IIA Updated IIA-CIA-Part3 Exam Questions and Answers by samir

When performing follow-up work, the first step for an auditor—especially one not previously involved in the engagement—is to review the prior audit report, findings, and management’s agreed response/action plan. This provides context on what needs to be validated before collecting new evidence.

Interviewing management (Option A), requesting documentation (Option B), or performing walkthroughs (Option D) are important steps, but they come only after the auditor has reviewed the original findings and corrective commitments.

Definition of Rooting:

Rooting (on Android) or Jailbreaking (on iOS) is the process of bypassing manufacturer and administrative security controls on a smart device.

This allows users to gain full control (root access) over the operating system, which can override security restrictions and allow installation of unauthorized applications.

How Rooting Increases Data Security Risks:

Bypassing Security Measures: Rooting removes built-in security protections, making the device more vulnerable to malware, unauthorized access, and data breaches.

Exposure to Malicious Apps: Rooted devices can install third-party applications that are not vetted by official app stores, increasing the risk of data theft, spyware, and ransomware attacks.

Circumventing Enterprise Security Policies: Many organizations use Mobile Device Management (MDM) to enforce security policies, but rooted devices can bypass these controls, exposing corporate data to cyber threats.

Increased Risk of Privilege Escalation Attacks: Attackers can exploit root access to take full control of the device, leading to unauthorized access to sensitive information.

IIA’s Perspective on Cybersecurity Risks:

IIA Standard 2110 – Governance emphasizes the importance of protecting sensitive data and ensuring compliance with IT security policies.

IIA’s GTAG (Global Technology Audit Guide) on Information Security warns against the dangers of rooted or jailbroken devices, as they compromise cybersecurity defenses.

NIST Cybersecurity Framework and ISO 27001 Information Security Standards identify unauthorized modifications to devices as a critical security risk.

Eliminating Incorrect Options:

B. Eavesdropping: This refers to intercepting communications (e.g., listening in on phone calls or network traffic) but does not involve circumventing administrative restrictions.

C. Man-in-the-Middle (MITM) Attack: This is an attack where an attacker intercepts and alters communication between two parties but does not involve rooting a device.

D. Session Hijacking: This attack involves stealing session tokens to impersonate a user but is unrelated to bypassing security controls on devices.

IIA References:

IIA Standard 2110 – Governance and IT Security

IIA GTAG – Information Security Risks

NIST Cybersecurity Framework

ISO 27001 Information Security Standards

Before an external assessment of the internal audit activity, the CAE should agree with the board on the qualifications and independence of the external assessor or assessment team. This ensures credibility and compliance with the IIA’s Quality Assurance and Improvement Program (QAIP) requirements.

Options A and B (specific audit areas or testing levels) are not matters for board approval in external assessments. Option D (specialized skills) is relevant but not as essential as overall qualifications and competence.

Data Mining for Exploratory Purposes:

Exploratory data mining involves analyzing large datasets to identify trends, patterns, and risks before conducting specific audits.

Internal auditors use data mining to assess risks and determine potential audit subjects, making it a key input in audit planning.

Aligns with IIA Practice Guide on Data Analytics:

Exploratory analysis helps auditors prioritize areas with high-risk indicators.

Supports IIA Standard 2010 - Planning, which requires risk-based audit planning.

A. Internal auditors perform reconciliation procedures to support an external audit of financial reporting. (Incorrect)

Reconciliation is a procedural task, not an exploratory data mining activity.

Supports external audit rather than internal audit’s strategic risk assessment role.

B. Internal auditors perform a systems-focused analysis to review relevant controls. (Incorrect)

This relates more to evaluating control effectiveness rather than exploratory data mining.

Does not directly contribute to identifying new audit areas.

D. Internal auditors test IT general controls with regard to operating effectiveness versus design. (Incorrect)

Testing IT general controls is a structured evaluation, not an exploratory data mining technique.

Exploratory data mining is used to identify risks before formal testing occurs.

Explanation of Answer Choice C (Correct Answer):Explanation of Incorrect Answers:Conclusion:The best example of exploratory data mining by internal auditors is risk assessment for audit planning (Option C).

IIA References:

IIA Standard 2010 - Planning

IIA Practice Guide: Data Analytics