IIA-CIA-Part3-CN Exam Question 31
The senior management of a dairy company asked the internal audit department to provide advisory services within the finance department, and the internal audit department subsequently issued a report. Which of the following is consistent with IIA guidance on monitoring the results of such an engagement?
Correct Answer: C
According to the IIA Standards, follow-up is mandatory only for assurance engagements, where corrective action plans are agreed and tracked. Advisory services are intended to add value and offer recommendations but do not require formal follow-up by internal audit. Responsibility for implementing recommendations lies with management.
Options A and B improperly delegate follow-up responsibilities, and Option D incorrectly suggests mandatory follow-up for advisory engagements.
Reference:
IIA Standards - Standard 2500: Monitoring Progress (applies to assurance, not advisory services).
IIA-CIA-Part3-CN Exam Question 32
Which of the following scenarios best illustrates a spear phishing attack?
Correct Answer: C
Why Option C Is Correct:
A spear phishing attack is a targeted email attack aimed at a specific individual, organization, or business.
Unlike general phishing, which casts a wide net, spear phishing is highly personalized and designed to deceive the recipient into providing sensitive information.
Personalization - The email references a golf membership renewal, making it relevant and believable to the recipient.
Social Engineering - The attacker exploits the victim's trust by pretending to be a legitimate entity.
Malicious Link - The victim clicks a fraudulent hyperlink and enters sensitive credit card details.
Financial Fraud - The goal is to steal payment information, leading to unauthorized transactions.
Why Not the Other Options:
A). Numerous and consistent attacks on the company's website caused the server to crash.
This describes a Denial-of-Service (DoS) attack, not spear phishing.
B). A person posing as an IT help desk representative called employees and played a generic message requesting passwords.
This describes vishing (voice phishing) rather than spear phishing.
D). Many users of a social network service received fake notifications about a new investment opportunity.
This is general phishing, as it targets multiple users instead of one individual.
IIA References:
IIA's GTAG (Global Technology Audit Guide) on Cybersecurity - Emphasizes the risk of spear phishing in cyber fraud.
NIST SP 800-61 (Computer Security Incident Handling Guide) - Defines spear phishing as a highly targeted attack method.
COBIT 2019 (Governance and Management of IT) - Highlights social engineering risks in IT security.
Final Answer: C. A person received a personalized email regarding a golf membership renewal, and he clicked a hyperlink to enter his credit card data into a fake website.
IIA-CIA-Part3-CN Exam Question 33
Which of the following measures could reduce the risk of violating transfer pricing regulations?
Correct Answer: A
Transfer pricing regulations aim to prevent tax evasion and ensure that intercompany transactions reflect fair market value, preventing profit shifting to low-tax jurisdictions. Selling inventory at fair value (arm's length price) aligns with regulatory requirements, reducing the risk of non-compliance.
Analysis of Answer Choices:
(A) Correct - The organization sells inventory to an overseas subsidiary at fair value.
Ensuring that transactions reflect fair market value prevents regulatory violations.
Adhering to the arm's length principle minimizes transfer pricing risks and potential tax penalties.
(B) Incorrect - The local subsidiary purchases inventory at a discounted price.
A discounted price could be seen as an attempt to shift profits between entities, increasing regulatory scrutiny.
(C) Incorrect - The organization sells inventory to an overseas subsidiary at the original cost.
Selling at the original cost does not account for market conditions, potential markup, and fair valuation.
Regulators may view this as non-compliance with the arm's length principle.
(D) Incorrect - The local subsidiary purchases inventory at the depreciated cost.
Depreciated cost may not represent fair market value and could be interpreted as a tax avoidance mechanism.
IIA References and Internal Auditing Standards:
IIA's Global Internal Audit Standards - Compliance with Tax and Transfer Pricing Regulations
Emphasizes fair pricing in intercompany transactions to prevent regulatory violations.
OECD Transfer Pricing Guidelines
Reinforces the arm's length principle as the standard for pricing related-party transactions.
COSO's ERM Framework - Compliance Risk Management
Highlights the need for adherence to tax laws and fair-value pricing in financial transactions.
IIA-CIA-Part3-CN Exam Question 34
During disaster recovery planning, an organization establishes a recovery point objective. Which of the following best describes this concept?
Correct Answer: B
Recovery Point Objective (RPO) Defined:
RPO is the maximum amount of data loss an organization can tolerate before it significantly impacts business operations.
It determines how frequently backups should be performed to minimize data loss in the event of a system failure, cyberattack, or disaster.
For example: If an organization has an RPO of 4 hours, backups must be performed at least every 4 hours to ensure minimal data loss.
IIA GTAG on Business Continuity Management states that RPO should align with business risk tolerance and data criticality.
Explanation of Incorrect Answers:
A). The maximum tolerable downtime after the occurrence of an incident. (Incorrect) This defines the Recovery Time Objective (RTO), which refers to the time needed to restore operations.
RPO relates to data loss, not downtime.
C). The maximum tolerable risk related to the occurrence of an incident. (Incorrect) Risk tolerance is a separate concept related to risk management strategies, not data recovery.
D). The minimum recovery resources needed after the occurrence of an incident. (Incorrect) This refers to disaster recovery planning and resource allocation, not the specific metric of data loss tolerance.
Conclusion:
The Recovery Point Objective (RPO) measures the maximum allowable data loss (Option B) before it significantly affects business continuity.
IIA References:
IIA GTAG - Business Continuity Management
IIA Standard 2120 - Risk Management
IIA-CIA-Part3-CN Exam Question 35
According to IIA guidance, which of the following connects computers and enables them to communicate with one another?
Correct Answer: D
Understanding Computer Communication Systems:
* Computers communicate with each other using network infrastructure, which allows data transfer, resource sharing, and remote access.
* A network connects multiple devices, enabling them to exchange information, access shared resources, and collaborate efficiently.
Why Option D (Networks) Is Correct:
* A computer network consists of hardware (routers, switches, and cables) and software (protocols like TCP/IP) that facilitate communication.
* Networks can be local (LAN), wide-area (WAN), or cloud-based, providing the backbone for IT operations.
* IIA GTAG 11 - Developing the IT Audit Plan emphasizes auditing network security and communication controls.
Why Other Options Are Incorrect:
* Option A (Application program code): Application programs allow users to perform specific tasks but do not link computers for communication.
* Option B (Database system): A database stores and retrieves data, but it does not enable direct communication between computers.
* Option C (Operating system): The operating system manages a single computer's resources but does not connect multiple computers.
Final Justification:
* Networks are responsible for linking computers and enabling communication, making option D the correct choice.
* IIA GTAG 11 highlights the importance of network infrastructure in IT auditing.
IIA References:
* IIA GTAG 11 - Developing the IT Audit Plan
* ISO 27001 - IT Network Security Management
* NIST SP 800-53 - Network Security Controls