Understanding Mobile Device Risks in an Organization:

When an organization allows third parties (vendors and visitors) to use outside smart devices to

access its proprietary networks and systems, it introduces significant compliance risks.

These risks include violations of regulatory requirements, industry standards, and internal security

policies.

Compliance Risks in Smart Device Usage:

Unauthorized Access: External users may bypass security controls, leading to data breaches or

regulatory non-compliance (e.g., GDPR, HIPAA, or PCI-DSS violations).

Lack of Encryption and Data Protection: If smart devices access sensitive information without proper

security protocols, the organization may fail to comply with industry regulations.

Failure to Enforce Mobile Device Management (MDM): Without proper policy enforcement,

organizations risk failing audits and facing penalties.

Why Other Options Are Incorrect:

B . Privacy:

Privacy concerns relate to handling personal data, but in this scenario, the focus is on third-party

access risks, which fall under compliance.

C . Strategic:

Strategic risks relate to long-term business objectives, whereas compliance risks are more immediate

and regulatory in nature.

D . Physical security:

Physical security deals with preventing unauthorized access to buildings or devices, not cybersecurity

risks from external smart devices.

IIA’s Perspective on Compliance and IT Security:

IIA Standard 2110 – Governance emphasizes the need to evaluate IT security risks, including third-

party access risks.

IIA GTAG (Global Technology Audit Guide) on IT Risks highlights compliance risks in Bring Your Own

Device (BYOD) and third-party access policies.

ISO 27001 Information Security Standard mandates controls to manage external device access risks.

IIA Reference:

IIA Standard 2110 – Governance and IT Security

IIA GTAG – IT Risks and BYOD Policies

ISO 27001 Information Security Standard

NIST Cybersecurity Framework for Mobile Device Security

Thus, the correct and verified answer is A. Compliance.

Fixed manufacturing costs refer to costs that do not vary with the level of production activity within a

relevant range. These costs include expenses such as depreciation, rent, property taxes, and salaries

of permanent employees in the production facility. Their primary purpose is to ensure the availability

and operational readiness of production facilities, regardless of fluctuations in production levels.

Breakdown of Answer Choices:

(A) Correct – To ensure availability of production facilities

Fixed manufacturing costs are incurred to maintain and operate production facilities, ensuring that

they remain functional and available for production when needed. These costs exist even if no units

are produced, emphasizing their role in sustaining the production infrastructure.

(B) Incorrect – To decrease direct expenses related to production

Fixed manufacturing costs are unrelated to direct expenses, such as raw materials and labor, which

vary with production volume. Instead, they remain constant regardless of output levels.

(C) Incorrect – To incur stable costs despite operating capacity

While fixed costs remain stable within a relevant range, their primary purpose is not just cost stability

but ensuring production facilities' availability and functionality.

(D) Incorrect – To increase the total unit cost under absorption costing

Under absorption costing, fixed manufacturing costs are allocated to units produced, affecting per-

unit cost calculations. However, this is an accounting treatment rather than the core purpose of fixed

manufacturing costs.

IIA Reference and Internal Auditing Standards:

IIA’s Global Internal Audit Standards – Managing Resources Effectively

Fixed manufacturing costs ensure operational resources are available and managed efficiently.

IIA’s Guide on Cost Management and Internal Control

Highlights the role of cost structures, including fixed costs, in ensuring business continuity.

IIA’s Practice Advisory on Cost Accounting Controls

Discusses the importance of maintaining production facilities to ensure operational readiness.

Would you like further clarification on any point?

Centralized authority refers to decision-making being concentrated at the top levels of an

organization, ensuring uniform policies and procedures across departments.

Let's analyze each option:

A . Fraud committed through collusion is more likely when authority is centralized.

Incorrect. Centralized authority reduces the chances of fraud by enforcing strict oversight and

controls. Decentralized structures may create more opportunities for fraud due to inconsistent

policies.

B . Centralized managerial authority typically enhances certainty and consistency within an

organization. ✅ (Correct Answer)

Correct. Centralized authority ensures consistent decision-making, standardized processes, and clear

policies, reducing uncertainty.

For example, in a multinational company, a centralized governance structure ensures compliance

with financial reporting standards across all subsidiaries.

C . When authority is centralized, the alignment of activities to achieve business goals typically is

decreased.

Incorrect. Centralized authority actually helps in aligning business activities toward strategic goals by

ensuring uniform direction and coordination.

D . Using separation of duties to mitigate collusion is reduced only when authority is centralized.

Incorrect. Separation of duties (SoD) is a key internal control mechanism that exists regardless of

centralization. Organizations implement SoD through policies, not just governance structures.

IIA Reference:

IIA Standard 2110 – Governance – Emphasizes the importance of clear governance structures in

organizations.

COSO Internal Control – Integrated Framework – Discusses centralization and its impact on risk

management and control effectiveness.

IIA Global Technology Audit Guide (GTAG) – Enterprise Risk Management (ERM) – Highlights the role

of centralized authority in aligning corporate strategies.

ISO 37000:2021 – Governance of Organizations – Outlines how centralized governance improves

organizational consistency and decision-making.

To maximize profit with a limited material supply of 500 kg per month, the company should prioritize

producing the product that generates the highest contribution margin per kg of material used.

Step 1: Calculate Contribution Margin Per Unit for Each Product

Since fixed costs are not relevant in this decision, we focus on the contribution margin per unit of raw

material:

Product X

Selling price per unit = $10

Material cost per unit = 2 kg × $1/kg = $2

Contribution margin per unit = $10 - $2 = $8

Contribution margin per kg = $8 ÷ 2 kg = $4 per kg

Product Y

Selling price per unit = $13

Material cost per unit = 6 kg × $1/kg = $6

Contribution margin per unit = $13 - $6 = $7

Contribution margin per kg = $7 ÷ 6 kg = $1.17 per kg

Step 2: Prioritize Product with Higher Contribution Margin Per Kg

Product X ($4 per kg) is more profitable per kg than Product Y ($1.17 per kg).

To maximize profit, produce as many units of Product X as possible first, then allocate the remaining

material to Product Y.

Step 3: Allocate Limited Material (500 kg)

First, maximize production of Product X

Each unit of Product X requires 2 kg.

Maximum units of Product X = 500 kg ÷ 2 kg per unit = 250 units.

However, demand is only 70 units, so produce 70 units of Product X.

Material used for 70 units of X = 70 × 2 kg = 140 kg.

Material remaining = 500 kg - 140 kg = 360 kg.

Use remaining material for Product Y

Each unit of Product Y requires 6 kg.

Maximum units of Product Y = 360 kg ÷ 6 kg per unit = 60 units.

Final Decision:

Produce 70 units of Product X (to meet demand).

Produce 60 units of Product Y (using the remaining material).

IIA Reference for Validation:

IIA GTAG 13: Business Performance Management – Discusses maximizing profit by prioritizing high

contribution margin products.

IIA Practice Guide: Cost Analysis for Decision-Making – Covers constraints and resource allocation for

maximizing profitability.

Thus, B (60 units) is the correct answer because it optimally allocates the 500 kg of material to

maximize profit.

Job enrichment is a motivational strategy where employees are given more control, responsibility,

and meaningful tasks in their roles. It aims to increase job satisfaction, personal growth, and

motivation by making work more engaging and fulfilling.

Let’s analyze each option:

Option A: Validation of the achievement of their goals and objectives

Incorrect.

While job enrichment may contribute to achieving personal and professional goals, its primary

purpose is not just validation but improving employee engagement and motivation.

Option B: Increased knowledge through the performance of additional tasks

Incorrect.

Job enlargement (not job enrichment) involves assigning additional tasks without necessarily

increasing responsibility or autonomy.

Job enrichment focuses on providing meaningful and challenging work, not just adding tasks.

Option C: Support for personal growth and a meaningful work experience

Correct.

Job enrichment enhances job satisfaction by giving employees greater autonomy, responsibility, and

purpose in their roles.

It encourages personal and professional development, leading to a more meaningful work

experience.

IIA Reference: Internal auditors assessing human resource and organizational performance

management focus on employee motivation strategies, including job enrichment. (IIA Practice Guide:

Talent Management and Human Capital Risks)

Option D: An increased opportunity to manage better the work done by their subordinates

Incorrect.

Job enrichment does not necessarily focus on managing subordinates but rather on enhancing

individual job roles by making them more fulfilling.

Thus, the verified answer is C. Support for personal growth and a meaningful work experience.

Effective change management ensures that IT changes (such as software updates, system

modifications, or infrastructure upgrades) are well-controlled, minimizing disruptions. Poor change

management leads to instability, inefficiencies, and operational risks.

Why 2, 3, and 4 Are Indicators of Poor Change Management?

Unplanned Downtime (2) – Indicates that changes are being implemented without proper testing or

failover planning, disrupting business operations.

Excessive Troubleshooting (3) – Suggests that changes are causing recurring issues, leading to

increased workload for IT support teams.

Unavailability of Critical Services (4) – Highlights that change-related failures are affecting essential

business functions, indicating improper risk assessment.

Why Not Option 1 (Inadequate Control Design)?

While inadequate control design is a general IT risk, it is not a direct indicator of poor change

management. Instead, it relates more to weaknesses in IT governance and security frameworks.

IIA Reference:

IIA’s GTAG (Global Technology Audit Guide) on Change Management – Identifies unplanned

downtime, excessive troubleshooting, and service unavailability as key red flags of poor change

management.

COBIT 2019 (Governance and Management of IT) – Emphasizes structured change management to

minimize disruptions.

ITIL Change Management Framework – Highlights these issues as symptoms of ineffective change

control.

✅ Final Answe r: D. 2, 3, and 4 only.

A decentralized organizational structure allows decision-making authority to be distributed across

various levels and locations, making it more flexible and adaptable to rapid changes and

uncertainties.

Step-by-Step Justification:

Why Decentralization Helps in Uncertainty?

Decentralization empowers different units or teams to make faster decisions.

It enables quick adaptation to market shifts, technological advancements, and external disruptions.

According to IIA’s Organizational Governance Guidelines, decentralized structures increase agility

and responsiveness, particularly in dynamic industries like technology and finance.

Characteristics of Decentralized Structures:

Autonomy at multiple levels – decisions are not centralized at the top.

Faster decision-making – local teams react quickly to changes.

Greater innovation and flexibility – promotes problem-solving without bureaucratic delays.

Why Not Other Options?

B . Centralized:

A centralized structure concentrates decision-making at the top, slowing down responsiveness to

changes.

C . Departmentalized:

While departmentalization organizes work efficiently, it may restrict cross-functional collaboration,

making adaptation slower.

D . Tall Structure:

Tall structures have multiple management layers, leading to bureaucracy and slower decision-

making.

IIA Reference:

IIA Practice Guide: Organizational Governance

IIA Standard 2110 – Governance and Risk Management

COBIT 2019 – Enterprise Risk and Governance Framework

Thus, the correct and verified answer is A. Decentralized.

To efficiently protect business data from corruption and errors, the best approach is proactive

detection through validation controls. Batch total calculations help verify data integrity before

approval, ensuring errors are caught early.

Analysis of Each Option:

(A) Controls to ensure data is unable to be accessed without authorization.

Incorrect: Access controls prevent unauthorized access, but they do not detect or prevent data

corruption/errors.

(B) Controls to calculate batch totals to identify an error before approval. (Correct Answer)

Batch control totals ensure that data entries match expected values before processing, helping detect

errors before approval.

IIA GTAG 3 – Continuous Auditing recommends automated validation and reconciliation checks for

data integrity.

(C) Controls to encrypt the data so that corruption is likely ineffective.

Incorrect: Encryption protects data confidentiality, but it does not prevent or detect errors or

corruption.

(D) Controls to quickly identify malicious intrusion attempts.

Incorrect: Intrusion detection systems focus on cybersecurity, not data corruption or errors.

IIA Reference Supporting the Answer:

IIA Standard 2120 – Risk Management: Recommends controls for error prevention and early

detection.

IIA GTAG 3 – Continuous Auditing: Suggests automated validation processes like batch totals to

detect errors before approval.

Thus, the correct answer is (B) because batch total calculations effectively detect errors before

approval, ensuring data integrity.

Preventive security controls proactively stop unauthorized access before it occurs. The most effective

method is strict access management, where new or additional access rights require formal validation

before being granted.

Why Approval-Based Access Control is the Best Preventive Measure?

Prevents Unauthorized Entry – Ensures that only approved personnel have access to the power plant.

Implements Segregation of Duties (SoD) – Supervisors validate access requests, reducing insider

threats.

Aligns with Least Privilege Principle – Employees get only the minimum access necessary for their

role.

Prevents Security Risks Before They Happen – Unlike detective or corrective controls, this method

stops unauthorized access before it occurs.

Why Not the Other Options?

A . Offboarding procedure (monthly review) – This is a detective control, identifying issues after

access is granted, not preventing them.

B . Smart lock anomaly scanning – Also detective, as it identifies suspicious behavior after access has

been used.

D . Automatic notifications for after-hours entry – A corrective control, responding to potential

violations instead of preventing them.

IIA Reference:

IIA’s GTAG on Identity and Access Management – Recommends pre-approval processes for sensitive

locations.

ISO 27001 Annex A.9 (Access Control) – Requires role-based access management for critical

infrastructures.

NIST SP 800-53 (Security and Privacy Controls for Federal Information Systems) – Defines supervisor

approval as a key preventive measure.

Before an external assessment of the internal audit activity, the CAE should agree with the board on

the qualifications and independence of the external assessor or assessment team. This ensures

credibility and compliance with the IIA’s Quality Assurance and Improvement Program (QAIP)

requirements.

Options A and B (specific audit areas or testing levels) are not matters for board approval in external

assessments. Option D (specialized skills) is relevant but not as essential as overall qualifications and

competence.

Reference:

IIA Standards – Standard 1312: External Assessments; Practice Advisory 1312-1.