IIA-CIA-Part3 Exam Dumps - Internal Audit Function

Two-factor authentication (2FA) enhances security by requiring two different authentication factors from the following categories:

Something you know (e.g., password, PIN)

Something you have (e.g., smart card, key fob)

Something you are (e.g., fingerprint, facial recognition)

The combination of a fingerprint (biometric authentication) and a PIN (knowledge-based authentication) satisfies two-factor authentication requirements.

A. The user's facial geometry and voice recognition – Incorrect. Both are biometric factors (something you are), meaning this is single-factor authentication.

B. The user's password and a separate passphrase – Incorrect. Both are knowledge-based factors (something you know), making this single-factor authentication.

C. The user's key fob and a smart card – Incorrect. Both are possession-based factors (something you have), meaning this is not true two-factor authentication.

D. The user's fingerprint and a personal identification number (PIN) (Correct Answer) – This combines biometric authentication (fingerprint) with knowledge-based authentication (PIN), fulfilling two-factor authentication.

IIA GTAG 15 – Information Security Governance emphasizes multi-factor authentication as a key security control.

NIST SP 800-63B – Digital Identity Guidelines defines two-factor authentication as requiring two distinct categories of authentication.

COBIT 2019 – DSS05 (Managed Security Services) highlights 2FA as a best practice for access control.

Explanation of Each Option:IIA References:

Comprehensive and Detailed In-Depth Explanation:

The Internal Rate of Return (IRR) is the discount rate that makes the net present value (NPV) of a project equal to zero. It is used to evaluate the profitability of investments.

Option A (Annual cost of capital) – While related, the IRR should be compared directly to the required rate of return (hurdle rate).

Option B (Annual interest rate) – Not always relevant, as the cost of borrowing may differ from the required return on investments.

Option D (Compare to NPV) – NPV is a different method of capital budgeting; while related, it is not used for direct comparison with IRR.

Since the IRR is accepted if it meets or exceeds the required rate of return, Option C is correct.

When internal audit identifies a serious issue, the CAE must first discuss the matter with management to confirm facts and obtain explanations. If the issue remains unresolved or poses unacceptable risk, it is then escalated to senior management, the board, and regulators as required. Direct reporting to regulators (Option C) or the audit committee (Option D) without first engaging management bypasses proper escalation. Option A (ongoing monitoring) delays action on a compliance breach.

Even when outsourcing the internal audit function, the organization retains responsibility for ensuring the internal audit activity complies with the Standards. This includes maintaining a QAIP to assess effectiveness and quality. The provider executes the function, but the CAE and the organization’s oversight bodies remain accountable for quality.

Options B and C are incorrect since internal and external assessments may be performed by the provider, but ultimate responsibility rests with the organization. Option D (postponement) would violate the Standards.

Effective change management ensures that IT changes (such as software updates, system modifications, or infrastructure upgrades) are well-controlled, minimizing disruptions. Poor change management leads to instability, inefficiencies, and operational risks.

Unplanned Downtime (2) – Indicates that changes are being implemented without proper testing or failover planning, disrupting business operations.

Excessive Troubleshooting (3) – Suggests that changes are causing recurring issues, leading to increased workload for IT support teams.

Unavailability of Critical Services (4) – Highlights that change-related failures are affecting essential business functions, indicating improper risk assessment.

While inadequate control design is a general IT risk, it is not a direct indicator of poor change management. Instead, it relates more to weaknesses in IT governance and security frameworks.

IIA’s GTAG (Global Technology Audit Guide) on Change Management – Identifies unplanned downtime, excessive troubleshooting, and service unavailability as key red flags of poor change management.

COBIT 2019 (Governance and Management of IT) – Emphasizes structured change management to minimize disruptions.

ITIL Change Management Framework – Highlights these issues as symptoms of ineffective change control.

Why 2, 3, and 4 Are Indicators of Poor Change Management?Why Not Option 1 (Inadequate Control Design)?IIA References:✅ Final Answer: D. 2, 3, and 4 only.

Comprehensive and Detailed In-Depth Explanation:

Two key management principles apply to both hierarchical and open organizational structures:

Delegation of authority, but not responsibility (Principle 1) – Managers can delegate tasks but remain accountable for outcomes.

Authority must accompany responsibility (Principle 3) – Employees must have the authority to act in accordance with their responsibilities to be effective.

Option 2 (Span of control should not exceed seven subordinates) is not a universal rule, as span of control varies by industry and organization.

Option 4 (Employees should be empowered at all levels) is more applicable to open structures but not a core principle of hierarchical organizations.

Thus, the correct answer is A (1 and 3 only).