Free IIA IIA-CIA-Part3-3P Practice Questions 2026 - Page 2

Practice Questions

Topic 1: Exam Pool A

Which of the following statements is in accordance with COBIT?

1) Pervasive controls are general while detailed controls are specific.

2) Application controls are a subset of pervasive controls.

3) Implementation of software is a type of pervasive control.

4) Disaster recovery planning is a type of detailed control.

A. 1 and 4 only

B. 2 and 3 only

C. 2, 3, and 4 only

D. 1, 2, and 4 only

A. 1 and 4 only

Explanation:
COBIT (Control Objectives for Information and Related Technology) distinguishes between pervasive (general) controls and detailed (application) controls. Pervasive controls apply across the entire IT environment (e.g., governance, security policies). Detailed controls are specific to individual applications or processes (e.g., input validation, disaster recovery planning).

Correct Option:

A. 1 and 4 only.

Statement 1:
True. Pervasive controls are general, cross-cutting controls (IT governance, security policies). Detailed controls are specific to particular applications or functions.

Statement 4:
True. Disaster recovery planning is considered a detailed (or specific) control because it addresses recovery of specific systems/functions, not the entire pervasive control environment.

Incorrect Options:

Statement 2: False.
Application controls are not a subset of pervasive controls. In COBIT, application controls and pervasive controls are separate categories. Pervasive controls support the overall environment, while application controls operate within specific applications.

Statement 3: False.
Software implementation is an operational activity or change management process, not a type of pervasive control. Pervasive controls include areas like risk assessment, organizational structure, and IT strategy—not the act of implementation.

Why not B, C, or D?

B (2 and 3 only): both statements are false.

C (2, 3, and 4 only): includes false statements 2 and 3.

D (1, 2, and 4 only): includes false statement 2.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (IT Governance / COBIT Framework section); COBIT 5/2019 (Enabling Processes—Pervasive vs. Application Controls); ISACA publications.

Which of the following is not a potential area of concern when an internal auditor places reliance on spreadsheets developed by users?

A. Increasing complexity over time.

B. Interface with corporate systems.

C. Ability to meet user needs.

D. Hidden data columns or worksheets.

C. Ability to meet user needs.

Explanation:
Internal auditors often rely on user-developed spreadsheets for testing or operational review. However, spreadsheets carry inherent risks such as errors, lack of version control, hidden data, complexity creep, and integration issues. The ability to meet user needs is typically the intended benefit, not a concern, when users develop spreadsheets themselves.

Correct Option:

C. Ability to meet user needs.
This is the primary advantage of user-developed spreadsheets, not a concern. Users build spreadsheets specifically to address their unique requirements. Meeting user needs is the goal, not a risk. Therefore, this is correctly identified as "not a potential area of concern" for reliance.

Incorrect Option:

A. Increasing complexity over time.
This is a major concern. Spreadsheets often evolve through undocumented modifications, adding formulas, macros, and links. Complexity increases error risk, reduces auditability, and makes verification difficult. What starts simple becomes fragile and hard to maintain.

B. Interface with corporate systems.
Manual or semi-automated interfaces between spreadsheets and corporate systems (e.g., data exports, copy-paste) introduce risks of data corruption, omission, or version mismatch. Lack of controlled integration can lead to unreliable information for decision-making or auditing.

D. Hidden data columns or worksheets.
Hidden rows, columns, or cells are common spreadsheet risks. Users may hide data intentionally (to simplify views) or accidentally, leading auditors to overlook relevant information. Hidden data can conceal errors, assumptions, or manual overrides, compromising audit evidence reliability.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (IT Controls / End-User Computing section); GTAG (Global Technology Audit Guide) on Auditing User-Developed Applications/Spreadsheets; IFAC guidance on spreadsheet risk management.

Which of the following describes a typical desktop workstation used by most employees in their daily work?

A. Workstation contains software that prevents unauthorized transmission of information into and out of the organization's network.

B. Workstation contains software that controls information flow between the organization's network and the Internet.

C. Workstation contains software that enables the processing of transactions and is not shared among users of the organization's network.

D. Workstation contains software that manages user's access and processing of stored data on the organization's network.

C. Workstation contains software that enables the processing of transactions and is not shared among users of the organization's network.

Explanation:
This question tests understanding of typical end-user workstation characteristics in a corporate environment. A standard desktop workstation is a personal computing device used by an individual employee for daily tasks such as processing transactions, creating documents, or running applications. It is typically non-shared and user-dedicated.

Correct Option:

C. Workstation contains software that enables the processing of transactions and is not shared among users of the organization's network.
This accurately describes a typical desktop workstation. It emphasizes two key features: (1) transaction processing capability (office suites, ERP clients, email), and (2) dedicated, non-shared usage. Each employee has their own assigned workstation for daily work.

Incorrect Option:

A. Workstation contains software that prevents unauthorized transmission of information into and out of the organization's network.
This describes firewall or DLP (Data Loss Prevention) software, which typically resides on network perimeter servers or security appliances; it is not a defining feature of an employee's standard desktop workstation.

B. Workstation contains software that controls information flow between the organization's network and the Internet.
This describes proxy server, gateway, or firewall functionality. These controls are implemented at the network level, not primarily on individual employee workstations, though endpoints may have personal firewalls as secondary protection.

D. Workstation contains software that manages user's access and processing of stored data on the organization's network.
This describes network operating system or file server functions (e.g., Active Directory, network file sharing). While a workstation accesses such services, it does not typically manage network-wide access and data processing for other users.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (IT Infrastructure / End-User Computing section); Common definitions of workstation vs. server vs. network security appliances.

Which of the following is not a barrier to effective communication?

A. Filtering.

B. Communication overload.

C. Similar frames of reference.

D. Lack of source credibility.

C. Similar frames of reference.

Explanation:
Effective communication can be hindered by various barriers that distort or block the intended message. Common barriers include filtering (manipulating information), information overload, credibility issues, semantic differences, and emotional interference. Conversely, similar frames of reference (shared experiences, knowledge, or perspectives) actually enhance understanding between communicators.

Correct Option:

C. Similar frames of reference.
This is not a barrier to effective communication; it is an enabler. When sender and receiver share similar backgrounds, experiences, language, and mental models, they interpret messages more accurately, make fewer assumptions, and require less explanation. Shared frames of reference improve clarity and reduce misunderstandings.

Incorrect Option:

A. Filtering.
Filtering occurs when a sender manipulates information to make it appear more favorable to the receiver (e.g., subordinates telling bosses only good news). This distorts truth, omits critical details, and prevents accurate decision-making, making it a significant communication barrier.

B. Communication overload.
When individuals receive more information than they can process, they may ignore, miss, or misinterpret messages. Overload reduces attention, retention, and comprehension, leading to poor decisions and frustration. It is a well-recognized barrier, especially in the digital age.

D. Lack of source credibility.
If the receiver does not trust the sender's expertise, honesty, or motives, they will dismiss or question the message regardless of its content. Low credibility leads to resistance, selective hearing, and failed persuasion, creating a major barrier to effective communication.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Organizational Communication / Soft Skills section); Robbins & Judge, Organizational Behavior (Communication Barriers chapter).

According to IIA guidance, which of the following corporate social responsibility (CSR) evaluation activities may be performed by the internal audit activity?

1) Consult on CSR program design and implementation.

2) Serve as an advisor on CSR governance and risk management.

3) Review third parties for contractual compliance with CSR terms.

4) Identify and mitigate risks to help meet the CSR program objectives.

A. 1, 2, and 3

B. 1, 2, and 4

C. 1, 3, and 4

D. 2, 3, and 4

A. 1, 2, and 3

Explanation:
IIA guidance permits internal audit to perform various CSR-related activities, including consulting on design, advising on governance, and reviewing third-party compliance. However, internal audit should not assume management’s role of identifying and mitigating risks to meet objectives, as that impairs independence and objectivity.

Correct Option:

A. 1, 2, and 3. IIA allows internal audit to:
1) Consult on CSR program design/implementation (advisory role).
2) Advise on CSR governance and risk management (consulting).
3) Review third parties for CSR contractual compliance (assurance).
All three are permissible without assuming management responsibility.

Incorrect Option:
4. Identify and mitigate risks to help meet the CSR program objectives. This is a management function, not an internal audit activity. Performing risk identification and mitigation for CSR objectives crosses into operational responsibility, impairing auditor independence and objectivity. Internal audit may evaluate the effectiveness of management’s risk mitigation but cannot perform it.

Why not B, C, or D?

B (1,2,4) includes #4 (management role – not allowed).

C (1,3,4) includes #4.

D (2,3,4) includes #4.

Only A excludes the impermissible activity.

Reference:
IIA International Professional Practices Framework (IPPF) – Practice Guide: Auditing Corporate Social Responsibility; IIA Position Paper: Role of Internal Auditing in CSR; Standard 1130 (Impairment to Independence/Objectivity).

Which of the following is a type of network in which an organization permits specific users (such as existing customers) to have access to its internal network through the Internet by building a virtual private network?

A. Intranet.

B. Extranet.

C. Digital subscriber line.

D. Broadband.

B. Extranet.

Explanation:
This question tests knowledge of network types based on access levels. An intranet is internal to an organization. An extranet extends controlled access to external parties (customers, suppliers, partners) via technologies like VPN over the Internet. DSL and broadband are connection technologies, not network access types.

Correct Option:

B. Extranet.
An extranet is a private network that uses Internet protocols and VPN technology to securely share parts of an organization's internal information with approved external users (e.g., customers, vendors). It sits between the public internet and the private intranet, providing controlled, authenticated access.

Incorrect Option:

A. Intranet.
An intranet is a private network accessible only to an organization's internal employees. It is not designed for external users such as customers. While it may use similar technologies, access is restricted to members of the organization, not to third parties.

C. Digital subscriber line (DSL).
DSL is a physical broadband transmission technology that delivers internet connectivity over telephone lines. It describes the connection method, not the type of network (intranet/extranet) or who has access to internal systems via VPN.

D. Broadband.
Broadband is a high-capacity transmission technology (cable, fiber, DSL) used for internet access. Like DSL, it refers to the communication medium/speed, not to the logical network architecture or access permissions for external users to internal resources.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (IT Infrastructure / Networks section); Common definitions: Intranet (internal only), Extranet (external authorized access via VPN), Internet (public).

When initiating international ventures, an organization should consider cultural dimensions in order to prevent misunderstandings. Which of the following does not represent a recognized cultural dimension in a work environment?

A. Self control.

B. Power distance.

C. Masculinity versus femininity.

D. Uncertainty avoidance.

A. Self control.

Explanation:
Cultural dimensions in a work environment are well-studied frameworks (e.g., Hofstede's model) used to understand cross-cultural differences in international business. Recognized dimensions include power distance, masculinity vs. femininity, uncertainty avoidance, individualism vs. collectivism, and long-term orientation. Self-control is a personality trait, not a cultural dimension.

Correct Option:

A. Self control.
This is not a recognized cultural dimension in cross-cultural management frameworks. Self-control refers to an individual's ability to regulate impulses and emotions, which falls under psychology or personality theory. It does not describe systematic differences between national or organizational cultures.

Incorrect Option:

B. Power distance.
This is a core cultural dimension (Hofstede) describing the extent to which less powerful members of organizations accept that power is distributed unequally. High power distance cultures accept hierarchy; low power distance prefer equality and participative decision-making.

C. Masculinity versus femininity.
This is a recognized Hofstede dimension. Masculine cultures value competitiveness, achievement, and material success; feminine cultures value cooperation, modesty, quality of life, and relationship-building. It affects workplace behavior, motivation, and communication styles.

D. Uncertainty avoidance.
This is a recognized Hofstede dimension measuring how comfortable members of a culture feel with ambiguity and unstructured situations. High uncertainty avoidance cultures prefer strict rules and job security; low uncertainty avoidance cultures are more tolerant of risk and innovation.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Organizational / International Business section); Hofstede, G. (1980) Culture's Consequences; Trompenaars & Hampden-Turner cross-cultural models. Self-control is not among them.

Which of the following is a limiting factor for capacity expansion?

A. Government pressure on organizations to increase or maintain employment.

B. Production orientation of management.

C. Lack of credible market leader in the industry.

D. Company diversification.

D. Company diversification.

Explanation:
Capacity expansion refers to increasing an organization's ability to produce goods or services. Limiting factors are constraints that prevent or restrict such expansion. Diversification (entering new markets or products) often diverts financial, managerial, and operational resources away from expanding existing capacity, thereby acting as a limiting factor.

Correct Option:

D. Company diversification.
Diversification requires significant capital investment, management attention, and operational resources for new businesses or markets. These resources are then unavailable for expanding existing production capacity. Thus, diversification competes with and limits capacity expansion in current operations.

Incorrect Option:

A. Government pressure on organizations to increase or maintain employment.
Such pressure generally encourages expansion (hiring more workers) rather than limiting it. While it may raise costs, it does not directly restrict physical capacity expansion and can sometimes motivate growth.

B. Production orientation of management.
A production-oriented management focuses on efficient manufacturing and volume. This orientation typically supports capacity expansion decisions rather than limiting them. Limitations arise from market orientation (lack of demand), not from production focus.

C. Lack of credible market leader in the industry.
Absence of a market leader might indicate fragmentation but does not directly limit an individual firm's capacity expansion. In fact, it could provide expansion opportunities without strong competitive retaliation. This is not a recognized limiting factor.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Operations Management / Capacity Planning section); Chase, Jacobs, & Aquilano, Operations Management for Competitive Advantage (Capacity constraints and strategic trade-offs).

Which of the following is a strategy that organizations can use to stimulate innovation?

1) Source from the most advanced suppliers.

2) Establish employee programs that reward initiative.

3) Identify best practice competitors as motivators.

4) Ensure that performance targets are always achieved.

A. 1 and 3 only

B. 2 and 4 only

C. 1, 2, and 3 only

D. 1, 2, 3, and 4

C. 1, 2, and 3 only

Explanation:
Stimulating innovation requires actively encouraging new ideas, risk-taking, and learning from external sources. Strategies include learning from advanced suppliers, rewarding employee initiative, and benchmarking best-practice competitors. However, ensuring performance targets are always achieved can discourage experimentation and risk-taking, which are essential for innovation.

Correct Option:

C. 1, 2, and 3 only.
1: Sourcing from advanced suppliers exposes the organization to new technologies and processes, sparking innovation through knowledge transfer.
2: Rewarding initiative encourages employees to propose and test novel ideas without fear of punishment.
3: Identifying best-practice competitors creates performance gaps that motivate creative solutions and process improvements.

Incorrect Option:
4. Ensure that performance targets are always achieved. This is not an innovation stimulus. Consistently forcing target achievement discourages experimentation, since new approaches carry short-term failure risk. It promotes risk-averse, incremental behavior rather than breakthrough thinking. Innovation requires tolerance for controlled failure.

Why not A, B, or D?

A (1 and 3 only) omits employee reward programs (item 2), which are critical for internal innovation culture.

B (2 and 4 only) incorrectly includes item 4 (anti-innovation) and omits items 1 and 3.

D (all four) incorrectly includes item 4 as a valid innovation stimulus.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Innovation & Change Management section); Tidd, Bessant, & Pavitt, Managing Innovation (sources of innovation – external linkages, internal rewards, benchmarking).

When auditing an application change control process, which of the following procedures should be included in the scope of the audit?

1) Ensure system change requests are formally initiated, documented, and approved.

2) Ensure processes are in place to prevent emergency changes from taking place.

3) Ensure changes are adequately tested before being placed into the production environment.

4) Evaluate whether the procedures for program change management are adequate.

A. 1 only

B. 1 and 3 only

C. 2 and 4 only

D. 1, 3, and 4 only

D. 1, 3, and 4 only

Explanation:
Auditing application change control focuses on ensuring changes are properly authorized, tested, and managed to prevent unauthorized or faulty code from entering production. Emergency changes are a reality in IT operations; the audit should ensure they are controlled, not prevented entirely. Evaluating procedure adequacy is also within scope.

Correct Option:

D. 1, 3, and 4 only.
1: Formal initiation, documentation, and approval of change requests are fundamental controls to ensure accountability and prevent unauthorized changes.
3: Adequate testing before production deployment prevents system failures, data corruption, or security vulnerabilities.
4: Evaluating the adequacy of change management procedures is a core audit objective to identify weaknesses and recommend improvements.

Incorrect Option:
2. Ensure processes are in place to prevent emergency changes from taking place. This is incorrect. Emergency changes (e.g., critical security patches, outage fixes) are necessary and legitimate. Auditors should ensure emergency changes follow a defined, controlled process with after-the-fact documentation and approval, not that they are prevented entirely.

Why not A, B, or C?

A (1 only) omits testing (3) and procedure evaluation (4), which are essential.

B (1 and 3 only) omits evaluating procedure adequacy (4), a key audit step.

C (2 and 4 only) includes incorrect item 2 and omits 1 and 3.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (IT Change Management Controls section); GTAG: Change and Patch Management; COBIT 5 DSS06 – Manage Changes (emergency changes are managed, not prevented).
