
This is a sample version. Full version is available for subscription from www.zainacademy.us

CIA Part 3 Study Guide 2024


Special Credit for Contribution
I am grateful to Ms. Maha Zahid for being the Co-Author in this book.
Special thanks to Mr. Abdullah Yousaf and Ms. Hira Muhammad for their
sincere efforts in making this book a reality.

Let’s Connect With Each Other


Web: zainacademy.us
mzain.org

Email: help@zainacademy.us
help@mzain.org
WhatsApp (Messaging & Call): +92 311 222 4261
International Call: +92 311 222 4261
US & Canada Call: +1 646 979 0865

Facebook: https://www.facebook.com/zainacademy
YouTube: https://www.youtube.com/c/zainacademy
LinkedIn: https://www.linkedin.com/in/mzainhabib/
Twitter: https://twitter.com/mzaincpacmacia
Instagram: https://www.instagram.com/mzain.cpa.cma.cia/
Pinterest: https://www.pinterest.com/mzainhabib/

Page 2 of 485


INDEX
MAIN COVER ...... 01
SPECIAL CREDIT FOR CONTRIBUTION & LET’S CONNECT WITH EACH OTHER ...... 02
PREFACE ...... 04
CERTIFIED INTERNAL AUDITOR (CIA) EXAM GUIDE ...... 06
LETTER FROM MUHAMMAD ZAIN ...... 20
SECTION A – BUSINESS ACUMEN – STUDY POINTS ...... 23
SECTION A – BUSINESS ACUMEN – TRUE / FALSE QUESTIONS ...... 120
SECTION B – INFORMATION SECURITY – STUDY POINTS ...... 152
SECTION B – INFORMATION SECURITY – TRUE / FALSE QUESTIONS ...... 182
SECTION C – INFORMATION TECHNOLOGY – STUDY POINTS ...... 195
SECTION C – INFORMATION TECHNOLOGY – TRUE / FALSE QUESTIONS ...... 229
SECTION D – FINANCIAL MANAGEMENT – STUDY POINTS ...... 242
SECTION D – FINANCIAL MANAGEMENT – TRUE / FALSE QUESTIONS ...... 429
ABOUT THE AUTHOR ...... 485



PREFACE
Every thread of knowledge woven into the tapestry of my understanding is a
divine gift from the Supreme Architect, the Almighty Allah. It is His infinite
mercy and blessing that empowered me to conquer the daunting peaks of
the Certified Public Accountant (CPA), Certified Management Accountant
(CMA), Certified Internal Auditor (CIA), and Master of Business
Administration (MBA) exams in my maiden attempt.
My heart thrums with gratitude as I recall the unceasing support of my
family. Their enduring sacrifices – the surrendering of resources and time –
have fueled my growth in all dimensions: moral, physical, and spiritual. I
extend a profound token of thanks to my mentors, whose wisdom,
experience, and teachings have sculpted me into the person I am today.
This book reflects the symphony of wisdom bestowed upon me by Allah, in
conjunction with the tapestry of experiences and learnings acquired over a
lifetime. My thirst for knowledge has led me on countless quests, diving into
the endless seas of information found on the Internet, Blogs, Social Media,
and Wikipedia. To all the scribes and curators of Google, Blogs, Social
Media, and Wikipedia, I owe a debt of gratitude for feeding my insatiable
curiosity and illuminating my path with their wisdom.
Yet, as I delved deeper, a profound realization dawned upon me: our human
understanding is but a mere droplet in the boundless ocean of knowledge
yet to be explored and discovered. This very human curiosity sparks a
cascade of innovations, discoveries, and ideas, nudging us ever so slightly
closer to the vast unknown.
In the grand scheme of this infinite wisdom, if my words happen to echo any
copyrighted material, I assure you it is nothing but a coincidence. Any
perceived resemblance is unintentional, a serendipitous concurrence of
thoughts and ideas.
I warmly welcome you, dear readers, to freely explore this book for your
personal growth and enlightenment, devoid of any time or device
constraints. To make this treasure trove of knowledge accessible to all, I
have consciously kept the price minimal, thereby encouraging genuine
engagement with the material.


I strive for accuracy and integrity in every word that this book carries, yet I
am aware of the fallibility of human knowledge. If you stumble upon any
discrepancies or inaccuracies, I graciously invite your critique and
correction for future updates.
In the spirit of learning and wisdom, I implore our Lord, the Supreme Master
and Judge, to bless us with greater understanding and wisdom in this world,
and eternal grace in the Life Hereafter. Ameen.



CERTIFIED INTERNAL AUDITOR (CIA) EXAM GUIDE
Certified Internal Auditor (CIA) certification is offered by the Institute of
Internal Auditors (IIA), US. It is a premium internal auditing qualification
having a global presence. CIA is a symbol of excellence in internal auditing,
compliance reporting, risk management, and consultancy. CIA has three
parts. Part 1 is known as Essentials of Internal Auditing, Part 2 is known as
Practice of Internal Auditing, and Part 3 is known as Business Knowledge
for Internal Auditing.
The IIA releases the profession's primary guidance, such as the International
Professional Practices Framework (IPPF), Code of Ethics, and International
Standards for the Professional Practice of Internal Auditing. Membership
with the IIA is not required to earn the CIA designation, so candidates can
save money by not opting for membership.
Chapters and affiliated institutes hold regular meetings, seminars, and
conferences to develop networking, contacts, and social bonding. Attending
these types of events is advisable to learn about the current practices in
internal auditing.
Why Choose Zain Academy’s CIA Study Material
Zain Academy provides four things for each part of the Certified Internal Auditor exam:
a. Study Guide,
b. Exam Questions,
c. Learning Videos and
d. Personal Support and Guidance.
Study Guide and Exam Questions are available for subscription from
websites www.zainacademy.us and www.mzain.org at nominal pricing.
They are optimized for all screen sizes. The candidates will have access as
long as they wish to. There are no time and device restrictions. Learning
Videos will always be free and accessible from Zain Academy’s YouTube
channel.
Muhammad Zain’s personal support and guidance are all complimentary till
you pass the exams. You can ask as many questions as you wish to either
through WhatsApp (+92 311 222 4261) or Email (help@zainacademy.us or
help@mzain.org) and he will answer to the best of his ability. Zain
Academy’s purpose is to create the best CIA Exam Prep Course (study guide
and exam questions) at affordable pricing.



Why Choose CIA
The Certified Internal Auditor (CIA) credential offers many benefits. CIA
certification can help you move forward in a focused direction. CIA
certification conveys that you are a proficient internal auditor who can bring
valuable insights and experience. CIA holders can be entrusted with
significant responsibility. CIA also helps in increasing accounting
knowledge and skill.
CIA holders’ earning potential is excellent compared to that of non-certified
peers. Companies retain talented individuals by giving them market-based
remuneration, bonuses, perks, fringe benefits, and vacations. Qualified
individuals’ earnings are multiplied if they open a consultancy,
compliance, or internal auditing firm. CIA-certified individuals deserve the
respect of their peers.
Way To Achieve CIA Credential
To achieve the CIA designation, the candidates must meet the four Es
requirements, i.e., Education, Ethics, Examination, and Experience. The
Institute provides three years to get certified. However, the candidates can
apply for one of the three types of 1-year eligibility extension, i.e., hardship,
non-hardship, and exam eligibility. Each type of extension has its procedures
and fees. Please refer to the CIA Candidate Handbook as available on the
IIA website.
Education –
With Post-Secondary Education

In North America                 Outside North America
Bachelor’s degree or higher      Three or four years of post-secondary degree (or higher)
Associate’s degree               Three A-level certificates or equivalent

Without Post-Secondary Education

Candidates with seven years of verifiable experience in Internal Auditing or
its equivalent may become eligible, subject to approval.
Ethics – Reflect high moral and professional character and agree to abide
by the IIA’s Code of Ethics. Submit a Character Reference Form signed by a
CIA certified or supervisor or professor.



Examination – This is the most important of all the requirements.
Candidates spend considerable time clearing the three parts of the CIA
exam.
Experience –
Master’s degree or equivalent                                  12 months
Bachelor’s degree or equivalent                                24 months
Associate’s degree, three A-level certificates or equivalent   60 months

The candidates can fulfill experience requirements even after passing the
CIA exams. The experience gained can be in the accounting, finance, or
internal audit department.
CIA Examination
Candidates have to pass three parts to become certified. If a candidate
cannot pass all three parts within a three-year period, the candidate will
lose credit for any part passed and will have to apply again to the
Institute. The following table helps you become familiar with the CIA exam
structure.

Part  Title                                     MCQs  Time
1     Essentials of Internal Auditing           125   2.5 hours (150 mins)
2     Practice of Internal Auditing             100   2 hours (120 mins)
3     Business Knowledge for Internal Auditing  100   2 hours (120 mins)

IIA Retired Questions
The Test Banks or Exam Questions available from all publishers are questions
retired by the IIA. 75% of the questions are the same with every publisher.
The remaining 25% is each publisher’s own creation.
REMEMBER that actual CIA Exam Questions are confidential, non-disclosed,
and unavailable to anyone.
Review providers rely on the publicly available exam syllabus, the IPPF,
retired CIA Exam Questions, and their knowledge of the trends in the field to
equip candidates to pass the exam. At Zain Academy, we rely on qualified
CIAs, CPAs, and CMAs to ensure our review materials are of the highest
quality.



CIA Exam Scoring
The CIA Exam is computer-graded. The candidate will receive the result
within five minutes of finishing the exam. Scores are determined by the
difficulty level of the questions asked and by converting the number of
questions answered correctly to a scale that ranges from 250 to 750. A score
of at least 600 is required to pass the exam, i.e., 80%. If the questions
asked are harder, the passing score can go below 600, but if the items tested
are easy, the passing criterion can go above 600.
Whether the questions being asked are easy or difficult, I suggest you target
achieving an overall 85% in exams by accurately attempting the 85 correct
questions out of 100 questions in CIA Part 3.
The trend analysis for several years of CIA exam passing ratio shows that it
is 43% for Part 1, 46% for Part 2, and 56% for Part 3.
CIA Exam Dates
The CIA Exam can be taken on any day and at any time of your choice, subject
to two conditions:
• The day must be a normal working day, excluding weekends and public
holidays; and
• The time of the exam must be within regular working hours.
It is highly recommended to select your exam date and time as early as
possible to get the preferred appointment.



Documents Required By IIA
The following documents are required by the Institute when a candidate
makes a profile at the Certification Candidate Management System (CCMS):
i. A soft copy of an unexpired official passport or national candidate ID
card;
ii. A soft copy of degree and transcripts;
iii. A soft copy of the character reference form duly attested;
iv. A soft copy of the experience reference form verified by a CIA or
supervisor.
Once the candidate registers for an exam part and receives the
authorization-to-test email from the IIA, he has 180 days to schedule and sit
for the exam. This email from the IIA must be printed and carried by the
candidate when he takes his exam.
Pearson VUE (www.pearsonvue.com/iia) conducts CIA Examinations globally.
Select the testing center location that is most easily reachable for you.
Investment in CIA
Investment in the CIA is one time if the candidates pass all three parts in the
first attempt. Investment in the CIA is advantageous throughout life.
The following table presents the CIA Exam Fee, payable to the IIA.

S.No  Description      Member   Non-Member  Student*
1.    Application fee  $ 115    $ 230       $ 65
2.    Part 1 fee       $ 295    $ 425       $ 245
3.    Part 2 fee       $ 265    $ 395       $ 215
4.    Part 3 fee       $ 265    $ 395       $ 215
      TOTAL            $ 940    $ 1,445     $ 740

* To qualify for student discounts, you must either be enrolled as a full-time
student in your senior year or be a full-time graduate student.



Investment in Zain CIA Study Material is presented in the following table.

S.No  Product                             Price
1.    CIA Part 1 Study Guide 2024         $ 73
2.    CIA Part 1 Exam Questions 2024      $ 77
3.    CIA Part 2 Study Guide 2024         $ 73
4.    CIA Part 2 Exam Questions 2024      $ 77
5.    CIA Part 3 Study Guide 2024         $ 73
6.    CIA Part 3 Exam Questions 2024      $ 77
7.    CIA Exam Review Complete Set 2024   $ 315
      (this includes the study guide and exam questions for all three parts
      mentioned above at 30% discounted pricing)

* Subscribing to the CIA Exam Review Complete Set 2024 will allow you to get
upgraded 2025 materials for free when released, for the remaining parts only.

I highly recommend that the candidates pay their dues through DEBIT CARD
only. This way, you will be free from all bank claims and will be much
relieved. The target must be to clear the exams on 1st Attempt so that the
examination fee is paid only once, and benefits of opportunity costs can be
derived.
REMEMBER to subscribe to Zain’s study guide and exam questions as they
are economical, comprehensive, updated, and excellent.
ALSO, REMEMBER that a discount of 20% is offered to candidates for
subscribing to all three parts together. However, if funds availability is an
issue, then subscribe for each part separately to get the time benefit.
CIA Parts Selection Order
I recommend that the candidates begin their preparation with Part 1 first
and then move to Part 2 and Part 3. The candidates can pass all three parts
easily in six months.



Difficulty Level of CIA Part 3
CIA Part 3 is the most challenging of all three parts. The CIA Part 3 exam can
be passed quickly if the candidates exhibit excellence, creativity, passion,
and patience in their preparation and, in particular, on exam day.
The candidates must have a clear vision of their future. They must be able
to define their purpose in life. The will to win, the desire to succeed, and
the urge to reach full potential are the keys that will unlock the door of CIA
Certification.
The reason that many candidates find it difficult to achieve the CIA is that
they are not able to define their goals or never seriously consider them as
believable or achievable. Champions can tell you where they are going, what
they plan to do along the way, and with whom they will be sharing their
adventure.
Keep looking for creativity, and don’t settle for less. You have that
potential. It is just a matter of time before you explore and discover
yourself. Once you find yourself and your capability, you will never be the
same again.
CIA Part 3 – Syllabus
There are four sections in CIA Part 3.
a. Section A – Business Acumen – 35% weightage
b. Section B – Information Security – 25% weightage
c. Section C – Information Technology – 20% weightage
d. Section D – Financial Management – 20% weightage


CIA Part 3 Preparation Time
It is generally observed that many of the CIA candidates are working
executives. They have to allocate time for work, family, studies, and personal
leisure. The candidates are ready for the Part 3 exam if they can
continuously give at least 3 hours on weekdays and at least 6 hours on
weekends for 2 months.
Zain CIA Review makes it easy to study anywhere. Access your course on
your phone, tablet, or laptop. Look for nearby libraries, hotels, coffee shops,
and restaurants with free Wi-Fi, a pleasing ambiance, and comfortable
chairs. If your commute is long or you use public transportation, consider
spending that time viewing video lectures.

The candidates must follow these steps to understand the concepts that form
the syllabus of CIA Part 3.

a. Read a whole particular section from the study guide first with a
questioning mind. Mark or highlight only the important paras or sentences in
the book.

b. Attempt the True / False Questions of that particular section presented in
the study guide to reinforce the topics already read.

c. Attempt the Multiple Choice Questions of that particular section from the
Exam Questions without any time constraints. The focus must be on selecting
the correct answers in the first place.

If you attempt a question correctly, proceed to the next question. These
questions never need to be reviewed again, because a question once attempted
successfully will always be answered correctly in the future.

If a question is attempted wrongly in the first place, mark, highlight, or
flag it. Furthermore, there might be instances in which you selected the
correct answer but doubt whether you would get it right if attempted later.
These questions also need to be marked or highlighted. The marked questions
will form the basis of review, revision, and rehearsal at a later stage.

d. Read the explanation of the incorrect answers selected and try to
understand the logic of the question and the correct answer explanation.
This habit is the difference between passing and failing for many CIA
candidates and improves your educated guess technique. You will sharpen your
intuition and feel confident on exam day.

e. Once you complete 80% of the total questions of a particular section, move
to the next section and repeat steps (a) to (d).

f. Revision of the already learned topics every week is warranted. Dedicate
one day a week on which you only revise the topics already learned. Read only
those paras from the book which have been highlighted. Attempt only those
questions from the Exam Questions which have been marked or highlighted. Time
management must come into effect while re-attempting the questions: each MCQ
has to be attempted in 1.1 minutes. This way, you will revise the entire
section smartly, decreasing your anxiety level.

g. Once you complete all the sections of CIA Part 3, focus on completing 100%
of the MCQs from the Exam Questions.

REMEMBER that each topic has an equal chance of selection in the exam, so you
have to be prepared for every concept.

ALSO REMEMBER that CIA Exams are of continuous 2-hour duration. Train your
mind to be active for at least 3 hours during MCQ preparation.
The candidates must have an updated study guide and exam questions. They are
simple, concise, and written in easy-to-understand English. The majority of
finance graduates and working executives prefer self-study.
Learning Videos are of great aid. They increase the retention power of the
candidates by at least 25%. Furthermore, the candidates can view them later
at their ease and convenience. Many of the candidates prefer live classes or
online interactive sessions. This can also increase the odds in your favor
exponentially.
Recommended Study Approach
CIA exams are computer-based. It is recommended that all your preparation,
highlighting, and practice must be on the computer or laptop. The
candidates must avoid the traditional method of studying and making notes
via pen and paper. Pen and paper shall be used only for calculation-related
purposes while attempting the exam questions.
The candidates can study at any time of day or night, but my preferred time
is early morning, daily at 4:30 am. This is the time when the human brain
is at a high energy level. This is also the time of great silence.
You will be provided with earplugs at the center and must use them to avoid
distractions from other candidates’ noise. Silence also has its own voice, as
you will agree on your exam day. Your mind needs to be accustomed to it.
Therefore, use good-quality foam earplugs from day 1 of your preparation. You
can find these earplugs at your local pharmacy.
You will be provided with black pens and two sheets at the center. Start
using a black pen from day 1. Your mind must be able to recognize and work
with a black pen.
Please become familiar with the MCQ screens and navigation of the
Pearson VUE Testing Environment before the exams. The tour can be
arranged from your computer. This will make you comfortable on your exam
day.



How to Answer the MCQs in Preparation and Exams?
My preferred way of approaching any MCQ is provided below. Ask yourself
three questions for every MCQ.

a. What are the requirements of the question? The question’s requirements
are generally presented in the second-last or last line of the question. Read
it thoroughly and then reread the whole question to filter out the extra
information.

b. What is the answer? Read the answer choices carefully twice and then
select the best answer. Numerical questions require double-checking of
formulas and calculations.

c. If you do not know the answer, make an educated guess. The educated guess
is a technique to filter out two of the four options based on your insights.
Now focus on the remaining two options. Read the requirements of the question
again and then the remaining two answer choices. Select the best one. This
way, you will increase your odds in favor by 50%.

In the exam, attempt all the questions even if the testlet is more
challenging, and time management is crucial. You will not be penalized for
any incorrect choices made. Your score is determined from correct answers
only. Mark or flag all those questions which you want to review at the end if
time allows. The Flag for Review button will be in the top right corner of
the exam screen.



Types of Multiple Choice Questions
There are five different types of CIA Exam Multiple Choice Questions
(MCQs):

a. Direct Questions - This is the type of MCQ most candidates will be familiar
with, and it’s the most common type of question on the CIA exam. Most will
either ask you a question or have you complete a sentence, but all are
straightforward and present four single-statement answer choices.

b. Negative Questions - Sometimes MCQs include negative phrasing, with words
like except, not, unless, least, etc. The IIA may or may not print negative
words in bold, but you should always read the question stem wholly and
carefully. These questions can be tricky because they ask you to select the
false answer choice among three correct ones, which can feel
counterintuitive. To avoid being caught off guard, always give the question
stem your undivided attention.

c. Questions with Two or Three Answer Options - Other times, the exam will
pose a question and provide several statements separate from the answer
choices. The four answer choices will ask you to specify whether one or more
of the statements satisfy the question. The best strategy is to determine
which statements you’re sure are right or wrong and use them to eliminate
answer choices. Read the entire question stem carefully. Even if you’re not
certain about the right answer, you have high odds of making a correct
educated guess.

d. Questions with Several Variables - Some MCQs present several variables
within each answer choice. The answer choices appear in columns, like in the
example to the right, and you must select the one containing the right mix of
variables.

e. Questions with Graphical Illustrations - CIA exam questions occasionally
require you to interpret a graph or other image before selecting the
appropriate answer choice. Any of the question types we have mentioned could
include a graphical illustration.



Pearson VUE Testing Site Visit
After you schedule your appointment with Pearson VUE, visit the center at
least three days before the exam to become familiar with the location. If the
center is in a building, make yourself familiar with the security perimeters of
the building as well. Make contingency plans to reach the exam center in
case of any unexpected circumstances. Double-check the weather
conditions in advance of the exam day.
Day Before Exam Day
This day is also vital in the candidate’s life. Leave aside all reviews,
revisions, and attempting of exam questions at least 24 hours before the
exam day. CIA is a professional paper, and the candidate has to be ready at
any time. You have done enough preparation. Trust in Allah and have
confidence in your abilities. You have done enough training. It is now time
to showcase your talent.
You will be tempted to look at the study guide, revise the exam questions, or
watch the learning videos. Set aside all these urges. Divert your mind to
the most enjoyable activity. That enjoyable activity can be praying,
meditating, walking in the garden, or even watching a good movie. Arrange
all the required documents, clothes, shoes, calculators, funds, and other
items in advance. Charge your cell phone if you plan to travel and navigate
by apps. The mobile data connection package must be active. Sleep for at
least 10 hours the night before the exam day.
Activities on Exam Day
• Take a good shower and wear comfortable clothing according to the weather
conditions.
• Have a comprehensive meal that is easily digestible and take any necessary
medicines.
• Bring printouts of the Authorization Letter / Confirmation Letter / Notice
to Schedule received through email from Pearson VUE and the Institute,
mentioning the candidate’s name, exam part, exam date, time, and venue.
• Two original forms of non-expired identification with a photograph and
signature are required. Therefore, bring your unexpired and signed passport
and national identity card / driver’s license.
• Reach the exam center at least 60 minutes prior to your appointment time.
• Drink coffee or tea before the exam so that you are sufficiently energized.
• Visit the washroom before the start of the exam.
• The mobile phone has to be switched off and placed in a locker along with
wallets.
• You will not be given any complimentary breaks during the 2-hour exam.
However, you can take one for a slight break to recharge yourself, visit the
washroom, and have water. The clock will continue to run.
• Do not make noise or stand up from the seat without permission. Raise your
hand first. The invigilator will visit you, and then you can ask for pens,
extra sheets for working, a break, or help with any malfunction encountered
during the exam.
• Once you finish your exam, review the marked or flagged questions and try
to attempt them in the remaining time. Your score is based on the number of
questions you answer correctly. You are not penalized for selecting the wrong
answer.
• Make sure to submit your exam and watch for the system’s incoming message
acknowledging your submission.
What To Do after Passing CIA Exams
Hats off to you for passing all three parts. Meet all other program
requirements and complete the Certificate Order Form by logging into CCMS
to get your certificate.



LETTER FROM MUHAMMAD ZAIN
18 September 2023
Dear CIAs,
May Peace, Blessings, and Mercy of Allah be upon you and, in particular, on
the Noble Messenger Prophet Muhammad (Peace Be Upon Him), his Family,
and his Companions.
Be a symbol of excellence in your life. Always dream big and think beyond
the dimensions of the Universe. Man is made to conquer the seven Heavens.
Explore the purpose of your existence and discover the enormous potential
that is within yourself. Having faith and trust in the Creator will give you
the light in the darkness and in uncharted territories. There is always a silver lining
beneath the dark skies. A creative mindset makes life simple. Work on your
passion by synchronizing your soul, heart, and mind. We all will die one day,
but only a few dare to live the life they wish for.
The Creator has created the entire Universe in six days. There is great
potential to discover the magnificent beauty that remains unexplored to
date. This is only possible by seeking knowledge and applying it in our
daily lives.
We are witnessing a moment in time that humanity has not ever experienced
before. This is the digital transformation age. Business norms are artificial
intelligence, Blockchain Technology, Cryptocurrency, Business Intelligence,
and big data.
All the information is available in the blink of an eye. Whatever we think in
mind comes in front of our screens. These advancements will change the
dynamics of the whole world we live in today. Cloud computing will replace
all the traditional and so-called “modern” work methods. The work of
accountants, doctors, engineers, and pilots will no longer exist. The
irredeemable paper money will be replaced by electronic money. Central
Governments will exist in name only. Universal Government and a
unified taxation system will emerge. Virtual reality will be ordinary. Blind will
be able to see, deaf will be able to hear, without limbs persons will be able
to run, and mentally disabled people will utilize the maximum brain capacity
through mental chip implants. Teleportation of humans will be done in a
blink of an eye.



I advise all readers worldwide to focus on entrepreneurship after the certification. This is the only way of survival. Only those businesses will remain operational that have inelastic demand for their products or services and that are on cloud computing / virtual workplaces. Furthermore, invest surplus funds in real assets such as Gold, Silver, and property. They are effective hedges against inflation and devaluation. They generate positive returns even in times of economic distress.

I highly recommend that my potential readers pay off their interest-bearing debt at the earliest to avoid the debt trap and never go for this easy money for the foreseeable future, not even credit cards. These are all means to enslave the human race. Always spend out of your realized income. Save some funds for your family as a contingency measure.

Allow me the opportunity to present to you the 2024 edition of Certified Internal Auditor (CIA) Part 3 Business Knowledge for Internal Auditing [Study Guide]. It covers all the essential and relevant 875 concepts and topics that will be tested in the CIA Exam. It also includes 718 True / False questions to reinforce the core concepts. After reading this guide, you will feel the difference. Practicing the 1,258 questions in CIA Part 3 Exam Questions 2024, available from the Zain Academy website, is essential.

This Study Guide can also be used by any person who wishes to become familiar with accounting, finance, and management topics. However, extreme care is required when rendering professional advice to clients.

Study with complete dedication and commitment. Make it your goal to learn something new and different each day. Replace your fear with curiosity.

Let’s work together towards the common goal of earning the Certified Internal Auditor (CIA) credential. My support and guidance will be with you TILL YOU PASS THE EXAMS. Furthermore, you can ask as many questions as you wish, either through WhatsApp or email, and I will answer to the best of my ability.
Your work is going to fill a large part of your life and the only way to be truly
satisfied is to do what you believe is great work. The only way to do great
work is to love what you do. If you haven’t found it yet, keep looking. Don’t
settle. As with all matters of the heart, you will know when you find it.
Have the courage to follow your heart and intuition. They somehow already
know what you truly want to become. Everything else is secondary.


Your imagination is everything. It is the preview of life’s coming attractions.


Only those who believe anything is possible can achieve things most would
consider impossible.
Don’t let the noise of others’ opinions drown out your own inner voice.
Remembering that you are going to die is the best way I know to avoid the
trap of thinking you have something to lose. You are already naked. There is
no reason not to follow your heart.
I dedicate this work to the Prophet Muhammad (Peace Be Upon Him), Mercy
to all the Creation, who has been humanity's source of inspiration and
guidance.
May the knowledge delivered by me be a continuing blessing for me in the Life Hereafter (Ameen).

With Love and Care,

Muhammad Zain



SECTION A – BUSINESS ACUMEN (WEIGHTAGE 35%)
STUDY POINTS

S.No DESCRIPTION
1. Describe Planning?

Planning generally refers to the process that provides guidance and direction regarding what an organization needs to do throughout its operations. It determines the answers to a business operation's “who, what, when, where, and how” questions. Planning is the first activity management must undertake when creating yearly budgets and making other critical decisions affecting the company’s future.

2. What purpose does the company plan serve?

A company’s plan serves as its guide for the activities and decisions made by individuals throughout the entire organization. The planning process defines the company’s objectives and goals and sets the stage for prioritizing how to develop, communicate, and accomplish them.

3. State the Ultimate Objective of Companies?

For most companies, if not all, the ultimate objective is to achieve superior performance in comparison with the performance of their competitors. When superior performance is achieved, company profitability will increase. When profits are growing, shareholder value will grow. A publicly-owned for-profit company must have maximizing shareholder value as its ultimate goal.

4. Explain the relationship between profits and shareholder value?

The profits of the company are directly proportional to shareholders’ value. The higher the profits, the higher the shareholders’ value.

5. Describe the result of attaining superior performance?

The result of attaining superior performance will be a competitive advantage. Competitive advantage is a company's benefit over its competitors that it gains by offering consumers higher value than they can get from its competitors.


6. How is competitive advantage derived?

Competitive advantage is derived from attributes that enable an organization to outperform its competitors, such as access to:

• Natural resources.
• Highly-skilled personnel.
• A favorable geographic location.
• High entry barriers.

7. What is meant by Strategic Planning?

Strategic planning is the formulation of strategies. The strategies managers pursue create the activities that can set the company apart from its competitors and cause it to outperform them consistently.

8. Discuss the Internal and External Factors in the context of strategic planning?

Strategic planning is neither detailed nor focused on specific financial targets. Instead, it examines the company's strategies, objectives, and goals in light of the internal and external factors affecting the company.

• Internal factors include current facilities, products, market share, corporate goals and objectives, long-term targets, technology investment, and anything else within the company's direct control.

• External factors include the economy, labor market, domestic and international competition, environmental issues, technological developments, developing new markets, and political risk in other countries (or the home country).

9. List the steps involved in the Strategic Planning Process?

The formal strategic planning process consists of five steps, as follows:

a. Defining the company’s mission, vision, values, and goals, or developing its mission statement. The company’s mission statement provides the context for formulating its strategies.

b. Analyzing the organization’s external competitive environment to identify opportunities and threats.

c. Analyzing the internal operating environment to identify the organization's strengths, weaknesses, and limitations.

d. Formulating and selecting strategies consistent with the organization’s mission and goals that will build on its strengths, correct its weaknesses and limitations, take advantage of external opportunities, and counter external threats.

e. Developing and implementing the chosen strategies.
10. List the Components of a Mission Statement?

The mission statement includes four components:

a. A statement of the company’s mission, or “reason to be.”
b. Its vision, or a statement of a desired future state.
c. A statement of the organization’s values.
d. A statement of its major goals.

11. How will you define a Mission?

The company’s mission is its “reason to be,” the reason for its existence. A company’s mission is what the company does. A company’s mission statement should be comprehensive because customer demands can shift quickly, and a given need can be served in multiple ways.

12. Define the Vision?

The vision is what the company wants to achieve or become, and it should be challenging. A good vision statement should challenge the company by stating an ambitious future state that will:


developed using audit-specific software, specialized audit utilities,
CAATs, commercially packaged solutions, and custom-developed
production systems.

239. What Benefits can be accrued by enabling Continuous Monitoring?

Continuous monitoring can:

• Enhance the ability to identify and curtail control problems promptly.
• Reduce incidences of error and fraud.
• Enhance operational efficiency.
• Improve bottom-line results through a combination of cost savings and a reduction in overpayments and lost revenue.
• Improve customer satisfaction through enhanced customer service quality and integrity.
240. Describe Data Analysis Software and its Benefits?

Data analysis software can assist the internal auditor in managing and using all available data.

Benefits include:

• Can analyze entire data populations covering the entire scope of the audit engagement.
• Makes data imports easy to perform and also maintains data integrity.
• Allows for accessing, joining, relating, and comparing data from multiple sources.
• Provides the commands and functions that support the scope and type of analysis needed in audit procedures.
• Generates the audit trail of analysis conducted that is maintained to facilitate review.
• Supports centralized access, processing, and management of data analysis.
• Requires minimum IT support for data access or analysis, and this ensures auditor independence.
• Provides the ability to automate audit tasks to increase audit efficiency, repeatability, and support for continuous auditing.
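The points above (continuous monitoring that catches overpayments promptly, and data analysis software that tests the entire population and keeps an audit trail of what was run) can be illustrated with a small script. The example below is added here and is not code from the study guide or from any audit tool; the payment extract, the duplicate-payment and approval-limit tests, and the limit of 10,000 are all constructed for the illustration.

```python
"""Full-population payment tests with an audit trail (added example)."""
import csv
import hashlib
import io
from collections import defaultdict
from datetime import datetime, timezone
from decimal import Decimal

# Constructed sample extract. In practice this would be the complete
# accounts-payable population imported from the ERP, not a sample.
SAMPLE_PAYMENTS = """payment_id,vendor_id,invoice_no,amount,paid_on,approved_by
P001,V100,INV-1001,1200.00,2024-01-05,alice
P002,V100,INV-1001,1200.00,2024-01-19,bob
P003,V200,INV-2001,450.00,2024-01-07,alice
P004,V300,INV-3001,25000.00,2024-01-09,carol
P005,V200,INV-2002,450.00,2024-01-12,alice
P006,V300,INV-3002,9800.00,2024-01-15,carol
"""


def load_payments(text):
    """Parse the CSV extract; amounts become Decimal so equality tests are exact."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["amount"] = Decimal(row["amount"])
        rows.append(row)
    return rows


def duplicate_payments(rows):
    """Payments sharing vendor, invoice number and amount: a possible double payment."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["vendor_id"], r["invoice_no"], r["amount"])].append(r["payment_id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def over_limit_payments(rows, limit):
    """Payments above the (assumed) approval limit, which should carry a second approval."""
    return [r["payment_id"] for r in rows if r["amount"] > limit]


def run_monitoring(text, limit=Decimal("10000")):
    """Run every test over the whole population and return (findings, audit trail)."""
    rows = load_payments(text)
    findings = {
        "duplicates": duplicate_payments(rows),
        "over_limit": over_limit_payments(rows, limit),
    }
    # The audit trail records what was tested, on which data (by hash) and
    # with which parameters, so a reviewer can re-run and reconcile the result.
    trail = {
        "run_at": datetime.now(timezone.utc).isoformat(),
        "population_size": len(rows),
        "population_sha256": hashlib.sha256(text.encode()).hexdigest(),
        "tests": {
            "duplicates": "same vendor_id + invoice_no + amount",
            "over_limit": f"amount > {limit}",
        },
        "finding_count": sum(len(v) for v in findings.values()),
    }
    return findings, trail


if __name__ == "__main__":
    findings, trail = run_monitoring(SAMPLE_PAYMENTS)
    print(findings)
    print(trail)
```

Because the whole extract is read rather than a sample, the second payment of INV-1001 is caught regardless of where it sits in the file, and the hash in the trail lets a reviewer confirm that a later re-run used the same population.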

241. What is meant by Business Intelligence?

Business intelligence combines architectures, analytical and other tools, databases, applications, and methodologies that enable interactive access—sometimes in real time—to data such as sales revenue, costs, income, and product data. Business intelligence provides historical, current, and predicted values for internal, structured data regarding products and segments. Further, business intelligence allows managers and analysts to analyze that data to make more informed strategic decisions and thus optimize performance.

242. List the Components of Business Intelligence?

A business intelligence system has four main components:

a. A data warehouse (DW) containing the source data.
b. Business analytics, the collection of tools used to mine, manipulate, and analyze the data in the DW. Many business intelligence systems include artificial intelligence capabilities as well as analytical capabilities.
c. A business performance management component to monitor and analyze performance.
d. A user interface, usually in the form of a dashboard.

243. Explain Dashboard?

A dashboard is an information management tool. It is a screen in a software application, browser-based application, or desktop application, and it organizes and displays in one place information relevant to a given objective or process or for senior management. It may show patterns and trends in data across the organization.



244. What is the Future of Data Analytics?

Data analytics will become even more potent with technologies like machine learning, allowing computers to recommend courses of action. Under such conditions, a computer could look at the company’s data, decide where the most significant risk of fraud exists, and suggest which controls would mitigate that risk. An internal auditor armed with such information could improve the organization’s controls with precision. Such a future is not here yet, but it is clear that the value of internal audit hinges on its ability to utilize data analytics to enhance its capabilities.



SECTION A – BUSINESS ACUMEN (WEIGHTAGE 35%)
TRUE / FALSE QUESTIONS AND ANSWERS
S.No Questions Answers

1. Planning is the first activity management must undertake when creating yearly budgets and making other critical decisions.
TRUE. Planning is the process that provides guidance and direction regarding what an organization needs to do throughout its operations.

2. A company’s plan serves as its way for individuals' activities and decisions throughout the organization.
TRUE. A company’s plan serves as its guide for the activities and decisions made by individuals throughout the entire organization. The planning process defines the company’s objectives and goals and sets the stage for prioritizing how to develop, communicate, and accomplish them.

3. Profits and shareholders’ value are inversely related.
FALSE. The profits of the company are directly proportional to shareholders’ value. The higher the profits, the higher the shareholders’ value.

4. The company's ultimate objective is to achieve superior performance.
TRUE. For most companies, if not all, the ultimate objective is to achieve superior performance in comparison with the performance of their competitors.

5. The result of attaining superior performance will be an absolute advantage.
FALSE. The result of attaining superior performance will be a competitive advantage. Competitive advantage is a company's benefit over its competitors gained by offering consumers higher value than they can get from its competitors.

6. Competitive advantage is derived by working day in and day out.
FALSE. Competitive advantage is derived from attributes that enable an organization to outperform its competitors, such as access to:
• Natural resources.
• Highly-skilled personnel.
• A favorable geographic location.
• High entry barriers.

7. Strategic planning is focused on specific financial targets.
FALSE. Strategic planning is neither detailed nor focused on specific financial targets but instead looks at the company's strategies, objectives, and goals.

8. Strategic planning considers only the internal factors affecting the company.
FALSE. Strategic planning considers both the internal and external factors affecting the company.

9. External factors include anything within the direct control of the company itself.
FALSE. Internal factors include current facilities, products, market share, corporate goals and objectives, long-term targets, technology investment, and anything else within the company's direct control.

10. The formal strategic planning process consists of five steps.
TRUE.
a. Developing its mission statement.
b. Analyzing the organization’s external competitive environment.
c. Analyzing the internal operating environment.
d. Formulating and selecting strategies consistent with the organization’s mission and goals.
e. Developing and implementing the chosen strategies.

11. A mission is a statement of the desired future state.
FALSE. A vision is a statement of the desired future state.

12. The vision of the company shall motivate employees at all levels.
TRUE. A good vision statement should challenge the company by stating an ambitious future state that will:
• Motivate employees at all levels.
• Drive the strategies the company’s management will formulate and implement to achieve the vision.

13. A goal is a precise and measurable present state the company wants to achieve.
FALSE. A goal is a precise and measurable future state the company wants to achieve.

14. A company’s values are the foundation of its organizational culture.
TRUE. The organization’s values describe how managers and employees should behave and do business.

15. Opportunities and threats exist in the environment.
TRUE. They exist in the environment.

16. Opportunities include conditions in the external environment that pose a danger to profitability.
FALSE. Threats include conditions in the external environment that pose a danger to profitability.

17. The internal analysis aims to identify the organization's strengths, weaknesses, and limitations.
TRUE. The company’s resources and capabilities need to be assessed. Strengths lead to superior performance. Weaknesses and limitations lead to inferior performance.

18. The strategy's primary objective is to create a reasonable sustained advantage, leading to superior profitability and profit growth.
FALSE. The strategy's primary objective is to create a sustained competitive advantage, leading to superior profitability and profit growth.

19. A cost advantage creates value for a firm’s customers by providing them with benefits that exceed those
FALSE. A differentiation advantage creates value for a firm’s customers by providing them with benefits that exceed those offered by its competitors.


189. Variety refers to the amount of data that exists.
FALSE. Volume refers to the amount of data that exists. In contrast, variety refers to the diverse forms of data organizations create and collect.

190. Velocity is called the flow rate of data.
TRUE. Velocity refers to the speed at which data is generated and changed.

191. Variability is the accuracy of data.
FALSE. Veracity is the accuracy of data.

192. The data analytics process has five steps.
TRUE.
a. Define the question.
b. Obtain relevant data.
c. Clean/normalize the data.
d. Analyze the data.
e. Communicate results.

193. Sensitivity analysis is known as “what-if” analysis.
TRUE. Sensitivity analysis can determine how much a model's prediction will change if one input changes.

194. Monte Carlo simulation can develop an expected value when the situation is complex, and the values cannot be expected to behave predictably.
TRUE. Monte Carlo simulation analysis can be used to find solutions to mathematical problems that involve changes to multiple variables at the same time.

195. Business intelligence provides historical, current, and predicted values for internal, structured data regarding products and segments.
TRUE. Business intelligence combines architectures, analytical and other tools, databases, applications, and methodologies that enable interactive access—sometimes in real time—to data such as sales revenue, costs, income, and product data.

196. Information is facts and figures.
FALSE. Data is facts and figures, whereas information is data that has been processed, analyzed, interpreted, organized, and put into context, such as in a report, so that it is meaningful and useful.

197. A dashboard is a component of a business intelligence system.
TRUE. A dashboard is an information management tool. It is a screen in a software application, a browser-based application, or a desktop application, and it organizes and displays in one place information relevant to a given objective or process for senior management; it may show patterns and trends in data across the organization.



SECTION B – INFORMATION SECURITY (WEIGHTAGE 25%)
STUDY POINTS

S.No DESCRIPTION
1. What are the Goals of controls for Information Systems?

There are four goals:

• Promoting effectiveness and efficiency of operations to achieve the company’s objectives.
• Maintaining the reliability of financial reporting by checking accounting data's accuracy and reliability.
• Assuring compliance with all laws and regulations the company is subject to and adherence to managerial policies.
• Safeguarding assets.

2. What does Physical Security represent?

Physical security includes physical access control and security of the equipment and premises. These controls aim to reduce the risk of losing organizational assets and the risk of harm to employees. Controls should be identified, selected, and implemented based on a thorough risk analysis.

3. List the Examples of Physical Security controls?

• Alarm system.
• Smoke detectors.
• CCTV cameras.
• Guards.
• Walls and fences.

4. How is Physical Access to Servers provided?

Physical access to servers and networking equipment should be limited to authorized persons.

Card access effectively allows a magnetically encoded card to be inserted into or placed near a reader. The card access provides an audit trail that records the date, time, and identity of the person who entered. The limitation of card access is that anyone can use a lost or stolen card until it is deactivated.

5. What are Biometric Access Systems?

Biometric access systems can be used when physical security needs to be rigorous. Biometric access systems use physical characteristics such as blood vessel patterns on the retina, handprints, or voice authentication to authorize access. There is a low error rate with such systems. Biometric access systems are usually combined with other controls.

6. What is the auditor's role in evaluating controls and security?

The auditor’s role is to evaluate the effectiveness of the existing controls and security. If weaknesses are found in any of the controls, the auditor should report and document the exposures.

7. List the techniques to assess security risks?

Techniques for assessing security risks include:

• Analyzing past incidents.
• Reviewing industry-wide incident statistics.
• Auditing processes and procedures for possible gaps.
• Mapping all possible situations, even worst-case scenarios.

8. Define the Scope of Logical Security and Logical Access Control?

Logical security focuses on who can use which computer equipment and who can access data.

Logical access controls identify authorized users and control the actions that they can perform.

9. What strategies are adopted to restrict access to authorized users?

To restrict data access only to authorized users, a combination of the following strategies can be adopted:

a. Something you know – requires remembrance.
b. Something you are – requires physical traits.
c. Something you have – requires devices.

10. Elaborate on the Something You Know Strategy?

User IDs and passwords are “something you know” ways of authenticating users. Security software can encrypt passwords, require changing passwords frequently, and require passwords to conform to a particular structure (e.g., minimum length, no dictionary words, restrictions on the use of symbols). Procedures should be established for issuing, suspending, and closing user accounts. Access rights should be reviewed periodically.
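The structural requirements listed above (minimum length, no dictionary words, a restricted set of symbols) are what a password-acceptance check enforces at the moment a user chooses a password. The function below is an added example, not code from the study guide; the length of 12, the six-word dictionary, the permitted symbol set and the "three of four character classes" rule are all constructed policy values, and a real deployment would use a full word list and a breached-password list.

```python
"""Password-structure checks for a “something you know” control (added example)."""
import re

# Constructed policy values; the security function would set these in practice.
MIN_LENGTH = 12
# Small constructed word list; a real check would use a full dictionary and
# previously breached passwords.
DICTIONARY = {"password", "welcome", "summer", "company", "admin", "letmein"}
# Symbols the (assumed) policy permits; any other non-alphanumeric character is rejected.
ALLOWED_SYMBOLS = set("!@#$%^&*()-_=+.,?")


def check_password(candidate, user_id=None):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    lowered = candidate.lower()
    # Drop digits and symbols so 'Summer2024!' still matches the word 'summer'.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    for word in sorted(DICTIONARY):
        if word in letters_only:
            problems.append(f"contains dictionary word '{word}'")

    # The user ID is "something you know" that everyone else knows too.
    if user_id and user_id.lower() in lowered:
        problems.append("contains the user ID")

    bad_symbols = sorted({c for c in candidate if not c.isalnum() and c not in ALLOWED_SYMBOLS})
    if bad_symbols:
        problems.append("uses disallowed symbols: " + "".join(bad_symbols))

    classes = [
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in ALLOWED_SYMBOLS for c in candidate),
    ]
    if sum(classes) < 3:
        problems.append("needs at least three of: lower case, upper case, digit, symbol")
    return problems


if __name__ == "__main__":
    for pw in ("Summer2024!", "Tq7!veRn-pL2x"):
        print(pw, "->", check_password(pw, user_id="jdoe") or "accepted")
```

Returning every violation at once, rather than stopping at the first, lets the account-issuing procedure show the user the full list in one round trip; the check should run on the server, because a client-side check can be bypassed.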

11. Elaborate on the Something You Are Strategy?

Biometrics is the standard form of “something you are” authentication. Biometrics can recognize physical characteristics such as:

• Iris or retina of the eyes.
• Fingerprints.
• Vein patterns.
• Faces.
• Voices.

Biometric scanners provide a high level of security.

12. Elaborate on the Something You Have strategy?

Some high-security systems require a physical device to certify an authorized user’s identity. The most common authentication example is a fob, a tiny electronic device that generates a unique code to permit access. It changes the code at regular intervals for increased security. If a fob is lost, it can be deactivated remotely.

13. Define the Two-Factor Authentication?

Two-factor authentication requires two independent, simultaneous actions before access to a system is granted. The following are examples of two-factor authentication:

• After entering passwords into the system, it requires additional information known only to the authorized user, such as a mother’s maiden name or a social security number. This security feature can be undermined if the secondary information can be obtained easily by an unauthorized third party.

• Passwords can be linked to biometrics.

• In addition to entering the password, a verification code is emailed or sent via text message that must be entered within a few minutes to complete the login.

• A biometric scan and a code from a fob are combined to allow access.
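Points 12 and 13 together describe a password plus a fob whose code changes at regular intervals, with remote deactivation if the fob is lost. The script below is an added example, not code from the study guide: it stores the password as a salted PBKDF2 hash, computes the fob code the way the RFC 6238 TOTP standard does (an HMAC-SHA1 over the 30-second time step, which is how most hardware and app tokens work), and keeps a registry in which a lost fob can be switched off. The user name, password, fob secret and the one-step clock-drift window are constructed for the example.

```python
"""Two-factor login: a password (something you know) plus a time-based fob code
(something you have). Added example, not from the study guide."""
import hashlib
import hmac
import os
import struct
import time

TOTP_STEP = 30  # seconds each fob code stays valid


# --- Factor 1: password, stored only as a salted PBKDF2 hash ---------------------
def hash_password(password, salt=None, iterations=100_000):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password, record):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])  # constant-time comparison


# --- Factor 2: the fob code, computed as RFC 6238 TOTP (HMAC-SHA1 over the time step)
def totp(secret, at_time, step=TOTP_STEP, digits=6):
    counter = int(at_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, as in RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class FobRegistry:
    """Which fob (secret) belongs to which user, and whether it is still active."""

    def __init__(self):
        self._fobs = {}

    def issue(self, user, secret):
        self._fobs[user] = {"secret": secret, "active": True}

    def deactivate(self, user):
        """Remote deactivation of a lost or stolen fob."""
        self._fobs[user]["active"] = False

    def verify(self, user, code, at_time, window=1):
        fob = self._fobs.get(user)
        if fob is None or not fob["active"]:
            return False
        # Accept the current step and `window` steps either side to absorb clock drift.
        for drift in range(-window, window + 1):
            expected = totp(fob["secret"], at_time + drift * TOTP_STEP)
            if hmac.compare_digest(expected, code):
                return True
        return False


def two_factor_login(user, password, code, users, fobs, at_time=None):
    """Both factors are evaluated every time, and both must pass."""
    at_time = time.time() if at_time is None else at_time
    record = users.get(user)
    password_ok = record is not None and verify_password(password, record)
    fob_ok = fobs.verify(user, code, at_time)
    return password_ok and fob_ok


if __name__ == "__main__":
    secret = os.urandom(20)
    users = {"jdoe": hash_password("correct horse battery staple")}
    fobs = FobRegistry()
    fobs.issue("jdoe", secret)
    now = time.time()
    print(two_factor_login("jdoe", "correct horse battery staple", totp(secret, now), users, fobs, now))
```

The two factors are independent in the sense the text requires: the password hash and the fob secret are separate pieces of data, so learning one does not reveal the other, and deactivating the fob closes the account even to someone who knows the password.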

14. Describe the points the auditor should consider when evaluating the effectiveness of a logical data security system?

The auditor should consider the following:

• Does the system ensure that only authorized users have access to data?
• Is each person's access level appropriate to that person’s needs?
• Is there a complete audit trail whenever access rights and data are modified?
• Are unauthorized access attempts denied and reported?

15. What are the Other User Access Considerations?

There are other security controls related to user access and authentication to prevent abuse or fraud:

• Automatic locking or logoff policies. Any login that is inactive for a specified time can automatically be logged out.

• Logs of all login attempts, whether successful or not. Automatic logging of all login attempts can detect activities designed to gain access to an account by repeatedly guessing passwords. Accounts under attack can be proactively locked to prevent unauthorized access.
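The second consideration above (log every attempt, detect repeated guessing, lock the account) is a detection rule that can be run over the login log. The script below is an added example, not code from the study guide or from any product; the log format, the nine sample lines, and the rule of five failures within five minutes are constructed for the illustration. It also reports a success that follows the lockout threshold, because that is the case a reviewer most needs to see.

```python
"""Detecting repeated password guessing in login logs and locking the account (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a simple key=value format; not from any real system.
SAMPLE_LOG = """2024-03-01T09:00:01 login user=jdoe src=10.0.0.5 result=FAIL
2024-03-01T09:00:04 login user=jdoe src=10.0.0.5 result=FAIL
2024-03-01T09:00:07 login user=jdoe src=10.0.0.5 result=FAIL
2024-03-01T09:00:09 login user=jdoe src=10.0.0.5 result=FAIL
2024-03-01T09:00:12 login user=jdoe src=10.0.0.5 result=FAIL
2024-03-01T09:00:15 login user=jdoe src=10.0.0.5 result=SUCCESS
2024-03-01T09:01:00 login user=asmith src=10.0.0.9 result=FAIL
2024-03-01T09:30:00 login user=asmith src=10.0.0.9 result=FAIL
2024-03-01T09:31:00 login user=asmith src=10.0.0.9 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match the format are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "user": m["user"],
                "src": m["src"],
                "result": m["result"],
            })
    return events


def detect_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Lock an account at the moment it reaches `threshold` failures within `window`.

    Returns (locked, success_after_lock): `locked` maps user -> lock time; the list
    names accounts that logged in successfully after reaching the threshold, which a
    reviewer should treat as a possible compromise rather than a nuisance."""
    recent = defaultdict(deque)  # per-user timestamps of failures inside the window
    locked = {}
    success_after_lock = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        if ev["result"] == "FAIL":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) >= threshold and user not in locked:
                locked[user] = ts
        else:  # SUCCESS
            if user in locked:
                success_after_lock.append((user, ts))
            recent[user].clear()  # a good login resets the failure count
    return locked, success_after_lock


if __name__ == "__main__":
    locked, after = detect_guessing(parse_log(SAMPLE_LOG))
    print("locked:", locked)
    print("success after lock:", after)
```

With these sample lines, jdoe is locked at the fifth failure and the success three seconds later is flagged, while asmith's two failures half an hour apart stay below the threshold. In production the lock decision would be enforced by the authentication system itself; the rule here is the detection logic an auditor can re-run against the retained log to confirm that the control fired.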



• Centralizing software installations so that only licensed software can be used.

57. Discuss the Function of Information Security Policies?

Information security policies direct how technology should be used and detail the penalties for failure to comply with those policies. It is essential to distinguish operating procedures from policies.

For example, operating procedures would provide instructions on receiving and sending email, while policies would detail the acceptable uses of email. Therefore, policies are less about technical controls and more about management and ethics.

58. What are the Categories of Information Security Related Policies?

Information security-related policies will generally fall into one of three categories:

• The enterprise-wide security policy is the “general” security policy that details the structure of information security, the shared responsibilities for security for all organization members, and specific security responsibilities that apply only to certain departments or roles. This policy will guide the creation and management of specific security policies.

• An issue-specific security policy covers the proper use of technology such as email, the Internet, photocopiers, portable storage devices, cloud storage, using work computers at home, using home devices at work, and so forth. Usually, all such policies are combined into one centrally managed document for ease of maintenance and distribution. Appropriate penalties for violations should be included, and there should also be a mechanism for anonymously reporting violations.

• A system-specific security policy details the procedures for configuring and maintaining systems and which security protocols must be implemented.

59. What is the Three Lines of Defense Model?

The three lines of defense model “provides a simple and effective way to enhance communications on risk management and control by clarifying essential roles and duties.” The three lines of defense model is not specific to IT controls but is a crucial resource for internal auditors implementing information technology and cybersecurity controls.

60. Define the First Line of Defense – Operational Management?

Operational managers are responsible for identifying risks and taking corrective actions to address control deficiencies. For cybersecurity, IT managers and officers such as the Chief Information Officer, Chief Technology Officer, and Chief Security Officer are collectively responsible for identifying threats to the organization’s information assets and the controls that protect those assets. Common first-line defense activities include:

• Keeping systems and software up-to-date.
• Implementing firewalls and intrusion detection systems.
• Using encryption wherever possible.
• Creating and implementing physical and user-access security controls.
• Creating an inventory of information assets.

61. Define the Second Line of Defense – Risk Management and Compliance Functions?

The second line of defense is a separate risk management function that monitors the first line of defense (i.e., operational management) and may intervene to modify or develop the internal controls. For cybersecurity, the second line of defense would include the IT risk management and IT compliance functions, which are responsible for assessing cybersecurity risks against the organization’s risk appetite, creating cybersecurity awareness at all levels of the organization, assessing and monitoring security risks from outside vendors, and overseeing the first line of defense. Common second line of defense activities include:

• Conducting cybersecurity risk assessments.
• Implementing cybersecurity policies and training.
• Monitoring and responding to any security incidents.
• Writing, implementing, and testing disaster recovery plans.

62. Define the Third Line of Defense – Internal Audit?

The third line of defense is internal audit, which provides the organization with the highest possible level of independence and objectivity. Internal auditors are responsible for auditing cybersecurity risks and controls across the organization. They, therefore, provide an essential layer of additional oversight over the controls in the first line of defense. The internal auditors will usually work closely with the second line of defense and can usually rely on—with verification—the work of the second line of defense. Any observed deficiencies should be reported to senior management and the board. Common third line of defense activities include:

• Auditing IT controls.
• Tracking any control deficiencies or security events for proper remediation.
• Ongoing risk assessment of outside parties in conjunction with the first and second lines of defense.



SECTION B – INFORMATION SECURITY (WEIGHTAGE 25%)
TRUE / FALSE QUESTIONS AND ANSWERS

1. Physical security includes physical access security of the premises.
FALSE. Physical security includes physical access control and security of the equipment and premises.

2. Physical access to servers and networking equipment should not be limited to authorized persons.
FALSE. Physical access to servers and networking equipment should be limited to authorized persons.

3. Biometric access systems use physical characteristics to authorize access.
TRUE. Biometric access systems use physical characteristics such as blood vessel patterns on the retina, handprints, or voice authentication to authorize access. There is a low error rate with such systems. Biometric access systems are usually combined with other controls.

4. If weaknesses are found in any of the controls, the auditor corrects the exposures.
FALSE. If weaknesses are found in any of the controls, the auditor should report and document the exposures.

5. Logical access controls focus on who can use which computer equipment and who can access data.
FALSE. Logical security focuses on who can use which computer equipment and who can access data.

6. User IDs and passwords are the most common something you are authentication.
FALSE. User IDs and passwords are the most common something you know authentication.

7. Biometrics is the most common form of something you are authentication.
TRUE. Biometrics can recognize physical characteristics such as the iris or retina of the eyes, fingerprints, etc.

8. Biometric scanners provide a reasonable level of security.
FALSE. Biometric scanners provide a high level of security.

9. Linking passwords to biometrics is an example of two-factor authentication.
TRUE. Two-factor authentication requires two independent, simultaneous actions before access to a system is granted.

10. Software and hardware controls are general controls.
TRUE. General controls relate to the general environment within which transaction processing takes place. General controls ensure the company’s control environment is stable and well-managed.

11. Application controls are divided into three main categories.
TRUE. Input, processing, and output controls.

12. Processing controls are designed to provide reasonable assurance that input entered into the system has proper authorization, has been converted to machine-sensible form, and has been entered accurately.
FALSE. Input controls are designed to provide reasonable assurance that input entered into the system has proper authorization, has been converted to machine-sensible form, and has been entered accurately. Input controls can also ensure that data has not been lost, suppressed, added, or changed in transmission.

13. Edit check is sending additional sets of data to confirm the original data.
FALSE. A redundancy check sends additional data sets to confirm the original data.

14. An echo check determines whether all necessary information has been sent.
FALSE. Completeness checks determine whether all necessary information has been sent.

15. Output controls are designed to provide reasonable assurance that processing has occurred properly and that no transactions have been lost or incorrectly added.
FALSE. Processing controls are designed to provide reasonable assurance that processing has occurred properly and that no transactions have been lost or incorrectly added.

16. A closed door is an exploitable point of entry to re-enter at a later time.
FALSE. A back door is an exploitable point of entry to re-enter it at a later time. Therefore, if the original entry point is detected and closed, the “back door” functions as a hidden, undetected way back in.

17. The best defense against port scans is a strong firewall.
TRUE. A firewall serves as a barrier between the internal and the external networks and prevents unauthorized access to the internal network.

18. A proxy server creates a gateway to and from the Internet.
TRUE. A proxy server creates a gateway to and from the Internet. The proxy server contains a list of approved websites and handles all web access requests, limiting exposure to only those sites in the access control list.
access to
sensitive data.
70. The best defense against a phishing attack is anti-sniffers.
FALSE. Phishing is a high-tech scam that uses spam email to deceive people into disclosing sensitive personal information such as credit card numbers, bank account information, Social Security numbers, or passwords. Employee education, awareness, and common sense are the best defense against phishing. Potential recipients need to know not to respond to any email that requests personal or financial information or a password and not to click on any link given in such an email that could take them to a spoofed website where they would be asked to enter that information.

71. The three lines model is not specific to IT controls.
TRUE. The three lines model is applied to cybersecurity and is a key resource for internal auditors implementing information technology and cybersecurity controls.

72. The first line is the risk management and compliance functions.
FALSE.
• First Line: Management.
• Second Line: Risk Management and Compliance Functions.
• Third Line: Internal Audit.

73. Implementing firewalls and intrusion-detection systems is a common first-line activity.
TRUE. Common first-line activities include:
• Keeping systems and software up-to-date.
• Using encryption wherever possible.
• Creating and implementing physical and user-access security controls.
• Creating an inventory of information assets.
• Recruiting and retaining the necessary IT staff and specialists.

74. Conducting cybersecurity risk assessments is a common third-line activity.
FALSE. Common second-line activities include:
• Conducting cybersecurity risk assessments.
• Implementing cybersecurity policies and training.
• Monitoring and responding to any security incidents.
• Writing, implementing, and testing disaster recovery plans.

75. The first line provides the organization's highest possible level of independence and objectivity.
FALSE. The third line provides the organization's highest possible level of independence and objectivity.

SECTION C – INFORMATION TECHNOLOGY (WEIGHTAGE 20%)
STUDY POINTS

S.No DESCRIPTION
1. What are the Internal Control goals for an Information System?

Internal control goals for an information system are the same as
those for the overall organizational internal controls:

• Promote effectiveness and efficiency of operations to achieve
the company’s objectives.

• Maintain the reliability of financial reporting by checking the
accuracy and reliability of accounting data.

• Assure compliance with all laws and regulations that the
company is subject to and adherence to managerial policies.

• Safeguard assets.

2. What is meant by the systems development life-cycle approach?

The development process must be structured, documented, and
controlled when creating a new computer system. The systems
approach to problem-solving, which can be applied to developing
large, highly structured application systems, involves the systems
development life-cycle approach (SDLC).

The SDLC assumes that any information system has a limited life
because organizational priorities change, technology becomes
obsolete, and a new lifecycle must begin when the current system
is no longer adequate.

3. Elaborate on the Framework of systems development life-cycle
approach?

The systems development life-cycle approach involves planning,
analysis, design, and implementation, and it provides a
framework for planning and controlling the detailed activities
involved in systems development.

1. Statement of Objectives. This proposal outlines the need
for the new system, indicates its support within the organization,
and gives an overview of various timing issues.

2. Systems Investigation and Feasibility. A study should
include an analysis of the existing system to determine whether
a new system is needed or whether the existing system can be
fixed. In addition, any control deficiencies in the existing system
that previous audits identified should also be considered.
Toward this goal, three feasibility studies are needed:

a. Technical feasibility. This study determines if the
necessary hardware and software are currently available. If not,
it further examines whether the appropriate hardware and
software can be developed in the required time.

b. Economic feasibility. A cost-benefit study assesses
whether or not expected cost savings, increased revenue or
profits, reductions in required investment, and other benefits
will make the investment in the new system worthwhile. The
auditor should also evaluate cost estimates to see if they are
reasonable.

c. Operational feasibility. This study is designed to determine
how well the proposed system will work once it is in operation.

3. Systems Analysis. In this initial phase, the analyst assesses
the system to get a clear overview of what is needed, what is not,
and what should be allowed to remain.

a. To understand the existing system’s strengths and
weaknesses, the analyst first conducts an organizational
analysis or a systems survey to learn as much as possible
about the company, its management, employees, business,
other systems it interacts with, and its current information
system.

b. Next, the analyst identifies users’ information requirements
and functional requirements. Information requirements might
include input and output needs, database requirements, and
specific system operation characteristics.

Functional requirements refer to everything not necessarily
tied to the hardware, software, network, data, and human
resources, including user interface requirements for data entry,
processing, storage, and control requirements.

c. System requirements must be identified and fulfilled.

d. Through a cost-benefit analysis, the analyst evaluates
alternative designs for the proposed system.

e. For the final step, the analyst issues a systems analysis
report that documents the system specifications and the
conceptual design of the proposed system.

4. Systems Design and Development. For this next phase,
software architects and developers take the recommendations
from the analysis report and create the new system.

a. The development team draws up detailed design
specifications, working backward from the desired outputs to
the required inputs.

b. Next, the team assesses the processing requirements to
determine those necessary to convert the available inputs
into the desired outputs. The team must also study the
workflow, decide which programs and controls are needed, and
draw up a list of hardware, backups, security measures, and
data communications.

c. Storage components need to be evaluated so that the
development team fully grasps the data requirements, namely
how much will be created and how much will be stored. During
this stage, the team will also design the database and the
appropriate data dictionaries.

d. The team prepares the systems design report. It includes
everything necessary to implement the proposed system,
including input requirements, processing specifications, output
requirements, control provisions, and cost estimates.

e. Documentation comes next. Designated team members
write the manuals, forms, and other related materials.

• Assess and treat information security risks. Identify and
prioritize the risks to the information assets against the
objectives of the organization and its risk appetite.

• Select and implement controls. Determine the controls that are
needed to mitigate identified risks and implement them.
Controls should be considered during the project-design stage
to maximize effectiveness and decrease costs.

• Monitor, maintain, and improve effectiveness (continuous
improvement). Existing systems and controls should be
monitored continuously, focusing on continuous improvement
to reduce risk to the company’s information assets.

64. Describe the Information Technology Infrastructure Library and its stages?

The Information Technology Infrastructure Library (ITIL) is now
published and owned by Axelos, a joint venture between the public
and private sectors.

The ITIL framework describes five stages for aligning a company’s
IT services with its business needs:

• Service Strategy: Create a strategy to ensure IT services align
with business goals.

• Service Design: Design the implementation of IT services to
meet the goals described in the Service Strategy.

• Service Transition: Ensure that IT services are deployed in a way
that meets the Service Design.

• Service Operation: Continually monitor the daily operation of IT
services and correct any problems or failures.

• Continual Service Improvement: Improve IT services' quality and
cost-effectiveness.

65. Explain Business Continuity Management?

Business continuity management refers to the plans and
processes to mitigate incidents that could otherwise interrupt the
company’s activities. The risks to the company’s operation should
be ranked according to which systems are the most essential.

66. What different functions are part of the Backup and Recovery
Plan?

• Program files, as well as data files, should be backed up
regularly.

• Copies of all transaction data are stored as a transaction log.

• Backups should be stored at a secure, remote location.

• The cloud can be used for backups as long as the data is
transmitted and stored securely; in other words, data should be
encrypted.

• Grandparent-parent-child processing is used because of the risk
of losing data before, during, or after processing work.

• Computers should be on an Uninterruptible Power Supply (UPS).

• Fault-Tolerant Systems utilize redundancy in hardware design so
that if one system fails, another will take over.

67. What does a Disaster Recovery Plan specify?

A disaster recovery plan specifies the following:

• Which employees will participate in disaster recovery, and what
their responsibilities are. One person should be designated for
disaster recovery, and another should be second in command.

• Appropriate hardware, software, and facilities to be used.

• The priority of applications that should be processed.

• A disaster recovery plan may also be called a contingency plan.

68. What is a Hot Site, Cold Site, and Warm Site?

A hot site is a backup facility with a computer system similar to
the one used regularly. The hot site must be fully operational and
immediately available, with all necessary telecommunications
hookups for online processing.

A cold site is a facility where power and space are available to
install processing equipment, but it is not immediately available. If
an organization uses a cold site, its disaster recovery plan must
include arrangements to get computer equipment installed and
running quickly.

A warm site is in between a hot site and a cold site. It has the
computer equipment and necessary data and communications
links installed, just as a hot site does. However, it does not have
live data. If the use of the warm site is required because of a
disaster, current data will need to be restored to it.

69. What should a Disaster Recovery Plan include?

A disaster recovery plan should include the following:

• An introduction emphasizing the importance of contingency and
disaster recovery plans to the organization's long-term success.

• Periodic risk assessment to review and re-prioritize critical
business functions.

• A list of the recovery options and strategies, including each
action plan and the priorities for what business units should be
recovered first.

• A detailed list of the backups, where the backups are stored, and
how to recover the backups.

• A list of the personnel responsible for the disaster recovery
operations, including a hierarchy of who is in charge and current
contact information.

• Emergency procedures for any problems that may arise during
the disaster recovery process.

• A requirement to test recovery plans regularly.

• The name of the person in charge of keeping the disaster
recovery plan current.

SECTION C – INFORMATION TECHNOLOGY (WEIGHTAGE 20%)
TRUE / FALSE QUESTIONS AND ANSWERS

1. An information system aims to promote the effectiveness and efficiency of operations.
TRUE. Goals for an information system include:
• Maintain the reliability of financial reporting.
• Assure compliance with all laws and regulations.
• Safeguard assets.

2. Rapid application development allows quick development of applications.
TRUE. Rapid Application Development refers to any number of free and commercial software tools that allow programmers to develop applications quickly using pre-built components.

3. The systems approach to problem-solving involves the systems development life-cycle approach.
TRUE. The systems development life-cycle approach assumes that any information system has a limited life because organizational priorities change, technology becomes obsolete, and a new lifecycle must begin when the current system is no longer adequate.

4. Economic feasibility determines if the necessary hardware and software are currently available.
FALSE. Technical feasibility determines if the necessary hardware and software are currently available. If not, it further examines whether the appropriate hardware and software can be developed in the required time.

5. Economic feasibility is a cost-benefit study.
TRUE. Economic feasibility assesses whether or not expected cost savings, increased revenue or profits, reductions in required investment, and other benefits will make the investment in the new system worthwhile.

6. Operational feasibility determines how well the proposed system will work once it is in operation.
TRUE. Operational feasibility determines how well the proposed system will work once it is in operation. For example, it can determine how willing management, employees, customers, and suppliers are to operate, use, and support the new system.

7. Pilot conversion is a way of system conversion.
TRUE. The system conversion can be done in several ways:
• Parallel operation.
• Phased or modular conversion.
• Pilot conversion.
• Plunge or direct conversion.

8. Prototyping is a useful systems development approach when user requirements are unclear.
TRUE. Prototyping is a useful systems development approach because it is an iterative process; that is, it progresses through a structured series alternating between input and feedback.

9. Operating parallel conversion is the riskiest approach as it consumes considerable resources.
FALSE. Parallel operation is the least risky, but running two fully operational systems consumes considerable resources simultaneously.

10. In phased conversion, only parts of a new application or only a few locations at a time are converted.
TRUE. Only parts of a new application or a few locations at a time are converted, allowing the conversion to occur gradually.

11. In direct conversion, the new system is tested in one department or worksite before full implementation.
FALSE. In pilot conversion, the new system is tested in one department or worksite before full implementation.

12. A database is a series of related data files.
TRUE. A database is a series of related data files combined in one location to eliminate redundancy that different application programs can use.

13. A bit is either a 1 or a 2.
FALSE. A bit is either a 0 or a 1.

14. A field is a group of 8 bits.
FALSE. A byte is a group of 8 bits, whereas a field is an item within a record.

15. The map or plan of the entire database is called the subschema.
FALSE. The map or plan of the entire database is called the schema.

16. A database management system serves as an interface between users and the database.
TRUE. A database management system can create the database, maintain it, safeguard the data, and make it available for applications and inquiries.

17. The domain name and Universal Resource Locator are used interchangeably.
TRUE. Internet addresses begin as a domain name, also called a Universal Resource Locator (URL).

18. A data mart is a copy of all of the historical data.
FALSE. A data warehouse is a copy of all of the historical data.

19. A data mart is a subsection of a data warehouse.
TRUE. A data mart is a subsection of a data warehouse that provides users with analytical capabilities for a restricted data set.

20. A data lake is used for structured data.
FALSE. A data lake is used for unstructured data.

21. Connections between a web browser and a server are stateless.
TRUE. Connections between a web browser and server are stateless, meaning that the server does not remember or retain information about the status or result of each connection.

65. The Internet is based on a series of universally agreed standards and protocols.
TRUE. Standards and protocols are the keys to the functionality of the Internet and all of the devices on the Internet being able to communicate with each other.

66. Record is the elementary unit of data storage used to represent individual attributes of an entity.
FALSE. A data field is an item within a record. It represents an individual attribute of an entity, such as an address, phone number, or account number.

67. Database administrators develop applications to access the database.
FALSE. Developing applications to access the database belongs to the systems analysts and programmers, not the database administrator.

68. According to COSO, an internal audit is one of the five components of an internal control system.
FALSE. Internal audit is not one of the five interrelated components of the COSO model.

69. Structured Query Language (SQL) is the most frequently used standard language for interacting with relational databases.
TRUE. Structured Query Language is the ANSI-approved language for querying relational database systems and is used by all modern DBMSs.

70. Passing files between programs or systems is necessary for a database management system.
FALSE. Passing files between programs or systems is unnecessary for a database management system.

71. Local area networks provide the least secure means of data transmission.
FALSE. A public-switched network uses the standard public telephone lines. Data transmitted over public telephone lines can be intercepted faster than data transmitted over non-public telephone lines.

72. ERP is easy to implement and maintain.
FALSE. A drawback of ERP is its cost and complexity. ERP is difficult to implement and maintain because of hardware, software, and database incompatibility.

73. Errors are most costly to correct during programming.
FALSE. Correction of errors becomes costlier as the project gets closer to being completed. Errors caught early can be corrected quickly and are thus less expensive than errors not caught until later in the project. An error caught during the implementation stage would be the most costly to correct because the implementation stage is close to the end of the project.

74. Objectivity is impaired if the auditor recommends standards of control.
FALSE. Objectivity is not impaired if the auditor recommends standards of control.

75. The test is not a method for implementing a new application system.
TRUE. While all systems should be tested before implementation, "test" is not an approach to implementation.

76. An ERP system can prepare annual corporate tax returns.
FALSE. An ERP system is beneficial in assembling the data needed to complete an annual corporate tax return, but it cannot prepare the entire tax return on its own. Preparing a tax return still requires human judgment.

77. COBIT's maturity model focuses on both capability and performance.
FALSE. The COBIT maturity model focuses only on capability. It does not focus on performance.

78. Test recovery plans are part of a disaster recovery plan.
TRUE. A disaster recovery plan should include the following:
• Periodic risk assessment.
• Recovery options and strategies.
• List of the backups.
• Emergency procedures.

SECTION D – FINANCIAL MANAGEMENT (WEIGHTAGE 20%)
STUDY POINTS

S.No DESCRIPTION
1. Explain the Objective of Financial Reporting?

Financial reporting aims to provide financial information about the
reporting entity useful to existing and potential investors, lenders, and
other creditors in making decisions about providing resources to the
entity.

2. Discuss the Uses of Financial Information?

• Investment and credit decisions – Will the company be able to repay
its loans? Will the company be able to pay a dividend or other return
on investment?

• Assessing cash flows – Will the company be able to meet its short-
term obligations as they come due? Are the incoming cash flows from
investments proportional to the risk involved in them?

• Enterprise assets and claims on those assets – What assets does
the company own? How liquid are they? What claims do other
companies or individuals have on those assets?

3. List the Information that General-Purpose Financial Reports should
provide?

Financial reporting should provide information that fulfills the
following requirements:

• General-purpose financial reports should provide information about
the financial position of a reporting entity or information about the
entity’s economic resources and the claims against the reporting
entity to help users assess the reporting entity’s liquidity and
solvency, its needs for additional financing and how successful it is
likely to be in obtaining that financing.

• General-purpose financial reports should provide information about
the effects of transactions and other events that change a reporting
entity’s economic resources and claims against them. Information
about the entity’s financial performance helps users understand the
return it has produced on its economic resources, indicating how
well management has fulfilled its responsibilities to efficiently and
effectively use its resources.

• Financial reports should be prepared on an accrual basis.

• General-purpose financial reports should also provide information
about changes in a reporting entity’s economic resources and claims
against them not resulting from financial performance, such as
issuing new ownership shares.

4. Discuss the Methods of Recording Transactions in the accounting
records?

There are two basic methods of recording transactions in the
accounting records:

a. Under the cash method, nothing is recorded in the accounting
records until cash is transacted. This means that each journal entry
will have either a debit or a credit to cash in it. The cash basis is not
a generally accepted accounting principle.

b. Accrual accounting depicts the effects of events on an entity’s
economic resources and claims to them in the periods in which those
effects occur, even if the resulting cash receipts and payments occur
in a different period. For example, expenses are recognized as
liabilities when incurred, even if they will not be paid until some later
time. Generally accepted accounting principles require the use of the
accrual method.

5. Contrast between Accrual and Deferral Entries?

Accrual entries are recorded when an event has occurred, but no
money has been transacted yet, usually resulting in a payable or a
receivable.

Deferral entries are recorded when money has been exchanged, but
the goods or services have not yet been exchanged.

6. Explain the Qualitative Characteristics of Accounting Information?

According to the Conceptual Framework for Financial Reporting, the
qualitative characteristics of useful financial information are
segregated into fundamental qualitative characteristics and
enhancing qualitative characteristics.

7. Describe the Fundamental Qualitative characteristics?

The fundamental qualitative characteristics of useful financial
information are:

• Relevance.

• Faithful representation.

8. Define Relevance?

Relevant financial information is information capable of making a
difference in user decisions. Financial information is capable of
making a difference:

• If it has predictive value (it can be used to predict future outcomes),

• If it has confirmatory value (it provides feedback that confirms or
changes previous evaluations), or

• If it has both predictive and confirmatory value.

9. Explore Materiality?

Materiality is an entity-specific aspect of relevance, and what is
material depends on the context of an individual entity’s financial
report. Therefore, no uniform quantitative threshold for materiality can
be specified. However, if omitting information or misstating it could
influence user decisions, that information is material.

10. What is Faithful Representation?

Financial information must faithfully represent the economic
phenomena that it purports to represent. Faithful representation has
three characteristics:

a. The financial information is complete.

b. The financial information is neutral.

c. The financial information is free from error.

On a contribution profit or loss statement, fixed costs are segregated
from variable costs and presented on separate lines. Only variable
costs are allocated to production and, thus, to the units sold. Variable
expenses include variable production costs and variable selling,
general, and administrative expenses.

The contribution profit or loss statement used for evaluation has four
“levels.”

a. Manufacturing Contribution Margin (Net Revenue Less Variable
Manufacturing Costs).

b. Contribution Margin (Manufacturing Contribution Less Variable
Nonmanufacturing Costs).

c. Controllable Margin (Contribution Margin Less Controllable
Fixed Costs).

d. Segment Margin (Controllable Margin Less Non-controllable,
Traceable Fixed Costs).

497. Clarify the Methods for allocating Costs of a Single (One) Service or
Support Department to Multiple Users?

a. Single-Rate Method – The single-rate method does not
separate the fixed costs of service departments from their variable
costs. All service department costs are put into one cost pool and
allocated using one allocation base.

b. Dual-Rate Method – The dual-rate method breaks the cost of
each service department into two pools, a variable-cost pool and a
fixed-cost pool. Each cost pool is allocated using a different cost
allocation base.

Allocation bases for either the single-rate method or the dual-rate
method can be:

• Budgeted rate and budgeted hours (or other cost driver) to be used
by the operating divisions.

• Budgeted rate and actual hours (or another cost driver) used by the
operating divisions.

Page 426 of 485

498. State the Benefits and Limitations of the Single-Rate Method?

Benefit

The cost to implement the single-rate method is low because it avoids
the analysis needed to classify the service department’s costs into
fixed and variable costs.

Limitation

The single-rate method makes fixed costs of the service department
appear variable to the user departments, possibly leading to
outsourcing that hurts the organization as a whole.

499. Provide the Benefits and Limitations of the Dual-Rate Method?

Benefits

• The dual-rate method helps user department managers see the
difference in how fixed and variable costs behave.

• The dual-rate method encourages user department managers to
make decisions that are in the best interest of the organization as a
whole, as well as in the best interest of each department.

Limitation

The cost is higher than the single-rate method because of the need to
classify all of the service department's costs into fixed and variable
costs.

500. Describe the Methods for Allocating Costs of Multiple Shared Service
Departments?

The following three different methods of allocating costs of multiple
shared service departments are used when service departments use
the services of other service departments:

a. The direct method – The reciprocal services provided by the
different shared service departments to each other are ignored. The
company allocates all shared service departments’ costs directly to
the operating departments. The allocation is made on a reasonable
and equitable basis to the operating departments for each service
department. When calculating the usage ratios for the different
operating departments under the direct method, count only the
usage of the shared service departments by the operating
departments. The usage of shared service departments in the other
service departments is excluded because service departments will
not be allocated any costs from other service departments.

Page 427 of 485

b. The step-down method – is also called the step or the sequential
method. In this, the services the shared service departments provide
to each other are included, but only one allocation of the costs of
each service department is made. After the costs of a particular
service department have been allocated, that service department will
not be allocated any additional costs from other service
departments.

c. The reciprocal method – is the most complicated and advanced
of the three methods of shared services cost allocation because it
recognizes all of the services provided by the shared service
departments to the other shared service departments. The
reciprocal method is the most theoretically correct because of this
detailed allocation between and among the shared service
departments. However, a company must balance the additional
costs of allocating costs this way against the benefits received.

Page 428 of 485

SECTION D – FINANCIAL MANAGEMENT (WEIGHTAGE 20%)
TRUE / FALSE QUESTIONS AND ANSWERS
S.No Questions Answers
1. Investment and credit decisions are made with financial information.
TRUE. Examples of the decisions that are made with the financial information are:
• Assessing cash flows.
• Enterprise assets and claims on those assets.

2. Financial reporting aims to provide financial information about the reporting entity useful to existing and potential investors.
TRUE. Financial reporting aims to provide financial information about the reporting entity useful to existing and potential investors, lenders, and other creditors in making decisions about providing resources to the entity.

3. Financial reports should be prepared on a cash basis.
FALSE. Financial reports should be prepared on an accrual basis.

4. Accrual entries are recorded when money has been exchanged, but the goods or services have not yet been exchanged.
FALSE. Deferral entries are recorded when money has been exchanged, but the goods or services have not yet been exchanged. In contrast, accrual entries are recorded when an event has occurred, but no money has been transacted yet, usually resulting in a payable or a receivable.

5. An entity’s financial performance is reflected by its present cash flows.
FALSE. An entity’s financial performance is reflected by its past cash flows.

6. The qualitative characteristics of financial information are divided into two types.
TRUE. The qualitative characteristics of useful financial information are segregated into fundamental qualitative characteristics and enhancing qualitative characteristics.

Page 429 of 485

7. Relevant financial information is information capable of making a difference in user decisions.
TRUE. Relevant financial information is information capable of making a difference in user decisions.

8. To be relevant, financial information should also be material.
TRUE. Materiality is an entity-specific aspect of relevance, and what is material depends on the context of an individual entity’s financial report.

9. Faithful representation has three characteristics.
TRUE. The financial information is as follows:
a. Complete.
b. Neutral.
c. Free from error.

10. Comparability is an enhancing qualitative characteristic of useful financial information.
TRUE. The enhancing qualitative characteristics of useful financial information that is relevant and faithfully represented are:
• Comparability.
• Verifiability.
• Timeliness.
• Understandability.

11. Consistency is the same thing as comparability.
FALSE. Consistency is related to comparability, but it is not the same thing.

12. Verification can be direct or indirect.
TRUE. Verifiability means that different observers agree that a particular depiction of an event is faithful.

13. Financial statements are prepared assuming that the entity is not a going concern.
FALSE. Financial statements are prepared assuming the entity is a going concern and will continue operation for the foreseeable future.

14. The costs and benefits of financial reporting are always
FALSE. The costs and benefits of financial reporting are not always obvious and measurable.

Page 430 of 485

Page 482 of 485

traceable fixed costs.
350. A traceable fixed cost can be assigned to a particular segment on a cause-and-effect basis.
TRUE. A traceable fixed cost is a cost that would be eliminated if the segment were to be sold or closed.

351. The controllable margin is a useful measure of a manager’s short-term performance.
TRUE. The controllable margin, also called short-term segment manager performance, measures all the revenues and costs controllable by the individual managers on a short-term basis.

352. Key performance indicators are measures of the company’s performance essential to its competitive advantage.
TRUE. The business must select only a few critical metrics most relevant to its strategy and then track them rigorously rather than using many different measurements. These critical measures are called Key Performance Indicators (KPIs).

353. A service department within a larger company is usually a cost center.
TRUE. A service department or service center within a larger company is usually a cost center because it provides services to other departments and does not earn any revenue.

354. A cost center is responsible only for the incurrence of costs.
TRUE. A cost center does not earn any revenue and therefore generates no profit. An equipment maintenance department or an internal accounting department is an example of a cost center.

355. The controllable variance is the total overhead flexible budget variance.
TRUE. The controllable variance equals the sum of the remaining three variances: the variable overhead spending variance, the variable overhead efficiency variance, and the fixed overhead spending variance.

356. The goals of the learning and growth perspective contribute to the internal process perspective.
TRUE. The goals of the learning and growth perspective contribute to the internal process perspective because the company’s culture of empowering staff members and providing them with the technological support they need makes innovation and improvements in products and services possible.

Page 482 of 485

357. An investment center is responsible for profit and for providing a return on capital.
TRUE. An investment center is responsible for profit (revenues and costs) and for providing a return on the capital invested by the larger organization to which it belongs.

358. A company should focus only on factors the manager can control when evaluating managers.
TRUE. If a manager is evaluated based on something that they are unable to control (either a cost or revenue), the manager may be blamed for or given credit for something for which they were not responsible.

359. Common costs can be allocated to any specific user or users on any cause-and-effect basis.
FALSE. Common costs are costs of operating a business that cannot be allocated to any specific user or users on any cause-and-effect basis.

360. The segment manager’s performance is evaluated based on revenues generated minus variable costs.
FALSE. The segment manager’s performance is evaluated based on revenues generated minus variable costs and fixed costs controllable by the segment manager.

361. The time value of money states that cash received today is less valuable than cash received in the future.
FALSE. The time value of money is a concept that states that cash received today is more valuable than cash received in the future.

362. The rate used to calculate an amount’s present or future value is called a discount rate.
TRUE. The discount rate, also called the interest rate, is the rate of discounting or compounding applied to an amount of money to calculate its present or future value.

Page 483 of 485

363. Present value is the accumulated money after investing the original sum at a certain interest rate and for a given period.
FALSE. Future value is the accumulated money you get after investing the original sum at a certain interest rate and for a given period.

364. The factor (1 + r)^N is a present value factor.
FALSE. The factor (1 + r)^N is a future value factor.

365. An annuity is a series of uneven cash flows.
FALSE. An annuity is a series of even cash flows used to determine the future value of equal cash flows.

366. Annuity due is an annuity where the cash flows occur at the end of each period.
FALSE. An ordinary annuity is one where the cash flows occur at the end of each period. Such payments are said to be made in arrears (beginning at time t = 1).

367. (1 + r)^−N is the reciprocal of the future value factor.
TRUE. (1 + r)^−N is called the present value factor, which is intuitively the reciprocal of the future value factor.

368. Payments are made at the beginning of each period in an annuity due.
TRUE. Annuity due is an annuity where payments start immediately at the beginning of time, at time t = 0.

Page 484 of 485