The Internal Audit Function (IIA-CIA-Part3)

Understanding How IoT Impacts Data Attributes:

The Internet of Things (IoT) refers to connected devices that continuously collect and transmit data in real-time.

IoT generates massive amounts of data at high speeds, affecting the velocity of data processing and analysis.

Why Velocity is the Most Affected Attribute:

Velocity refers to the speed at which data is generated, processed, and transmitted.

IoT devices continuously stream data, requiring real-time or near-real-time processing.

Examples include:

Smart sensors in factories sending real-time equipment status.

Wearable devices tracking health metrics every second.

Smart cities using IoT for traffic monitoring and instant updates.

Why Other Options Are Incorrect:

A. Normalization – Incorrect.

Normalization refers to organizing database structures, but IoT deals with data transmission speed rather than database design.

C. Structuration – Incorrect.

Structuration relates to how data is formatted (structured vs. unstructured), but IoT’s biggest challenge is real-time data flow.

D. Veracity – Incorrect.

Veracity concerns data accuracy and reliability, which is a challenge in IoT but not the most significant impact compared to velocity.

IIA’s Perspective on IoT and Data Management:

IIA Standard 2110 – Governance emphasizes the need for robust data processing frameworks to handle IoT-generated data velocity.

IIA GTAG (Global Technology Audit Guide) on Big Data highlights real-time data analytics and IoT challenges.

ISO 27001 Information Security Standard recommends ensuring real-time data processing controls for IoT security and management.

IIA References:

IIA Standard 2110 – IT Governance & Data Management

IIA GTAG – IoT and Big Data Risks

ISO 27001 – Information Security and Real-Time Data Processing

Thus, the correct and verified answer is B. Velocity.

Database backup methodologies ensure data protection and recovery in case of failures, system crashes, or cyber incidents. The most efficient method balances performance, storage, and recovery speed.

Incremental Backup on a Daily Basis (Correct Answer: D)

Incremental backups store only the changes made since the last backup.

This method saves storage space and reduces backup time, making it highly efficient for large production databases.

IIA Standard 2120 – Risk Management emphasizes that auditors must assess the efficiency and reliability of IT controls, including backup strategies.

This approach minimizes downtime and ensures the most recent data is available for recovery.

Why the Other Options Are Incorrect:

A. Disk Mirroring (Incorrect)

Disk mirroring (RAID 1) creates an exact real-time copy of data, but it is not a backup method—it only provides redundancy.

If corruption occurs in the database, the mirrored disk will also have corrupted data.

B. Weekly Differential Backup (Incorrect)

Differential backups store changes since the last full backup, but performing them only weekly means data loss could be significant if a failure occurs mid-week.

They consume more storage over time compared to incremental backups.

C. Independent Disk Array (Incorrect)

Redundant Arrays of Independent Disks (RAID) are primarily used for storage performance and fault tolerance, not as an efficient backup methodology.

RAID does not replace the need for incremental or full backups.

IIA Standard 2120 – Risk Management (Assessing IT controls, including backup and data recovery strategies)

IIA Standard 2110 – Governance (Ensuring IT risk management aligns with organizational objectives)

IIA Standard 2130 – Compliance (Verifying adherence to IT security and backup policies)

Step-by-Step Justification:IIA References for This Answer:Thus, the best answer is D. An incremental backup of the database on a daily basis, as it optimizes efficiency, reduces storage usage, and ensures up-to-date backups with minimal disruption.

Losing the only IT auditor in the internal audit function significantly impacts the ability to perform IT audits in the approved plan. This resource limitation requires the CAE to revise the plan and seek board approval for changes.

Option A does not change the plan. Option C was foreseeable and should already have been included in prior planning. Option D has no material impact since the vacancy was quickly filled with a qualified replacement.

To effectively mitigate and manage risks during a crisis, organizations must implement a combination of preventive and reactive measures:

Preventive measures: These are proactive steps taken before a crisis to reduce the likelihood of occurrence (e.g., risk assessments, internal controls, security protocols).

Reactive measures: These are actions taken after a crisis occurs to minimize damage, restore operations, and recover from the event (e.g., business continuity plans, incident response strategies).

(A) Incorrect – Only preventive measures.

While prevention is essential, not all crises can be avoided. Organizations also need response mechanisms.

(B) Incorrect – Alternative and reactive measures.

Alternative measures (e.g., backup systems) are part of risk management, but without prevention, risks may escalate.

(C) Incorrect – Preventive and alternative measures.

Alternative measures (e.g., backup resources) help maintain operations but do not directly address crisis response.

(D) Correct – Preventive and reactive measures.

Best practice in risk management includes both preventing crises and responding effectively when they occur.

IIA’s Global Internal Audit Standards – Crisis Management and Business Resilience

Emphasizes the need for both prevention and response strategies.

COSO’s ERM Framework – Risk Management in Crisis Situations

Recommends a combination of risk avoidance, mitigation, and crisis response.

ISO 22301 – Business Continuity Management

Highlights the importance of preventive controls and reactive response planning.

Analysis of Answer Choices:IIA References and Internal Auditing Standards:

Authorization controls ensure that users have appropriate access levels based on their roles and responsibilities. The primary concern arises when all users have uniform access, as it violates the principle of least privilege (PoLP) and increases the risk of unauthorized access and data breaches.

(A) Users can only see certain screens in the system.

Incorrect. This is a good security practice, as it limits user access based on job roles, preventing unauthorized access to sensitive information.

(B) Users are making frequent password change requests.

Incorrect. Frequent password resets might indicate poor password management but are not directly related to authorization controls.

(C) Users input incorrect passwords and get denied system access.

Incorrect. This indicates authentication issues, not an authorization control concern. If users are denied access due to incorrect passwords, the system’s authentication mechanisms are working correctly.

(D) Users are all permitted uniform access to the system. ✅

Correct. Authorization should be role-based, meaning different users should have different levels of access depending on their responsibilities. Uniform access violates security best practices and increases the risk of fraud, data misuse, and compliance violations.

IIA GTAG " Identity and Access Management " emphasizes that authorization controls should be based on job functions to prevent unnecessary exposure to sensitive data.

IIA Standard 2120 – Risk Management highlights the importance of access control policies to mitigate cybersecurity risks.

IIA GTAG – " Identity and Access Management "

IIA Standard 2120 – Risk Management

COBIT Framework – Access Control and Identity Management

Analysis of Answer Choices:IIA References:Thus, the correct answer is D, as uniform access across all users is a major security concern in authorization control.

Preventive security controls proactively stop unauthorized access before it occurs. The most effective method is strict access management, where new or additional access rights require formal validation before being granted.

Prevents Unauthorized Entry – Ensures that only approved personnel have access to the power plant.

Implements Segregation of Duties (SoD) – Supervisors validate access requests, reducing insider threats.

Aligns with Least Privilege Principle – Employees get only the minimum access necessary for their role.

Prevents Security Risks Before They Happen – Unlike detective or corrective controls, this method stops unauthorized access before it occurs.

A. Offboarding procedure (monthly review) – This is a detective control, identifying issues after access is granted, not preventing them.

B. Smart lock anomaly scanning – Also detective, as it identifies suspicious behavior after access has been used.

D. Automatic notifications for after-hours entry – A corrective control, responding to potential violations instead of preventing them.

IIA’s GTAG on Identity and Access Management – Recommends pre-approval processes for sensitive locations.

ISO 27001 Annex A.9 (Access Control) – Requires role-based access management for critical infrastructures.

NIST SP 800-53 (Security and Privacy Controls for Federal Information Systems) – Defines supervisor approval as a key preventive measure.

Why Approval-Based Access Control is the Best Preventive Measure?Why Not the Other Options?IIA References:

Managerial accounting differs from financial accounting in that it focuses on internal decision-making, cost control, and performance evaluation based on predetermined standards. Unlike financial accounting, which follows GAAP (Generally Accepted Accounting Principles) for external reporting, managerial accounting sets internal benchmarks to guide operational efficiency and strategic planning.

Use of Predetermined Standards:

Managerial accounting often uses standard costing, budgets, and variance analysis to compare actual performance against pre-set benchmarks.

This helps management make data-driven decisions and improve efficiency.

Internal Decision-Making:

Managerial accounting reports are used by internal stakeholders (e.g., managers, executives) rather than external entities.

Control and Performance Measurement:

It focuses on variance analysis (actual vs. expected performance) to highlight areas requiring corrective action.

Not Governed by GAAP:

Unlike financial accounting, managerial accounting does not require compliance with GAAP or IFRS since it is meant for internal use only.

A. Managerial accounting uses double-entry accounting and cost data:

While cost data is relevant to managerial accounting, double-entry accounting is a fundamental principle of all accounting systems, including financial accounting.

B. Managerial accounting uses generally accepted accounting principles (GAAP):

GAAP is required for financial accounting (external reporting), but managerial accounting does not follow GAAP since it focuses on internal decision-making.

C. Managerial accounting involves decision making based on quantifiable economic events:

While managerial accounting analyzes economic data, its distinguishing feature is using predetermined standards to evaluate and improve performance, which makes Option D the best choice.

IIA Standard 2110 - Governance: Internal auditors should assess decision-making processes, including managerial accounting techniques.

IIA Standard 2120 - Risk Management: Cost control and budget variance analysis are key components of risk management.

COSO Framework - Performance Monitoring: Emphasizes variance analysis, which aligns with predetermined standards in managerial accounting.

Key Reasons Why Option D is Correct:Why Other Options Are Incorrect:IIA References:Thus, the correct answer is D. Managerial accounting involves decision making based on predetermined standards.

Understanding the Contracting Process PhasesThe contracting process generally follows these phases:

Initiation Phase: Identifies the need for a contract and sets initial objectives.

Bidding Phase: Potential vendors or partners submit proposals, and negotiations begin.

Development Phase: Contracts are drafted, negotiated, and finalized before execution.

Management Phase: The contract is executed, monitored, and evaluated for compliance.

Why Option C is Correct?

The development phase is where contracts are formally drafted based on agreements made during bidding and negotiation.

This phase includes legal review, compliance verification, and risk assessment, ensuring the contract aligns with business objectives and legal requirements.

IIA Standard 2110 – Governance requires auditors to assess how contract risks are managed, ensuring formal contract development processes.

Why Other Options Are Incorrect?

Option A (Initiation phase):

This phase defines the business need but does not involve drafting contracts.

Option B (Bidding phase):

In this phase, businesses solicit proposals, but contracts are not fully drafted until vendor selection.

Option D (Management phase):

The management phase involves executing and monitoring the contract, not drafting it.

Contracts are drafted during the development phase after vendor selection and before execution.

IIA Standard 2110 supports governance over contract risk and formal agreement processes.

Final Justification:IIA References:

IPPF Standard 2110 – Governance (Contract Risk & Compliance)

COSO ERM – Risk Management in Contracting

A Wide Area Network (WAN) is the most suitable type of network for an organization that has operations in multiple cities and countries. WANs connect multiple local area networks (LANs) and other types of networks across long geographical distances, enabling seamless communication and data sharing among remote offices and branches.

A. Wide Area Network (WAN) (Correct Answer)

WANs cover extensive geographical areas, such as multiple cities, countries, or even continents.

They use various communication technologies, including leased lines, satellite connections, VPNs, and MPLS.

WANs enable organizations with distributed operations to centralize data management and enhance business continuity.

Example: An international corporation like a multinational bank or a global retail chain relies on a WAN to link its offices worldwide.

B. Local Area Network (LAN) (Incorrect Answer)

LANs are confined to a small area, such as an office building, factory, or campus.

They provide high-speed connectivity but are not designed for geographically dispersed locations.

Example: A single office using Ethernet and Wi-Fi to connect employees’ devices.

C. Metropolitan Area Network (MAN) (Incorrect Answer)

MANs span a city or a large campus but do not extend to multiple countries.

Example: A city ' s government agencies using a fiber-optic MAN for interdepartmental communication.

D. Storage Area Network (SAN) (Incorrect Answer)

SANs are dedicated high-speed networks designed for large-scale data storage and retrieval.

They are not meant for interconnecting geographically dispersed locations.

Example: A financial institution using a SAN for high-speed access to critical databases.

The IIA’s Global Technology Audit Guide (GTAG) – IT Risks and Controls emphasizes the importance of network infrastructure in securing and managing organizational data across multiple locations.

IIA Standard 2110 – Governance requires internal auditors to evaluate whether the organization’s IT strategy (including WAN infrastructure) supports business objectives and risk management.

IIA GTAG 17 – Auditing Network Security highlights the importance of WAN security, VPNs, and encryption when managing international operations.

Explanation of Answer Choices:IIA References:Thus, the correct answer is A. Wide Area Network (WAN).