Which of the following is an example of an application control?
Correct Answer: D
Comprehensive and Detailed In-Depth Explanation: Application controls are specific to software applications and help ensure data integrity and accuracy within systems. Option A (Automated password change requirements) - A system security control, not specific to a single application. Option B (System data backup) - A general IT control, not an application control. Option C (User testing of system changes) - Part of software development controls, not an application-level control. Formatted data fields ensure that users enter information in the correct format, preventing errors and improving data accuracy. Since formatted data fields are an application-specific control, Option D is correct. Reference: IIA IT Controls - Application Security & Data Integrity
IIA-CIA-Part3 Exam Question 177
Which of the following IT-related activities is most commonly performed by the second line of defense?
Correct Answer: C
Comprehensive and Detailed In-Depth Explanation: The Three Lines of Defense Model classifies risk management roles as follows: First Line of Defense: Operational management responsible for risk controls (e.g., blocking unauthorized traffic, encrypting data). Second Line of Defense: Risk management and compliance functions that monitor and assess the effectiveness of first-line controls (e.g., reviewing disaster recovery test results). Third Line of Defense: Independent audit functions providing assurance (e.g., conducting security assessments). Option C (Reviewing disaster recovery test results) aligns with the second line of defense because it involves oversight and evaluation of IT controls rather than direct execution. Reference: IIA Three Lines Model - Risk Management
IIA-CIA-Part3 Exam Question 178
What is the first step an internal audit function should take to define its organizational structure, deliverables, communication protocols, and resourcing model?
Correct Answer: D
The first step in defining the internal audit function's structure and processes is to understand the needs and expectations of the board, senior management, and external stakeholders. This ensures alignment with organizational priorities and risk appetite. Option A (recommend improvements) is a later activity. Option B (hiring plan) comes after the structure and resourcing needs are identified. Option C (quality assessments) occurs after processes are established. Reference: IIA Standards - Standard 1000: Purpose, Authority, and Responsibility.
IIA-CIA-Part3 Exam Question 179
Which of the following scenarios best illustrates a spear phishing attack?
Correct Answer: C
A spear phishing attack is a targeted email attack aimed at a specific individual, organization, or business. Unlike general phishing, which casts a wide net, spear phishing is highly personalized and designed to deceive the recipient into providing sensitive information.
Why Option C is Correct? Personalization - The email references a golf membership renewal, making it relevant and believable to the recipient. Social Engineering - The attacker exploits the victim's trust by pretending to be a legitimate entity. Malicious Link - The victim clicks a fraudulent hyperlink and enters sensitive credit card details. Financial Fraud - The goal is to steal payment information, leading to unauthorized transactions.
Why Not the Other Options? A) Numerous and consistent attacks on the company's website caused the server to crash. This describes a Denial-of-Service (DoS) attack, not spear phishing. B) A person posing as an IT help desk representative called employees and played a generic message requesting passwords. This describes vishing (voice phishing) rather than spear phishing. D) Many users of a social network service received fake notifications about a new investment opportunity. This is general phishing, as it targets multiple users instead of one individual.
IIA References: IIA's GTAG (Global Technology Audit Guide) on Cybersecurity - Emphasizes the risk of spear phishing in cyber fraud. NIST SP 800-61 (Computer Security Incident Handling Guide) - Defines spear phishing as a highly targeted attack method. COBIT 2019 (Governance and Management of IT) - Highlights social engineering risks in IT security.
Final Answer: C. A person received a personalized email regarding a golf membership renewal, and he clicked a hyperlink to enter his credit card data into a fake website.
IIA-CIA-Part3 Exam Question 180
Which of the following purchasing scenarios would gain the greatest benefit from implementing electronic data interchange (EDI)?
Correct Answer: A
Reference: IIA Business Knowledge for Internal Auditing, Supply Chain Management section.