Free IIA IIA-CIA-Part3-3P Practice Questions 2026 - Page 6

Practice Questions

Topic 1: Exam Pool A

Which of the following statements is true regarding the relationship between an individual’s average tax rate and marginal tax rate?

A. In a regressive personal tax system, an individual's marginal tax rate is normally greater than his average tax rate.

B. In a regressive personal tax system, an individual's marginal tax rate is normally equal to his average tax rate.

C. In a progressive personal tax system, an individual's marginal tax rate is normally equal to his average tax rate.

D. In a progressive personal tax system, an individual's marginal tax rate is normally greater than his average tax rate.

Answer: D. In a progressive personal tax system, an individual's marginal tax rate is normally greater than his average tax rate.

Explanation:
Marginal tax rate is the tax paid on an additional dollar of income. Average tax rate is total tax divided by total income. In a progressive tax system, higher income portions are taxed at higher rates, so the marginal rate (on the last dollar) exceeds the average rate (across all dollars). Regressive systems invert this relationship.

Correct Option:

D. In a progressive personal tax system, an individual's marginal tax rate is normally greater than his average tax rate.
Progressive systems have increasing marginal rates as income rises. Because lower portions are taxed at lower rates and higher portions at higher rates, the average rate is pulled down below the top marginal rate, making marginal > average.

Incorrect Option:

A. Regressive system – marginal > average. False. In a regressive system, higher incomes face lower effective rates. Marginal rate on additional income may be lower than average rate, not greater. This describes a progressive system, not regressive.

B. Regressive system – marginal = average. False. Equality of marginal and average occurs only in a proportional (flat) tax system, not in a regressive system. Regressive systems have marginal rates below average rates for higher income levels.

C. Progressive system – marginal = average. False. Equality would imply a proportional (flat) rate structure. In progressive systems, marginal exceeds average except at the very first tax bracket where both may start equal before rising.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Taxation / Public Finance section); Economics definitions: progressive tax (marginal > average), proportional (marginal = average), regressive (marginal < average).

A small furniture-manufacturing firm with 100 employees is located in a two-story building and does not plan to expand. The furniture manufactured is not special-ordered or custom-made. The most likely structure for this organization would be:

A. Functional departmentalization.

B. Product departmentalization.

C. Matrix organization.

D. Divisional organization.

Answer: A. Functional departmentalization.

Explanation:
The firm is small (100 employees), stable (no expansion), produces standard (not custom) furniture, and operates in a single building. Functional departmentalization groups employees by specialized functions (production, sales, finance, HR). This structure is simple, efficient, and ideal for small, stable organizations producing standardized products.

Correct Option:

A. Functional departmentalization.
This structure organizes by business functions (e.g., manufacturing, assembly, finishing, shipping, accounting, sales). It suits small, stable firms with standardized products, providing clear career paths, efficient resource use, and minimal coordination overhead. No need for product or divisional complexity.

Incorrect Option:

B. Product departmentalization.
Organizing by product lines (e.g., chairs division, tables division) is used when product lines are diverse or large. This firm has 100 employees and standard furniture; creating separate product departments would duplicate functions inefficiently.

C. Matrix organization.
Matrix uses dual reporting (function + project/product). It suits complex, project-based environments requiring flexibility. This small, stable firm with no expansion plans has no need for matrix complexity, which increases overhead and potential conflict.

D. Divisional organization.
Divisional structure organizes by geography, customer type, or product, with each division having its own functional departments. This is for large, diversified organizations. A 100-employee, non-expanding furniture maker lacks scale to support divisional structure.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Organizational Structure section); Robbins & Judge, Organizational Behavior (functional structure: best for small, stable, single-product or standardized product organizations).

An organization produces two products, X and Y. The materials used for the production of both products are limited to 500 kilograms (kg) per month. All other resources are unlimited and their costs are fixed. Individual product details are as follows:

| | Product X | Product Y |
|---|---|---|
| Selling price per unit | $10 | $13 |
| Materials per unit (at $1/kg) | 2 kg | 6 kg |
| Monthly demand | 100 units | 120 units |

In order to maximize profit, how much of product Y should the organization produce each month?

A. 50 units.

B. 60 units.

C. 100 units.

D. 120 units.

Answer: A. 50 units.

Explanation:
This is a constrained resource optimization problem. The limiting factor is materials (500 kg/month). Calculate contribution margin per kg of material (since other costs are fixed). Product X: ($10 - $2 material cost) = $8 contribution per unit ÷ 2 kg = $4 per kg. Product Y: ($13 - $6 material cost) = $7 contribution per unit ÷ 6 kg ≈ $1.167 per kg. Product X yields higher contribution per kg, so prioritize X first.

Correct Option:

A. 50 units.
Produce maximum X (100 units) first: 100 units × 2 kg = 200 kg used.
Remaining material: 500 kg - 200 kg = 300 kg.
Each Y requires 6 kg: 300 kg ÷ 6 kg = 50 units of Y.
This maximizes total contribution: (100×$8) + (50×$7) = $800 + $350 = $1,150.

Incorrect Option:

B. 60 units.
Would require 360 kg of material (60 × 6). But with 100 X (200 kg), the total would be 560 kg > 500 kg limit. Cannot produce 60 Y after fulfilling X demand. If X is reduced to produce more Y, total contribution decreases because X is more efficient per kg.

C. 100 units.
100 Y × 6 kg = 600 kg > 500 kg limit, which is impossible on its own. Even without X, materials are insufficient. Cannot produce 100 Y.

D. 120 units.
120 Y × 6 kg = 720 kg, far exceeding 500 kg limit. Impossible regardless of X production.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Managerial Accounting / Constraint Analysis section); Horngren, Datar, & Rajan, Cost Accounting (theory of constraints, contribution per unit of limiting factor).

Which of the following is true regarding the COSO enterprise risk management framework?

A. The framework categorizes an organization's objectives into distinct, non-overlapping objectives.

B. Control environment is one of the framework's eight components.

C. The framework facilitates effective risk management, even if objectives have not been established.

D. The framework integrates with, but is not dependent upon, the corresponding internal control framework.

Answer: D. The framework integrates with, but is not dependent upon, the corresponding internal control framework.

Explanation:
The COSO ERM Framework (2017 update) is designed to integrate with but not depend upon the COSO Internal Control – Integrated Framework. ERM is broader, including strategy-setting and risk appetite, while internal control focuses on achieving objectives. The ERM framework can be used independently, but its components reference internal control concepts.

Correct Option:

D. The framework integrates with, but is not dependent upon, the corresponding internal control framework.
COSO ERM complements the Internal Control framework, sharing common concepts (e.g., control activities, information & communication). However, ERM can be implemented without full internal control framework adoption. Integration is encouraged but not dependency.

Incorrect Option:

A. Distinct, non-overlapping objectives.
False. COSO ERM categorizes objectives into four types (strategic, operations, reporting, compliance). These overlap in practice (e.g., compliance affects operations). They are distinct categories but not completely non-overlapping.

B. Control environment is one of the eight components.
False in current COSO ERM 2017. The eight components are: Governance & Culture; Strategy & Objective-Setting; Performance; Review & Revision; Information, Communication & Reporting. "Control environment" is from the Internal Control framework, not ERM.

C. Facilitates effective risk management even if objectives not established.
False. ERM cannot function without established objectives. Risk management identifies risks to achieving objectives; without objectives, risk identification lacks context and direction. Objectives are foundational.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (ERM Frameworks / COSO ERM section); COSO Enterprise Risk Management – Integrating with Strategy and Performance (2017). Relationship to Internal Control framework (integrated but not dependent).

An organization accumulated the following data for the prior fiscal year:

| Quarter | Value of Output Produced | Percentage of Cost X |
|---|---|---|
| 1 | $4,750,000 | 2.9 |
| 2 | $4,700,000 | 3.0 |
| 3 | $4,350,000 | 3.2 |
| 4 | $4,000,000 | 3.5 |

Based on this data, which of the following describes the value of Cost X in relation to the value of Output Produced?

A. Cost X is a variable cost.

B. Cost X is a fixed cost.

C. Cost X is a semi-fixed cost.

D. Cost X and the value of Output Produced are unrelated.

Answer: B. Cost X is a fixed cost.

Explanation:
Cost X is calculated by multiplying Output Produced by its percentage. Quarter 1: $4.75M × 2.9% = $137,750; Quarter 2: $4.70M × 3.0% = $141,000; Quarter 3: $4.35M × 3.2% = $139,200; Quarter 4: $4.00M × 3.5% = $140,000. Cost X remains approximately constant ($137k–$141k) despite output falling 15.8%, indicating a fixed cost.

Correct Option:

B. Cost X is a fixed cost.
Calculations show Cost X stays around $139,000 per quarter while output declines from $4.75M to $4.00M. Fixed costs do not change with production volume. The increasing percentage offsets the declining output, keeping the absolute cost stable.

Incorrect Option:

A. Cost X is a variable cost.
Variable costs change proportionally with output. If Cost X were variable, it would decline ~15.8% (same as output). Instead, it remained nearly constant, ruling out variable cost behavior.

C. Cost X is a semi-fixed (mixed) cost.
Semi-fixed costs have both fixed and variable components. The data shows nearly perfect stability, not a mixed pattern. No evidence of a variable portion changing with output.

D. Cost X and output are unrelated.
They are related inversely: as output falls, the percentage rises to keep absolute cost constant. This relationship is intentional to maintain fixed cost behavior, not unrelated.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Managerial Accounting / Cost Behavior section); Fixed cost definition: total cost remains constant within relevant range; variable cost changes proportionally with activity.

Which of the following steps should an internal auditor take during an audit of an organization's business continuity plans?

1) Evaluate the business continuity plans for adequacy and currency.

2) Prepare a business impact analysis regarding the loss of critical business.

3) Identify key personnel who will be required to implement the plans.

4) Identify and prioritize the resources required to support critical business processes.

A. 1 only

B. 2 and 4 only

C. 1, 3, and 4 only

D. 1, 2, 3, and 4

Answer: A. 1 only

Explanation:
During an audit of existing business continuity plans (BCP), the internal auditor's role is to evaluate the plans' adequacy and currency. The other activities (preparing business impact analysis, identifying key personnel, prioritizing resources) are management responsibilities during the development phase of BCP, not audit steps. Auditors assess, not create.

Correct Option:

A. 1 only.
1: Evaluating BCP adequacy and currency is a core audit procedure. The auditor reviews whether plans exist, are up-to-date, address identified risks, and align with organizational needs.
Steps 2, 3, and 4 are design/development activities that management should perform; performing them as an auditor would create a conflict of interest.

Incorrect Option:

2. Prepare a business impact analysis.
BIA is a management responsibility during BCP development. Auditors may review management's BIA for reasonableness but should not prepare it themselves. Preparing BIA impairs independence and objectivity.

3. Identify key personnel.
Identifying personnel for plan implementation is management's role, based on organizational structure and recovery strategies. Auditors may test whether key personnel are correctly identified, but not perform the identification.

4. Identify and prioritize resources.
Resource identification and prioritization (e.g., backup servers, alternate facilities) is part of BCP design, owned by management. Auditors evaluate whether management has done this adequately, not perform it themselves.

Why not B, C, or D? All include auditor execution of management responsibilities (2, 3, or 4), which violates IIA independence and objectivity standards.

Reference:
IIA International Professional Practices Framework (IPPF) – *Standard 1130: Impairment to Independence/Objectivity* (auditors should not assume management roles); GTAG: Business Continuity Management (audit vs. management responsibilities in BCP).

According to the waterfall cycle approach to systems development, which of the following sequences of events is correct?

A. Program design, system requirements, software design, analysis, coding, testing, operations.

B. System requirements, software design, analysis, program design, testing, coding, operations.

C. System requirements, software design, analysis, program design, coding, testing, operations.

D. System requirements, analysis, coding, software design, program design, testing, operations.

Answer: C. System requirements, software design, analysis, program design, coding, testing, operations.

Explanation:
The Waterfall model is a linear, sequential systems development lifecycle (SDLC). Each phase must be fully completed before the next begins. The classical order starts with gathering system requirements, followed by software design, analysis, program design (detailed design), coding, testing, and finally operations & maintenance.

Correct Option:

C. System requirements, software design, analysis, program design, coding, testing, operations.
System requirements: Defines what the system must do.
Software design: High-level architecture and modules.
Analysis: Analyzes requirements and refines them (often overlaps/integrates with design in classic texts; placed here to match option C sequence).
Program design: Detailed design of components.
Coding: Implementation.
Testing: Verification and validation.
Operations: Deployment and maintenance.

Incorrect Option:

A. Program design, system requirements, software design, analysis, coding, testing, operations.
Incorrect because program design cannot precede system requirements. Requirements gathering is the foundational first step.

B. System requirements, software design, analysis, program design, testing, coding, operations.
Incorrect because coding must occur before testing (testing requires code to test). This sequence places testing before coding.

D. System requirements, analysis, coding, software design, program design, testing, operations.
Incorrect because design (software and program design) must be completed before coding. Placing coding before software/program design violates the waterfall principle.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Systems Development Life Cycle / Waterfall section); Pressman, R. Software Engineering: A Practitioner's Approach (Waterfall model: Requirements → Design → Implementation → Testing → Maintenance).

According to IIA guidance, which of the following steps are most important for an internal auditor to perform when evaluating an organization's social and environmental impact on the local community?

1) Determine whether previous incidents have been reported, managed, and resolved.

2) Determine whether a business contingency plan exists.

3) Determine the extent of transparency in reporting.

4) Determine whether a cost/benefit analysis was performed for all related projects.

A. 1 and 3.

B. 1 and 4.

C. 2 and 3.

D. 2 and 4.

Answer: A. 1 and 3.

Explanation:
When evaluating social and environmental impact on the local community, internal audit focuses on accountability, incident management, and transparency. Reviewing past incident resolution ensures the organization learns from mistakes. Assessing reporting transparency verifies that stakeholders receive honest disclosures. Contingency planning and cost/benefit analyses are less directly related to community impact evaluation.

Correct Option:

A. 1 and 3.

1: Determining whether previous incidents (e.g., spills, emissions, community complaints) were reported, managed, and resolved shows whether the organization takes corrective action and prevents recurrence.

3: Transparency in reporting (e.g., sustainability reports, community disclosures) provides assurance that the organization communicates honestly about its social and environmental footprint.

Incorrect Option:

2. Determine whether a business contingency plan exists.
Contingency planning (e.g., disaster recovery) is important for business resilience but does not directly evaluate social and environmental impact on the community. It addresses organizational survival, not external impact assessment.

4. Determine whether a cost/benefit analysis was performed for all related projects.
While useful for project justification, cost/benefit analysis focuses on financial efficiency, not on measuring or evaluating actual social/environmental outcomes for the community. It is a management decision tool, not a community impact evaluation step.

Why not B, C, or D?

B (1 and 4) includes #4 (CBA not directly relevant).

C (2 and 3) includes #2 (contingency plan not directly relevant).

D (2 and 4) includes both less relevant items and omits #1 and #3.

Reference:
IIA International Professional Practices Framework (IPPF) – Practice Guide: Auditing Social Responsibility and Sustainability; IIA Position Paper: Role of Internal Auditing in Social Responsibility (key areas: incident management, transparency, stakeholder reporting).

Technological uncertainty, subsidy, and spin-offs are usually characteristics of:

A. Fragmented industries.

B. Declining industries.

C. Mature industries.

D. Emerging industries.

Answer: D. Emerging industries.

Explanation:
Emerging industries are newly formed or re-formed industries created by technological innovation, shifts in demand, or new regulations. They are characterized by high technological uncertainty (rapid change, unproven standards), government subsidies (to encourage development), and spin-offs (new companies formed by ex-employees of established firms).

Correct Option:

D. Emerging industries.

Technological uncertainty: Rapid evolution, competing standards, unknown dominant design.

Subsidy: Governments often fund R&D or provide tax incentives to nurture infant industries.

Spin-offs: Employees leave existing firms to start new ventures in the same space. All three are hallmark features of emerging industries.

Incorrect Option:

A. Fragmented industries.
Fragmented industries have many small competitors, low barriers, and no dominant player (e.g., dry cleaning, restaurants). They do not typically feature high technological uncertainty or significant subsidies.

B. Declining industries.
Declining industries face falling demand, excess capacity, and consolidation. Technological uncertainty is low (technology is mature), subsidies are rare (no growth incentive), and spin-offs are unlikely.

C. Mature industries.
Mature industries have stable technology, standardized products, and slow growth. Technological uncertainty is low; subsidies are uncommon; spin-offs are minimal because opportunities are limited.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (Industry Analysis / Industry Lifecycle section); Porter, M.E. Competitive Strategy (Chapter 9: Emerging Industries – uncertainty, subsidies, spin-offs).

Which of the following statements regarding database management systems is not correct?

A. Database management systems handle data manipulation inside the tables, rather than it being done by the operating system itself in files.

B. The database management system acts as a layer between the application software and the operating system.

C. Applications pass on the instructions for data manipulation which are then executed by the database management system.

D. The data within the database management system can only be manipulated directly by the database management system administrator.

Answer: D. The data within the database management system can only be manipulated directly by the database management system administrator.

Explanation:
Database Management Systems (DBMS) provide controlled access to data, but they do not restrict data manipulation solely to the DBMS administrator. Authorized users and applications (via SQL queries, APIs, or front-end tools) can manipulate data based on their granted privileges. The administrator has full rights, but others can also manipulate data.

Correct Option:

D. The data within the database management system can only be manipulated directly by the database management system administrator.
This statement is incorrect. Regular users with appropriate permissions (SELECT, INSERT, UPDATE, DELETE) can manipulate data through applications, reporting tools, or direct SQL queries. The administrator is not the only manipulator.

Incorrect Option:

A. DBMS handles data manipulation inside tables, not by OS in files.
Correct. DBMS manages data at the logical level (tables, rows, columns) while the OS handles physical file storage. DBMS abstracts file structures.

B. DBMS acts as a layer between application software and OS.
Correct. Applications interact with DBMS via APIs or SQL; DBMS translates these to OS-level file operations.

C. Applications pass instructions for data manipulation executed by DBMS.
Correct. Applications send data manipulation commands (INSERT, UPDATE, DELETE, SELECT) to DBMS, which executes them and returns results.

Reference:
IIA CIA Part 3—Business Knowledge for Internal Auditing (IT / Database Management section); Database fundamentals: DBMS architecture, access control (role-based, user privileges beyond administrator).
