Which of the following best describes a cyberattack in which an organization faces a denial-of-service threat created through malicious data encryption?
A. Phishing.
B. Ransomware.
C. Hacking.
D. Malware
Explanation:
Ransomware is a type of malicious software (malware) that encrypts an organization's files, systems, or data, rendering them inaccessible to the legitimate users. The attacker then demands a ransom payment (typically in cryptocurrency) in exchange for the decryption key. This attack creates a denial-of-service condition because the encrypted data and systems are effectively unavailable to the organization until the ransom is paid or the data is restored from backups. The combination of malicious data encryption and the resulting denial-of-service is the defining characteristic of a ransomware attack.
Why the other options are incorrect:
A. Phishing.
This is a social engineering attack where an attacker deceives a user into revealing sensitive information (e.g., passwords, credit card details) via fraudulent emails or messages. It does not involve encryption or denial of service.
C. Hacking.
This is a broad term for unauthorized access or intrusion into systems. While hacking can lead to ransomware deployment, hacking itself is not defined by encryption or denial-of-service.
D. Malware.
Malware (malicious software) is a general category that includes viruses, worms, trojans, and ransomware. While ransomware is a type of malware, the question specifically describes encryption combined with denial of service, which points uniquely to ransomware, not to the broader category of malware.
References:
IIA GTAG – Information Security Governance: Defines ransomware as a type of malware that encrypts data and demands payment for decryption, effectively causing denial of access to critical systems.
NIST SP 800-83 – Ransomware Guidance: Describes ransomware as a denial-of-service attack through encryption, where victims lose access to their data until the ransom is paid or backups are restored.
An internal auditor was asked to review an equal equity partnership, in one sampled transaction. Partner A transferred equipment into the partnership with a self-declared value of $510,000, and Partner B contributed equipment with a self-declared value of $515,000. The capital accounts of each partner were subsequently credited with $12,500. Which of the following statements is true regarding this transaction?
A. The capital accounts of the partners should be increased by the original cost of the contributed equipment.
B. The capital accounts should be increased using a weighted average based on the current percentage of ownership.
C. No action is needed, as the capital account of each partner was increased by the correct amount.
D. The capital accounts of the partners should be increased by the fair market value of their contribution.
Explanation:
In partnership accounting, when a partner contributes non-cash assets (such as equipment), the contribution must be recorded at the fair market value (FMV) of the asset on the date of contribution—not the self-declared value, original cost, or book value. The scenario states that Partner A claimed a self-declared value of $510,000 and Partner B claimed $515,000, but both capital accounts were credited with only $12,500—which is clearly erroneous and not based on FMV. The correct accounting treatment is to credit each partner's capital account by the fair market value of the contributed equipment, as this reflects the true economic value brought into the partnership and ensures equitable ownership percentages.
Why the other options are incorrect:
A. The capital accounts of the partners should be increased by the original cost of the contributed equipment. Original cost is historical and does not reflect current value at the time of contribution. Partnership accounting requires fair value, not historical cost.
B. The capital accounts should be increased using a weighted average based on the current percentage of ownership. Weighted average is not used for initial contributions. Each partner's capital is credited based on the value of their individual contribution, not a blended average.
C. No action is needed, as the capital account of each partner was increased by the correct amount. This is false—$12,500 is not the fair market value of either equipment contribution. The amounts are incorrectly recorded.
References:
GAAP / Partnership Accounting – ASC 323: Non-cash contributions to a partnership are recorded at fair value on the date of contribution.
IFRS – IAS 16 & IFRS 13: Assets acquired in exchange or contributed to a partnership are initially measured at fair value.
Which of the following risks is best addressed by encryption?
A. Information integrity risk
B. Privacy risk
C. Access risk
D. Software risk
Explanation:
Encryption is a cryptographic control that transforms readable data (plaintext) into an unreadable format (ciphertext) using an algorithm and a key. Its primary purpose is to protect the confidentiality of data—ensuring that only authorized parties with the correct decryption key can access the information. Encryption directly addresses access risk by preventing unauthorized individuals from reading or using intercepted or stolen data. Whether data is in transit (e.g., over the internet) or at rest (e.g., on a hard drive), encryption ensures that even if access is gained, the data remains unintelligible without the key. Therefore, it is most directly a control against unauthorized access.
Why the other options are incorrect:
A. Information integrity risk.
While encryption can indirectly support integrity through methods like digital signatures and hashing, the primary purpose of encryption is confidentiality, not integrity. Integrity is primarily addressed by hashing, checksums, and message authentication codes (MACs).
B. Privacy risk.
Privacy risk is broader: it involves the protection of personal data in compliance with laws and regulations. Encryption is one tool to address privacy, but not the primary answer to the question. The question asks "best addressed by encryption," and the most direct match is access risk because encryption prevents unauthorized access to data.
D. Software risk.
Software risk relates to vulnerabilities, bugs, or malware in applications. Encryption does not address software defects; it addresses data protection, not code security.
References:
IIA GTAG – Information Security Governance: Defines encryption as a control to ensure confidentiality by preventing unauthorized access to sensitive data.
NIST SP 800-53 – SC-13 (Cryptographic Protection): States that encryption is used to protect the confidentiality of information.
When would a contract be closed out?
A. When there's a dispute between the contracting parties
B. When all contractual obligations have been discharged.
C. When there is a force majeure
D. When the termination clause is enacted
Explanation:
A contract is closed out when both parties have fully performed their respective obligations under the agreement—meaning all deliverables have been provided, all payments have been made, all terms have been satisfied, and there are no remaining duties or claims outstanding. This is the normal, successful conclusion of a contract lifecycle, often referred to as performance or full discharge. At this point, the contract is formally closed, and no further action is required by either party.
Why the other options are incorrect:
A. When there's a dispute between the contracting parties.
A dispute does not close a contract; it typically triggers resolution mechanisms (negotiation, mediation, arbitration, or litigation). The contract remains active until the dispute is resolved and obligations are fulfilled or terminated.
C. When there is a force majeure.
Force majeure (unforeseeable events like natural disasters) may suspend or excuse performance, but it does not automatically close the contract. The parties may renegotiate, wait for the event to pass, or terminate—but closure only occurs when all obligations are discharged or the contract is formally ended.
D. When the termination clause is enacted.
Enacting a termination clause ends the contract early, but this is termination—not normal closure. Termination occurs before full performance and may involve penalties or settlements. Closure is the successful completion of all obligations.
References:
Contract Law (Restatement (Second) of Contracts § 235): A contract is discharged when all duties are fully performed.
CIA Part 3 Syllabus – Legal & Regulatory Issues / Contracting: Tests the candidate's understanding of the contract lifecycle, distinguishing between normal closure (performance/discharge) and early termination.
Which of the following is an indicator of liquidity that is more dependable than working capital?
A. Acid-test (quick) ratio
B. Average collection period
C. Current ratio.
D. Inventory turnover.
Explanation:
Working capital (current assets minus current liabilities) is an absolute dollar amount that does not account for the composition of current assets. It can be misleading because it includes inventory and prepaid expenses, which may not be quickly convertible to cash. The acid-test (quick) ratio is a more dependable indicator of liquidity because it excludes inventory and prepaids, focusing only on cash, marketable securities, and accounts receivable—the most liquid assets that can be used to meet short-term obligations immediately. This ratio provides a stricter, more conservative measure of an organization's ability to pay its current liabilities without relying on the sale of inventory.
Why the other options are incorrect:
B. Average collection period. This measures how quickly receivables are collected. While useful for cash flow analysis, it does not provide a comprehensive liquidity snapshot like the acid-test ratio.
C. Current ratio. The current ratio (current assets ÷ current liabilities) is similar to working capital but is a ratio rather than a dollar amount. However, it still includes inventory and prepaids, making it less dependable than the quick ratio for immediate liquidity assessment.
D. Inventory turnover. This measures how efficiently inventory is sold and replaced. It is an operational efficiency metric, not a direct measure of liquidity.
References:
CIA Part 3 Syllabus – Financial Management / Liquidity Ratios: Tests the candidate's understanding that the acid-test (quick) ratio is a more conservative liquidity measure than the current ratio because it excludes inventory.
Financial Analysis Textbooks (Ross, Brigham): The quick ratio is a more dependable indicator of short-term liquidity as it focuses on the most liquid assets.
An internal auditor found the following information while reviewing the monthly financial statements for a wholesaler of safety

The cost of goods sold was reported at $8,500. Which of the following inventory methods was used to derive this value?
A. Average cost method
B. First-in, first-out (FIFO) method
C. Specific identification method
D. Activity-based costing method
Explanation:
To determine which inventory method was used, we calculate the Cost of Goods Sold (COGS) under each method and compare it to the reported $8,500.
Given Data:
Opening Inventory: 1,000 units @ $2 = $2,000
Purchases: 5,000 units @ $3 = $15,000
Total Available: 6,000 units @ Total Cost = $17,000
Units Sold: 3,000 units
Average Cost Method:
Weighted Average Cost = $17,000 ÷ 6,000 = $2.8333 per unit
COGS = 3,000 × $2.8333 = $8,500 (matches the reported figure)
FIFO (First-In, First-Out):
COGS = (1,000 × $2) + (2,000 × $3) = $2,000 + $6,000 = $8,000 (does not match)
LIFO (Last-In, First-Out):
COGS = 3,000 × $3 = $9,000 (does not match)
Since the reported COGS of $8,500 exactly matches the Average Cost method calculation, the wholesaler used the average cost method.
Why the other options are incorrect:
B. FIFO method. FIFO yields $8,000, not $8,500.
C. Specific identification method.
This requires tracking the actual cost of each individual item sold, which cannot be determined from the aggregate data provided.
D. Activity-based costing method.
ABC is a method for allocating overhead costs to products or services, not an inventory costing method for determining COGS.
References:
GAAP – ASC 330 (Inventory): Recognizes average cost, FIFO, LIFO, and specific identification as acceptable inventory costing methods.
CIA Part 3 Syllabus – Financial Management / Inventory Valuation: Tests the candidate's ability to calculate COGS using different inventory methods and identify the method used based on reported figures.
A retail organization mistakenly did not include $10,000 of inventory in the physical count at the end of the year. What was the impact to the organization's financial statements?
A. Cost of sales and net income are understated.
B. Cost of sales and net income are overstated.
C. Cost of sales is understated and net income is overstated.
D. Cost of sales is overstated and net income is understated.
Explanation:
When ending inventory is understated (i.e., $10,000 of inventory is not included in the physical count), the Cost of Goods Sold (COGS) is overstated. This is because COGS is calculated as:
COGS = Beginning Inventory + Purchases – Ending Inventory
If Ending Inventory is too low, the subtraction is smaller, making COGS higher (overstated). Higher COGS directly reduces gross profit, which in turn reduces net income. Therefore, net income becomes understated.
This is a classic inventory error: the misstatement flows directly into COGS and inversely into net income, so understated ending inventory → overstated COGS → understated net income.
Why the other options are incorrect:
A. Cost of sales and net income are understated. This would occur if ending inventory were overstated, not understated.
B. Cost of sales and net income are overstated. This is the opposite of the correct effect. Overstated ending inventory would overstate net income and understate COGS.
C. Cost of sales is understated and net income is overstated. This also describes the effect of an overstated ending inventory, not an understated one.
References:
GAAP – ASC 330 (Inventory): Inventory errors have a direct impact on COGS and net income. An understatement of ending inventory causes COGS to be overstated and net income to be understated.
CIA Part 3 Syllabus – Financial Management / Inventory Errors: Tests the candidate's understanding of the ripple effect of inventory misstatements on financial statements.
Which of the following statements is most accurate concerning the management and audit of a web server?
A. The file transfer protocol (FTP) should always be enabled.
B. The simple mail transfer protocol (SMTP) should be operating under the most privileged accounts.
C. The number of ports and protocols allowed to access the web server should be maximized.
D. Secure protocols for confidential pages should be used instead of clear-text protocols such as HTTP or FTP.
Explanation:
When managing and auditing a web server, the most critical security principle is to protect sensitive data during transmission. This is achieved by using secure protocols—such as HTTPS (HTTP over SSL/TLS) for web traffic and SFTP/FTPS for file transfers—instead of clear-text protocols like HTTP or FTP. Clear-text protocols transmit data, including credentials and confidential information, in an unencrypted format, making them vulnerable to interception, eavesdropping, and man-in-the-middle attacks. Secure protocols encrypt the data in transit, ensuring confidentiality and integrity, which is a fundamental control for any web server handling sensitive information.
Why the other options are incorrect:
A. The file transfer protocol (FTP) should always be enabled.
This is false. FTP is a clear-text protocol and should generally be disabled in favor of secure alternatives like SFTP or FTPS. Enabling FTP introduces unnecessary security risks.
B. The simple mail transfer protocol (SMTP) should be operating under the most privileged accounts. This is incorrect and dangerous. Services like SMTP should run under least-privilege accounts, not privileged ones, to minimize the impact if the service is compromised.
C. The number of ports and protocols allowed to access the web server should be maximized. This is the opposite of good security practice. The principle of least functionality dictates that only necessary ports and protocols should be open, reducing the attack surface.
References:
IIA GTAG – Information Security Governance: Emphasizes the use of encrypted protocols (HTTPS, SFTP) to protect data in transit and recommends disabling insecure protocols like HTTP and FTP.
NIST SP 800-53 – SC-8 (Transmission Confidentiality and Integrity): Requires that organizations protect the confidentiality and integrity of transmitted information, typically through encryption.
Which of the following is improved by the use of smart devices?
A. Version control
B. Privacy
C. Portability
D. Secure authentication
Which of the following organization structures would most likely be able to cope with rapid changes and uncertainties?
A. Decentralized
B. Centralized
C. Departmentalized
D. Tall structure
An organization has an agreement with a third-party vendor to have a fully operational facility, a duplicate of the original site and configured to the organization's needs, in order to quickly recover operational capability in the event of a disaster. Which of the following best describes this approach to disaster recovery planning?
A. Cold recovery plan.
B. Outsourced recovery plan.
C. Storage area network recovery plan.
D. Hot recovery plan
Which of the following statements is true regarding the term "flexible budgets" as it is used in accounting?
A. The term describes budgets that exclude fixed costs.
B. Flexible budgets exclude outcome projections, which are hard to determine, and instead rely on the most recent actual outcomes.
C. The term is a red flag for weak budgetary control activities.
D. Flexible budgets project data for different levels of activity.