IIA-CIA-Part3-CN Exam Question 136
Which of the following data attributes is most significantly affected by the Internet of Things (IoT)?
Correct Answer: B
Understanding How IoT Impacts Data Attributes:
The Internet of Things (IoT) refers to connected devices that continuously collect and transmit data in real-time.
IoT generates massive amounts of data at high speeds, affecting the velocity of data processing and analysis.
Why Velocity is the Most Affected Attribute:
Velocity refers to the speed at which data is generated, processed, and transmitted.
IoT devices continuously stream data, requiring real-time or near-real-time processing.
Examples include:
Smart sensors in factories sending real-time equipment status.
Wearable devices tracking health metrics every second.
Smart cities using IoT for traffic monitoring and instant updates.
Why Other Options Are Incorrect:
A). Normalization - Incorrect.
Normalization refers to organizing database structures, but IoT deals with data transmission speed rather than database design.
C). Structuration - Incorrect.
Structuration relates to how data is formatted (structured vs. unstructured), but IoT's biggest challenge is real-time data flow.
D). Veracity - Incorrect.
Veracity concerns data accuracy and reliability, which is a challenge in IoT but not the most significant impact compared to velocity.
IIA's Perspective on IoT and Data Management:
IIA Standard 2110 - Governance emphasizes the need for robust data processing frameworks to handle IoT-generated data velocity.
IIA GTAG (Global Technology Audit Guide) on Big Data highlights real-time data analytics and IoT challenges.
ISO 27001 Information Security Standard recommends ensuring real-time data processing controls for IoT security and management.
IIA References:
IIA Standard 2110 - IT Governance & Data Management
IIA GTAG - IoT and Big Data Risks
ISO 27001 - Information Security and Real-Time Data Processing
Thus, the correct and verified answer is B. Velocity.
IIA-CIA-Part3-CN Exam Question 137
Which of the following controls would an internal auditor consider most relevant to reducing the risk of project cost overruns?
Correct Answer: D
Understanding Project Cost Overruns and Controls
Cost overruns occur when actual project costs exceed the budgeted or planned costs. Effective controls are required to prevent, detect, and correct deviations from the cost baseline.
The most effective way to control cost overruns is through continuous monitoring and comparison of project costs against the approved cost baseline.
Why Option D Is Correct:
A formal process to monitor the project status and compare it to the cost baseline ensures that deviations are identified early and corrective actions are taken.
This aligns with the IIA's International Standards for the Professional Practice of Internal Auditing (IPPF), specifically:
Standard 2120 - Risk Management: Internal auditors must evaluate how organizations manage risks, including financial risks related to project cost overruns.
Standard 2500 - Monitoring Progress: Ensures that corrective actions are implemented when issues arise.
IIA Practice Advisory 2130-1: Stresses the importance of monitoring activities to mitigate financial risks.
The Project Management Body of Knowledge (PMBOK) also supports cost monitoring as a key control to prevent overruns.
Why Other Options Are Incorrect:
Option A: Reviewing and approving scope change requests is important, but it does not directly monitor or control cost overruns. Scope creep is a risk, but cost monitoring is a more direct control.
Option B: Having a control committee review overruns after they occur is a reactive measure. Proactive monitoring (option D) is more effective.
Option C: A quality assurance process for scope changes is valuable but does not directly prevent cost overruns. It focuses on project quality rather than financial control.
Final Justification:
Effective internal controls for cost management emphasize real-time monitoring and comparison against the cost baseline to prevent and mitigate cost overruns.
IIA Standards 2120, 2500, and 2130-1 support proactive risk management and monitoring as essential best practices for internal auditors.
IIA References:
IPPF Standard 2120 - Risk Management
IPPF Standard 2500 - Monitoring Progress
IIA Practice Advisory 2130-1 - Internal Control and Risk Management
PMBOK - Cost Monitoring and Control
IIA-CIA-Part3-CN Exam Question 138
Which of the following documents would provide an internal auditor with information on how long to retain documentation after completing the work?
Correct Answer: C
The retention and maintenance of internal audit engagement records, including the period of time they must be kept, is governed by the internal audit activity's policies and procedures. These policies provide guidance on record retention consistent with organizational requirements, legal and regulatory obligations, and professional standards.
The charter (Option A) defines purpose, authority, and responsibility but does not detail document retention.
The annual plan (Option B) outlines engagements but not recordkeeping. The quality assurance and improvement program (Option D) addresses continuous improvement and compliance with standards, not retention guidelines.
Therefore, the correct source for document retention requirements is internal audit policies (Option C).
Reference:
IIA Standards - Standard 2330: Documenting Information; Implementation Guide 2330.
IIA-CIA-Part3-CN Exam Question 139
A new manager received the calculated internal rate of return for a project proposal. What should the manager compare the result to in order to determine whether the project is acceptable?
Correct Answer: C
The internal rate of return (IRR) is a measure used to evaluate the profitability of an investment. The project is considered acceptable if its IRR is greater than or equal to the required rate of return (RRR), which is the minimum return an organization expects from an investment.
Step-by-Step Explanation:
Correct Answer (C - Compare to the Required Rate of Return)
The required rate of return (RRR) represents the minimum acceptable return for the project.
If IRR ≥ RRR, the project is acceptable. If IRR < RRR, the project is rejected.
The IIA Practice Guide: Auditing Capital Investments suggests comparing IRR to the RRR to ensure financial feasibility.
Why Other Options Are Incorrect:
Option A (Compare to the annual cost of capital):
The cost of capital (WACC - Weighted Average Cost of Capital) is an important factor, but RRR is the direct benchmark for IRR comparison.
Option B (Compare to the annual interest rate):
Interest rates do not determine project feasibility; they only affect financing costs.
Option D (Compare to the net present value - NPV):
NPV and IRR are related, but they serve different purposes.
IRR is compared against RRR, while NPV measures absolute profitability in dollar terms.
IIA References for Validation:
IIA Practice Guide: Auditing Capital Investments - Discusses IRR, RRR, and investment decision-making.
IIA GTAG 3: Business Case Development - Explains how financial metrics like IRR and RRR are used in decision-making.
Thus, C is the correct answer because IRR should be compared to the required rate of return to determine project acceptability.
IIA-CIA-Part3-CN Exam Question 140
According to IIA guidance, which of the following statements about penetration testing is correct?
Correct Answer: D
Penetration testing is a security practice used to identify vulnerabilities in an organization's information systems by simulating cyberattacks. It is an essential component of IT risk management and internal auditing under The Institute of Internal Auditors (IIA) standards, particularly in the context of IT governance, cybersecurity risk management, and control assurance.
Explanation of the Correct Answer (D):
Focus on Preventive Controls:
Penetration testing evaluates how well preventive controls (e.g., firewalls, encryption, authentication mechanisms) work against potential cyberattacks.
According to the IIA Global Technology Audit Guide (GTAG) 11: Developing an IT Audit Plan, testing should emphasize preventive security measures to minimize risks.
Management's Response Assessment:
The effectiveness of an organization's incident response plan is also evaluated.
Management's reaction to simulated cyber threats ensures that detection and response mechanisms are functional and aligned with IIA Standard 2120 - Risk Management and IIA GTAG 1: Information Security Governance.
Analysis of Incorrect Answers:
A). Testing should not be announced to anyone within the organization to solicit a real-life response. (Incorrect)
Reason: While unannounced tests (e.g., red team exercises) can provide real-world insights, penetration testing should be coordinated with IT and security personnel.
IIA GTAG 11 emphasizes structured and ethical testing approaches, ensuring that necessary stakeholders are informed to prevent operational disruptions.
B). Testing should take place during heavy operational time periods to test system resilience. (Incorrect)
Reason: While resilience testing is important, penetration testing is typically performed in controlled conditions to avoid disrupting business operations.
IIA Standard 2130 - Control supports minimizing business risks during testing.
C). Testing should be wide in scope and primarily address detective management controls for identifying potential attacks. (Incorrect)
Reason: While detection controls (e.g., intrusion detection systems) are important, penetration testing focuses primarily on preventive controls.
IIA GTAG 1 and IIA GTAG 11 stress proactive security strategies over purely detective measures.
IIA References:
IIA Global Technology Audit Guide (GTAG) 11: Developing an IT Audit Plan - Covers IT security testing, including penetration testing.
IIA GTAG 1: Information Security Governance - Emphasizes the role of security assessments.
IIA Standard 2120 - Risk Management - Highlights the importance of testing preventive security measures.
IIA Standard 2130 - Control - Discusses ensuring operational effectiveness during testing.
Thus, D is the most accurate choice as per IIA guidance.
