IIA-CIA-Part3 Exam Dumps - Business Knowledge for Internal Auditing
Which of the following types of date analytics would be used by a hospital to determine which patients are likely to require remittance for additional treatment?
Predictive analytics.
Prescriptive analytics.
Descriptive analytics.
Diagnostic analytics.
Answer:
Explanation:
Definition of Predictive Analytics:
Predictive analytics uses historical data, machine learning, and statistical algorithms to forecast future outcomes.
In the healthcare sector, it is used to predict patient readmission rates and identify those at high risk of needing additional treatment.
How Predictive Analytics Applies to Hospitals:
Hospitals analyze patient histories, symptoms, treatments, and recovery rates to determine the likelihood of readmission.
Predictive models help healthcare providers take proactive measures, such as tailored post-discharge care plans, to reduce readmission risks.
This leads to better patient outcomes and cost savings.
Why Other Options Are Incorrect:
B. Prescriptive analytics:
Prescriptive analytics goes beyond prediction and provides recommendations for action. In this case, the hospital is only determining which patients are likely to require additional treatment, not recommending treatments.
C. Descriptive analytics:
Descriptive analytics focuses on summarizing past data without making predictions. It would be used to report on past patient admissions but not to predict future readmissions.
D. Diagnostic analytics:
Diagnostic analytics analyzes the causes of past events but does not forecast future patient readmissions.
IIA’s Perspective on Data Analytics in Decision-Making:
IIA GTAG (Global Technology Audit Guide) on Data Analytics emphasizes the role of predictive analytics in risk assessment and operational efficiency.
COSO ERM Framework supports predictive modeling as part of strategic risk management.
IIA References:
IIA GTAG – Data Analytics in Risk Management
COSO Enterprise Risk Management (ERM) Framework
NIST Big Data Framework for Predictive Analytics
According to lIA guidance on IT, which of the following plans would pair the identification of critical business processes with recovery time objectives?
The business continuity management charter.
The business continuity risk assessment plan.
The business Impact analysis plan
The business case for business continuity planning
Answer:
Explanation:
The Business Impact Analysis (BIA) plan is a key component of business continuity planning that identifies critical business processes and determines their Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
Correct Answer (C - Business Impact Analysis Plan)
The BIA is a systematic process that identifies essential functions, assesses potential disruptions, and determines the recovery time requirements to ensure business continuity.
The Recovery Time Objective (RTO) defines the maximum acceptable downtime for critical business functions.
The Recovery Point Objective (RPO) identifies how much data loss is tolerable.
According to the IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management, a BIA is essential for assessing the financial, operational, and reputational impact of disruptions.
Why Other Options Are Incorrect:
Option A (Business Continuity Management Charter):
A charter defines the governance, responsibilities, and overall framework of business continuity but does not focus on RTOs or critical business processes.
Option B (Business Continuity Risk Assessment Plan):
A risk assessment identifies threats and vulnerabilities but does not define recovery time objectives.
While risk assessments inform the BIA, they do not replace it.
Option D (Business Case for Business Continuity Planning):
A business case justifies investment in continuity planning but does not map business processes to RTOs.
GTAG 10: Business Continuity Management – Defines BIA as the process for identifying critical business functions and their RTOs.
IIA Practice Guide: Auditing Business Continuity – Emphasizes the role of BIA in business resilience.
Step-by-Step Explanation:IIA References for Validation:Thus, the Business Impact Analysis (BIA) Plan (C) is the correct answer because it pairs critical business processes with recovery time objectives.
An internal auditor found the following information while reviewing the monthly financial siatements for a wholesaler of safety
The cost of goods sold was reported at $8,500. Which of the following inventory methods was used to derive this value?
Average cost method
First-in, first-out (FIFO) method
Specific identification method
Activity-based costing method
Answer:
Explanation:
To determine which inventory method was used, we calculate the cost of goods sold (COGS) under different inventory valuation methods.
Opening Inventory: 1,000 units @ $2 each = $2,000
Purchased: 5,000 units @ $3 each = $15,000
Total Inventory: 6,000 units
Units Sold: 3,000 at $7 per unit
Reported COGS: $8,500
Given Data:FIFO Calculation:FIFO (First-In, First-Out) assumes that the oldest inventory is sold first.
1,000 units from opening inventory @ $2 = $2,000
2,000 units from purchases @ $3 = $6,000
Total COGS under FIFO: $2,000 + $6,000 = $8,000
Average Cost Calculation:Average cost per unit =
Total Cost of InventoryTotal Units=(2,000+15,000)6,000=17,0006,000=2.83 per unit\frac{\text{Total Cost of Inventory}}{\text{Total Units}} = \frac{(2,000 + 15,000)}{6,000} = \frac{17,000}{6,000} = 2.83 \text{ per unit}Total UnitsTotal Cost of Inventory​=6,000(2,000+15,000)​=6,00017,000​=2.83 per unit
COGS using average cost method: 3,000×2.83=8,4903,000 \times 2.83 = 8,4903,000×2.83=8,490 This is not an exact match to the reported COGS of $8,500.
Since the closest method to the reported value is FIFO ($8,000 vs. $8,500 reported COGS, accounting for possible rounding errors or additional costs), FIFO is the most likely method used.
(A) Average cost method. ⌠Incorrect. The calculated COGS using the weighted average method was $8,490, which does not match exactly with the reported COGS of $8,500.
(B) First-in, first-out (FIFO) method. ✅ Correct. The FIFO method yielded $8,000, which is the closest match to the reported COGS. Minor rounding adjustments or other expenses could explain the difference of $500.
(C) Specific identification method. ⌠Incorrect. This method applies when each inventory item is individually tracked, which is not mentioned in the question.
(D) Activity-based costing method. ⌠Incorrect. Activity-based costing (ABC) is used for overhead allocation and is not a primary inventory valuation method.
IIA GTAG – "Auditing Inventory Management"
IIA Standard 2130 – Control Activities (Inventory and Costing Methods)
GAAP and IFRS – FIFO, Weighted Average, and Specific Identification Methods
Analysis of Answer Choices:IIA References:Thus, the correct answer is B (FIFO method) because it provides the closest cost match to the reported COGS.
An Internal auditor is using data analytics to focus on high-risk areas during an engagement. The auditor has obtained data and is working to eliminate redundancies in the data. Which of the following statements is true regarding this scenario?
The auditor is normalizing data in preparation for analyzing it.
The auditor is analyzing the data in preparation for communicating the results,
The auditor is cleaning the data in preparation for determining which processes may be involves .
The auditor is reviewing trio data prior to defining the question
Answer:
Explanation:
In data analytics, cleaning the data is a crucial step where the auditor eliminates redundancies, corrects inconsistencies, and removes errors to ensure accurate analysis. This step is taken before analyzing the data to identify high-risk areas and relevant processes.
Correct Answer (C - Cleaning the Data in Preparation for Determining Involved Processes)
Data cleaning involves:
Removing duplicate entries to prevent misinterpretation.
Standardizing data formats for consistency.
Handling missing or inaccurate values to ensure reliability.
This step prepares the data for analysis and identification of high-risk processes.
The IIA’s GTAG 16: Data Analysis Technologies emphasizes data cleaning as a critical part of internal audit analytics.
Why Other Options Are Incorrect:
Option A (Normalizing data in preparation for analyzing it):
Normalization refers to structuring data efficiently (e.g., in databases) but does not necessarily involve eliminating redundancies in the way described.
Option B (Analyzing data in preparation for communicating results):
The auditor is still in the data preparation phase, not the analysis or reporting phase.
Option D (Reviewing data prior to defining the question):
The auditor is already working with data. Defining questions typically happens before data collection.
GTAG 16: Data Analysis Technologies – Covers data preparation, cleaning, and analytics in internal auditing.
IIA Practice Guide: Data Analytics in Internal Auditing – Outlines best practices for data validation and cleaning.
Step-by-Step Explanation:IIA References for Validation:Thus, cleaning the data (C) is the correct answer, as it ensures data integrity before identifying relevant processes and risks.
Which of the following purchasing scenarios would gain the greatest benefit from implementing electronic cate interchange?
A just-in-time purchasing environment
A Large volume of custom purchases
A variable volume sensitive to material cost
A currently inefficient purchasing process
Answer:
Explanation:
Electronic Data Interchange (EDI) is a system that allows businesses to exchange documents (purchase orders, invoices, shipping notices) electronically, improving efficiency and accuracy.
Correct Answer (A - A Just-in-Time Purchasing Environment)
Just-in-time (JIT) purchasing requires real-time inventory management to reduce waste and costs.
EDI improves JIT by automating purchase orders, reducing lead times, and preventing stockouts.
The IIA GTAG 8: Audit of Inventory Management highlights that JIT purchasing benefits the most from automation through EDI.
Why Other Options Are Incorrect:
Option B (A large volume of custom purchases):
Custom purchases vary significantly in specifications, making standard EDI transactions less effective.
Option C (A variable volume sensitive to material cost):
While EDI helps with volume fluctuations, cost-sensitive purchasing requires additional financial analysis beyond EDI automation.
Option D (A currently inefficient purchasing process):
EDI improves efficiency, but implementing it in a failing process without first optimizing procedures could lead to automation of inefficiencies.
IIA GTAG 8: Audit of Inventory Management – Discusses automation benefits in JIT purchasing.
IIA Practice Guide: Auditing IT Controls – Covers EDI as a key tool for procurement efficiency.
Step-by-Step Explanation:IIA References for Validation:Thus, the greatest benefit from EDI is in a Just-in-Time (JIT) purchasing environment (A).
Which of the following bring-your-own-device (BYOD) practices is likely to increase the risk of Infringement on local regulations, such as copyright or privacy laws?
Not installing anti-malware software
Updating operating software in a haphazard manner,
Applying a weak password for access to a mobile device.
JoIIbreaking a locked smart device
Answer:
Explanation:
Understanding BYOD Risks and Legal Implications
Bring-your-own-device (BYOD) policies allow employees to use personal devices for work, but they introduce compliance risks.
Jailbreaking is the process of bypassing manufacturer-imposed security restrictions on a device (e.g., iPhones or Android devices).
This significantly increases the risk of privacy law violations, copyright infringements, and security breaches.
Why Option D is Correct?
Jailbreaking allows users to:
Install unauthorized software, which may violate software licensing agreements and copyright laws.
Remove security restrictions, increasing exposure to data breaches, malware, and non-compliance with privacy regulations (e.g., GDPR, HIPAA, or CCPA).
Bypass digital rights management (DRM), leading to potential copyright infringement issues.
IIA Standard 2110 – Governance mandates that internal auditors evaluate IT risks, including legal compliance related to mobile device usage.
ISO 27001 – Information Security Management also highlights the risks of unapproved software on enterprise devices.
Why Other Options Are Incorrect?
Option A (Not installing anti-malware software):
While a security risk, this primarily exposes devices to cyber threats rather than directly causing regulatory infringements.
Option B (Updating operating software in a haphazard manner):
Irregular updates pose security risks, but they do not directly violate copyright or privacy laws.
Option C (Applying a weak password):
Weak passwords increase security risks, but they do not inherently cause regulatory infringements like jailbreaking does.
Jailbreaking increases risks of copyright infringement (through unauthorized apps) and privacy violations (by removing security controls).
IIA Standard 2110 and ISO 27001 emphasize legal and regulatory compliance in IT security audits.
Final Justification:IIA References:
IPPF Standard 2110 – Governance (IT & Legal Compliance Risks)
ISO 27001 – Information Security Compliance
GDPR, HIPAA, and CCPA – Privacy Law Considerations for BYOD
Which of the following scenarios best illustrates a spear phishing attack?
Numerous and consistent attacks on the company's website caused the server to crash and service was disrupted.
A person posing as a representative of the company’s IT help desk called several employees and played a generic prerecorded message requesting password data.
A person received a personalized email regarding a golf membership renewal, and he click a hyperlink to enter his credit card data into a fake website
Many users of a social network service received fake notifications of e unique opportunity to invest in a new product.
Answer:
Explanation:
Understanding Spear Phishing Attacks:
Spear phishing is a targeted cyberattack where attackers send personalized emails to trick individuals into providing sensitive data (e.g., passwords, financial information).
Unlike regular phishing, which casts a wide net, spear phishing is highly customized and often appears to come from a trusted source.
Why Option C Is Correct?
The scenario describes a highly personalized email (related to a golf membership) that tricks the recipient into clicking a malicious hyperlink and entering sensitive data.
This matches the definition of a spear phishing attack, where an attacker tailors a scam specifically for an individual.
IIA GTAG 16 – Data Analytics and ISO 27001 emphasize the need for security awareness training to mitigate such threats.
Why Other Options Are Incorrect?
Option A (Website attack causing a server crash):
This describes a Denial-of-Service (DoS) attack, not spear phishing.
Option B (Generic recorded message requesting password data):
This is vishing (voice phishing), not spear phishing. Spear phishing relies on personalized emails.
Option D (Fake social media investment opportunity):
This describes mass phishing, which targets multiple users, unlike spear phishing, which is highly targeted.
Spear phishing is a targeted attack that uses personal details to deceive individuals, making option C the best choice.
IIA GTAG 16 and ISO 27001 emphasize cybersecurity awareness to prevent such attacks.
Final Justification:IIA References:
IIA GTAG 16 – Data Analytics in Cybersecurity Audits
ISO 27001 – Cybersecurity Best Practices
NIST SP 800-61 – Incident Response Guidelines for Phishing Attacks
Which of the following techniques would best detect on inventory fraud scheme?
Analyze invoice payments just under individual authorization limits.
Analyze stratification of inventory adjustments by warehouse location.
Analyze Inventory Invoice amounts and compare with approved contract amounts.
Analyze differences discovered curing duplicate payment testing.
Answer:
Explanation:
Understanding Inventory Fraud Detection:
Inventory fraud typically involves overstatement or understatement of inventory, fictitious inventory transactions, or misappropriation of stock.
A key way to detect fraud is analyzing inventory adjustments (e.g., write-offs, missing stock, excess inventory) to identify unusual patterns or discrepancies.
Why Stratifying Inventory Adjustments by Warehouse is the Best Approach:
Identifies high-risk locations: Certain warehouses may show significantly higher inventory losses or adjustments, indicating possible fraud.
Detects manipulation: Fraudsters may manipulate inventory records to cover theft or misstatements.
Supports data-driven audit procedures: Stratification allows internal auditors to prioritize high-risk areas for deeper investigation.
Why Other Options Are Incorrect:
A. Analyze invoice payments just under individual authorization limits – Incorrect, as this technique detects fraudulent disbursements, not inventory fraud.
C. Analyze inventory invoice amounts and compare with approved contract amounts – Incorrect, as this method detects pricing or procurement fraud, not inventory manipulation.
D. Analyze differences discovered during duplicate payment testing – Incorrect, as this technique is used to detect billing fraud, not inventory fraud.
IIA’s Perspective on Fraud Detection and Internal Controls:
IIA Standard 2120 – Risk Management requires internal auditors to assess fraud risk, including inventory manipulation.
IIA GTAG (Global Technology Audit Guide) on Fraud Detection recommends data analytics for inventory monitoring.
COSO Internal Control Framework highlights inventory control as a key component of financial accuracy and fraud prevention.
IIA References:
IIA Standard 2120 – Risk Management & Fraud Detection
IIA GTAG – Data Analytics for Fraud Detection in Inventory
COSO Internal Control Framework – Inventory and Asset Management Controls
Thus, the correct and verified answer is B. Analyze stratification of inventory adjustments by warehouse location.