IIA-CIA-Part3 IIA Business Knowledge for Internal Auditing Free Practice Exam Questions (2025 Updated)

A database administrator (DBA) should not perform duties that compromise segregation of duties (SoD). A conflict arises when a DBA has both design and security responsibilities, as this creates a risk of unauthorized changes, fraud, or data breaches.

(A) Designing and maintaining the database.

Incorrect: These tasks are related but do not create a major conflict, as maintenance follows the design phase.

(B) Preparing input data and maintaining the database.

Incorrect: While data preparation is typically a business function, maintaining the database does not create a direct security risk.

(C) Maintaining the database and providing its security.

Incorrect: Maintenance involves technical upkeep, and while security controls are crucial, they do not inherently conflict.

(D) Designing the database and providing its security. (Correct Answer)

A DBA responsible for both design and security could create backdoors or override security settings, leading to potential data manipulation or fraud.

IIA Standard 2120 – Risk Management requires proper control segregation to prevent fraud and security risks.

IIA GTAG 4 – Management of IT Auditing recommends separation of design, security, and administration functions to minimize risks.

IIA Standard 2120 – Risk Management: Encourages proper separation of duties to mitigate risks.

IIA GTAG 4 – Management of IT Auditing: Recommends strict control over database access and security roles.

Analysis of Each Option:IIA References Supporting the Answer:Thus, the correct answer is (D) because combining database design and security responsibilities creates a significant conflict of interest, increasing security risks.

A systems development methodology refers to a structured approach used in software development and systems engineering to guide the design, development, and implementation of software applications.

Why Option A (Waterfall) is Correct:

Waterfall methodology is a linear and sequential systems development methodology where each phase (e.g., requirements, design, implementation, testing, deployment) must be completed before moving to the next.

It is widely established and historically one of the first software development methodologies.

Used in large-scale enterprise projects where detailed planning and structured execution are required.

Why Other Options Are Incorrect:

Option B (PRINCE2 - Projects in Controlled Environments):

Incorrect because PRINCE2 is a project management framework, not a systems development methodology.

Option C (ITIL - Information Technology Infrastructure Library):

Incorrect because ITIL is a set of IT service management (ITSM) best practices, not a software development methodology.

Option D (COBIT - Control Objectives for Information and Related Technologies):

Incorrect because COBIT is a governance framework for IT management and controls, not a development methodology.

IIA GTAG – "Auditing IT Projects and Systems Development": Highlights Waterfall as a traditional systems development methodology.

IIA’s Global Technology Audit Guide on IT Risks: Discusses software development lifecycle risks, including Waterfall methodology.

COBIT Framework – BAI03 (Manage Solutions Identification and Build): References structured methodologies like Waterfall in IT governance.

IIA References:

When implementing big data systems, organizations must establish ongoing production monitoring to ensure system performance, efficiency, and reliability.

Why Option A (Key performance indicators) is Correct:

KPIs (Key Performance Indicators) measure the effectiveness and success of big data systems.

KPIs help track system efficiency, data processing speed, accuracy, and resource utilization during production.

Examples of KPIs in big data systems include data ingestion rate, processing time, query performance, system uptime, and error rates.

Why Other Options Are Incorrect:

Option B (Reports of software customization):

Incorrect because software customization reports document system modifications but do not monitor system performance.

Option C (Change and patch management):

Incorrect because change and patch management deals with software updates and security fixes, not ongoing performance monitoring.

Option D (Master data management):

Incorrect because master data management focuses on data governance and consistency, not real-time system performance.

IIA GTAG – "Auditing Big Data Systems": Recommends using KPIs to measure the effectiveness of big data implementation.

COBIT 2019 – APO08 (Manage Performance and Capacity): Emphasizes KPI tracking for IT and data system performance.

NIST Big Data Framework: Highlights the importance of KPIs for monitoring big data system performance.

IIA References:

A declining inventory turnover combined with an increasing gross margin rate suggests that the organization is not selling inventory as quickly as before, but still reporting higher profitability. This can indicate overstated inventory values, meaning that financial statements show higher inventory balances than what actually exists.

(A) Incorrect – The organization’s operating expenses are increasing.

Operating expenses do not directly affect inventory turnover, which measures how quickly inventory is sold.

Higher expenses could reduce net profit, but they would not explain a higher gross margin.

(B) Incorrect – The organization has adopted just-in-time (JIT) inventory.

JIT inventory systems increase inventory turnover by reducing excess stock.

Since turnover is declining, this suggests the opposite of JIT.

(C) Incorrect – The organization is experiencing inventory theft.

Inventory theft usually reduces inventory levels, potentially increasing inventory turnover due to lower stock.

Theft could lower gross margins if significant losses occur.

(D) Correct – The organization’s inventory is overstated.

Overstated inventory leads to lower COGS, artificially inflating gross margin.

If inventory levels are inflated, turnover appears lower because reported inventory is higher than actual sales justify.

IIA’s Global Internal Audit Standards – Financial Statement Audits and Fraud Risk

Covers risks related to inventory misstatements and financial fraud.

IFRS & GAAP Accounting Standards – Inventory Valuation

Defines how inventory overstatement impacts financial ratios.

Analysis of Answer Choices:IIA References and Internal Auditing Standards:

Biometric access controls use unique physical or behavioral characteristics for identification and security. Among the listed options, retinal print comparison is the most unique and secure, as it relies on the intricate patterns of blood vessels in the retina, which are nearly impossible to replicate or alter.

(A) Facial comparison using photo identification.

Incorrect: Facial recognition is widely used but less unique than retinal scanning because it can be affected by lighting, aging, or facial hair.

IIA GTAG 9 – Identity and Access Management mentions facial recognition as a medium-security method.

(B) Signature comparison.

Incorrect: Signatures can be forged or changed over time, making this a low-security biometric method.

(C) Voice comparison.

Incorrect: Voice patterns are unique but can be affected by illness, background noise, or recording quality, reducing reliability.

(D) Retinal print comparison. (Correct Answer)

Retinal patterns are highly unique, more than fingerprints, and do not change over time.

Difficult to forge, making it the most secure biometric authentication method.

IIA GTAG 9 – Identity and Access Management ranks retinal scanning among the highest security biometric controls.

IIA GTAG 9 – Identity and Access Management: Discusses biometric authentication and ranks retinal scanning as one of the most secure options.

IIA Standard 2120 – Risk Management: Emphasizes strong authentication controls for access security.

Analysis of Each Option:IIA References Supporting the Answer:Thus, the correct answer is (D) Retinal print comparison because it is the most unique, secure, and reliable biometric characteristic for authentication.

In an assurance engagement involving smart devices, the first step is to obtain a comprehensive inventory of all devices in use. This ensures that the audit covers all relevant assets and allows the internal auditor to assess risks, controls, and policies effectively.

(A) Incorrect – Train all employees on bring-your-own-device (BYOD) policies.

While employee training is important, it is a control measure rather than the first step in an assurance engagement.

Without an inventory of devices, training effectiveness cannot be assessed.

(B) Incorrect – Understand what procedures are in place for locking lost devices.

This is a specific control measure but not the starting point for an engagement.

The first step should be to identify what devices exist before evaluating security measures.

(C) Correct – Obtain a list of all smart devices in use.

The foundation of an assurance engagement is identifying the scope, which includes listing all smart devices in use.

This allows the auditor to evaluate security risks, compliance, and control measures effectively.

(D) Incorrect – Test encryption of all smart devices.

Testing encryption is an audit procedure that should be performed after understanding the inventory and existing controls.

Without knowing which devices exist, encryption testing would not be effective.

IIA’s Global Internal Audit Standards – Technology Assurance and Cybersecurity Audits

Outlines steps for conducting technology-related assurance engagements.

IIA’s GTAG (Global Technology Audit Guide) on Auditing Smart Devices

Recommends obtaining an inventory of devices as the first step in an audit.

COBIT Framework – IT Asset Management and Control

Emphasizes identifying assets as the foundation of IT governance and risk management.

Analysis of Answer Choices:IIA References and Internal Auditing Standards:

A preventive control is designed to stop security breaches before they happen. In data center security, preventing unauthorized physical access is crucial.

Prevents Unauthorized Entry – Restricts access only to authorized personnel.

Tracks and Logs Access – Records who enters and exits the data center, enhancing security monitoring.

Enhances Security Layers – Often combined with biometric authentication or PINs for stronger access control.

Meets IT Security Standards – Aligns with ISO 27001, NIST, and IIA’s GTAG recommendations on physical security.

A. Motion detectors – These are detective controls, identifying movement but not preventing unauthorized access.

C. Security cameras – Also detective, as they record events but do not prevent physical breaches.

D. Monitoring access to data center workstations – This ensures data integrity but does not prevent physical access.

IIA’s GTAG (Global Technology Audit Guide) on Information Security – Recommends strong physical access controls like key cards.

NIST SP 800-53 (Security and Privacy Controls for Federal Information Systems) – Emphasizes access control as a preventive security measure.

ISO 27001 Annex A.11 (Physical and Environmental Security) – Requires access control for secure areas, including data centers.

Why Key Card Access is the Best Preventive Control?Why Not the Other Options?IIA References:

Detecting an inventory fraud scheme requires analyzing patterns of inventory adjustments, particularly across different locations. Fraudulent activities often involve unauthorized write-offs, stock transfers, or misstatements of inventory levels.

(A) Analyze invoice payments just under individual authorization limits.

Incorrect: This technique is useful for detecting procurement fraud or invoice splitting, but not directly related to inventory fraud.

(B) Analyze stratification of inventory adjustments by warehouse location. (Correct Answer)

Fraudulent inventory write-offs often occur in specific warehouses or locations where controls are weak.

Stratifying inventory adjustments helps identify abnormal patterns, such as excessive losses in one location.

IIA Standard 2120 (Risk Management) recommends data analytics and trend analysis to detect anomalies.

COSO ERM – Control Activities emphasizes monitoring and review of inventory adjustments to prevent fraud.

(C) Analyze inventory invoice amounts and compare with approved contract amounts.

Incorrect: This technique is effective for detecting overbilling or procurement fraud, but not inventory fraud, which involves physical stock manipulation.

(D) Analyze differences discovered during duplicate payment testing.

Incorrect: Duplicate payment testing helps uncover billing fraud, not inventory fraud.

IIA Standard 2120 – Risk Management: Encourages fraud detection through trend analysis and data monitoring.

IIA Practice Guide – Auditing Inventory Management: Suggests stratification of inventory adjustments to identify fraud.

COSO ERM – Control Activities: Recommends monitoring inventory transactions to prevent fraud.

Analysis of Each Option:IIA References Supporting the Answer:Thus, the correct answer is (B) because analyzing stratification of inventory adjustments by warehouse location helps detect irregular patterns indicative of fraud.

When deciding whether to sell a product as-is or process it further, a manufacturer should consider only relevant costs—those that will change based on the decision.

Why Option A (Incremental processing costs, incremental revenue, and variable manufacturing expenses) is Correct:

Incremental processing costs: These are additional costs required to process the material further, making them directly relevant.

Incremental revenue: The additional revenue that would be generated if the product is processed further is a key factor in decision-making.

Variable manufacturing expenses: These costs change with production levels, making them important in the decision-making process.

Why Other Options Are Incorrect:

Option B (Joint costs, incremental processing costs, and variable manufacturing expenses):

Incorrect because joint costs (costs incurred before the split-off point) are sunk costs and are not relevant in the decision.

Option C (Incremental revenue, joint costs, and incremental processing costs):

Incorrect because, again, joint costs are not relevant to the decision.

Option D (Variable manufacturing expenses, incremental revenue, and joint costs):

Incorrect because joint costs should be ignored in a sell-or-process-further decision.

IIA GTAG – "Auditing Cost Accounting Decisions": Discusses relevant costs in decision-making.

IFRS & GAAP Cost Accounting Standards: Explain cost classification and decision-making.

COSO Internal Control – Integrated Framework: Recommends proper cost allocation methods for financial decisions.

IIA References:

Understanding Data Recovery and Security Risks:

Data must be protected, recoverable, and accessible when needed while maintaining security.

The best practice is to store encrypted backups offsite while keeping encryption keys separate but accessible.

Why Option D is Correct?

Storing encrypted data offsite (a few hours away) ensures protection against disasters (e.g., fire, cyberattacks, physical damage).

Keeping encryption keys at the organization ensures that recovery is quick and controlled without risking unauthorized access.

This aligns with the IIA's IT Audit Practices and ISO 27001 (Information Security Management), which emphasize separate storage of encrypted data and encryption keys for security and recoverability.

IIA Standard 2110 – Governance requires internal auditors to assess whether IT governance ensures the availability and security of critical data.

Why Other Options Are Incorrect?

Option A (Encrypted physical copies and keys stored together at the organization):

If both data and keys are in the same location, a disaster or breach would make recovery impossible.

Option B (Encrypted copies and keys stored in separate locations far away):

While secure, if encryption keys are stored too far, recovery could be delayed, impacting business continuity.

Option C (Encrypted usage reports in a cloud database):

This does not ensure full data recovery; it only provides logs and structure changes, not the actual data.

Storing encrypted data offsite while keeping encryption keys accessible onsite follows best IT security and disaster recovery practices.

IIA Standard 2110 supports evaluating IT governance, including data security and recovery controls.

Final Justification:IIA References:

IPPF Standard 2110 – Governance

ISO 27001 – Information Security Management

NIST SP 800-34 – Contingency Planning Guide for IT Systems

COBIT Framework – Data Security & Recovery Controls

To efficiently protect business data from corruption and errors, the best approach is proactive detection through validation controls. Batch total calculations help verify data integrity before approval, ensuring errors are caught early.

(A) Controls to ensure data is unable to be accessed without authorization.

Incorrect: Access controls prevent unauthorized access, but they do not detect or prevent data corruption/errors.

(B) Controls to calculate batch totals to identify an error before approval. (Correct Answer)

Batch control totals ensure that data entries match expected values before processing, helping detect errors before approval.

IIA GTAG 3 – Continuous Auditing recommends automated validation and reconciliation checks for data integrity.

(C) Controls to encrypt the data so that corruption is likely ineffective.

Incorrect: Encryption protects data confidentiality, but it does not prevent or detect errors or corruption.

(D) Controls to quickly identify malicious intrusion attempts.

Incorrect: Intrusion detection systems focus on cybersecurity, not data corruption or errors.

IIA Standard 2120 – Risk Management: Recommends controls for error prevention and early detection.

IIA GTAG 3 – Continuous Auditing: Suggests automated validation processes like batch totals to detect errors before approval.

Analysis of Each Option:IIA References Supporting the Answer:Thus, the correct answer is (B) because batch total calculations effectively detect errors before approval, ensuring data integrity.

In contract law, a witness's primary role is to confirm that the signatures on the contract were made by the actual parties (promisor and promisee) and that they signed it in the witness’s presence. This helps prevent disputes regarding forgery or coercion.

(A) A witness verifies the quantities of the copies signed.

Incorrect: The witness's role is not to verify how many copies were signed but rather to confirm authenticity.

(B) A witness verifies that the contract was signed with the free consent of the promisor and promisee.

Partially correct but not the primary role: The witness’s presence may discourage coercion, but their main function is not to confirm free consent (that is a legal principle covered by contract law and not necessarily the witness's duty).

(C) A witness ensures the completeness of the contract between the promisor and promisee.

Incorrect: The completeness of the contract is the responsibility of the parties involved, not the witness.

(D) A witness validates that the signatures on the contract were signed by the promisor and promisee. (Correct Answer)

This aligns with the legal definition of a witness in contract law: verifying the identity of signatories and ensuring that they physically signed the contract.

The witness does not interpret the contract's terms or validate its content, only the signatures.

IIA Standard 2410 – Criteria for Communicating: Requires auditors to confirm the authenticity and validity of documents.

IIA Standard 2330 – Documenting Information: Supports the principle of ensuring reliable and complete documentation.

Contract Law Principles: A witness’s role is to verify the signatories’ identities and confirm they signed the document in their presence.

Analysis of Each Option:IIA References Supporting the Answer:Thus, the correct answer is (D) because a witness’s main duty is to validate that the contract was signed by the identified parties, ensuring authenticity and reducing legal disputes.

A focus strategy targets a specific market segment, geographical area, or niche customer base rather than competing in the entire market.

Why Option D (Focus strategy) is Correct:

The car manufacturer introduced a hybrid vehicle specifically for the European market to address increasing emission taxes, meaning they are focusing on a specific region and customer need.

Focus strategy aims at tailoring products to meet the needs of a particular group of consumers (e.g., environmentally conscious European customers).

Why Other Options Are Incorrect:

Option A (Reactive strategy):

Incorrect because while the company is responding to regulatory changes, "reactive strategy" is not a recognized competitive strategy under Porter’s model.

Option B (Cost leadership strategy):

Incorrect because cost leadership focuses on minimizing costs and offering the lowest price in the broad market. This scenario does not emphasize cost reduction.

Option C (Differentiation strategy):

Incorrect because differentiation involves offering unique products across a broad market, whereas the hybrid vehicle is targeted specifically for the European market.

IIA Practice Guide – "Auditing Strategic Risk Management": Discusses competitive strategies, including focus strategy.

Porter's Competitive Strategy Model: Defines focus strategy as targeting a niche market.

COSO ERM Framework – "Strategic Decision-Making": Recommends market-specific focus strategies to mitigate regulatory risks.

IIA References:

Fixed manufacturing costs refer to costs that do not vary with the level of production activity within a relevant range. These costs include expenses such as depreciation, rent, property taxes, and salaries of permanent employees in the production facility. Their primary purpose is to ensure the availability and operational readiness of production facilities, regardless of fluctuations in production levels.

(A) Correct – To ensure availability of production facilitiesFixed manufacturing costs are incurred to maintain and operate production facilities, ensuring that they remain functional and available for production when needed. These costs exist even if no units are produced, emphasizing their role in sustaining the production infrastructure.

(B) Incorrect – To decrease direct expenses related to productionFixed manufacturing costs are unrelated to direct expenses, such as raw materials and labor, which vary with production volume. Instead, they remain constant regardless of output levels.

(C) Incorrect – To incur stable costs despite operating capacityWhile fixed costs remain stable within a relevant range, their primary purpose is not just cost stability but ensuring production facilities' availability and functionality.

(D) Incorrect – To increase the total unit cost under absorption costingUnder absorption costing, fixed manufacturing costs are allocated to units produced, affecting per-unit cost calculations. However, this is an accounting treatment rather than the core purpose of fixed manufacturing costs.

IIA’s Global Internal Audit Standards – Managing Resources Effectively

Fixed manufacturing costs ensure operational resources are available and managed efficiently.

IIA’s Guide on Cost Management and Internal Control

Highlights the role of cost structures, including fixed costs, in ensuring business continuity.

IIA’s Practice Advisory on Cost Accounting Controls

Discusses the importance of maintaining production facilities to ensure operational readiness.

Breakdown of Answer Choices:IIA References and Internal Auditing Standards:Would you like further clarification on any point?

Decentralization refers to the process by which decision-making authority is distributed to lower levels of management within an organization. The degree, importance, and range of decision-making at lower levels are directly related to the extent of decentralization.

Direct Relationship Defined:

As decentralization increases, more decision-making power is transferred to lower levels of the organization.

This means that managers and employees at lower levels are empowered to make a broader range of decisions with greater significance.

The Importance of Lower-Level Decision-Making in a Decentralized Structure:

A decentralized structure allows lower-level managers to respond quickly to operational issues and make important decisions without seeking approval from top management.

This enables increased efficiency, innovation, and adaptability in a dynamic business environment.

IIA's Perspective on Governance and Decision-Making:

According to the International Professional Practices Framework (IPPF) by the Institute of Internal Auditors (IIA), internal auditors must assess the governance structure of an organization, which includes understanding how decision-making authority is allocated.

The IIA’s Three Lines Model highlights the role of management in decision-making, emphasizing the need for a clear and effective delegation of authority.

IIA Standard 2110 – Governance states that internal auditors must evaluate decision-making processes to ensure they align with the organization’s objectives and risk management strategies.

Supporting Business Concepts:

Decentralized organizations like multinational corporations, franchises, and divisional structures benefit from empowering lower levels with decision-making authority.

In contrast, centralized organizations retain control at the top, limiting the scope of decisions at lower levels.

A direct relationship exists because the more decentralized a company is, the greater the responsibility of lower levels in making crucial decisions.

IIA References:

IPPF Standards: Standard 2110 – Governance

IIA’s Three Lines Model – Emphasizing clear delegation of authority

COSO Internal Control Framework – Discusses decentralized decision-making in control environments

Business Knowledge for Internal Auditing (IIA Study Guide) – Governance and decision-making structure

In organizations, authority types define how power and influence are exercised. Since the technician is prioritizing projects, their authority comes from their specialized knowledge or expertise, making this an example of expert authority.

Why Option D (Expert Authority) is Correct:

Expert authority is based on specialized knowledge, skills, or expertise rather than formal position or hierarchical power.

The technician is trusted to prioritize projects because of their technical knowledge and understanding of project impact.

Expert authority is commonly seen in IT specialists, consultants, and industry professionals who guide decision-making based on expertise.

Why Other Options Are Incorrect:

Option A (Legitimate Authority):

Incorrect because legitimate authority is derived from a formal position or title within an organizational hierarchy (e.g., CEO, manager).

Option B (Coercive Authority):

Incorrect because coercive authority relies on threats, punishment, or force, which is not applicable in this scenario.

Option C (Referent Authority):

Incorrect because referent authority is based on personal influence, charisma, or relationships, rather than expertise.

IIA Practice Guide – "Auditing Organizational Governance": Discusses different types of authority in decision-making.

COSO ERM Framework – "Risk Governance & Decision-Making": Recognizes expert authority as a key factor in risk-based project prioritization.

IIA’s GTAG – "Auditing IT Governance": Highlights the role of expert authority in IT project prioritization and governance.

IIA References:

The Define, Measure, Analyze, Improve, and Control (DMAIC) methodology is the core framework of Six Sigma, a data-driven process improvement approach that aims to reduce defects, enhance efficiency, and optimize performance.

(A) Correct – Six Sigma.

DMAIC is a structured Six Sigma methodology used for problem-solving and process improvement.

It helps organizations identify inefficiencies, eliminate errors, and standardize processes.

(B) Incorrect – Quality circle.

A quality circle is a group of employees who meet to discuss and resolve work-related issues, but it does not follow the structured DMAIC approach.

(C) Incorrect – Value chain analysis.

Value chain analysis focuses on evaluating business activities to improve competitive advantage, not structured process improvement like Six Sigma.

(D) Incorrect – Theory of constraints.

The Theory of Constraints (TOC) focuses on identifying and eliminating bottlenecks in processes, but it does not use the DMAIC approach.

IIA’s Global Internal Audit Standards – Process Improvement and Risk Management

Emphasizes methodologies like Six Sigma for operational efficiency.

COSO’s ERM Framework – Continuous Improvement and Quality Management

Discusses the role of Six Sigma in improving processes and reducing risks.

IIA’s Guide on Business Process Auditing

Recommends structured approaches such as Six Sigma for evaluating process efficiency.

Analysis of Answer Choices:IIA References and Internal Auditing Standards:

Cybersecurity is primarily focused on protecting information assets by preventing unauthorized access, data breaches, cyberattacks, and other security threats. The confidentiality, integrity, and availability (CIA) triad is the foundation of cybersecurity, with access control playing a key role in mitigating risks.

(A) Incorrect – To protect the effective performance of IT general and application controls.

While cybersecurity supports IT controls, its primary goal is information security, not just control performance.

(B) Incorrect – To regulate users' behavior in the web and cloud environment.

Cybersecurity includes user behavior policies, but its primary goal is preventing unauthorized access rather than regulation.

(C) Correct – To prevent unauthorized access to information assets.

The core objective of cybersecurity is to prevent unauthorized access, protecting data from cyber threats.

This aligns with the CIA (Confidentiality, Integrity, Availability) security model.

(D) Incorrect – To secure application of protocols and authorization routines.

Protocols and authorization routines are part of cybersecurity controls, but they are not the primary objective.

IIA’s GTAG (Global Technology Audit Guide) – Cybersecurity Risks and Controls

Defines cybersecurity as the protection of information assets from unauthorized access and threats.

NIST Cybersecurity Framework – Access Control and Information Security

Focuses on preventing unauthorized access to sensitive systems.

COBIT Framework – IT Governance and Security

Emphasizes the protection of data and IT assets through cybersecurity measures.

Analysis of Answer Choices:IIA References and Internal Auditing Standards:

Data governance refers to the policies, processes, and controls an organization implements to ensure data integrity, security, and compliance. When an organization has a weak data governance culture, the most compromised attribute of data is "veracity," which refers to the accuracy, reliability, and trustworthiness of data.

Why Option D (Veracity) is Correct:

Weak data governance leads to poor data quality, inconsistencies, and errors, reducing data veracity (trustworthiness and accuracy).

Without strong governance, data may be incomplete, outdated, or manipulated, leading to flawed decision-making.

Data veracity is critical for risk management, internal audit, and regulatory compliance, as unreliable data can lead to financial misstatements and operational risks.

Why Other Options Are Incorrect:

Option A (Variety):

Variety refers to different types and sources of data (structured, unstructured, semi-structured).

A weak data governance culture does not necessarily affect the diversity of data sources.

Option B (Velocity):

Velocity refers to the speed at which data is generated, processed, and analyzed.

Weak governance impacts data quality more than processing speed.

Option C (Volume):

Volume refers to the quantity of data being processed and stored.

Weak data governance might lead to data duplication or loss but does not directly impact data volume.

IIA GTAG – "Auditing Data Governance": Emphasizes the importance of data veracity in decision-making.

COSO Internal Control Framework: Highlights the role of data integrity in financial and operational controls.

IIA’s Global Technology Audit Guide on Data Analytics: Discusses the risks of poor data governance affecting veracity.

IIA References: