blurs the governance/management distinction.

Why not A, B, or D?

A (1,2 only) omits the critical leadership/accountability role (item 4).

B (3,4 only) incorrectly includes operational plans (item 3) while missing strategic alignment and structures.

D (2,3,4 only) includes operational plans and excludes strategic alignment.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (IT Governance section); ISACA *COBIT 5/2019* (EDM – Evaluate, Direct, Monitor); IT Governance Institute definition separating governance (strategic alignment, leadership, structures) from management (operational plans).

Explanation:
Relevant cost is a managerial accounting concept used for decision-making (e.g., make-or-buy, special orders, keep-or-drop). Only costs that are future and differ between alternatives affect the decision. Sunk costs (past) and future costs that are identical across options are irrelevant and should be ignored.

Correct Option:

B. A future cost that differs among alternatives.
This is the precise definition of relevant cost. For a cost to influence a decision, it must (1) occur in the future, and (2) vary between the available alternatives. Costs that are identical regardless of choice provide no decision-useful information and are therefore irrelevant.

Incorrect Option:

A. A future cost that is the same among alternatives.
Future costs that do not differ (e.g., fixed overhead that remains constant regardless of which product is produced) are irrelevant for the decision. They will be incurred no matter what, so they do not affect the comparative analysis between options.

C. A past cost that is the same among alternatives.
Past costs (sunk costs) are always irrelevant, regardless of whether they are same or different across alternatives. Examples include historical purchase price or prior research costs. These cannot be changed by future decisions and must be excluded from decision-making.

D. A past cost that differs among alternatives.
Even if past costs differ, they remain irrelevant because they are already incurred and cannot be altered. Decision-makers should focus only on future differential cash flows, not historical differences that are irreversible.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Managerial Accounting / Decision-Making section); Horngren, Datar, & Rajan, Cost Accounting: A Managerial Emphasis (Relevant Costs for Decision Making).

Explanation:
User authentication is the process of verifying the identity of a user attempting to access a system. It typically involves three steps: identification (user claims an identity), verification/authentication (user provides evidence like password or biometric), and validation (checking credentials against stored data). Authorization is a separate, subsequent process.

Correct Option:

A. Authorization.
Authorization occurs after successful authentication. It determines what resources an authenticated user can access and what actions they can perform (e.g., read, write, delete). Authorization is not part of authentication; it is a distinct security function. Confusing the two is a common misconception.

Incorrect Option:

B. Identification.
Identification is the first step of authentication where the user claims an identity (e.g., entering a username). Without identification, the system does not know which user is attempting access. This is an integral part of the authentication process.

C. Verification.
Verification (also called authentication proper) is the step where the user provides credentials (password, smart card, fingerprint) to prove they are the claimed identity. This is the core of authentication and is absolutely included.

D. Validation.
Validation involves checking the provided credentials against stored authoritative data (e.g., verifying password hash matches database). This confirms whether the credentials are correct and current. It is part of the authentication decision process.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Information Security / Access Control section); NIST SP 800-53 (IA - Identification and Authentication); ISO/IEC 27001 (Access Control domain). Authorization follows authentication.

Explanation:
COBIT (Control Objectives for Information and Related Technology) distinguishes between pervasive (general) controls and detailed (application) controls. Pervasive controls apply across the entire IT environment (e.g., governance, security policies). Detailed controls are specific to individual applications or processes (e.g., input validation, disaster recovery planning).

Correct Option:

A. 1 and 4 only.

Statement 1:
True. Pervasive controls are general, cross-cutting controls (IT governance, security policies). Detailed controls are specific to particular applications or functions.

Statement 4:
True. Disaster recovery planning is considered a detailed (or specific) control because it addresses recovery of specific systems/functions, not the entire pervasive control environment.

Incorrect Options:

Statement 2: False.
Application controls are not a subset of pervasive controls. In COBIT, application controls and pervasive controls are separate categories. Pervasive controls support the overall environment, while application controls operate within specific applications.

Statement 3: False.
Software implementation is an operational activity or change management process, not a type of pervasive control. Pervasive controls include areas like risk assessment, organizational structure, and IT strategy—not the act of implementation.

Why not B, C, or D?

B (2,3 only) both statements are false.

C (2,3,4 only) includes false statements 2 and 3.

D (1,2,4 only) includes false statement 2.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (IT Governance / COBIT Framework section); COBIT 5/2019 (Enabling Processes—Pervasive vs. Application Controls); ISACA publications.

Explanation:
Internal auditors often rely on user-developed spreadsheets for testing or operational review. However, spreadsheets carry inherent risks such as errors, lack of version control, hidden data, complexity creep, and integration issues. The ability to meet user needs is typically the intended benefit, not a concern, when users develop spreadsheets themselves.

Correct Option:

C. Ability to meet user needs.
This is the primary advantage of user-developed spreadsheets, not a concern. Users build spreadsheets specifically to address their unique requirements. Meeting user needs is the goal, not a risk. Therefore, this is correctly identified as "not a potential area of concern" for reliance.

Incorrect Option:

A. Increasing complexity over time.
This is a major concern. Spreadsheets often evolve through undocumented modifications, adding formulas, macros, and links. Complexity increases error risk, reduces auditability, and makes verification difficult. What starts simple becomes fragile and hard to maintain.

B. Interface with corporate systems.
Manual or semi-automated interfaces between spreadsheets and corporate systems (e.g., data exports, copy-paste) introduce risks of data corruption, omission, or version mismatch. Lack of controlled integration can lead to unreliable information for decision-making or auditing.

D. Hidden data columns or worksheets.
Hidden rows, columns, or cells are common spreadsheet risks. Users may hide data intentionally (to simplify views) or accidentally, leading auditors to overlook relevant information. Hidden data can conceal errors, assumptions, or manual overrides, compromising audit evidence reliability.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (IT Controls / End-User Computing section); GTAG (Global Technology Audit Guide) on Auditing User-Developed Applications/Spreadsheets; IFAC guidance on spreadsheet risk management.