IIA-CIA-Part3-CN Exam Question 86
According to Herzberg's two-factor theory of motivation, which of the following factors do satisfied employees most often cite?
Correct Answer: B
Comprehensive and Detailed In-Depth Explanation:
Herzberg's Two-Factor Theory identifies:
Motivators (Intrinsic factors) - Lead to job satisfaction (e.g., responsibility, recognition, growth).
Hygiene factors (Extrinsic factors) - Prevent dissatisfaction but do not create motivation (e.g., salary, work conditions).
Option A (Salary and status) - Hygiene factors that prevent dissatisfaction but do not drive motivation.
Option C (Work conditions and security) - Also hygiene factors, not motivators.
Option D (Peer relationships and personal life) - Affect job satisfaction indirectly, but are not primary motivators.
Since responsibility and advancement directly drive motivation, Option B is correct.
Reference: IIA Human Resource Management - Employee Motivation Theories
IIA-CIA-Part3-CN Exam Question 87
Which of the following is a disadvantage of a centralized organizational structure?
Correct Answer: B
A centralized organizational structure concentrates decision-making authority at the top levels of management. While this ensures control and consistency, it can lead to slower decision-making due to the need for approvals from higher levels.
Let's analyze each option:
Option A: Communication conflicts.
Incorrect.
Centralized structures generally have clear lines of authority and communication, reducing conflicts.
Communication conflicts are more common in decentralized structures where multiple decision-makers exist.
Option B: Slower decision making.
Correct.
Since all decisions must pass through top management, it delays responses to market changes and reduces flexibility.
Lower-level employees have less authority to make operational decisions, leading to bottlenecks.
IIA Reference: Internal auditors assess organizational governance, including decision-making efficiency in centralized vs. decentralized structures. (IIA Practice Guide: Organizational Governance)
Option C: Loss of economies of scale.
Incorrect.
Centralization improves economies of scale by standardizing processes and consolidating resources.
Decentralization (not centralization) is more likely to lead to duplication of efforts and a loss of economies of scale.
Option D: Vulnerabilities in sharing knowledge.
Incorrect.
Centralized organizations tend to have structured knowledge-sharing frameworks, such as standardized policies and corporate training programs.
IIA-CIA-Part3-CN Exam Question 88
An internal auditor at a pharmaceutical company is responsible for planning a cybersecurity audit and performing a risk assessment. Which of the following is considered the most significant cyber threat to the organization?
Correct Answer: B
When conducting a cybersecurity risk assessment, an internal auditor must evaluate the most significant threats based on their potential impact on the organization. In the pharmaceutical industry, intellectual property (IP), such as research and development (R&D) data, is one of the most valuable and sensitive assets.
Analysis of Each Option:
(A) Cybercriminals hacking into the organization's time and expense system to collect employee personal data:
While the loss of employee personal data is a serious concern due to privacy and regulatory implications (e.g., GDPR, CCPA), it does not pose as critical a threat as the loss of proprietary pharmaceutical research.
(B) Hackers breaching the organization's network to access research and development reports (Correct Answer):
R&D reports contain proprietary drug formulas, clinical trial results, and patent-pending innovations, making them highly valuable to competitors and cybercriminals. A breach could lead to intellectual property theft, financial losses, loss of competitive advantage, and regulatory non-compliance (e.g., FDA, EMA requirements). This is considered the most significant threat because:
It could result in billions of dollars in lost revenue.
Competitors or state-sponsored hackers could exploit stolen research.
It could disrupt drug development and approval processes.
(C) A denial-of-service (DoS) attack that prevents access to the organization's website:
While DoS attacks can damage an organization's reputation and disrupt operations, they generally do not cause the same level of financial or strategic harm as the loss of critical R&D data. Most organizations have cybersecurity measures (e.g., load balancers, CDNs) to mitigate DoS risks.
(D) A hacker accessing the financial information of the company:
Unauthorized access to financial data can be serious, leading to fraud or reputational damage. However, publicly traded companies already disclose much of their financial data, and financial breaches typically have a lower long-term impact compared to intellectual property theft.
IIA References:
IIA Global Technology Audit Guide (GTAG) 15: Information Security Governance: Recommends that internal auditors prioritize risks that impact strategic assets, such as intellectual property.
IIA Standard 2120 - Risk Management: Requires internal auditors to evaluate the organization's risk management processes, emphasizing risks with significant financial and operational consequences.
IIA Practice Advisory 2110-2: Assessing the Adequacy of Risk Management Processes: Highlights that internal auditors must identify risks that could threaten the organization's long-term objectives, such as IP theft.
COSO ERM Framework: Encourages prioritization of risks that have high impact on an organization's value and strategic objectives, such as cyber threats to proprietary research.
Conclusion:
Given the pharmaceutical industry's reliance on proprietary R&D, a breach compromising research reports represents the most significant cyber threat.
Therefore, option (B) is the correct answer.
IIA-CIA-Part3-CN Exam Question 89
An organization with a stable rating from an international rating agency has issued bonds that are not backed by assets or collateral. Payment of interest and principal to bondholders is guaranteed by the organization. What type of bond did the organization issue?
Correct Answer: D
A debenture bond is an unsecured bond that is not backed by specific assets or collateral. Instead, it is backed only by the issuer's creditworthiness and general reputation. Since the organization in this scenario has a stable rating from international rating agencies and guarantees interest and principal payments, it aligns perfectly with the definition of a debenture bond.
Explanation of Each Option:
A) A sinking fund bond - A bond that has a special account (sinking fund) where money is set aside to pay off bondholders over time. This is not mentioned in the scenario.
B) A secured bond - This type of bond is backed by specific assets or collateral to reduce investor risk. However, the scenario states that the bond is not backed by assets or collateral, eliminating this choice.
C) A junk bond - These are high-risk, high-yield bonds issued by companies with low credit ratings. The scenario specifies that the company has a stable rating, making this incorrect.
D) A debenture bond (Correct Answer) - Since this bond is unsecured and relies solely on the organization's financial health, it matches the definition of a debenture bond.
IIA References:
IIA IPPF Standard 2120 - Risk Management discusses financial risk management, including bond issuance.
COSO ERM Framework - Financial Risk Management emphasizes evaluating creditworthiness before issuing debt.
IFRS 9 - Financial Instruments provides accounting guidance on different bond types.
IIA-CIA-Part3-CN Exam Question 90
An intruder impersonating the organization's CEO sent an email and deceived a payroll administrator into providing employees' private tax information. What type of attack was carried out?
Correct Answer: B
A spear phishing attack is a highly targeted email-based attack where an attacker impersonates a trusted individual (e.g., the CEO) to trick recipients into providing sensitive information.
* In this scenario, an intruder posed as the CEO and deceived payroll staff into sharing employees' private tax information.
* Spear phishing is more targeted than general phishing, often using personal details to make the fraudulent request seem legitimate.
Explanation of Answer Choices:
* A. Boundary attack. (Incorrect)
* A boundary attack refers to attempts to breach an organization's network perimeter defenses, such as firewalls and intrusion detection systems.
* This scenario describes a social engineering attack, not a technical boundary attack.
* B. Spear phishing attack. (Correct)
* Spear phishing attacks are highly personalized email attacks, usually targeting specific employees within an organization.
* Attackers research their targets and use realistic messages to trick them into divulging sensitive data.
* This fits the scenario, as the attacker impersonated the CEO to steal tax information.
* C. Brute force attack. (Incorrect)
* A brute force attack involves systematically guessing passwords to gain unauthorized access to systems.
* This attack was based on deception, not password cracking.
* D. Spoofing attack. (Incorrect, but closely related)
* Email spoofing is a technique where an attacker falsifies the sender's email address.
* While spear phishing often includes spoofing, the broader technique used here is spear phishing, as it involved social engineering and deception.
IIA References:
* IIA GTAG 16 - Security Risk: IT and Cybersecurity discusses phishing and social engineering threats, emphasizing internal controls to mitigate them.
* IIA Standard 2120 - Risk Management highlights the need for risk assessments in cybersecurity, including employee awareness training for phishing attacks.
* National Institute of Standards and Technology (NIST) Special Publication 800-61 classifies spear phishing as a high-risk cyber threat to organizations.
