An internal auditor considers the financial statement of an organization as part of a financial assurance engagement. The auditor expresses the organization's electricity and depreciation expenses as a percentage of revenue to be 10% and 7%, respectively. Which of the following techniques was used by the internal auditor in this calculation?
Answer : B
Vertical analysis expresses each financial statement item as a percentage of a base figure (e.g., revenue). In this case, the internal auditor calculates electricity and depreciation expenses as a percentage of revenue, which is a clear application of vertical analysis.
Analysis of Each Option:
(A) Horizontal analysis:
Compares financial data across different periods to identify trends and growth.
The given scenario does not compare financial statements over time, making this incorrect.
(B) Vertical analysis (Correct Answer):
Expresses each line item as a percentage of a base figure (e.g., revenue for income statements, total assets for balance sheets).
In this case, electricity and depreciation expenses are calculated as a percentage of revenue, confirming vertical analysis.
(C) Ratio analysis:
Involves calculating financial ratios (e.g., profitability, liquidity, efficiency).
This scenario does not involve ratios but rather percentage-based comparisons, making it incorrect.
(D) Trend analysis:
Identifies patterns over multiple periods (e.g., revenue growth over five years).
The question does not involve time-based comparisons, so this answer is incorrect.
IIA Reference:
IIA Practice Guide: Internal Audit and Financial Reporting -- Recommends vertical analysis for financial statement assessment.
IIA Standard 2320 -- Analysis and Evaluation -- Requires auditors to apply relevant analytical techniques, including percentage-based evaluations.
COSO Internal Control Framework -- Financial Reporting Component -- Supports financial data analysis techniques such as vertical and horizontal analysis.
Conclusion:
Since the auditor expressed financial statement items as a percentage of revenue, option (B) is the correct answer.
Which of the following is a distinguishing feature of managerial accounting, which is not applicable to financial accounting?
Answer : D
Managerial accounting differs from financial accounting in that it focuses on internal decision-making, cost control, and performance evaluation based on predetermined standards. Unlike financial accounting, which follows GAAP (Generally Accepted Accounting Principles) for external reporting, managerial accounting sets internal benchmarks to guide operational efficiency and strategic planning.
Key Reasons Why Option D is Correct:
Use of Predetermined Standards:
Managerial accounting often uses standard costing, budgets, and variance analysis to compare actual performance against pre-set benchmarks.
This helps management make data-driven decisions and improve efficiency.
Internal Decision-Making:
Managerial accounting reports are used by internal stakeholders (e.g., managers, executives) rather than external entities.
Control and Performance Measurement:
It focuses on variance analysis (actual vs. expected performance) to highlight areas requiring corrective action.
Not Governed by GAAP:
Unlike financial accounting, managerial accounting does not require compliance with GAAP or IFRS since it is meant for internal use only.
Why Other Options Are Incorrect:
A. Managerial accounting uses double-entry accounting and cost data:
While cost data is relevant to managerial accounting, double-entry accounting is a fundamental principle of all accounting systems, including financial accounting.
B. Managerial accounting uses generally accepted accounting principles (GAAP):
GAAP is required for financial accounting (external reporting), but managerial accounting does not follow GAAP since it focuses on internal decision-making.
C. Managerial accounting involves decision making based on quantifiable economic events:
While managerial accounting analyzes economic data, its distinguishing feature is using predetermined standards to evaluate and improve performance, which makes Option D the best choice.
IIA Reference:
IIA Standard 2110 -- Governance: Internal auditors should assess decision-making processes, including managerial accounting techniques.
IIA Standard 2120 -- Risk Management: Cost control and budget variance analysis are key components of risk management.
COSO Framework -- Performance Monitoring: Emphasizes variance analysis, which aligns with predetermined standards in managerial accounting.
Thus, the correct answer is D. Managerial accounting involves decision making based on predetermined standards.
Which of the following situations best illustrates a "false positive" in the performance of a spam filter?
Answer : D
A false positive occurs when a system incorrectly identifies a legitimate item as a threat or an unwanted entity. In the case of a spam filter, a false positive happens when the filter mistakenly classifies a genuine email as spam, even though it is legitimate.
Analysis of Each Option:
Option A: 'The spam filter removed incoming communication that included certain keywords and domains.'
This describes a general filtering mechanism but does not indicate a mistake. If the filter was correctly configured, it is not necessarily a false positive. (Incorrect)
Option B: 'The spam filter deleted commercial ads automatically, as they were recognized as unwanted.'
If the ads were indeed unwanted, this is a true positive, meaning the system worked correctly. (Incorrect)
Option C: 'The spam filter routed to the "junk" folder a newsletter that appeared to include links to fake websites.'
If the newsletter contained suspicious links, the filter was functioning as designed. This is not necessarily an error. (Incorrect)
Option D: 'The spam filter blocked a fitness club gift card that coworkers sent to an employee for her birthday.'
This is a clear example of a false positive because the email was not spam or malicious, yet the filter mistakenly blocked it. (Correct Answer)
IIA Reference:
IIA GTAG (Global Technology Audit Guide) on Cybersecurity and IT Risks: Discusses false positives and negatives in automated security controls.
IIA's 'Auditing IT Security Controls' Report: Emphasizes the need for tuning security filters to reduce false positives.
COBIT 2019 -- DSS05.07 (Manage Security Services): Highlights the importance of minimizing false positives to ensure business communication is not disrupted.
Thus, the correct answer is D. The spam filter blocked a fitness club gift card that coworkers sent to an employee for her birthday.
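As an added illustration (not part of the original answer), the four outcomes above can be made concrete by scoring a toy keyword-based filter against a constructed, hand-labelled mailbox; the keyword rules, the sample messages and their labels are all assumptions for the example, and the birthday gift-card message reproduces the option D scenario:

```python
# Added example: score a toy keyword spam filter against constructed,
# hand-labelled emails to show what a "false positive" is in practice.
# The rules, messages and labels are assumptions made up for illustration.
from dataclasses import dataclass

# Constructed rules a naive filter might use: any keyword hit => flagged as spam.
SPAM_KEYWORDS = ("gift card", "free", "click here", "limited offer")

@dataclass
class Email:
    subject: str
    body: str
    is_spam: bool   # ground truth assigned by a human reviewer

def filter_flags_spam(email: Email) -> bool:
    """Toy filter: flag the message if any rule keyword appears in subject or body."""
    text = f"{email.subject} {email.body}".lower()
    return any(kw in text for kw in SPAM_KEYWORDS)

def classify_outcome(email: Email) -> str:
    """Compare the filter's verdict with the reviewer's label and name the outcome."""
    flagged = filter_flags_spam(email)
    if flagged and email.is_spam:
        return "true positive"      # spam correctly blocked
    if flagged and not email.is_spam:
        return "false positive"     # legitimate mail wrongly blocked (option D)
    if not flagged and email.is_spam:
        return "false negative"     # spam that was delivered anyway
    return "true negative"          # legitimate mail correctly delivered

def confusion_counts(emails) -> dict:
    """Tally outcomes; the false-positive count is what tuning aims to drive down."""
    counts = {"true positive": 0, "false positive": 0,
              "false negative": 0, "true negative": 0}
    for e in emails:
        counts[classify_outcome(e)] += 1
    return counts

# Constructed sample mailbox (labels are the reviewer's ground truth).
SAMPLE = [
    Email("Happy birthday!", "We all chipped in for a fitness club gift card.", False),
    Email("Limited offer", "Click here for a FREE cruise", True),
    Email("Q3 budget review", "Draft attached, comments by Friday.", False),
    Email("Your account", "Verify your account at this link to avoid suspension", True),
]

if __name__ == "__main__":
    for e in SAMPLE:
        print(f"{e.subject!r}: {classify_outcome(e)}")
    print(confusion_counts(SAMPLE))
```

The gift-card message is flagged only because "gift card" matches a rule, which is exactly the kind of result an auditor would cite when assessing whether a filter is tuned to avoid disrupting legitimate business communication.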
Which of the following best describes a detective control designed to protect an organization from cyberthreats and attacks?
Answer : B
A detective control is a security measure that identifies and alerts an organization to potential cyberthreats after they occur but before they cause harm. Detective controls do not prevent attacks but help detect them in a timely manner.
Why Option B (Monitoring for vulnerabilities based on industry intelligence) is Correct:
Continuous monitoring for vulnerabilities helps detect emerging threats, security breaches, and weaknesses in IT systems.
Uses threat intelligence feeds, security information and event management (SIEM) systems, and intrusion detection systems (IDS).
Helps organizations respond quickly to cyberattacks by identifying patterns, suspicious activity, or known vulnerabilities.
Why Other Options Are Incorrect:
Option A (A list of trustworthy, good traffic and a list of unauthorized, blocked traffic):
Incorrect because this describes a whitelisting/blacklisting technique, which is a preventive control, not a detective control.
Option C (Comprehensive service level agreements with vendors):
Incorrect because service level agreements (SLAs) ensure contractual obligations, but do not detect security threats.
Option D (Firewall and other network perimeter protection tools):
Incorrect because firewalls are preventive controls, designed to block unauthorized access, not detect threats after they occur.
IIA Reference:
IIA GTAG -- 'Auditing Cybersecurity Risks': Discusses detective controls such as vulnerability monitoring and threat intelligence.
COBIT 2019 -- DSS05 (Manage Security Services): Recommends continuous monitoring for cyber threats as a detective control.
NIST Cybersecurity Framework -- Detect Function: Highlights vulnerability management and threat monitoring as key detective measures.
Thus, the correct answer is B. Monitoring for vulnerabilities based on industry intelligence.
The chief audit executive hired a consultant to update the internal audit function's methodologies. Which of the following would best ensure that the internal audit function will adhere to the updated methodologies?
Answer : C
The most effective way to ensure adherence to updated methodologies is through training that reviews and explains the changes in detail. A recorded training session allows all auditors to learn consistently and revisit the content as needed.
Option A improves accessibility but does not ensure understanding or compliance. Option B documents acknowledgment but does not ensure comprehension. Option D provides awareness but lacks sufficient depth.
IIA Practice Guide -- Developing Internal Audit Methodologies.
According to Herzberg's Two-Factor Theory of Motivation, which of the following is a factor mentioned most often by satisfied employees?
Answer : C
The finance department of an organization recently undertook an asset verification exercise. The internal audit function scheduled a review of the IT department's operations, which includes verifying the existence of computers distributed and their assignment. Can the internal audit function consider relying on the asset verification work performed by the finance department?
Answer : A
Internal audit may rely on the work of other internal assurance providers (such as finance or compliance), provided it has assessed the adequacy, competence, and objectivity of the work. This avoids duplication and increases efficiency.
Option B incorrectly assumes internal work cannot be relied upon. Option C shifts responsibility inappropriately. Option D ignores coordination opportunities.
IIA Standards -- Standard 2050: Coordination and Reliance.