IIA-CIA-Part3 Exam Dumps - Internal Audit Function

The auditor’s responsibility does not end with reporting a control deficiency. The CAE must monitor progress and follow up periodically with management to confirm whether corrective actions have been implemented.

Option A stops at documentation and fails to ensure corrective action. Option C incorrectly assumes no further audit is needed. Option D assigns management’s responsibility to the auditor, which would impair independence.

Detecting an inventory fraud scheme requires analyzing patterns of inventory adjustments, particularly across different locations. Fraudulent activities often involve unauthorized write-offs, stock transfers, or misstatements of inventory levels.

(A) Analyze invoice payments just under individual authorization limits.

Incorrect: This technique is useful for detecting procurement fraud or invoice splitting, but not directly related to inventory fraud.

(B) Analyze stratification of inventory adjustments by warehouse location. (Correct Answer)

Fraudulent inventory write-offs often occur in specific warehouses or locations where controls are weak.

Stratifying inventory adjustments helps identify abnormal patterns, such as excessive losses in one location.

IIA Standard 2120 (Risk Management) recommends data analytics and trend analysis to detect anomalies.

COSO ERM – Control Activities emphasizes monitoring and review of inventory adjustments to prevent fraud.

(C) Analyze inventory invoice amounts and compare with approved contract amounts.

Incorrect: This technique is effective for detecting overbilling or procurement fraud, but not inventory fraud, which involves physical stock manipulation.

(D) Analyze differences discovered during duplicate payment testing.

Incorrect: Duplicate payment testing helps uncover billing fraud, not inventory fraud.

IIA Standard 2120 – Risk Management: Encourages fraud detection through trend analysis and data monitoring.

IIA Practice Guide – Auditing Inventory Management: Suggests stratification of inventory adjustments to identify fraud.

COSO ERM – Control Activities: Recommends monitoring inventory transactions to prevent fraud.

Analysis of Each Option:IIA References Supporting the Answer:Thus, the correct answer is (B) because analyzing stratification of inventory adjustments by warehouse location helps detect irregular patterns indicative of fraud.

Comprehensive and Detailed In-Depth Explanation:

A favorable labor efficiency variance (Option 1) occurs because experienced workers complete tasks more efficiently, reducing time and waste.

An adverse labor rate variance (Option 2) arises because hiring experienced employees increases labor costs compared to budgeted rates.

Option 3 (Adverse labor efficiency variance) is incorrect because skilled workers typically improve efficiency.

Option 4 (Favorable labor rate variance) is incorrect because higher wages increase costs, leading to an adverse variance.

Thus, the correct answer is A (1 and 2 only).

A globalization strategy focuses on delivering standardized products and marketing campaigns across multiple international markets with minimal local customization. This approach ensures brand consistency and cost efficiencies while targeting a broad audience.

(A) Export strategy.

Incorrect. An export strategy refers to selling domestic products overseas without significant marketing adaptation. It does not involve a unique advertising campaign tailored for global markets.

(B) Transnational strategy.

Incorrect. A transnational strategy balances global efficiency with local responsiveness, meaning advertising campaigns would be adapted based on regional preferences rather than being uniform across all markets.

(C) Multi-domestic strategy.

Incorrect. A multi-domestic strategy involves customizing products and marketing approaches for each local market. This is the opposite of a standardized advertising campaign.

(D) Globalization strategy. ✅

Correct. A globalization strategy implements a standardized marketing approach to maintain a consistent brand message across all markets while reducing costs.

Example: Companies like Apple, Coca-Cola, and Nike use globalized advertising to promote identical products across different countries.

IIA Standard 2110 – Governance emphasizes the need for alignment between business strategy and risk management, which includes global marketing decisions.

IIA Standard 2110 – Governance

COSO Framework – Strategic Risk Management

IIA GTAG – "Auditing Business Strategy Alignment"

Analysis of Answer Choices:IIA References:Thus, the correct answer is D, as a globalization strategy effectively supports a uniform advertising campaign for identical products across multiple markets.

To ensure security when employees use their own smart devices to access organizational applications, the best approach is to allow only pre-approved devices that meet the organization’s security standards.

Device Security & Compliance: Approved devices are verified for security measures like encryption, mobile device management (MDM), and antivirus protection.

Risk Management: Restricting access to pre-approved devices reduces the risk of malware, unauthorized access, and vulnerabilities.

IT Control & Monitoring: IT can enforce security updates, compliance policies, and access control mechanisms on pre-approved devices.

Option A (Using a jailbroken or rooted smart device feature): Jailbroken or rooted devices remove security protections and create severe security vulnerabilities.

Option C (Obtaining written assurance from the employee that security policies and procedures are followed): Written assurances alone are not a security measure; technical controls must be enforced.

Option D (Introducing a security question known only by the employee): Security questions are weak authentication measures and do not verify the legitimacy of a device.

IIA's GTAG on Information Security Management stresses the importance of device security and requiring IT-approved devices.

NIST Special Publication 800-124 (referenced in IIA’s IT Audit Guidance) highlights best practices for securing mobile devices in an enterprise setting, recommending pre-approved devices.

Why Option B is Correct:Why Other Options Are Incorrect:IIA References:Thus, the most appropriate answer is B. Using only smart devices previously approved by the organization.

The described situation is a classic social engineering attack, specifically a phishing or CEO fraud (business email compromise) attempt. Social engineering exploits human psychology rather than technical vulnerabilities. In this case, the attacker attempted to impersonate the CEO and trick the board member into making an unauthorized payment.

(A) Incorrect – A risk of spyware and malware.

Spyware and malware typically involve malicious software installed on a device, which is not the case here.

This attack relied on deception rather than malware to obtain unauthorized funds.

(B) Incorrect – A risk of corporate espionage.

Corporate espionage involves unauthorized data theft, sabotage, or insider threats.

The attacker here attempted financial fraud, not intellectual property theft.

(C) Incorrect – A ransomware attack risk.

Ransomware encrypts files and demands payment for decryption.

There is no mention of system encryption or ransom demands in this case.

(D) Correct – A social engineering risk.

The attacker impersonated the CEO and used urgency to manipulate the board member into processing a fraudulent payment.

This technique is a business email compromise (BEC) scam, a well-known social engineering tactic.

IIA’s GTAG (Global Technology Audit Guide) – Cybersecurity Risks and Controls

Discusses social engineering and its impact on financial fraud.

NIST Cybersecurity Framework – Social Engineering Threats

Defines social engineering tactics, including email impersonation and phishing.

COBIT Framework – Information Security Governance

Recommends controls to mitigate social engineering risks, such as employee training and email authentication mechanisms.

Analysis of Answer Choices:IIA References and Internal Auditing Standards:

Change management is a structured approach to transitioning individuals, teams, and organizations from a current state to a desired future state while minimizing risk and disruption.

Definition of Change Management:

Change management ensures that all modifications to IT systems, processes, and applications are controlled and documented.

As per the IIA GTAG on Change Management, an effective change management process should be repeatable, defined, and predictable to reduce errors and system failures.

Why Change Management Must Be Structured?

Uncontrolled changes increase risks such as security vulnerabilities, data loss, and system downtime.

Best practices (e.g., ITIL, COBIT) require organizations to follow a consistent change management process to protect the production environment.

A structured approach includes:

Documenting change requests

Testing in non-production environments

Gaining approvals before deployment

Why Not Other Options?

A. The degree of risk associated with a proposed change determines whether the change request requires authorization:

All changes should require authorization, not just high-risk ones.

B. Program changes generally are developed and tested in the production environment:

Changes should never be tested in production due to risk exposure. Best practice is to test in a development or staging environment first.

C. Changes are only required by software programs:

Change management applies broadly to IT infrastructure, business processes, security protocols, and governance frameworks, not just software.

IIA GTAG – Change Management Controls

COBIT 2019 – Change Management Best Practices

ITIL Change Management Framework

IIA Standard 2120 – Risk Management

Step-by-Step Justification:IIA References:Thus, the correct and verified answer is D. To protect the production environment, changes must be managed in a repeatable, defined, and predictable manner.

Depreciation is the systematic allocation of an asset’s cost over its useful life. It reflects how much of the asset’s value is used up in each accounting period.

Spreads Cost Over Time – Instead of expensing the total cost immediately, depreciation distributes it across multiple periods.

Matches Expenses with Revenue – Ensures that the cost of long-term assets is allocated in the periods they generate revenue.

Required for Financial Reporting – Compliance with GAAP and IFRS requires proper allocation of asset costs.

B. It is a process of asset valuation – Incorrect because depreciation does not determine market value; it only spreads cost over time.

C. It is a process of accumulating adequate funds to replace assets – Incorrect because depreciation is an accounting concept, not a savings mechanism.

D. It is a process of measuring decline in the value of assets because of obsolescence – Incorrect because depreciation allocates cost, not necessarily measuring value decline (which is impairment).

IIA’s GTAG on Financial Controls and Reporting – Defines depreciation as a cost allocation method.

International Financial Reporting Standards (IFRS 16) & US GAAP (ASC 360) – State that depreciation is used to allocate asset costs over time.

COSO’s Internal Control Framework – Covers accounting treatments for fixed assets.

Why Depreciation is an Allocation Process?Why Not the Other Options?IIA References:✅ Final Answer: A. It is a process of allocating cost of assets between periods.