IIA-CIA-Part3 Exam Dumps - Internal Audit Function

Understanding Inventory Fraud Detection:

Inventory fraud typically involves overstatement or understatement of inventory, fictitious inventory transactions, or misappropriation of stock.

A key way to detect fraud is analyzing inventory adjustments (e.g., write-offs, missing stock, excess inventory) to identify unusual patterns or discrepancies.

Why Stratifying Inventory Adjustments by Warehouse is the Best Approach:

Identifies high-risk locations: Certain warehouses may show significantly higher inventory losses or adjustments, indicating possible fraud.

Detects manipulation: Fraudsters may manipulate inventory records to cover theft or misstatements.

Supports data-driven audit procedures: Stratification allows internal auditors to prioritize high-risk areas for deeper investigation.

Why Other Options Are Incorrect:

A. Analyze invoice payments just under individual authorization limits – Incorrect, as this technique detects fraudulent disbursements, not inventory fraud.

C. Analyze inventory invoice amounts and compare with approved contract amounts – Incorrect, as this method detects pricing or procurement fraud, not inventory manipulation.

D. Analyze differences discovered during duplicate payment testing – Incorrect, as this technique is used to detect billing fraud, not inventory fraud.

IIA’s Perspective on Fraud Detection and Internal Controls:

IIA Standard 2120 – Risk Management requires internal auditors to assess fraud risk, including inventory manipulation.

IIA GTAG (Global Technology Audit Guide) on Fraud Detection recommends data analytics for inventory monitoring.

COSO Internal Control Framework highlights inventory control as a key component of financial accuracy and fraud prevention.

IIA References:

IIA Standard 2120 – Risk Management & Fraud Detection

IIA GTAG – Data Analytics for Fraud Detection in Inventory

COSO Internal Control Framework – Inventory and Asset Management Controls

Thus, the correct and verified answer is B. Analyze stratification of inventory adjustments by warehouse location.

A QAIP includes both internal and external assessments. While internal assessments can be performed by audit staff or within the activity, external assessments must be conducted by a qualified, independent party outside of the internal audit activity.

Options B and C are the CAE’s responsibilities. Option D (internal assessments) is not independent and is part of routine quality control.

Understanding the Financing Section of a Cash Budget:

A cash budget is a financial plan that outlines expected cash inflows and outflows over a specific period.

The financing section records activities related to borrowing, repaying debt, issuing securities, and managing interest payments.

Why Debt and Interest Payments Belong in the Financing Section:

Debt repayment (principal and interest) is a financial activity rather than an operational or investing activity.

Companies must plan for financing costs to ensure liquidity and compliance with loan agreements.

Why Other Options Are Incorrect:

A. Collections from customers – Incorrect.

Customer payments belong in the operating section of the cash budget, as they represent core business activities.

B. Sale of securities – Incorrect.

The sale of securities is an investing activity unless related to issuing new debt or equity.

C. Purchase of trucks – Incorrect.

Buying trucks is a capital expenditure, which belongs in the investing section of the cash budget.

IIA’s Perspective on Financial Planning and Budgeting:

IIA Standard 2120 – Risk Management requires organizations to assess financial risks, including debt repayment obligations.

COSO ERM Framework highlights the importance of cash flow forecasting to maintain financial stability.

GAAP and IFRS Financial Reporting Standards classify debt repayment and interest under financing activities.

IIA References:

IIA Standard 2120 – Risk Management & Cash Flow Oversight

COSO ERM – Financial Planning and Liquidity Management

GAAP & IFRS – Cash Flow Statement Classifications

Thus, the correct and verified answer is D. Payment of debt, including interest.

Two-level (or multi-factor) authentication (MFA) is the most efficient and effective security control for authenticating customers when accessing online shopping accounts. It provides an extra layer of security beyond just passwords, making it more difficult for unauthorized users to gain access.

Stronger Authentication – It requires two independent verification methods, such as:

Something you know (password, PIN)

Something you have (one-time code, mobile device, smart card)

Something you are (biometric feature)

Reduces Risk of Credential Theft – Even if hackers obtain a user's password, they still need the second factor to gain access.

Meets Regulatory Standards – Many cybersecurity frameworks (NIST, ISO 27001, PCI-DSS) recommend or mandate MFA for customer authentication.

Enhanced Customer Trust – Provides users with better security, reducing risks of fraud or account takeovers.

A. 12-digit password feature – Longer passwords improve security, but they can still be compromised through phishing or brute force attacks.

B. Security question feature – These are often weak because users choose predictable answers (e.g., mother's maiden name).

C. Voice recognition feature – Biometric authentication is useful, but voice recognition can be bypassed using deepfake or recorded audio.

IIA’s GTAG (Global Technology Audit Guide) on Information Security Management – Recommends multi-factor authentication for access control.

IIA’s International Professional Practices Framework (IPPF) – Standard 2110.A2 – Highlights the need for strong security controls to protect customer data.

NIST SP 800-63 (Digital Identity Guidelines) – Encourages multi-factor authentication as a best practice for securing user accounts.

Why Two-Level Sign-On (MFA) Is the Best Choice?Why Not the Other Options?IIA References:✅ Final Answer: D. Two-level sign-on feature (Most effective for online customer authentication).

===============

A flat organizational structure is characterized by fewer hierarchical levels and wider spans of control, meaning that managers oversee a larger number of employees directly.

Definition of a Flat Structure:

A flat structure reduces middle management layers, promoting direct communication between top executives and employees.

According to IIA’s Organizational Governance Guidelines, organizations with a flat structure empower employees and reduce bureaucratic delays.

Key Characteristics of a Flat Structure:

Wide Span of Control: Managers oversee more employees due to fewer hierarchical levels.

Faster Decision-Making: Less bureaucracy allows for quicker responses.

Greater Employee Autonomy: Employees have more decision-making responsibilities.

Why Not Other Options?

A. The structure is dispersed geographically:

A geographically dispersed organization is not necessarily flat; it could be hierarchical or matrix-based.

B. The hierarchy levels are more numerous:

Flat structures have fewer levels, while tall structures have numerous levels.

D. The lower-level managers are encouraged to exercise creativity when solving problems:

While creativity may be encouraged, this is not a defining feature of a flat structure.

IIA Practice Guide: Organizational Governance

IIA Standard 2110 – Governance

Step-by-Step Justification:IIA References:Thus, the correct and verified answer is C. The span of control is wide.

Understanding Project Cost Overruns and Controls

Cost overruns occur when actual project costs exceed the budgeted or planned costs. Effective controls are required to prevent, detect, and correct deviations from the cost baseline.

The most effective way to control cost overruns is through continuous monitoring and comparison of project costs against the approved cost baseline.

Why Option D is Correct?

A formal process to monitor the project status and compare it to the cost baseline ensures that deviations are identified early and corrective actions are taken.

This aligns with the IIA's International Standards for the Professional Practice of Internal Auditing (IPPF), specifically:

Standard 2120 – Risk Management: Internal auditors must evaluate how organizations manage risks, including financial risks related to project cost overruns.

Standard 2500 – Monitoring Progress: Ensures that corrective actions are implemented when issues arise.

IIA Practice Advisory 2130-1: Stresses the importance of monitoring activities to mitigate financial risks.

The Project Management Body of Knowledge (PMBOK) also supports cost monitoring as a key control to prevent overruns.

Why Other Options Are Incorrect?

Option A: Reviewing and approving scope change requests is important, but it does not directly monitor or control cost overruns. Scope creep is a risk, but cost monitoring is a more direct control.

Option B: Having a control committee review overruns after they occur is a reactive measure. Proactive monitoring (option D) is more effective.

Option C: A quality assurance process for scope changes is valuable but does not directly prevent cost overruns. It focuses on project quality rather than financial control.

Effective internal controls for cost management emphasize real-time monitoring and comparison against the cost baseline to prevent and mitigate cost overruns.

IIA Standards 2120, 2500, and 2130-1 support proactive risk management and monitoring as essential best practices for internal auditors.

Final Justification:IIA References:

IPPF Standard 2120 – Risk Management

IPPF Standard 2500 – Monitoring Progress

IIA Practice Advisory 2130-1 – Internal Control and Risk Management

PMBOK – Cost Monitoring and Control

c

The four-level model for reviewing application controls follows a hierarchy:

Level 1 - Activity: Smallest unit of work within a process.

Level 2 - Subprocess: A collection of related activities that accomplish a part of the process.

Level 3 - Major Process: A significant business function consisting of multiple subprocesses.

Level 4 - Mega Process: The highest level, representing an end-to-end business process, often spanning multiple departments or systems.

Mega processes encompass entire business functions (e.g., order-to-cash or procure-to-pay cycles).

They involve multiple major processes and provide a high-level perspective on business operations.

At level 4, the focus is on strategic alignment of IT application controls with enterprise-wide objectives.

A. Activity – Too detailed and only represents individual tasks.

B. Subprocess – A subset of a major process, not a high-level business function.

C. Major Process – A significant function but not the highest-level view.

IIA’s GTAG on Business Process Controls – Recommends a hierarchical review model to assess IT application controls.

COBIT 2019 (Governance and Management of IT) – Defines mega processes as enterprise-wide workflows.

ISO 27001 Annex A.12 (Operational Security) – Highlights process-based security in IT controls.

Why "Mega Process" is the Correct Answer?Why Not the Other Options?IIA References:✅ Final Answer: D. Mega process.

A risk and control questionnaire (RCQ) is used during preliminary surveys to help the auditor ascertain the existence of controls in a specific process or program. It provides structured information about which controls are in place, which are missing, and how they are applied.

Option A refers to reconciliation, which is not the main purpose. Option C (testimonial information) suggests reliance on management statements, which is weaker than structured control identification. Option D involves external confirmation, which goes beyond the RCQ’s purpose.