During her annual performance review, a sales manager admits that she experiences significant stress due to her job but stays with the organization because of the high bonuses she earns. Which of the following best describes her primary motivation to remain in the job?
Correct Answer: C
Extrinsic rewards are external incentives that motivate an employee to perform a task or stay in a job. These rewards include salary, bonuses, benefits, promotions, and other tangible incentives. In this case, the sales manager explicitly states that she remains in the organization because of the high bonuses, making this an example of extrinsic motivation.
Analysis of Answer Choices:
(A) Incorrect - Intrinsic reward. Intrinsic rewards are derived from internal satisfaction, such as personal growth, job fulfillment, or passion for work. Since the manager stays primarily for monetary bonuses rather than job satisfaction, this is not intrinsic motivation.
(B) Incorrect - Job enrichment. Job enrichment involves enhancing job roles by adding responsibilities, autonomy, or variety to improve motivation. The scenario does not mention job enhancement as a reason for staying.
(C) Correct - Extrinsic reward. High bonuses are a classic example of extrinsic motivation. The manager is staying for financial incentives rather than job satisfaction.
(D) Incorrect - The hierarchy of needs. Maslow's Hierarchy of Needs explains different levels of human motivation, but the question asks for a specific type of motivation rather than a broad theoretical framework.
IIA References and Internal Auditing Standards:
IIA's Guide on Human Resources Risk Management: Highlights the impact of extrinsic vs. intrinsic motivation on employee retention.
COSO's ERM Framework - Employee Retention and Performance Management: Discusses the role of financial incentives in retaining employees.
IIA's Global Internal Audit Standards - Organizational Behavior and Employee Motivation: Explains intrinsic vs. extrinsic rewards in workforce management.
IIA-CIA-Part3 Exam Question 52
An internal auditor discusses user-defined default passwords with the database administrator. Such passwords will be reset as soon as the user logs in for the first time, but the initial value of the password is set as "123456." Which of the following are the auditor and the database administrator most likely discussing in this situation?
Correct Answer: C
The discussion between the internal auditor and the database administrator is most likely centered around the security risk present in the period between account creation and password change. When a system generates a default password such as "123456," it introduces a temporary vulnerability until the user changes it.
Step-by-Step Analysis:
Understanding Default Password Security Risks: Default passwords, especially predictable ones (e.g., "123456"), pose a security threat because they are easy to guess. If an unauthorized user gains access before the legitimate user changes the password, data confidentiality and integrity may be compromised (IIA GTAG - Global Technology Audit Guide).
Evaluating the Window of Exposure: The primary concern is the time between account creation and password reset. During this time, an attacker could exploit the default password to gain unauthorized access to sensitive systems.
Why Other Options Are Less Relevant:
Option A (Replacing numbers with characters) - While this improves security, it does not directly address the risk of an attacker exploiting the default password before the user resets it.
Option B (Users continuing to use the initial password) - This is a security issue, but it is mitigated by requiring a password reset upon first login. The primary concern is the time before the reset happens.
Option D (User training on password management) - While training is crucial for long-term security, it does not directly address the immediate vulnerability of default passwords before they are changed.
Relevant IIA References:
IIA Global Technology Audit Guide (GTAG) 16: Data Management and Security
IIA Standard 2110 - Governance: Recommends addressing IT security risks, including credential management.
IIA Practice Advisory 2130.A1-1: Internal auditors should assess whether management has identified, assessed, and mitigated IT security risks, such as weak authentication practices.
IIA-CIA-Part3 Exam Question 53
Which of the following statements best describes the current state of data privacy regulation?
Correct Answer: A
Reference: IIA Business Knowledge for Internal Auditing, Data Privacy and Regulation section.
IIA-CIA-Part3 Exam Question 54
How do data analysis technologies affect internal audit testing?
Correct Answer: B
Reference: IIA Business Knowledge for Internal Auditing, Data Analytics in Auditing section.
IIA-CIA-Part3 Exam Question 55
An organization's IT systems can only be accessed using the organization's virtual private network. However, organizational emails, videoconferencing, and file-sharing tools are cloud-based and can be accessed using multi-factor authentication via any device. Which of the following risks should the organization acknowledge?
Correct Answer: A
Cloud-based applications accessible outside the VPN perimeter increase the possibility of data leakage through unapproved or unsecured applications (shadow IT). Even with multi-factor authentication, risks remain around the use of personal devices and uncontrolled storage or sharing. Option B is incorrect because VPNs are generally secure if configured correctly. Option C is misleading, as remote access controls can be effective in cloud solutions when properly designed. Option D (employees accessing emails after hours) is not a risk related to security but rather a work-life balance issue. Thus, the key risk is potential leakage of organizational data via unapproved or uncontrolled applications (Option A). Reference: IIA Global Technology Audit Guide (GTAG): Auditing Cloud Computing; IIA Standards - Standard 2110: Governance.