Part 3: Business Knowledge for Internal Auditing
Prepare for Part 3: Business Knowledge for Internal Auditing with CIA practice questions covering 34 topics. Build your knowledge, track your progress, and study effectively with CIA Practice.
What’s in it.
3 units
- Unit 01, Domain I: Business Acumen (Access: Premium; 391 questions · 11 topics)
- Unit 02, Domain II: Information Security (Access: Premium; 246 questions · 10 topics)
- Unit 03, Domain III: Information Technology (Access: Premium; 451 questions · 13 topics)
Sample questions
3 of many
A few questions from this module, with the answer and a full explanation. The complete bank is available when you start practising.
What is a right-to-audit clause in a vendor contract and why is it important for internal auditors?
- A right-to-audit clause gives the vendor the right to audit the organisation's use of their service to verify compliance with the licence terms.
- A right-to-audit clause gives the organisation the contractual right to audit the vendor's security controls or require an independent assessment; it provides a mechanism to obtain direct assurance beyond self-reported questionnaires. (Correct answer)
- A right-to-audit clause is relevant only when the organisation suspects fraud; it is not used for routine security assurance.
- A right-to-audit clause is a financial term giving the organisation the right to audit the vendor's invoice calculations for accuracy.
Explanation: A right-to-audit clause gives the contracting organisation a contractual right to conduct or commission an audit of the vendor's security controls, processes, and facilities. It is important because: it provides the highest level of assurance (auditor-controlled scope, direct evidence gathering); it acts as a deterrent — vendors knowing they can be audited tend to maintain higher standards; it is required by PCI DSS (Requirement 12.8) and expected by financial services regulators (EBA, FCA, DORA); and it enables the organisation to investigate concerns about specific controls or incidents. Even if rarely exercised, the right-to-audit clause should be a standard provision in contracts with Tier 1 vendors.
What is project scope and why is defining it accurately critical to project success?
- Project scope is the timeline allocated to the project; defining it accurately ensures milestones can be tracked against the plan.
- Project scope is the risk register maintained by the project manager; defining it accurately ensures all risks are identified at initiation.
- Project scope is the list of stakeholders who will be affected by the project; accurate definition ensures all interests are considered.
- Project scope defines the specific boundaries, deliverables, features, and work required to complete the project; accurate scope definition is critical because unclear scope leads to scope creep, budget overruns, and missed deadlines. (Correct answer)
Explanation: Scope defines what the project will and will not deliver — the specific outputs, features, functions, and quality standards that constitute successful completion. Without clear scope: (1) project estimates are unreliable; (2) stakeholders have different expectations that lead to disputes at completion; (3) scope creep occurs as additional requirements are added without formal assessment of impact on time and cost; and (4) acceptance criteria are ambiguous, making it impossible to formally close the project. A Work Breakdown Structure (WBS) is the primary tool for formally documenting and organising project scope.
What is an IT investment portfolio management process and how does it support strategic alignment?
- A process for reporting IT expenditure to the finance function for budget management purposes
- A process for managing cybersecurity investments separately from other IT spending decisions
- A process for evaluating, comparing, and governing IT investments as a portfolio to ensure spending aligns with strategic priorities and maximises business value (Correct answer)
- A process for selecting software vendors based on technical capability and cost comparisons
Explanation: IT portfolio management involves actively governing the full set of IT investments, projects, and assets as an integrated portfolio — rather than managing each in isolation. It supports strategic alignment by: comparing competing investment proposals against strategic criteria; ensuring the portfolio is balanced between operational maintenance and strategic investment; eliminating redundant or low-value initiatives; and providing a mechanism for the IT steering committee to prioritise IT spending against business priorities. COBIT 2019's APO05 (Managed Portfolio) addresses this governance function.