Auditing test


1. An audit charter should:

A. be dynamic and change often to coincide with the changing nature of technology and the audit profession.

B. clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls.

C. document the audit procedures designed to achieve the planned audit objectives.

D. outline the overall authority, scope and responsibilities of the audit function.

Answer: ___________________________

2. Which of the following criteria for selecting the applications to be audited is LEAST likely to be used?

A. Materiality of audit risk

B. Sensitivity of transactions

C. Technological complexity

D. Regulatory agency involvement

Answer: ___________________________

3. Which of the following is the MOST likely reason why e-mail systems have become a useful source of evidence for litigation?

A. Multiple cycles of backup files remain available

B. Access controls establish accountability for e-mail activity

C. Data classification regulates what information should be communicated via e-mail

D. Within the enterprise, a clear policy for using e-mail ensures that evidence is available


NAME: ______________________________________

4. While planning an audit, an assessment of risk should be made to provide:

A. Reasonable assurance that the audit will cover material items.

B. Definite assurance that material items will be covered during the audit work.

C. Reasonable assurance that all items will be covered by the audit.

D. Sufficient assurance that all items will be covered during the audit work.


5. When evaluating the collective effect of preventive, detective or corrective controls within a process, an IS auditor should be aware of which of the following?

A. The point at which controls are exercised as data flow through the system

B. Only preventive and detective controls are relevant

C. Corrective controls can only be regarded as compensating

D. Classification allows an IS auditor to determine which controls are missing

Answer: ___________________________

6. During an implementation review of a multiuser distributed application, an IS auditor finds minor weaknesses in three areas—the initial setting of parameters is improperly installed, weak passwords are being used and some vital reports are not being checked properly. While preparing the audit report, the IS auditor should:

A. Record the observations separately with the impact of each of them marked against each respective finding.

B. Advise the manager of probable risks without recording the observations since the control weaknesses are minor ones.

C. Record the observations and the risk arising from the collective weaknesses.

D. Apprise the departmental heads concerned with each observation and properly document it in the report.


7. When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:

A. controls needed to mitigate risks are in place.

B. vulnerabilities and threats are identified.

C. audit risks are considered.

D. a gap analysis is appropriate.


8. The success of control self-assessment (CSA) depends highly on:

A. Having line managers assume a portion of the responsibility for control monitoring.

B. Assigning staff managers the responsibility for building, but not monitoring, controls.

C. The implementation of a stringent control policy and rule-driven controls.

D. The implementation of supervision and the monitoring of controls of assigned duties.

Answer: ___________________________

9. A long-term IS employee has asked to transfer to IS auditing. The individual has a strong technical background and broad managerial experience. According to ISACA’s General Standards for IS Auditing, consideration should be given to the candidate’s:

A. Length of service since this will help ensure technical competence

B. IS knowledge since this will bring enhanced credibility to the audit function

C. Existing IS relationships and ability to retain audit independence

D. Age as training in audit techniques may be practical


10. Which of the following audit techniques would BEST aid an auditor in determining whether there have been unauthorized program changes since the last authorized program update?

A. Test data run

B. Code review

C. Automated code comparison

D. Review of code migration procedures


11. The IT balanced scorecard (BSC) is a business governance tool intended to monitor IT performance evaluation indicators other than:

A. Financial results.

B. Customer satisfaction.

C. Internal process efficiency.

D. Innovation capacity.


12. Which of the following is the initial step in creating a firewall policy?

A. A cost-benefit analysis of methods for securing the applications

B. Identification of network applications to be externally accessed

C. Identification of vulnerabilities associated with network applications to be externally accessed

D. Creation of an applications traffic matrix showing protection methods


13. The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program?

A. Utilization of an intrusion detection system to report incidents

B. Mandating the use of passwords to access all software

C. Installing an efficient user log system to track the actions of each user

D. Training provided on a regular basis to all current and new employees


14. IT control objectives are useful to IS auditors since they provide the basis for understanding the:

A. Desired result or purpose of implementing specific control procedures.

B. Best IT security control practices relevant to a specific entity.

C. Techniques for securing information.

D. Security policy.


15. Which of the following is the MOST important function to be performed by IS management when a service has been outsourced?

A. Ensuring that invoices are paid to the provider

B. Participating in systems design with the provider

C. Renegotiating the provider’s fees

D. Monitoring the outsourcing provider’s performance


16. Is it appropriate for an IS auditor from a company that is considering outsourcing its IS processing to request and review a copy of each vendor’s business continuity plan?

A. Yes, because an IS auditor will evaluate the adequacy of the service bureau’s plan and assist their company in implementing a complementary plan.

B. Yes, because based on the plan, an IS auditor will evaluate the financial stability of the service bureau and its ability to fulfill the contract.

C. No, because the backup to be provided should be specified adequately in the contract.

D. No, because the service bureau’s business continuity plan is proprietary information.


17. An IS auditor was hired to review e-business security. The IS auditor’s first task was to examine each existing e-business application, looking for vulnerabilities. What would be the next task?

A. Immediately report the risks to the CIO and CEO

B. Examine e-business application in development

C. Identify threats and likelihood of occurrence

D. Check the budget available for risk management

Answer: ___________________________

18. In an organization, the responsibilities for IT security are clearly assigned and enforced, and an IT security risk and impact analysis is consistently performed. This represents which level of ranking in the information security governance maturity model?

A. Optimized

B. Managed

C. Defined

D. Repeatable


19. Which of the following IT governance best practices improves strategic alignment?

A. Supplier and partner risks are managed.

B. A knowledge base on customers, products, markets and processes is in place.

C. A structure is provided that facilitates the creation and sharing of business information.

D. Top management mediates between the imperatives of business and technology.


20. A top-down approach to the development of operational policies will help ensure:

A. That they are consistent across the organization.

B. That they are implemented as a part of risk assessment.

C. Compliance with all policies.

D. That they are reviewed periodically.


21. Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?

A. Overlapping controls

B. Boundary controls

C. Access controls

D. Compensating controls


22. Which of the following reduces the potential impact of social engineering attacks?

A. Compliance with regulatory requirements

B. Promoting ethical understanding

C. Security awareness programs

D. Effective performance incentives


23. Which of the following is the MOST important element for the successful implementation of IT governance?

A. Implementing an IT scorecard

B. Identifying organizational strategies

C. Performing a risk assessment

D. Creating a formal security policy


24. A benefit of open system architecture is that it:

A. facilitates interoperability.

B. facilitates the integration of proprietary components.

C. will be a basis for volume discounts from equipment vendors.

D. allows for the achievement of more economies of scale for equipment.


25. A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers for all products. Which of the following is the PRIMARY concern associated with this initiative?

A. Issues of privacy

B. Wavelength can be absorbed by the human body

C. RFID tags may not be removable

D. RFID eliminates line-of-sight reading


26. Which of the following is the MOST important criterion when selecting a location for an offsite storage facility for IS backup files? The offsite facility must be:

A. physically separated from the data center and not subject to the same risks.

B. given the same level of protection as that of the computer data center.

C. outsourced to a reliable third party.

D. equipped with surveillance capabilities.


27. Which of the following findings should an IS auditor be MOST concerned about when performing an audit of backup and recovery and the offsite storage vault?

A. There are three individuals with a key to enter the area

B. Paper documents are also stored in the offsite vault

C. Data files that are stored in the vault are synchronized

D. The offsite vault is located in a separate facility


28. Which of the following represents the GREATEST risk created by a reciprocal agreement for disaster recovery made between two companies?

A. Developments may result in hardware and software incompatibility

B. Resources may not be available when needed

C. The recovery plan cannot be tested

D. The security infrastructures in each company may be different


29. Which of the following disaster recovery/continuity plan components provides the GREATEST assurance of recovery after a disaster?

A. The alternate facility will be available until the original information processing facility is restored.

B. User management is involved in the identification of critical systems and their associated critical recovery times.

C. Copies of the plan are kept at the homes of key decision-making personnel.

D. Feedback is provided to management, assuring them that the business continuity plans are, indeed, workable and that the procedures are current.


30. Which of the following would have the HIGHEST priority in a business continuity plan?

A. Resuming critical processes

B. Recovering sensitive processes

C. Restoring the site

D. Relocating operations to an alternative site


31. An IS auditor has audited a business continuity plan. Which of the following findings is the MOST critical?

A. Nonavailability of an alternate private branch exchange (PBX) system

B. Absence of a backup for the network backbone

C. Lack of backup systems for the users’ PCs

D. Failure of the access card system


32. During a business continuity audit, an IS auditor found that the business continuity plan covered only critical processes. The IS auditor should:

A. Recommend that the business continuity plan cover all business processes.

B. Assess the impact of the processes not covered.

C. Report the findings to the IT manager.

D. Redefine critical processes.


33. An IS auditor noted that an organization had adequate business continuity plans for each individual process, but no comprehensive business continuity plan. Which would be the BEST course of action for the IS auditor?

A. Recommend that an additional comprehensive business continuity plan be developed.

B. Determine whether the business continuity plans are consistent.

C. Accept the business continuity plans as written.

D. Recommend the creation of a single business continuity plan.

Answer: ___________________________

34. Which of the following is MOST important when there is a lack of adequate fire detection and control equipment in the computer areas?

A. Adequate fire insurance

B. Regular hardware maintenance

C. Off-site storage of transaction and master files

D. Fully tested backup processing facilities

Answer: ___________________________

35. When developing a business continuity plan, which of the following tools should be used to gain an understanding of the organization’s business processes?

A. Business continuity self-audit

B. Resource recovery analysis

C. Business impact analysis

D. Gap analysis

Answer: ___________________________

36. The PRIMARY objective of testing a business continuity plan is to:

A. Familiarize employees with the business continuity plan.

B. Ensure that all residual risks are addressed.

C. Exercise all possible disaster scenarios.

D. Identify limitations of the business continuity plan.


37. In determining the acceptable time period for the resumption of critical business processes:

A. only downtime costs need to be considered.

B. recovery operations should be analyzed.

C. both downtime costs and recovery costs need to be evaluated.

D. indirect downtime costs should be ignored.


38. Separation of duties between computer operators and other data processing personnel is intended to:

A. Prevent unauthorized modifications to program or data.

B. Reduce overall cost of operations.

C. Allow operators to concentrate on their assigned duties.

D. Restrict operator access to data.

Answer: ___________________________

39. During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that:

A. assessment of the situation may be delayed.

B. execution of the disaster recovery plan could be impacted.

C. notification of the teams might not occur.

D. potential crisis recognition might be ineffective.

Answer: ___________________________

40. Which of the following pairs of job functions/duties would an organization MOST likely keep separate?

A. Operations and Programming.

B. Systems Analysis and Programming.

C. Database Administration and IS Management.

D. Tape Librarian and Program Librarian.