When determining the level of physical controls required for a workstation, which of the following factors should be considered?
A. Ease of use.
B. Value to the business.
C. Intrusion prevention.
D. Ergonomic model.
Explanation:
When determining the level of physical controls required for a workstation (e.g., locks, secure rooms, surveillance, access badges), the primary factor to consider is the value to the business—which encompasses the sensitivity and criticality of the data processed, the importance of the applications hosted, and the cost of replacement or recovery. This value directly drives the risk assessment that dictates the appropriate level of physical security. Higher-value workstations (e.g., those handling financial records, personally identifiable information, or trade secrets) require stronger physical controls, while lower-value assets may warrant minimal protection. This aligns with the fundamental principle of risk-based security: protect assets in proportion to their value and the risk of loss.
Why the other options are incorrect:
A. Ease of use. Physical controls should not be compromised for convenience. Security and usability must be balanced, but ease of use is not a primary driver for determining the level of physical control—it is a secondary consideration in control design.
C. Intrusion prevention.This is a category of controls, not a factor to consider. Intrusion prevention systems (e.g., locks, alarms) are the means of physical protection, but the level of such controls is determined by the asset's business value and risk exposure.
D. Ergonomic model. Ergonomics relates to user comfort, health, and productivity (keyboard height, monitor placement, chair design). It has no bearing on the physical security requirements for preventing unauthorized access or theft.
References:
IIA GTAG – Information Security Governance: Emphasizes that physical security controls must be commensurate with the value and sensitivity of the assets being protected. A risk-based approach is fundamental.
An internal auditor is reviewing results from software development integration testing. What is the purpose of integration testing?
A. To verify that the application meets stated user requirements.
B. To verify that standalone programs match code specifications
C. To verify that the application would work appropriately for the intended number of users.
D. To verify that all software and hardware components work together as intended
Explanation:
Integration testing is a phase of the software development life cycle (SDLC) where individual software modules, subsystems, and hardware components are combined and tested as a group to ensure they interact correctly and function together as a cohesive system. The primary purpose is to identify interface defects, data flow issues, and communication errors between components that may not be detectable when each unit is tested in isolation. It verifies that the integrated system meets its overall design specifications and that all dependencies work harmoniously.
Why the other options are incorrect:
A. To verify that the application meets stated user requirements. This is the purpose of User Acceptance Testing (UAT), which occurs after integration testing and validates that the system fulfills business needs from the end-user perspective.
B. To verify that standalone programs match code specifications.This describes Unit Testing, where individual modules are tested in isolation against their specific code specifications. Integration testing occurs after unit testing.
C. To verify that the application would work appropriately for the intended number of users. This is the purpose of Performance/Load Testing, which evaluates system behavior under expected or peak user loads. It is not the goal of integration testing.
References:
IIA GTAG – Auditing IT Projects / System Implementations: Defines integration testing as the phase where software and hardware components are combined and tested to verify interoperability and interface integrity.
A multinational organization allows its employees to access work email via personal smart devices. However, users are required to consent to the installation of mobile device management (MDM) software that will remotely wipe data in case of theft or other incidents. Which of the following should the organization ensure in exchange for the employees' consent?
A. That those employees who do not consent to MDM software cannot have an email account.
B. That personal data on the device cannot be accessed and deleted by system administrators.
C. That monitoring of employees' online activities is conducted in a covert way to avoid upsetting them
D. That employee consent includes appropriate waivers regarding potential breaches to their privacy
Explanation:
When an organization implements Mobile Device Management (MDM) with remote wipe capabilities on employees' personal smart devices, it creates a significant privacy risk—the ability to delete all data on the device, including the employee's personal photos, contacts, and files. In exchange for obtaining the employee's consent to install such intrusive software, the organization has a corresponding ethical and legal obligation to ensure that system administrators cannot access or delete the employee's personal data. This is typically achieved through containerization (separating corporate and personal data) or by configuring the MDM to wipe only the corporate partition, leaving personal content untouched. This balances the organization's security needs with the employee's privacy rights.
Why the other options are incorrect:
A. That those employees who do not consent to MDM software cannot have an email account. This is a possible enforcement mechanism, but it is not the exchange the organization must provide for consent. The question asks what the organization should ensure in exchange for consent—privacy protection, not a penalty for refusal.
C. That monitoring of employees' online activities is conducted in a covert way to avoid upsetting them. Covert monitoring is generally unethical and often illegal. Organizations must have clear, transparent policies regarding monitoring; secrecy undermines trust and violates privacy laws.
D. That employee consent includes appropriate waivers regarding potential breaches to their privacy. A waiver of privacy rights is not an adequate "exchange." Employees cannot fully waive fundamental privacy protections, and the organization should proactively protect personal data, not merely seek to limit liability through waivers.
References:
IIA GTAG – Auditing Bring Your Own Device (BYOD): Emphasizes that organizations must balance security controls (like remote wipe) with employee privacy rights, typically through containerization and clear policies that ensure personal data is not accessed or deleted by administrators.
Which of the following is most appropriately placed in the financing section of an organization's cash budget?
A. Collections from customers
B. Sale of securities.
C. Purchase of trucks.
D. Payment of debt, including interest
Explanation:
A cash budget is divided into three main sections:
Operating (Receipts and Disbursements) – day-to-day cash inflows and outflows.
Investing – cash flows from buying/selling long-term assets.
Financing – cash flows related to borrowing, repaying debt, and equity transactions.
The financing section includes cash flows from obtaining or repaying capital, such as loan repayments, interest payments, dividend payments, and proceeds from issuing stock or bonds. Therefore, payment of debt, including interest, is the most appropriate item to place in the financing section, as it directly relates to the organization's capital structure and debt obligations.
Why the other options are incorrect:
A. Collections from customers. This is an operating cash receipt from the organization's core business activities (sales), not a financing activity.
B. Sale of securities. This is ambiguous. If "securities" refers to equity or debt securities issued by the organization, it would be financing. However, in standard financial terminology, "sale of securities" typically means trading securities (investments) held by the organization, which falls under investing activities. The question uses "sale of securities" in the context of marketable securities, making it an investing activity.
C. Purchase of trucks. This is an investing cash outflow, as trucks are long-term productive assets (property, plant, and equipment), not a financing transaction.
References:
CIA Part 3 Syllabus – Financial Management / Cash Budgeting: Tests the candidate's understanding of the three sections of a cash budget: operating, investing, and financing.
Corporate Finance / Managerial Accounting: The financing section includes debt-related cash flows (borrowing, repayments, interest), equity transactions, and dividend payments.
According to The IIA's Three Lines Model, which of the following IT security activities is commonly shared by all three lines?
A. Assessments of third parties and suppliers.
B. Recruitment and retention of certified IT talent.
C. Classification of data and design of access privileges.
D. Creation and maintenance of secure network and device configuration.
Explanation:
According to The IIA's Three Lines Model, the three lines work together to achieve effective risk management and governance. Data classification and access privilege design is a core security activity that requires collaboration across all three lines:
First line (operational management) implements and maintains access controls, applying least privilege principles to ensure employees have only the access needed for their roles.
Second line (risk, compliance, InfoSec) provides oversight, establishes policies, monitors compliance, and challenges the design of access privileges to ensure alignment with risk appetite.
Third line (internal audit) provides independent assurance that data classification and access controls are designed effectively and operating as intended.
This shared responsibility—from implementation to oversight to assurance—makes it the most appropriate choice for an activity commonly shared by all three lines.
Why the other options are incorrect:
A. Assessments of third parties and suppliers. This is primarily a second-line function (e.g., Third-Party Risk Management). While internal audit (third line) may review this process, the first line does not typically perform supplier assessments.
B. Recruitment and retention of certified IT talent. This is a first-line HR/operational activity. The second line may set policy, and the third line may assess staffing adequacy, but it is not a security control actively executed or shared by all three lines.
D. Creation and maintenance of secure network and device configuration. This is a hands-on first-line technical activity performed by network/system administrators. While the second line provides oversight and the third line provides assurance, the actual creation and maintenance are not shared activities—they are executed by the first line.
References:
The IIA's Three Lines Model (2017/2020): Defines the roles: first line (operational management) owns risks and controls; second line (risk/compliance/security) provides oversight and challenge; third line (internal audit) provides independent assurance. Data classification and access control require coordination across all lines to ensure effective governance.
An organization that soils products to a foreign subsidiary wants to charge a price that wilt decrease import tariffs. Which of the following is the best course of action for the organization?
A. Decrease the transfer price
B. Increase the transfer price
C. Charge at the arm's length price
D. Charge at the optimal transfer price
Explanation:
To decrease import tariffs on goods sold to a foreign subsidiary, the organization should decrease the transfer price. The customs value—the basis upon which import tariffs are calculated—is typically derived from the invoice price of the goods. By lowering this intercompany price, the organization directly reduces the dutiable value, thereby decreasing the tariff liability .
This creates a direct trade-off: a lower transfer price minimizes tariffs but increases the taxable profit of the importing entity, while a higher transfer price inflates tariffs but reduces taxable profit in the import country . Organizations must weigh the cost of cross-border duties against their income tax exposure.
Why the other options are incorrect:
B. Increase the transfer price. This would increase the customs value and therefore increase import tariffs—the opposite of the desired outcome .
C. Charge at the arm's length price. While the arm's length principle is the internationally accepted standard for transfer pricing, it is not a tactical tool for decreasing tariffs . Charging the arm's length price simply satisfies tax compliance; it does not inherently minimize tariff exposure . Moreover, tax authorities and customs have different valuation criteria, and a price accepted for tax purposes may not be acceptable for customs .
D. Charge at the optimal transfer price. This is vague. While "optimal" could theoretically include tariff minimization, the specific tactic for reducing tariffs is to lower the transfer price—making option A the precise, actionable answer .
References:
Customs Valuation: Under the WTO Valuation Agreement, the transaction value (typically the invoice price) is the primary basis for customs value and tariff calculation .
Transfer Pricing & Tariffs: Lower transfer prices directly reduce customs value and tariff costs, though this must be balanced against income tax consequences .
What is the primary purpose of data and systems backup?
A. To restore all data and systems immediately after the occurrence of an incident.
B. To set the maximum allowable downtime to restore systems and data after the occurrence of an incident.
C. To set the point in time to which systems and data must be recovered after the occurrence of an incident.
D. To restore data and systems to a previous point in time after the occurrence of an incident
Explanation:
The primary purpose of data and systems backup is to create recoverable copies of information and system configurations that can be used to restore operations to a previous point in time following an incident—such as hardware failure, cyberattack (e.g., ransomware), human error, or natural disaster. Backups are the fundamental mechanism for recovery, enabling the organization to retrieve lost or corrupted data and resume business functions. Without backups, restoration is impossible; with them, the organization can roll back to a known good state (defined by the Recovery Point Objective – RPO) and recover from the disruption.
Why the other options are incorrect:
A. To restore all data and systems immediately after the occurrence of an incident.
This describes the Recovery Time Objective (RTO) and near-instantaneous recovery, which is the goal of hot sites or real-time replication, not the purpose of backups themselves. Backups enable recovery, but not necessarily immediate recovery.
B. To set the maximum allowable downtime to restore systems and data after the occurrence of an incident.
This defines the Recovery Time Objective (RTO)—a business continuity metric, not the purpose of backups. Backups are the means; RTO is the target.
C. To set the point in time to which systems and data must be recovered after the occurrence of an incident.
This defines the Recovery Point Objective (RPO)—a metric that specifies the maximum acceptable data loss. Backups help achieve the RPO, but the purpose of backups is restoration, not setting the metric.
References:
IIA GTAG – Business Continuity Management: Defines backups as the foundational recovery mechanism used to restore data and systems to a prior state after an incident.
IIA CIA Part 3 Syllabus – IT / Business Continuity & Disaster Recovery: Tests the candidate's understanding that backups enable restoration to a previous point, distinct from RTO and RPO, which are performance metrics.
In accounting, which of the following statements is true regarding the terms debit and credit?
A. Debit indicates the right side of an account and credit the left side
B. Debit means an increase in an account and credit means a decrease.
C. Credit indicates the right side of an account and debit the left side.
D. Credit means an increase in an account and debit means a decrease
Explanation:
In double-entry accounting, debit and credit are directional terms that indicate the side of an account where a transaction is recorded:
Debit (Dr.) always refers to the left side of an account.
Credit (Cr.) always refers to the right side of an account.
This is a fixed, universal rule in accounting, regardless of whether the account is an asset, liability, equity, revenue, or expense. The effect of a debit or credit (increase or decrease) depends on the type of account—not on the term itself. For example, a debit increases asset and expense accounts but decreases liability, equity, and revenue accounts. However, the side of the T-account is always consistent: debit = left, credit = right.
Why the other options are incorrect:
A. Debit indicates the right side of an account and credit the left side.
This is the exact opposite of the correct rule. Debit is left; credit is right.
B. Debit means an increase in an account and credit means a decrease.
This is false because the effect depends on the account type. For example, a debit increases an asset but decreases a liability. This statement is an oversimplification that ignores the account classification.
D. Credit means an increase in an account and debit means a decrease.
This is also false for the same reason. A credit increases liabilities and revenues but decreases assets and expenses. The effect is not fixed.
References:
GAAP / Double-Entry Accounting: The foundational rule is that debits are recorded on the left side of an account, and credits on the right side. The effect on account balances depends on the account type (asset, liability, equity, revenue, expense).
CIA Part 3 Syllabus – Financial Management / Accounting: Tests the candidate's understanding of the fundamental accounting equation and the mechanics of debits and credits.
Which of the following describes a third-party network that connects an organization specifically with its trading partners?
A. Value-added network (VAN).
B. Local area network (LAN).
C. Metropolitan area network (MAN).
D. Wide area network (WAN).
Explanation:
A Value-Added Network (VAN) is a private, third-party managed network that is specifically designed to facilitate secure, reliable, and standardized electronic data interchange (EDI) between an organization and its trading partners (e.g., suppliers, customers, logistics providers). VANs provide value-added services beyond basic data transmission, such as protocol translation, message validation, data encryption, audit trails, and store-and-forward capabilities. They are the traditional backbone for B2B e-commerce and supply chain communication, ensuring that business documents (e.g., purchase orders, invoices, shipping notices) are exchanged accurately and securely between external partners.
Why the other options are incorrect:
B. Local area network (LAN).
A LAN is a network confined to a small geographic area (e.g., a single office or building) that connects internal devices. It does not connect an organization to external trading partners.
C. Metropolitan area network (MAN).
A MAN spans a larger geographic area than a LAN, typically a city or metropolitan region. While it may connect multiple buildings, it is not specifically designed for trading partner communication.
D. Wide area network (WAN).
A WAN spans large geographic distances (e.g., countries or continents) and connects multiple LANs. While a VAN can operate over a WAN infrastructure, a WAN itself is a general-purpose network, not specifically a third-party network for trading partner EDI.
References:
IIA GTAG – Auditing Electronic Data Interchange (EDI) and VANs: Defines VANs as third-party networks that provide secure, managed EDI services for trading partner communication, including data translation and audit trails.
Which of the following physical access control is most likely to be based on ’’something you have" concept?
A. A retina characteristics reader
B. A P3M code reader
C. A card-key scanner
D. A fingerprint scanner
Explanation:
Physical access controls are categorized based on the three authentication factors:
Something you know (e.g., PIN, password)
Something you have (e.g., card-key, token, smart card, key fob)
Something you are (e.g., fingerprint, retina, voice)
A card-key scanner reads a physical credential (an access card or proximity card) that the user must possess to gain entry. This is the classic example of a "something you have" factor, as the user presents a tangible item that contains encoded identification data. The scanner validates the card's credentials and grants access if authorized.
Why the other options are incorrect:
A. A retina characteristics reader. This is a biometric control based on "something you are"—the unique pattern of blood vessels in the retina. It does not rely on possession.
B. A PIN code reader. This is based on "something you know"—a numeric secret that the user must memorize and enter. It is a knowledge-based factor, not possession-based.
D. A fingerprint scanner. This is another biometric control based on "something you are"—the unique ridge pattern of a fingerprint. It is not based on possession.
References:
IIA GTAG – Information Security Governance: Defines the three authentication factors—knowledge, possession, and inherence—and categorizes card-key readers as possession-based controls.
What is the primary purpose of an Integrity control?
A. To ensure data processing is complete, accurate, and authorized.
B. To ensure data being processed remains consistent and intact.
C. To ensure data being processed remains consistent and intact.
D. To ensure the output aligns with the intended result.
Explanation:
An integrity control is designed to protect data from unauthorized modification, corruption, or loss during processing, storage, or transmission. Its primary purpose is to ensure that data remains consistent, accurate, and intact throughout its lifecycle. Integrity controls include mechanisms such as checksums, hashing, parity checks, reconciliation, and edit checks to detect and prevent data alteration or errors. In the context of the CIA Triad (Confidentiality, Integrity, Availability), integrity is specifically about preserving the trustworthiness and completeness of data.
Why the other options are incorrect:
A. To ensure data processing is complete, accurate, and authorized. This is a broader description of application controls in general (encompassing completeness, accuracy, and authorization), not specifically the primary purpose of integrity controls. Integrity controls focus on maintaining data consistency, not all three objectives.
C. To ensure data being processed remains consistent and intact. (This is identical to B.) Since B is the correct answer, C is a duplicate and not a separate valid option.
D. To ensure the output aligns with the intended result. This describes validation or output controls (verifying that outputs are correct), not the specific purpose of integrity controls. Integrity focuses on the data itself during processing, not just final outputs.
References:
IIA GTAG – Information Security Governance: Defines integrity controls as mechanisms to ensure data is not altered or destroyed and remains complete and accurate throughout processing.
IIA CIA Part 3 Syllabus – IT / Security Controls: Tests the candidate's understanding of the CIA Triad, where integrity is specifically about maintaining data consistency and intactness.
Which of the following situations best illustrates a "false positive" in the performance of a spam filter?
A. The spam filter removed Incoming communication that included certain keywords and domains.
B. The spam filter deleted commercial ads automatically, as they were recognized as unwanted.
C. The spam filter routed to the "junk|r folder a newsletter that appeared to include links to fake websites.
D. The spam filter blocked a fitness club gift card that coworkers sent to an employee for her birthday.
Explanation:
A "false positive" occurs when a security control (like a spam filter) incorrectly identifies a legitimate item as malicious or unwanted and takes action against it (e.g., blocks it or routes it to junk). In this scenario, the spam filter blocked a legitimate email—a gift card sent by coworkers for a birthday—mistakenly classifying it as spam. This is a classic false positive because the email was genuine and desired, yet it was incorrectly flagged and blocked.
Why the other options are incorrect:
A. The spam filter removed incoming communication that included certain keywords and domains.
This is a correct action based on predefined rules. If the keywords/domains are known spam indicators, this is a true positive (correctly identified spam), not a false positive.
B. The spam filter deleted commercial ads automatically, as they were recognized as unwanted.
This is also a true positive—commercial ads are typically unwanted and correctly classified as spam. The filter performed as intended.
C. The spam filter routed to the 'junk' folder a newsletter that appeared to include links to fake websites.
If the links were indeed suspicious or fake, this is a true positive—the filter correctly identified a potentially harmful newsletter. Even if the newsletter was legitimate but contained compromised links, the filter acted correctly.
References:
IIA GTAG – Information Security Governance: Defines false positives as instances where a security control incorrectly flags legitimate activity as a threat, leading to unnecessary disruptions and reduced user trust.
| Page 8 out of 41 Pages |
| 234567891011121314 |
| IIA-CIA-Part3 Practice Test Home |
Real-World Scenario Mastery: Our IIA-CIA-Part3 practice exam don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.
Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention, before Certified Internal Auditor Part 3 - Internal Audit Function exam day arrives.
Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive IIA-CIA-Part3 practice exam questions pool covering all topics, the real exam feels like just another practice session.