IIA Updated IIA-CIA-Part3 Exam Questions and Answers by merryn

The internal audit plan must be risk-based, as required by the IIA Standards. If cybersecurity has been identified as a high risk during the annual risk assessment, then it should be included in the audit plan to provide assurance over the adequacy of controls.

Including engagements simply to satisfy management (Option A) or for auditor learning purposes (Option B) does not align with risk-based planning principles. Likewise, management requests alone (Option D) do not dictate audit plan content; engagements must be prioritized based on risk to the organization.

Reliance on external auditors’ work is possible if the CAE has sufficient access to review their programs and workpapers to evaluate the scope, quality, and results. This ensures internal audit can confirm the appropriateness of relying on their work.

Option B is not required—external and internal audit can use different methodologies. Options C and D represent governance involvement but do not substitute for CAE’s independent evaluation of audit work.

A directive control is a policy, procedure, or guideline that establishes expected behavior to mitigate risks. In the context of outsourcing HR functions, a data protection clause in the contract ensures that the service provider is legally obligated to protect sensitive employee data.

Legal and Regulatory Compliance – It ensures the service provider complies with GDPR, CCPA, ISO 27001, SOC 2, and other data protection laws.

Defines Security Responsibilities – Specifies encryption, access controls, data retention policies, and penalties for non-compliance.

Enforceable Accountability – The contract holds the provider accountable for data breaches or misuse.

Industry Best Practice – Most outsourcing agreements include a Data Processing Agreement (DPA) as part of contractual terms.

A. Require a SOC report – A SOC (Service Organization Control) report assesses the provider’s internal controls, but it does not enforce compliance.

C. Obtain a nondisclosure agreement (NDA) – An NDA is useful, but it only prevents individuals from sharing data; it does not define data security requirements.

D. Encrypt the employees' data before transmitting it – Encryption is a strong preventive control, but it does not provide a directive policy like a contract clause does.

IIA’s International Professional Practices Framework (IPPF) – Standard 2201 – Requires internal auditors to assess contract terms related to risk management.

COSO’s Enterprise Risk Management (ERM) Framework – Recommends contractual agreements for third-party risk mitigation.

ISO 27001 Annex A.15.1.2 – Specifies that security requirements must be addressed in supplier contracts.

Why a Data Protection Clause Is the Most Appropriate Directive Control?Why Not the Other Options?IIA References:✅ Final Answer: B. Include a data protection clause in the contract with the service provider. (Most appropriate directive control).

User-Developed Applications (UDAs) are applications, spreadsheets, databases, or tools created and maintained by end-users rather than IT departments. They provide flexibility but also introduce risks related to security, accuracy, and change management.

Why Option B is Correct:

UDAs lack formal change management controls.

Since they are typically not subject to rigorous testing and documentation, modifications may introduce errors.

Updating or correcting a formula, macro, or script in a UDA may have unintended consequences that go unnoticed, leading to data integrity issues.

Why Other Options Are Incorrect:

Option A (UDAs are less flexible and more difficult to configure than traditional IT applications):

Incorrect. UDAs are more flexible and easier to modify compared to traditional IT applications, which undergo strict change controls.

Option C (UDAs typically are subjected to application development and change management controls):

Incorrect. Most UDAs lack formal governance or IT oversight. They are typically developed by business users with little or no structured IT controls.

Option D (Using UDAs typically enhances the organization’s ability to comply with regulatory factors):

Incorrect. UDAs introduce compliance risks due to lack of security, audit trails, and formal change controls.

IIA GTAG – "Auditing User-Developed Applications": Discusses risks and controls related to UDAs.

IIA Practice Advisory 2130-1 (Control Risk Self-Assessment): Highlights the importance of internal controls over UDAs.

COSO Internal Control – Integrated Framework: Recommends applying IT general controls (ITGCs) to UDAs.

IIA References:Thus, the correct answer is B. Updating UDAs may lead to various errors resulting from changes or corrections.