📚 Internal Audit Exam Prep

ACCT 3233/7233 · LSU · IIA Standards, Cybersecurity Risk & ITGC Testing

📋 Master Study Guide

Exam Tips: 70 questions covering all 3 slide decks + 3 readings. Focus on definitions, frameworks, the IIA 2024 structure, CIA Triad, ITGC testing types, the Four C's of findings, and the thematic connections between Solzhenitsyn, Didion, Milgram and the IIA ethics principles.
Big Picture

The Three Topic Areas

1. IIA Standards
2024 IPPF • 5 Domains • 15 Principles • 52 Standards • Topical Requirements
2. Cybersecurity Risk
CIA Triad • Attack surface • Defense in Depth • Org Pathologies • IIA Topical Req
3. ITGC Testing
Positive/Negative • TOD/TOE • Sampling • Risk Ratings • Finding Structure

⚡ Quick-Reference Flash Facts

IIA 2024 Architecture
  • 5 Domains, 15 Principles, 52 Standards
  • Domain I – Purpose (Why we exist)
  • Domain II – Ethics & Professionalism
  • Domain III – Governing the Function
  • Domain IV – Managing the Function
  • Domain V – Performing Services
  • Old "Attribute" / "Performance" categories are gone
Domain I Purpose

Internal auditing provides 4 services:

  • Assurance – independent evaluation
  • Advice – recommendations to improve
  • Insight – deeper understanding
  • Foresight – anticipating emerging risks ⭐ NEW in 2024

Goal: create, protect, and sustain value

Domain II – 5 Ethics Principles
  • P1 – Demonstrate Integrity (Kant's categorical imperative)
  • P2 – Maintain Objectivity (Husserl's epoché – bracket assumptions)
  • P3 – Demonstrate Competency (Aristotle's phronesis – practical wisdom)
  • P4 – Exercise Due Professional Care (Hume – can't test everything)
  • P5 – Maintain Confidentiality
Domain III – Governance
  • P6 – Authorized by the Board (charter = source of authority)
  • P7 – Positioned Independently (CAE reports to board)
  • P8 – Overseen by the Board
  • Most significant change in 2024 – boards have explicit responsibilities
  • Defines "Essential Conditions" boards must provide
Domain IV – Managing
  • P9 – Plan Strategically (risk-based)
  • P10 – Manage Resources
  • P11 – Communicate Effectively
  • P12 – Enhance Quality (QAIP required)
  • External Quality Assessment every 5 years, requires active CIA
  • No more "audit everything every 3 years" cyclical approach
Domain V – Performing Services
  • P13 – Plan Engagements
  • P14 – Conduct Work (Four C's of Findings)
  • P15 – Communicate & Monitor
  • New term: "conclusion" replaces "opinion"
  • Engagement effort split: Planning 20-30% / Fieldwork 40-50% / Reporting 15-20% / F/U ongoing
⭐ Must Memorize

The Four C's of Findings (Domain V)

  • Condition – What IS (the actual situation found)
  • Criteria – What SHOULD BE (the standard/policy)
  • Cause – WHY the gap exists
  • Consequence – WHY it matters (the risk/impact)

Three Lines Model:

  • 1st Line – Management (owns risk day-to-day)
  • 2nd Line – Risk & Compliance (monitors/supports)
  • 3rd Line – Internal Audit (independent assurance to board)
  • Governing Body – accountability to stakeholders

🔒 Cybersecurity Risk Key Concepts

CIA Triad
  • Confidentiality – only authorized access; threats: breaches, eavesdropping
  • Integrity – accurate, unaltered data; threats: tampering, MITM attacks
  • Availability – accessible when needed; threats: DDoS, ransomware
Audit tip: Every control should map to ≥1 CIA objective
Why Cyber Risk is Different
  • Adversarial – intelligent actor actively probes (not passive like market risk)
  • Asymmetric – attacker needs 1 weakness; defender must protect everything
  • Evolving – threat landscape changes daily
  • Invisible – breaches often undetected for months
  • Interconnected – your security = your vendors' security
Defense in Depth Layers
  • Preventive – firewalls, patching, encryption, access controls
  • Detective – SIEM, IDS/IPS, log monitoring, anomaly detection
  • Corrective – incident response, backup/restore, DR
  • Layers: Network → Endpoint → Application → Data → Human → Governance
4 Organizational Pathologies
  • #1 Ownership Gap – no one knows who owns a system (e.g., Target 2013 HVAC vendor)
  • #2 Security vs. Business – speed vs. control; CISO reporting line matters
  • #3 Compliance Trap – compliance ≠ security (Equifax was PCI compliant when breached)
  • #4 Learned Helplessness – "if they want in, they'll get in" fatalism; fundamentals still matter
IIA Cybersecurity Topical Requirement
Released: Feb 5, 2025
Effective: Feb 5, 2026
First Topical Requirement under 2024 IPPF
Maps to NIST & COBIT
When it applies:
  • Cybersecurity is in audit plan
  • Cyber risks emerge during engagement
  • Management/board requests cyber audit
3 Domains:
  • Governance
  • Risk Management
  • Controls

Must document applicability & rationale for exclusions

🖥️ ITGC Testing Key Concepts

Positive vs. Negative Testing
  • Positive – "Did the control work when it should?" → Testing the happy path (verifying approvals, timelines)
  • Negative – "Did the control block what it should?" → Testing guardrails (can terminated users log in? self-approve?)
  • Key point: Positive testing alone creates false confidence
Test of Design (TOD)

Evaluates if the control can work (the blueprint):

  • Precision – is the control specific enough?
  • Completeness – does it cover all scenarios?
  • Authority – are the right people involved?

"A flawed blueprint can never produce a sound structure"

Design vs. OE Failures
  • Design Failure – control CAN'T work; blueprint is flawed. Remedy: process redesign
  • OE Failure – control DIDN'T work; good design, bad execution. Remedy: training, monitoring, automation
  • Critical: Don't prescribe training for a design problem
Sampling Framework
  • Random – equal probability; good for large homogeneous populations
  • Stratified – subgroups by risk; best practice with census for high-risk strata
  • Haphazard – judgment-based; not statistically valid
  • Census – 100% testing; use for critical controls, small populations
  • Privileged users, SoD conflicts → census (100%)
Sample Size Table (AICPA/PCAOB Guidance)
Frequency | Low Risk | Moderate Risk | High Risk
Annual | 1 | 1 | 1
Quarterly | 2 | 2-3 | 4
Monthly | 2-3 | 4-6 | 8-12
Weekly | 5-9 | 10-15 | 20-25
Daily | 10-15 | 20-30 | 40-60
Per occurrence | 25 | 40 | 60
Risk Ratings (External vs. Internal)

External (SOX/PCAOB):

  • Material Weakness – reasonable possibility of material misstatement → adverse ICFR opinion
  • Significant Deficiency – less than MW but merits attention → report to Audit Committee
  • Control Deficiency – design/operation gap

Internal (IIA-aligned): Critical/High, Medium, Low

Assurance vs. Advisory Services

Assurance: 3 parties (auditor, auditee, stakeholders); auditor sets scope; formal conclusions; skepticism default. Examples: SOX testing, compliance reviews

Advisory: 2 parties (auditor + client); client sets scope; recommendations only (no "opinion"); collaboration posture. Examples: M&A due diligence, process design

Warning: Advisory on a process may impair objectivity for future assurance on the same process
Common Topical Requirements (New 2024 IPPF)

Mandatory when in scope. Effective 12 months after issuance. Must document which apply and rationale for any exclusions.

Cybersecurity – governance, risk, controls, incident response
IT Governance – tech strategy, performance, risk
Privacy Risk Management – GDPR, CCPA compliance
Third-Party Management – vendor risk, due diligence
Sustainability & ESG – climate, DEI metrics
More coming… as risks evolve
⭐ Key Philosophical Connections (Your professor clearly loves these):
Integrity → Kant's Categorical Imperative | Objectivity → Husserl's Epoché | Competency → Aristotle's Phronesis | Due Care → Hume's Induction Problem | Findings → Heidegger's Aletheia (unconcealment/truth) | Standards → Plato's Forms

🔒 Cybersecurity Risk Deep Dive

Core Concept

Cyber risk is adversarial — an intelligent actor actively probes for weaknesses and adapts to your defenses. Most risks are passive; cyber risk is not. Hobbes: cyberspace is close to the "war of all against all."

CIA Triad

Confidentiality

Info accessible only to authorized users. Protection against unauthorized disclosure.

Threats: Data breaches, unauthorized access, eavesdropping

Integrity

Info/systems accurate, complete, unaltered except by authorized actions. Protection against unauthorized modification.

Threats: Data tampering, malware, man-in-the-middle attacks

Availability

Info/systems accessible when needed. Protection against disruption.

Threats: DDoS attacks, ransomware, system failures

Modern Enterprise Attack Surfaces

On-Premises Infrastructure – data centers, servers, legacy systems. Often decades old, poorly documented.
Cloud Services – IaaS, PaaS, SaaS. Shared responsibility models. Shadow IT proliferates faster than governance.
Endpoints – laptops, mobile, IoT, printers, cameras. Each a potential entry point.
Third-Party Connections – vendors, partners, APIs. Your security = your weakest vendor.
Identity & Access – Active Directory, SSO, MFA, privileged accounts. "The keys to the kingdom."
The Invisible Layer – shadow IT, personal devices, forgotten test systems. What you don't know CAN hurt you.

Defense in Depth

Control Type | Purpose | Examples
Preventive | Stop attacks before they succeed | Firewalls, access controls, encryption, patching, security awareness
Detective | Identify attacks in progress or after | SIEM, IDS/IPS, log monitoring, anomaly detection, threat hunting
Corrective | Respond and recover | Incident response, backup/restore, disaster recovery, forensics

4 Organizational Pathologies

Pathology #1
Ownership Gap – Who owns this system? Unowned systems don't get patched. Real example: Target 2013 breach via HVAC vendor. Audit: asset inventory, clear ownership assignment, orphan system process.
Pathology #2
Security vs. Business Tension – Business wants speed; security wants control. CISO reporting line signals organizational priorities. Shadow IT bypasses controls. Rational actors optimize for what's measured.
Pathology #3
The Compliance Trap – Compliance ≠ Security. Equifax, Target, Capital One were all compliant when breached. Attackers don't check compliance status. Organizations optimize for passing audits, not actual security.
Pathology #4
Learned Helplessness – "If they want in, they'll get in." Most breaches are NOT sophisticated — stolen credentials, phishing, unpatched systems. Verizon DBIR confirms: fundamentals prevent most breaches. Stoic wisdom: focus on what you can control.

IIA Cybersecurity Topical Requirement (2025)

Domain | Focus Areas | Key Question
Governance | Board oversight, strategy, policies, roles, resource allocation | Does leadership own cybersecurity?
Risk Management | Asset ID/classification, threat assessment, risk appetite, third-party risk | Do they know what they're protecting?
Controls | IAM, network security, data protection, monitoring, incident response, DR | Are the controls actually working?

📜 IIA 2024 Standards Deep Dive

Architecture

5 Domains · 15 Principles · 52 Standards

Old "Attribute" and "Performance" categories are eliminated. New structure is cleaner, governance-focused.

All 15 Principles by Domain

Domain | # | Principle | Key Concept
I – Purpose | | Why IA exists | Assurance, Advice, Insight, Foresight (NEW)
II – Ethics | P1 | Integrity | Kant – categorical imperative; truthful even when difficult
II – Ethics | P2 | Objectivity | Husserl – epoché; bracket assumptions; manage confirmation bias
II – Ethics | P3 | Competency | Aristotle – phronesis; know what you don't know; use specialists
II – Ethics | P4 | Due Professional Care | Hume – can't test everything; sample intelligently; document reasoning
II – Ethics | P5 | Confidentiality | Protect info; breach once = never get candid info again
III – Governing | P6 | Authorized by Board | Charter = source of authority; board approves mandate
III – Governing | P7 | Positioned Independently | CAE reports functionally to board; structural independence
III – Governing | P8 | Overseen by Board | Board approves plan, budget, resources; they're accountable too
IV – Managing | P9 | Plan Strategically | Risk-based audit plan; dynamic, not cyclical
IV – Managing | P10 | Manage Resources | People, tech, budget; document when insufficient
IV – Managing | P11 | Communicate Effectively | Bidirectional; listen as much as inform
IV – Managing | P12 | Enhance Quality | QAIP; EQA every 5 years with active CIA required
V – Performing | P13 | Plan Engagements | Understand activity, risk assessment, define scope, work program
V – Performing | P14 | Conduct Work | Gather evidence, Four C's, recommendations, conclusions
V – Performing | P15 | Communicate & Monitor | No surprises; confirm implementation; follow-up

Assurance vs. Advisory

Assurance Services
  • 3 parties: auditor, auditee, stakeholders
  • Auditor determines scope
  • Results in formal conclusions
  • Skepticism is the default posture
  • Examples: SOX testing, operational audits, compliance reviews
Advisory Services
  • 2 parties: auditor + client
  • Client typically sets scope
  • Results in recommendations (no "opinion")
  • Collaboration is the posture
  • Examples: M&A due diligence, process design, training

The Engagement Lifecycle

Planning (20-30%) – Most audit failures are planning failures. Understand the business first. Talk to process owners early.
Fieldwork (40-50%) – Document as you go. When something "feels off," dig. That instinct is often correct.
Reporting (15-20%) – No surprises in the final report. Management responses are their words. "Conclusion" not "opinion."
Follow-up (Ongoing) – An untracked recommendation is a wasted recommendation. This is where audit demonstrates it has teeth.

The Three Lines Model

Line | Who | Role | Reports To
1st Line | Management (Operations, IT, HR) | Owns risk and controls day-to-day | Senior Management
2nd Line | Risk & Compliance (ERM, Legal, Security) | Supports, monitors, provides expertise | Senior Management
3rd Line | Internal Audit | Independent assurance on governance, risk, controls | Board/Audit Committee
Governing Body | Board | Accountability to stakeholders | Stakeholders
Key: Lines should collaborate but maintain distinct roles. IA can rely on 2nd line work but must independently verify before reporting conclusions.

🖥️ ITGC Testing Deep Dive

Positive vs. Negative Testing

Positive Testing

"Did the control work when it should have?"

Testing the happy path. Select legitimate transactions and verify approvals obtained, within timeframes, by authorized individuals, with proper documentation.

Limitation: Positive testing alone creates false confidence. A control that approves everything but blocks nothing is useless.

Negative Testing

"Did the control prevent what it should have?"

Testing the guardrails. Attempt to bypass: Can terminated users log in? Can users self-approve? Does system block SoD violations? Are unauthorized changes rejected?

Test of Design (TOD) – The Blueprint Test

Core question: "If everyone followed this control perfectly, would it actually prevent or detect the risk?"

Precision – specific enough? "Manager approval" vs. "Direct manager via ServiceNow within 24 hours with documented justification"
Completeness – covers all scenarios? Contractors? Emergency access? Department transfers?
Authority – right people involved? Is a clerk approving executive access?

Sampling Methods

Method | Description | When to Use | Limitation
Random | Equal probability; use random number generator | Large, homogeneous populations | May miss high-risk items by chance
Stratified | Divide into subgroups; sample by risk | Heterogeneous populations with risk strata | Requires understanding of risk factors
Haphazard | Without specific pattern; auditor judgment | Small populations; preliminary testing | Unconscious bias; not statistically valid
Census (100%) | Test entire population | Small populations; critical controls | Time-consuming; may not be practical
Best Practice: Combine methods. Random for general population + 100% for privileged users + 100% for SoD conflicts.
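As an added example (not from the course slides or readings), the script below runs the positive test, the negative test and the stratified selection described above against constructed user-access data; every user id, ticket, date and the 2-day SLA are made-up assumptions, not figures from the page.

```python
"""ITGC user-access test: positive test, negative test, stratified sample.

Added illustration with constructed data; the ids, dates and SLA are assumptions.
"""
import random
from datetime import date

SLA_DAYS = 2                                   # assumed approval SLA
AUTHORIZED_APPROVERS = {"mgr01", "mgr02"}      # who may approve access (assumed)

# Constructed HR feed: user -> termination date
TERMINATED = {"u104": date(2024, 3, 1), "u230": date(2024, 5, 15)}

# Constructed directory export: user -> account enabled?
ACCOUNTS = {"u101": True, "u102": True, "u104": True, "u230": False, "u301": True}

# Constructed access-request tickets (the population under test)
REQUESTS = [
    {"id": "R1", "user": "u101", "requester": "u101", "approver": "mgr01",
     "requested": date(2024, 4, 1), "approved": date(2024, 4, 2), "privileged": False},
    {"id": "R2", "user": "u102", "requester": "u102", "approver": "mgr02",
     "requested": date(2024, 4, 3), "approved": date(2024, 4, 9), "privileged": False},
    {"id": "R3", "user": "u301", "requester": "u301", "approver": "u301",
     "requested": date(2024, 4, 5), "approved": date(2024, 4, 5), "privileged": True},
    {"id": "R4", "user": "u102", "requester": "u102", "approver": "clerk9",
     "requested": date(2024, 4, 6), "approved": date(2024, 4, 6), "privileged": False},
    {"id": "R5", "user": "u101", "requester": "u101", "approver": "mgr01",
     "requested": date(2024, 4, 7), "approved": None, "privileged": True},
]

# Constructed entitlements and one segregation-of-duties rule
ENTITLEMENTS = {"u101": {"AP_ENTRY"}, "u102": {"AP_ENTRY", "AP_APPROVE"}, "u301": {"ADMIN"}}
SOD_CONFLICTS = [("AP_ENTRY", "AP_APPROVE")]


def select_sample(requests, sample_size, seed=42):
    """Stratified selection: census of privileged requests, random sample of the rest."""
    privileged = [r for r in requests if r["privileged"]]
    standard = [r for r in requests if not r["privileged"]]
    rng = random.Random(seed)                  # fixed seed so the selection is reproducible
    picked = rng.sample(standard, min(sample_size, len(standard)))
    return privileged + picked


def positive_test(requests):
    """Happy path: approval present, by an authorized approver, within SLA."""
    exceptions = []
    for r in requests:
        if r["approved"] is None:
            exceptions.append((r["id"], "no approval"))
        elif r["approver"] not in AUTHORIZED_APPROVERS:
            exceptions.append((r["id"], "approver lacks authority"))
        elif (r["approved"] - r["requested"]).days > SLA_DAYS:
            exceptions.append((r["id"], "SLA breached"))
    return exceptions


def negative_test(requests, accounts, terminated, entitlements, sod_rules):
    """Guardrails: terminated users still enabled, self-approvals, SoD conflicts."""
    exceptions = []
    for user, term_date in terminated.items():
        if accounts.get(user, False):
            exceptions.append((user, f"account still enabled after termination on {term_date}"))
    for r in requests:
        if r["approver"] == r["requester"]:
            exceptions.append((r["id"], "self-approval"))
    for user, ents in entitlements.items():
        for a, b in sod_rules:
            if a in ents and b in ents:
                exceptions.append((user, f"SoD conflict: {a} + {b}"))
    return exceptions


def headline(label, exceptions, population_size):
    """Quantified headline for the report: '4 of 5', never 'several'."""
    n = len(exceptions)
    rate = 100.0 * n / population_size if population_size else 0.0
    return f"{label}: {n} of {population_size} items had exceptions ({rate:.1f}%)"


if __name__ == "__main__":
    sample = select_sample(REQUESTS, sample_size=2)
    pos = positive_test(REQUESTS)
    neg = negative_test(REQUESTS, ACCOUNTS, TERMINATED, ENTITLEMENTS, SOD_CONFLICTS)
    print("Sample:", [r["id"] for r in sample])
    print(headline("Positive test", pos, len(REQUESTS)))
    print(headline("Negative test", neg, len(ACCOUNTS)))
    for item in pos + neg:
        print("  ", item)
```

The terminated-but-enabled account and the SoD conflict never appear in the positive test's output, which is the false-confidence point: only the negative test sees them.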

Design Failure vs. Operating Effectiveness Failure

Design Failure

The control CAN'T work. The blueprint is flawed (policy doesn't exist, gaps, wrong approvers, SLA undefined).

Even perfect execution won't prevent the risk.

Remedy: Policy/process redesign

⚠️ Don't prescribe training for a design problem!

OE Failure

The control DIDN'T work. Good design, but execution failed (approvals missing, SLA breached, reviews not completed).

Remedy: Training, monitoring, automation

Audit Tick Marks

Symbol | Meaning | When to Use
 | Tested, no exception | Attribute tested and passed
 | Exception identified | Attribute tested and failed
N/A | Not applicable | Attribute doesn't apply to this item
T | Traced/Tied | Amount traced to source document
R | Recalculated | Calculation independently verified
I | Inquiry | Confirmed via inquiry
 | Inspected original | Viewed original document/screen
 | Follow-up needed | Requires additional investigation

Finding Structure: External vs. Internal

External (Management Letter)
Condition → Criteria → Cause → Effect → Recommendation
Tone: formal, regulatory. Generalized ("certain users"). High-level recommendations.
Internal (Audit Finding)
Observation Title → Background/Criteria → Observation → Risk/Impact → Recommendation (with owner + due date) → Management Response
Tone: collaborative. Named individuals. Specific actions with accountability.

Risk Ratings

Rating (External) | Definition | Consequence
Material Weakness | Reasonable possibility material misstatement not prevented/detected | Adverse ICFR opinion
Significant Deficiency | Less than MW but merits oversight attention | Report to Audit Committee
Control Deficiency | Design/operation gap not reaching SD/MW level | Management letter

8 Rules for Audit Reporting Excellence

  1. Lead with the headline (exception rate first)
  2. Quantify everything ("3 of 127" not "several")
  3. Separate fact from judgment
  4. Define your population clearly
  5. Show your math (elapsed time, calculation)
  6. Acknowledge compensating factors
  7. Make recommendations actionable
  8. Write for the skeptic

📖 Readings Deep Dive

Why these readings? Your professor paired them with the IIA Standards slides deliberately. Both essays address the same core problem: what happens to a person — and a profession — when integrity is abandoned for comfort. Read them through the lens of Principle 1 (Integrity) and Principle 2 (Objectivity).
Reading 1

Alexander Solzhenitsyn — "Live Not By Lies" (1974)

Written Moscow, February 12, 1974 — the day before his arrest and deportation from the Soviet Union. Circulated as samizdat (underground self-published literature).

The Central Argument

Solzhenitsyn argues that totalitarian power sustains itself not primarily through overt violence, but through the daily participation of ordinary people in lies. Violence and lies are symbiotic: violence needs lies to maintain a respectable face; lies need violence to be enforced. But here is the key insight — violence cannot act on every person every day. All it demands is obedience to lies and daily participation in lies.

Therefore, the simplest and most accessible act of resistance is personal non-participation in lies. Not revolution. Not mass protest. Just: refuse to say what you do not think.

Key Concepts & Quotable Ideas

The Virus Metaphor

Lies are compared to a virus: they can survive only in a living organism. When people stop participating, the lies are rendered helpless and subside. The power of the system depends entirely on individual complicity.

Spiritual Independence vs. Servitude

Solzhenitsyn frames the choice starkly: every day presents a choice between spiritual independence (truth) or spiritual servitude (lies). There is no neutral ground. Even technically-minded people working in the sciences face this choice daily.

The Fear Hierarchy

He observes that people don't even fear nuclear war or a third world war — but they deeply fear acts of civil courage: lagging behind the herd, taking one step alone, losing their job, their heating gas, their Moscow registration. Comfort is the prison.

The Minimum Path

He explicitly calls this "the most moderate of all paths of resistance" — easier than Gandhi's civil disobedience, far easier than a hunger strike or self-immolation. The flames will not touch your body. Your family can still get black bread and fresh water. The bar is low — which makes the failure to clear it all the more damning.

The Code of Conduct

He lists specific commitments: will not sign/write/print phrases that distort truth; will not utter them in public or private; will not cite out of context to please someone; will walk out of a meeting if a speaker tells lies; will not subscribe to publications that distort facts. The pattern, once started, applies itself to new cases.

Czechoslovakia & Collective Courage

He invokes Czechoslovakia — "betrayed and deceived by us" — as evidence that even an unarmed people with worthy hearts can stand up to tanks. And: if we are in thousands, they cannot do anything to anyone. If tens of thousands, we will not recognize our country. Individual choices aggregate into collective transformation.

The Pushkin Closing

He ends with contempt for those too frightened to act, quoting Pushkin: "What use to the herds the gifts of freedom? The scourge, and a yoke with tinkling bells — this is their heritage, bequeathed to every generation." Those who choose comfort over truth have no right to complain about their suffocation — they are doing it to themselves.

Connection to IIA Standards & Audit Practice

Solzhenitsyn Concept | IIA / Audit Parallel
"Personal non-participation in lies" | Standard 1.1 – Acting Honestly and Courageously; never omitting material facts from findings
"Obedience to lies" as the crux of complicity | Softening findings to protect relationships; "reframing" unfavorable results at management's request
Violence needs lies; lies need participation | Fraudulent organizations depend on auditors who look the other way or document what they're told
Fear of civil courage (losing job/comfort) | Practitioner pressure: "could we reframe this?" — the auditor who backs down under pressure
Spiritual independence vs. servitude | Every audit engagement is a choice between objective reporting and management appeasement
The code of conduct list | The IIA Code of Ethics; the specific prohibitions in Standards 1.1, 2.1
Kant's categorical imperative (referenced in slides) | If all auditors softened findings, the profession collapses — same logic as Solzhenitsyn
Reading 2

Joan Didion — "On Self-Respect" (1961)

Originally published in Vogue; later collected in Slouching Towards Bethlehem. Uses "negative definition" — defining the concept largely through what it is not.

The Central Argument

Didion argues that self-respect is fundamentally an internal standard, having nothing to do with others' approval or reputation. Its source is character — the willingness to accept responsibility for one's own life. Without it, one becomes an unwilling audience to an interminable documentary of one's own failures, and eventually runs away from oneself to find no one at home.

Self-deception, she argues, is the most difficult deception — far harder to overcome than deceiving others. The tricks that work on others count for nothing in the well-lit back alley where one keeps assignations with oneself.

Key Concepts & Quotable Ideas

The Opening Anecdote

She begins with not being elected to Phi Beta Kappa — a failure predictable, unambiguous. She had thought herself exempt from cause-and-effect relationships that hampered others. That day marked the end of something: the loss of the comfortable conviction that lights would always turn green for her.

Self-Respect ≠ Approval / Reputation

Self-respect has nothing to do with the approval of others — who are, after all, deceived easily enough. It has nothing to do with reputation, which, as Rhett Butler told Scarlett O'Hara, is something people with courage can do without. No winning smiles or prettily drawn lists of good intentions will do here.

Character as the Source

"Character — the willingness to accept responsibility for one's own life — is the source from which self-respect springs." People with self-respect have the courage of their mistakes: they do not seek absolution, do not complain unduly of unfairness. They exhibit moral nerve — what was once called character.

The Interminable Documentary

To live without self-respect is to be an unwilling audience to a documentary of one's own failings — fresh footage spliced in for every screening. Counting the sins of commission and omission, the trusts betrayed, the promises broken, the gifts wasted through sloth or cowardice. Eventually one lies down alone in that notoriously uncomfortable bed we make ourselves.

Jordan Baker vs. Julian English

Jordan Baker (careless, dishonest in The Great Gatsby) had self-respect — she made her own peace, avoided threats to that peace. Julian English (careless, suicidal in Appointment in Samarra) did not. The paradox: the outwardly dishonest person had it; the seemingly respectable one was hollow. Self-respect is not correlated with conventional virtue.

Discipline as Practice

Self-respect is a discipline, a habit of mind — it can be developed, trained, coaxed forth. Small disciplines represent larger ones — not for the ritual itself but as a way of remembering who and what we are. It is difficult to continue fancying oneself Cathy in Wuthering Heights with one's head in a paper bag.

Alienation from Self

In its advanced stages, alienation from self means we no longer answer the telephone — someone might want something. We cannot say no without drowning in self-reproach. Every encounter demands too much. Without self-respect, one eventually runs away to find oneself and finds no one at home.

The Intrinsic Worth Thesis

To have that sense of intrinsic worth is potentially to have everything: the ability to discriminate, to love, and to remain indifferent. To lack it is to be locked within oneself — paradoxically incapable of either love or indifference. Without it, we despise those who have so few resources as to consort with us.

Connection to IIA Standards & Audit Practice

Didion Concept | IIA / Audit Parallel
Self-respect ≠ approval of others | Principle 2 (Objectivity) — independence not just attitudinal but structural; not seeking management approval
Character = accepting responsibility for one's own life | Principle 1 (Integrity) — the willingness to own unfavorable findings without softening them
Discipline as habit of mind | Principle 4 (Due Professional Care) — skepticism not as instinct but as cultivated practice
Courage of one's mistakes | Auditors who acknowledge their own errors in prior work rather than burying them
The "interminable documentary" | The auditor who compromised integrity — each watered-down finding replays in professional memory
Small disciplines represent larger ones | Documentation rigor, tick marks, referencing every exhibit — small habits that hold when under pressure
Self-deception is the most difficult deception | Confirmation bias (Principle 2 — most dangerous bias is finding what you expect to find)

The Cross-Essay Synthesis

⭐ The Big Picture — Why Both Essays Together

What they share:

  • Both locate integrity in an internal standard, not external approval or consequences
  • Both identify complicity with comfortable falsehood as the central moral failure
  • Both argue the minimum act — simply refusing to say what you don't think / accepting responsibility — is within everyone's reach
  • Both connect individual choices to collective outcomes

Applied to auditing:

  • Solzhenitsyn: the auditor who softens a finding is participating in lies — the profession depends on non-participation
  • Didion: the auditor who seeks management approval lacks self-respect in the deepest sense — and will eventually find no one home
  • Together: the IIA's five ethics principles are not bureaucratic rules but descriptions of what an integrated person looks like — someone who has internalized Solzhenitsyn's refusal and Didion's discipline
  • Heidegger's aletheia (unconcealment) = Solzhenitsyn's insistence that the naked truth be allowed to appear naked
Likely exam angle: Expect questions that ask you to connect a specific passage concept (the virus metaphor, the interminable documentary, Jordan Baker's self-respect) to an IIA principle or to the auditor's real-world situation. Your professor is testing whether you read with the slides in mind.
Reading 3

Stanley Milgram — "The Perils of Obedience" (1973)

Published in Harper's Magazine, December 1973. Adapted from Obedience to Authority. Written in direct response to Hannah Arendt's coverage of the Eichmann trial and her concept of the "banality of evil."

The Central Argument

Milgram set out to test empirically what philosophers and historians had theorized: how far will ordinary people go when ordered to harm another person by an authority figure? His answer was disturbing — and directly relevant to anyone who works inside an institution. Most people will comply with harmful orders not because they are sadistic, but because they have entered what Milgram calls the agentic state: they come to view themselves as instruments of another's will, and therefore no longer hold themselves responsible for the content of their actions.

This is, Milgram argues, the most fundamental lesson of his study: ordinary people, simply doing their jobs, without any particular hostility, can become agents in a terrible destructive process.

The Experiment — Design & Results

The Setup

Two people come to a Yale psychology lab to take part in a study of "memory and learning." One is designated Teacher (the real, naïve subject); the other a Learner (actually an actor/confederate). The Learner is strapped into a chair with an electrode on his wrist. The Teacher sits before a shock generator with 30 switches ranging from 15 to 450 volts, labeled from "Slight Shock" through "Danger: Severe Shock" to simply "XXX."

Each wrong answer from the Learner requires the Teacher to administer a shock of increasing intensity. The Learner — who receives no actual shock — follows a script: grunts at 75V, complains at 120V, demands to be released at 150V, goes silent after 330V.

The Findings

Predicted: Psychiatrists, college students, and middle-class adults all forecast that virtually all subjects would refuse. Psychiatrists specifically predicted only a pathological fringe of ~1 in 1,000 would reach 450 volts.

Actual: 25 of 40 subjects (62.5%) obeyed to the maximum 450-volt shock. Results replicated across Yale undergrads, New Haven community members, and internationally — Munich: 85% obedient. The result was the same regardless of social class, profession, or background.

Subject Profiles — Gretchen Brandt

A 31-year-old medical technician who had emigrated from Germany. At 210V she tells the experimenter firmly: "Well, I'm sorry, I don't think we should continue." When told she has no other choice, she replies: "I think we are here on our own free will. I don't want to be responsible for anything happening to him." She refuses — and the experiment is terminated. Milgram notes her behavior was "the very embodiment of what I envisioned would be true for almost all subjects."

Subject Profiles — Fred Prozi

Unemployed, about 50. Becomes increasingly agitated as the voltage climbs but continues obeying. At 375V the subject stands up. Prozi insists something has happened to the man in there. He continues all the way to 450V — but not from indifference. He is visibly distressed, asking the experimenter who will take responsibility. The experimenter replies: "The responsibility is mine." Prozi continues. The subjects excused their behavior by saying responsibility belonged to the man who actually pulled the switch.

Key Concepts

The Agentic State

The essence of obedience: a person comes to view himself as the instrument for carrying out another person's wishes, and therefore no longer regards himself as responsible for his actions. Once this critical shift of viewpoint has occurred, all the essential features of obedience follow. The subordinate's morality doesn't disappear — it acquires a radically different focus: shame or pride based on how adequately he has performed the actions called for by authority.

The Banality of Evil (Arendt Connection)

Hannah Arendt contended that the prosecution's effort to depict Eichmann as a sadistic monster was wrong — he came closer to being an uninspired bureaucrat who simply sat at his desk and did his job. Milgram's data confirms: the ordinary person who shocked the victim did so out of a sense of obligation — an impression of his duties as a subject — and not from any peculiarly aggressive tendencies. "The subjects do not derive satisfaction from inflicting pain, but they often like the feeling they get from pleasing the experimenter."

Diffusion of Responsibility

In a variation where the subject only administered the word-pair test while another person pulled the shock lever, 37 of 40 adults continued to the highest level — excusing their behavior by saying responsibility belonged to the man who actually pulled the switch. This illustrates a dangerously typical arrangement in complex organizations: it is easy to ignore responsibility when one is only an intermediate link in a chain of action. No one is confronted with the full consequences of his decision to carry out the evil act.

What Reduces Obedience

Physical presence of authority: When orders were given by telephone instead of in person, obedience dropped to roughly one-third of normal levels.

Conflicting authority: When two experimenters of equal status gave incompatible orders, no shocks were delivered past the point of their disagreement.

Rebellious peers: When two other "teachers" (actors) disobeyed and refused to continue, 36 of 40 real subjects joined them and refused as well. One voice of dissent drastically changes the moral landscape.

Connection to IIA Standards & Audit Practice

Milgram Concept → IIA / Audit Parallel

  • The agentic state — "I'm just carrying out instructions" → Standard 1.1 (Integrity) — "I just did what the partner told me" is not a defense; auditors retain personal responsibility for their work
  • Diffusion of responsibility in a chain of action → In complex audit engagements, each person signs only one workpaper — but the collective failure belongs to all; "someone else checked it" is not sufficient
  • Obedience drops sharply without physical presence → Remote/hybrid audit teams; the importance of direct engagement with management rather than purely email/documentation trails
  • One rebellious peer collapses obedience → Speak-up culture; the IIA's expectation that auditors report impairments to independence; a single auditor voicing concern changes the room
  • Subjects comply out of duty, not sadism → Audit failures are rarely malicious — they are the product of incremental compliance: each small compromise feels manageable until the finding is unrecognizable
  • The banality of evil — bureaucrat at his desk → The auditor who processes 40 workpapers a day without engaging judgment is Eichmann at his desk — technically compliant, morally vacant
  • Experimenter's authority was fragile — no real power to enforce → Management pressure on audit findings is similarly fragile if the auditor simply refuses to capitulate; authority depends on the subject's continued consent

The Cross-Essay Synthesis — All Three Readings

⭐ The Big Picture — Why All Three Essays Together

What they share:

  • All three locate moral failure in ordinary people yielding to structure, authority, or the desire for approval — not in monsters or exceptional cases
  • All three argue the individual retains a genuine choice that determines their moral identity
  • Solzhenitsyn & Didion: integrity is an internal standard, not calibrated to external approval
  • Milgram & Solzhenitsyn: ordinary compliance enables large-scale harm — no malice required, only obedience
  • All three connect individual choices to collective outcomes — one person refusing changes the dynamic

Applied to auditing:

  • Solzhenitsyn: the auditor who softens a finding is participating in lies — the profession depends on non-participation
  • Didion: the auditor who seeks management approval lacks self-respect — and will eventually find no professional self at home
  • Milgram: the auditor who says "I just followed the manager's direction" has entered the agentic state — responsibility does not transfer upward
  • Together: the IIA's five ethics principles describe what an integrated person looks like — someone who refuses to participate in lies (Solzhenitsyn), derives standards from within (Didion), and refuses the agentic state (Milgram)
  • Heidegger's aletheia (unconcealment) = Solzhenitsyn's insistence that truth appear naked before the world = Milgram's subject who says "I won't do this" = Didion's discipline as habit of mind

Likely exam angle: Expect questions that ask you to connect a specific concept (the agentic state, the banality of evil, diffusion of responsibility, peer disobedience) to an IIA principle or real audit situation. Also expect synthesis questions requiring you to compare all three readings — what they share, where they differ, and how together they define the ethical auditor.

📝 70-Question Practice Exam

Instructions: Q1–50 cover the slide decks; Q51–60 cover Solzhenitsyn & Didion; Q61–70 cover Milgram's "The Perils of Obedience" and the connections of all three readings to the IIA standards. Each question is followed by the correct answer and its explanation.

Question 1 · IIA Standards
The 2024 Global Internal Audit Standards consist of how many domains, principles, and standards?
B is correct. The 2024 Standards have 5 Domains, 15 Principles, and 52 Standards. The old "Attribute" and "Performance" categories were eliminated.
Question 2 · IIA Standards
Which of the following is a NEW addition to the stated purpose of internal auditing in the 2024 Standards?
C is correct. "Foresight" — anticipating emerging risks and future challenges — is explicitly new in the 2024 Standards. The board now expects auditors to "see around corners."
Question 3 · IIA Standards
Kant's categorical imperative is used to illustrate which IIA Principle?
B is correct. Kant's categorical imperative ("act only as you could will to become universal law") illustrates Integrity (Principle 1). If all auditors concealed findings to protect relationships, the profession would collapse.
Question 4 · IIA Standards
Husserl's "epoché" — suspending assumptions to let evidence speak — is applied to illustrate which principle?
C is correct. Husserl's epoché (bracketing assumptions) illustrates Objectivity (Principle 2). The most dangerous bias is confirmation bias — auditors must actively look for disconfirming evidence.
Question 5 · IIA Standards
Aristotle's concept of "phronesis" (practical wisdom) is associated with which principle?
A is correct. Phronesis = practical wisdom through experience. Competency (P3) is not just certifications — it's the capacity to see what matters in a specific context and knowing when to use specialists.
Question 6 · IIA Standards
Domain III of the 2024 Standards is considered the most significant change because it:
B is correct. Domain III defines "Essential Conditions" that boards and management must provide. It made explicit what was always implicit — boards have real accountability for internal audit effectiveness.
Question 7 · IIA Standards
In the Three Lines Model, which line is responsible for independent assurance to the board?
C is correct. Internal Audit is the Third Line and provides independent assurance on governance, risk management, and controls to the board. It tests both 1st and 2nd line effectiveness.
Question 8 · IIA Standards
Which of the following correctly describes Assurance Services under the 2024 Standards?
B is correct. Assurance: 3 parties (auditor, auditee, stakeholders); auditor determines scope; results in formal conclusions (not opinions); skepticism is default. Examples: SOX testing, compliance reviews.
Question 9 · IIA Standards
Under Domain V, the 2024 Standards use which new term instead of "opinion"?
C is correct. The 2024 Standards use "conclusion" instead of "opinion" — a more accurate term for what audit work produces.
Question 10 · IIA Standards
Topical Requirements are effective how long after issuance, and what must auditors document?
C is correct. Topical Requirements are effective 12 months after issuance. Auditors must document which requirements apply to each engagement and the rationale for any exclusions.
Question 11 · IIA Standards
The External Quality Assessment (EQA) requirement under Standard 12.4 specifies:
C is correct. EQA is required every 5 years, and at least one team member must be an active CIA. This is now explicitly stated in Standard 12.4.
Question 12 · IIA Standards
Heidegger's concept of "aletheia" (unconcealment/truth) is applied to illustrate:
B is correct. Aletheia (ἀλήθεια) means unconcealment — truth as bringing what is hidden into the open. An audit finding is an act of unconcealment: making visible what the organization could not see about itself.
Question 13 · IIA Standards
Providing advisory services on a process may:
B is correct. Providing advisory services on a process may impair objectivity for future assurance engagements. Standard 7.2 requires safeguards in these situations.
Question 14 · IIA Standards
The "Four C's of Findings" framework consists of:
B is correct. The Four C's: Condition (what IS), Criteria (what SHOULD BE), Cause (WHY the gap exists), Consequence (WHY it matters / the risk or impact).
Question 15 · IIA Standards
Internal audit can rely on second-line work, but before reporting conclusions must:
B is correct. IA can coordinate with and rely on 2nd line work, but must independently verify before reporting conclusions. The lines should collaborate but maintain distinct roles.
Question 16 · Cybersecurity
What makes cyber risk fundamentally different from most other business risks?
B is correct. Most risks are passive (market volatility doesn't try to defeat your hedging strategy). Cyber risk is adversarial — an intelligent actor actively probes and adapts. This changes everything about how you assess it.
Question 17 · Cybersecurity
The CIA Triad's "Integrity" objective protects against:
C is correct. Integrity = information and systems are accurate, complete, and unaltered except by authorized actions. Threats include data tampering, malware, and man-in-the-middle attacks.
Question 18 · Cybersecurity
Which CIA Triad objective would a DDoS attack most directly threaten?
C is correct. DDoS (Distributed Denial of Service) attacks target Availability — making systems inaccessible to authorized users. Other availability threats include ransomware and system failures.
Question 19 · Cybersecurity
The "asymmetric" nature of cyber risk means:
B is correct. The fundamental asymmetry: defenders must protect everything, but attackers only need to find one weakness. This asymmetry is structural and permanent. Growth and security are in constant tension.
Question 20 · Cybersecurity
The 2013 Target data breach is cited as an example of which organizational pathology?
C is correct. The Ownership Gap: Target's HVAC vendor had network access. Who owned that relationship? Who reviewed their security? The answer was effectively "no one." Unowned relationships become attack vectors.
Question 21 · Cybersecurity
Equifax being PCI compliant when it was breached illustrates which organizational pathology?
D is correct. The Compliance Trap: Compliance ≠ Security. Equifax, Target, and Capital One all passed audits but were breached. Attackers don't check compliance status. Organizations optimize for passing audits, not actual security.
Question 22 · Cybersecurity
In a defense-in-depth model, a SIEM (Security Information and Event Management) system is an example of which control type?
B is correct. SIEM is a detective control — it identifies attacks in progress or after the fact through log monitoring and anomaly detection. Preventive controls stop attacks; corrective controls respond/recover.
Question 23 · Cybersecurity
The IIA Cybersecurity Topical Requirement was released on:
B is correct. Released February 5, 2025. Effective February 5, 2026. One year to prepare. It was the first Topical Requirement under the 2024 IPPF.
Question 24 · Cybersecurity
According to the Verizon DBIR, most breaches are caused by:
C is correct. Year after year, the Verizon DBIR shows: stolen credentials, phishing, and unpatched vulnerabilities cause most breaches. Not zero-days or AI-powered attacks — basic hygiene failures. Fundamentals beat sophistication.
Question 25 · Cybersecurity
Which of the following best describes the "learned helplessness" organizational pathology in cybersecurity?
B is correct. Learned helplessness is the fatalistic attitude that sophisticated attackers are unstoppable. The reality: most breaches exploit basic failures. Stoic wisdom — focus on what you can control. Fundamentals prevent 95% of attacks.
Question 26 · Cybersecurity
The IIA Cybersecurity Topical Requirement's three domains are:
B is correct. The three domains are: Governance (does leadership own cybersecurity?), Risk Management (do they know what they're protecting?), and Controls (are the controls actually working?). Maps to NIST and COBIT frameworks.
Question 27 · Cybersecurity
Encryption at rest and in transit is primarily a control at which defense-in-depth layer?
C is correct. The Data Layer includes encryption at rest/transit, DLP (Data Loss Prevention), classification, access controls, and backups. These protect the data itself regardless of what layer it's accessed from.
Question 28 · Cybersecurity
An internal auditor's role in cybersecurity is best described as:
B is correct. Internal audit provides independent assessment of security posture, validates controls, bridges technical teams and the board, identifies blind spots, and holds management accountable for remediation. IA is NOT a pen testing team or a guarantee against breach.
Question 29 · ITGC Testing
Positive testing of an access control verifies:
B is correct. Positive testing = "Did the control work when it should have?" — testing the happy path. Select legitimate transactions and verify approvals obtained, within timeframes, by authorized individuals, with proper documentation.
Question 30 · ITGC Testing
A control requires manager approval for access requests, but the policy is vague about timelines and doesn't specify what "manager" means (direct, skip-level, department head). This is primarily a:
C is correct. TOD evaluates if the control can work. Precision asks: Is the control specific enough? "Manager approval" vs. "Direct manager via ServiceNow within 24 hours with documented justification" — the former lacks precision and is a design gap.
Question 31 · ITGC Testing
Based on AICPA/PCAOB guidance, how many samples should an auditor test for a HIGH RISK control that occurs DAILY?
C is correct. For a daily control at high risk: 40-60 samples. Low risk daily = 10-15. Moderate risk daily = 20-30. Higher risk, higher frequency, prior exceptions, and higher desired confidence all increase sample size.
Question 32 · ITGC Testing
For privileged users and SoD (Segregation of Duties) conflicts, the recommended sampling method is:
D is correct. For high-risk populations like privileged users and SoD conflicts, auditors should consider 100% testing (census) regardless of population size. Missing one can have material consequences.
Question 33 · ITGC Testing
Haphazard sampling is described as:
B is correct. Haphazard = auditor selects without a specific pattern. Used for small populations or preliminary testing. Limitations: unconscious bias and not statistically valid. Not appropriate for high-risk populations.
Question 34 · ITGC Testing
When classifying an exception where a good policy exists (SLA defined, approval workflow documented) but a required approval was simply skipped by an employee, this is a:
B is correct. Good design, bad execution = Operating Effectiveness (OE) failure. Remedy: training, monitoring, automation. Critical distinction: don't prescribe training for a design problem. Classification drives the right recommendation.
Question 35 · ITGC Testing
Under the external audit risk rating framework, what is a "Material Weakness"?
C is correct. Material Weakness = reasonable possibility that material misstatement will not be prevented or detected by the company's ICFR. Result: adverse ICFR opinion. Significant Deficiency is less severe but still requires reporting to audit committee.
Question 36 · ITGC Testing
The "R" tick mark in audit documentation means:
B is correct. "R" = Recalculated — the auditor independently verified the calculation. Every tick mark must be defined in a legend on the work paper. "T" = Traced/Tied, "I" = Inquiry, "✓" = Tested no exception, "✗" = Exception identified.
Question 37 · ITGC Testing
The "Golden Rule" of audit documentation states:
B is correct. The Golden Rule: If you can't point to a specific exhibit, row, or document for every fact in your finding, you haven't documented it properly. Every assertion must trace to specific evidence.
Question 38 · ITGC Testing
In internal audit findings (versus external), what additional elements are included that are NOT typically in external management letter findings?
B is correct. Internal audit findings include accountability: named individuals, specific data, owner + due date, and space for management's response/action plan. External audit uses generalized language ("certain users") and high-level recommendations.
Question 39 · ITGC Testing
Required documentation elements for sampling methodology include all of the following EXCEPT:
C is correct. Required documentation includes: population source, population completeness verification, selection criteria, sample size rationale, selection method, and sample listing. CAE written approval is NOT a listed required element. The test: could another auditor recreate your exact sample?
Question 40 · ITGC Testing
The "Best Practice" for sample selection when a population has both general and high-risk items is:
C is correct. Best practice: combine methods. Random/stratified for general population + 100% census for privileged users and SoD conflicts. This balances efficiency with appropriate risk coverage.
Question 41 · Mixed
Which of the following is a Topical Requirement released under the 2024 IPPF?
B is correct. Topical Requirements include: Cybersecurity, IT Governance, Privacy Risk Management, Third-Party Management, and Sustainability & ESG. ERM and ICFR are not listed Topical Requirements.
Question 42 · Mixed
According to the engagement lifecycle, what percentage of effort should fieldwork typically represent?
B is correct. Fieldwork = 40-50% of effort (the largest portion). Planning = 20-30%. Reporting = 15-20%. Follow-up = ongoing. Most audit failures are planning failures despite planning being a smaller portion.
Question 43 · Mixed
If an auditor discovers that a terminated user's account was not disabled until 16.75 hours after termination (SLA = 4 hours), but sign-in logs confirm no post-termination logins occurred, the finding should:
C is correct. Document the control gap (16.75 hrs vs. 4-hr SLA = OE failure) AND acknowledge the compensating factor (no unauthorized access occurred). Rule #6 of reporting: acknowledge compensating factors. The risk didn't materialize, but the control gap still exists.
Question 44 · Mixed
An auditor is reviewing a cybersecurity control that prevents users from self-approving their own access requests. Attempting to self-approve in the test environment to verify the block is which type of test?
C is correct. Negative testing = "Did the control prevent what it should have?" Attempting to self-approve tests the guardrail. Does the system reject it? This tests the negative scenario.
Question 45 · Mixed
The "Reviewer's Test" for sampling documentation asks:
B is correct. The Reviewer's Test: Could another auditor recreate your exact sample from your documentation? If not, your methodology isn't sufficiently documented. This ensures reproducibility and defensibility.
Question 46 · Mixed
Plato's "Forms" (ideal essences) as referenced in the IIA Standards lecture represent:
B is correct. Standards represent Platonic ideals — articulating what excellent internal auditing looks like, a reference point against which we measure ourselves. "Practice without form is mere improvisation."
Question 47 · Mixed
Which of the following best describes why audit findings should help security teams rather than punish them?
B is correct. Security teams are often overwhelmed and underappreciated. Approach as a partner, not an adversary. Audit's goal is the same — protecting the organization. Findings should help security teams get resources, not punish them.
Question 48 · Mixed
Which statement about the "No Surprises" principle in audit reporting is correct?
B is correct. "No surprises in the final report." If you haven't discussed a finding with management before issuing, you've failed at communication. Management responses are their words — but auditors can comment on them.
Question 49 · Mixed
A report states: "Several users had issues with their access during the period." According to the 8 Rules for Audit Reporting Excellence, this violates which rule?
B is correct. "Quantify everything" — not "several users" but "3 of 127 (2.4%)." Vague language undermines credibility and doesn't communicate the magnitude of the issue. Always use numbers.
Question 50 · Mixed
Which statement BEST captures the philosophical core of internal auditing as described in the course materials?
B is correct. The philosophical core: internal auditors make the invisible visible. This is Heideggerian aletheia (unconcealment), Socratic questioning, trained attention — the auditor's essential task is illuminating what organizations cannot see about themselves. Everything else is technique.
📖 Questions 51–60: The Readings
Solzhenitsyn's "Live Not By Lies" & Didion's "On Self-Respect" — and their connections to the IIA standards
Question 51 · Solzhenitsyn
According to Solzhenitsyn, what is the relationship between violence and lies in a totalitarian system?
B is correct. Solzhenitsyn argues that violence and lies are mutually dependent: violence cannot maintain a respectable face without lies, and lies can only be sustained by violence. Together they form the mechanism of oppression.
Question 52 · Solzhenitsyn
Solzhenitsyn compares lies to a virus because:
C is correct. The virus metaphor captures the dependency of lies on human participation. When people stop complying — stop saying what they do not think — the lies lose their host and are rendered helpless. Withdrawal of participation is the cure.
Question 53 · Solzhenitsyn
Solzhenitsyn's "simplest and most accessible key to our self-neglected liberation" is:
B is correct. Personal non-participation in lies is the minimum — not marching into squares shouting truth, not hunger strikes or self-immolation. Simply: refuse to say what you do not think. It is the easiest possible resistance, which makes the failure to exercise it all the more indefensible.
Question 54 · Solzhenitsyn
What does Solzhenitsyn say people fear most — more than nuclear war?
B is correct. Solzhenitsyn observes they don't even fear nuclear death — but they deeply fear acts of civil courage: lagging behind the herd, taking one step alone, and suddenly finding themselves without white bread, heating gas, and a Moscow registration. Comfort is the real prison.
Question 55 · Solzhenitsyn → IIA Connection
An audit manager who, after management pushes back, agrees to remove a finding from the report to "preserve the relationship" is most directly analogous to which concept in Solzhenitsyn's essay?
B is correct. Solzhenitsyn says violence demands not that it act on every shoulder every day — only obedience to lies and daily participation in them. The audit manager who removes a finding to appease management is exactly this: the small, daily act of participation that sustains the larger falsehood. This directly parallels IIA Standard 1.1 (Acting Honestly and Courageously).
Question 56 · Didion
According to Didion, what is the source from which self-respect springs?
C is correct. Didion is explicit: "character — the willingness to accept responsibility for one's own life — is the source from which self-respect springs." It is an internal standard entirely independent of others' approval or one's reputation.
Question 57 · Didion
Didion argues that self-deception is:
B is correct. Didion: "self-deception remains the most difficult deception." No winning smiles, no prettily drawn lists of good intentions will work in that well-lit back alley. This connects directly to the IIA's confirmation bias warning under Objectivity (Principle 2).
Question 58 · Didion
The "interminable documentary" metaphor in Didion's essay describes:
B is correct. To live without self-respect is to be an unwilling audience to an interminable documentary detailing one's failings — fresh footage spliced in for every screening. Counting sins of commission and omission, trusts betrayed, promises broken, gifts wasted through sloth or cowardice.
Question 59 · Didion → IIA Connection
Didion's concept of discipline as "a habit of mind that can be developed, trained, coaxed forth" most closely parallels which IIA principle and its philosophical foundation?
C is correct. Didion's "discipline as habit of mind, developed and trained" echoes both Due Professional Care (P4) — applying skepticism proportionately and systematically — and Objectivity/Husserl's trained attention ("the auditor's role: making the invisible visible"). Note that P3 (Competency) rests on Aristotle's phronesis, which is wisdom cultivated through experience; that is not quite the same as Didion's disciplinary practice.
Question 60 · Cross-Essay Synthesis
Which statement BEST captures the shared philosophical argument of Solzhenitsyn's "Live Not By Lies" and Didion's "On Self-Respect," as applied to the practice of internal auditing?
B is correct. Both essays locate integrity in an internal standard rather than external approval. Solzhenitsyn: refuse to say what you do not think. Didion: self-respect is not the approval of others but the willingness to accept responsibility for one's own life. Applied to auditing: an auditor who softens findings to please management fails both standards simultaneously — lacking Solzhenitsyn's refusal to participate in lies and Didion's self-respect rooted in character, not approval.
📖 Questions 61–70: Milgram — "The Perils of Obedience" & Three-Reading Synthesis
Stanley Milgram's obedience experiments and their connections to Solzhenitsyn, Didion, and the IIA standards
Question 61 · Milgram — Experiment Design
In Milgram's experiment, what was the actual purpose of the study — and who was the real subject?
B is correct. The Learner was an actor who received no actual shock. The real focus was the Teacher — an ordinary person placed in a situation where authority commanded harm. The Learner's protests and the increasing voltage created the moral conflict Milgram was studying.
Question 62 · Milgram — Results
What percentage of subjects obeyed to the maximum 450-volt shock in Milgram's original experiment — and how did this compare to expert predictions?
C is correct. 25 of 40 subjects (62.5%) obeyed fully to 450 volts. Psychiatrists had predicted only a pathological fringe — about 1 in 1,000 — would reach the maximum. The actual result was a profound shock to professional assumptions about human nature and the exceptionality of evil.
Question 63 · Milgram — The Agentic State
Milgram describes the "agentic state" as the psychological mechanism underlying obedience. Which of the following best defines it?
C is correct. The agentic state is the core mechanism: the person shifts from autonomous moral agent to instrument of authority. Morality doesn't disappear — it redirects. The subject now feels shame or pride based on how well he has carried out the authority's wishes, not on the content of those wishes. This is how ordinary people can do terrible things while feeling virtuous.
Question 64 · Milgram — Diffusion of Responsibility
In the variation where subjects only administered the word-pair test while a confederate pulled the shock lever, what happened — and what does Milgram say this illustrates?
B is correct. 37 of 40 — nearly everyone — continued to the maximum when they were only the "administrator" rather than the "shocker." Milgram says this may illustrate a dangerously typical arrangement in complex society: it is easy to ignore responsibility when one is only an intermediate link in a chain of action. No one person is confronted with the consequences of the full evil act.
Question 65 · Milgram — What Reduces Obedience
Which of the following experimental variations most dramatically reduced obedience in Milgram's studies?
C is correct. The rebellious peers variation was the most powerful single factor reducing obedience. When two confederates playing "teachers" refused and walked away, 36 of 40 real subjects joined them. One or two voices of conscience in a group can radically change the moral landscape — which is why organizational speak-up culture and IIA independence protections matter so much.
Question 66 · Milgram — Motivation of Subjects
Milgram's data undermines which common explanation for why people commit atrocities under authority?
B is correct. Milgram explicitly notes that the subjects do not derive satisfaction from inflicting pain. When given free choice in a control condition, subjects used very low, usually painless shocks. The two-thirds who obeyed were ordinary people from working, managerial, and professional classes. Their motivation was not sadism but a sense of duty — obligation to fulfill their role as a cooperative subject.
Question 67 · Milgram → IIA Connection
An audit senior tells the engagement partner: "I documented what you told me to document — the conclusion on that control is your call, not mine." Which Milgram concept does this most directly illustrate, and which IIA principle does it violate?
B is correct. "The conclusion is your call" is precisely the agentic state: the senior has transferred perceived responsibility upward and ceased to function as an autonomous moral agent. This violates P1 Integrity — every auditor on the engagement retains personal responsibility for the accuracy of their work product, regardless of who signs off at the top. "Following instructions" is not an ethical defense in audit, just as Milgram showed it is not a moral defense in the lab.
Question 68 · Milgram — Hannah Arendt Connection
Milgram explicitly connects his findings to Hannah Arendt's concept of the "banality of evil" from her coverage of the Eichmann trial. What is the core claim of that concept as Milgram applies it?
C is correct. Arendt argued Eichmann was not a sadistic monster but an uninspired bureaucrat who sat at his desk and did his job. Milgram's data confirms this: ordinary people from every stratum of society — not an aggressive fringe — administered the maximum shock. The most common characteristic of socially organized evil in modern society, Milgram concludes, is the fragmentation of the total human act so that no one person is confronted with its full consequences.
Question 69 · Three-Reading Synthesis
Solzhenitsyn, Didion, and Milgram all address a similar underlying problem. Which of the following best captures what all three share?
C is correct. Solzhenitsyn: ordinary people sustain totalitarianism through daily participation in lies. Didion: ordinary self-deception and approval-seeking erode integrity incrementally. Milgram: ordinary people administer maximum voltage because authority says so. In all three, the agent is not a monster — and in all three, a genuine individual choice remains available. This is the unified lesson the professor is testing.
Question 70 · Three-Reading Synthesis → IIA Application
An audit manager is pressured by the CFO to remove a significant finding from the draft report. Drawing on all three readings, which response best reflects the integrated ethical auditor?
C is correct. All three readings converge on the same answer. Solzhenitsyn: removing the finding is daily participation in lies — the profession depends on non-participation. Didion: the auditor who removes the finding to keep the CFO happy lacks self-respect — they are calibrating their standard to others' approval rather than to character. Milgram: escalating to the partner and saying "it's your call" is the agentic state — responsibility does not transfer upward. The IIA's Standard 1.1 and the escalation path to the audit committee exist precisely for this moment.