IIA-CIA-Part3 Exam Questions Instant Access

Question 1

When evaluating the help desk services provided by a third-party service provider which of the following is likely to be the internal auditor's greatest concern?

AWhether every call that the service provider received was logged by the help desk.

BWhether a unique identification number was assigned to each issue identified by the service provider

CWhether the service provider used its own facilities to provide help desk services

DWhether the provider's responses and resolutions were well defined according to the service-level agreement.

Answer : D

An internal auditor's primary concern in evaluating third-party help desk services is ensuring that the provider meets Service-Level Agreement (SLA) requirements, particularly regarding response times, issue resolution, and service quality.

Step-by-Step

Correct Answer (D - Whether the provider's responses and resolutions were well defined according to the SLA)

The SLA defines expected service levels, including:

Response and resolution times.

Performance metrics (e.g., first-call resolution rate).

Escalation procedures.

Compliance with contractual obligations.

The IIA Practice Guide: Auditing Third-Party Relationships states that internal auditors must assess SLA compliance as a key control in outsourcing arrangements.

Why Other Options Are Incorrect:

Option A (Whether every call was logged):

While logging all calls is good practice, the focus should be on meeting SLA requirements, not just documentation.

The IIA GTAG 7: Continuous Auditing emphasizes measuring performance, not just recording activities.

Option B (Whether a unique ID was assigned to each issue):

Issue tracking is important, but an ID alone does not guarantee service quality or SLA compliance.

Option C (Whether the provider used its own facilities):

The location of the service provider's facilities does not impact SLA compliance.

IIA Reference for Validation:

IIA Practice Guide: Auditing Third-Party Relationships -- Outlines how auditors should evaluate SLAs and vendor performance.

IIA GTAG 7: Continuous Auditing -- Highlights the importance of performance measurement in outsourced services.

Thus, ensuring the provider meets SLA-defined response and resolution times (D) is the internal auditor's greatest concern.

Question 2

An internal audit engagement team found that the risk register of the project under review did not include significant risks identified by the internal audit function. The project manager explained that risk register preparations are facilitated by risk managers and that each project's risk review follows the same set of questions. Which of the following recommendations will likely add the greatest value to the project management process of the organization?

AUpdate the risk register of the project with the newly identified risks

BTrain senior management on risk management principles

CRevise the methodology of the project risk identification process

DReassign the responsibility of risk register completion to risk managers

Answer : C

The root cause of the missing significant risks lies in the methodology used for risk identification. If the process relies too rigidly on a standard set of questions, it may overlook critical risks. By revising the risk identification methodology, the organization ensures that future projects capture relevant risks comprehensively and consistently, adding long-term value.

Option A addresses only the current project, not the underlying issue. Option B may improve knowledge but does not fix the flawed process. Option D merely shifts responsibility but does not address the methodology weakness.

IIA Standards -- Standard 2120: Risk Management.

Question 3

Which of the following represents a basis for consolidation under the International Financial Reporting Standards?

AVariable entity approach.

BControl ownership.

CRisk and reward.

DVoting interest.

Answer : B

Under International Financial Reporting Standards (IFRS 10 -- Consolidated Financial Statements), an entity is required to consolidate its financial statements based on the control principle rather than ownership percentage alone.

Why Option B (Control ownership) is Correct:

According to IFRS 10, consolidation is required when an entity has control over another entity.

Control is defined as having power over the investee, exposure to variable returns, and the ability to influence those returns.

Even if an entity owns less than 50% of voting rights, it may still have control through contractual arrangements, rights over key decisions, or majority board influence.

Why Other Options Are Incorrect:

Option A (Variable entity approach):

This is a concept used in U.S. GAAP (ASC 810 -- Variable Interest Entities) rather than IFRS. IFRS focuses on the broader control model.

Option C (Risk and reward):

IFRS previously considered risk and reward under IAS 27/SIC-12, but IFRS 10 replaced this with the control model.

Option D (Voting interest):

Voting rights alone do not determine consolidation under IFRS. Control can exist even without majority voting rights through contractual arrangements or potential voting rights.

IIA Reference:

IFRS 10 -- Consolidated Financial Statements: Defines the principle of control for consolidation.

IIA GTAG -- 'Auditing Financial Reporting Risks': Discusses the impact of IFRS consolidation principles.

COSO ERM Framework: Emphasizes risk assessment in financial reporting, including consolidation decisions.

Thus, the correct answer is B. Control ownership.

Question 4

The management of working capital is most crucial for which of the following aspects of business?

ALiquidity

BProfitability

CSolvency

DEfficiency

Answer : A

Working capital management focuses on short-term assets and liabilities to ensure a business has enough cash and liquid assets to meet its short-term obligations. Effective management of working capital directly impacts liquidity, allowing an organization to maintain operational stability.

Let's analyze each option:

Option A: Liquidity.

Correct.

Liquidity refers to an organization's ability to meet its short-term obligations, such as payroll, supplier payments, and operational expenses.

Working capital management ensures sufficient cash flow and current assets to cover immediate liabilities, making liquidity the primary concern.

IIA Reference: Internal auditors assess financial risk by evaluating liquidity management and cash flow strategies. (IIA Practice Guide: Auditing Liquidity Risk Management)

Option B: Profitability.

Incorrect.

While working capital impacts profitability (e.g., through cost control and investment decisions), profitability is more related to revenue and cost management, not just liquidity.

Option C: Solvency.

Incorrect.

Solvency refers to a company's long-term financial stability and its ability to meet debts over time.

Working capital is a short-term financial measure and does not directly determine solvency.

Option D: Efficiency.

Incorrect.

Efficiency relates to resource utilization and operational effectiveness, which are indirectly affected by working capital management but are not its primary focus.

Thus, the verified answer is A. Liquidity.

Question 5

Which type of bond sells at & discount from face value, then increases in value annually until it reaches maturity and provides the owner with the total payoff?

AHigh-yield bonds

BCommodity-backed bonds

CZero coupon bonds

DJunk bonds

Answer : C

A zero-coupon bond is a type of bond that sells at a discount from its face value and gradually increases in value over time until maturity when the bondholder receives the full face value. Unlike regular bonds, zero-coupon bonds do not pay periodic interest (coupons) but instead accumulate interest over the bond's life.

Let's analyze each option:

Option A: High-yield bonds

Incorrect.

High-yield bonds (junk bonds) offer higher interest rates due to higher risk but pay periodic interest rather than being sold at a discount and growing in value over time.

Option B: Commodity-backed bonds

Incorrect.

Commodity-backed bonds are linked to the price of a commodity (e.g., gold, oil) rather than increasing in value over time from an initial discount.

Option C: Zero coupon bonds

Correct.

These bonds are issued at a discount and increase in value each year as interest accrues.

The investor receives the full face value at maturity, which includes the principal and accumulated interest.

IIA Reference: Internal auditors evaluate investment risks, including bond valuation and discount amortization. (IIA Practice Guide: Auditing Investment and Treasury Functions)

Option D: Junk bonds

Incorrect.

Junk bonds are simply high-risk, high-yield bonds that pay interest periodically and do not necessarily sell at a deep discount.

Thus, the verified answer is C. Zero coupon bonds.

Question 6

An organization has decided to allow its managers to use their own smart phones at work. With this change, which of the following is most important to Include In the IT department's comprehensive policies and procedures?

ARequired documentation of process for discontinuing use of the devices

BRequired removal of personal pictures and contacts.

CRequired documentation of expiration of contract with service provider.

DRequired sign-off on conflict of interest statement.

Answer : A

When an organization allows managers to use their own smartphones at work under a Bring Your Own Device (BYOD) policy, IT security and risk management become critical. The most important policy and procedure to include would be documenting the process for discontinuing use of the devices to ensure data security, compliance, and risk mitigation when employees leave the company or change roles.

Why Option A is Correct:

Data Security & Compliance: Ensuring that sensitive company data is removed securely when an employee leaves or replaces a device is crucial to prevent unauthorized access.

Access Control & Endpoint Management: The IT department needs a clear policy to revoke access to corporate applications and networks when a device is no longer in use.

Risk Mitigation: Unauthorized access to company systems through lost, stolen, or retired devices can lead to security breaches.

Why Other Options Are Incorrect:

Option B (Required removal of personal pictures and contacts): Personal data does not impact company security and is irrelevant to corporate IT policies.

Option C (Required documentation of expiration of contract with service provider): This is the employee's responsibility, not the organization's, and does not address security risks.

Option D (Required sign-off on conflict of interest statement): While conflict of interest policies are important, they are unrelated to IT security concerns related to BYOD.

IIA Reference:

IIA's GTAG (Global Technology Audit Guide) on Managing and Auditing IT Vulnerabilities emphasizes the importance of BYOD risk management, including clear procedures for device decommissioning.

IIA's Business Knowledge for Internal Auditing (CIA Exam Syllabus - Part 3) highlights IT governance frameworks that require policies for data access and security when using personal devices.

Thus, the most appropriate answer is A. Required documentation of process for discontinuing use of the devices.

Question 7

A large retail customer made an offer to buy 10,000 units at a special price of $7 per unit. The manufacturer usually sells each unit for $10. Variable manufacturing costs are $5 per unit and fixed manufacturing costs are $3 per unit. For the manufacturer to accept the offer, which of the following assumptions needs to be true?

AFixed and variable manufacturing costs are less than the special offer selling price

BThe manufacturer can fulfill the order without expanding the capacities of the production facilities

CCosts related to accepting this offer can be absorbed through the sale of other products

DThe manufacturer's production facilities are currently operating at full capacity

Answer : B

IIA Certified Internal Auditor-Internal Audit Knowledge Elements IIA-CIA-Part3 Exam Questions