An internal auditor uses a risk and control questionnaire as part of the preliminary survey for an audit of the organization's anti-bribery and corruption program. What is the primary purpose of using this approach?
Correct Answer: B
A risk and control questionnaire (RCQ) is used during preliminary surveys to help the auditor ascertain the existence of controls in a specific process or program. It provides structured information about which controls are in place, which are missing, and how they are applied. Option A refers to reconciliation, which is not the main purpose. Option C (testimonial information) suggests reliance on management statements, which is weaker than structured control identification. Option D involves external confirmation, which goes beyond the RCQ's purpose. Reference: IIA Practice Guide - Engagement Planning: Preliminary Survey and Risk Assessment.
IIA-CIA-Part3 Exam Question 187
When management uses the absorption costing approach, fixed manufacturing overhead costs are classified as which of the following types of costs?
Correct Answer: A
Reference: IIA Business Knowledge for Internal Auditing, Cost Accounting section.
IIA-CIA-Part3 Exam Question 188
An organization has decided to have all employees work from home. Which of the following network types would securely enable this approach?
Correct Answer: D
When employees work from home, secure remote access to the organization's network is essential to protect data and ensure confidentiality. A Virtual Private Network (VPN) is the best option for enabling this securely.
Step-by-Step Explanation:
Correct Answer (D - A Virtual Private Network (VPN)): A VPN creates a secure, encrypted connection between the employee's device and the organization's internal network. It prevents unauthorized access by ensuring that data is transmitted securely over the internet. The IIA GTAG 17: Auditing Network Security recommends VPNs for secure remote work environments to prevent cyber threats.
Why Other Options Are Incorrect:
Option A (A Wireless Local Area Network - WLAN): A WLAN is used within an office or home environment, but it does not provide secure remote access to an organization's network.
Option B (A Personal Area Network - PAN): A PAN connects devices like smartphones and laptops within a short range (e.g., Bluetooth), but it is not suitable for secure remote access.
Option C (A Wide Area Network - WAN): A WAN connects multiple locations, but it does not provide encryption or remote security like a VPN.
IIA References for Validation:
IIA GTAG 17: Auditing Network Security - Recommends VPNs for secure remote access.
IIA Practice Guide: Auditing IT Security Controls - Covers VPNs as a key security control for remote work.
Thus, D is the correct answer because a VPN ensures secure, encrypted communication for employees working from home.
IIA-CIA-Part3 Exam Question 189
According to IIA guidance, which of the following statements is true regarding analytical procedures?
Correct Answer: A
Analytical procedures involve evaluating financial and operational data by examining plausible relationships between numbers, trends, and industry benchmarks. These procedures assume that data relationships exist and will continue unless there is evidence to the contrary.
Analysis of Answer Choices:
(A) Data relationships are assumed to exist and to continue where no known conflicting conditions exist. Correct. Analytical procedures rely on historical trends and logical relationships between data (e.g., revenue vs. expenses, payroll vs. employee count). If no unusual variations or red flags are observed, auditors assume continuity. IIA GTAG "Auditing Business Intelligence" supports the assumption that data relationships persist unless evidence suggests otherwise.
(B) Analytical procedures are intended primarily to ensure the accuracy of the information being examined. Incorrect. The primary goal of analytical procedures is not absolute accuracy but rather identifying trends, anomalies, and risks that require further investigation.
(C) Data relationships cannot include comparisons between operational and statistical data. Incorrect. Operational and statistical data are commonly used in analytical procedures (e.g., comparing production output with raw material consumption, or customer transactions with website visits). IIA GTAG "Data Analytics: Elevating Internal Audit Performance" highlights the importance of using both financial and operational data in analytical testing.
(D) Analytical procedures can be used to identify unexpected differences, but cannot be used to identify the absence of differences. Incorrect. Analytical procedures can identify both unexpected variances and expected consistency. Auditors analyze trends, seasonal fluctuations, and relationships, detecting both errors and missing anomalies.
IIA References:
IIA GTAG - "Auditing Business Intelligence"
IIA GTAG - "Data Analytics: Elevating Internal Audit Performance"
IIA Standard 2320 - Analysis and Evaluation
Thus, the correct answer is A, as analytical procedures assume data relationships exist and continue unless conflicting conditions arise.
IIA-CIA-Part3 Exam Question 190
Which of the following physical access controls is most likely to be based on the "something you have" concept?
Correct Answer: C
Understanding the "Something You Have" Concept:
Access control methods are classified into three main authentication factors:
Something You Know - Passwords, PINs, security questions.
Something You Have - Physical devices like keycards, smart cards, or security tokens.
Something You Are - Biometrics such as fingerprints, retina scans, or voice recognition.
Why a Card-Key Scanner is the Correct Answer:
A card-key scanner verifies access using a physical card, which aligns with the "something you have" authentication factor. Users must possess the key card to gain entry, making it a classic example of physical token-based security.
Why Other Options Are Incorrect:
A. A retina characteristics reader - Incorrect, as retina scans fall under "something you are" (biometrics), not "something you have".
B. A PIN code reader - Incorrect, as PIN codes are "something you know", not a physical possession.
D. A fingerprint scanner - Incorrect, as fingerprints are biometric ("something you are"), not a physical object.
IIA's Perspective on Physical Security Controls:
IIA Standard 2110 - Governance emphasizes the importance of using multi-factor authentication to enhance security.
IIA GTAG (Global Technology Audit Guide) on Access Control recommends the use of physical security devices like card-key scanners to prevent unauthorized access.
ISO 27001 Information Security Standard identifies "something you have" authentication methods as critical components of access control.
IIA References:
IIA Standard 2110 - Governance & IT Security
IIA GTAG - Physical Security & Access Controls
ISO 27001 Information Security Standard - Multi-Factor Authentication
Thus, the correct and verified answer is C. A card-key scanner.