📚 Internal Audit Exam Prep

ACCT 3233/7233 · LSU · IIA Standards, Cybersecurity Risk & ITGC Testing

📋 Master Study Guide

Exam Tips: 70 questions covering all 3 slide decks + the Didion reading + the case study. Focus on definitions, frameworks, the IIA 2024 structure, CIA Triad, ITGC testing types, the Four C's of findings, and the thematic connections between Didion and the IIA ethics principles.
Big Picture

The Three Topic Areas

1. IIA Standards
2024 IPPF • 5 Domains • 15 Principles • 52 Standards • Topical Requirements
2. Cybersecurity Risk
CIA Triad • Attack surface • Defense in Depth • Org Pathologies • IIA Topical Req
3. ITGC Testing
Positive/Negative • TOD/TOE • Sampling • Risk Ratings • Finding Structure

⚡ Quick-Reference Flash Facts

IIA 2024 Architecture
  • 5 Domains, 15 Principles, 52 Standards
  • Domain I – Purpose (Why we exist)
  • Domain II – Ethics & Professionalism
  • Domain III – Governing the Function
  • Domain IV – Managing the Function
  • Domain V – Performing Services
  • Old "Attribute" / "Performance" categories are gone
Domain I – Purpose

Internal auditing provides 4 services:

  • Assurance – independent evaluation
  • Advice – recommendations to improve
  • Insight – deeper understanding
  • Foresight – anticipating emerging risks ⭐ NEW in 2024

Goal: create, protect, and sustain value

Domain II – 5 Ethics Principles
  • P1 – Demonstrate Integrity (Kant's categorical imperative)
  • P2 – Maintain Objectivity (Husserl's epoché – bracket assumptions)
  • P3 – Demonstrate Competency (Aristotle's phronesis – practical wisdom)
  • P4 – Exercise Due Professional Care (Hume – can't test everything)
  • P5 – Maintain Confidentiality
Domain III – Governance
  • P6 – Authorized by the Board (charter = source of authority)
  • P7 – Positioned Independently (CAE reports to board)
  • P8 – Overseen by the Board
  • Most significant change in 2024 – boards have explicit responsibilities
  • Defines "Essential Conditions" boards must provide
Domain IV – Managing
  • P9 – Plan Strategically (risk-based)
  • P10 – Manage Resources
  • P11 – Communicate Effectively
  • P12 – Enhance Quality (QAIP required)
  • External Quality Assessment every 5 years, requires active CIA
  • No more "audit everything every 3 years" cyclical approach
Domain V – Performing Services
  • P13 – Plan Engagements
  • P14 – Conduct Work (Four C's of Findings)
  • P15 – Communicate & Monitor
  • New term: "conclusion" replaces "opinion"
  • Engagement effort split: Planning 20-30% / Fieldwork 40-50% / Reporting 15-20% / F/U ongoing
⭐ Must Memorize

The Four C's of Findings (Domain V)

  • Condition – What IS (the actual situation found)
  • Criteria – What SHOULD BE (the standard/policy)
  • Cause – WHY the gap exists
  • Consequence – WHY it matters (the risk/impact)

Three Lines Model:

  • 1st Line – Management (owns risk day-to-day)
  • 2nd Line – Risk & Compliance (monitors/supports)
  • 3rd Line – Internal Audit (independent assurance to board)
  • Governing Body – accountability to stakeholders

🔒 Cybersecurity Risk Key Concepts

CIA Triad
  • Confidentiality – only authorized access; threats: breaches, eavesdropping
  • Integrity – accurate, unaltered data; threats: tampering, MITM attacks
  • Availability – accessible when needed; threats: DDoS, ransomware
Audit tip: Every control should map to ≥1 CIA objective
Why Cyber Risk is Different
  • Adversarial – intelligent actor actively probes (not passive like market risk)
  • Asymmetric – attacker needs 1 weakness; defender must protect everything
  • Evolving – threat landscape changes daily
  • Invisible – breaches often undetected for months
  • Interconnected – your security = your vendors' security
Defense in Depth Layers
  • Preventive – firewalls, patching, encryption, access controls
  • Detective – SIEM, IDS/IPS, log monitoring, anomaly detection
  • Corrective – incident response, backup/restore, DR
  • Layers: Network → Endpoint → Application → Data → Human → Governance
4 Organizational Pathologies
  • #1 Ownership Gap – no one knows who owns a system (e.g., Target 2013 HVAC vendor)
  • #2 Security vs. Business – speed vs. control; CISO reporting line matters
  • #3 Compliance Trap – compliance ≠ security (Equifax was PCI compliant when breached)
  • #4 Learned Helplessness – "if they want in, they'll get in" fatalism; fundamentals still matter
IIA Cybersecurity Topical Requirement
Released: Feb 5, 2025
Effective: Feb 5, 2026
First Topical Requirement under 2024 IPPF
Maps to NIST & COBIT
When it applies:
• Cybersecurity is in audit plan
• Cyber risks emerge during engagement
• Management/board requests cyber audit
3 Domains:
• Governance
• Risk Management
• Controls

Must document applicability & rationale for exclusions

🖥️ ITGC Testing Key Concepts

Positive vs. Negative Testing
  • Positive – "Did the control work when it should?" → Testing the happy path (verifying approvals, timelines)
  • Negative – "Did the control block what it should?" → Testing guardrails (can terminated users log in? self-approve?)
  • Key point: Positive testing alone creates false confidence
Test of Design (TOD)

Evaluates if the control can work (the blueprint):

  • Precision – is the control specific enough?
  • Completeness – does it cover all scenarios?
  • Authority – are the right people involved?

"A flawed blueprint can never produce a sound structure"

Design vs. OE Failures
  • Design Failure – control CAN'T work; blueprint is flawed. Remedy: process redesign
  • OE Failure – control DIDN'T work; good design, bad execution. Remedy: training, monitoring, automation
  • Critical: Don't prescribe training for a design problem
Sampling Framework
  • Random – equal probability; good for large homogeneous populations
  • Stratified – subgroups by risk; best practice with census for high-risk strata
  • Haphazard – judgment-based; not statistically valid
  • Census – 100% testing; use for critical controls, small populations
  • Privileged users, SoD conflicts → census (100%)
Sample Size Table (AICPA/PCAOB Guidance)
Frequency | Low Risk | Moderate Risk | High Risk
Annual | 1 | 1 | 1
Quarterly | 2 | 2-3 | 4
Monthly | 2-3 | 4-6 | 8-12
Weekly | 5-9 | 10-15 | 20-25
Daily | 10-15 | 20-30 | 40-60
Per occurrence | 25 | 40 | 60
Risk Ratings (External vs. Internal)

External (SOX/PCAOB):

  • Material Weakness – reasonable possibility of material misstatement → adverse ICFR opinion
  • Significant Deficiency – less than MW but merits attention → report to Audit Committee
  • Control Deficiency – design/operation gap

Internal (IIA-aligned): Critical/High, Medium, Low

Assurance vs. Advisory Services

Assurance: 3 parties (auditor, auditee, stakeholders); auditor sets scope; formal conclusions; skepticism default. Examples: SOX testing, compliance reviews

Advisory: 2 parties (auditor + client); client sets scope; recommendations only (no "opinion"); collaboration posture. Examples: M&A due diligence, process design

Warning: Advisory on a process may impair objectivity for future assurance on the same process
Common Topical Requirements (New 2024 IPPF)

Mandatory when in scope. Effective 12 months after issuance. Must document which apply and rationale for any exclusions.

Cybersecurity – governance, risk, controls, incident response
IT Governance – tech strategy, performance, risk
Privacy Risk Management – GDPR, CCPA compliance
Third-Party Management – vendor risk, due diligence
Sustainability & ESG – climate, DEI metrics
More coming… as risks evolve
⭐ Key Philosophical Connections (Your professor clearly loves these):
Integrity → Kant's Categorical Imperative | Objectivity → Husserl's Epoché | Competency → Aristotle's Phronesis | Due Care → Hume's Induction Problem | Findings → Heidegger's Aletheia (unconcealment/truth) | Standards → Plato's Forms

🔒 Cybersecurity Risk Deep Dive

Core Concept

Cyber risk is adversarial — an intelligent actor actively probes for weaknesses and adapts to your defenses. Most risks are passive; cyber risk is not. Hobbes: cyberspace is close to the "war of all against all."

CIA Triad

Confidentiality

Info accessible only to authorized users. Protection against unauthorized disclosure.

Threats: Data breaches, unauthorized access, eavesdropping

Integrity

Info/systems accurate, complete, unaltered except by authorized actions. Protection against unauthorized modification.

Threats: Data tampering, malware, man-in-the-middle attacks

Availability

Info/systems accessible when needed. Protection against disruption.

Threats: DDoS attacks, ransomware, system failures

Modern Enterprise Attack Surfaces

On-Premises Infrastructure – data centers, servers, legacy systems. Often decades old, poorly documented.
Cloud Services – IaaS, PaaS, SaaS. Shared responsibility models. Shadow IT proliferates faster than governance.
Endpoints – laptops, mobile, IoT, printers, cameras. Each a potential entry point.
Third-Party Connections – vendors, partners, APIs. Your security = your weakest vendor.
Identity & Access – Active Directory, SSO, MFA, privileged accounts. "The keys to the kingdom."
The Invisible Layer – shadow IT, personal devices, forgotten test systems. What you don't know CAN hurt you.

Defense in Depth

Control Type | Purpose | Examples
Preventive | Stop attacks before they succeed | Firewalls, access controls, encryption, patching, security awareness
Detective | Identify attacks in progress or after | SIEM, IDS/IPS, log monitoring, anomaly detection, threat hunting
Corrective | Respond and recover | Incident response, backup/restore, disaster recovery, forensics

4 Organizational Pathologies

Pathology #1
Ownership Gap – Who owns this system? Unowned systems don't get patched. Real example: Target 2013 breach via HVAC vendor. Audit: asset inventory, clear ownership assignment, orphan system process.
Pathology #2
Security vs. Business Tension – Business wants speed; security wants control. CISO reporting line signals organizational priorities. Shadow IT bypasses controls. Rational actors optimize for what's measured.
Pathology #3
The Compliance Trap – Compliance ≠ Security. Equifax, Target, Capital One were all compliant when breached. Attackers don't check compliance status. Organizations optimize for passing audits, not actual security.
Pathology #4
Learned Helplessness – "If they want in, they'll get in." Most breaches are NOT sophisticated — stolen credentials, phishing, unpatched systems. Verizon DBIR confirms: fundamentals prevent most breaches. Stoic wisdom: focus on what you can control.

IIA Cybersecurity Topical Requirement (2025)

Domain | Focus Areas | Key Question
Governance | Board oversight, strategy, policies, roles, resource allocation | Does leadership own cybersecurity?
Risk Management | Asset ID/classification, threat assessment, risk appetite, third-party risk | Do they know what they're protecting?
Controls | IAM, network security, data protection, monitoring, incident response, DR | Are the controls actually working?

📜 IIA 2024 Standards Deep Dive

Architecture: 5 Domains · 15 Principles · 52 Standards

Old "Attribute" and "Performance" categories are eliminated. New structure is cleaner, governance-focused.

All 15 Principles by Domain

Domain | # | Principle | Key Concept
I – Purpose | — | Why IA exists | Assurance, Advice, Insight, Foresight (NEW)
II – Ethics | P1 | Integrity | Kant – categorical imperative; truthful even when difficult
II – Ethics | P2 | Objectivity | Husserl – epoché; bracket assumptions; manage confirmation bias
II – Ethics | P3 | Competency | Aristotle – phronesis; know what you don't know; use specialists
II – Ethics | P4 | Due Professional Care | Hume – can't test everything; sample intelligently; document reasoning
II – Ethics | P5 | Confidentiality | Protect info; breach once = never get candid info again
III – Governing | P6 | Authorized by Board | Charter = source of authority; board approves mandate
III – Governing | P7 | Positioned Independently | CAE reports functionally to board; structural independence
III – Governing | P8 | Overseen by Board | Board approves plan, budget, resources; they're accountable too
IV – Managing | P9 | Plan Strategically | Risk-based audit plan; dynamic, not cyclical
IV – Managing | P10 | Manage Resources | People, tech, budget; document when insufficient
IV – Managing | P11 | Communicate Effectively | Bidirectional; listen as much as inform
IV – Managing | P12 | Enhance Quality | QAIP; EQA every 5 years with active CIA required
V – Performing | P13 | Plan Engagements | Understand activity, risk assessment, define scope, work program
V – Performing | P14 | Conduct Work | Gather evidence, Four C's, recommendations, conclusions
V – Performing | P15 | Communicate & Monitor | No surprises; confirm implementation; follow-up

Assurance vs. Advisory

Assurance Services
  • 3 parties: auditor, auditee, stakeholders
  • Auditor determines scope
  • Results in formal conclusions
  • Skepticism is the default posture
  • Examples: SOX testing, operational audits, compliance reviews
Advisory Services
  • 2 parties: auditor + client
  • Client typically sets scope
  • Results in recommendations (no "opinion")
  • Collaboration is the posture
  • Examples: M&A due diligence, process design, training

The Engagement Lifecycle

Planning (20-30%) – Most audit failures are planning failures. Understand the business first. Talk to process owners early.
Fieldwork (40-50%) – Document as you go. When something "feels off," dig. That instinct is often correct.
Reporting (15-20%) – No surprises in the final report. Management responses are their words. "Conclusion" not "opinion."
Follow-up (Ongoing) – An untracked recommendation is a wasted recommendation. This is where audit demonstrates it has teeth.

The Three Lines Model

Line | Who | Role | Reports To
1st Line | Management (Operations, IT, HR) | Owns risk and controls day-to-day | Senior Management
2nd Line | Risk & Compliance (ERM, Legal, Security) | Supports, monitors, provides expertise | Senior Management
3rd Line | Internal Audit | Independent assurance on governance, risk, controls | Board/Audit Committee
Governing Body | Board | Accountability to stakeholders | Stakeholders
Key: Lines should collaborate but maintain distinct roles. IA can rely on 2nd line work but must independently verify before reporting conclusions.

🖥️ ITGC Testing Deep Dive

Positive vs. Negative Testing

Positive Testing

"Did the control work when it should have?"

Testing the happy path. Select legitimate transactions and verify approvals obtained, within timeframes, by authorized individuals, with proper documentation.

Limitation: Positive testing alone creates false confidence. A control that approves everything but blocks nothing is useless.

Negative Testing

"Did the control prevent what it should have?"

Testing the guardrails. Attempt to bypass: Can terminated users log in? Can users self-approve? Does system block SoD violations? Are unauthorized changes rejected?

Test of Design (TOD) – The Blueprint Test

Core question: "If everyone followed this control perfectly, would it actually prevent or detect the risk?"

Precision – specific enough? "Manager approval" vs. "Direct manager via ServiceNow within 24 hours with documented justification"
Completeness – covers all scenarios? Contractors? Emergency access? Department transfers?
Authority – right people involved? Is a clerk approving executive access?

Sampling Methods

Method | Description | When to Use | Limitation
Random | Equal probability; use random number generator | Large, homogeneous populations | May miss high-risk items by chance
Stratified | Divide into subgroups; sample by risk | Heterogeneous populations with risk strata | Requires understanding of risk factors
Haphazard | Without specific pattern; auditor judgment | Small populations; preliminary testing | Unconscious bias; not statistically valid
Census (100%) | Test entire population | Small populations; critical controls | Time-consuming; may not be practical
Best Practice: Combine methods. Random for general population + 100% for privileged users + 100% for SoD conflicts.

Design Failure vs. Operating Effectiveness Failure

Design Failure

The control CAN'T work. The blueprint is flawed (policy doesn't exist, gaps, wrong approvers, SLA undefined).

Even perfect execution won't prevent the risk.

Remedy: Policy/process redesign

⚠️ Don't prescribe training for a design problem!

OE Failure

The control DIDN'T work. Good design, but execution failed (approvals missing, SLA breached, reviews not completed).

Remedy: Training, monitoring, automation

Audit Tick Marks

Symbol | Meaning | When to Use
(symbol not captured) | Tested, no exception | Attribute tested and passed
(symbol not captured) | Exception identified | Attribute tested and failed
N/A | Not applicable | Attribute doesn't apply to this item
T | Traced/Tied | Amount traced to source document
R | Recalculated | Calculation independently verified
I | Inquiry | Confirmed via inquiry
(symbol not captured) | Inspected original | Viewed original document/screen
(symbol not captured) | Follow-up needed | Requires additional investigation

Finding Structure: External vs. Internal

External (Management Letter)
Condition → Criteria → Cause → Effect → Recommendation
Tone: formal, regulatory. Generalized ("certain users"). High-level recommendations.
Internal (Audit Finding)
Observation Title → Background/Criteria → Observation → Risk/Impact → Recommendation (with owner + due date) → Management Response
Tone: collaborative. Named individuals. Specific actions with accountability.

Risk Ratings

Rating (External) | Definition | Consequence
Material Weakness | Reasonable possibility material misstatement not prevented/detected | Adverse ICFR opinion
Significant Deficiency | Less than MW but merits oversight attention | Report to Audit Committee
Control Deficiency | Design/operation gap not reaching SD/MW level | Management letter

8 Rules for Audit Reporting Excellence

  1. Lead with the headline (exception rate first)
  2. Quantify everything ("3 of 127" not "several")
  3. Separate fact from judgment
  4. Define your population clearly
  5. Show your math (elapsed time, calculation)
  6. Acknowledge compensating factors
  7. Make recommendations actionable
  8. Write for the skeptic

📖 Readings Deep Dive

Why this reading? Joan Didion's "On Self-Respect" was paired with the IIA Standards slides deliberately. It addresses the core problem: what happens to a person — and a profession — when integrity is abandoned for comfort or approval. Read it through the lens of Principle 1 (Integrity) and Principle 2 (Objectivity).
Reading

Joan Didion — "On Self-Respect" (1961)

Originally published in Vogue; later collected in Slouching Towards Bethlehem. Uses "negative definition" — defining the concept largely through what it is not.

The Central Argument

Didion argues that self-respect is fundamentally an internal standard, having nothing to do with others' approval or reputation. Its source is character — the willingness to accept responsibility for one's own life. Without it, one becomes an unwilling audience to an interminable documentary of one's own failures, and eventually runs away from oneself to find no one at home.

Self-deception, she argues, is the most difficult deception — far harder to overcome than deceiving others. The tricks that work on others count for nothing in the well-lit back alley where one keeps assignations with oneself.

Key Concepts & Quotable Ideas

The Opening Anecdote

She begins with not being elected to Phi Beta Kappa — a failure predictable, unambiguous. She had thought herself exempt from cause-and-effect relationships that hampered others. That day marked the end of something: the loss of the comfortable conviction that lights would always turn green for her.

Self-Respect ≠ Approval / Reputation

Self-respect has nothing to do with the approval of others — who are, after all, deceived easily enough. It has nothing to do with reputation, which, as Rhett Butler told Scarlett O'Hara, is something people with courage can do without. No winning smiles or prettily drawn lists of good intentions will do here.

Character as the Source

"Character — the willingness to accept responsibility for one's own life — is the source from which self-respect springs." People with self-respect have the courage of their mistakes: they do not seek absolution, do not complain unduly of unfairness. They exhibit moral nerve — what was once called character.

The Interminable Documentary

To live without self-respect is to be an unwilling audience to a documentary of one's own failings — fresh footage spliced in for every screening. Counting the sins of commission and omission, the trusts betrayed, the promises broken, the gifts wasted through sloth or cowardice. Eventually one lies down alone in that notoriously uncomfortable bed we make ourselves.

Jordan Baker vs. Julian English

Jordan Baker (careless, dishonest in The Great Gatsby) had self-respect — she made her own peace, avoided threats to that peace. Julian English (careless, suicidal in Appointment in Samarra) did not. The paradox: the outwardly dishonest person had it; the seemingly respectable one was hollow. Self-respect is not correlated with conventional virtue.

Discipline as Practice

Self-respect is a discipline, a habit of mind — it can be developed, trained, coaxed forth. Small disciplines represent larger ones — not for the ritual itself but as a way of remembering who and what we are. It is difficult to continue fancying oneself Cathy in Wuthering Heights with one's head in a paper bag.

Alienation from Self

In its advanced stages, alienation from self means we no longer answer the telephone — someone might want something. We cannot say no without drowning in self-reproach. Every encounter demands too much. Without self-respect, one eventually runs away to find oneself and finds no one at home.

The Intrinsic Worth Thesis

To have that sense of intrinsic worth is potentially to have everything: the ability to discriminate, to love, and to remain indifferent. To lack it is to be locked within oneself — paradoxically incapable of either love or indifference. Without it, we despise those who have so few resources as to consort with us.

Connection to IIA Standards & Audit Practice

Didion Concept | IIA / Audit Parallel
Self-respect ≠ approval of others | Principle 2 (Objectivity) — independence not just attitudinal but structural; not seeking management approval
Character = accepting responsibility for one's own life | Principle 1 (Integrity) — the willingness to own unfavorable findings without softening them
Discipline as habit of mind | Principle 4 (Due Professional Care) — skepticism not as instinct but as cultivated practice
Courage of one's mistakes | Auditors who acknowledge their own errors in prior work rather than burying them
The "interminable documentary" | The auditor who compromised integrity — each watered-down finding replays in professional memory
Small disciplines represent larger ones | Documentation rigor, tick marks, referencing every exhibit — small habits that hold when under pressure
Self-deception is the most difficult deception | Confirmation bias (Principle 2 — most dangerous bias is finding what you expect to find)
Likely exam angle: Expect questions connecting a specific Didion concept (the interminable documentary, Jordan Baker, discipline as habit, self-deception) to an IIA principle or to the auditor's real-world situation. Your professor is testing whether you read the essay through the lens of the IIA standards.

🏢 Case Study: Meridian Energy Holdings — ITGC Access Controls

Context: You are a first-year associate on the IT audit team. Your firm performs the integrated audit of Meridian Energy Holdings, Inc. (MEH) — a publicly traded energy company on the NYSE, subject to SOX Section 404. MEH uses SAP S/4HANA as its ERP, with Microsoft Entra ID (formerly Azure AD) as its Identity Provider for Single Sign-On. Your job: test IT General Controls (ITGCs) over logical access.
Company Profile

Meridian Energy Holdings, Inc. (MEH)
Mid-sized energy company, Houston TX · NYSE-listed · ~2,800 employees

Regulatory exposure: SOX §404 (ICFR), NERC CIP (cybersecurity), FERC (reporting)

ERP: SAP S/4HANA — financial reporting, procurement, operations

Identity stack:

  • Entra ID — Identity Provider (IdP); authenticates all employees via MFA
  • SSO — Entra ID federates into SAP; no separate SAP password needed
  • RBAC — SAP roles bundle permissions (e.g., Z_FI_AP_PROC = enter invoices; Z_FI_AP_PAY = release payments)
  • Key insight: Disabling Entra ID = cutting access to SAP. This is why the 4-hour termination SLA flows through Entra ID, not SAP directly.

Control Objectives (AC-01 through AC-05)

ID | Control Objective | Testing Method
AC-01 | User authentication enforced via Entra ID with MFA | TOD — inspect Entra ID config, MFA policy
AC-02 | New access granted only with documented manager + data owner approval, aligned to job role | TOE — attribute test ServiceNow tickets (Exhibit B)
AC-03 | Access removed within 4 hours of HR termination | TOE — calculate SLA compliance from Exhibit C
AC-04 | Periodic access reviews validate continued appropriateness | TOE — review Exhibit H completion rates
AC-05 | SoD conflicts identified and either remediated or mitigated with documented compensating controls | TOE — Exhibits D + E cross-reference

Exhibit A — SAP User Population (as of Nov 10, 2025)

Source: SAP transaction SUIM. Note: dkim77 has two roles (shown on consecutive rows) — this is the SoD conflict flag.
User ID | Name | Department | Job Title | SAP Role | Risk Flag
jsmith01 | John Smith | Accounting | Staff Accountant | Z_FI_GL_POST | —
mwilson03 | Maria Wilson | Accounting | Senior Accountant | Z_FI_GL_APPROVE | —
bjones22 | Brian Jones | Accounts Payable | AP Clerk | Z_FI_AP_PROC | —
klee45 | Karen Lee | Accounts Payable | AP Manager | Z_FI_AP_PAY | —
tgarcia08 | Tony Garcia | Treasury | Cash Manager | Z_FI_AP_PAY | ⚠ SoD (Table D)
aclark99 | Amy Clark | IT Security | Security Admin | Z_SEC_ADM | CRITICAL role
rthomas15 | Robert Thomas | Procurement | Buyer | Z_MM_PURCH | ⚠ SoD (Table D)
dkim77 | David Kim | AP | AP Supervisor | Z_FI_AP_PROC + Z_FI_AP_PAY | ⚠ HIGH SoD conflict
lmartinez44 | Laura Martinez | Operations | Plant Supervisor | Z_PM_MAINT | —
pjohnson88 | Paul Johnson | Finance | Financial Analyst | Z_FI_GL_POST | ⚠ Terminated 1/31 — still in population!
⚠ Key Finding — pjohnson88

Paul Johnson appears in the active user population with role Z_FI_GL_POST. Cross-referencing Exhibit C: he was terminated 01/31/2025. Cross-referencing Exhibit H: he shows "NO RESPONSE" on the Q2 access review (July 2025) — meaning his access was never cleaned up even 5+ months after termination. This is a Significant Deficiency or Material Weakness candidate.

Exhibit B — Access Provisioning Tickets (ServiceNow, Jan–Apr 2025)

Ticket | User | Req Date | Role | Mgr Approval | Data Owner Appr. | Access Granted | SLA (2 BD) | Exception?
REQ-2501 | jsmith01 | 01/08 | Z_FI_GL_POST | 01/08 ✓ | 01/08 ✓ | 01/09 | ✅ Met | None
REQ-2502 | bjones22 | 01/15 | Z_FI_AP_PROC | 01/15 ✓ | 01/16 ✓ | 01/16 | ✅ Met | None
REQ-2503 | rthomas15 | 02/03 | Z_MM_PURCH | 02/03 ✓ | — ✗ | 02/04 | ✅ Met | ⚠ No data owner approval
REQ-2504 | nwhite33 | 02/20 | Z_FI_AR_BILL | 02/20 ✓ | 02/21 ✓ | 02/24 | ✅ Met | None
REQ-2505 | mchen66 | 03/10 | Z_FI_GL_POST | 03/10 ✓ | 03/10 ✓ | 03/14 | ⚠ 4 days — MISSED | SLA exception
REQ-2506 | kpatel91 | 04/05 | Z_SEC_ADM | 04/05 ✓ | 04/07 ✓ | 04/07 | ✅ Met | CRITICAL role — verify CISO approval per Exhibit F
Analysis — AC-02 Exceptions (2 of 6)

REQ-2503: No data owner approval documented. Policy requires dual approval (manager + data owner) before access grant. Exception rate: 1/6 = 16.7%. Root cause: likely bypassed due to business urgency or workflow gap. Control Deficiency at minimum.

REQ-2505: Access granted in 4 business days vs. 2-day SLA. No process exception approved. Isolated? Need to expand testing to determine if systemic.

Exhibit C — Termination Testing (Jan–Apr 2025)

User | Name | HR Term Date/Time | Entra Disabled | Elapsed | 4-Hr SLA | Last Login | Post-Term Access?
pjohnson88 | Paul Johnson | 01/31 17:00 | 01/31 18:30 | 1.5 hrs | ✅ Met | 01/31 16:45 | None
swright42 | Susan Wright | 02/14 17:00 | 02/14 17:15 | 0.25 hrs | ✅ Met | 02/14 14:30 | None
jdavis55 | James Davis | 03/07 17:00 | 03/08 09:45 | 16.75 hrs | ❌ Missed | 03/07 16:58 | Possibly — login 2 min before term; verify
arobinson19 | Alice Robinson | 03/28 17:00 | 03/28 17:30 | 0.5 hrs | ✅ Met | 03/28 15:00 | None
mhernandez07 | Miguel Hernandez | 04/15 17:00 | 04/15 18:00 | 1.0 hrs | ✅ Met | 04/15 13:20 | None
⚠ jdavis55 — SLA Exception: 16.75 Hours

James Davis was terminated Friday 03/07 at 5:00pm. Entra ID wasn't disabled until Saturday 03/08 at 9:45am — 16.75 hours later. Root cause: the batch sync process that triggers Workday → Entra ID only runs on weekday mornings. Friday evening terminations fall into a gap window. This is the canonical example from the 8 Reporting Rules (Card 9 in your notecards).

Exception rate: 1 of 5 (20%). With only 5 terminations in the test window, consider whether this is systemic (the Friday-batch-gap affects all Friday terminations) vs. isolated. Likely Significant Deficiency given the 16.75-hour exposure window on a SOX-regulated system.

Exhibits D + E — SoD Conflicts & Mitigating Controls

User | Conflict | Risk | Mitigating Control | MC Adequate?
dkim77 (David Kim) | Z_FI_AP_PROC (enter invoices) + Z_FI_AP_PAY (release payments) | HIGH — can create fraudulent invoice AND pay it to himself or a shell vendor with no second set of eyes | MC-001: Controller reviews all payment batches >$10K before release | ⚠ PARTIAL — leaves payments <$10K unreviewed; no control over invoice entry itself
tgarcia08 (Tony Garcia) | Z_FI_AP_PAY (release payments) + Z_MM_VENDOR (create/modify vendors) | HIGH — can add a fictitious vendor AND pay them; classic ghost vendor fraud scheme | MC-002: Vendor master changes require dual approval; weekly AP Manager review | ✅ Adequate if operating effectively — dual approval breaks the single-person control chain
jbrown61 (Jennifer Brown) | Z_FI_GL_POST (post JEs) + Z_FI_GL_APPROVE (approve JEs) | HIGH — can post and self-approve journal entries; enables earnings manipulation | NONE DOCUMENTED | ❌ DEFICIENCY — no mitigating control = unmitigated HIGH SoD conflict on a SOX-material account
rthomas15 (Robert Thomas) | Z_MM_PURCH (create PO) + Z_MM_PO_APP (approve PO) | MEDIUM — can create and self-approve own purchase orders | MC-003: All POs require Procurement Director approval regardless of amount | ✅ Adequate — independent director approval at 100% overrides the self-approval risk
⚠ jbrown61 — Unmitigated HIGH SoD

Jennifer Brown has both JE posting and JE approval roles with zero mitigating controls documented. On a SOX engagement for a publicly traded company, an unmitigated HIGH SoD conflict on the general ledger is a strong Significant Deficiency candidate, potentially Material Weakness depending on the population of transactions affected. This requires immediate escalation and remediation — either remove one role or implement a compensating control such as independent GL review.

Exhibit F — SAP Role Classification Matrix

Role ID | Description | Function | Risk Level | Required Approver
Z_FI_GL_POST | Post journal entries to GL | General Ledger | High | Controller
Z_FI_GL_APPROVE | Approve journal entries | General Ledger | High | CFO
Z_FI_AP_PROC | Enter/process vendor invoices | Accounts Payable | High | AP Manager
Z_FI_AP_PAY | Execute payment runs & release payments | Accounts Payable | Critical | Treasurer
Z_MM_PURCH | Create POs | Procurement | Medium | Dept Manager
Z_MM_PO_APP | Approve POs | Procurement | High | Proc Director
Z_MM_VENDOR | Create/modify vendor master records | Master Data | Critical | Controller
Z_SEC_ADM | Administer user accounts & role assignments | IT Security | Critical | CISO
Z_PM_MAINT | Create/manage plant maintenance work orders | Operations | Low | Plant Mgr

Exhibit H — Q2 2025 Quarterly Access Review (Entra ID, July 2025)

User ID | Name | Role | Reviewer Decision | Date
jsmith01 | John Smith | Z_FI_GL_POST | ✅ APPROVED — Access appropriate | 07/10/2025
mwilson03 | Maria Wilson | Z_FI_GL_APPROVE | ✅ APPROVED — Access appropriate | 07/10/2025
bjones22 | Brian Jones | Z_FI_AP_PROC | ✅ APPROVED — Access appropriate | 07/11/2025
lperez29 | Lisa Perez | Z_FI_AR_BILL | 🔄 REVOKED — Transferred to HR | 07/11/2025
pjohnson88 | Paul Johnson | Z_FI_GL_POST | ⚠ NO RESPONSE | —
⚠ pjohnson88 — The Compounding Problem

Paul Johnson was terminated 01/31/2025 (Exhibit C — SLA met, Entra ID disabled same day). But by Q2 access review in July 2025, he still appears in the SAP user population with an active role (Exhibit A) and shows NO RESPONSE on the review — because there's no active manager to respond. The Entra ID disable didn't trigger SAP account deprovisioning. This means his SAP role persists even though his Entra ID is disabled. If SSO breaks or is reconfigured, this is a reactivation risk.

This illustrates a design gap in AC-03: the control disables Entra ID within SLA but has no corresponding procedure to clean up orphaned SAP roles. The access review (AC-04) should have caught this but failed because the no-response case wasn't escalated.
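
The cross-exhibit checks behind AC-04 and AC-05, as one worked example (added here, not case material) that serves both the SoD analysis of Exhibits D + E and the orphaned-account problem above: a conflict matrix is applied to every user's role set, each hit is rated by whether a documented mitigating control covers the whole population, terminated users still in the SAP population are listed, NO RESPONSE reviews that were never auto-revoked are listed, and the census population (privileged users plus SoD conflicts) is derived from the same data. The role sets for tgarcia08, rthomas15 and jbrown61 are taken from Exhibit D rather than Exhibit A, and the "partial"/"full" coverage labels are assumptions read off Exhibit E.

```python
"""Cross-exhibit access analytics for the MEH case (added example, not case material)."""
from itertools import combinations

# Constructed from Exhibit A, with the second role that each Exhibit D row attributes to
# tgarcia08 and rthomas15, plus jbrown61, who appears only in Exhibit D.
SAP_USERS = {
    "jsmith01": {"Z_FI_GL_POST"},
    "mwilson03": {"Z_FI_GL_APPROVE"},
    "bjones22": {"Z_FI_AP_PROC"},
    "klee45": {"Z_FI_AP_PAY"},
    "tgarcia08": {"Z_FI_AP_PAY", "Z_MM_VENDOR"},
    "aclark99": {"Z_SEC_ADM"},
    "rthomas15": {"Z_MM_PURCH", "Z_MM_PO_APP"},
    "dkim77": {"Z_FI_AP_PROC", "Z_FI_AP_PAY"},
    "lmartinez44": {"Z_PM_MAINT"},
    "pjohnson88": {"Z_FI_GL_POST"},
    "jbrown61": {"Z_FI_GL_POST", "Z_FI_GL_APPROVE"},
}

# Conflict matrix constructed from Exhibit D: role pairs one person must not hold together.
SOD_RULES = {
    frozenset({"Z_FI_AP_PROC", "Z_FI_AP_PAY"}): "HIGH",
    frozenset({"Z_FI_AP_PAY", "Z_MM_VENDOR"}): "HIGH",
    frozenset({"Z_FI_GL_POST", "Z_FI_GL_APPROVE"}): "HIGH",
    frozenset({"Z_MM_PURCH", "Z_MM_PO_APP"}): "MEDIUM",
}

# Exhibit E mitigating controls. "partial" = the control does not see every transaction
# (MC-001 only reviews batches over $10K); "full" = it covers the whole population.
MITIGATING_CONTROLS = {
    "dkim77": ("MC-001", "partial"),
    "tgarcia08": ("MC-002", "full"),
    "rthomas15": ("MC-003", "full"),
}

CRITICAL_ROLES = {"Z_FI_AP_PAY", "Z_MM_VENDOR", "Z_SEC_ADM"}          # Exhibit F, risk level Critical
TERMINATED = {"pjohnson88", "swright42", "jdavis55", "arobinson19", "mhernandez07"}  # Exhibit C
REVIEW_NO_RESPONSE = {"pjohnson88"}                                    # Exhibit H


def find_sod_conflicts(users=SAP_USERS, rules=SOD_RULES):
    """Every forbidden role pair held by a single user, with the matrix's risk level."""
    hits = []
    for user, roles in users.items():
        for a, b in combinations(sorted(roles), 2):
            risk = rules.get(frozenset({a, b}))
            if risk:
                hits.append((user, a, b, risk))
    return hits


def classify_conflict(user, risk, mcs=MITIGATING_CONTROLS):
    """Rating logic the case applies: unmitigated HIGH escalates; a partial MC is still a deficiency."""
    mc = mcs.get(user)
    if mc is None:
        return "Significant Deficiency / MW candidate" if risk == "HIGH" else "Control Deficiency"
    mc_id, coverage = mc
    if coverage == "partial":
        return f"Control Deficiency (partial MC {mc_id})"
    return f"Mitigated ({mc_id}) - test that it operates"


def find_orphaned_accounts(users=SAP_USERS, terminated=TERMINATED):
    """Terminated per HR (Exhibit C) but still holding SAP roles (Exhibit A)."""
    return sorted(u for u in users if u in terminated and users[u])


def unescalated_no_response(no_response=REVIEW_NO_RESPONSE, users=SAP_USERS):
    """Policy says NO RESPONSE auto-revokes; anyone still holding roles is an AC-04 failure."""
    return sorted(u for u in no_response if users.get(u))


def census_population(users=SAP_USERS, critical=CRITICAL_ROLES):
    """Sampling framework: privileged users and SoD conflicts are tested 100%, not sampled."""
    conflicted = {hit[0] for hit in find_sod_conflicts(users)}
    privileged = {u for u, roles in users.items() if roles & critical}
    return sorted(conflicted | privileged)


if __name__ == "__main__":
    for user, a, b, risk in find_sod_conflicts():
        print(f"{user:10} {a} + {b}  {risk:6}  -> {classify_conflict(user, risk)}")
    print("orphaned:", find_orphaned_accounts())
    print("no-response not revoked:", unescalated_no_response())
    print("census population:", census_population())
```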

Key Policy SLAs (Exhibit G — IT-SEC-004)

Provisioning (AC-02)
  • Requires manager approval before access grant
  • Requires data owner approval before access grant
  • SLA: access granted within 2 business days of approval
  • Critical roles (Z_SEC_ADM, Z_FI_AP_PAY, Z_MM_VENDOR) require CISO/Treasurer/Controller approval additionally
Terminations (AC-03)
  • Entra ID account disabled within 4 hours of HR termination record
  • SAP roles to be reviewed and removed within 24 hours
  • Involuntary terminations: immediate disable required
  • Access review escalation: NO RESPONSE = auto-revoke per policy (not followed for pjohnson88)
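The three failure patterns above (an unmitigated SoD pair in Exhibit F terms, an Entra ID disable that never reached SAP, and a NO RESPONSE review row that was not auto-revoked) are all joins across the exhibits. The script below is an added example written for this guide, not the case study's data or any tool from the course: the Exhibit F role ratings and the Exhibit H reviewer decisions are taken from the page, while the SAP user-role assignments, the Entra ID status set, the mitigating-control register and the two conflict pairs beyond the GL and AP pairs the case names are constructed assumptions.

```python
"""ITGC access analytics over the Meridian Energy Holdings exhibits.

Added example, not the case study's own data or tooling. Exhibit F (role
matrix) and Exhibit H (review decisions) come from the page; the SAP user-role
assignments, Entra ID status, mitigating-control register and the procurement
and vendor-master SoD pairs are constructed assumptions.
"""

RISK_ORDER = ["Low", "Medium", "High", "Critical"]

# Exhibit F: role -> (function, risk level)
ROLE_MATRIX = {
    "Z_FI_GL_POST":    ("General Ledger",   "High"),
    "Z_FI_GL_APPROVE": ("General Ledger",   "High"),
    "Z_FI_AP_PROC":    ("Accounts Payable", "High"),
    "Z_FI_AP_PAY":     ("Accounts Payable", "Critical"),
    "Z_MM_PURCH":      ("Procurement",      "Medium"),
    "Z_MM_PO_APP":     ("Procurement",      "High"),
    "Z_MM_VENDOR":     ("Master Data",      "Critical"),
    "Z_SEC_ADM":       ("IT Security",      "Critical"),
    "Z_PM_MAINT":      ("Operations",       "Low"),
}

# AC-05 conflict pairs. The GL and AP pairs are the ones the case describes;
# the procurement and vendor-master pairs are assumed for illustration.
SOD_RULES = {
    frozenset({"Z_FI_GL_POST", "Z_FI_GL_APPROVE"}): "post and approve own journal entries",
    frozenset({"Z_FI_AP_PROC", "Z_FI_AP_PAY"}):     "enter invoices and release payments",
    frozenset({"Z_MM_PURCH", "Z_MM_PO_APP"}):       "create and approve own purchase orders",
    frozenset({"Z_MM_VENDOR", "Z_FI_AP_PAY"}):      "create vendor master records and pay them",
}

# Constructed Exhibit A style SAP population (user -> roles held).
SAP_USERS = {
    "jsmith01":   ["Z_FI_GL_POST"],
    "mwilson03":  ["Z_FI_GL_APPROVE"],
    "bjones22":   ["Z_FI_AP_PROC"],
    "pjohnson88": ["Z_FI_GL_POST"],                     # terminated 01/31/2025
    "jbrown61":   ["Z_FI_GL_POST", "Z_FI_GL_APPROVE"],  # unmitigated SoD
    "dkim77":     ["Z_FI_AP_PROC", "Z_FI_AP_PAY"],      # partially mitigated SoD
    "rthomas15":  ["Z_MM_PURCH"],
}

# Constructed Exhibit C style status: Entra ID accounts disabled on termination.
ENTRA_DISABLED = {"pjohnson88", "jdavis55"}

# Constructed Exhibit E style mitigating-control register.
MITIGATING_CONTROLS = {"dkim77": "Controller reviews payment batches > $10,000"}

# Exhibit H reviewer decisions (from the page).
ACCESS_REVIEW = {
    "jsmith01": "APPROVED", "mwilson03": "APPROVED", "bjones22": "APPROVED",
    "lperez29": "REVOKED", "pjohnson88": "NO RESPONSE",
}


def sod_conflicts(users=SAP_USERS, rules=SOD_RULES, mcs=MITIGATING_CONTROLS):
    """Return (user, conflict, risk, mitigating control or None) for every
    user holding both roles of a conflict pair. Risk is the higher of the
    two roles' Exhibit F ratings."""
    findings = []
    for user, roles in users.items():
        held = set(roles)
        for pair, desc in rules.items():
            if pair <= held:
                risk = max((ROLE_MATRIX[r][1] for r in pair), key=RISK_ORDER.index)
                findings.append((user, desc, risk, mcs.get(user)))
    return findings


def unmitigated_sod(users=SAP_USERS):
    """The MW candidates: conflicts with no documented mitigating control."""
    return [f for f in sod_conflicts(users) if f[3] is None]


def orphaned_sap_access(users=SAP_USERS, disabled=ENTRA_DISABLED):
    """Users whose Entra ID is disabled but who still hold SAP roles: the
    AC-03 design gap (the Entra disable does not deprovision SAP)."""
    return sorted(u for u, roles in users.items() if u in disabled and roles)


def review_escalations(review=ACCESS_REVIEW):
    """NO RESPONSE rows that IT-SEC-004 says must auto-revoke (AC-04)."""
    return sorted(u for u, d in review.items() if d == "NO RESPONSE")


if __name__ == "__main__":
    for f in sod_conflicts():
        print("SoD:", f)
    print("Unmitigated:", [f[0] for f in unmitigated_sod()])
    print("Orphaned SAP access:", orphaned_sap_access())
    print("Auto-revoke per policy:", review_escalations())
```

Run against the constructed population it returns jbrown61 as the only unmitigated conflict, pjohnson88 as the only orphaned SAP account, and pjohnson88 again as the only review row the policy says to auto-revoke, which is exactly the cross-exhibit picture the case builds. Because privileged and SoD populations are tested 100% (census), the same joins run over the full SAP export rather than a sample.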

Deficiency Summary — What to Know for the Exam

Finding | Control | Exception | Classification | Rationale
--- | --- | --- | --- | ---
REQ-2503 — no data owner approval | AC-02 | 1/6 (16.7%) | Control Deficiency | Single instance; access aligned to job; no apparent harm. But policy breach = deficiency.
REQ-2505 — SLA missed (4 days vs. 2) | AC-02 | 1/6 (16.7%) | Control Deficiency | Isolated timing issue; no unauthorized access risk. May be systemic if root cause is workflow.
jdavis55 — 16.75 hr termination gap | AC-03 | 1/5 (20%) | Significant Deficiency | Extended exposure window (16.75 hrs) on SOX system. Root cause systemic (Friday batch gap).
pjohnson88 — orphaned SAP role post-term | AC-03 / AC-04 | Design + Operating | Sig. Deficiency → MW candidate | Terminated employee retains SAP role 5+ months later. Access review failed to catch. Reactivation risk.
jbrown61 — unmitigated JE post + approve SoD | AC-05 | No MC documented | Significant Deficiency → MW candidate | Unmitigated HIGH SoD on GL in a SOX entity. No compensating control. Direct financial statement risk.
dkim77 — partial MC ($10K threshold) | AC-05 | Partial mitigation | Control Deficiency | MC addresses large payments but leaves small-dollar fraud risk unmitigated.

How the Case Study Connects to the Readings & Slides

Milgram → jdavis55 & jbrown61

Diffusion of responsibility: "The IT team disables Entra ID — SAP cleanup is someone else's job." No one person owns the full termination workflow → pjohnson88's SAP role persists for 5 months.

Agentic state: The analyst who processes the AC-03 checklist without flagging the 16.75-hour gap is acting as an instrument, not a moral agent.

Solzhenitsyn → SoD / Findings

The auditor who documents jbrown61's SoD conflict as "noted — management to address" without escalating is participating in a small daily lie. Non-participation = escalating to the audit committee per IIA standards.

Didion → Independence / Objectivity

The auditor who accepts management's assurance that the $10K MC for dkim77 is "sufficient" without testing it independently is seeking approval rather than applying the internal standard of self-respect / objectivity (P2).

ITGC Slides → 8 Reporting Rules

The jdavis55 termination finding is the canonical before/after example from the 8 Reporting Rules: "1 of 5 (20%) terminations exceeded the 4-hr SLA. jdavis55 disabled 16.75 hrs after HR term (Fri 5pm → Sat 9:45am). Compensating: no post-term logins confirmed. Root cause: Friday batch sync gap. Rec: real-time Workday-to-Entra sync."
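The numbers in that finding (16.75 hours, 1 of 5, the Friday batch gap) are the output of a positive test of AC-03: for each termination in the sample, compute the exposure window, compare it to the SLA, and look for a pattern in the exceptions that points at a root cause. The block below is an added example written for this guide rather than the case study's workpaper: the jdavis55 timestamps are the page's, the other four termination rows are constructed, and the "spans a weekend day" check is my own heuristic for evidencing a weekday-only sync, not a method the case describes.

```python
"""Positive test of AC-03 (termination SLA) over a termination log.

Added example; the jdavis55 timestamps are the page's, the other rows are
constructed, and the weekend-spanning heuristic for the batch-sync root cause
is an assumption about how to evidence it, not the case's method.
"""
from datetime import datetime, timedelta

SLA = timedelta(hours=4)

# (user, HR termination record, Entra ID disabled) in local time.
TERMINATIONS = [
    ("jdavis55",   "2025-03-07 17:00", "2025-03-08 09:45"),  # Exhibit C (page)
    ("pjohnson88", "2025-01-31 10:00", "2025-01-31 11:30"),  # constructed
    ("lperez29",   "2025-04-15 09:00", "2025-04-15 09:40"),  # constructed
    ("tnguyen04",  "2025-05-02 16:30", "2025-05-05 07:05"),  # constructed Friday case
    ("kmoore19",   "2025-06-10 14:00", "2025-06-10 15:10"),  # constructed
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def elapsed_hours(terminated, disabled):
    """Exposure window: HR record to account disable, in hours."""
    return (_ts(disabled) - _ts(terminated)).total_seconds() / 3600


def spans_weekend(terminated, disabled):
    """True if any calendar day from termination to disable is a Saturday or
    Sunday, i.e. the gap sits where a weekday-only sync would not run."""
    day, end = _ts(terminated).date(), _ts(disabled).date()
    while day <= end:
        if day.weekday() >= 5:
            return True
        day += timedelta(days=1)
    return False


def sla_exceptions(rows=TERMINATIONS, sla=SLA):
    """(user, hours, weekend_gap) for every termination disabled after the SLA."""
    out = []
    for user, term, dis in rows:
        hrs = elapsed_hours(term, dis)
        if timedelta(hours=hrs) > sla:
            out.append((user, round(hrs, 2), spans_weekend(term, dis)))
    return out


def root_cause_systemic(exceptions):
    """All exceptions share the weekend pattern: process design, not a one-off."""
    return bool(exceptions) and all(weekend for _, _, weekend in exceptions)


def headline(rows=TERMINATIONS, sla=SLA):
    """Reporting Rules 1 and 2: lead with the quantified result."""
    exc = sla_exceptions(rows, sla)
    pct = 100 * len(exc) / len(rows)
    return (f"{len(exc)} of {len(rows)} ({pct:.0f}%) terminations exceeded "
            f"the {sla.seconds // 3600}-hr SLA")


if __name__ == "__main__":
    print(headline())
    for user, hrs, weekend in sla_exceptions():
        print(f"  {user}: {hrs} hrs, weekend gap={weekend}")
    print("Root cause systemic:", root_cause_systemic(sla_exceptions()))
```

With the constructed rows the headline reads "2 of 5 (40%) terminations exceeded the 4-hr SLA", and both exceptions span a weekend, which is the evidence you would cite for "root cause: Friday batch sync gap" rather than one-off human error. The compensating factor (no post-termination sign-ins) is a separate test against the sign-in log, not something this timing test can establish.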

📝 70-Question Practice Exam

Instructions: Q1–50 cover the slide decks; Q51–60 cover Solzhenitsyn & Didion; Q61–70 cover Milgram together with the Meridian Energy Holdings case study and applied ITGC concepts. Each question below is followed by the correct answer and its explanation.

Question 1 · IIA Standards
The 2024 Global Internal Audit Standards consist of how many domains, principles, and standards?
B is correct. The 2024 Standards have 5 Domains, 15 Principles, and 52 Standards. The old "Attribute" and "Performance" categories were eliminated.
Question 2 · IIA Standards
Which of the following is a NEW addition to the stated purpose of internal auditing in the 2024 Standards?
C is correct. "Foresight" — anticipating emerging risks and future challenges — is explicitly new in the 2024 Standards. The board now expects auditors to "see around corners."
Question 3 · IIA Standards
Kant's categorical imperative is used to illustrate which IIA Principle?
B is correct. Kant's categorical imperative ("act only as you could will to become universal law") illustrates Integrity (Principle 1). If all auditors concealed findings to protect relationships, the profession would collapse.
Question 4 · IIA Standards
Husserl's "epoché" — suspending assumptions to let evidence speak — is applied to illustrate which principle?
C is correct. Husserl's epoché (bracketing assumptions) illustrates Objectivity (Principle 2). The most dangerous bias is confirmation bias — auditors must actively look for disconfirming evidence.
Question 5 · IIA Standards
Aristotle's concept of "phronesis" (practical wisdom) is associated with which principle?
A is correct. Phronesis = practical wisdom through experience. Competency (P3) is not just certifications — it's the capacity to see what matters in a specific context and knowing when to use specialists.
Question 6 · IIA Standards
Domain III of the 2024 Standards is considered the most significant change because it:
B is correct. Domain III defines "Essential Conditions" that boards and management must provide. It made explicit what was always implicit — boards have real accountability for internal audit effectiveness.
Question 7 · IIA Standards
In the Three Lines Model, which line is responsible for independent assurance to the board?
C is correct. Internal Audit is the Third Line and provides independent assurance on governance, risk management, and controls to the board. It tests both 1st and 2nd line effectiveness.
Question 8 · IIA Standards
Which of the following correctly describes Assurance Services under the 2024 Standards?
B is correct. Assurance: 3 parties (auditor, auditee, stakeholders); auditor determines scope; results in formal conclusions (not opinions); skepticism is default. Examples: SOX testing, compliance reviews.
Question 9 · IIA Standards
Under Domain V, the 2024 Standards use which new term instead of "opinion"?
C is correct. The 2024 Standards use "conclusion" instead of "opinion" — a more accurate term for what audit work produces.
Question 10 · IIA Standards
Topical Requirements are effective how long after issuance, and what must auditors document?
C is correct. Topical Requirements are effective 12 months after issuance. Auditors must document which requirements apply to each engagement and the rationale for any exclusions.
Question 11 · IIA Standards
The External Quality Assessment (EQA) requirement under Standard 12.4 specifies:
C is correct. EQA is required every 5 years, and at least one team member must be an active CIA. This is now explicitly stated in Standard 12.4.
Question 12 · IIA Standards
Heidegger's concept of "aletheia" (unconcealment/truth) is applied to illustrate:
B is correct. Aletheia (ἀλήθεια) means unconcealment — truth as bringing what is hidden into the open. An audit finding is an act of unconcealment: making visible what the organization could not see about itself.
Question 13 · IIA Standards
Providing advisory services on a process may:
B is correct. Providing advisory services on a process may impair objectivity for future assurance engagements. Standard 7.2 requires safeguards in these situations.
Question 14 · IIA Standards
The "Four C's of Findings" framework consists of:
B is correct. The Four C's: Condition (what IS), Criteria (what SHOULD BE), Cause (WHY the gap exists), Consequence (WHY it matters / the risk or impact).
Question 15 · IIA Standards
Internal audit can rely on second-line work, but before reporting conclusions must:
B is correct. IA can coordinate with and rely on 2nd line work, but must independently verify before reporting conclusions. The lines should collaborate but maintain distinct roles.
Question 16 · Cybersecurity
What makes cyber risk fundamentally different from most other business risks?
B is correct. Most risks are passive (market volatility doesn't try to defeat your hedging strategy). Cyber risk is adversarial — an intelligent actor actively probes and adapts. This changes everything about how you assess it.
Question 17 · Cybersecurity
The CIA Triad's "Integrity" objective protects against:
C is correct. Integrity = information and systems are accurate, complete, and unaltered except by authorized actions. Threats include data tampering, malware, and man-in-the-middle attacks.
Question 18 · Cybersecurity
Which CIA Triad objective would a DDoS attack most directly threaten?
C is correct. DDoS (Distributed Denial of Service) attacks target Availability — making systems inaccessible to authorized users. Other availability threats include ransomware and system failures.
Question 19 · Cybersecurity
The "asymmetric" nature of cyber risk means:
B is correct. The fundamental asymmetry: defenders must protect everything, but attackers only need to find one weakness. This asymmetry is structural and permanent. Growth and security are in constant tension.
Question 20 · Cybersecurity
The 2013 Target data breach is cited as an example of which organizational pathology?
C is correct. The Ownership Gap: Target's HVAC vendor had network access. Who owned that relationship? Who reviewed their security? The answer was effectively "no one." Unowned relationships become attack vectors.
Question 21 · Cybersecurity
Equifax being PCI compliant when it was breached illustrates which organizational pathology?
D is correct. The Compliance Trap: Compliance ≠ Security. Equifax, Target, and Capital One all passed audits but were breached. Attackers don't check compliance status. Organizations optimize for passing audits, not actual security.
Question 22 · Cybersecurity
In a defense-in-depth model, a SIEM (Security Information and Event Management) system is an example of which control type?
B is correct. SIEM is a detective control — it identifies attacks in progress or after the fact through log monitoring and anomaly detection. Preventive controls stop attacks; corrective controls respond/recover.
Question 23 · Cybersecurity
The IIA Cybersecurity Topical Requirement was released on:
B is correct. Released February 5, 2025. Effective February 5, 2026. One year to prepare. It was the first Topical Requirement under the 2024 IPPF.
Question 24 · Cybersecurity
According to the Verizon DBIR, most breaches are caused by:
C is correct. Year after year, the Verizon DBIR shows: stolen credentials, phishing, and unpatched vulnerabilities cause most breaches. Not zero-days or AI-powered attacks — basic hygiene failures. Fundamentals beat sophistication.
Question 25 · Cybersecurity
Which of the following best describes the "learned helplessness" organizational pathology in cybersecurity?
B is correct. Learned helplessness is the fatalistic attitude that sophisticated attackers are unstoppable. The reality: most breaches exploit basic failures. Stoic wisdom — focus on what you can control. Fundamentals prevent 95% of attacks.
Question 26 · Cybersecurity
The IIA Cybersecurity Topical Requirement's three domains are:
B is correct. The three domains are: Governance (does leadership own cybersecurity?), Risk Management (do they know what they're protecting?), and Controls (are the controls actually working?). Maps to NIST and COBIT frameworks.
Question 27 · Cybersecurity
Encryption at rest and in transit is primarily a control at which defense-in-depth layer?
C is correct. The Data Layer includes encryption at rest/transit, DLP (Data Loss Prevention), classification, access controls, and backups. These protect the data itself regardless of what layer it's accessed from.
Question 28 · Cybersecurity
An internal auditor's role in cybersecurity is best described as:
B is correct. Internal audit provides independent assessment of security posture, validates controls, bridges technical teams and the board, identifies blind spots, and holds management accountable for remediation. IA is NOT a pen testing team or a guarantee against breach.
Question 29 · ITGC Testing
Positive testing of an access control verifies:
B is correct. Positive testing = "Did the control work when it should have?" — testing the happy path. Select legitimate transactions and verify approvals obtained, within timeframes, by authorized individuals, with proper documentation.
Question 30 · ITGC Testing
A control requires manager approval for access requests, but the policy is vague about timelines and doesn't specify what "manager" means (direct, skip-level, department head). This is primarily a:
C is correct. TOD evaluates if the control can work. Precision asks: Is the control specific enough? "Manager approval" vs. "Direct manager via ServiceNow within 24 hours with documented justification" — the former lacks precision and is a design gap.
Question 31 · ITGC Testing
Based on AICPA/PCAOB guidance, how many samples should an auditor test for a HIGH RISK control that occurs DAILY?
C is correct. For a daily control at high risk: 40-60 samples. Low risk daily = 10-15. Moderate risk daily = 20-30. Higher risk, higher frequency, prior exceptions, and higher desired confidence all increase sample size.
Question 32 · ITGC Testing
For privileged users and SoD (Segregation of Duties) conflicts, the recommended sampling method is:
D is correct. For high-risk populations like privileged users and SoD conflicts, auditors should consider 100% testing (census) regardless of population size. Missing one can have material consequences.
Question 33 · ITGC Testing
Haphazard sampling is described as:
B is correct. Haphazard = auditor selects without a specific pattern. Used for small populations or preliminary testing. Limitations: unconscious bias and not statistically valid. Not appropriate for high-risk populations.
Question 34 · ITGC Testing
When classifying an exception where a good policy exists (SLA defined, approval workflow documented) but a required approval was simply skipped by an employee, this is a:
B is correct. Good design, bad execution = Operating Effectiveness (OE) failure. Remedy: training, monitoring, automation. Critical distinction: don't prescribe training for a design problem. Classification drives the right recommendation.
Question 35 · ITGC Testing
Under the external audit risk rating framework, what is a "Material Weakness"?
C is correct. Material Weakness = reasonable possibility that material misstatement will not be prevented or detected by the company's ICFR. Result: adverse ICFR opinion. Significant Deficiency is less severe but still requires reporting to audit committee.
Question 36 · ITGC Testing
The "R" tick mark in audit documentation means:
B is correct. "R" = Recalculated — the auditor independently verified the calculation. Every tick mark must be defined in a legend on the work paper. "T" = Traced/Tied, "I" = Inquiry, "✓" = Tested no exception, "✗" = Exception identified.
Question 37 · ITGC Testing
The "Golden Rule" of audit documentation states:
B is correct. The Golden Rule: If you can't point to a specific exhibit, row, or document for every fact in your finding, you haven't documented it properly. Every assertion must trace to specific evidence.
Question 38 · ITGC Testing
In internal audit findings (versus external), what additional elements are included that are NOT typically in external management letter findings?
B is correct. Internal audit findings include accountability: named individuals, specific data, owner + due date, and space for management's response/action plan. External audit uses generalized language ("certain users") and high-level recommendations.
Question 39 · ITGC Testing
Required documentation elements for sampling methodology include all of the following EXCEPT:
C is correct. Required documentation includes: population source, population completeness verification, selection criteria, sample size rationale, selection method, and sample listing. CAE written approval is NOT a listed required element. The test: could another auditor recreate your exact sample?
Question 40 · ITGC Testing
The "Best Practice" for sample selection when a population has both general and high-risk items is:
C is correct. Best practice: combine methods. Random/stratified for general population + 100% census for privileged users and SoD conflicts. This balances efficiency with appropriate risk coverage.
Question 41 · Mixed
Which of the following is a Topical Requirement released under the 2024 IPPF?
B is correct. Topical Requirements include: Cybersecurity, IT Governance, Privacy Risk Management, Third-Party Management, and Sustainability & ESG. ERM and ICFR are not listed Topical Requirements.
Question 42 · Mixed
According to the engagement lifecycle, what percentage of effort should fieldwork typically represent?
B is correct. Fieldwork = 40-50% of effort (the largest portion). Planning = 20-30%. Reporting = 15-20%. Follow-up = ongoing. Most audit failures are planning failures despite planning being a smaller portion.
Question 43 · Mixed
If an auditor discovers that a terminated user's account was not disabled until 16.75 hours after termination (SLA = 4 hours), but sign-in logs confirm no post-termination logins occurred, the finding should:
C is correct. Document the control gap (16.75 hrs vs. 4-hr SLA = OE failure) AND acknowledge the compensating factor (no unauthorized access occurred). Rule #6 of reporting: acknowledge compensating factors. The risk didn't materialize, but the control gap still exists.
Question 44 · Mixed
An auditor is reviewing a cybersecurity control that prevents users from self-approving their own access requests. Attempting to self-approve in the test environment to verify the block is which type of test?
C is correct. Negative testing = "Did the control prevent what it should have?" Attempting to self-approve tests the guardrail. Does the system reject it? This tests the negative scenario.
Question 45 · Mixed
The "Reviewer's Test" for sampling documentation asks:
B is correct. The Reviewer's Test: Could another auditor recreate your exact sample from your documentation? If not, your methodology isn't sufficiently documented. This ensures reproducibility and defensibility.
Question 46 · Mixed
Plato's "Forms" (ideal essences) as referenced in the IIA Standards lecture represent:
B is correct. Standards represent Platonic ideals — articulating what excellent internal auditing looks like, a reference point against which we measure ourselves. "Practice without form is mere improvisation."
Question 47 · Mixed
Which of the following best describes why audit findings should help security teams rather than punish them?
B is correct. Security teams are often overwhelmed and underappreciated. Approach as a partner, not an adversary. Audit's goal is the same — protecting the organization. Findings should help security teams get resources, not punish them.
Question 48 · Mixed
Which statement about the "No Surprises" principle in audit reporting is correct?
B is correct. "No surprises in the final report." If you haven't discussed a finding with management before issuing, you've failed at communication. Management responses are their words — but auditors can comment on them.
Question 49 · Mixed
A report states: "Several users had issues with their access during the period." According to the 8 Rules for Audit Reporting Excellence, this violates which rule?
B is correct. "Quantify everything" — not "several users" but "3 of 127 (2.4%)." Vague language undermines credibility and doesn't communicate the magnitude of the issue. Always use numbers.
Question 50 · Mixed
Which statement BEST captures the philosophical core of internal auditing as described in the course materials?
B is correct. The philosophical core: internal auditors make the invisible visible. This is Heideggerian aletheia (unconcealment), Socratic questioning, trained attention — the auditor's essential task is illuminating what organizations cannot see about themselves. Everything else is technique.
📖 Questions 51–60: The Reading
Joan Didion's "On Self-Respect" — and its connections to the IIA standards
Question 51 · Didion
According to Didion, what is the source from which self-respect springs?
C is correct. Didion is explicit: "character — the willingness to accept responsibility for one's own life — is the source from which self-respect springs." It is an internal standard entirely independent of others' approval or one's reputation.
Question 52 · Didion
Didion argues that self-deception is:
B is correct. Didion: "self-deception remains the most difficult deception." No winning smiles, no prettily drawn lists of good intentions will work in that well-lit back alley. This connects directly to the IIA's confirmation bias warning under Objectivity (Principle 2).
Question 53 · Didion
The "interminable documentary" metaphor in Didion's essay describes:
B is correct. To live without self-respect is to be an unwilling audience to an interminable documentary detailing one's failings — fresh footage spliced in for every screening. Counting sins of commission and omission, trusts betrayed, promises broken, gifts wasted through sloth or cowardice.
Question 54 · Didion → IIA Connection
Didion's concept of discipline as "a habit of mind that can be developed, trained, coaxed forth" most closely parallels which IIA principle?
C is correct. Didion's "discipline as habit of mind, developed and trained" echoes both Due Professional Care (P4) — applying skepticism proportionately and systematically — and Objectivity (P2) — the trained attention that must be cultivated through practice. P3/phronesis is wisdom cultivated through experience, which is related but distinct from Didion's disciplinary practice.
Question 55 · Didion → IIA Connection
An auditor who softens a finding because the engagement manager seems displeased, and who tells themselves "I'm sure the control is fine, I just can't find the evidence" — which two Didion concepts does this simultaneously illustrate?
B is correct. The auditor fails on both counts: (1) their "standard" is the manager's approval rather than character — Didion's central critique of false self-respect; and (2) they are deceiving themselves with "I'm sure the control is fine" — exactly the self-deception that no winning smile can paper over in the well-lit back alley. This is the integrated exam question: can you see both Didion concepts operating simultaneously in a single audit scenario?
Question 56 · Didion
What is the significance of Jordan Baker vs. Julian English in Didion's argument?
B is correct. This is Didion's paradox: Jordan Baker is careless and dishonest, yet she has self-respect — she made her own peace and avoided threats to it. Julian English is seemingly respectable but hollow inside, and ultimately destroys himself. The lesson: self-respect is an internal condition, not an external reputation. An auditor can look compliant and professional while being completely hollow inside.
Question 57 · Didion
Didion describes "alienation from self" in its advanced stages as:
B is correct. Advanced alienation from self means every encounter demands too much. You can't say no without drowning in self-reproach. Eventually you run from yourself and find no one at home. Applied to audit: the senior who has compromised on every engagement eventually loses the professional self entirely — they can no longer even identify what their actual judgment is, separate from what the partner wants to hear.
Question 58 · Didion
Didion argues that people with genuine self-respect have "the courage of their mistakes." In an audit context, this most directly means:
B is correct. The courage of one's mistakes means owning them cleanly — no excuses, no blame-shifting, no rationalization. In audit practice: if you find that prior-year workpapers misclassified a control, you flag it. If your sample missed a key population, you expand it. You don't rationalize. This is integrity (P1) expressed as Didion's self-respect.
Question 59 · Didion → IIA Connection
Didion writes that self-respect involves "small disciplines" that "represent larger ones — not for the ritual itself but as a way of remembering who and what we are." The IIA audit practice most directly parallel to this is:
B is correct. Didion's small disciplines are the audit equivalent of proper documentation habits: every tick mark sourced, every exhibit cross-referenced, every conclusion supported. These seem like rituals, but they are the structural expression of integrity — when the pressure comes to soften a finding or skip a step, it's the auditor who maintained small disciplines who holds. The one who cut corners in good times has no muscle to flex in hard ones.
Question 60 · Didion — Applied Synthesis
Which statement BEST captures Didion's "On Self-Respect" as applied to the practice of internal auditing?
B is correct. Didion's entire argument is that self-respect — and therefore integrity — is an internal standard that has nothing to do with others' approval. The auditor who softens findings to keep the partner happy, who self-deceives about control effectiveness, who lacks the courage of their mistakes — that auditor will eventually run from themselves and find no professional self at home. The IIA's five ethics principles are not bureaucratic rules; they describe what a person with Didion's self-respect looks like in an audit context.
🏢 Questions 61–70: Meridian Energy Holdings Case Study
Applied ITGC testing, SoD analysis, deficiency classification, and connections to readings
Question 61 · Case Study — Termination Testing
In Exhibit C, James Davis (jdavis55) was terminated Friday 03/07 at 5:00pm. His Entra ID account was disabled Saturday 03/08 at 9:45am. What is the elapsed time, and what is the root cause of this exception?
B is correct. 5:00pm Friday to 9:45am Saturday = 16.75 hours — far exceeding the 4-hour SLA. The root cause is systemic: the automated sync that pushes HR terminations to Entra ID only runs on weekday mornings. Any employee terminated on a Friday afternoon falls into a gap until Monday. This is a process design flaw, not a one-time human error, which elevates the classification toward Significant Deficiency.
Question 62 · Case Study — User Population Analysis
Paul Johnson (pjohnson88) appears in Exhibit A (active SAP user population) with role Z_FI_GL_POST. Cross-referencing Exhibits C and H, what is the full scope of the problem?
B is correct. This is a compounding failure across two controls. AC-03 met the 4-hour Entra ID SLA but had no corresponding procedure to clean up SAP roles. AC-04 (access review) should have caught this as a compensating control, but the NO RESPONSE case wasn’t escalated to auto-revoke as policy requires. The result: a terminated employee’s SAP role persists for 5+ months. If SSO is reconfigured or a local SAP account exists, reactivation risk is real. This is a strong Significant Deficiency or Material Weakness candidate.
Question 63 · Case Study — SoD Analysis
Jennifer Brown (jbrown61) has both Z_FI_GL_POST (post journal entries) and Z_FI_GL_APPROVE (approve journal entries). Exhibit E shows no mitigating control is documented. How should this be classified on a SOX engagement, and why?
C is correct. A Material Weakness requires a “reasonable possibility” that a material misstatement would not be prevented or detected — not proof that one occurred. An unmitigated ability for one person to both post and approve journal entries on a public company’s GL meets this threshold. No fraud needs to have happened. The absence of any documented mitigating control means the auditor cannot conclude the risk is mitigated. Immediate escalation and remediation (remove one role OR implement independent GL review) is required.
Question 64 · Case Study — Provisioning Testing
REQ-2503 (rthomas15, role Z_MM_PURCH) shows manager approval obtained but data owner approval field is blank (“—”). Access was granted the next day. How should you treat this exception?
B is correct. The control objective AC-02 explicitly requires both manager and data owner approval before access is granted. The absence of data owner approval is an exception to the control — period. Risk level of the role doesn’t change whether the control operated as designed; it affects the severity of the exception (classification), not its existence. Accepting verbal confirmation post-hoc is not valid audit evidence for a control that requires contemporaneous documented approval.
Question 65 · Case Study — Mitigating Controls
The mitigating control for dkim77’s SoD conflict (Z_FI_AP_PROC + Z_FI_AP_PAY) is: “Controller reviews all payment batches exceeding $10,000 before release.” What risk does this leave unaddressed?
B is correct. A sophisticated fraudster (or one who understands the control threshold) would structure payments to stay under $10,000. This is a real-world fraud technique called “structuring.” The MC covers large payments but leaves a gap for small-dollar fraud. Additionally, the MC doesn’t address the invoice entry side — dkim77 can enter fictitious vendor invoices regardless of amount. A stronger control would be either removing one role or requiring review of all payments (or all invoices) regardless of dollar amount.
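Until one of dkim77's roles is removed, the audit question is what detective analytic covers the population the Controller never sees. The block below is an added example for this guide, not the case study's code: it isolates the sub-threshold, self-released payments and flags (user, vendor) pairs whose near-threshold payments add up past the threshold inside a short window. The threshold and the dkim77 conflict come from the page; the payment rows, the window and the near-threshold band are constructed assumptions, and the analytic covers only the payment-release side, not the invoice-entry gap the answer also mentions.

```python
"""Detection analytic for the gap left by dkim77's $10,000 review threshold (AC-05).

Added example, not the case study's code. The payment rows are constructed;
the threshold and the dkim77 AP_PROC + AP_PAY conflict come from the page.
It covers only the payment-release side, not the invoice-entry gap.
"""
from collections import defaultdict
from datetime import date

THRESHOLD = 10_000.00

# (document, entered_by, released_by, vendor, posting date, amount), all constructed.
PAYMENTS = [
    ("5000101", "dkim77",   "dkim77",   "V-4471", date(2025, 5, 6),  9_850.00),
    ("5000102", "dkim77",   "dkim77",   "V-4471", date(2025, 5, 6),  9_900.00),
    ("5000103", "dkim77",   "dkim77",   "V-4471", date(2025, 5, 7),  9_750.00),
    ("5000104", "bjones22", "tgreen09", "V-1020", date(2025, 5, 6),  4_200.00),
    ("5000105", "bjones22", "tgreen09", "V-1020", date(2025, 5, 6),  6_100.00),
    ("5000106", "dkim77",   "dkim77",   "V-2210", date(2025, 5, 8), 12_400.00),
]


def controller_reviews(payment, threshold=THRESHOLD):
    """The documented mitigating control sees only batches above the threshold."""
    return payment[5] > threshold


def gap_population(payments=PAYMENTS, threshold=THRESHOLD):
    """Payments the MC never sees: entered and released by the same user,
    at or below the review threshold."""
    return [p for p in payments
            if p[1] == p[2] and not controller_reviews(p, threshold)]


def suspected_structuring(payments=PAYMENTS, threshold=THRESHOLD,
                          window_days=3, band=0.85):
    """Flag (user, vendor) pairs whose self-released sub-threshold payments
    are each within `band` of the threshold and together exceed it inside a
    rolling window of `window_days`. Returns {(user, vendor): largest total}."""
    groups = defaultdict(list)
    for p in gap_population(payments, threshold):
        if p[5] >= band * threshold:
            groups[(p[1], p[3])].append(p)
    flagged = {}
    for key, rows in groups.items():
        rows.sort(key=lambda r: r[4])
        for i, first in enumerate(rows):
            run = [r for r in rows[i:] if (r[4] - first[4]).days <= window_days]
            total = sum(r[5] for r in run)
            if len(run) >= 2 and total > threshold:
                flagged[key] = max(total, flagged.get(key, 0.0))
    return flagged


if __name__ == "__main__":
    print("Outside the MC:", [p[0] for p in gap_population()])
    for (user, vendor), total in suspected_structuring().items():
        print(f"Review: {user} -> {vendor}, {total:,.2f} across near-threshold payments")
```

On the constructed ledger the Controller's review catches only document 5000106; the three V-4471 payments sit below the threshold individually but total $29,500 within two days, so they surface for review. The flag is a prompt for the Controller to examine the batch, not a conclusion that fraud occurred, which is the same fact-versus-judgment line the reporting rules draw.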
Question 66 · Case Study — TOD vs. TOE
For AC-01 (MFA enforcement via Entra ID), an auditor inspects the Entra ID configuration and confirms the MFA policy is enabled for all users. What type of test is this, and what does it NOT tell you?
B is correct. Inspecting the configuration is a Test of Design (TOD) — it answers “could this control work?” To conclude operating effectiveness, you need evidence that the control actually operated throughout the year: MFA authentication logs, sign-in reports showing MFA challenges, or exception reports for any MFA bypasses. A well-configured policy that was bypassed for all legacy app users all year would pass TOD and fail TOE.
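The distinction becomes concrete when the two tests are written out side by side: the TOD reads the policy object, the TOE reads the sign-in log and asks whether every successful sign-in was actually MFA-challenged. The block below is an added example for this guide, not evidence from the case: the policy summary and the sign-in records are constructed, and the field names (userPrincipalName, authenticationRequirement, status.errorCode) follow the Microsoft Graph sign-in resource as an assumption about the export format.

```python
"""TOD vs. TOE for AC-01 (MFA enforcement) over a constructed sign-in export.

Added example, not the case study's evidence. Policy object and sign-in
records are constructed; field names follow the Microsoft Graph signIn
resource as an assumption about the export format.
"""
import json

# Constructed Conditional Access policy summary: what the auditor inspects for TOD.
MFA_POLICY = {
    "displayName": "Require MFA - all users",
    "state": "enabled",
    "users": {"include": ["All"]},
    "grant": ["mfa"],
}

# Constructed sign-in export, one JSON object per line (errorCode 0 = success).
SIGNIN_LOG = """\
{"userPrincipalName":"jsmith01@meh.example","createdDateTime":"2025-03-03T08:02:11Z","appDisplayName":"SAP SSO","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"userPrincipalName":"bjones22@meh.example","createdDateTime":"2025-03-03T08:15:40Z","appDisplayName":"Legacy Reporting","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
{"userPrincipalName":"mwilson03@meh.example","createdDateTime":"2025-03-03T09:01:05Z","appDisplayName":"SAP SSO","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"userPrincipalName":"rthomas15@meh.example","createdDateTime":"2025-03-04T07:44:19Z","appDisplayName":"Legacy Reporting","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
{"userPrincipalName":"bjones22@meh.example","createdDateTime":"2025-03-05T08:10:02Z","appDisplayName":"Legacy Reporting","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0}}
"""


def test_of_design(policy=MFA_POLICY):
    """TOD: could the control work? Enabled, scoped to all users, MFA required."""
    return (policy["state"] == "enabled"
            and "All" in policy["users"]["include"]
            and "mfa" in policy["grant"])


def parse_signins(text=SIGNIN_LOG):
    """One record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def test_of_operating_effectiveness(records=None):
    """TOE: did the control operate? Every *successful* sign-in must carry an
    MFA requirement. Failed sign-ins are not access and are excluded.
    Returns (population size, [(user, app, time)] exceptions)."""
    records = parse_signins() if records is None else records
    successes = [r for r in records if r["status"]["errorCode"] == 0]
    exceptions = [(r["userPrincipalName"], r["appDisplayName"], r["createdDateTime"])
                  for r in successes
                  if r["authenticationRequirement"] != "multiFactorAuthentication"]
    return len(successes), exceptions


def conclusion():
    """Design passes while operation fails: the Q66 scenario in one result."""
    population, exceptions = test_of_operating_effectiveness()
    return {
        "TOD": test_of_design(),
        "TOE": not exceptions,
        "exception_rate": f"{len(exceptions)} of {population}",
        "bypass_apps": sorted({app for _, app, _ in exceptions}),
    }


if __name__ == "__main__":
    print(conclusion())
```

On the constructed log the policy is enabled for all users (TOD passes) while 2 of 4 successful sign-ins were single-factor, both through the same legacy application (TOE fails). That is the evidence that turns "the policy looks right" into a finding about the legacy-authentication bypass, and the app list is what points remediation at the right place.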
Question 67 · Case Study — Sampling
MEH had approximately 47 terminations in the first half of 2025. Exhibit C tests only 5. What is the appropriate sample size for a daily/high-risk control, and is 5 sufficient for a SOX engagement?
B is correct. Per ITGC slide guidance and AICPA/PCAOB standards: for a high-risk control with daily/frequent operation, the recommended sample is 40–60. For moderate risk: 20–30. For low risk: 10–15. Termination access is high risk (SOX, financial system access). Testing only 5 would need documented justification — e.g., this is a preliminary sample, the population is small, or this is a lower-assurance engagement. For a public SOX engagement, 5 would typically be insufficient to draw a conclusion about operating effectiveness over a full year.
Question 68 · Case Study — SSO & Technology
MEH uses Single Sign-On (SSO) between Entra ID and SAP. An auditor asks: “If Entra ID goes down, can users still access SAP?” What is the correct answer and its audit implication?
B is correct. SSO creates a single control point — Entra ID — which is both a strength and a risk. If SAP has local super-user accounts (SAP* is the default SAP emergency account), those can bypass SSO entirely. A thorough ITGC auditor asks: are SAP local accounts disabled? Is the SAP* account locked or password-randomized? Is the DDIC account locked? These are privileged access risks that exist even in an SSO environment. This is a TOD question — the design has a gap if local accounts aren’t addressed.
Question 69 · Case Study — Readings Connection
An audit senior reviews pjohnson88’s orphaned SAP role, notes it in the workpaper as “management is aware,” and closes the item without escalating or classifying it as a deficiency. Which reading and which concept most directly applies?
A is correct. This scenario illustrates Milgram’s agentic state — the senior has transferred responsibility upward (“management is aware”) and ceased to function as an independent moral agent. It also parallels Solzhenitsyn: noting “management is aware” instead of “Significant Deficiency” is a small daily participation in a professional lie. Didion would add: the senior who does this repeatedly will eventually find no professional self at home. All three readings converge on the same audit failure: small acts of compliance that accumulate into systemic integrity failure.
Question 70 · Case Study — Management Letter
Using the jdavis55 termination exception, which of the following is the best-drafted management letter comment applying the 8 Reporting Rules?
B is correct. This is the 8 Reporting Rules applied perfectly: (1) lead with headline — “1 of 5 (20%)”; (2) quantify — specific names and timestamps; (3) fact vs. judgment — “16.75 hours” is fact, “SLA exceeded” is the judgment; (4) define population — 5 terminations tested; (5) show your math — 03/07 5pm → 03/08 9:45am; (6) acknowledge compensating controls — no post-term logins confirmed; (7) actionable rec — specific technical fix (real-time sync trigger), not “improve the process”; (8) writes for the skeptic — every assertion is supported. Option A is a textbook example of the weak, vague report the 8 Rules are designed to replace.