A directive control is a policy, procedure, or guideline that establishes expected behavior to mitigate risks. In the context of outsourcing HR functions, a data protection clause in the contract ensures that the service provider is legally obligated to protect sensitive employee data.

Why a Data Protection Clause Is the Most Appropriate Directive Control?

Legal and Regulatory Compliance – It ensures the service provider complies with GDPR, CCPA, ISO 27001, SOC 2, and other data protection laws.
Defines Security Responsibilities – Specifies encryption, access controls, data retention policies, and penalties for non-compliance.
Enforceable Accountability – The contract holds the provider accountable for data breaches or misuse.
Industry Best Practice – Most outsourcing agreements include a Data Processing Agreement (DPA) as part of the contractual terms.

Why Not the Other Options?

A. Require a SOC report – A SOC (Service Organization Control) report assesses the provider’s internal controls, but it does not enforce compliance.
C. Obtain a nondisclosure agreement (NDA) – An NDA is useful, but it only prevents individuals from sharing data; it does not define data security requirements.
D. Encrypt the employees' data before transmitting it – Encryption is a strong preventive control, but it does not provide a directive policy the way a contract clause does.

IIA References:

IIA’s International Professional Practices Framework (IPPF) – Standard 2201 – Requires internal auditors to assess contract terms related to risk management.
COSO’s Enterprise Risk Management (ERM) Framework – Recommends contractual agreements for third-party risk mitigation.
ISO 27001 Annex A.15.1.2 – Specifies that security requirements must be addressed in supplier contracts.

✅ Final Answer: B. Include a data protection clause in the contract with the service provider. (Most appropriate directive control.)