Questions for the IIA CIA PART3 3P were updated on : Dec 02 ,2025
A manager decided to build his team's enthusiasm by giving encouraging talks about employee
empowerment, hoping to change the perception that management should make all decisions in the
department.
The manager is most likely trying to impact which of the following components of his team's
attitude?
A
Which of the following can be classified as debt investments?
B
Reference:
https://www.investopedia.com/terms/g/government-bond.asp
Which of the following devices best controls both physical and logical access to information systems?
B
Reference:
https://mytechdecisions.com/physical-security/biometrics-access-control-technology/
Which of the following is a cybersecurity monitoring activity intended to deter disruptive codes from
being installed on an organization's systems?
B
Reference:
https://www.techtarget.com/searchsecurity/tip/6-common-types-of-cyber-attacks-and-
how-to-prevent-them
Which of the following activities best illustrates a user's authentication control?
A
A company produces water buckets with the following costs per bucket:
Direct labor = $2
Direct material = $5
Fixed manufacturing = $3.50
Variable manufacturing = $2.50
The water buckets are usually sold for $15. However, the company received a special order for
50,000 water buckets at $11 each.
Assuming there is adequate manufacturing capacity and all other variables are constant, what is the
relevant cost per unit to consider when deciding whether to accept this special order at the reduced
price?
B
Which of the following IT disaster recovery plans includes a remote site designated for recovery with
available space for basic services, such as internet and telecommunications, but does not have
servers or infrastructure equipment?
B
Reference:
https://www.sciencedirect.com/topics/computer-science/disaster-recovery
Which of the following organization structures would most likely be able to cope with rapid changes
and uncertainties?
A
Reference:
https://hbr.org/2017/12/when-to-decentralize-decision-making-and-when-not-to
A chief audit executive wants to implement an enterprisewide resource planning software.
Which of the following internal audit assessments could provide overall assurance on the likelihood
of the software implementation's success?
B
Reference:
https://www.oecd.org/daf/ca/risk-management-corporate-governance.pdf
Which of the following statements is true regarding change management?
D
Reference:
https://chapters.theiia.org/montreal/ChapterDocuments/GTAG%202%20-
%20Change%20and%20Patch%20Management%20Controls%20Critical%20for%20Organizational
%20Success_2nd%20ed.pdf
During disaster recovery planning, the organization established a recovery point objective. Which of
the following best describes this concept?
B
Reference:
https://www.druva.com/glossary/what-is-a-disaster-recovery-plan-definition-and-
related-faqs/#:~:text=The%20recovery%20point%20objective%20refers,hour%20to%20meet%20this
%20objective
Which of the following statements is true regarding user-developed applications (UDAs) and
traditional IT applications?
D
In reviewing an organization's IT infrastructure risks, which of the following controls is to be tested as
part of reviewing workstations?
D
Which of the following is an example of internal auditors applying data mining techniques for
exploratory purposes?
B
Reference:
https://www.researchgate.net/publication/221174455_Data_Mining_Technique_in_the_Internal_Au
diting_of_Enterprise_Groups
Which of the following is likely to occur when an organization decides to adopt a decentralized
organizational structure?
B
Reference:
https://opentextbc.ca/principlesofaccountingv2openstax/chapter/differentiate-between-
centralized-and-decentralized-management/