Domain III: Information Technology

Prepare for Domain III: Information Technology with CIA practice questions covering 13 topics. Part of Part 3: Business Knowledge for Internal Auditing — build your knowledge and track your progress with CIA Practice.

Questions: 451
Topics: 13
Access: Premium

What’s in it.

13 topics
  • Topic 01: IT Governance and IT Risk Management (75 questions)
  • Topic 02: IT Strategy Alignment with Business Objectives (36 questions)
  • Topic 03: IT General Controls — Access Management, Change Control, Operations, Backup (30 questions)
  • Topic 04: Application Controls — Input, Processing, Output, Interface Controls (30 questions)
  • Topic 05: ERP Systems and Financial System Controls (16 questions)
  • Topic 06: Systems Development Lifecycle and Agile/DevOps Auditing (36 questions)
  • Topic 07: Database Management and Data Integrity (42 questions)
  • Topic 08: Cloud Computing — IaaS, PaaS, SaaS Audit Considerations (28 questions)
  • Topic 09: Business Continuity and IT Disaster Recovery Testing (31 questions)
  • Topic 10: Data Analytics, Data Warehousing, and BI Tools (23 questions)
  • Topic 11: Robotic Process Automation (RPA) Controls (39 questions)
  • Topic 12: Artificial Intelligence and Machine Learning — Audit Implications (35 questions)
  • Topic 13: Blockchain and Distributed Ledger Technology (30 questions)

Sample questions

3 of many

A few questions from this unit, with the answer and a full explanation. The complete bank is available when you start practising.

  1. How does an internal audit team use continuous auditing techniques to monitor controls in a data warehousing environment?

    • Continuous auditing means the internal audit team permanently occupies space in the IT department and monitors all data warehouse activities in person throughout the year, without any automated tools.
    • Continuous auditing uses automated scripts or tools running at defined intervals to test key control indicators — such as comparing warehouse totals to source system totals nightly, flagging ETL error rate spikes, and alerting on anomalous data patterns — providing ongoing rather than point-in-time assurance.
      Correct answer
    • Continuous auditing is a testing approach where the same audit tests are repeated monthly without any change, providing consistent historical comparisons but no additional coverage compared to annual testing.
    • Continuous auditing is exclusively a financial reporting technique used during the statutory audit, where the external auditor continuously monitors the organisation's books throughout the year rather than just at year-end.
    Explanation

    Continuous auditing in data analytics environments combines automated monitoring with internal audit oversight. Key elements: (1) Automated controls testing: scripts query the data warehouse at regular intervals (nightly, weekly) to run control tests — e.g., comparing warehouse record counts to source counts, testing for duplicate loads, monitoring ETL error rates; (2) Exception alerting: when test thresholds are breached (e.g., error rate exceeds 1%), alerts are generated for audit or management investigation; (3) Continuous risk indicator monitoring: tracking metrics like number of transformation exceptions, volume of records in error queues, number of ETL jobs not completing on schedule; and (4) Periodic audit review: internal audit reviews continuous monitoring outputs at defined intervals, investigating trends and anomalies. This approach provides ongoing detection of control failures rather than discovering them only at annual audit time. Continuous auditing is technology-enabled — not physical presence. It does not mean repeating the same tests without adapting them. It does not mean manual review of 100% of transactions. It is an internal audit technique, not exclusively an external audit technique. It supplements, not replaces, periodic substantive audit procedures.

  2. An organisation monitors two IT metrics: (1) system availability measured against the SLA target, and (2) number of days since the last successful backup restoration test. Which of these is best classified as a KRI rather than a KPI?

    • System availability is the KRI because availability failures directly trigger risk events
    • Both are KRIs because they both relate to IT risk management objectives
    • Number of days since the last successful backup restoration test — this is a leading indicator of increasing recovery risk, not a measure of current performance
      Correct answer
    • Both are KPIs because they both measure operational IT performance against defined standards
    Explanation

    System availability measured against an SLA target is a KPI — it measures how well the service is currently performing against a defined standard. The number of days since the last successful backup restoration test is a KRI — it is a leading indicator that, as the count increases, signals rising risk that backups may not be restorable when needed (a risk event that hasn't happened yet but becomes more likely over time). KRIs are predictive; KPIs are descriptive of current or recent performance.

  3. What is the significance of version control for RPA bot scripts?

    • Version control is primarily a development tool and has no relevance to the production governance of RPA bots once they are deployed.
    • Version control only applies to the business requirements documents for bots — the executable code is managed through the orchestrator's deployment history.
    • Version control maintains a complete history of all changes to bot code — enabling rollback to previous versions, attribution of changes to specific individuals, and comparison between versions to identify what changed and when.
      Correct answer
    • Version control is a vendor-provided feature of RPA orchestrator platforms that automatically backs up bot configurations daily.
    Explanation

    Version control (e.g., Git) for RPA bot scripts provides three key control benefits: (1) complete audit trail — every change is logged with who made it, when, and what changed, supporting fraud investigation and change management verification; (2) rollback capability — if a change introduces errors, the previous version can be restored quickly; (3) comparison — the difference between any two versions can be examined, enabling auditors to verify that only approved changes were implemented. The absence of version control is a significant change management weakness per COBIT BAI06 and ISO/IEC 27001 Control 8.32.