IIA Updated IIA-CIA-Part3 Exam Questions and Answers by aliya

The Business Impact Analysis (BIA) plan is a key component of business continuity planning that identifies critical business processes and determines their Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).

Correct Answer (C - Business Impact Analysis Plan)

The BIA is a systematic process that identifies essential functions, assesses potential disruptions, and determines the recovery time requirements to ensure business continuity.

The Recovery Time Objective (RTO) defines the maximum acceptable downtime for critical business functions.

The Recovery Point Objective (RPO) identifies how much data loss is tolerable.

According to the IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management, a BIA is essential for assessing the financial, operational, and reputational impact of disruptions.

Why Other Options Are Incorrect:

Option A (Business Continuity Management Charter):

A charter defines the governance, responsibilities, and overall framework of business continuity but does not focus on RTOs or critical business processes.

Option B (Business Continuity Risk Assessment Plan):

A risk assessment identifies threats and vulnerabilities but does not define recovery time objectives.

While risk assessments inform the BIA, they do not replace it.

Option D (Business Case for Business Continuity Planning):

A business case justifies investment in continuity planning but does not map business processes to RTOs.

GTAG 10: Business Continuity Management – Defines BIA as the process for identifying critical business functions and their RTOs.

IIA Practice Guide: Auditing Business Continuity – Emphasizes the role of BIA in business resilience.

Step-by-Step Explanation:IIA References for Validation:Thus, the Business Impact Analysis (BIA) Plan (C) is the correct answer because it pairs critical business processes with recovery time objectives.

Comprehensive and Detailed In-Depth Explanation:

Biometric authentication (e.g., fingerprint, retina scan) is the most difficult to revoke because it is linked to an individual’s physical attributes, which cannot be changed like passwords or physical devices.

Option A (Traditional key lock) – Can be revoked by retrieving the key or changing the lock.

Option C (Card-key system) – Can be revoked by deactivating the card.

Option D (Proximity device) – Can be revoked by disabling the device.

Since biometric data is permanently tied to an individual, revoking access is complex, making Option B the correct answer.

Total Quality Management (TQM) focuses on continuous improvement, teamwork, and process efficiency. The CAE’s goal is to reduce audit time and improve client satisfaction, which requires collaborative decision-making and diverse skill sets to ensure a high-quality, efficient audit process.

(A) Assign a team with a trained audit manager to plan each audit and distribute fieldwork tasks to various staff auditors. ❌

Incorrect. While structured planning is beneficial, TQM emphasizes decentralized decision-making rather than relying solely on the audit manager.

(B) Assign a team of personnel who have different specialties to each audit and empower team members to participate fully in key decisions. ✅

Correct. TQM encourages cross-functional teams, collaboration, and shared decision-making, which helps in reducing audit time and improving quality.

IIA GTAG "Auditing Continuous Improvement Initiatives" highlights diverse audit teams as a best practice for improving audit effectiveness.

(C) Assign a team to each audit, designate a single person to be responsible for each phase of the audit, and limit decision-making outside of their area of responsibility. ❌

Incorrect. This approach is too rigid and limits team collaboration, which contradicts TQM principles.

(D) Assign a team of personnel who have similar specialties to specific engagements that would benefit from those specialties and limit key decisions to the senior person. ❌

Incorrect. Specializing teams in certain audits may improve technical accuracy, but TQM promotes diverse perspectives rather than restricting decisions to one senior auditor.

IIA GTAG – "Auditing Continuous Improvement Initiatives"

IIA Standard 2110 – Governance (Process Improvement)

ISO 9001 – Total Quality Management Principles

Analysis of Answer Choices:IIA References:Thus, the correct answer is B, as TQM supports cross-functional teams and shared decision-making to improve audit efficiency and client satisfaction.

Data and system backups are a critical part of business continuity and disaster recovery (BC/DR) strategies, ensuring that organizations can restore data and systems to a prior state in the event of system failure, cyberattacks, or disasters.

Primary Purpose of Backup Systems:

The core objective of data and systems backup is to restore data and systems to a previous point in time in case of an unexpected incident.

According to IIA GTAG on Business Continuity Management, backups enable organizations to recover lost, corrupted, or compromised data from an earlier state.

Why Not Other Options?

A. To restore all data and systems immediately after the occurrence of an incident:

This is a misconception because restoration times depend on the Recovery Time Objective (RTO) and the complexity of the incident.

B. To set the maximum allowable downtime to restore systems and data after the occurrence of an incident:

This describes RTO, which is part of business continuity planning but not the primary purpose of backups.

C. To set the point in time to which systems and data must be recovered after the occurrence of an incident:

This describes the Recovery Point Objective (RPO), which determines the acceptable amount of data loss but does not define the main goal of backups.

IIA GTAG – Business Continuity Management

IIA Practice Guide: Auditing Business Continuity and Disaster Recovery

IIA Standard 2120 – Risk Management and IT Controls

Step-by-Step Justification:IIA References:Thus, the correct and verified answer is D. To restore data and systems to a previous point in time after the occurrence of an incident