Free IIA-CIA-Part3-3P Practice Test Questions 2026

486 Questions


Last Updated On : 12-Jun-2026


Topic 1: Exam Pool A

The first stage in the development of a crisis management program is to:


A. Formulate contingency plans.


B. Conduct a risk analysis.


C. Create a crisis management team.


D. Practice the response to a crisis.





B.
  Conduct a risk analysis.

Explanation:
Crisis management program development follows a logical sequence. Before formulating plans, forming teams, or practicing responses, the organization must first understand what crises it might face. Risk analysis (or risk assessment) identifies potential crisis scenarios, their likelihood, and potential impact. This foundational step guides all subsequent program design decisions.

Correct Option:

B. Conduct a risk analysis.
Risk analysis is the first stage because it identifies potential crises (natural disasters, cyberattacks, product failures, reputational threats). Without understanding which risks exist and their severity, the organization cannot prioritize resources, design relevant contingency plans, or form appropriate teams.

Incorrect Options:

A. Formulate contingency plans.
Contingency planning comes after risk analysis. You cannot formulate effective plans without knowing which crisis scenarios to plan for and their potential impact. Plans are outputs of the risk analysis stage.

C. Create a crisis management team.
Team creation follows risk analysis and planning. The team's composition (who leads, which functions are represented) depends on the types of crises identified and the response strategies selected.

D. Practice the response to a crisis.
Practice (drills, simulations) occurs near the end of program development, after plans are documented and teams are trained. It is a testing and improvement stage, not the first stage.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Crisis Management / Business Continuity section); Crisis management literature (e.g., Coombs, Ongoing Crisis Communication) – risk assessment as initial step; ISO 22361 (Crisis management – risk analysis first).

When assessing the adequacy of a risk mitigation strategy, an internal auditor should consider which of the following?

1) Management’s tolerance for specific risks.

2) The cost versus benefit of implementing a control.

3) Whether a control can mitigate multiple risks.

4) The ability to test the effectiveness of the control.


A. 1, 2, and 3


B. 1, 2, and 4


C. 1, 3, and 4


D. 2, 3, and 4





C.
  1, 3, and 4

Explanation:
When assessing the adequacy of a risk mitigation strategy, the auditor must consider whether the strategy aligns with management’s risk tolerance, can address multiple risks efficiently, and can be tested for effectiveness. However, cost versus benefit is generally a management decision, not a primary factor in the auditor’s assessment of adequacy.

Correct Option:

C. 1, 3, and 4.

1: Management’s tolerance for specific risks – essential to determine if residual risk after mitigation is acceptable.

3: Whether a control can mitigate multiple risks – relevant for efficiency and integration of controls.

4: The ability to test the effectiveness of the control – necessary to verify that the strategy actually works.

Incorrect Option:

2. The cost versus benefit of implementing a control.
While relevant for management's choice of strategy, the adequacy of a mitigation strategy focuses on whether it reduces risk to an acceptable level, not primarily whether it is cost-effective. Cost-benefit analysis is more relevant to control selection than to assessing adequacy. Therefore, this item is not typically a primary consideration for the auditor when evaluating adequacy.

Why not A, B, or D?

A (1, 2, 3) includes #2 (cost vs. benefit), which is not central to adequacy assessment.

B (1,2,4) includes #2.

D (2,3,4) includes #2 and omits #1 (risk tolerance), which is fundamental to adequacy.

Reference:
IIA International Professional Practices Framework (IPPF) – Standard 2120: Risk Management; IIA Practice Guide: Risk Assessment in Internal Auditing (adequacy of mitigation considers tolerance, multiple risks, testability). Cost-benefit is management’s consideration.

Which of the following borrowing options is an unsecured loan?


A. Second-mortgage financing from a bank.


B. An issue of commercial paper.


C. Pledged accounts receivable.


D. Asset-based financing.





B.
  An issue of commercial paper.

Explanation:
An unsecured loan is not backed by collateral (specific assets pledged as security). The lender relies on the borrower's creditworthiness. Among the options, commercial paper (short-term corporate debt issued to investors) is unsecured. The other options involve specific assets pledged as collateral (second mortgage, receivables, or other assets).

Correct Option:

B. An issue of commercial paper.
Commercial paper is an unsecured promissory note issued by corporations to raise short-term funds. No specific assets are pledged; investors rely on the issuer's credit rating and financial strength. Default risk is higher than secured debt, reflected in interest rates.

Incorrect Options:

A. Second-mortgage financing from a bank.
This is secured by real property (the second mortgage is a lien against the property). If the borrower defaults, the bank can foreclose. This is a secured loan, not unsecured.

C. Pledged accounts receivable.
This is asset-based financing where specific receivables are assigned or pledged as collateral. The lender has a claim on those receivables in case of default. Clearly secured.

D. Asset-based financing.
This is a broad category of secured lending where loans are backed by assets (inventory, equipment, receivables). By definition, asset-based financing is secured, not unsecured.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Treasury / Financing section); Commercial paper definition (unsecured short-term corporate debt); Secured vs. unsecured borrowing distinctions.

Organizations use matrix management to accomplish which of the following?


A. To improve the chain of command.


B. To strengthen corporate headquarters.


C. To focus better on a single market.


D. To increase lateral communication.





D.
  To increase lateral communication.

Explanation:
Matrix management creates dual reporting relationships (functional and project/product). One of its primary purposes is to break down traditional silos and increase lateral (horizontal) communication across functions. This facilitates information sharing, coordination, and problem-solving across departments, improving responsiveness and innovation compared to rigid hierarchical structures.

Correct Option:

D. To increase lateral communication.
In a matrix, employees communicate across functional boundaries (e.g., engineering, marketing, production) to serve project needs. This lateral flow bypasses vertical chain-of-command delays, enabling faster decisions, knowledge sharing, and integration of diverse expertise.

Incorrect Options:

A. To improve the chain of command.
Matrix weakens the traditional unitary chain of command by introducing dual reporting. It complicates authority, rather than improving clarity. "Improving chain of command" is a goal of traditional hierarchical structures, not matrix.

B. To strengthen corporate headquarters.
Matrix does not inherently strengthen headquarters. It distributes authority between functional departments and project/product teams, often at divisional or regional levels. Headquarters may even lose direct control.

C. To focus better on a single market.
Matrix is most useful when an organization serves multiple markets or has multiple product lines simultaneously. For a single market, simpler structures (functional or divisional) are more focused. Matrix introduces unnecessary complexity.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Organizational Structures section); Robbins & Judge, Organizational Behavior (matrix structure advantages: lateral communication, flexibility, information flow).

Which of the following statements about COBIT is not true?


A. COBIT helps management understand and manage the risks associated with information technology (IT) processes.


B. Management needs to determine the cost-benefit ratio of adopting COBIT control objectives.


C. COBIT control objectives are specific to various IT platforms and help determine minimum controls.


D. COBIT provides management with the capability to conduct self-assessments against industry best practices.





C.
  COBIT control objectives are specific to various IT platforms and help determine minimum controls.

Explanation:
COBIT (Control Objectives for Information and Related Technologies) is a framework for IT governance and management. It is technology-neutral, meaning its control objectives are not specific to particular IT platforms (e.g., Windows, Linux, Oracle). Instead, COBIT provides generic, platform-independent controls applicable across diverse environments. Statement C claims platform specificity, which is false.

Correct Option:

C. COBIT control objectives are specific to various IT platforms and help determine minimum controls.
This statement is not true. COBIT is intentionally platform-agnostic. It focuses on processes and governance, not on specific technologies. Organizations map COBIT controls to their specific platforms; COBIT itself does not prescribe platform-specific controls.

Incorrect Options:

A. COBIT helps management understand and manage IT risks.
True. COBIT provides a framework for identifying, assessing, and managing IT-related risks, linking IT processes to enterprise objectives.

B. Management needs to determine cost-benefit of adopting COBIT objectives.
True. COBIT recognizes that implementing controls requires cost-benefit analysis. Management must decide which objectives are relevant and cost-effective for their organization.

D. COBIT enables self-assessments against industry best practices.
True. COBIT includes capability maturity models and assessment tools that allow organizations to benchmark their IT processes against recognized best practices.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (IT Governance / COBIT section); ISACA *COBIT 5/2019 Framework* – technology-neutral, platform-independent control objectives.

Maintenance cost at a hospital was observed to increase as activity level increased. The following data was gathered:

| Month | Activity Level (Patient Days) | Maintenance Cost |
| --- | --- | --- |
| January | 5,600 | $7,900 |
| February | 7,100 | $8,500 |
| March | 5,000 | $7,400 |
| April | 6,500 | $8,200 |
| May | 7,300 | $9,100 |
| June | 8,000 | $9,800 |

If the cost of maintenance is expressed in an equation, what is the independent variable for this data?


A. Fixed cost.


B. Variable cost.


C. Total maintenance cost.


D. Patient days.





D.
  Patient days.

Explanation:
In cost analysis, the independent variable is the factor that drives or causes changes in the dependent variable. Maintenance cost depends on activity level. Here, patient days represent the activity measure (volume of service). As patient days change, maintenance cost changes. Therefore, patient days is the independent variable (x) and maintenance cost is dependent (y).

Correct Option:

D. Patient days.
Patient days is the independent variable because it is the measure of activity that influences maintenance cost. In the equation (e.g., y = a + bx), patient days would be the "x" (independent). Cost behavior is analyzed with respect to changes in patient days.

Incorrect Options:

A. Fixed cost.
Fixed cost is a component of total cost (the intercept "a" in y = a + bx). It does not vary with activity; it is a parameter, not an independent variable. Fixed cost is determined, not the driver.

B. Variable cost.
Variable cost per unit is a coefficient (slope "b" in y = a + bx). It is also a parameter, not the independent variable. The independent variable is the activity level, not the cost per unit.

C. Total maintenance cost.
Total maintenance cost is the dependent variable (y). It is what the equation predicts or explains, not what drives the change. The question asks for the independent variable, which is patient days.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Managerial Accounting / Cost Behavior section); Regression analysis and cost estimation: independent variable = cost driver (activity level).

In creating a risk-based plan, which of the following best describes a top-down approach to understanding business processes?


A. Identifying the processes at the activity level.


B. Analyzing the organization's strategic plan where the business processes are defined.


C. Analyzing the organization's objectives and identifying the processes needed to achieve the objectives.


D. Identifying the risks affecting the organization, the objectives, and then the processes concerned.





C.
  Analyzing the organization's objectives and identifying the processes needed to achieve the objectives.

Explanation:
In a risk-based internal audit plan, a top-down approach starts from the highest level of the organization (strategic objectives) and cascades down to identify relevant business processes. This ensures alignment with organizational goals and focuses audit resources on key areas that support those objectives, which is a fundamental principle in the IIA’s risk-based planning methodology.

Correct Option:

C. Analyzing the organization's objectives and identifying the processes needed to achieve the objectives.
This is the best description of a top-down approach. It begins at the strategic level by understanding the organization’s objectives and then maps the critical business processes required to achieve them. This method ensures that internal audit activities are aligned with the entity’s goals and prioritizes high-impact areas before diving into details.

Incorrect Options:

A. Identifying the processes at the activity level.
This describes a bottom-up approach. It starts from detailed transactional or operational activities and works upward. While useful for process mapping, it is not top-down as it does not begin with high-level objectives.

B. Analyzing the organization's strategic plan where the business processes are defined.
This is partially related but incomplete. The strategic plan may mention processes at a high level; however, simply analyzing the plan does not fully capture the top-down process of deriving necessary processes from objectives.

D. Identifying the risks affecting the organization, the objectives, and then the processes concerned.
This mixes elements of risk assessment with process identification. While risk identification is important in risk-based planning, the pure top-down approach to understanding business processes specifically starts with objectives first, before risks.

Reference:
IIA Global Standards – Performance Standard 2010 (Planning) and related guidance on risk-based internal auditing. CIA Exam Part 3 – Business Knowledge for Internal Auditing (Domain I: Governance, Risk Management, and Control).

In terms of international business strategy, which of the following is true regarding a multidomestic strategy?


A. It uses the same products in all countries.


B. It centralizes control with little decision-making authority given to the local level.


C. It is an effective strategy when large differences exist between countries.


D. It provides cost advantages, improves coordinated activities, and speeds product development.





C.
  It is an effective strategy when large differences exist between countries.

Explanation:
A multidomestic strategy focuses on local responsiveness by tailoring products and services to each country’s unique needs. It sacrifices economies of scale for better adaptation to local markets. This approach becomes effective when customer preferences, regulations, or competitive conditions differ significantly across countries, making standardization impractical or uncompetitive.

Correct Option:

C. It is an effective strategy when large differences exist between countries.
Correct because multidomestic strategies thrive on cross-country heterogeneity. When cultural, legal, or economic gaps are wide, local adaptation allows firms to meet specific market demands, gain local acceptance, and compete effectively against domestic players who already understand those differences.

Incorrect Options:

A. It uses the same products in all countries.
Incorrect. This describes a global standardization strategy. Multidomestic strategies deliberately vary products, packaging, pricing, and promotion across markets to suit local tastes and regulations.

B. It centralizes control with little decision-making authority given to the local level.
Incorrect. Multidomestic strategies decentralize authority, granting substantial autonomy to local subsidiaries. Centralized control characterizes global or home‑country‑centric strategies, not multidomestic ones.

D. It provides cost advantages, improves coordinated activities, and speeds product development.
Incorrect. These benefits accrue from global or transnational strategies through standardization, shared R&D, and integrated supply chains. Multidomestic strategies typically increase costs due to duplication and customization, and they often slow coordinated product development across borders.

Reference:
IIA CIA Part 3 Learning System – “Business Strategy and International Operations”; IPPF Practice Guide on “Strategy and International Business.”

When developing an effective risk-based plan to determine audit priorities, an internal audit activity should start by:


A. Identifying risks to the organization's operations.


B. Observing and analyzing controls.


C. Prioritizing known risks.


D. Reviewing organizational objectives.





D.
  Reviewing organizational objectives.

Explanation:
An effective risk‑based audit plan must align with the organization’s overall objectives because risks are defined as events that may affect the achievement of those objectives. Without first understanding what the organization aims to achieve, identifying and prioritizing risks lacks direction and relevance for audit resource allocation.

Correct Option:

D. Reviewing organizational objectives.
Correct because objectives form the foundation of any risk‑based audit planning. Only after reviewing objectives can an internal audit activity identify risks that could impede them, assess those risks, and prioritize audit engagements accordingly. This ensures audit efforts are directly linked to organizational success.

Incorrect Options:

A. Identifying risks to the organization's operations.
Incorrect. Risk identification should follow the review of objectives. Without knowing the objectives, an auditor cannot determine which operational risks are relevant or significant. Jumping to risk identification first may lead to missing key risks or focusing on low‑priority areas.

B. Observing and analyzing controls.
Incorrect. Control observation and analysis occur after risks have been identified and prioritized. Controls are designed to mitigate specific risks, so understanding risks must come first. Starting with controls reverses the logical sequence of risk‑based auditing.

C. Prioritizing known risks.
Incorrect. Prioritization can only happen after risks have been identified based on organizational objectives. Attempting to prioritize without a clear link to objectives may result in a plan that addresses lower‑impact risks while overlooking those most critical to achieving strategic goals.

Reference:
IIA Standard 2010 – “Planning”; IIA Practice Guide: “Developing the Internal Audit Strategic Plan”; IPPF – The International Professional Practices Framework.

A department purchased one copy of a software program for internal use. The manager of the department installed the program on an office computer and then made two complete copies of the original software.

Copy 1 was solely for backup purposes.

Copy 2 was for use by another member of the department.

In terms of software licenses and copyright law, which of the following is correct?


A. Both copies are legal.


B. Only copy 1 is legal.


C. Only copy 2 is legal.


D. Neither copy is legal.





B.
  Only copy 1 is legal.

When writing a business memorandum, the writer should choose a writing style that achieves all of the following except:


A. Draws positive attention to the writing style.


B. Treats all receivers with respect.


C. Suits the method of presentation and delivery.


D. Develops ideas without overstatement.





A.
  Draws positive attention to the writing style.

The audit committee of a global corporation has mandated a change in the organization's business ethics policy. Which of the following approaches describes the best way to accomplish the policy's diffusion worldwide?


A. Deploy the policy in the corporate headquarters' language, so everyone gets an unfiltered version simultaneously.


B. Introduce the policy region by region, using any lessons learned to change the subsequent version of the policy for the next area.


C. Consult with legal and operational management in each affected country to ensure the final version can be implemented globally, following audit committee approval.


D. Send the board-approved version of the policy to each country's senior leadership and empower them to tailor the policy to the local language and culture.





C.
  Consult with legal and operational management in each affected country to ensure the final version can be implemented globally, following audit committee approval.


