Certified Internal Auditor (CIA) Part 3: Business Knowledge for Internal Auditing — Question 74

According to IIA guidance on IT auditing, which of the following would not be an area examined by the internal audit activity?

Answer options

• A. Access system security.
• B. Policy development.
• C. Change management.
• D. Operations processes.

Correct answer: B

Explanation

The correct answer is B, as policy development is usually the responsibility of management rather than the internal audit function, which focuses on evaluating controls and processes. The other options—Access system security, Change management, and Operations processes—are directly related to IT operations and are typically examined by internal auditors to ensure compliance and effectiveness.