IIA-CIA-Part3-CN Exam Question 206
Regarding user-developed applications (UDAs) and traditional IT applications, which of the following statements is correct?
Correct Answer: C
Why Option C Is Correct:
User-Developed Applications (UDAs) are software tools, typically spreadsheets or small databases, created by business users rather than IT professionals. These applications often lack formal security, documentation, and control measures, increasing the risk of data errors, unauthorized access, and compliance failures.
UDAs are often created quickly to meet immediate business needs, without following IT governance, security controls, or development standards.
Unlike traditional IT applications, UDAs lack structured testing, change management, and formal documentation.
The IIA's GTAG 14 - Auditing User-Developed Applications states that UDAs present higher risks because they are not subject to the same controls as IT-managed applications.
Explanation of the Other Options:
A). UDAs and traditional IT applications typically follow a similar development life cycle - Incorrect.
Traditional IT applications follow a formal Software Development Life Cycle (SDLC), whereas UDAs are developed informally by end-users.
B). A UDA usually includes system documentation to illustrate its functions, and IT-developed applications typically do not require such documentation. - Incorrect. IT applications require extensive documentation, whereas UDAs often lack documentation entirely.
D). IT testing personnel usually review both types of applications thoroughly to ensure they were developed properly. - Incorrect. IT applications undergo rigorous testing and quality assurance, while UDAs often bypass IT reviews altogether.
IIA References & Best Practices:
IIA GTAG 14 - Auditing User-Developed Applications highlights the risks of UDAs and emphasizes the need for internal controls.
COBIT Framework (Control Objectives for Information and Related Technologies) recommends IT governance measures for all business-critical applications.
ISO 27001 (Information Security Management System) warns against uncontrolled user-developed applications due to security risks.
Thus, the correct answer is C. Unlike traditional IT applications, UDAs typically are developed with little consideration of controls.
IIA-CIA-Part3-CN Exam Question 207
Which of the following is a likely result of outsourcing?
Correct Answer: A
Understanding Outsourcing and Its Impact:
Outsourcing refers to contracting external vendors to handle business functions that were previously managed in-house.
While it can reduce costs and improve efficiency, it increases reliance on external suppliers for critical services.
Why Increased Dependence on Suppliers is the Most Likely Result:
Loss of Internal Control: Companies lose direct oversight over quality, delivery times, and operational processes, depending on the supplier's performance.
Risk of Supplier Disruptions: If the supplier faces financial difficulties, operational failures, or compliance issues, the outsourcing company is directly affected.
Vendor Lock-in: Over time, switching suppliers becomes difficult due to integration costs and proprietary dependencies.
Why Other Options Are Incorrect:
B). Increased importance of market strategy - Incorrect.
While outsourcing can free up resources to focus on core business strategy, it does not necessarily increase the importance of market strategy.
C). Decreased sensitivity to government regulation - Incorrect.
Outsourcing often increases regulatory risks, as companies must ensure third-party compliance with data protection, labor laws, and industry regulations.
D). Decreased focus on costs - Incorrect.
Outsourcing is typically done to reduce costs, not decrease cost focus. Organizations still monitor costs closely to ensure vendor contracts remain cost-effective.
IIA's Perspective on Outsourcing and Risk Management:
IIA Standard 2120 - Risk Management requires internal auditors to evaluate risks associated with outsourcing.
IIA GTAG (Global Technology Audit Guide) on Third-Party Risk Management highlights risks related to supplier dependence, service quality, and compliance.
COSO ERM Framework recommends ongoing supplier performance monitoring to mitigate risks of over-dependence.
IIA References:
IIA Standard 2120 - Risk Management & Vendor Oversight
IIA GTAG - Third-Party Risk Management
COSO ERM - Managing Outsourcing Risks
Thus, the correct and verified answer is A. Increased dependence on suppliers.
IIA-CIA-Part3-CN Exam Question 208
In accounting, which of the following statements about the terms debit and credit is correct?
Correct Answer: C
In accounting, the terms debit (Dr.) and credit (Cr.) refer to the two sides of an account in the double-entry accounting system.
Definition of Debit and Credit in Accounting:
Every financial transaction affects at least two accounts in a double-entry system: one account is debited, and another is credited.
Debits (Dr.) appear on the left side, while credits (Cr.) appear on the right side of an account.
Accounting Equation:
Assets = Liabilities + Equity
Step-by-Step Justification:
Debits increase assets and expenses.
Credits increase liabilities, equity, and revenues.
Why the Other Options Are Incorrect:
A). Debit indicates the right side of an account and credit the left side - Incorrect, as debits are always recorded on the left side, and credits are always on the right side.
B). Debit means an increase in an account and credit means a decrease. - Partially incorrect; it depends on the type of account:
For assets and expenses, debits increase and credits decrease.
For liabilities, equity, and revenues, credits increase and debits decrease.
D). Credit means an increase in an account and debit means a decrease. - Also incorrect, because increases and decreases depend on the type of account (e.g., debits increase assets but decrease liabilities).
IIA References:
IIA Standard 1210.A1: Internal auditors must be familiar with fundamental accounting principles.
IIA Practice Guide: Auditing Financial Statements: Ensures proper understanding of debits and credits in financial reporting.
GAAP & IFRS Accounting Standards: Define how debits and credits are recorded in financial statements.
Thus, the correct answer is C. Credit indicates the right side of an account and debit the left side.
IIA-CIA-Part3-CN Exam Question 209
When reviewing an organization's IT infrastructure risks, which of the following controls should be tested as part of the review of workstations?
Correct Answer: C
Understanding IT Infrastructure Risks and Workstation Security:
Reviewing an organization's IT infrastructure risks includes assessing the security of workstations (desktops, laptops, and terminals) that connect to the organization's network.
Workstations are vulnerable to physical theft, unauthorized access, and malware attacks, making physical controls a critical security measure.
Why Physical Controls Are the Most Relevant for Workstations:
Physical controls prevent unauthorized physical access, theft, tampering, and damage to workstations.
Examples include:
Locked office spaces or workstation enclosures to restrict access.
Security badges or biometric authentication to prevent unauthorized use.
Cable locks for laptops and desktop computers to deter theft.
Surveillance cameras and security guards to monitor access.
Why Other Options Are Incorrect:
A). Input controls - Incorrect.
Input controls ensure accuracy and completeness of data entry, which applies more to application security, not workstation security.
B). Segregation of duties - Incorrect.
Segregation of duties prevents fraud and conflicts of interest, but it does not directly address workstation security risks.
D). Integrity controls - Incorrect.
Integrity controls ensure data consistency and accuracy in databases and transactions, not workstation security.
IIA's Perspective on IT Risk and Physical Security Controls:
IIA Standard 2110 - Governance requires organizations to implement physical security measures for IT assets, including workstations.
IIA GTAG (Global Technology Audit Guide) on IT Risks highlights the importance of restricting physical access to IT devices to prevent unauthorized use or data breaches.
ISO 27001 Information Security Standard recommends physical controls to secure IT infrastructure and prevent workstation-related risks.
IIA References:
IIA Standard 2110 - IT Security & Physical Access Control
IIA GTAG - Physical Security of IT Assets
ISO 27001 - Physical Security and IT Risk Management
Thus, the correct and verified answer is C. Physical controls.
IIA-CIA-Part3-CN Exam Question 210
An organization with global headquarters in the United States has subsidiaries in eight other countries. If the organization operates with an ethnocentric attitude, which of the following statements is correct?
Correct Answer: B
An ethnocentric attitude in global business means that the parent company (headquarters) makes all key decisions and expects its foreign subsidiaries to follow directives without much autonomy. This approach often results in centralized control, standardized policies, and minimal local input.
Analysis of Answer Choices:
(A) Standards used for evaluation and control are determined at local subsidiaries, not set by headquarters.
Incorrect. In an ethnocentric organization, standards and controls are determined by headquarters, not by local subsidiaries.
IIA Standard 2120 - Risk Management emphasizes that corporate governance should ensure consistent policies across all locations, which aligns with ethnocentric approaches.
(B) Orders, commands, and advice are sent to the subsidiaries from headquarters.
Correct. In ethnocentric organizations, decision-making authority is centralized at headquarters, and subsidiaries are expected to follow orders and policies without deviation.
IIA GTAG "Auditing Global Operations" discusses risks related to centralized control structures, where headquarters enforces policies globally.
(C) People of local nationality are developed for the best positions within their own country.
Incorrect. This describes a polycentric approach, where local talent is developed for leadership roles.
Ethnocentric organizations prefer to assign expatriates from headquarters to key positions in subsidiaries.
(D) There is a significant amount of collaboration between headquarters and subsidiaries.
Incorrect. Collaboration is more common in geocentric or regiocentric models, where decision-making is shared. Ethnocentric organizations have limited collaboration, as headquarters dictates policies.
IIA References:
IIA GTAG - "Auditing Global Operations"
IIA Standard 2120 - Risk Management
COSO Framework - Internal Control and Corporate Governance
Thus, the correct answer is B, as ethnocentric organizations enforce top-down control, sending orders, commands, and advice to subsidiaries.