Helping Hand Questions for IIA-CIA-Part3

Integration testing is a phase in the software development lifecycle (SDLC) where individual components or systems are combined and tested as a group to ensure they work together correctly.

Ensures Component Compatibility – Confirms that different software modules and hardware components function correctly when integrated.

Identifies Data Flow Issues – Ensures seamless communication between software systems, databases, and external applications.

Detects System-Wide Errors – Finds defects that unit testing (individual module testing) may miss.

Prepares for System Testing – Integration testing is conducted before full system testing to ensure subsystems work together as expected.

A. To verify that the application meets stated user requirements.

This refers to User Acceptance Testing (UAT), not integration testing.

B. To verify that standalone programs match code specifications.

This describes unit testing, where individual components are tested separately.

C. To verify that the application would work appropriately for the intended number of users.

This describes performance or load testing, which measures system behavior under high user load.

IIA’s GTAG on IT Risks and Controls – Emphasizes the role of integration testing in ensuring secure and functional IT environments.

COBIT 2019 (Governance and Management of IT) – Recommends integration testing to reduce IT system failures.

ISO/IEC 25010 (Software Quality Model) – Lists integration testing as a key quality assurance step.

Why Option D is Correct?Why Not the Other Options?IIA References:

Effective change management ensures that IT changes (such as software updates, system modifications, or infrastructure upgrades) are well-controlled, minimizing disruptions. Poor change management leads to instability, inefficiencies, and operational risks.

Unplanned Downtime (2) – Indicates that changes are being implemented without proper testing or failover planning, disrupting business operations.

Excessive Troubleshooting (3) – Suggests that changes are causing recurring issues, leading to increased workload for IT support teams.

Unavailability of Critical Services (4) – Highlights that change-related failures are affecting essential business functions, indicating improper risk assessment.

While inadequate control design is a general IT risk, it is not a direct indicator of poor change management. Instead, it relates more to weaknesses in IT governance and security frameworks.

IIA’s GTAG (Global Technology Audit Guide) on Change Management – Identifies unplanned downtime, excessive troubleshooting, and service unavailability as key red flags of poor change management.

COBIT 2019 (Governance and Management of IT) – Emphasizes structured change management to minimize disruptions.

ITIL Change Management Framework – Highlights these issues as symptoms of ineffective change control.

Why 2, 3, and 4 Are Indicators of Poor Change Management?Why Not Option 1 (Inadequate Control Design)?IIA References:✅ Final Answer: D. 2, 3, and 4 only.

The issue described suggests a systemic authorization flaw, where users gain unrestricted access once logged in. This points to an improperly configured authorization system, which should enforce role-based or least-privilege access to restrict users based on their job responsibilities.

(A) Incorrect – The authentication process relies on a simple password only, which is a weak method of authorization.

While weak authentication is a security risk, the issue described relates to excessive access permissions, not weak login credentials.

(B) Correct – The system authorization of the user does not correctly reflect the access rights intended.

The problem is that users have access to all functionality, which indicates an authorization issue, not an authentication flaw.

Proper role-based access controls (RBAC) should limit user permissions based on job functions.

(C) Incorrect – There was no periodic review to validate access rights.

While periodic reviews are important for detecting unauthorized access, the issue here is a system-level authorization design flaw rather than a failure in periodic reviews.

(D) Incorrect – The application owner apparently did not approve the access request during the provisioning process.

Even if an access request was approved incorrectly, the broader issue remains that all users have unrestricted access, which suggests a system misconfiguration rather than a single provisioning error.

IIA’s GTAG (Global Technology Audit Guide) – Access Control and Authorization

Emphasizes the need for role-based access control (RBAC) to prevent unauthorized access.

COBIT Framework – IT Security Governance

Discusses proper authorization mechanisms to align system access with business needs.

NIST Cybersecurity Framework – Access Management Controls

Recommends restricting access rights based on the principle of least privilege (PoLP).

Analysis of Answer Choices:IIA References and Internal Auditing Standards:

According to the International Standards for the Professional Practice of Internal Auditing, when significant risk exposures remain unaddressed after a follow-up engagement, the CAE must first discuss the matter with the appropriate level of management responsible for the area. The purpose is to determine whether there is a valid reason for not implementing the recommended corrective actions, to clarify management’s perspective, and to encourage timely resolution.

If management still refuses to act and the risk remains high, the CAE must then escalate the issue to senior management and, if necessary, to the board. Immediate escalation to the board without first discussing with management is inappropriate, as it bypasses the chain of accountability. Reporting directly to external auditors is also not the responsibility of the CAE unless specifically mandated by regulation or law.

Therefore, the correct initial step is to discuss the issue with management responsible for the risk area (Option B).