IIA-CIA-Part3-CN Exam Question 1
If an organization's working capital is higher than the industry average, which of the following is most likely true?
Correct Answer: B
Working capital = Current Assets - Current Liabilities
A high amount of working capital compared to industry averages suggests that the organization may not be efficiently using its resources. This could mean that:
Excess cash is invested in inventory or accounts receivable, instead of being used for growth, investment, or shareholder returns.
The company may be holding too much inventory, which could lead to obsolescence or additional storage costs.
The business may have slow turnover in receivables, meaning cash is not being collected efficiently.
Explanation of Answer Choices:
A). Settlement of short-term obligations may become difficult. (Incorrect) High working capital means the organization has sufficient current assets to cover short-term obligations, so liquidity issues are unlikely.
B). Cash may be tied up in items not generating financial value. (Correct) High working capital may indicate inefficient use of assets, such as excess inventory, high accounts receivable, or idle cash.
This can negatively impact return on assets (ROA) and overall financial performance.
C). Collection policies of the organization are ineffective. (Incorrect) While high receivables can be a factor, working capital includes all current assets and liabilities, not just accounts receivable.
The issue could be inventory mismanagement or excess liquidity, not just collection policies.
D). The organization is efficient in using assets to generate revenue. (Incorrect) High working capital does not necessarily mean efficiency. In fact, it may indicate underutilized resources rather than optimized performance.
IIA References:
IIA GTAG 3 - Continuous Auditing: Implications for Internal Auditors highlights the importance of monitoring key financial metrics such as working capital.
IIA Practice Advisory 2130-1 - Assessing Organizational Performance emphasizes that internal auditors should assess whether financial resources are being used efficiently.
Financial Management Principles (IIA Guidance) discuss the impact of excessive working capital on liquidity and return on investment.
Thus, the correct answer is B. Cash may be tied up in items not generating financial value.
IIA-CIA-Part3-CN Exam Question 2
Which of the following statements about the capital budgeting procedure known as the discounted payback period is correct?
Correct Answer: C
Comprehensive and Detailed In-Depth Explanation:
The discounted payback period is a capital budgeting technique that determines how long it takes for a project to recover its initial investment, accounting for the time value of money.
Option A (Calculates the overall project value) describes Net Present Value (NPV), not the payback period.
Option B (Ignores the time value of money) applies to the simple payback period, but the discounted payback period does account for the time value of money.
Option D (Begins at time zero) is true for all capital budgeting methods, not specific to this one.
Thus, option C is correct because the discounted payback period measures the break-even time while considering the present value of cash flows.
Reference: IIA Financial Management - Capital Budgeting Methods
IIA-CIA-Part3-CN Exam Question 3
Which of the following is a system software control?
Correct Answer: D
Comprehensive and Detailed In-Depth Explanation:
System software controls are mechanisms designed to protect system integrity, security, and performance.
Among the given options, performing intrusion testing on a regular basis (D) is a proactive security measure that tests an organization's IT infrastructure to identify vulnerabilities and weaknesses in system security.
Option A (Restricting server room access) is a physical security control, not a system software control.
Option B (Housing servers securely) is an environmental control, focusing on protecting hardware.
Option C (Ensuring documentation of user requirements) relates to project management and system development, rather than system software security.
Since intrusion testing ensures system resilience against cyber threats, option D is the correct answer.
Reference: IIA CIA Exam Syllabus - IT Security & Controls
IIA-CIA-Part3-CN Exam Question 4
A manager at a publishing company received an email that appeared to come from her supplier, containing an attachment with malware embedded in an Excel spreadsheet. When the spreadsheet was opened, cybercriminals were able to attack the company's network and access an unpublished, highly anticipated book. Which of the following controls would be most effective in preventing this type of attack?
Correct Answer: D
This attack was caused by a phishing email containing malware embedded in an Excel spreadsheet. The most effective way to prevent such attacks is employee awareness training, as human error is the leading cause of successful phishing attempts.
Step-by-Step Justification:
Understanding Phishing Attacks:
Phishing emails trick employees into opening malicious links or attachments, leading to malware infections and data breaches.
Cybercriminals often disguise emails as coming from trusted vendors or colleagues.
Why Employee Training is the Most Effective Control:
Employees must be trained to identify suspicious emails, attachments, and links.
Training reduces the likelihood of employees accidentally opening malicious files.
Many cybersecurity frameworks (e.g., NIST, ISO 27001, and CIS) emphasize employee awareness as the first line of defense.
Why the Other Options Are Less Effective Alone:
A). Monitoring network traffic. Can detect unusual activity after an attack but does not prevent phishing attempts.
B). Using whitelists and blacklists to manage network traffic. Helps filter harmful websites, but phishing emails often appear legitimate and may bypass filters.
C). Restricting access and blocking unauthorized access to the network. Helps limit damage after malware enters the network but does not stop employees from opening phishing emails.
IIA References:
IIA GTAG (Global Technology Audit Guide) on Cybersecurity: Recommends employee awareness programs as a key control.
IIA Standard 2110 (Governance): Internal auditors should assess cybersecurity training programs.
NIST Cybersecurity Framework - PR.AT (Protect - Awareness and Training): Emphasizes the role of employee education in preventing cyber threats.
ISO/IEC 27001 - Security Awareness and Training (A.7.2.2): Requires organizations to implement cybersecurity awareness programs.
Thus, the correct answer is D. Educating employees throughout the company to recognize phishing attacks.
IIA-CIA-Part3-CN Exam Question 5
An internal auditor found that a database administrator holds incompatible dual roles. Which of the following duties should not be performed by the identified administrator?
Correct Answer: D
A database administrator (DBA) should not perform duties that compromise segregation of duties (SoD). A conflict arises when a DBA has both design and security responsibilities, as this creates a risk of unauthorized changes, fraud, or data breaches.
Analysis of Each Option:
(A) Designing and maintaining the database.
Incorrect: These tasks are related but do not create a major conflict, as maintenance follows the design phase.
(B) Preparing input data and maintaining the database.
Incorrect: While data preparation is typically a business function, maintaining the database does not create a direct security risk.
(C) Maintaining the database and providing its security.
Incorrect: Maintenance involves technical upkeep, and while security controls are crucial, they do not inherently conflict.
(D) Designing the database and providing its security. (Correct Answer) A DBA responsible for both design and security could create backdoors or override security settings, leading to potential data manipulation or fraud.
IIA References Supporting the Answer:
IIA Standard 2120 - Risk Management requires proper separation of duties and control segregation to prevent fraud and security risks.
IIA GTAG 4 - Management of IT Auditing recommends separating design, security, and administration functions, and strict control over database access and security roles, to minimize risks.
Thus, the correct answer is (D) because combining database design and security responsibilities creates a significant conflict of interest, increasing security risks.
