IIA-CIA-Part3 Exam Dumps : Business Knowledge for Internal Auditing

The issue described suggests a systemic authorization flaw, where users gain unrestricted access once logged in. This points to an improperly configured authorization system, which should enforce role-based or least-privilege access to restrict users based on their job responsibilities.

(A) Incorrect – The authentication process relies on a simple password only, which is a weak method of authorization.

While weak authentication is a security risk, the issue described relates to excessive access permissions, not weak login credentials.

(B) Correct – The system authorization of the user does not correctly reflect the access rights intended.

The problem is that users have access to all functionality, which indicates an authorization issue, not an authentication flaw.

Proper role-based access controls (RBAC) should limit user permissions based on job functions.

(C) Incorrect – There was no periodic review to validate access rights.

While periodic reviews are important for detecting unauthorized access, the issue here is a system-level authorization design flaw rather than a failure in periodic reviews.

(D) Incorrect – The application owner apparently did not approve the access request during the provisioning process.

Even if an access request was approved incorrectly, the broader issue remains that all users have unrestricted access, which suggests a system misconfiguration rather than a single provisioning error.

IIA’s GTAG (Global Technology Audit Guide) – Access Control and Authorization

Emphasizes the need for role-based access control (RBAC) to prevent unauthorized access.

COBIT Framework – IT Security Governance

Discusses proper authorization mechanisms to align system access with business needs.

NIST Cybersecurity Framework – Access Management Controls

Recommends restricting access rights based on the principle of least privilege (PoLP).

Analysis of Answer Choices:IIA References and Internal Auditing Standards:

When evaluating a special order, the manufacturer must determine if accepting it will be profitable without disrupting normal operations. The key consideration is whether the company has spare production capacity to handle the order without increasing fixed costs.

Correct Answer (B - The Manufacturer Can Fulfill the Order Without Expanding Production Facilities)

Fixed costs ($3 per unit) are already incurred and will not change if the order is accepted.

The special price ($7 per unit) covers the variable costs ($5 per unit), contributing $2 per unit to profit.

If the manufacturer has excess production capacity, the order is profitable.

The IIA Practice Guide: Auditing Financial Performance emphasizes that special order decisions should be based on incremental cost analysis, ensuring no need for capacity expansion.

Why Other Options Are Incorrect:

Option A (Fixed and Variable Manufacturing Costs Are Less Than the Special Offer Selling Price):

Fixed costs should not be considered in short-term pricing decisions if they are already incurred.

Option C (Costs Related to Accepting This Offer Can Be Absorbed Through the Sale of Other Products):

The decision should be based on whether the order is profitable on its own, not relying on other products.

Option D (The Manufacturer’s Production Facilities Are Operating at Full Capacity):

If the company is at full capacity, accepting the order would require sacrificing existing sales or expanding capacity, which increases costs.

IIA Practice Guide: Auditing Financial Performance – Discusses cost analysis for special pricing decisions.

IIA GTAG 13: Business Performance – Covers incremental cost and profitability analysis in pricing decisions.

Step-by-Step Explanation:IIA References for Validation:Thus, B is the correct answer because accepting the order is only profitable if the manufacturer has excess capacity.