Legit IIA-CIA-Part3 Exam Download

A preventive control is designed to stop security breaches before they happen. In data center security, preventing unauthorized physical access is crucial.

Prevents Unauthorized Entry – Restricts access only to authorized personnel.

Tracks and Logs Access – Records who enters and exits the data center, enhancing security monitoring.

Enhances Security Layers – Often combined with biometric authentication or PINs for stronger access control.

Meets IT Security Standards – Aligns with ISO 27001, NIST, and IIA’s GTAG recommendations on physical security.

A. Motion detectors – These are detective controls, identifying movement but not preventing unauthorized access.

C. Security cameras – Also detective, as they record events but do not prevent physical breaches.

D. Monitoring access to data center workstations – This ensures data integrity but does not prevent physical access.

IIA’s GTAG (Global Technology Audit Guide) on Information Security – Recommends strong physical access controls like key cards.

NIST SP 800-53 (Security and Privacy Controls for Federal Information Systems) – Emphasizes access control as a preventive security measure.

ISO 27001 Annex A.11 (Physical and Environmental Security) – Requires access control for secure areas, including data centers.

Why Key Card Access is the Best Preventive Control?Why Not the Other Options?IIA References:

When an organization integrates governance, risk, and compliance (GRC) activities into a centralized technology-based resource, enterprise governance must ensure that the system:

Supports strategic decision-making by the board and senior management.

Provides accurate, reliable, and quality information to demonstrate an effective governance framework.

Aligns with IIA Standard 2110 – Governance, which requires auditors to assess whether the organization’s governance structure supports accountability, transparency, and effective decision-making.

(A) The board should be fully satisfied that there is an effective system of governance in place through accurate, quality information provided. (Correct Answer)

Governance is about ensuring that stakeholders, particularly the board, have confidence in the organization's control environment and decision-making process.

IIA Standard 2110 (Governance) states that internal auditors must evaluate the adequacy and effectiveness of governance structures.

A GRC system should ensure transparency, accountability, and quality reporting to enable strategic governance oversight.

(B) Compliance, audit, and risk management can find and seek efficiencies between their functions through integrated information reporting.

While improving efficiency is a benefit of a GRC system, it is a secondary objective, not a primary enterprise governance concern.

(C) Key compliance and risk metrics can be tracked and compared throughout the enterprise, aiding in identifying problem departments.

Tracking risk metrics is useful but does not directly address governance at the board level, making this answer incomplete.

(D) Data analytics can be utilized for trending of the data to ensure that patterns and ongoing monitoring occurs throughout the organization.

Analytics support monitoring, but the core governance concern is ensuring the board’s confidence in the system.

IIA Standard 2110 – Governance: Internal auditors must assess whether governance processes are effective.

GTAG 1 – Information Technology Risks and Controls: IT governance must provide quality, reliable information for decision-making.

COSO ERM Framework: Emphasizes governance as a key driver of enterprise risk management.

Analysis of Each Option:IIA References Supporting the Answer:Thus, the correct answer is (A) because effective enterprise governance relies on accurate and high-quality information for strategic decision-making.

Strong Security Governance Requires Well-Defined Policies:

Cybersecurity governance is built upon clear, documented, and enforceable security policies that outline expectations, roles, responsibilities, and processes.

Policies define acceptable behaviors, security controls, incident response, and compliance requirements.

IIA Standard 2110 - Governance: Requires organizations to establish effective IT security governance, including policies that address cybersecurity risks.

IIA GTAG (Global Technology Audit Guide) on Information Security Governance:

Recommends that clear policies should guide security controls, user access, and incident response to address cybersecurity threats.

A. Inventory of information assets (Incorrect)

While identifying critical information assets is essential for risk management, it does not constitute security governance on its own.

Asset inventories support governance but must be reinforced by policies that define how data should be protected.

B. Limited sharing of data files with external parties (Incorrect)

Restricting data sharing is a control measure, not a governance principle.

Policies define when, how, and under what conditions data can be shared securely.

C. Vulnerability assessment (Incorrect)

Assessments help identify security gaps but do not establish governance.

Effective governance ensures that vulnerabilities are identified, prioritized, and remediated in accordance with policies.

Explanation of Answer Choice D (Correct Answer):Explanation of Incorrect Answers:Conclusion:To ensure strong security governance, organizations must have clearly defined security policies (Option D) as a foundation for managing cybersecurity threats.

IIA References:

IIA Standard 2110 - Governance

IIA GTAG - Information Security Governance

Under International Financial Reporting Standards (IFRS 10 – Consolidated Financial Statements), an entity is required to consolidate its financial statements based on the control principle rather than ownership percentage alone.

Why Option B (Control ownership) is Correct:

According to IFRS 10, consolidation is required when an entity has control over another entity.

Control is defined as having power over the investee, exposure to variable returns, and the ability to influence those returns.

Even if an entity owns less than 50% of voting rights, it may still have control through contractual arrangements, rights over key decisions, or majority board influence.

Why Other Options Are Incorrect:

Option A (Variable entity approach):

This is a concept used in U.S. GAAP (ASC 810 – Variable Interest Entities) rather than IFRS. IFRS focuses on the broader control model.

Option C (Risk and reward):

IFRS previously considered risk and reward under IAS 27/SIC-12, but IFRS 10 replaced this with the control model.

Option D (Voting interest):

Voting rights alone do not determine consolidation under IFRS. Control can exist even without majority voting rights through contractual arrangements or potential voting rights.

IFRS 10 – Consolidated Financial Statements: Defines the principle of control for consolidation.

IIA GTAG – "Auditing Financial Reporting Risks": Discusses the impact of IFRS consolidation principles.

COSO ERM Framework: Emphasizes risk assessment in financial reporting, including consolidation decisions.

IIA References:Thus, the correct answer is B. Control ownership.