While performing an audit of a car tire manufacturing plant, an internal auditor noticed a significant decrease in the number of tires produced from the previous operating period. To determine whether worker inefficiency caused the decrease, what additional information should the auditor request?
A. Total tire production labor hours for the operating period.
B. Total tire production costs for the operating period.
C. Plant production employee headcount average for the operating period.
D. The production machinery utilization rates.
Summary:
The auditor has observed a decrease in output (number of tires) and wants to investigate if "worker inefficiency" is the cause. Worker inefficiency specifically relates to the productivity of labor—how much output is generated per unit of labor input. To measure this, the auditor needs data on both the total output and the total labor input.
Correct Option:
A. Total tire production labor hours for the operating period.
This is the most direct information needed. To determine labor efficiency, the auditor must calculate the number of tires produced per labor hour (or the inverse, hours per tire). By comparing this ratio (e.g., tires/labor hour) between the current and previous periods, the auditor can objectively determine if worker productivity has decreased, increased, or remained stable, directly addressing the question of inefficiency.
Incorrect Option:
B. Total tire production costs for the operating period.
This is too broad. Production costs include materials, overhead, and labor. An increase in costs could be due to higher raw material prices or energy costs, not necessarily labor inefficiency. It does not isolate the labor productivity metric.
C. Plant production employee headcount average for the operating period.
Knowing the headcount is insufficient. If the headcount remained the same but hours per employee were reduced (e.g., a shift was shortened), labor input decreased, which could explain the lower output without implying inefficiency. The critical variable is total hours worked, not just the number of workers.
D. The production machinery utilization rates.
This data would help investigate other potential causes, such as equipment downtime or maintenance issues. If machinery utilization is low, the decrease in output is likely due to equipment problems, not worker inefficiency. This information is useful for a broader investigation but does not directly test the specific hypothesis of labor inefficiency.
Reference:
The IIA's International Professional Practices Framework (IPPF) requires internal auditors to identify sufficient, reliable, relevant, and useful information to achieve the engagement's objectives (Standard 2310) and to base conclusions and engagement results on appropriate analyses and evaluations (Standard 2320). In this case, analyzing labor productivity (output per labor hour) across the two periods is the evidence that directly tests the hypothesis of "worker inefficiency"; a change in output alone says nothing about the cause.
Which of the following is an effective preventive control for data center security?
A. Motion detectors.
B. Key card access to the facility.
C. Security cameras.
D. Monitoring access to data center workstations
Summary:
This question focuses on identifying a control that is classified as preventive for data center security. A preventive control is designed to deter or stop an unauthorized event from occurring in the first place. It acts as a barrier before a security incident can happen.
Correct Option:
B. Key card access to the facility.
This is an effective preventive control. It physically prevents unauthorized personnel from entering the data center. By requiring a valid key card, the control stops an intrusion at the perimeter, denying potential intruders physical access to the servers, network gear, and storage systems inside.
Incorrect Option:
A. Motion detectors. These are detective controls.
They are designed to sense and alert security personnel to movement after an intruder has already gained unauthorized access to a secured area. They do not prevent the entry itself.
C. Security cameras. These are primarily detective controls.
They record events for later review and can act as a deterrent, but their primary function is to provide evidence of a security breach that has already occurred. They do not physically block access.
D. Monitoring access to data center workstations.
This is a detective control. It involves reviewing logs or watching live feeds to see who is accessing workstations. This monitoring happens after the individual has already passed through physical security barriers and is inside the data center.
Reference:
The IIA's Global Technology Audit Guide (GTAG) on managing and auditing IT infrastructure emphasizes the importance of layered physical security. Preventive controls, such as key card access systems, are the first and most critical layer in a defense-in-depth strategy for a data center, as they are the primary means of stopping unauthorized physical access.
During an audit of the payroll system, the internal auditor identifies and documents the following condition:
"Once a user is logged into the system, the user has access to all functionality within the system."
What is the most likely root cause for this issue?
A. The authentication process relies on a simple password only, which is a weak method of authorization.
B. The system authorization of the user does not correctly reflect the access rights intended.
C. There was no periodic review to validate access rights.
D. The application owner apparently did not approve the access request during the provisioning process.
Summary
This question concerns a fundamental information security principle: least privilege, enforced through authorization (and, through it, segregation of duties). The condition described, where any logged-in user can reach every system function, indicates a critical failure of authorization controls. The root cause is not the login step (authentication) but the system's failure, after login, to restrict each user to only the functions and data that their job role requires.
Correct Option
B. The system authorization of the user does not correctly reflect the access rights intended.
This is the most direct root cause. Authorization is the process of granting or denying a user access to specific resources after they have been authenticated. The described condition is a classic failure of authorization, where user profiles or roles are incorrectly configured, granting excessive privileges. This violates the principle of least privilege, a core component of IT general controls, by not restricting users to only the functionality they require.
Incorrect Option
A. The authentication process relies on a simple password only, which is a weak method of authorization.
This option is incorrect because it confuses authentication with authorization. A simple password is a weakness in authentication (verifying user identity), not authorization (defining user access rights). The issue described is about excessive access after a successful login, not about the strength of the login method itself.
C. There was no periodic review to validate access rights.
While the absence of periodic access reviews is a significant control deficiency that could allow inappropriate access to persist, it is not the most likely root cause. The root cause is the initial misconfiguration of the authorization settings. A periodic review is a detective control that would ideally find this problem, but its absence did not create the problem.
D. The application owner apparently did not approve the access request during the provisioning process.
This describes a potential failure in the user provisioning process, but it is not the specific technical root cause. Lack of approval might lead to incorrect authorization, but the direct, technical root cause captured by the audit finding is that the system's authorization settings themselves are flawed and do not enforce segregation of duties.
Reference
The IIA's International Professional Practices Framework (IPPF) and related guidance on IT controls emphasize the importance of logical access controls, which include both authentication and authorization. The principle of least privilege, a key authorization concept, is a fundamental expectation for safeguarding information assets.
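The distinction the answer turns on, authentication versus authorization, as an added example that is not part of the original page or of any real payroll product: a hypothetical Python role map in which the vulnerable check treats "logged in" as "allowed" (the exact condition in the finding), beside a least-privilege check that consults the user's roles, plus the two queries an auditor would run over the account list: accounts whose roles cover every function, and accounts that hold both halves of a segregation-of-duties pair. Every role, permission, account and password below is constructed for the illustration.

```python
"""Added example, not from the page: authentication vs. authorization in a
payroll application, plus the audit checks behind the finding quoted above.
Every role, permission, account and password here is a constructed illustration."""
from dataclasses import dataclass, field

# All functions the (hypothetical) payroll system exposes.
ALL_FUNCTIONS = frozenset({
    "timesheet.submit", "timesheet.approve",
    "payrun.create", "payrun.approve", "payrun.release",
    "employee.bank_details.edit", "reports.view",
})

# Role map. The first four follow least privilege; "legacy_admin" is the kind of
# misconfiguration that produces the audit finding (one role grants everything).
ROLES = {
    "employee": {"timesheet.submit"},
    "supervisor": {"timesheet.approve", "reports.view"},
    "payroll_clerk": {"payrun.create", "employee.bank_details.edit"},
    "payroll_manager": {"payrun.approve", "payrun.release", "reports.view"},
    "legacy_admin": set(ALL_FUNCTIONS),
}

# Function pairs that must not sit with one person (segregation of duties).
SOD_PAIRS = (
    ("payrun.create", "payrun.approve"),
    ("timesheet.submit", "timesheet.approve"),
    ("employee.bank_details.edit", "payrun.release"),
)

# Constructed credential store; a real system would hold salted password hashes.
CREDENTIALS = {"alice": "hunter2", "bob": "correct-horse"}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    authenticated: bool = False


def login(user: User, password: str) -> bool:
    """Authentication: proves who the user is. It grants no function access."""
    user.authenticated = CREDENTIALS.get(user.name) == password
    return user.authenticated


def effective_permissions(user: User) -> frozenset:
    """Union of the permissions of every role assigned to the user."""
    return frozenset().union(*(ROLES.get(r, set()) for r in user.roles))


def authorize_vulnerable(user: User, function: str) -> bool:
    """The condition in the finding: being logged in is treated as permission
    for every function, so the role assignment is never consulted."""
    return user.authenticated


def authorize(user: User, function: str) -> bool:
    """Least privilege: authenticated AND the function is in the user's roles."""
    return user.authenticated and function in effective_permissions(user)


def over_privileged(users) -> list:
    """Audit check: accounts whose roles cover every function in the system."""
    return [u.name for u in users if effective_permissions(u) >= ALL_FUNCTIONS]


def sod_violations(users) -> list:
    """Audit check: accounts holding both halves of a segregation-of-duties pair."""
    found = []
    for u in users:
        perms = effective_permissions(u)
        found.extend((u.name, a, b) for a, b in SOD_PAIRS if a in perms and b in perms)
    return found


if __name__ == "__main__":
    alice = User("alice", {"employee"})
    bob = User("bob", {"legacy_admin"})
    login(alice, "hunter2")
    print("vulnerable:", authorize_vulnerable(alice, "payrun.approve"))  # True
    print("hardened:  ", authorize(alice, "payrun.approve"))             # False
    print("over-privileged:", over_privileged([alice, bob]))              # ['bob']
    print("SoD violations:", sod_violations([alice, bob]))
```

Note that option A's weakness (a simple password) lives entirely inside `login`; making it stronger would change nothing about what `authorize_vulnerable` allows. Option C's periodic review corresponds to running `over_privileged` and `sod_violations` on a schedule: it finds the misconfigured role, but the misconfiguration itself is the root cause.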
With regard to project management, which of the following statements about project crashing is true?
A. It leads to an increase in risk and often results in rework.
B. It is an optimization technique where activities are performed in parallel rather than sequentially.
C. It involves a revaluation of project requirements and/or scope.
D. It is a compression technique in which resources are added so the project.
Summary
This question tests knowledge of schedule compression techniques in project management. Project crashing is a specific method used to shorten the project's duration. The key is to understand the distinction between crashing and other techniques like fast-tracking. Crashing focuses on adding resources to critical path tasks to reduce their duration, which typically increases project cost but aims to preserve the original project scope.
Correct Option
D. It is a compression technique in which resources are added so the project.
This is the textbook definition of project crashing. It is a schedule compression technique used to shorten the project schedule by adding additional resources (such as labor, equipment, or overtime) to critical path activities. The primary trade-off is that while time is saved, the project's cost increases due to the added resources. The project scope itself remains unchanged.
Incorrect Option
A. It leads to an increase in risk and often results in rework.
While crashing can sometimes increase risk (e.g., communication overhead with more people), this is not its defining characteristic. This description is more generally associated with fast-tracking or poor planning. The direct outcome of crashing is increased cost for reduced time, not necessarily rework.
B. It is an optimization technique where activities are performed in parallel rather than sequentially.
This is the definition of fast-tracking, not crashing. Fast-tracking changes the logical sequence of activities (e.g., starting a design phase before planning is fully complete), which increases risk. Crashing does not change the sequence of activities; it shortens them by adding resources.
C. It involves a re-evaluation of project requirements and/or scope.
This describes scope reduction or a change control process, not crashing. A core principle of crashing is that the project scope and requirements remain intact. If the scope is re-evaluated and reduced to save time, that is a different technique altogether and is not classified as crashing.
Reference
The Project Management Institute (PMI) "A Guide to the Project Management Body of Knowledge (PMBOK® Guide)" is the global standard for project management. It clearly defines schedule compression techniques, distinguishing "Crashing" (adding resources to reduce schedule duration for the least incremental cost) from "Fast-tracking" (performing activities in parallel). While the IIA does not produce the PMBOK, it recognizes these standard project management frameworks as essential knowledge for internal auditors.
An organization is considering outsourcing its IT services, and the internal auditor is assessing the related risks. The auditor grouped the related risks into three categories:
- Risks specific to the organization itself.
- Risks specific to the service provider.
- Risks shared by both the organization and the service provider.
Which of the following risks should the auditor classify as specific to the service provider?
A. Unexpected increases in outsourcing costs.
B. Loss of data privacy.
C. Inadequate staffing.
D. Violation of contractual terms.
Summary
This question requires the internal auditor to correctly categorize risks in an IT outsourcing arrangement based on the primary party responsible. Risks specific to the service provider are those whose origin and primary control lie directly with the provider's own management, operations, and integrity. The other party (the organization) is impacted by the risk but does not directly control its root cause.
Correct Option
D. Violation of contractual terms.
This risk is specific to the service provider. A violation of the contract, such as failing to meet a service level agreement (SLA) or not complying with security standards, is an action or failure that originates directly from the provider. The organization can monitor for violations and enforce penalties, but it cannot control the provider's decision to adhere to the terms. The root cause of the violation rests solely with the provider.
Incorrect Option
A. Unexpected increases in outsourcing costs.
This is best classified as a risk specific to the organization. While the service provider might raise prices, the organization's failure to negotiate a contract with clear, fixed pricing terms and cost escalation clauses is the root cause of this financial risk. The organization bears the financial impact and controls its own contracting process.
B. Loss of data privacy.
This is a shared risk. The service provider is responsible for implementing technical and physical controls to protect the data. However, the organization retains ultimate accountability for the data and is responsible for conducting due diligence and requiring specific privacy controls in the contract. A failure by either party can lead to a data privacy breach.
C. Inadequate staffing.
This is a shared risk. The service provider has the primary responsibility for staffing its teams with qualified personnel. However, the organization shares in this risk if it does not define required skill sets in the contract or if its own management fails to provide adequate oversight and feedback on the provider's staff performance.
Reference
The IIA's Global Technology Audit Guide (GTAG), particularly those related to IT outsourcing and third-party risk management, provides frameworks for categorizing risks in such relationships. These guides emphasize that while risks can be shared, the primary responsibility for operational execution and contractual compliance lies with the service provider.
An internal auditor identified a database administrator with an incompatible dual role. Which of the following duties should not be performed by the identified administrator?
A. Designing and maintaining the database.
B. Preparing input data and maintaining the database.
C. Maintaining the database and providing its security.
D. Designing the database and providing its security.
Summary
This question tests the core internal control principle of segregation of duties, specifically within IT functions. A key conflict exists between a user's ability to initiate or change data and their ability to control the underlying database. The role of a database administrator (DBA), who has powerful access to the entire database, must be segregated from the duties of those who create or modify the transactional data within it to prevent unauthorized or undetected data manipulation.
Correct Option
B. Preparing input data and maintaining the database.
This combination creates a high-risk scenario. "Preparing input data" is a user function that involves creating or modifying transactional records. "Maintaining the database" is a DBA function with elevated privileges. Combining these allows an individual to both create fraudulent transactions and then use their administrative powers to conceal the activity by directly altering logs or tables, effectively performing and hiding an error or fraud without independent oversight.
Incorrect Option
A. Designing and maintaining the database.
These are both logical and core technical functions of a DBA role. There is no inherent conflict as both are design and control-oriented duties focused on the database's structure and performance, not on the transactional data within it. This is a standard combined duty for this job function.
C. Maintaining the database and providing its security.
These two duties are complementary and are typically combined within the DBA role. Maintaining the database (e.g., performance tuning, backups) and managing its security (e.g., user access controls) are both system-level, custodial functions. They do not involve the initiation or authorization of business transactions, so combining them does not create a segregation of duties conflict.
D. Designing the database and providing its security.
Similar to option A and C, these are both system-level, architectural functions. Designing the database structure and defining its security model are closely related and foundational IT control activities. There is no inherent conflict in having the same person or role perform both of these high-level design and control tasks.
Reference
The IIA's IPPF and related guidance on IT governance and controls stress the importance of segregating incompatible functions. A fundamental rule is to separate the duties of those who have access to data (users) from those who control the database environment (DBAs). Combining data preparation with database administration privileges violates this principle and creates an unacceptable risk of undetected fraud or error.
An organization buys equity securities for trading purposes and sells them within a short time period. Which of the following is the correct way to value and report those securities at a financial statement date?
A. At fair value with changes reported in the shareholders' equity section.
B. At fair value with changes reported in net income.
C. At amortized cost in the income statement.
D. As current assets in the balance sheet.
Summary
This question tests knowledge of accounting standards for different types of financial investments. The key distinction is the holder's intent. Securities bought with the intent to sell them in the short term for a profit are classified as "trading securities." The accounting rules require these assets to be reported at their current market value on the balance sheet, with any unrealized gains or losses flowing through the income statement, as this best reflects the trading activity's impact on profitability.
Correct Option
B. At fair value with changes reported in net income.
This is the correct accounting treatment for "trading securities." They are reported on the balance sheet at their fair value (market price) at the reporting date. The unrealized gains and losses from the change in fair value during the period are recognized in the income statement as part of net income. This treatment provides a transparent view of the profit or loss generated by the organization's active trading activities within the period.
Incorrect Option
A. At fair value with changes reported in the shareholders' equity section.
This describes treatments in which fair value changes bypass net income: "available-for-sale" securities under legacy US GAAP (ASC 320, before ASU 2016-01 moved equity securities to ASC 321 and fair value through net income), or equity investments for which the entity makes the irrevocable election under IFRS 9 to present fair value changes in other comprehensive income. In both cases the changes are recorded in Other Comprehensive Income (OCI), which is part of equity, not in the income statement. Neither treatment is available for securities held for trading, where the short-term profit intent requires income statement recognition.
C. At amortized cost in the income statement.
Amortized cost is primarily used for debt securities held to maturity, where the intent is to collect contractual cash flows. It is not used for equity securities or for trading portfolios. The income statement reflects interest income and realized gains/losses, not periodic fair value changes, making this method inappropriate for actively traded securities.
D. As current assets in the balance sheet
While trading securities are indeed classified as current assets due to the intent to sell them quickly, this option is incomplete. It only addresses the balance sheet classification and ignores the critical accounting rules for how they are valued (at fair value) and, most importantly, where the changes in value are reported (in net income). Therefore, it does not fully answer the question.
Reference
The financial accounting standards that govern this treatment are the International Financial Reporting Standards (IFRS), specifically IFRS 9, "Financial Instruments," and its US GAAP counterparts, ASC 320, "Investments - Debt and Equity Securities" (debt securities) and ASC 321, "Investments - Equity Securities" (equity securities, since ASU 2016-01). These standards mandate the fair value through profit or loss (net income) model for financial assets held for trading.
According to Herzberg's Two-Factor Theory of Motivation, which of the following is a factor mentioned most often by satisfied employees?
A. Security.
B. Status.
C. Recognition.
D. Relationship with coworkers.
Summary
This question tests the understanding of Herzberg's Two-Factor Theory, which classifies workplace factors into two categories. Hygiene factors (e.g., salary, security, policies) prevent dissatisfaction but do not motivate. Motivators (intrinsic to the job itself) are the true drivers of satisfaction and motivation. The question asks for the factor most often cited by satisfied employees, which must be a motivator, not a hygiene factor.
Correct Option
C. Recognition.
According to Herzberg's research, "Recognition" is a core motivator. Satisfied employees frequently mention factors related to achievement, the work itself, responsibility, and recognition for their accomplishments. These intrinsic factors lead to job satisfaction and motivate employees to perform better. Recognition validates an employee's achievement and is directly linked to the content of the work itself, making it a powerful satisfier.
Incorrect Option
A. Security.
Security is classified as a hygiene factor. While a lack of job security can cause significant dissatisfaction, its presence is expected and does not actively create satisfaction or motivation. It is a baseline condition. Satisfied employees are motivated by more than just the absence of negative factors; they are driven by positive, growth-oriented motivators like recognition.
B. Status.
Status is considered a hygiene factor in Herzberg's model. It relates to the job's position or title within the organization. Like company policies or salary, a perceived lack of status can cause dissatisfaction, but its presence is not a primary source of genuine, lasting satisfaction mentioned by motivated employees. It is extrinsic to the work itself.
D. Relationship with coworkers.
Interpersonal relationships are a hygiene factor. Poor relationships with peers or supervisors can be a major source of dissatisfaction. However, good relationships are considered a standard part of the work environment. While pleasant, they are not the primary motivator that Herzberg found satisfied employees most frequently citing; that distinction belongs to intrinsic job content factors.
Reference
The theory is based on the research of Frederick Herzberg as published in his 1968 Harvard Business Review article "One More Time: How Do You Motivate Employees?" and his book "The Motivation to Work." His findings identified achievement, recognition, the work itself, responsibility, and advancement as the true motivators (satisfiers) that lead to job satisfaction.
According to Maslow's hierarchy of needs theory, which of the following best describes a strategy where a manager offers an assignment to a subordinate specifically to support his professional growth and future advancement?
A. Esteem by colleagues.
B. Self-fulfillment.
C. Sense of belonging in the organization.
D. Job security.
Which component of an organization's cybersecurity risk assessment framework would allow management to implement user controls based on a user's role?
A. Prompt response and remediation policy
B. Inventory of information assets
C. Information access management
D. Standard security configurations
Which of the following can be viewed as a potential benefit of an enterprisewide resource planning system?
A. Real-time processing of transactions and elimination of data redundancies.
B. Fewer data processing errors and more efficient data exchange with trading partners.
C. Exploitation of opportunities and mitigation of risks associated with e-business.
D. Integration of business processes into multiple operating environments and databases.
During a review of the accounts payable process, an internal auditor gathered all of the vendor payment transactions for the past 24 months. The auditor then used an analytics tool to identify the top five vendors that received the highest sum of payments. Which of the following analytics techniques did the auditor apply?
A. Process analysis.
B. Process mining.
C. Data analysis.
D. Data mining.