
CIA · Part 1: Essentials of Internal Auditing · Unit 06 · Access: Premium

Domain VI: Information Technology and Business Resilience

Prepare for Domain VI: Information Technology and Business Resilience with CIA practice questions covering 7 topics. Part of Part 1: Essentials of Internal Auditing — build your knowledge and track your progress with CIA Practice.

Questions: 229
Topics: 7
Access: Premium

What’s in it.

7 topics
  • Topic 01: IT Governance Frameworks (COBIT) (30 questions)
  • Topic 02: Systems Development Lifecycle (SDLC) Controls (32 questions)
  • Topic 03: Application Controls and General IT Controls (30 questions)
  • Topic 04: Change Management and Patch Management Controls (31 questions)
  • Topic 05: Business Continuity Planning and Disaster Recovery (25 questions)
  • Topic 06: Cloud Computing — Risks, Controls, and Shared Responsibility Models (36 questions)
  • Topic 07: Emerging Technologies (AI, RPA, Blockchain) — Opportunities and Risks (45 questions)

Sample questions

3 of many

A few questions from this unit, with the answer and a full explanation. The complete bank is available when you start practising.

  1. An organisation deploys an RPA bot to process 2,000 invoices per day. A configuration error causes the bot to apply the wrong tax rate to all invoices. The error is undetected for three weeks. What RPA risk does this scenario illustrate, and which control would most effectively have prevented the extended impact?

    • Error propagation at scale, where a misconfigured bot processes thousands of incorrect transactions before detection; prevented by exception reporting and ongoing monitoring of bot output accuracy.
      Correct answer
    • Single point of failure risk, where bot unavailability halts critical processing; prevented by implementing manual backup procedures for invoice processing.
    • Change management risk, where a system update breaks the bot's process flow; prevented by regression testing after any system change affecting the bot.
    • Access and identity risk, where bot credentials are compromised by an external actor; prevented by privileged access management for bot accounts.
    Explanation

    The scenario describes error propagation at scale — one of the most distinctive risks of RPA. Unlike a human processing invoices, who might notice an anomalous tax calculation after a few transactions, a bot will continue executing the same error at high volume without any sense that something is wrong. The key preventive control is ongoing monitoring of bot output with automated exception reporting — for example, flagging any batch where the distribution of tax rates deviates from expected norms. This would detect the error early rather than allowing three weeks of incorrect processing.
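    The exception-reporting control described in the explanation, written out as an added example (not part of the question bank or any real RPA product). It recomputes the expected tax for each invoice from an authoritative rate table and flags a batch when the share of mismatches exceeds a tolerance; the rate table, the 1% tolerance, the invoice records and the three sample batches are all constructed for the example.

```python
"""Day-end exception report for RPA invoice-bot output (added example).

A misconfigured bot applies the same wrong rate to every invoice, so a
control that reconciles each invoice's applied tax against an authoritative
rate table, and summarises the implied rates per batch, surfaces the error
on day one instead of after three weeks.
"""
from collections import Counter
from decimal import Decimal, ROUND_HALF_UP

# Constructed rate table: jurisdiction -> expected tax rate (assumption).
EXPECTED_RATES = {"GB": Decimal("0.20"), "IE": Decimal("0.23"), "DE": Decimal("0.19")}

# Constructed tolerance: flag the batch if more than 1% of invoices mismatch.
MISMATCH_TOLERANCE = Decimal("0.01")


def expected_tax(net: Decimal, jurisdiction: str) -> Decimal:
    """Recompute the tax independently of the bot, rounded to cents."""
    return (net * EXPECTED_RATES[jurisdiction]).quantize(
        Decimal("0.01"), rounding=ROUND_HALF_UP
    )


def check_batch(invoices, tolerance: Decimal = MISMATCH_TOLERANCE) -> dict:
    """Return an exception report for one batch of bot-processed invoices.

    Each invoice is a dict with keys: id, jurisdiction, net, tax_applied.
    """
    mismatches = []
    rate_distribution = Counter()  # (jurisdiction, implied rate) -> count
    total = 0
    for inv in invoices:
        total += 1
        net = Decimal(inv["net"])
        applied = Decimal(inv["tax_applied"])
        # Rate the bot actually used, for the per-batch distribution summary.
        implied = (applied / net).quantize(Decimal("0.0001")) if net else Decimal("0")
        rate_distribution[(inv["jurisdiction"], str(implied))] += 1
        if applied != expected_tax(net, inv["jurisdiction"]):
            mismatches.append(inv["id"])
    share = Decimal(len(mismatches)) / Decimal(total) if total else Decimal("0")
    return {
        "invoices": total,
        "mismatches": mismatches,
        "mismatch_share": share,
        "rate_distribution": dict(rate_distribution),
        "flagged": share > tolerance,  # raise an exception report for review
    }


def sample_good_batch() -> list:
    """Constructed batch where the bot applied the correct rates."""
    return [
        {"id": "INV-001", "jurisdiction": "GB", "net": "100.00", "tax_applied": "20.00"},
        {"id": "INV-002", "jurisdiction": "IE", "net": "250.00", "tax_applied": "57.50"},
        {"id": "INV-003", "jurisdiction": "DE", "net": "80.00", "tax_applied": "15.20"},
    ]


def sample_misconfigured_batch() -> list:
    """Constructed batch where a config error applied 5% to every invoice."""
    return [
        {"id": "INV-101", "jurisdiction": "GB", "net": "100.00", "tax_applied": "5.00"},
        {"id": "INV-102", "jurisdiction": "GB", "net": "40.00", "tax_applied": "2.00"},
        {"id": "INV-103", "jurisdiction": "IE", "net": "250.00", "tax_applied": "12.50"},
    ]


def sample_isolated_error_batch() -> list:
    """Constructed batch: 200 correct invoices plus one keying error."""
    batch = [
        {"id": f"INV-{n:04d}", "jurisdiction": "GB", "net": "100.00", "tax_applied": "20.00"}
        for n in range(2001, 2201)
    ]
    batch.append({"id": "INV-2250", "jurisdiction": "GB", "net": "100.00", "tax_applied": "19.00"})
    return batch


if __name__ == "__main__":
    for name, batch in [("good", sample_good_batch()),
                        ("misconfigured", sample_misconfigured_batch()),
                        ("isolated", sample_isolated_error_batch())]:
        report = check_batch(batch)
        print(name, "flagged" if report["flagged"] else "ok", report["mismatches"][:3])
```

    The isolated-error batch is listed in the report but does not trip the batch-level flag, which is the point of the tolerance: individual mismatches go to a review queue, while a systematic shift in the rate distribution (the misconfigured batch, where every invoice carries an unexpected rate) stops the run.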

  2. What does the APO domain in COBIT 2019 stand for and what is its focus?

    • Align, Perform and Optimise — it covers IT performance management and continuous improvement.
    • Assess, Plan and Oversee — it covers board-level governance objectives for evaluating and overseeing IT management.
    • Align, Plan and Organise — it covers management objectives related to IT strategy, risk, architecture, innovation, and organisational structures that govern how IT is planned and organised.
      Correct answer
    • Acquire, Plan and Operate — it covers procurement of IT assets and the planning of IT operations.
    Explanation

    APO stands for Align, Plan and Organise. This COBIT 2019 management domain addresses how IT is strategically aligned with business needs, how it is planned, and how the organisational structures, policies, and frameworks that govern IT are established. Key APO objectives include APO01 (Managed I&T Management Framework), APO02 (Managed Strategy), APO12 (Managed Risk), APO13 (Managed Security), and APO14 (Managed Data). The APO domain covers 14 management objectives, making it the largest of the four management domains.

  3. Which of the following is classified as a processing control rather than an input control?

    • A mandatory field check that prevents a transaction from being saved without a supplier code.
    • A run-to-run total that reconciles the count of records at the start of a processing stage with the count at the end.
      Correct answer
    • A check digit on an account number that validates the number at the point of entry.
    • A range check that rejects a salary input that exceeds a maximum threshold.
    Explanation

    A run-to-run total is a processing control: it compares a control total (such as record count or financial total) at the beginning of a processing stage against the total at the end, detecting any records that were lost or added during processing. Processing controls validate data during the processing phase, after it has been input. All other options are input controls: range checks, mandatory field checks, check digits, duplicate detection, and format checks all validate data at the point of entry, before processing begins.
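    The distinction the question tests, shown as an added example (not from the question bank): the three input controls named in the options run against each record at the point of entry, while the run-to-run total reconciles record counts and amount totals before and after a processing stage. The record layout, the amount range, the use of a Luhn check digit for account numbers, and the deliberately faulty stage that drops records are all assumptions made for the example.

```python
"""Input controls versus a run-to-run processing control (added example).

Input controls validate a record before it enters processing; the run-to-run
total detects records lost or added *during* a processing stage.
"""

# Constructed range thresholds for the amount field (minor units, e.g. pence).
AMOUNT_MIN, AMOUNT_MAX = 0, 50_000_000


# --- Input controls (point of entry) -------------------------------------

def luhn_valid(number: str) -> bool:
    """Check-digit validation; assumes the account scheme uses Luhn mod-10."""
    if not number or not number.isdigit():
        return False
    digits = [int(c) for c in number]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_input(record: dict) -> list:
    """Return the list of input-control failures for one record (empty = accept)."""
    failures = []
    if not record.get("supplier_code"):                      # mandatory field check
        failures.append("mandatory field: supplier_code")
    if not luhn_valid(record.get("account", "")):            # check digit
        failures.append("check digit: account")
    if not AMOUNT_MIN <= record.get("amount", -1) <= AMOUNT_MAX:  # range check
        failures.append("range: amount")
    return failures


# --- Processing control (run-to-run total) ------------------------------

def run_stage(records: list, stage_fn) -> tuple:
    """Apply a processing stage and reconcile count and amount totals across it."""
    count_in, amount_in = len(records), sum(r["amount"] for r in records)
    output = stage_fn(records)
    count_out, amount_out = len(output), sum(r["amount"] for r in output)
    control = {
        "count_in": count_in, "count_out": count_out,
        "amount_in": amount_in, "amount_out": amount_out,
        "balanced": count_in == count_out and amount_in == amount_out,
    }
    return output, control


def correct_stage(records: list) -> list:
    """Well-behaved stage: enrich every record, drop none."""
    return [dict(r, approved=True) for r in records]


def faulty_stage(records: list) -> list:
    """Constructed defect: silently drops records whose code starts with 'ZZZ'."""
    return [dict(r, approved=True) for r in records if not r["supplier_code"].startswith("ZZZ")]


# --- Constructed sample data --------------------------------------------

def sample_entry_records() -> list:
    """Records as keyed at entry; two of them should fail input controls."""
    return [
        {"supplier_code": "SUP-001", "account": "79927398713", "amount": 120_000},
        {"supplier_code": "", "account": "79927398713", "amount": 5_000},
        {"supplier_code": "SUP-003", "account": "79927398710", "amount": 75_000_000},
    ]


def sample_clean_batch() -> list:
    """Records that passed input controls and are ready for processing."""
    return [
        {"supplier_code": "SUP-001", "account": "79927398713", "amount": 120_000},
        {"supplier_code": "SUP-002", "account": "4111111111111111", "amount": 45_000},
        {"supplier_code": "ZZZ-009", "account": "5500000000000004", "amount": 30_000},
    ]


if __name__ == "__main__":
    for rec in sample_entry_records():
        print(rec["supplier_code"] or "<blank>", validate_input(rec) or "accepted")
    _, ok = run_stage(sample_clean_batch(), correct_stage)
    _, bad = run_stage(sample_clean_batch(), faulty_stage)
    print("correct stage balanced:", ok["balanced"])
    print("faulty stage balanced:", bad["balanced"], bad)
```

    Note that every record in the clean batch passes all three input controls, so nothing at the point of entry would reveal the faulty stage; only the run-to-run reconciliation (count 3 in, 2 out; amounts 195,000 in, 165,000 out) catches the lost record.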