Free IIA IIA-CIA-Part3-3P Practice Questions 2026 - Page 3
Practice Questions
Topic 1: Exam Pool A
One change control function that is required in client/server environments, but is not
A. Program versions are synchronized across the network.
B. Emergency move procedures are documented and followed.
C. Appropriate users are involved in program change testing.
D. Movement from the test library to the production library is controlled.
Explanation:
In mainframe environments, program changes are typically centralized on a single system, making version control straightforward. In client/server environments, applications often run on multiple distributed servers and workstations. Ensuring synchronized program versions across all network nodes is critical and uniquely challenging due to distributed architecture.
Correct Option:
A. Program versions are synchronized across the network.
Client/server environments distribute application components across multiple servers and clients. Version mismatches can cause system failures or data corruption. Synchronization (ensuring same version runs everywhere) is required. Mainframes centralize execution, so synchronization across network nodes is not a concern.
Incorrect Option:
B. Emergency move procedures are documented and followed.
Both mainframe and client/server environments require controlled emergency change procedures. Emergency fixes are needed in all platforms. This is not unique to client/server.
C. Appropriate users are involved in program change testing.
User involvement in testing is a universal best practice for both mainframe and client/server environments. End users validate that changes meet requirements regardless of platform architecture.
D. Movement from the test library to the production library is controlled.
Controlled migration from test to production is a fundamental change control requirement in all environments (mainframe, client/server, cloud). This prevents untested code from going live and is not unique to client/server.
Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (IT Change Control / Distributed Systems section); ISACA Control Objectives for Client/Server Environments; GTAG on Change and Patch Management – distributed version synchronization.
An internal auditor discovered that several unauthorized modifications were made to the production version of an organization's accounting application. Which of the following best describes this deficiency?
A. Production controls weakness.
B. Application controls weakness.
C. Authorization controls weakness.
D. Change controls weakness.
Explanation:
Unauthorized modifications to production software indicate a failure in the process that governs how changes are requested, approved, tested, and moved into production. This process is known as change control or change management. The deficiency directly relates to weaknesses in that specific control environment, not broader production or application controls.
Correct Option:
D. Change controls weakness.
Change controls specifically govern the migration of software modifications from development/testing to production. Unauthorized changes indicate that change control procedures (e.g., segregation of duties, approval requirements, access controls over production code) were either absent or ineffective.
Incorrect Option:
A. Production controls weakness.
Production controls ensure operational stability, job scheduling, backup, and processing accuracy. While unauthorized changes affect production, the root cause is a failure in the change control process that permits unauthorized access to modify production code.
B. Application controls weakness.
Application controls are automated and manual controls embedded within an application to ensure complete, accurate, and valid processing (e.g., input validation, reasonableness checks). Unauthorized modifications are not an application control issue; they are a change management issue.
C. Authorization controls weakness.
Authorization controls ensure transactions or actions are approved by appropriate personnel. While related (changes require authorization), "authorization controls weakness" is too narrow and less precise than "change controls weakness," which encompasses authorization, testing, migration, and version management.
Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (IT Change Management section); IIA GTAG: Change and Patch Management; COBIT 5 DSS06 – Manage Changes – unauthorized changes indicate change control deficiency.
Organizational activities that complement each other and create a competitive advantage are called a:
A. Merger.
B. Strategic fit.
C. Joint venture.
D. Strategic goal.
Explanation:
In strategic management, activities or capabilities that complement each other to produce greater combined value than individually are referred to as strategic fit. This concept is central to synergy, where the whole becomes greater than the sum of parts, creating sustainable competitive advantage through aligned resources and processes.
Correct Option:
B. Strategic fit.
Strategic fit exists when an organization's resources, capabilities, and activities are mutually reinforcing and aligned with its external environment. This complementarity creates synergies, reduces costs, differentiates products, and builds competitive advantage. Examples include aligned supply chain, R&D, and marketing activities.
Incorrect Option:
A. Merger.
A merger is a specific legal transaction where two companies combine into one. While mergers may aim to achieve strategic fit, the term "merger" itself does not describe complementary activities creating advantage. It describes a structural combination event.
C. Joint venture.
A joint venture is a business arrangement where two or more parties create a separate entity for a specific project or purpose. It is a cooperative structure, not the description of complementary activities generating competitive advantage.
D. Strategic goal.
A strategic goal is a broad, long-term objective an organization aims to achieve (e.g., market leadership, 20% ROI). It is an outcome target, not the characterization of mutually reinforcing activities that create advantage.
Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Strategic Management section); Porter, M.E. Competitive Advantage (fit and sustainability); Rumelt, R. Good Strategy/Bad Strategy (coherent actions).
A retail organization is considering acquiring a composite textile company. The retailer's due diligence team determined the value of the textile company to be $50 million. The financial experts forecasted net present value of future cash flows to be $60 million. Experts at the textile company determined their company's market value to be $55 million if purchased by another entity. However, the textile company could earn more than $70 million from the retail organization due to synergies. Therefore, the textile company is motivated to make the negotiation successful. Which of the following approaches is most likely to result in a successful negotiation?
A. Develop a bargaining zone that lies between $50 million and $70 million and create sets of outcomes between $50 million and $70 million.
B. Adopt an added-value negotiating strategy, develop a bargaining zone between $50 million and $70 million, and create sets of outcomes between $50 million and $70 million.
C. Involve a mediator as a neutral party who can work with the textile company's management to determine a bargaining zone.
D. Develop a bargaining zone that lies between $55 million and $60 million and create sets of outcomes between $55 million and $60 million.
Explanation:
In negotiation, the bargaining zone is the range between the seller's reservation price (minimum acceptable) and the buyer's reservation price (maximum willing to pay). Here, the textile company's market value to another buyer is $55 million (seller's floor), and the retailer's NPV forecast is $60 million (buyer's ceiling). The zone is $55-$60 million.
Correct Option:
D. Develop a bargaining zone that lies between $55 million and $60 million and create sets of outcomes between $55 million and $60 million.
This correctly identifies the realistic bargaining zone. The seller will not accept below $55 million (better alternative exists). The buyer will not pay above $60 million (forecasted value). Synergies above $70 million motivate the seller but do not expand the buyer's ceiling.
Incorrect Option:
A. Bargaining zone between $50 million and $70 million. Incorrect because:
$50 million is below the seller's alternative ($55 million from another buyer), so the seller would reject.
$70 million exceeds the buyer's $60 million valuation, so the buyer would reject. This zone is unrealistic.
B. Added-value strategy with $50-$70 million zone.
While added-value negotiation is useful, the stated zone ($50-$70 million) remains unrealistic for the same reasons as option A. The seller's floor is $55M, not $50M; buyer's ceiling is $60M, not $70M.
C. Involve a mediator to determine bargaining zone.
Mediation may help, but the question asks for the approach most likely to result in successful negotiation. A mediator does not change the fundamental economic realities ($55M seller floor, $60M buyer ceiling). Option D directly addresses the correct bargaining zone.
Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Negotiation / Procurement section); Fisher & Ury, Getting to Yes (BATNA and bargaining zone); negotiation theory (reservation prices define zone of possible agreement).
At what point during the systems development process should an internal auditor verify that the new application's connectivity to the organization's other systems has been established correctly?
A. Prior to testing the new application.
B. During testing of the new application.
C. During implementation of the new application.
D. During maintenance of the new application.
Explanation:
Connectivity to other systems (interfaces, APIs, data exchanges) must be verified before functional testing of the new application begins. If connectivity is incorrect or broken, testing results will be invalid. Verifying connectivity prior to testing ensures that the test environment accurately represents the production architecture and that integration points work as designed.
Correct Option:
A. Prior to testing the new application.
Connectivity should be established and verified in the test environment before any functional or integration testing occurs. This ensures that tests run against correctly connected systems, avoiding false failures or successes caused by connectivity issues rather than application logic problems.
Incorrect Option:
B. During testing of the new application.
While connectivity may be re-tested during testing cycles, relying on discovery during testing wastes time and resources. Faulty connectivity can mask or distort test results, making it difficult to distinguish between application defects and connection problems. Proactive pre-testing verification is superior.
C. During implementation of the new application.
Verifying connectivity during implementation is too late. If problems are found then, the go-live may be delayed, or the application may be deployed with broken interfaces. Implementation is for final deployment, not for initial verification of correct connectivity.
D. During maintenance of the new application.
Maintenance occurs after the application is live. Verifying connectivity during maintenance is post-production and reactive. By then, errors may have already affected data integrity, operations, or downstream systems. Correct connectivity should be ensured much earlier in the SDLC.
Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Systems Development Life Cycle / Testing section); IEEE Standard for Software Verification and Validation; GTAG on Auditing Application Development – pre-testing environment readiness.
During which phase of disaster recovery planning should an organization identify the business units, assets, and systems that are critical to continuing an acceptable level of operations?
A. Scope and initiation phase.
B. Business impact analysis.
C. Plan development.
D. Testing.
Explanation:
Disaster recovery planning (DRP) follows a structured lifecycle. Identifying critical business units, assets, and systems is the primary objective of the Business Impact Analysis (BIA) phase. BIA determines which functions are essential, quantifies the impact of downtime, and establishes recovery priorities based on operational necessity. This identification does not take place during scoping, plan development, or testing.
Correct Option:
B. Business impact analysis.
BIA is specifically designed to identify and prioritize critical business processes, systems, assets, and dependencies. It assesses the operational and financial impacts of disruptions and determines Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for each critical function.
Incorrect Option:
A. Scope and initiation phase.
This phase defines the project's overall boundaries, objectives, team, and budget. While it sets the stage, it does not perform the detailed identification and prioritization of critical units and systems. That detailed analysis occurs during BIA.
C. Plan development.
Plan development uses the outputs of BIA (critical systems list, RTOs, RPOs) to create specific recovery strategies, procedures, and resource assignments. Identification of critical elements must happen before plan development, not during it.
D. Testing.
Testing occurs after the plan is developed. It validates whether the recovery procedures work as intended. By the testing phase, critical units and systems have already been identified in the BIA and documented in the plan. Testing does not involve initial identification.
Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Business Continuity / Disaster Recovery section); NFPA 1600 (Standard on Disaster/Emergency Management); DRI International Professional Practices for Business Continuity (BIA phase defines criticality).
Which of the following statements about matrix organizations is false?
A. In a matrix organization, conflict between functional and product managers may arise.
B. In a matrix organization, staff under dual command is more likely to suffer stress at work.
C. Matrix organizations offer the advantage of greater flexibility.
D. Matrix organizations minimize costs and simplify communication.
Explanation:
A matrix organization combines functional and project-based reporting structures, creating dual reporting lines. While it offers flexibility and efficient resource use, it does not minimize costs or simplify communication. In fact, matrix structures often increase administrative costs and create complex communication channels due to multiple reporting relationships.
Correct Option:
D. Matrix organizations minimize costs and simplify communication.
This statement is false. Matrix structures typically increase costs (additional coordination roles, meetings, conflict resolution) and complicate communication (dual reporting, multiple approvals, overlapping authority). They prioritize flexibility and resource sharing over cost minimization or communication simplicity.
Incorrect Option:
A. Conflict between functional and product managers may arise.
True statement. Dual authority creates inevitable conflict over resource allocation, priorities, and employee evaluation. Functional managers focus on technical excellence; product managers focus on project goals. This tension is a known disadvantage of matrix structures.
B. Staff under dual command is more likely to suffer stress.
True statement. Employees reporting to two managers face conflicting demands, divided loyalties, role ambiguity, and increased pressure. This role stress can lead to burnout, reduced job satisfaction, and higher turnover, a well-documented matrix drawback.
C. Matrix organizations offer the advantage of greater flexibility.
True statement. Matrix structures allow dynamic resource allocation across projects, rapid adaptation to changing priorities, and efficient use of specialized staff across multiple initiatives. This flexibility is a primary reason organizations adopt matrix designs.
Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Organizational Structures section); Robbins & Judge, Organizational Behavior (Matrix organization advantages: flexibility, resource efficiency; disadvantages: cost, complexity, conflict, stress).
When applied to international economics, the theory of comparative advantage proposes that total worldwide output will be greatest when:
A. Each nation's total imports approximately equal its total exports.
B. Each good is produced by the nation that has the lowest opportunity cost for that good.
C. Goods that contribute to a nation's balance-of-payments deficit are no longer imported.
D. International trade is unrestricted and tariffs are not imposed.
Explanation:
The theory of comparative advantage, developed by David Ricardo, states that global output maximizes when countries specialize in producing goods where they have the lowest opportunity cost (i.e., what they give up producing other goods). Even if one nation is absolutely more efficient at everything, trade based on comparative advantage benefits all.
Correct Option:
B. Each good is produced by the nation that has the lowest opportunity cost for that good.
This is the core of comparative advantage. Opportunity cost measures trade-offs. When each country produces goods where its opportunity cost is lowest relative to others, total worldwide output increases through specialization and trade, regardless of absolute efficiencies.
Incorrect Option:
A. Each nation's total imports approximately equal its total exports.
This describes trade balance, not comparative advantage. Comparative advantage focuses on production efficiency and specialization, not on balancing imports with exports. A country can have trade surpluses or deficits and still benefit from comparative advantage.
C. Goods that contribute to a nation's balance-of-payments deficit are no longer imported.
This is a protectionist or mercantilist idea, the opposite of comparative advantage. Comparative advantage encourages importing goods where other nations have a lower opportunity cost, even if that causes trade deficits in specific product categories.
D. International trade is unrestricted and tariffs are not imposed.
Free trade allows comparative advantage to operate fully, but the theory itself proposes that maximum output results from producing according to lowest opportunity cost, not merely from absence of trade barriers. Unrestricted trade enables the theory, but is not the theory's proposal.
Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (International Economics section); Ricardo, D. Principles of Political Economy and Taxation (comparative advantage); Krugman & Obstfeld, International Economics (opportunity cost basis).
Which of the following is false with regard to Internet connection firewalls?
A. Firewalls can protect against computer viruses.
B. Firewalls monitor attacks from the Internet.
C. Firewalls provide network administrators tools to retaliate against hackers.
D. Firewalls may be software-based or hardware-based.
Explanation:
Firewalls are network security devices that filter traffic based on rules (IP addresses, ports, protocols). They are effective against unauthorized access and certain network-based attacks. However, firewalls do not scan file contents for malicious code. Virus protection requires antivirus software, which uses signature-based or heuristic detection, not firewall functionality.
Correct Option:
A. Firewalls can protect against computer viruses.
This statement is false. Firewalls do not scan files for viruses, worms, or other malware embedded in legitimate traffic (e.g., email attachments, downloaded files). Antivirus software is required for virus protection. Firewalls and antivirus are complementary but distinct controls.
Incorrect Option:
B. Firewalls monitor attacks from the Internet.
True. Firewalls log and alert on suspicious connection attempts, port scans, and known attack patterns. They provide visibility into external threats targeting the network, making monitoring a core function.
C. Firewalls provide network administrators tools to retaliate against hackers.
True. Firewalls allow administrators to block specific IP addresses, drop malicious packets, and implement countermeasures such as automated blacklisting or shunning, which can be considered retaliatory or defensive actions.
D. Firewalls may be software-based or hardware-based.
True. Software firewalls run on individual hosts (e.g., Windows Defender Firewall). Hardware firewalls are dedicated appliances (e.g., Cisco ASA, Palo Alto) deployed at network perimeters. Both types exist widely.
Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Information Security / Network Security section); NIST SP 800-41 (Guidelines on Firewalls and Firewall Policy) – firewalls do not provide antivirus protection.
Which of the following is the best approach to overcome entry barriers into a new business?
A. Offer a standard product that is targeted in the recognized market.
B. Invest in commodity or commodity-like product businesses.
C. Enter into a slow-growing market.
D. Use an established distribution relationship.
Explanation:
Entry barriers are obstacles that make it difficult for new competitors to enter an industry (e.g., high capital requirements, brand loyalty, limited distribution channels). Overcoming these barriers requires leveraging existing advantages. Using established distribution relationships bypasses one of the most common barriers—lack of access to distribution networks.
Correct Option:
D. Use an established distribution relationship.
Distribution access is a major entry barrier. By leveraging existing relationships (from current operations or partnerships), a new entrant can place products in front of customers without building a distribution network from scratch. This reduces time, cost, and resistance from incumbent distributors.
Incorrect Option:
A. Offer a standard product targeted in recognized market.
Standard products face intense competition and commodity pricing, making entry harder. Differentiation or niche targeting is typically better for overcoming barriers. A standard product does not help bypass barriers like brand loyalty or economies of scale.
B. Invest in commodity or commodity-like product businesses.
Commodity businesses compete almost exclusively on price and cost efficiency. They typically have low margins and high volume requirements. New entrants without scale face severe disadvantages, making this a poor approach to overcoming entry barriers.
C. Enter into a slow-growing market.
Slow-growth markets often intensify competition as incumbents fight for stagnant or shrinking revenue. Entry barriers may be higher because incumbents aggressively defend market share. Fast-growing markets typically offer more opportunities for new entrants.
Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Strategic Management / Market Entry section); Porter, M.E. (1980) Competitive Strategy – entry barriers (capital, scale, distribution access) and how established relationships reduce them.