IIA-CIA-Part3 IIA Business Knowledge for Internal Auditing Free Practice Exam Questions (2025 Updated)

According to the IIA Standards, the CAE must ensure that the internal audit activity is appropriately staffed with competent individuals to achieve the approved audit plan. While risk-based planning and collaboration with risk functions support effectiveness, the most direct way to ensure resources are adequate is by developing and maintaining the competencies of internal audit staff through training, recruitment, and professional development.

Mapping the audit risk assessment (Option B), collaboration with risk functions (Option C), or refining processes (Option D) may strengthen planning and alignment, but they do not directly address the resource requirement. Only enhancing and ensuring competencies ensures the internal audit activity has the skills necessary to execute the plan.

The Global Internal Audit Standards require that workpapers be properly supervised and reviewed to ensure quality and compliance. A sole auditor cannot perform a meaningful self-review (Option A). Having clients review workpapers (Option B) compromises independence. Having management or the board sign off (Option C) is also inappropriate as it undermines audit objectivity.

The most suitable solution is to arrange for peer reviews from external auditors or other organizations, with confidentiality and legal safeguards in place. This provides independent oversight while maintaining audit quality.

When an organization outsources IT services, risks can be categorized as:

Risks specific to the organization – Risks that arise internally within the company.

Risks specific to the service provider – Risks that are under the control of the third-party provider.

Shared risks – Risks that require joint management by both the organization and the service provider.

Let’s analyze the answer choices:

Option A: Unexpected increases in outsourcing costs.

Incorrect. While cost increases can be a risk, they are often a shared risk because the organization and the provider negotiate pricing terms.

Option B: Loss of data privacy.

Incorrect. Data privacy concerns are shared between the organization (which must ensure compliance with regulations like GDPR or CCPA) and the service provider (which must implement proper security controls).

Option C: Inadequate staffing.

Correct. The service provider is responsible for maintaining adequate staffing levels to deliver the contracted services effectively. If they fail to do so, service quality can deteriorate, posing risks to the organization.

IIA Reference: Internal auditors should assess vendor risk management, including the provider’s staffing capabilities. (IIA GTAG: Auditing IT Outsourcing)

Option D: Violation of contractual terms.

Incorrect. While the service provider may be responsible for upholding contract terms, the organization is also responsible for contract enforcement. This makes it a shared risk rather than one specific to the provider.

When developing the annual internal audit plan, the CAE must consider input from senior management, the board, and other internal assurance providers to ensure coordination and avoid duplication of efforts. While operational management, external auditors, and the CEO may also provide input, IIA Standards emphasize coordination with internal assurance providers as a mandatory step.

The specific identification method is an inventory costing approach where the actual cost of each individual unit sold is recorded. This method is used when items are uniquely identifiable, such as in industries dealing with luxury goods, automobiles, or custom-manufactured products.

Correct Answer (D - Specific identification)

Under the specific identification method, each inventory unit is tracked separately, and its actual purchase cost is assigned to the cost of goods sold (COGS) when sold.

This method is commonly used for high-value, low-volume items where unique tracking is feasible.

The IIA’s GTAG 8: Audit of Inventory Management explains how different costing methods impact financial reporting and internal controls.

Why Other Options Are Incorrect:

Option A (LIFO - Last-in, First-out):

LIFO assumes that the most recent (last-in) inventory is sold first, but it does not track actual unit cost. Instead, it assigns the cost of the newest inventory to COGS.

LIFO is often used for tax benefits but does not follow actual unit cost identification.

Option B (Average cost):

The weighted average cost method calculates an average cost for all inventory units rather than assigning actual unit costs.

This method smooths out price fluctuations but does not track specific items' costs.

Option C (FIFO - First-in, First-out):

FIFO assumes that the oldest (first-in) inventory is sold first, assigning its cost to COGS.

However, like LIFO, it does not track individual unit costs.

IIA GTAG 8: Audit of Inventory Management – Explains different inventory costing methods, including specific identification.

IIA Practice Guide: Assessing Inventory Risks – Covers inventory valuation and fraud risks.

Step-by-Step Explanation:IIA References for Validation:Thus, the specific identification method (D) is the only one that accounts for the actual cost paid for each unit sold.

Business continuity planning (BCP) requires a recovery strategy that minimizes downtime and ensures that critical operations resume within the organization’s desired recovery time objective (RTO).

Since the organization wants to recover within four to seven days, it does not require an expensive real-time recovery site (hot site).

The best strategy is a warm site: a pre-secured location with configurable hardware and data backups that can be activated within the required timeframe.

(A) Incorrect – A recovery strategy whereby a separate site has not yet been determined, but hardware has been reserved for purchase and data backups.

This is a cold site, requiring time for setup and hardware installation.

It does not meet the four to seven-day recovery timeframe efficiently.

(B) Incorrect – A recovery strategy whereby a separate site has been secured and is ready for use, with fully configured hardware and real-time synchronized data.

This describes a hot site, which allows instant failover with real-time synchronization.

While effective, it is costly and unnecessary for a four-to-seven-day recovery target.

(C) Incorrect – A recovery strategy whereby a separate site has been secured and the necessary funds for hardware and data backups have been reserved.

While a site has been secured, the absence of pre-configured hardware would delay recovery, making it an inefficient choice.

(D) Correct – A recovery strategy whereby a separate site has been secured with configurable hardware and data backups.

This describes a warm site, which is the best balance between cost and recovery efficiency.

Configurable hardware and data backups ensure that operations can resume within four to seven days.

IIA’s GTAG (Global Technology Audit Guide) – Business Continuity and IT Disaster Recovery

Recommends warm sites for recovery within a few days.

ISO 22301 – Business Continuity Management Systems

Defines recovery time objectives (RTOs) and site classifications (hot, warm, cold).

COBIT Framework – IT Risk Management

Guides organizations on cost-effective recovery site selection based on risk tolerance.

Analysis of Answer Choices:IIA References and Internal Auditing Standards:

A risk and control questionnaire (RCQ) is used during preliminary surveys to help the auditor ascertain the existence of controls in a specific process or program. It provides structured information about which controls are in place, which are missing, and how they are applied.

Option A refers to reconciliation, which is not the main purpose. Option C (testimonial information) suggests reliance on management statements, which is weaker than structured control identification. Option D involves external confirmation, which goes beyond the RCQ’s purpose.

A QAIP includes both internal and external assessments. While internal assessments can be performed by audit staff or within the activity, external assessments must be conducted by a qualified, independent party outside of the internal audit activity.

Options B and C are the CAE’s responsibilities. Option D (internal assessments) is not independent and is part of routine quality control.

Subjective factors are based on judgment or opinion, whereas objective factors rely on measurable data. The quality of staff supervision is a judgment-based assessment, making it subjective.

Options A, C, and D are measurable, quantitative factors and thus objective.

Maintaining the infrastructure for a real-time database backup involves ensuring that backups are correctly configured, continuously running, and fail-safe mechanisms are in place to prevent data loss. The most appropriate role for this responsibility is the IT database administrator (DBA) because:

Primary Role of a DBA:

The DBA is responsible for managing database performance, availability, backup strategies, and recovery processes.

Ensures that real-time backups are functioning properly and failure risks are mitigated.

Database Infrastructure & Backup Strategies:

DBAs configure, monitor, and troubleshoot real-time backup solutions such as replication, mirroring, and log shipping.

They work with backup tools like Oracle Data Guard, SQL Server Always On, and MySQL replication.

Disaster Recovery & Data Integrity:

The DBA ensures data consistency and integrity, especially during system failures or cyber incidents.

They set up recovery point objectives (RPO) and recovery time objectives (RTO) for database resilience.

Option B (IT Data Center Manager):

Oversees physical and environmental infrastructure (e.g., servers, cooling, and power systems). Not directly responsible for database backup failure prevention. (Incorrect)

Option C (IT Help Desk Function):

Provides user support and troubleshooting but does not manage backup infrastructure. (Incorrect)

Option D (IT Network Administrator):

Manages network configurations, security, and connectivity but does not handle database backup infrastructure. (Incorrect)

IIA GTAG – "Auditing Business Continuity and Disaster Recovery": Emphasizes the role of DBAs in backup infrastructure.

COBIT 2019 – BAI10.02 (Manage Backup and Restore): Assigns database backup management responsibilities primarily to DBAs.

IIA's "Auditing IT Operations": Recommends that database administration teams ensure backup mechanisms are tested regularly.

Why Other Options Are Incorrect:IIA References:Thus, the correct answer is A. IT database administrator.

Cybersecurity is primarily focused on protecting information assets by preventing unauthorized access, data breaches, cyberattacks, and other security threats. The confidentiality, integrity, and availability (CIA) triad is the foundation of cybersecurity, with access control playing a key role in mitigating risks.

(A) Incorrect – To protect the effective performance of IT general and application controls.

While cybersecurity supports IT controls, its primary goal is information security, not just control performance.

(B) Incorrect – To regulate users' behavior in the web and cloud environment.

Cybersecurity includes user behavior policies, but its primary goal is preventing unauthorized access rather than regulation.

(C) Correct – To prevent unauthorized access to information assets.

The core objective of cybersecurity is to prevent unauthorized access, protecting data from cyber threats.

This aligns with the CIA (Confidentiality, Integrity, Availability) security model.

(D) Incorrect – To secure application of protocols and authorization routines.

Protocols and authorization routines are part of cybersecurity controls, but they are not the primary objective.

IIA’s GTAG (Global Technology Audit Guide) – Cybersecurity Risks and Controls

Defines cybersecurity as the protection of information assets from unauthorized access and threats.

NIST Cybersecurity Framework – Access Control and Information Security

Focuses on preventing unauthorized access to sensitive systems.

COBIT Framework – IT Governance and Security

Emphasizes the protection of data and IT assets through cybersecurity measures.

Analysis of Answer Choices:IIA References and Internal Auditing Standards:

When internal audit identifies a risk that appears unacceptable, the CAE should first discuss the matter with the responsible management. This ensures management has an opportunity to explain their rationale or adjust actions before escalation.

Option A (direct escalation to senior management) or Option C (to the board) are appropriate only if management refuses to act. Option B (sending a letter with a deadline) is not aligned with IIA guidance.

The purpose of a guest auditor program is to leverage subject matter expertise from other areas while also enhancing collaboration and mutual learning between business units and internal audit. Allowing guest auditors to interact with internal audit staff fosters knowledge sharing, trust, and future cooperation.

Option A may create conflicts of interest. Option B compromises independence by allowing guest auditors to design and test audit procedures. Option C provides feedback but occurs after the engagement, not during.

Comprehensive and Detailed Step-by-Step Explanation with all IIA References: =

Understanding the Impact of an Understated Ending Inventory:

Ending inventory is a key component of the cost of goods sold (COGS) calculation: COGS=BeginningInventory+Purchases−EndingInventoryCOGS = Beginning Inventory + Purchases - Ending InventoryCOGS=BeginningInventory+Purchases−EndingInventory

If the ending inventory is understated, it means the reported inventory is lower than its actual value.

This results in an overstated COGS because a smaller amount is subtracted in the formula above.

An overstated COGS leads to an understated net income in the current year.

Effect on the Following Year’s Income Statement:

The beginning inventory for the next year is based on the ending inventory of the previous year.

Since the prior year's ending inventory was understated, the new year's beginning inventory is also understated.

A lower beginning inventory leads to a lower COGS in the new year.

Since COGS is lower, net income in the following year will be overstated.

IIA’s Perspective on Financial Reporting Errors:

The IIA’s International Standards for the Professional Practice of Internal Auditing (IPPF) emphasize the importance of accurate financial reporting.

IIA Standard 1220 – Due Professional Care requires internal auditors to consider the probability of errors, fraud, or misstatements in financial reporting.

COSO’s Internal Control – Integrated Framework highlights that inventory valuation errors can impact financial integrity and decision-making.

GAAP & IFRS Accounting Standards also require proper inventory reporting to ensure accurate financial statements.

IIA References:

IPPF Standard 1220 – Due Professional Care

COSO Internal Control – Integrated Framework

GAAP & IFRS Accounting Principles on Inventory Valuation

Thus, the correct and verified answer is C. Net income would be overstated.

A systems development methodology refers to a structured approach used in software development and systems engineering to guide the design, development, and implementation of software applications.

Why Option A (Waterfall) is Correct:

Waterfall methodology is a linear and sequential systems development methodology where each phase (e.g., requirements, design, implementation, testing, deployment) must be completed before moving to the next.

It is widely established and historically one of the first software development methodologies.

Used in large-scale enterprise projects where detailed planning and structured execution are required.

Why Other Options Are Incorrect:

Option B (PRINCE2 - Projects in Controlled Environments):

Incorrect because PRINCE2 is a project management framework, not a systems development methodology.

Option C (ITIL - Information Technology Infrastructure Library):

Incorrect because ITIL is a set of IT service management (ITSM) best practices, not a software development methodology.

Option D (COBIT - Control Objectives for Information and Related Technologies):

Incorrect because COBIT is a governance framework for IT management and controls, not a development methodology.

IIA GTAG – "Auditing IT Projects and Systems Development": Highlights Waterfall as a traditional systems development methodology.

IIA’s Global Technology Audit Guide on IT Risks: Discusses software development lifecycle risks, including Waterfall methodology.

COBIT Framework – BAI03 (Manage Solutions Identification and Build): References structured methodologies like Waterfall in IT governance.

IIA References:

The CAE’s role is to provide assurance that risks are identified and managed appropriately. When residual risk appears to exceed the organization’s tolerance, the CAE should first communicate the matter with senior management to discuss the issue and understand management’s acceptance of risk. Only if the risk remains unresolved should it be escalated to the board.

Option A is management’s responsibility, not internal audit’s. Option B is incomplete as evidence alone does not fulfill the communication requirement. Option C is premature because immediate escalation to the board skips management dialogue.

The CAE must communicate the results of the QAIP to the board and senior management. This includes results from ongoing monitoring, periodic self-assessments, and external assessments.

Option A (board oversight) is part of governance but not a QAIP requirement. Option B is incorrect because conformance is assessed for the activity overall, not per engagement. Option C is incorrect because self-assessments are ongoing, while external assessments are required at least once every five years.

Thus, the essential QAIP requirement for conformance is reporting results to the board (Option D).

Organizations that rely on third-party vendors for IT services must ensure secure and controlled communication, especially in areas where external connections are involved. External connections typically include:

Cloud services (e.g., SaaS, PaaS, IaaS)

Third-party APIs

Remote access (VPNs, firewalls, network gateways)

IoT devices and external sensors

These connections introduce cybersecurity risks, requiring continuous monitoring, vendor communication, and security controls.

(A) Applications.

Incorrect. While application security is important, it is typically managed internally. Vendor involvement is needed for software patches and updates, but communication is not as tightly monitored.

(B) Technical infrastructure.

Incorrect. This layer includes internal IT components like servers, databases, and networks, which are mostly managed in-house. Vendor involvement is required for hardware/software updates but not to the same extent as external connections.

(C) External connections. ✅

Correct. External connections require tightly controlled communication with vendors to prevent security breaches, unauthorized access, and data leaks.

IIA GTAG "Auditing IT Governance" highlights third-party risk management as a key area for IT audits.

IIA Standard 2110 requires organizations to establish governance structures for vendor and IT security management.

(D) IT management.

Incorrect. IT management focuses on internal oversight of IT policies and compliance, but does not necessarily require tightly controlled vendor communication.

IIA GTAG – "Auditing IT Governance"

IIA GTAG – "Managing Third-Party Risks"

IIA Standard 2110 – Governance

Analysis of Answer Choices:IIA References:

A focus strategy targets a specific market segment, geographical area, or niche customer base rather than competing in the entire market.

Why Option D (Focus strategy) is Correct:

The car manufacturer introduced a hybrid vehicle specifically for the European market to address increasing emission taxes, meaning they are focusing on a specific region and customer need.

Focus strategy aims at tailoring products to meet the needs of a particular group of consumers (e.g., environmentally conscious European customers).

Why Other Options Are Incorrect:

Option A (Reactive strategy):

Incorrect because while the company is responding to regulatory changes, "reactive strategy" is not a recognized competitive strategy under Porter’s model.

Option B (Cost leadership strategy):

Incorrect because cost leadership focuses on minimizing costs and offering the lowest price in the broad market. This scenario does not emphasize cost reduction.

Option C (Differentiation strategy):

Incorrect because differentiation involves offering unique products across a broad market, whereas the hybrid vehicle is targeted specifically for the European market.

IIA Practice Guide – "Auditing Strategic Risk Management": Discusses competitive strategies, including focus strategy.

Porter's Competitive Strategy Model: Defines focus strategy as targeting a niche market.

COSO ERM Framework – "Strategic Decision-Making": Recommends market-specific focus strategies to mitigate regulatory risks.

IIA References:

In organizations, authority types define how power and influence are exercised. Since the technician is prioritizing projects, their authority comes from their specialized knowledge or expertise, making this an example of expert authority.

Why Option D (Expert Authority) is Correct:

Expert authority is based on specialized knowledge, skills, or expertise rather than formal position or hierarchical power.

The technician is trusted to prioritize projects because of their technical knowledge and understanding of project impact.

Expert authority is commonly seen in IT specialists, consultants, and industry professionals who guide decision-making based on expertise.

Why Other Options Are Incorrect:

Option A (Legitimate Authority):

Incorrect because legitimate authority is derived from a formal position or title within an organizational hierarchy (e.g., CEO, manager).

Option B (Coercive Authority):

Incorrect because coercive authority relies on threats, punishment, or force, which is not applicable in this scenario.

Option C (Referent Authority):

Incorrect because referent authority is based on personal influence, charisma, or relationships, rather than expertise.

IIA Practice Guide – "Auditing Organizational Governance": Discusses different types of authority in decision-making.

COSO ERM Framework – "Risk Governance & Decision-Making": Recognizes expert authority as a key factor in risk-based project prioritization.

IIA’s GTAG – "Auditing IT Governance": Highlights the role of expert authority in IT project prioritization and governance.

IIA References:

The most effective mitigation is to embed ongoing controls within vendor management processes to ensure that both new and existing vendors are continuously screened against updated sanctions lists. This creates a sustainable and automated compliance mechanism.

Option A is reactive and does not address future compliance. Option B only addresses onboarding of new vendors but ignores existing ones. Option D undermines compliance obligations and does not mitigate risk.

A declining inventory turnover means that inventory is sitting longer before being sold, while an increasing gross margin rate suggests the company is making higher profits on each sale. This combination is often a sign of inventory overstatement, possibly due to accounting errors or fraud.

Correct Answer (D - The Organization’s Inventory is Overstated)

Inventory turnover ratio = Cost of Goods Sold (COGS) / Average Inventory. A declining inventory turnover indicates higher inventory levels relative to sales.

Gross margin rate = (Revenue - COGS) / Revenue. An increasing gross margin means either higher selling prices or lower COGS.

Overstating inventory artificially reduces COGS, making gross margin appear higher.

The IIA’s GTAG 8: Audit of Inventory Management explains that inflated inventory levels can distort financial reporting and lead to misinterpretations of business performance.

Why Other Options Are Incorrect:

Option A (Operating expenses are increasing):

An increase in operating expenses would not directly explain declining inventory turnover or increasing gross margin.

Gross margin focuses on revenue and COGS, not operating expenses.

Option B (Just-in-Time Inventory):

A just-in-time (JIT) system reduces inventory levels, leading to higher inventory turnover, which contradicts the scenario.

Option C (Inventory Theft):

If theft were occurring, inventory levels would decrease, leading to higher turnover, not declining turnover.

GTAG 8: Audit of Inventory Management – Discusses inventory valuation risks, including overstatement and its impact on financial ratios.

IIA Practice Guide: Assessing Inventory Risks – Covers fraud risks related to inventory manipulation.

Step-by-Step Explanation:IIA References for Validation:Thus, the best explanation for a declining inventory turnover with an increasing gross margin rate is inventory overstatement (D).

Fraud in time-tracking systems—such as "buddy punching" (where one employee clocks in/out for another)—is a common payroll fraud scheme. The most effective method to prevent this is biometric authentication, which ensures that only the actual employee can clock in or out.

(A) Face or finger recognition equipment. ✅

Correct. Biometric authentication (such as fingerprint or facial recognition) is the most effective solution because it uniquely identifies each individual, making it impossible for an employee to clock in on behalf of a colleague.

IIA GTAG "Managing and Auditing IT Vulnerabilities" recommends biometric authentication as a strong fraud prevention measure.

IIA Practice Guide "Fraud Prevention and Detection in an Automated Environment" highlights the use of biometrics for enhancing security in access control systems.

(B) Radio-frequency identification (RFID) chips to authenticate employees with cards.

Incorrect. RFID cards can be shared between employees, allowing fraud to continue. They are useful for access control but do not verify the identity of the person using the card.

(C) A requirement to clock in and clock out with a unique personal identification number (PIN).

Incorrect. PINs can be shared or stolen, making them ineffective in preventing buddy punching.

(D) A combination of a smart card and a password to clock in and clock out.

Incorrect. Like RFID and PIN systems, smart cards and passwords can be shared, making them ineffective against fraudulent time-tracking practices.

IIA GTAG – "Managing and Auditing IT Vulnerabilities"

IIA Practice Guide – "Fraud Prevention and Detection in an Automated Environment"

COSO Framework – Fraud Risk Management

Analysis of Answer Choices:IIA References:Thus, the correct answer is A, as biometric authentication directly verifies the employee’s identity, preventing time-tracking fraud.

Definition of Project Crashing:

Project crashing is a schedule compression technique used in project management to reduce the project completion time without changing its scope.

It involves adding extra resources (labor, equipment, budget) to critical path activities to complete them faster.

Key Aspects of Project Crashing:

Reduces project duration by increasing resources.

Leads to higher costs due to additional labor or expedited material procurement.

Used when project deadlines must be met and standard scheduling techniques are insufficient.

Why Other Options Are Incorrect:

A. It leads to an increase in risk and often results in rework:

While crashing can increase costs and risk, it does not necessarily result in rework unless poorly executed.

B. It is an optimization technique where activities are performed in parallel rather than sequentially:

This describes fast-tracking, not crashing. Fast-tracking involves overlapping tasks, while crashing adds resources to speed up tasks.

C. It involves a revaluation of project requirements and/or scope:

Crashing does not change project scope; it only shortens the schedule by allocating additional resources.

IIA’s Perspective on Project Risk and Management:

IIA Standard 2110 – Governance emphasizes the importance of project risk assessment, including schedule compression risks.

COSO ERM Framework identifies project cost overruns and resource misallocations as key risks in project execution.

PMBOK (Project Management Body of Knowledge) defines crashing as a schedule compression technique used when deadlines must be met at additional cost.

IIA References:

IIA Standard 2110 – Governance & Risk Oversight in Project Management

COSO Enterprise Risk Management (ERM) – Project Risk Considerations

PMBOK Guide – Schedule Compression Techniques (Crashing & Fast-Tracking)

Thus, the correct and verified answer is D. It is a compression technique in which resources are added so the project is completed faster.

Understanding Outsourcing and Its Impact:

Outsourcing refers to contracting external vendors to handle business functions that were previously managed in-house.

While it can reduce costs and improve efficiency, it increases reliance on external suppliers for critical services.

Why Increased Dependence on Suppliers is the Most Likely Result:

Loss of Internal Control: Companies lose direct oversight over quality, delivery times, and operational processes, depending on the supplier’s performance.

Risk of Supplier Disruptions: If the supplier faces financial difficulties, operational failures, or compliance issues, the outsourcing company is directly affected.

Vendor Lock-in: Over time, switching suppliers becomes difficult due to integration costs and proprietary dependencies.

Why Other Options Are Incorrect:

B. Increased importance of market strategy – Incorrect.

While outsourcing can free up resources to focus on core business strategy, it does not necessarily increase the importance of market strategy.

C. Decreased sensitivity to government regulation – Incorrect.

Outsourcing often increases regulatory risks, as companies must ensure third-party compliance with data protection, labor laws, and industry regulations.

D. Decreased focus on costs – Incorrect.

Outsourcing is typically done to reduce costs, not decrease cost focus. Organizations still monitor costs closely to ensure vendor contracts remain cost-effective.

IIA’s Perspective on Outsourcing and Risk Management:

IIA Standard 2120 – Risk Management requires internal auditors to evaluate risks associated with outsourcing.

IIA GTAG (Global Technology Audit Guide) on Third-Party Risk Management highlights risks related to supplier dependence, service quality, and compliance.

COSO ERM Framework recommends ongoing supplier performance monitoring to mitigate risks of over-dependence.

IIA References:

IIA Standard 2120 – Risk Management & Vendor Oversight

IIA GTAG – Third-Party Risk Management

COSO ERM – Managing Outsourcing Risks

Thus, the correct and verified answer is A. Increased dependence on suppliers.

Hacking refers to unauthorized access to an IT system, typically with the intent to disrupt, steal, or manipulate data. In this scenario, activists attacking an oil company's IT system as a protest falls under hacking because they are illegally breaking into the company’s digital infrastructure to make a statement.

Let’s analyze each option:

Option A: Tampering

Incorrect. Tampering refers to physically altering or interfering with a system (e.g., changing sensor readings in an oil rig), rather than attacking an IT system digitally.

Option B: Hacking

Correct.

The individuals are gaining unauthorized access to the company’s IT system.

This action is commonly associated with hacktivism, where hackers attack organizations for political or ideological reasons.

IIA Reference: Internal auditors assess cybersecurity threats, including hacking and unauthorized access risks. (IIA GTAG: Auditing Cybersecurity Risks)

Option C: Phishing

Incorrect. Phishing involves tricking individuals into revealing sensitive information (e.g., login credentials) through fraudulent emails or websites, but this scenario describes a direct attack on the IT system.

Option D: Piracy

Incorrect. Piracy typically refers to copyright infringement (e.g., unauthorized software use) rather than hacking an IT system.

Thus, the verified answer is B. Hacking.

Project governance refers to a broad collection of integrated policies, standards, and procedures that provide a framework for planning and executing projects. It establishes decision-making processes, accountability, and risk management controls to ensure that projects align with organizational objectives.

(A) Project portfolio. ❌

Incorrect. A project portfolio refers to a collection of projects managed together to achieve strategic objectives. It does not specifically define the policies, standards, and procedures for project execution.

(B) Project development. ❌

Incorrect. Project development focuses on designing, building, and testing a project, but it does not encompass governance structures like policies, standards, and oversight.

(C) Project governance. ✅

Correct. Project governance includes integrated policies, standards, and procedures that guide project planning, execution, and oversight.

IIA GTAG "Auditing IT Projects" emphasizes project governance as the primary control framework for managing project risks and ensuring alignment with organizational goals.

(D) Project management methodologies. ❌

Incorrect. Project management methodologies (e.g., Agile, Waterfall, PRINCE2) provide structured approaches for executing projects but do not encompass the full governance framework.

IIA GTAG – "Auditing IT Projects"

IIA Standard 2110 – Governance (Project Risk Management)

COSO ERM Framework – Project Oversight and Risk Governance

Analysis of Answer Choices:IIA References:Thus, the correct answer is C (Project governance), as it provides the integrated policies, standards, and procedures needed for effective project oversight.

Electronic Data Interchange (EDI) is a system that allows businesses to exchange documents (purchase orders, invoices, shipping notices) electronically, improving efficiency and accuracy.

Correct Answer (A - A Just-in-Time Purchasing Environment)

Just-in-time (JIT) purchasing requires real-time inventory management to reduce waste and costs.

EDI improves JIT by automating purchase orders, reducing lead times, and preventing stockouts.

The IIA GTAG 8: Audit of Inventory Management highlights that JIT purchasing benefits the most from automation through EDI.

Why Other Options Are Incorrect:

Option B (A large volume of custom purchases):

Custom purchases vary significantly in specifications, making standard EDI transactions less effective.

Option C (A variable volume sensitive to material cost):

While EDI helps with volume fluctuations, cost-sensitive purchasing requires additional financial analysis beyond EDI automation.

Option D (A currently inefficient purchasing process):

EDI improves efficiency, but implementing it in a failing process without first optimizing procedures could lead to automation of inefficiencies.

IIA GTAG 8: Audit of Inventory Management – Discusses automation benefits in JIT purchasing.

IIA Practice Guide: Auditing IT Controls – Covers EDI as a key tool for procurement efficiency.

Step-by-Step Explanation:IIA References for Validation:Thus, the greatest benefit from EDI is in a Just-in-Time (JIT) purchasing environment (A).

Understanding Labor Variances in Cost Accounting:

Labor efficiency variance measures the difference between the actual hours worked and the standard hours allowed for actual production.

Labor rate variance measures the difference between the actual labor cost per hour and the standard rate set for labor.

Why Options 1 (Favorable Labor Efficiency Variance) and 2 (Adverse Labor Rate Variance) Are Correct?

Favorable Labor Efficiency Variance (1):

Hiring more experienced researchers should lead to higher productivity, meaning that the team completes tasks faster, reducing the total labor hours required.

This results in a favorable labor efficiency variance because less time is spent on the project than initially expected.

Adverse Labor Rate Variance (2):

More experienced employees command higher salaries, leading to an increase in labor costs per hour compared to the budgeted rate.

This results in an adverse labor rate variance because the actual wage rate exceeds the standard rate.

Why Other Options Are Incorrect?

Option 3 (Adverse Labor Efficiency Variance):

This would occur if the new hires were less productive, which contradicts the scenario.

Option 4 (Favorable Labor Rate Variance):

A favorable variance in labor rate occurs when labor costs are lower than expected, which is unlikely when hiring more experienced (higher-paid) employees.

Hiring more experienced employees improves efficiency (favorable efficiency variance) but increases wages (adverse rate variance).

IIA Standard 1220 – Due Professional Care requires auditors to consider operational efficiency in decision-making evaluations.

Final Justification:IIA References:

IPPF Standard 1220 – Due Professional Care

IIA Practice Guide – Assessing Business Performance Metrics