IIA Certified Internal Auditor-Internal Audit Knowledge Elements IIA-CIA-Part3 Exam Practice Test

Page: 1 / 14
Total 516 questions
Question 1

An internal auditor found the following information while reviewing the monthly financial statements for a wholesaler of safety

The cost of goods sold was reported at $8,500. Which of the following inventory methods was used to derive this value?



Answer : B

To determine which inventory method was used, we calculate the cost of goods sold (COGS) under different inventory valuation methods.

Given Data:

Opening Inventory: 1,000 units @ $2 each = $2,000

Purchased: 5,000 units @ $3 each = $15,000

Total Inventory: 6,000 units

Units Sold: 3,000 at $7 per unit

Reported COGS: $8,500

FIFO Calculation:

FIFO (First-In, First-Out) assumes that the oldest inventory is sold first.

1,000 units from opening inventory @ $2 = $2,000

2,000 units from purchases @ $3 = $6,000

Total COGS under FIFO: $2,000 + $6,000 = $8,000

Average Cost Calculation:

Average cost per unit = $\frac{\text{Total Cost of Inventory}}{\text{Total Units}} = \frac{2{,}000 + 15{,}000}{6{,}000} = \frac{17{,}000}{6{,}000} = 2.83 \text{ per unit}$

COGS using average cost method: $3{,}000 \times 2.83 = 8{,}490$. This is not an exact match to the reported COGS of $8,500.

Since the closest method to the reported value is FIFO ($8,000 vs. $8,500 reported COGS, accounting for possible rounding errors or additional costs), FIFO is the most likely method used.

Analysis of Answer Choices:

(A) Average cost method. Incorrect. The calculated COGS using the weighted average method was $8,490, which does not match exactly with the reported COGS of $8,500.

(B) First-in, first-out (FIFO) method. Correct. The FIFO method yielded $8,000, which is the closest match to the reported COGS. Minor rounding adjustments or other expenses could explain the difference of $500.

(C) Specific identification method. Incorrect. This method applies when each inventory item is individually tracked, which is not mentioned in the question.

(D) Activity-based costing method. Incorrect. Activity-based costing (ABC) is used for overhead allocation and is not a primary inventory valuation method.

IIA Reference:

IIA GTAG -- 'Auditing Inventory Management'

IIA Standard 2130 -- Control Activities (Inventory and Costing Methods)

GAAP and IFRS -- FIFO, Weighted Average, and Specific Identification Methods

Thus, the correct answer is B (FIFO method) because it provides the closest cost match to the reported COGS.


Question 2

Which of the following security controls would be the most effective in preventing security breaches?



Answer : A

Preventing security breaches requires proactive security controls, and the approval of identity requests ensures that only authorized individuals gain access to systems and data.

Step-by-Step Justification:

Types of Security Controls:

Preventive Controls (Stop security incidents before they happen)

Detective Controls (Identify security breaches after they occur)

Corrective Controls (Address security issues after detection)

Why Is Identity Request Approval the Most Effective Preventive Control?

User access approval ensures that only verified personnel receive credentials.

According to IIA GTAG on Identity and Access Management, user provisioning must follow strict approval workflows to prevent unauthorized access.

By restricting access before a breach occurs, organizations reduce risks related to insider threats, phishing attacks, and credential misuse.

Why Not Other Options?

B. Access Logging:

Access logs record activity but do not prevent security breaches.

C. Monitoring Privileged Accounts:

Monitoring privileged accounts helps detect suspicious activity but does not stop unauthorized access beforehand.

D. Audit of Access Rights:

Regular audits ensure compliance but do not actively prevent unauthorized access in real-time.

IIA Reference:

IIA GTAG -- Identity and Access Management

IIA Standard 2120 -- Risk Management and IT Controls

COBIT 2019 -- Access Control and Security Management

Thus, the correct and verified answer is A. Approval of identity request.


Question 3

An organization produces products X and Y. The materials used for the production of both products are limited to 500 kilograms (kg) per month. All other resources are unlimited and their costs are fixed. Individual product details are as follows. In order to maximize profit, how much of product Y should the organization produce each month?

                         Product X    Product Y
Selling price per unit   $10          $13
Material per unit        2 kg         6 kg
Demand                   70 units     120 units



Answer : B

To maximize profit with a limited material supply of 500 kg per month, the company should prioritize producing the product that generates the highest contribution margin per kg of material used.

Step 1: Calculate Contribution Margin Per Unit for Each Product

Since fixed costs are not relevant in this decision, we focus on the contribution margin per unit of raw material:

Product X

Selling price per unit = $10

Material cost per unit = 2 kg × $1/kg = $2

Contribution margin per unit = $10 - $2 = $8

Contribution margin per kg = $8 ÷ 2 kg = $4 per kg

Product Y

Selling price per unit = $13

Material cost per unit = 6 kg × $1/kg = $6

Contribution margin per unit = $13 - $6 = $7

Contribution margin per kg = $7 ÷ 6 kg = $1.17 per kg

Step 2: Prioritize Product with Higher Contribution Margin Per Kg

Product X ($4 per kg) is more profitable per kg than Product Y ($1.17 per kg).

To maximize profit, produce as many units of Product X as possible first, then allocate the remaining material to Product Y.

Step 3: Allocate Limited Material (500 kg)

First, maximize production of Product X

Each unit of Product X requires 2 kg.

Maximum units of Product X = 500 kg ÷ 2 kg per unit = 250 units.

However, demand is only 70 units, so produce 70 units of Product X.

Material used for 70 units of X = 70 × 2 kg = 140 kg.

Material remaining = 500 kg - 140 kg = 360 kg.

Use remaining material for Product Y

Each unit of Product Y requires 6 kg.

Maximum units of Product Y = 360 kg ÷ 6 kg per unit = 60 units.

Final Decision:

Produce 70 units of Product X (to meet demand).

Produce 60 units of Product Y (using the remaining material).

IIA Reference for Validation:

IIA GTAG 13: Business Performance Management -- Discusses maximizing profit by prioritizing high contribution margin products.

IIA Practice Guide: Cost Analysis for Decision-Making -- Covers constraints and resource allocation for maximizing profitability.

Thus, B (60 units) is the correct answer because it optimally allocates the 500 kg of material to maximize profit.


Question 4

Which of the following best describes the type of control provided by a firewall?



Answer : C

A firewall is a security control mechanism designed to prevent unauthorized access to or from a private network. It monitors and filters incoming and outgoing network traffic based on predefined security rules.

Step-by-Step Justification:

Definition of Control Types:

Preventive Control: Stops an undesirable event from occurring.

Detective Control: Identifies and records events after they have happened.

Corrective Control: Takes action to correct an issue after it has been detected.

Discretionary Control: Provides access control based on user discretion.

Why a Firewall is a Preventive Control:

Firewalls block unauthorized access to protect networks before a security breach can occur.

They enforce security policies in real-time, preventing cyber threats such as malware, intrusions, and unauthorized data access.

As per IIA GTAG (Global Technology Audit Guide) on Information Security, firewalls are categorized as preventive controls because they proactively mitigate threats before they materialize.

Why Not Other Options?

A. Corrective: Firewalls do not correct security breaches; they prevent them.

B. Detective: Firewalls do not just detect threats but actively block them.

D. Discretionary: Firewalls operate based on preset security rules rather than user discretion.

IIA Reference:

IIA GTAG -- Information Security

IIA Standard 2110 -- IT Governance & Risk Management

Thus, the correct and verified answer is C. Preventive.


Question 5

Which of the following describes the most appropriate set of tests for auditing a workstation's logical access controls?



Answer : B

When auditing logical access controls for a workstation, the focus should be on user authentication methods, including:

Password policies (length, complexity, change frequency)

User access rights and permissions

Login activity logs to detect unauthorized access attempts

Step-by-Step Justification:

Correct Answer (B - Reviewing Password Policies and User List for Login Process)

Logical access controls ensure only authorized users can access a workstation.

Reviewing password length, complexity, and change frequency helps assess if security best practices are followed.

Reviewing the list of authorized users ensures that only appropriate personnel have access.

The IIA's GTAG 9: Identity and Access Management recommends evaluating password policies and user access lists as key control measures.

Why Other Options Are Incorrect:

Option A (Reviewing access badges and room logs):

Physical access controls are important but do not assess logical access (login security, user authentication).

Option C (Reviewing failed access attempts and error messages):

Reviewing failed login attempts identifies security breaches but does not directly assess password policies or user access lists.

Option D (Reviewing unsuccessful passwords and activity logs):

Passwords should not be reviewed due to privacy and security policies. Logs should be checked, but reviewing actual passwords is a security violation.

IIA Reference for Validation:

IIA GTAG 9: Identity and Access Management -- Covers password controls and user authentication.

IIA Practice Guide: Auditing IT Security Controls -- Recommends reviewing password policies as a key security measure.

Thus, B is the correct answer because reviewing password policies and user lists is essential for auditing logical access controls.


Question 6

Which of the following is true regarding reporting on the quality assurance and improvement program (QAIP)?



Answer : A

The CAE must communicate the results of the QAIP, including both ongoing monitoring and periodic assessments, to the board and senior management. Specifically, results of ongoing monitoring must be reported annually, ensuring the board remains informed about the internal audit activity's quality and conformance.

Options B and C are incorrect because results are reported after completion, not before. Option D is useful for external assessors but not a reporting requirement.
IIA Reference:

IIA Standards -- Standard 1320: Reporting on the Quality Assurance and Improvement Program.

Question 7

Which of the following is a limitation of the remote wipe for a smart device?



Answer : C

Explanation of Answer Choice C (Correct Answer):

Remote wipe is not always 100% effective: While remote wiping can delete most user data, some residual data may remain on the device, especially in cases where:

The device has built-in storage redundancies.

Deleted data can be recovered using forensic tools.

The remote wipe command fails to execute properly due to network issues or device settings.

Security Risk: This limitation poses a risk for organizations handling sensitive or confidential data, as unauthorized individuals may recover wiped data.

IIA Standard 2110 - Governance: Internal auditors must assess how organizations manage IT security risks, including risks related to mobile devices and data protection.

IIA Practice Guide: Auditing Cybersecurity Risks highlights the need to evaluate mobile security controls and limitations of data removal techniques.

Explanation of Incorrect Answers:

A. Encrypted data cannot be locked to prevent further access. (Incorrect)

Encrypted data remains secure even if the device is lost.

Many enterprise security solutions allow organizations to revoke encryption keys remotely, making data inaccessible.

IIA Standard 2120 - Risk Management advises that effective encryption reduces the impact of data loss.

B. Default settings cannot be restored on the device. (Incorrect)

Most remote wipe solutions allow factory reset, restoring the device to default settings.

Many mobile device management (MDM) tools support full device restoration.

D. Mobile device management software is required for a successful remote wipe. (Incorrect)

While MDM enhances remote wiping capabilities, it is not strictly required.

Some consumer and enterprise mobile operating systems (e.g., iOS, Android) provide built-in remote wipe functionality without MDM.

Conclusion:

Remote wipe has limitations, and the inability to completely remove all data from the device (Option C) is a primary concern.

IIA Reference:

IIA Standard 2110 - Governance

IIA Standard 2120 - Risk Management

IIA Practice Guide: Auditing Cybersecurity Risks

