Internal audit may rely on the work of other internal assurance providers (such as finance or compliance), provided it has assessed the adequacy, competence, and objectivity of the work. This avoids duplication and increases efficiency.
Option B incorrectly assumes internal work cannot be relied upon. Option C shifts responsibility inappropriately. Option D ignores coordination opportunities.
Reference:
IIA Standards - Standard 2050: Coordination and Reliance.

Understanding The IIA's Three Lines Model:
The Three Lines Model defines responsibilities for risk management and control across different organizational functions:
First Line: Operational management (owns and manages risks).
Second Line: Risk and compliance functions (monitors and facilitates risk management).
Third Line: Internal audit (provides independent assurance).
Why Third-Party and Supplier Assessments Are Shared Across All Three Lines:
First Line (Operational Teams & IT Security): Ensures that vendors comply with security standards.
Second Line (Risk & Compliance Teams): Conducts due diligence and ensures compliance with cybersecurity regulations.
Third Line (Internal Audit): Independently evaluates supplier risk management processes.
Why Other Options Are Less Relevant:
B). Recruitment and retention of certified IT talent - Primarily a first-line management responsibility (HR and IT departments).
C). Classification of data and design of access privileges - Typically a first-line IT security function, with oversight from the second line.
D). Creation and maintenance of secure network configurations - Falls under first-line IT operations with oversight but not shared by all three lines.
IIA's Three Lines Model (2020 Update): Emphasizes shared responsibilities in areas like third-party risk.
IIA Practice Guide on Third-Party Risk Management: Internal audit must assess supplier security and compliance.
COSO ERM Framework: Highlights vendor risk management as a cross-functional responsibility.
Relevant IIA References:# Final Answer: Assessments of third parties and suppliers (Option A).

Residual income (RI) is a performance measure that considers both profits and the investment base by calculating the excess income generated over a required minimum return on investment (ROI).
(A) Residual income (Correct Answer):
Formula: Residual Income=Operating Income#(Required Rate of Return×Investment Base)\text{Residual Income} = \text{Operating Income} - (\text{Required Rate of Return} \times \text{Investment Base}) Residual Income=Operating Income#(Required Rate of Return×Investment Base) RI evaluates profitability after accounting for the cost of capital, making it a better measure of financial performance than net income alone.
It considers both profits (net operating income) and the investment base (capital employed).
(B) A flexible budget:
A flexible budget adjusts based on changes in activity levels but does not directly include investment base considerations.
(C) Variance analysis:
Variance analysis compares actual vs. budgeted performance but does not consider investment base.
(D) A contribution margin income statement by segment:
The contribution margin shows revenue minus variable costs but does not factor in the investment base.
IIA Practice Guide: Measuring Performance - Recognizes residual income as a key metric for evaluating divisional performance.
COSO ERM Framework - Performance Measurement Component - Emphasizes using metrics that account for both profitability and investment.
IIA Standard 2120 - Risk Management - Highlights the importance of financial metrics in evaluating strategic objectives.
Analysis of Each Option:IIA References:Conclusion:Since Residual Income (RI) considers both profits and investment base, option (A) is the correct answer.

Comprehensive and Detailed In-Depth Explanation:
Data privacy laws, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), emphasize restricting access to personally identifiable information (PII) to only those who require it for business purposes.
Option B (Data backup within 24 hours) is an IT best practice but is not a core requirement of privacy laws.
Option C (Approval for system updates) is a change management policy, unrelated to data privacy.
Option D (Insider trading restrictions) falls under corporate governance and securities regulations, not data privacy laws.
Thus, Option A is correct, as it aligns with legal requirements for protecting sensitive personal data.
Reference: IIA Data Privacy Compliance - GDPR & CCPA Standards

The auditor used an analytics tool to examine vendor payment transactions over 24 months and identify the top five vendors receiving the highest payments. This process involves examining, summarizing, and interpreting data, which falls under data analysis.
(A) Process analysis. #
Incorrect. Process analysis focuses on evaluating the workflow, efficiency, and control effectiveness of a business process, rather than analyzing data trends.
Example: Reviewing how invoices are processed to identify bottlenecks.
(B) Process mining. #
Incorrect. Process mining uses event logs and transactional data to analyze workflow patterns and deviations from standard procedures.
Example: Identifying inefficiencies in an invoice approval workflow.
(C) Data analysis. #
Correct. The auditor reviewed historical transaction data and extracted meaningful insights (i.e., the top five vendors by payment volume).
IIA GTAG - "Data Analytics: Elevating Internal Audit Performance" describes data analysis as using structured financial and operational data to identify trends, risks, or anomalies.
(D) Data mining. #
Incorrect. Data mining involves advanced statistical or machine learning techniques to discover hidden patterns in data, whereas data analysis focuses on summarizing and interpreting known data.
Example: Identifying fraudulent transactions using predictive modeling.
IIA GTAG - "Data Analytics: Elevating Internal Audit Performance"
IIA Standard 2320 - Analysis and Evaluation
COSO Framework - Data-Driven Internal Auditing
Analysis of Answer Choices:IIA References:Thus, the correct answer is C (Data analysis), as the auditor examined past transactions to summarize and interpret payment trends.