IIA-CIA-Part3 IIA Business Knowledge for Internal Auditing Free Practice Exam Questions (2025 Updated)

An intangible asset is an asset that lacks physical substance but has value due to its legal rights or expected economic benefits. Some intangible assets have finite useful lives (e.g., copyrights, patents) and are amortized, while others have indefinite useful lives and are not amortized but tested for impairment.

(A) Underground oil deposits. ❌

Incorrect. Oil deposits are natural resources, not intangible assets. They are classified as depletable assets because their value declines as they are extracted.

(B) Copyright. ❌

Incorrect. A copyright grants exclusive rights to reproduce and distribute creative works, but it has a finite legal life (typically 50-100 years, depending on jurisdiction). It is amortized over time.

(C) Trademark. ✅

Correct. A trademark (e.g., a company’s logo or brand name) is considered an indefinite-life intangible asset because it can be renewed indefinitely as long as the business continues to use it and follows renewal requirements.

According to IIA GTAG – "Auditing Intangible Assets", trademarks are subject to impairment testing, but they are not amortized unless their useful life becomes definite.

(D) Land. ❌

Incorrect. Land is a tangible asset, not an intangible one. While it has an indefinite life, it does not fit the category of intangible assets.

IIA GTAG – "Auditing Intangible Assets"

IIA Standard 2130 – Control Activities (Asset Management)

IFRS and GAAP Guidelines – Indefinite and Finite-Lived Intangible Assets

Analysis of Answer Choices:IIA References:Thus, the correct answer is C (Trademark), as trademarks have indefinite lives unless there is evidence to the contrary.

A hot site is a fully operational, ready-to-use backup site that allows an organization to quickly resume business operations after a disaster. For an Internet Service Provider (ISP), maintaining continuous operations is critical, and a hot site ensures minimal downtime by providing pre-configured hardware, software, and network connectivity.

A. On-site – Keeping backups and disaster recovery infrastructure on-site is risky because it can be affected by the same disaster that damaged the primary servers.

B. Cold site – A cold site is a backup location that has infrastructure but lacks pre-installed systems and configurations. It takes significant time to become operational, making it unsuitable for an ISP needing quick recovery.

C. Hot site (Correct Answer) – A hot site is fully operational, with replicated data, applications, and network configurations that allow an ISP to quickly switch operations, minimizing service disruption.

D. Warm site – A warm site is partially equipped with some hardware and software but requires configuration before becoming operational. This delays recovery compared to a hot site.

IIA GTAG (Global Technology Audit Guide) 10 – Business Continuity Management emphasizes the importance of hot sites for organizations requiring real-time service restoration.

IIA IPPF Standard 2120 – Risk Management advises organizations to assess disaster recovery plans and ensure continuity strategies align with business needs.

COBIT 2019 – DSS04 (Managed Continuity) discusses different recovery site types and their impact on business continuity.

Explanation of Each Option:IIA References:

A differentiation strategy focuses on creating unique products or services to stand out from competitors. This strategy requires a flexible, decentralized structure that encourages innovation and market responsiveness, which is best achieved through a divisional structure.

Divisional Structure Supports Differentiation:

A divisional structure organizes the company into semi-autonomous business units, each focusing on a specific product, market, or geographic area.

This allows businesses to adapt strategies based on customer needs and competitive positioning.

Enhances Responsiveness and Innovation:

Each division operates independently, making quicker decisions that align with the differentiation strategy.

Fits Competitive Strategies:

Companies using differentiation need flexibility and customer focus, which a divisional structure provides better than rigid structures.

A. Functional structure:

Functional structures group employees by departments (e.g., finance, marketing) and are more suited for cost-leadership strategies, not differentiation.

C. Mechanistic structure:

A mechanistic structure is highly centralized and rigid, making it incompatible with innovation and differentiation.

D. Functional structure with cross-functional teams:

While this adds flexibility, it does not provide the autonomy needed for differentiation like a divisional structure does.

IIA Standard 2110 - Governance: Internal auditors assess business structures and strategies for alignment with organizational objectives.

COSO Framework - Performance Component: Ensures organizational structure supports strategic goals.

Key Reasons Why Option B is Correct:Why Other Options Are Incorrect:IIA References:Thus, the correct answer is B. Divisional structure.

Total Quality Management (TQM) focuses on continuous improvement, teamwork, and process efficiency. The CAE’s goal is to reduce audit time and improve client satisfaction, which requires collaborative decision-making and diverse skill sets to ensure a high-quality, efficient audit process.

(A) Assign a team with a trained audit manager to plan each audit and distribute fieldwork tasks to various staff auditors. ❌

Incorrect. While structured planning is beneficial, TQM emphasizes decentralized decision-making rather than relying solely on the audit manager.

(B) Assign a team of personnel who have different specialties to each audit and empower team members to participate fully in key decisions. ✅

Correct. TQM encourages cross-functional teams, collaboration, and shared decision-making, which helps in reducing audit time and improving quality.

IIA GTAG "Auditing Continuous Improvement Initiatives" highlights diverse audit teams as a best practice for improving audit effectiveness.

(C) Assign a team to each audit, designate a single person to be responsible for each phase of the audit, and limit decision-making outside of their area of responsibility. ❌

Incorrect. This approach is too rigid and limits team collaboration, which contradicts TQM principles.

(D) Assign a team of personnel who have similar specialties to specific engagements that would benefit from those specialties and limit key decisions to the senior person. ❌

Incorrect. Specializing teams in certain audits may improve technical accuracy, but TQM promotes diverse perspectives rather than restricting decisions to one senior auditor.

IIA GTAG – "Auditing Continuous Improvement Initiatives"

IIA Standard 2110 – Governance (Process Improvement)

ISO 9001 – Total Quality Management Principles

Analysis of Answer Choices:IIA References:Thus, the correct answer is B, as TQM supports cross-functional teams and shared decision-making to improve audit efficiency and client satisfaction.

Understanding Competitive Business Strategies:

The board of directors' focus is on industry leadership and outperforming competitors.

A strong research and development (R&D) strategy drives innovation, allowing the organization to introduce new and differentiated products that enhance competitive advantage.

Why Option C (Investment in R&D) Is Correct?

R&D drives product innovation, helping the organization stay ahead of competitors.

Investing in new technologies and unique product features differentiates the company and strengthens market leadership.

IIA Standard 2120 – Risk Management supports evaluating strategic investments that enhance business growth and competitive positioning.

Why Other Options Are Incorrect?

Option A (Divesting unprofitable product lines):

While divestment improves financial health, it does not directly contribute to market leadership.

Option B (Increasing diversity of business units):

Expanding into new business areas spreads risk but may not provide a focused competitive advantage in the primary industry.

Option D (Relocating manufacturing to another country):

Lowering costs improves efficiency, but it does not directly position the company as an industry leader.

Investing in R&D aligns best with the board’s goal of industry leadership and competitive advantage.

IIA Standard 2120 supports strategic risk management and innovation investment.

Final Justification:IIA References:

IPPF Standard 2120 – Risk Management (Strategic Investment & Competitive Advantage)

COSO ERM – Business Growth & Innovation Risk Management

Porter’s Competitive Strategy Model – R&D as a Market Differentiator

The discussion between the internal auditor and the database administrator is most likely centered around the security risk present in the period between account creation and password change. When a system generates a default password such as "123456," it introduces a temporary vulnerability until the user changes it.

Understanding Default Password Security Risks:

Default passwords, especially predictable ones (e.g., "123456"), pose a security threat because they are easy to guess.

If an unauthorized user gains access before the legitimate user changes the password, data confidentiality and integrity may be compromised (IIA GTAG - Global Technology Audit Guide).

Evaluating the Window of Exposure:

The primary concern is the time between account creation and password reset.

During this time, an attacker could exploit the default password to gain unauthorized access to sensitive systems.

Why Other Options Are Less Relevant:

Option A (Replacing numbers with characters) – While this improves security, it does not directly address the risk of an attacker exploiting the default password before the user resets it.

Option B (Users continuing to use the initial password) – This is a security issue, but it is mitigated by requiring a password reset upon first login. The primary concern is the time before the reset happens.

Option D (User training on password management) – While training is crucial for long-term security, it does not directly address the immediate vulnerability of default passwords before they are changed.

IIA Global Technology Audit Guide (GTAG) 16: Data Management and Security

IIA Standard 2110 – Governance: Recommends addressing IT security risks, including credential management.

IIA Practice Advisory 2130.A1-1: Internal auditors should assess whether management has identified, assessed, and mitigated IT security risks, such as weak authentication practices.

Step-by-Step Analysis:Relevant IIA References:

Recovery Point Objective (RPO) Defined:

RPO is the maximum amount of data loss an organization can tolerate before it significantly impacts business operations.

It determines how frequently backups should be performed to minimize data loss in the event of a system failure, cyberattack, or disaster.

For example: If an organization has an RPO of 4 hours, backups must be performed at least every 4 hours to ensure minimal data loss.

IIA GTAG on Business Continuity Management states that RPO should align with business risk tolerance and data criticality.

A. The maximum tolerable downtime after the occurrence of an incident. (Incorrect)

This defines the Recovery Time Objective (RTO), which refers to the time needed to restore operations.

RPO relates to data loss, not downtime.

C. The maximum tolerable risk related to the occurrence of an incident. (Incorrect)

Risk tolerance is a separate concept related to risk management strategies, not data recovery.

D. The minimum recovery resources needed after the occurrence of an incident. (Incorrect)

This refers to disaster recovery planning and resource allocation, not the specific metric of data loss tolerance.

Explanation of Incorrect Answers:Conclusion:The Recovery Point Objective (RPO) measures the maximum allowable data loss (Option B) before it significantly affects business continuity.

IIA References:

IIA GTAG - Business Continuity Management

IIA Standard 2120 - Risk Management

When an organization faces unexpected disruptions, such as the inability to receive raw materials due to a military conflict, it should have contingency plans in place to manage such risks.

Contingency Planning for Unforeseen Events (Correct Answer: C)

Contingency plans are designed to prepare for and respond to unexpected disruptions, such as supply chain failures, political instability, or natural disasters.

IIA Standard 2120 – Risk Management requires organizations to have business continuity and disaster recovery plans, which include contingencies for supply chain disruptions.

A well-prepared contingency plan could involve alternative suppliers, stockpiling critical materials, or adjusting production schedules.

Why the Other Options Are Incorrect:

A. Just-in-time (JIT) delivery plans (Incorrect)

JIT is a supply chain management strategy that minimizes inventory and relies on timely delivery.

While JIT increases efficiency, it is not a backup plan for unexpected disruptions.

In fact, JIT makes companies more vulnerable to supply chain interruptions.

B. Backup plans (Incorrect)

A backup plan generally refers to IT/data backup or system recovery strategies, not a comprehensive risk management approach for supply chain issues.

Contingency plans encompass broader business continuity strategies beyond simple backup plans.

D. Standing plans (Incorrect)

Standing plans are routine, long-term procedures for normal operations, such as HR policies or standard operating procedures.

They do not specifically address unexpected crises like supply chain failures due to war.

IIA Standard 2120 – Risk Management (Ensuring business continuity planning)

IIA Standard 2110 – Governance (Assessing organizational resilience strategies)

IIA Standard 2130 – Compliance (Evaluating regulatory and risk mitigation plans)

Step-by-Step Justification:IIA References for This Answer:Thus, the correct answer is C. Contingency plans, as they are specifically designed to address unexpected disruptions like supply chain failures due to military conflict.

When reviewing personal data consent and opt-in/opt-out management processes, internal auditors should focus on ensuring compliance with data protection regulations, such as the General Data Protection Regulation (GDPR) and other applicable data privacy laws. The most critical aspect is ensuring that personal data is processed strictly in line with the consent obtained from individuals.

Data Processing in Accordance with Consent (Correct Choice: B)

IIA Standard 2110 – Governance requires internal auditors to assess whether the organization has effective processes for ensuring compliance with laws and regulations, including data privacy obligations.

GDPR Article 5(1)(b) (Purpose Limitation Principle) mandates that personal data must be collected for specified, explicit, and legitimate purposes and must not be further processed in a manner incompatible with those purposes.

Internal auditors should verify that the organization adheres to this principle by ensuring that data is only used for the purpose for which consent was granted.

Why the Other Options Are Incorrect:

Option A: "Whether customers are asked to renew their consent for their data processing at least quarterly." (Incorrect)

GDPR does not mandate a quarterly renewal of consent. Instead, it requires that consent be freely given, specific, informed, and unambiguous. Periodic renewal may be advisable in some cases, but it is not a strict regulatory requirement.

IIA Standard 2120 – Risk Management requires auditors to evaluate compliance risk exposure, but excessive consent renewals could lead to inefficiencies without adding value.

Option C: "Whether the organization has established explicit and entitywide policies on data transfer to third parties." (Incorrect)

While data transfer policies are critical (as required under GDPR Articles 44-50 on international data transfers), they do not directly relate to the opt-in/opt-out process or consent management.

IIA Standard 2201 – Engagement Planning encourages reviewing policies, but the key focus should be on processing data according to the purpose of consent.

Option D: "Whether customers have an opportunity to opt-out the right to be forgotten from organizational records and systems." (Incorrect)

The right to be forgotten (GDPR Article 17) allows individuals to request data deletion, but it is not an opt-out feature in the traditional sense. Organizations must evaluate each request based on legal grounds before erasing data.

IIA Standard 2130 – Compliance requires verifying whether the organization ensures compliance with data privacy rights, but an opt-out for the right to be forgotten is not a primary audit focus.

IIA Standard 2110 – Governance (Ensuring regulatory compliance)

IIA Standard 2120 – Risk Management (Managing data privacy risks)

IIA Standard 2130 – Compliance (Reviewing legal obligations on personal data)

IIA Standard 2201 – Engagement Planning (Evaluating policies and controls)

GDPR Article 5(1)(b) – Purpose Limitation Principle (Processing data as per consent)

GDPR Articles 17, 44-50 (Data protection and right to be forgotten considerations)

Step-by-Step Justification for the Answer:IIA References for This Answer:Thus, Option B is the correct choice as it aligns with the purpose limitation principle and internal audit’s role in assessing compliance with data protection laws.

The best method to collect job satisfaction data is one that provides anonymous, broad, and consistent feedback while minimizing response bias. Online surveys are the most effective method because they allow employees to express their views freely and ensure statistical reliability in results.

Online Surveys (Correct Answer: A)

Online surveys allow anonymous responses, which encourage honest feedback without fear of retaliation.

Surveys can be distributed randomly, increasing representation and reducing bias.

They allow for large-scale data collection and quantitative analysis, which improves decision-making.

IIA Standard 2120 – Risk Management suggests that internal auditors evaluate employee engagement as part of organizational risk assessments.

Why the Other Options Are Incorrect:

B. Direct Onsite Observations (Incorrect)

Observation helps assess behavior, but it does not capture employees' emotions, satisfaction, or personal concerns effectively.

Employees may alter their behavior when being observed (Hawthorne Effect).

C. Town Hall Meetings (Incorrect)

Town halls encourage group discussion, but employees may be reluctant to share negative opinions publicly.

This format is not anonymous, which reduces the likelihood of honest feedback.

D. Face-to-Face Interviews (Incorrect)

While interviews provide detailed qualitative feedback, they are time-consuming and may not be scalable for large organizations.

Employees may hesitate to be fully honest due to potential supervisor influence.

IIA Standard 2120 – Risk Management (Assessing employee engagement and morale risks)

IIA Standard 2130 – Compliance (Ensuring ethical and employee engagement policies)

IIA Standard 2210 – Engagement Objectives (Using appropriate methodologies for employee feedback collection)

Step-by-Step Justification:IIA References for This Answer:Thus, the best answer is A. Online surveys sent randomly to employees because they ensure confidentiality, broad participation, and reliable data collection.

Understanding Financial Statements:

Income Statement (Option A) shows a company's revenues and expenses over a period but does not detail cash movements.

Owner's Equity Statement (Option B) tracks changes in the ownership interest but does not explain cash usage comprehensively.

Balance Sheet (Option C) provides a snapshot of financial position (assets, liabilities, and equity) at a given time, but not the flow of cash.

Statement of Cash Flows (Option D) details where cash comes from and how it is spent during a specific period, making it the best disclosure of money movement.

Why the Statement of Cash Flows is the Best Answer:

It categorizes cash flows into operating, investing, and financing activities to explain how cash is generated and utilized.

It is critical for assessing liquidity, solvency, and overall financial health.

Investors, auditors, and management use this statement to evaluate a company's ability to generate cash and meet obligations.

IIA Standard 2120 – Risk Management: Internal auditors assess financial risks, including cash management.

IIA GTAG (Global Technology Audit Guide) on Business Continuity and Liquidity: Emphasizes the importance of cash flow analysis for financial stability.

COSO’s Internal Control Framework: Highlights the role of financial reporting, including cash flows, in risk management.

Relevant IIA References:✅ Final Answer: Statement of Cash Flows (Option D).

Managerial accounting differs from financial accounting in that it focuses on internal decision-making, cost control, and performance evaluation based on predetermined standards. Unlike financial accounting, which follows GAAP (Generally Accepted Accounting Principles) for external reporting, managerial accounting sets internal benchmarks to guide operational efficiency and strategic planning.

Use of Predetermined Standards:

Managerial accounting often uses standard costing, budgets, and variance analysis to compare actual performance against pre-set benchmarks.

This helps management make data-driven decisions and improve efficiency.

Internal Decision-Making:

Managerial accounting reports are used by internal stakeholders (e.g., managers, executives) rather than external entities.

Control and Performance Measurement:

It focuses on variance analysis (actual vs. expected performance) to highlight areas requiring corrective action.

Not Governed by GAAP:

Unlike financial accounting, managerial accounting does not require compliance with GAAP or IFRS since it is meant for internal use only.

A. Managerial accounting uses double-entry accounting and cost data:

While cost data is relevant to managerial accounting, double-entry accounting is a fundamental principle of all accounting systems, including financial accounting.

B. Managerial accounting uses generally accepted accounting principles (GAAP):

GAAP is required for financial accounting (external reporting), but managerial accounting does not follow GAAP since it focuses on internal decision-making.

C. Managerial accounting involves decision making based on quantifiable economic events:

While managerial accounting analyzes economic data, its distinguishing feature is using predetermined standards to evaluate and improve performance, which makes Option D the best choice.

IIA Standard 2110 - Governance: Internal auditors should assess decision-making processes, including managerial accounting techniques.

IIA Standard 2120 - Risk Management: Cost control and budget variance analysis are key components of risk management.

COSO Framework - Performance Monitoring: Emphasizes variance analysis, which aligns with predetermined standards in managerial accounting.

Key Reasons Why Option D is Correct:Why Other Options Are Incorrect:IIA References:Thus, the correct answer is D. Managerial accounting involves decision making based on predetermined standards.

The cost principle (historical cost principle) states that assets should be recorded at their original purchase price, regardless of changes in market value.

Correct Answer (B - A Building Purchased Last Year for $1 Million Is Still Reported at $1 Million, Despite an Increase in Value)

Under the cost principle, assets remain recorded at their historical cost, not adjusted for market fluctuations.

The only exception is for certain financial instruments, such as trading securities, which are reported at fair market value.

The IIA Practice Guide: Auditing Financial Reporting and Accounting Estimates states that fixed assets (such as buildings) should be recorded at cost unless an impairment occurs.

Why Other Options Are Incorrect:

Option A (Trading and Investment Securities Reported at Market Cost):

Securities can be reported at market value, but this does not follow the cost principle, which applies to tangible assets.

Option C (Adjusting the Building's Value to $1.2 Million):

Violates the cost principle—historical cost does not change due to market appreciation.

Option D (Reporting Assets at Either Historical or Fair Value):

This is not the cost principle; it describes fair value accounting, which is different.

IIA Practice Guide: Auditing Financial Reporting and Accounting Estimates – Defines the cost principle and asset valuation rules.

Generally Accepted Accounting Principles (GAAP) – Requires fixed assets to be recorded at historical cost.

Step-by-Step Explanation:IIA References for Validation:Thus, B is the correct answer because the cost principle requires assets to be recorded at their original purchase price, regardless of market value changes.

A right-to-audit clause in a contract allows an organization to review and assess the operations, controls, and security measures of a third-party service provider (such as payroll service providers). Providing "read-only" functionalities supports this clause by enabling internal auditors to access and review relevant data without modifying it.

Read-only access allows auditors to verify transactions, data integrity, and compliance without affecting system operations.

This ensures that internal audit functions can review third-party controls without interference, supporting contractual audit rights.

The IIA’s Standard 2070 – External Service Provider Relationships states that organizations should retain the right to audit outsourced functions to ensure compliance with internal control policies.

B. This will enforce robust risk assessment practices → Incorrect. While read-only access can contribute to risk assessment, it does not directly enforce risk management policies.

C. This will address cybersecurity considerations and concerns. → Incorrect. Cybersecurity concerns involve encryption, authentication, and intrusion detection—not just read-only access.

D. This will enhance the third party's ability to apply data analytics → Incorrect. The request is for audit purposes, not to improve the third party’s analytics capabilities.

IIA’s Global Technology Audit Guide (GTAG) 7: IT Outsourcing recommends a right-to-audit clause in third-party agreements.

IIA Standard 1312 emphasizes that external audits should have transparent access to outsourced functions.

ISACA's COBIT Framework highlights the importance of audit access in managing third-party risks.

Why Option A is Correct?Explanation of the Other Options:IIA References & Best Practices:Thus, the correct answer is A. This will support execution of the right-to-audit clause.

 Understanding Resource Coordination in Project Management:

Resource coordination involves assigning and managing human, financial, and technological resources to ensure the project runs smoothly.

The Execution phase is when project plans are implemented, and resources are actively utilized.

 Why Execution?

During execution, the project manager must coordinate resources, monitor performance, and resolve conflicts to keep the project on track.

This phase involves managing teams, distributing tasks, and ensuring resources are used efficiently.

 Why Other Options Are Incorrect:

A. Initiation: Focuses on defining project objectives, scope, and feasibility but does not involve active resource coordination.

B. Planning: Deals with creating resource allocation plans but does not handle real-time coordination.

D. Monitoring: Involves tracking performance and making adjustments but does not actively assign or manage resources.

 IIA Standards and References:

IIA Practice Guide: Auditing Project Management (2020): Recommends evaluating resource management practices during the execution phase.

IIA Standard 2110 – Governance: Internal auditors should ensure project resources are managed effectively to achieve objectives.

PMBOK Guide – Project Resource Management: Specifies that resource coordination primarily happens in the execution phase.

When executive compensation is tied to financial results, there is a strong incentive to manipulate financial reporting or focus solely on short-term performance at the expense of stakeholders’ interests.

Potential for Unethical Behavior:

Executives may prioritize profit-driven decisions (e.g., cost-cutting, aggressive revenue recognition) over long-term sustainability.

As per IIA Standard 2110 – Governance, incentive structures should align with ethical business practices and stakeholder interests.

Increased Risk of Fraud and Misrepresentation:

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Fraud Risk Management Guide highlights how executive incentives can lead to financial statement manipulation.

This could result in actions like aggressive revenue recognition, improper expense deferrals, or overstating earnings to boost compensation.

Misalignment with Stakeholder Interests:

Employees, customers, and investors suffer if executive compensation encourages short-term gains over long-term stability.

IIA GTAG 3: Continuous Auditing supports monitoring financial reporting risks to detect such inconsistencies.

A. The organization reports inappropriate estimates and accruals due to poor accounting controls. (Incorrect)

Reason: While poor controls can contribute to misstatements, the root cause in this scenario is compensation structure, not control weakness.

B. The organization uses an unreliable process for gathering and reporting executive compensation data. (Incorrect)

Reason: This issue relates to HR and payroll data integrity, not the impact of performance-based compensation on behavior.

C. The organization experiences increasing discontent of employees, if executives are eligible for compensation amounts that are deemed unreasonable. (Incorrect)

Reason: While excessive executive pay may cause employee dissatisfaction, the question focuses on behavioral impacts on stakeholders, making D the more relevant choice.

IIA Standard 2110 – Governance – Ensures executive compensation aligns with organizational ethics and stakeholder interests.

IIA Standard 2120 – Risk Management – Covers the risks associated with incentive-based compensation.

COSO Fraud Risk Management Guide – Discusses financial fraud linked to executive compensation.

IIA GTAG 3: Continuous Auditing – Supports risk-based monitoring of financial statements.

Why is Answer D Correct?Analysis of Incorrect Answers:IIA References:Thus, the correct answer is D. The organization encourages employee behavior that is inconsistent with the interests of relevant stakeholders.

The organization suffered significant damage to its local file and application servers due to a hurricane but managed to recover all backed-up information through its overseas third-party contractor. This scenario highlights the management of data storage, backup, and recovery processes, which are critical components of data center management.

Definition of Data Center Management:

Data center management refers to the administration and control of data storage, backup, recovery, and overall infrastructure to ensure business continuity and disaster recovery (BC/DR).

As per the IIA’s Global Technology Audit Guide (GTAG) on Business Continuity Management (BCM), organizations must have robust backup strategies to mitigate risks from natural disasters.

Third-Party Backup and Recovery:

The fact that the organization recovered data from an overseas third-party contractor aligns with offsite data backup and disaster recovery planning, which falls under data center management.

According to IIA Practice Guide: Auditing Business Continuity and Disaster Recovery, organizations should store critical data at geographically dispersed locations to mitigate disaster risks.

Why Not Other Options?

A. Application Management – This pertains to managing software applications throughout their lifecycle but does not focus on disaster recovery.

C. Managed Security Services – While third-party security services protect against cyber threats, they do not specifically cover data backup and recovery.

D. Systems Integration – This deals with connecting different IT systems, not managing backup and recovery.

IIA GTAG (Global Technology Audit Guide) – Business Continuity Management

IIA Practice Guide: Auditing Business Continuity and Disaster Recovery

IIA Standard 2110 – Governance: Ensuring IT Governance Supports Business Continuity

Step-by-Step Justification:IIA References:Thus, the correct and verified answer is B. Data center management.

Understanding the Margin of Safety Concept:

Margin of Safety (MoS) measures how much sales can drop before the business reaches its break-even point.

It is calculated as: Margin of Safety Sales=Actual Sales−Break-even Sales\text{Margin of Safety Sales} = \text{Actual Sales} - \text{Break-even Sales}Margin of Safety Sales=Actual Sales−Break-even Sales

Applying the Formula:

Selling Price per Shirt: $8

Break-even Sales Volume: 25,000 shirts

Break-even Sales Value: 25,000×8=200,00025,000 \times 8 = 200,00025,000×8=200,000

Actual Sales Revenue: $300,000

Margin of Safety: 300,000−100,000=200,000300,000 - 100,000 = 200,000300,000−100,000=200,000

Why Option B ($200,000) Is Correct?

The margin of safety is the difference between actual and break-even sales.

The correct calculation confirms $200,000 as the margin of safety.

IIA Standard 2120 – Risk Management supports financial risk analysis, including break-even and margin of safety evaluations.

Why Other Options Are Incorrect?

Option A ($100,000): Incorrect subtraction.

Option C ($275,000): Incorrect calculation, not based on break-even sales.

Option D ($500,000): Irrelevant and exceeds actual sales.

The correct margin of safety is $200,000, calculated using standard break-even analysis.

IIA Standard 2120 emphasizes financial risk evaluation in decision-making.

Final Justification:IIA References:

IPPF Standard 2120 – Risk Management (Financial Performance & Cost Analysis)

COSO ERM – Financial Stability & Revenue Risk

Management Accounting Best Practices – Break-even & Margin of Safety Calculations