Computer and internal control [Reviewer]

The document consists of multiple-choice questions related to computer and internal control, focusing on the control environment, risk assessments, and internal control components. It covers topics such as the importance of ethical standards, audit committee responsibilities, and the significance of management philosophy in internal controls. The questions assess understanding of various concepts, including commitment to competence, segregation of duties, and monitoring activities within an organization.

Uploaded by

Rhobie

COMPUTER AND INTERNAL CONTROL

MULTIPLE-CHOICE QUESTIONS

Control Environment

1. Which of the following statement/s is/are correct?
Statement I: The control environment includes the attitudes, awareness, and actions of management and those charged with governance concerning the entity’s internal control and its importance in the entity.
Statement II: In active participation of those charged with governance, the auditor should assess the management's attitude towards financial reporting and their emphasis on meeting projected profit goals because these will significantly influence the risk of material misstatements in the financial statements.
A. Only Statement I is correct
B. Only Statement II is correct
C. Both statements are correct
D. Both statements are false
ANSWER: A

2. All of the following are components of internal control except:
A. Control Environment
B. Risk Assessment
C. Control Activities
D. Communication Systems
ANSWER: D

3. Under the Control Environment, it refers to the importance of establishing ethical standards that discourage employees from engaging in dishonest and unethical acts.
A. Active participation of those charged with governance
B. Integrity and Ethical Values
C. Commitment to competence
D. Organizational Structure
ANSWER: B

4. Commitment to competence refers to:
A. The entity should consider the level of competence required for each task and translate it to requisite knowledge and skills.
B. The entity should have an audit committee
C. The entity must implement appropriate policies and procedures for hiring, training, and evaluating personnel
D. Appropriate methods of assigning responsibilities to personnel
ANSWER: A

5. The entity must implement appropriate policies for hiring, training, evaluating, promoting, and compensating the entity's personnel because the competence of the entity’s employees will bear directly on the effectiveness of the entity’s internal control. This refers to:
A. Personnel policies and procedures
B. Commitment to competence
C. Management philosophy and operating style
D. Organizational structure
ANSWER: A

6. The entity must have an audit committee which will be responsible for overseeing the financial reporting policies and practices of the entity. This refers to:
A. Commitment to competence
B. Active participation of those charged with governance
C. Personnel policies and procedures
D. Effective Organizational Structure
ANSWER: B

7. This provides a framework for planning, directing, and controlling the entity’s operations. Appropriate methods of assigning responsibility must be implemented to avoid incompatible functions and to minimize the possibility of errors because of too much workload assigned to an employee.
A. Organizational Structure
B. Personnel Policies and Procedures
C. Active participation of those charged with governance
D. Integrity and Ethical Values
ANSWER: A

8. Which of the following is not a subcomponent of the control environment?
A. Management Philosophy and operating style
B. Organizational Structure
C. Adequate Segregation of duties
D. All are subcomponents of the control environment
ANSWER: C

9. Management philosophy and operating style most likely would have a significant influence on an entity’s control environment when
A. The internal auditor reports directly to the management
B. Management is dominated by one individual
C. Accurate management job descriptions delineate specific duties
D. The audit committee actively oversees the financial reporting process
ANSWER: D

10. Which of the following components of internal control structures include the development of employee promotion and training policies?
A. Control Activities
B. Control Environment
C. Information and communication
D. Quality control system
ANSWER: B

11. It is important for the auditor to consider the competence of the audit client’s employees
because their competence bears directly and importantly upon the
A. Cost-benefit relationship of internal control
B. Achievement of the objectives of internal control
C. Comparison of recorded accountability with assets
D. Timing of the tests to be performed
ANSWER: B

12. This sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for effective internal control, providing discipline and structure.
A. Control Environment
B. Information and Communication systems
C. Quality Assurance Control
D. Control Activities
ANSWER: A

Risk Assessments

13. Which of the following statement/s is/are correct?
Statement I: Risks arising from the use of IT relate to the “susceptibility of information-processing controls to effective design or operation, or risks to the integrity of information in the entity’s information system, due to ineffective design or operation of controls in the entity’s IT processes.
Statement II: Risk is the net negative impact of the exercise of a vulnerability, considering only the probability of occurrence
A. Statement I only
B. Statement II only
C. Both Statements are correct
D. Both Statements are false
ANSWER: D

14. The following are the components of risk equation except
A. Threat-source
B. Vulnerability
C. Asset
D. Threat
ANSWER: A

15. All of the following describes risk assessment except
A. Risk assessment is a process that aims to identify, evaluate and prioritize the risks associated with an IT system.
B. Organizations use risk assessment to determine the extent of the potential threat and the risk associated with an IT system throughout its SDLC.
C. Risk Assessments focus on identifying the threats facing your information systems, networks and data, and assessing the potential consequences you’d face should these adverse events occur
D. The output of this process helps to identify appropriate controls for completely eliminating risk during the risk mitigation process
ANSWER: D

16. When should risk assessments ideally be conducted within an organization?
A. On a regular basis or whenever major changes occur
B. Only whenever major changes occur
C. On a regular basis and whenever major changes occur
D. On an annual basis and whenever minor changes occur
ANSWER: C

17. Which from the choices best distinguishes the risk assessments conducted by auditors from those conducted by management?
a) Auditors assess risks to evaluate the likelihood of material misstatements in the financial statements in a financial statement audit, while management assesses risks to achieve entity objectives.
b) Auditors focus on identifying potential material misstatements in financial statements, while management focuses on evaluating the effectiveness of internal controls.
c) Auditors prioritize the analysis of inherent risks, while management prioritizes the analysis of control risks.
d) Auditors evaluate the efficiency of internal controls, while management evaluates the likelihood of material misstatements in financial statements.
ANSWER: A

18. Which of the following statement/s is/are correct?
Statement I: In System Identification activities, the boundaries of the IT system are identified, along with the resources and the information that constitute the system. This establishes the scope of the risk assessment effort, and provides essential information for defining the risk
Statement II: to identify the potential threat-sources and compile a threat statement listing potential threat-sources that are applicable to the IT system being evaluated is the goal of threat identification.
A. Statement I
B. Statement II
C. Both
D. Neither
ANSWER: B

19. Password systems is one of the controls in response to risk of unauthorized access to data programs in what area of information technology
A. Computer operations
B. Computer Programs
C. IT networks and electronic commerce
D. End User Computing
ANSWER: D

20. Which of the following statements is incorrect?
A. Vulnerability are weaknesses that can be intentionally triggered and accidentally exploited
B. Threat is any circumstance or event with the potential to cause harm to an IT system
C. A threat source can be natural, human and environmental
D. Both a and b
ANSWER: D

21. Which is/are incorrect from the following statements?
Statement I: Risk in risk determination is categorised into 3 levels namely high, average and low
Statement II: If an observation or finding is evaluated as a high risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
A. Statement I
B. Statement II
C. Both
D. Neither
ANSWER: C

22. Which of the following statements is incorrect regarding information gathering technique?
A. Information-gathering techniques are used to solicit information relevant to the IT system processing environment.
B. Information gathering can be conducted throughout the risk assessment process, from Step 1 (System Characterization) through Step 9 (Results Documentation).
C. Any, or a combination, of the following techniques can be used in gathering information relevant to the IT system within its operational boundary.
D. Information-gathering techniques include questionnaires, remote interviews, document review and use of automated scanning tool
ANSWER: D

23. Common challenges faced by IT auditor in conducting risk assessments includes all of the following except
A. Cybersecurity
B. Controlling and skills challenges
C. Technological changes
D. Data management and Governance
ANSWER: B

24. How does the type of an entity's IT application and its risk, control and use impact the auditor's assessment of control risk and the amount of further audit procedures needed?
a) The type of IT application and its risk, control and use has no effect on the auditor's assessment of control risk or the amount of further audit procedures needed.
b) The type of IT application and its risk, control and use affects the auditor's assessment of control risk but has no effect on the amount of further audit procedures needed.
c) The type of IT application and its risk, control and use affects both the auditor's assessment of control risk and the amount of further audit procedures needed.
d) The type of IT application affects the amount of further audit procedures needed but has no effect on the auditor's assessment of control risk.
ANSWER: C

Control Activities

25. Control activities include the following:
A. General controls, application controls, physical controls
B. Authorization, Performance reviews, Information processing, Physical controls, Segregation of duties.
C. IT controls, preventive controls, and corrective controls
D. Physical controls, preventive controls, and corrective controls
ANSWER: B

26. The following are the control activities in CIS environment except;
A. Physical Control
B. User Control
C. General Control
D. Application Control
ANSWER: A

27. Which of the following situations is NOT a segregation of duties violation?
A. The accounting clerk who shares the record-keeping responsibility for the accounts receivable subsidiary ledger performs the monthly reconciliation of the subsidiary ledger and the control account
B. The warehouse clerk, who has custodial responsibility over inventory in the warehouse, selects the vendor and authorizes purchases when inventories are low
C. The sales manager has the responsibility to approve credit and the authority to write-off accounts
D. The treasurer has the authority to sign checks but gives the signature block to the assistant treasurer to run the check-signing machine
ANSWER: D

28. The effectiveness of manual follow-up activities depends upon the effectiveness of the programmed control activities that produce the exception reports.
A. True
B. False
C. Maybe
D. None of the above
ANSWER: A

29. No one individual should perform more than one of the functions of authorizing transactions, recording transactions, and maintaining custody over assets.
A. Review Controls
B. Transaction Control
C. Physical Control
D. Segregation of Duties
ANSWER: D

30. General control activities apply to the input, processing, and output of individual applications while Application control activities support many applications.
A. True
B. False
C. Maybe
D. None of the above
ANSWER: B

31. Which of the following statement/s is correct?
Statement I: General authorization occurs when management establishes criteria for acceptance of a certain type of transaction.
Statement II: Specific authorization occurs when transactions are authorized on an individual basis.
A. Statement I is false
B. Only Statement II is true
C. Both statements are true
D. Both statements are false
ANSWER: C

32. Input validation checks increase the accuracy of input data by accepting any data that fail to meet an edit check and by informing the user that revised information is needed.
A. True
B. False
C. Maybe
D. None of the above
ANSWER: B

33. Major types of transaction control include the following except:
A. Supervisory Controls
B. Controls Over Standing Data
C. Authentication
D. Authorizations and Approvals
ANSWER: C

34. System acquisition, development, and maintenance is under what type of control activity
A. General Control Activities
B. Application Control Activities
C. User Control Activities
D. None of the above
ANSWER: A

35. Which of the following statement/s is correct?
Statement I: Limit test is a test of the reasonableness of a field of data, using a predetermined upper and/or lower limit. While validity test is a comparison of data against a master file or table for accuracy.
Statement II: Allowed character test is a test of whether the data inputted is of the proper type, for example, numeric. On the other hand, missing data test is a test to determine that all required fields in a set of input data contain entries.
A. Statement I is false; Statement II is true.
B. Statement I is true; Statement II is false.
C. Both statements are false
D. Both statements are true.
ANSWER: D

36. What is least likely to be an example of physical control?
A. Locks
B. Safes
C. Password
D. Fences
ANSWER: C

Monitoring

37. Which of the following is not true about monitoring?
A. It is a process of assessing the quality of internal control over time.
B. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions.
C. The entity's process to monitor the entity's system of internal control may consist of ongoing activities, separate evaluations (conducted periodically), or some combination of the two.
D. It responds to a specific risk.
ANSWER: D

38. Which of the following statement/s is correct?
Statement I: Management’s monitoring activities may use information in communications from internal parties such as customer complaints or regulator comments that may indicate problems or highlight areas in need of improvement.
Statement II: In more complex entities, and in particular owner-manager entities, the auditor's understanding of the entity's process to monitor the system of internal control is often focused on how management or the owner-manager is directly involved in operations.
A. Only statement I is correct
B. Only statement II is correct
C. Both statements are correct
D. Both statements are false
ANSWER: D

39. According to PSA 315 (Revised 2019), which of the following is not a monitoring of internal control activity?
A. Understanding those aspects of the entity’s process that address ongoing and separate evaluations for monitoring the effectiveness of
controls, and the identification and remediation of control deficiencies identified.
B. Understanding those aspects of the entity’s process that address the entity’s external audit function, if any, including its nature, responsibilities, and activities.
C. Understanding the sources of the information used in the entity’s process to monitor the system of internal control, and the basis upon which management considers the information to be sufficiently reliable for the purpose.
D. Evaluating whether the entity's process for monitoring the system of internal control is appropriate to the entity's circumstances considering the nature and complexity of the entity.
ANSWER: B

40. In understanding the entity's internal audit function, external auditors may do the following except:
A. Inquire with individuals within the internal audit function to understand the nature of their responsibilities.
B. If the auditor expects to use the work performed or to be performed by the internal audit function to adjust the nature, timing, or extent of their audit procedures, the auditor shall apply the International Standard on Auditing (ISA) 610 (Revised 2013).
C. If the auditor determines that the internal audit function's responsibilities are related to financial reporting, they may review the internal audit function's audit plan for the relevant period.
D. Investigate and appraise internal control and the efficiency with which the various units of the organization are performing their assigned functions, and they report their findings and recommendations to management and the audit committee.
ANSWER: D

41. What is the auditor required to obtain an understanding of, according to PSA 315 paragraph 24 (Revised 2019)?
A. The entity's management accounting information
B. The entity's financial statements preparation process
C. The entity's risk assessment procedures
D. The entity's internal control monitoring process
ANSWER: D

42. What best describes the reasons why errors in the information used for monitoring potentially lead management to draw incorrect conclusions?
A. The information obtained is too complex to analyze
B. Management does not have a basis for assuming that the information used is relevant and reliable
C. There are no external communications used
D. The information is not relevant and reliable
ANSWER: B

43. Which is an example of an ongoing evaluation?
A. Automated system alerts
B. Special investigations
C. Regulatory inspections
D. Periodic audits by internal auditors
ANSWER: A

44. How does the monitoring of the system of internal control differ from the measurement and review of financial performance?
A. Monitoring is automated, while measurement and review are manual
B. Monitoring focuses on meeting business performance objectives, while measurement and review focus on control effectiveness
C. Monitoring involves identifying control deficiencies, while measurement and review are focused on technology access controls
D. Monitoring is concerned with monitoring the effectiveness of controls, but measurement and review are directed at whether business performance is meeting the objectives set by management (or third parties).
ANSWER: D

45. What may alert the owner-manager to issues with the timing of when customer payments are being recognized in the accounting records in owner-manager entities?
A. Employee turnover rate
B. Inaccuracies in monthly statements
C. Delayed shipments to customers
D. Customer complaints about product quality
ANSWER: B

46. The following are matters that may be relevant for the auditor to consider when understanding how the entity monitors its system of internal control except
A. The design of the monitoring activities
B. The performance and frequency of the monitoring activities;
C. The evaluation of the results of the controlling activities, on a timely basis, to determine whether the controls have been effective; and
D. How identified deficiencies have been addressed through appropriate remedial actions, including timely communication of such deficiencies to those responsible for taking remedial action
ANSWER: C

47. Which of the following statement/s is correct?
Statement I: The auditor's understanding of the sources of information used by the entity in monitoring the entity's system of internal control, including whether the information used is relevant and reliable, assists the auditor in evaluating whether the entity’s process to monitor the entity's system of internal control is appropriate.
Statement II: If management assumes that information used for monitoring is relevant and reliable without having a basis for that assumption, errors that may exist in the information could potentially lead management to draw correct conclusions from its monitoring activities.
A. Only statement I is correct
B. Only statement II is correct
C. Both statements are correct
D. Both statements are false
ANSWER: A

48. The auditor may also consider how the entity's process to monitor the system of internal control addresses monitoring information processing controls that involve the use of IT. This may include, except:
A. Controls to monitor complex IT environments that evaluate the continuing design effectiveness of information processing controls and modify them, as appropriate, for changes in conditions.
B. Controls that monitor the permissions applied in automated information processing controls that enforce the segregation of duties.
C. Controls that monitor how errors or control deficiencies related to the automation of financial reporting are identified and addressed.
D. All of the choices are correct.
ANSWER: D

Characteristics of Specific EDP System

49. What is the primary focus of personnel control in a small computer environment?
a. Decentralized authorization
b. Security over hardware
c. Centralized authorization
d. Periodic verification
Answer: C

50. This is a common EDP system that usually leaves an easy to follow audit trail
A. Batch processing system
B. Direct random access system
C. Small computer system
D. Distributed system
ANSWER: A

51. What characterizes distributed systems?
A. Centralized processing
B. Limited scalability
C. Sequential data access
D. Network of interconnected computers
ANSWER: D

52. In Data Base Processing, how frequently is the recommended magnetic tape backup of the database?
A. Monthly
B. Weekly
C. At the beginning of each day
D. At the end of each day
ANSWER: D

53. In Data Base Processing, who is responsible for maintaining and restricting access to the database to authorized personnel?
A. User-department
B. Back-up and recovery
C. Database administrator
D. Access control
ANSWER: C

54. In a small computer environment, what is the emphasis in terms of security?
A. Security over hardware
B. Security over software and data
C. Centralized authorization
D. Periodic verification
ANSWER: B

55. Why is periodic verification of processing important in a small computer environment?
A. To focus on personal projects
B. To enhance hardware security
C. To prevent system downtime
D. To prevent the system from being used for personal projects
ANSWER: D

56. What control should be explicitly stated in a contract between a user and a service bureau regarding data files and records ownership?
A. Ownership of data files and records
B. Processing verification
C. Backup and Recovery
D. Password on header labels
ANSWER: A

57. Which control measure is essential in a distributed system to ensure that each remote location is controlled and audited as a separate unit?
A. Uniform standards
B. Segregation
C. Audit unit
D. Centralization
ANSWER: C

58. What is the purpose of a distributed system in which a network of remote computer sites, each having a small computer, is implemented?
A. Centralization of computing power
B. Reduction of load on the main computer system
C. Increased load on the main computer system
D. Slower turnaround of information
ANSWER: B

59. What is the characteristic of direct random access processing?
A. Batch processing of transactions
B. Sequential input of transactions
C. Offline storage of master files
D. Processing data as transactions occur and are entered into the system
ANSWER: D

60. Why is it possible to input transactions in any order in direct random access processing?
a. Due to batch processing limitations
b. Master file records are available sequentially
c. Master file records are available in a random-access fashion
d. Transactions are processed offline
Answer: C

COMPUTER INTERNAL CONTROL

1. These systems enable firms to configure how they use technology and respond promptly to market situations without incurring significant overhead costs.
A. Computer Information System
B. Manual Accounting System
C. Double Entry System
D. None of the above
Answer: A

2. All are examples of Computer Information System, except for
A. Processing Systems
B. Management Information Systems
C. Double Entry System
D. Finance and Accounting Systems
Answer: C

3. This internal framework component is the foundation for the other four control components.
A. Monitoring
B. Control activities
C. Control environment
D. Risk assessment
Answer: C

4. All of the following are the broad objectives of internal control, except
A. To safeguard the assets of the firm
B. To measure noncompliance with management’s prescribed policies and procedures
C. To promote efficiency in the firm’s operations
D. To ensure the accuracy and reliability of accounting records and information
Answer: B

5. The establishment and maintenance of a system of internal control is the responsibility of
A. Employees
B. Customer
C. Management
D. Investors
Answer: C

6. The goals remain the same regardless of the method used to process the data—computer-based or manual.
A. True
B. False
Answer: A

7. Organizations need not to perform a risk assessment to identify, analyze, and manage risks relevant to financial reporting.
A. True
B. False
Answer: B

8. These are the limitations in the principles of internal control, except
A. Possibility of Error
B. Changing Conditions
C. Circumvention
D. None of the above
Answer: D

9. COSO stands for
A. Committee of Standard Organization
B. Committee of Supporting Organization
C. Committee of Sponsoring Offices
D. Committee of Sponsoring Organizations
Answer: D

10. This reasonableness implies that the benefits of better control should outweigh the costs involved.
A. True
B. False
Answer: B

11. This legislation is intended to prevent fraud in the securities market and to create more transparency in companies' financial disclosures so that investors have the information they need to make informed decisions.
A. Foreign Corrupt Practices Act (FCPA)
B. Committee Of Sponsoring Organizations Of The Treadway Commission
C. Securities and exchange act of 1934 (Sea)
D. The Sarbanes-Oxley Act of 2002
Answer: C

12. It is an organization that creates recommendations for businesses to evaluate fraud deterrence, risk management, and internal controls.
A. Foreign Corrupt Practices Act (FCPA)
B. Committee Of Sponsoring Organizations Of The Treadway Commission
C. Securities and exchange act of 1934 (Sea)
D. The Sarbanes-Oxley Act of 2002
Answer: B

13. This legislation requires businesses to establish and maintain internal controls.
A. Foreign Corrupt Practices Act (FCPA)
B. Committee Of Sponsoring Organizations Of The Treadway Commission
C. Securities and exchange act of 1934 (Sea)
D. The Sarbanes-Oxley Act of 2002
Answer: A

14. Mandates that publicly traded American businesses evaluate the quality of their financial reporting using internal control systems and provide investors with the findings of these evaluations in their yearly financial reports.
A. Foreign Corrupt Practices Act (FCPA)
B. Committee Of Sponsoring Organizations Of The Treadway Commission
C. Securities and exchange act of 1934 (Sea)
D. The Sarbanes-Oxley Act of 2002
Answer: D

15. The COSO framework was created in year
A. 1965
B. 1992
C. 2000
D. 2005
Answer: B

16. All of the following organizations have contributed to the creation of COSO framework except,
A. American Accounting Association
B. Financial Executives International
C. The Institute of Internal Auditors
D. None of the above
Answer: D

17. Is the set of standards, processes, and structures that provide the basis for carrying out internal controls across the organization.
A. Monitoring
B. Control Activities
C. Risk assessment
D. Control Environment
Answer: D

18. A limitation of internal control where the management is in a position to override control procedures by personally distorting transactions or by directing a subordinate to do so
A. Circumvention
B. Possibility of error
C. Changing conditions
D. Management override
Answer: D

19. A limitation that states every system has flaws.
A. Circumvention
B. Possibility of error
C. Changing conditions
D. Management override
Answer: B

20. It answers the question, how has management implemented policies and procedures that guide the organization?
A. Monitoring
B. Control Activities
C. Risk assessment
D. Control Environment
Answer: D

21. SEA stands for
A. Securities and Exchange Act
B. Securing and Exchange Assets
C. Securities and Exchanging Act
D. None of the above
Answer: A

22. Elements of Control Environment includes the following, except,
A. Integrity and ethical values of management
B. Securing and Exchange Assets
C. Structure of the organization
D. Management’s methods for assessing performance
Answer: B

23. It answers the question, “How does your organization assess risk in order to identify the things that threaten the achievement of their objectives?”
A. Monitoring
B. Control Activities
C. Risk assessment
D. Control Environment
Answer: C

24. Risk assessment is sometimes referred to as enterprise risk management
A. True
B. False
Answer: A

25. It involves your organization's analysis of the risks posed by internal and external changes, the ability to establish objectives and determine their suitability for your business and the process for weighing risks versus risk tolerances.
A. Monitoring
B. Control Activities
C. Risk assessment
D. Control Environment
Answer: C

26. The COSO framework consists of how many components?
A. two
B. five
C. four
D. three
Answer: B

27. A limitation of internal control where conditions may change over time so that existing effective controls may become ineffectual.
A. Circumvention
B. Possibility of error
C. Changing conditions
D. Management override
Answer: C

28. The elements of Control environment do not include:
A. Integrity and ethical values of management
B. Structure of the organization
C. Changing conditions
D. External influences
Answer: C

29. All are instances that arise risk, except
A. Changes in Environment
B. New accounting principle
C. New products or services
D. All are instances that may arise risks
Answer: D

30. A limitation of internal control where employees may use various strategies or coordination to go around the system.
A. Circumvention
B. Possibility of error
C. Changing conditions
D. Management override
Answer: D

31. All of the following are the broad objectives of internal control, except
A. To safeguard the assets of the firm
B. To ensure the accuracy and reliability of accounting records and information
C. To promote inefficiency in the firm’s operations
D. To measure compliance with management’s prescribed policies and procedures
Answer: C

32. Through independent verification procedures, management can assess the following, except:
A. The nature of the client's data processing system.
B. Performance of individuals.
C. Integrity of the transaction processing system.
D. Correctness of data contained in accounting records.
Answer: A

33. Which of the following is/are correct?
Statement I: Control activities are policies and procedures established by management to ensure the risks identified during the risk assessment process are mitigated or reduced to an acceptable level.
Statement II: Control environment are the procedures that help ensure management directives are carried out.
A. Statement I
B. Statement II
C. Both statements are correct
D. None of the two statements
Answer: A

34. The Key Internal Control Activities includes the following, except:
A. Segregation of Duties
B. Authorization and Approval
C. Reconciliation and Review
D. Physical Count
Answer: D

35. It is important that the person who approves transactions have the authority to do so and the necessary knowledge to make informed decisions.
A. True
B. False
Answer: A

36. Authorization involves cross-checking transactions or records of activity to ensure that the information reported is accurate.
A. True
B. False
Answer: B

37. Which of the following is/are incorrect?
Statement I: Detection controls attempt to deter or stop an unwanted outcome before it happens.
Statement II: Preventive controls attempt to uncover errors or irregularities that may already have occurred.
A. Statement I
B. Statement II
C. Both statements are correct
D. Both statements are incorrect
Answer: D

38. Which of the following is/are incorrect?
Statement I: Hard controls are formal and tangible.
Statement II: Soft controls are informal and intangible
A. Statement I
B. Statement II
C. Both statements are correct
D. Both statements are incorrect
Answer: C

39. Which of the following is/are correct?
Statement I: Manual controls are manually performed, either solely manual or IT-dependent, where a system-generated report is used to test a particular control.
Statement II: Automated controls are performed entirely by the computer system.
A. Statement I
B. Statement II
C. Both statements are correct
D. Both statements are incorrect
Answer: C

40. Which of the following is/are incorrect?
Statement I: Key controls are those that must operate effectively to reduce the risk to an acceptable level.
Statement II: Secondary controls are those that do not help the process run smoothly but are essential.
A. Statement I
B. Statement II
C. Both statements are correct
D. None of the statements
Answer: B

41. All of the following are incorrect, except:
A. Implementing segregation of duties where duties are divided among different people
B. Making sure transactions are authorized by a person with no authority
C. Making certain that equipment, inventories, cash and other property are not secured physically
D. Providing employees with inappropriate training and guidance
Answer: A

42. It sits at the top of the triangle and oversees all of the other components.
A. Control Environment
B. Risk Assessment
C. Control Activities
D. Monitoring
Answer: D

43. All of the following are importance of monitoring internal control, except:
A. Protect the effectiveness and efficiency of operations
B. Identify and correct internal control problems on a timely basis
C. Prepare reliable and accurate physical security
D. Assure compliance with applicable laws and regulations
Answer: C

44. Monitoring internal controls gives an organization’s leadership teams greater peace of mind where they know everything is operating as intended without them having to oversee every aspect of the organization.
A. True
B. False
Answer: A

45. What are the two fundamental principles of COSO’s monitoring guidelines?
I. Ongoing and/or separate evaluations enable management to determine whether the other components of internal control continue to function over time
II. Ongoing and/or secondary evaluations enable management to determine whether the other components of internal control continue to function over time
III. Internal control deficiencies are identified and communicated in an alphabetical manner to those parties responsible for taking corrective action and to management and the board as appropriate.
IV. Internal control deficiencies are identified and communicated in a timely manner to those parties responsible for taking corrective action and to management and the board as appropriate.
A. I and II
B. I and III
C. I and IV
D. II and IV
Answer: C

46. Monitoring internal controls helps an organization to achieve its strategic, operating, compliance, and reporting objectives.
A. True
B. False
Answer: A

47. Which of the following is/are incorrect?
Statement I: Monitoring involves evaluating the effectiveness of an organization’s internal control over a specific time period, to assure that internal controls continue to operate effectively.
Statement II: Monitoring is effective when it leads to the identification and correction of control weaknesses before those weaknesses materially affect the achievement of the organization’s objectives.
A. Statement I
B. Statement II
C. Both statements are correct
D. Both statements are incorrect
Answer: C

48. The following are the three broad elements needed to implement by organizations, except:
A. Establish a foundation for monitoring.
B. Design and execute monitoring procedures.
C. Assessment of reports
D. Assess and report results.
Answer: C

49. Which of the following is/are incorrect?
Statement I: Having a starting point from which ongoing monitoring and effective evaluations can be implemented is critical.
Statement II: Some procedures should be focused on persuasive information concerning the operation of key controls that address critical risks to organizational objectives.
A. Statement I
B. Statement II
C. Both statements are correct
D. None of the statements
Answer: B

50. These are Actionable Tips for Internal Controls Monitoring, except:
A. Thoroughly assess potential risks
B. Identify new controls
C. Design and communicate control changes
D. Identify the control changes effectively.
Answer: D

51. Which of the following is/are correct?
Statement I: Thoroughly assess potential risks that threaten the organization’s ability to achieve its business objectives or service commitments.
Statement II: Design and communicate control changes to the personnel responsible for
implementing, carrying out, and reviewing the related control activities.
A. Statement I
B. Statement II
C. Both statements are correct
D. None of the statements
Answer: C

52. Which of the following is/are incorrect?
Statement I: Carefully monitor the organization’s control environment only.
Statement II: Carefully monitor the organization’s control activities.
A. Statement I
B. Statement II
C. Both statements are correct
D. None of the statements
Answer: A

53. The best way to explain the relationship between internal control and internal audit is to consider,
A. COSO Framework
B. Three Lines Model
C. COSO Guidance
D. Three Way Model
Answer: B

54. Internal audit is part of the _____ Line, which involves assessing the effectiveness of the Operational Management Functions and Risk and Compliance Management Functions.
A. First
B. Second
C. Third
D. Fourth
Answer: C

55. Internal audit should ______ to the board of directors, and specifically to the audit committee.
A. report directly
B. report indirectly
C. report immediately
D. not report
Answer: A

56. Internal audit and internal control are designed to provide reasonable assurance that overall established objectives and goals are met efficiently.
A. True
B. False
Answer: A

57. Tools for Monitoring Internal Control includes the following, except:
A. Communication and collaboration tools
B. Security-focused generic tools
C. Regulatory and technical reference tools
D. Document authorization tools
Answer: D

58. These can be used to collect data from other systems, except:
A. Data mining
B. File retrieval
C. Pattern recognition
D. Business external tools
Answer: D

59. Business performance management and real-time compliance tools can provide management with real-time, enterprise-wide data.
A. True
B. False
Answer: A

60. Which of the following is/are incorrect?
Statement I: The tools for monitoring internal controls cannot be used by organizations for them to regularly monitor the effectiveness of their internal control and expose and eliminate internal control weaknesses
Statement II: These tools for monitoring internal controls can be used by organizations for them to regularly monitor the effectiveness of their internal control and expose and do not eliminate internal control weaknesses
A. Statement I
B. Statement II
C. Both statements are correct
D. Both statements are incorrect
Answer: D

GENERAL CONTROLS

1. What is the primary goal of segregating duties in accounting information systems?
A. Eliminate the need for internal audits
B. Reduce employee workload
C. Prevent fraud and errors
D. Improve data accuracy
ANSWER: C

2. Which of the following activities should NOT be performed by the same person in an accounting system?
A. Recording cash receipts
B. Reconciling bank statements
C. Approving purchase orders
D. Printing checks
ANSWER: D

3. In an ideal system, who should control access to sensitive accounting data (e.g., payroll information)
A. The head accountant
B. All employees who need the data for their jobs
C. A dedicated system administrator with restricted access rights
D. The most senior manager in the company
ANSWER: C

4. Which of the following is NOT a benefit of implementing segregation of duties in an accounting system?
A. Reduced risk of fraudulent activity
B. Improved accuracy of financial records
C. Increased employee morale
D. Enhanced internal control environment
ANSWER: C

5. What is a potential consequence of failing to segregate duties effectively in an accounting system?
A. Improved employee efficiency
B. Enhanced data security
C. Increased risk of undetected errors and fraud
D. Reduced need for external audits
ANSWER: C

6. What technology can be used to help enforce segregation of duties in an accounting information system?
A. Spreadsheet software
B. Cloud-based accounting systems
C. Access control lists and user permissions
D. Biometric authentication
ANSWER: C

7. Which type of data commonly uses parity check in accounting systems?
A. Narrative descriptions of transactions
B. Currency amounts expressed in decimals
C. Dates and timestamps of entries
D. Account numbers, identifiers, and codes
ANSWER: D

8. What happens when a parity check doesn’t match the expected value during data processing?
A. The data is automatically deleted and re-entered
B. The system continues processing without any notification
C. An error message is displayed, suggesting potential data entry issues
ANSWER: C

9. How can parity check contribute to preventing fraud in accounting systems?
A. By making it impossible for unauthorized individuals to access data
B. By detecting attempts to manipulate or alter financial records
C. By identifying forged documents or suspicious transactions
D. All of the above
ANSWER: D

10. What is a limitation of using a parity check in accounting systems?
Statement I: They rely on accurate initial data entry, which can still contain errors.
Statement II: They require additional processing resources and increase system complexity.
A. Both I and II
B. Statement I only
C. Statement II only
D. None of the above
ANSWER: A

11. What is the primary reason for using a parity check in accounting information systems?
A. To increase data storage efficiency.
B. To improve search functionality within records.
C. To enhance data security by encryption.
D. To detect errors introduced during data entry or processing.
ANSWER: D

12. A segregation function established to ensure that new systems under development and old systems being changed are adequately controlled and follow department documentation standards.
A. System Programmer
B. Quality Assurance
C. Database Administrator
D. Network Technician
ANSWER: B

13. Echo check is not a hardware control
A. True
B. False
ANSWER: B

14. Echo check is primarily used in telecommunications transmissions
A. True
B. False
ANSWER: A

15. The sending hardware automatically resends any characters that it detects which were received incorrectly
A. True
B. False
ANSWER: A

16. All of these are the steps when doing echo check, except
A. Data is sent
B. Recipients sent back data
C. Differentiate the data
D. Identification of error
ANSWER: C

17. It is designed to locate a malfunction in the computer, a mistake in coding, or both
A. Parity check
B. Diagnostic routine
C. Echo check
D. Periodic Maintenance
ANSWER: B

18. Which of the following statements is true?
A. In an echo check, data received is returned to the sender after a while
B. Data is not transmitted again in an echo check if an error is detected
C. Echo checks do not require a lot of extra data to be transmitted
D. With an echo check, it is not known whether the error occurred when originally sent, or when it was sent back
ANSWER: D

19. Diagnostic routines are often activated when the system is booted up
A. True
B. False
ANSWER: A

20. Audit software cannot be used to analyze the data collected by the diagnostic routines and detect significant trends
A. True
B. False
ANSWER: B

21. The receiving hardware does not repeat back to the sending hardware what it received
A. True
B. False
ANSWER: B

22. Which of the following hardware compares the data?
A. Sender
B. Receiver
ANSWER: A

23. What is the key function of a control group?
A. Recording input data in a control log
B. Following the progress of processing
C. Distributing output
D. All of the above
ANSWER: D

24. Which of the following is not part of the diagnostic routine processes?
A. Power on self test
B. Peripheral Diagnostic Software
C. Manufacturer - Supplied Diagnostic Software
D. Periodic System Diagnostic Software
ANSWER: D

25. Statement 1: Router is a device that allows remote users to connect to a private network securely, ensuring that data remains confidential during transmission.
Statement 2: Switch is a device that works to control the flow of data between two or more network segments
A. Only statement 1 is true.
B. Only statement 2 is true.
C. Both statements are true.
D. Both statements are false.
ANSWER: D

26. Statement 1: Firewall is a device that controls the flow of network traffic between networks or hosts that employ differing security postures
Statement 2: Boundary protection ensures that simultaneous job destroys the allocated memory of another job.
A. Only statement 1 is true.
B. Only statement 2 is true.
C. Both statements are true.
D. Both statements are false.
ANSWER: A

27. Most CPUs have multiple jobs running simultaneously. To ensure that these simultaneous jobs cannot destroy or change the allocated memory of another job, the system contains _______.
A. Software controls
B. Hardware controls
C. Boundary protection
D. Periodic maintenance
ANSWER: C

28. Which of the following statements is not one of the importance of periodic maintenance?
A. Help increase the lifetime of assets and reduce the number of equipment repairs and replacements
B. Help ensure timely and coordinated servicing of equipment so that they always perform to their best
C. Help ensure that simultaneous jobs cannot destroy or change the allocated memory of another job
D. Help to prevent unexpected hardware failures
ANSWER: C

29. Gateway is
A. A hardware and software solution that enables communications between two dissimilar networking systems or protocols
B. A device that controls the flow of traffic between different networks, enforces routing policies, and enhances security by filtering and inspecting data packets.
C. A device that regenerates and retransmits the signal on a network.
D. A device that monitors and filters HTTP traffic, identifying and blocking malicious activities.
ANSWER: A

30. A device that works to control the flow of data between two or more network segments
A. CPU
B. Router
C. Bridge
D. Firewall
ANSWER: B

31. It is the brain of a computer, containing all the circuitry needed to process input, store data, and output results.
A. CPU
B. Router
C. Bridge
D. Firewall
ANSWER: A

32. Statement 1: Systems should be examined periodically by a qualified auditor.
Statement 2: Periodic maintenance helps to prevent unexpected hardware failures.
A. Only statement 1 is true.
B. Only statement 2 is true.
C. Both statements are true.
D. Both statements are false.
ANSWER: B

33. Most CPUs have multiple jobs running simultaneously or known as
A. multiprogramming environment
B. simple programming environment
C. single programming environment
D. none of the above
ANSWER: A

34. Statement 1: Periodic maintenance is not considered as a general control.
Statement 2: The levels of system maintenance includes hardware, software, and documentation maintenance.
A. Only statement 1 is true.
B. Only statement 2 is true.
C. Both statements are true.
D. Both statements are false.
ANSWER: B

35. All are examples of hardware maintenance except:
A. Cleaning of the system
B. Resistance of the system
C. Configuration and update of the OS
D. Correct location of the system
ANSWER: C

36. Which of the following is an example of documentation maintenance?
A. Database maintenance
B. Configuration and update of the OS
C. Cleaning of the system
D. none of the above
ANSWER: D

37. Which of the following statements is/are true?
1. Access to program documentation should be limited to those persons who require it in the performance of their duties.
2. Access to data files and programs should be unlimited, regardless of authorization.
3. Access to computer hardware should be limited to authorized individuals such as computer operators and their supervisors.
A. Only statement 1 is true.
B. Only statements 1 and 2 are correct.
C. Only statements 1 and 3 are correct.
D. None of the above.
ANSWER: C

38. What is an alternative method to restrict physical access to facilities containing EDP equipment and files?
A. Wearing an ID badge to enter a secured area
B. Recording visits in a visitor’s log
C. Escorting by an authorized person in the secure area
D. Using new access devices allowing entry through fingerprints
ANSWER: D

39. Which options fall under physical controls?
A. Access Control Software and Visitor Entry Logs
B. Limited Physical Access and Visitor Entry Logs
C. Limited Physical Access and Call Back
D. Encryption Boats and Periodic Maintenance
ANSWER: B

40. Which of the following is not a goal of implementing software controls?
A. Ensure access to systems software.
B. Ensure errors are detected within application programs.
C. Ensure data files are protected from unauthorized use or modification.
D. Restrict access to systems documentation.
ANSWER: A

41. What controls are those general controls that are built into the computer during its manufacture and are designed to detect equipment malfunctions?
A. Program Controls
B. Operation Controls
C. Hardware Controls
D. Software Controls
ANSWER: C

42. What primarily contributes to the reliability of modern computers?
A. Computer operation controls
B. Applications systems development & maintenance controls
C. Data entry & program controls
D. Hardware & systems software controls
ANSWER: D

43. Identify the incorrect statement(s):
A. The control procedures for systems software should differ from those applied to the installation and changes of application programs.
B. The auditor must be mindful of control features in computer hardware, the operating system, and supporting software, ensuring their optimal utilization.
C. All statements are correct.
D. All statements are incorrect.
ANSWER: A

44. Which of the following is not an example of a hardware control?
A. Diagnostic Routines
B. Echo Check
C. Sound Check
D. Dual Arithmetic Check
ANSWER: C

45. Which of the following is not true?
A. Physical controls are needed to protect the software programs themselves.
B. Limited access to computer hardware should be granted to authorized individuals, such as computer operators and their supervisors.
C. Systems programs have hardware controls integrated into them.
D. Echo check is primarily used in telecommunications transmissions.
ANSWER: C

46. Which practice is important for managing access to a company’s computer systems?
A. Giving everyone unrestricted access to program documentation.
B. Allowing employees to choose their own access to data files and programs.
C. Limiting computer hardware access to authorized individuals like operators.
D. Providing unlimited access to all IT resources for everyone.
ANSWER: C

47. Access to computer hardware should be limited to highly ranked individuals such as computer operators and their supervisors.
A. True
B. False
ANSWER: B

48. Visitor entry logs enable entry into secured areas without the need for direct supervision. Is this statement true or false? Choose the most fitting answer.
A. True
B. False
C. Partially true, depending on the security measures in place.
D. True, but only during specific timeframes stipulated in the access logs.
ANSWER: B

49. What is the primary purpose of the Grandfather-Father-Son backup method?
A. Immediate data recovery
B. Safeguarding historical data
C. Real-time data updates
D. Minimizing backup storage space
ANSWER: B

50. Why is it important to store Grandfather-Father-Son backup files both on- and off-site?
A. To reduce backup costs
B. To facilitate real-time data updates
C. To ensure redundancy and data recovery
D. To improve processing speed
ANSWER: C

51. Which statement is incorrect among the following principles related to backup and recovery?
A. Perform Regular Backups
B. Test Backup Process Reliability
C. Identify and Rank Critical Application
D. Perform Test Restores
ANSWER: C

52. Which statement is correct among the following principles related to the recovery principle?
A. Perform Test Restores
B. Perform Regular Backups
C. Test Backup Process Reliability
D. Provide for Regular and Effective Testing of the Plan
ANSWER: D

53. What does the term "backup window" refer to in the context of backup and recovery?
A. The time frame for data generation
B. The designated time for completing backups
C. The interval between backup generations
D. The duration of data storage in backup files
ANSWER: B

54. Which backup approach involves consolidating data from the last full backup and all incremental backups to create a Synthetic Full Backup?
A. Incremental Forever
B. Grandfather-Father-Son
C. Daily Snapshot
D. Full Data Restoration
ANSWER: A

55. What is the primary function of a "hot site" in contingency processing?
A. Data consolidation
B. Redundant facility for minimal downtime
C. Hardware preparation for backups
D. Daily data snapshot creation
ANSWER: B

56. In contingency processing, what is the main purpose of a "cold site" or "shell site"?
A. Real-time data updates
B. Minimal to no downtime
C. Hardware preparation as needed
D. Redundant facility for immediate recovery
ANSWER: C

57. What is the common characteristic of backup centers referred to as "hot sites"?
A. Equipped with hardware
B. Prepared for hardware as needed
C. Resilient to physical disasters
D. Internal options only
ANSWER: A

58. Why is it imperative to perform regular and effective testing of a backup and recovery plan?
A. To reduce the need for backup storage
B. To identify and rank critical applications
C. To ensure the plan’s reliability in a crisis
D. To minimize the backup window duration
ANSWER: C

59. What is the purpose of the Incremental Forever backup method?
A. Minimizing backup costs
B. Reducing the need for Synthetic Full Backups
C. Creating periodic Synthetic Full Backups
D. Real-time data updates for all files
ANSWER: C

60. In the context of contingency processing, what events should a comprehensive plan be ready for?
A. Only natural disasters
B. Only hardware failures
C. Natural disasters, man-made disasters, and hardware failures
D. Only man-made disasters
ANSWER: C

General Controls (3rd yr block)

1. Which of the following Data has an Odd Parity Bit value?
Data no. 1: 1001010
Data no. 2: 1001011
Data no. 3: 1011011
Data no. 4: 0100100
A. Data no. 1 only
B. Data no. 1 and 4 only
C. Data no. 1 and 3 only
D. Data no. 2 only
Answer: C

2. Which of the following statements is/are incorrect?
Statement 1: A parity check does not help find which bit of code is false.
Statement 2: Parity checks are simple to implement and do not require significant computational resources.
Statement 3: Parity check cannot be enhanced with advanced error detection methods such as cyclic redundancy check or forward error correction.
A. Statement 1 only
B. Statements 1 and 3
C. Statements 1 and 2
D. Statement 3 only
Answer: D

3. Which of the following statements pertains to Proper Segregation of Functions?
A. Include in role and responsibility descriptions adherence to management policies and procedures, the code of ethics, and professional practices.
B. Ensure that accountability is defined through roles and responsibilities.
C. Structure roles and responsibilities to reduce the possibility for a single role to compromise a critical process.
D. All of the above
Answer: D

4. Which of the following statements is/are incorrect?
Statement 1: Fraud is more difficult to commit when there is proper segregation of functions because it would require collusion of two or more persons.
Statement 2: By handling different aspects of the transaction, innocent errors are less likely to be found and flagged for correction.
Statement 3: Custody of assets, Recording transactions, and Authorization to execute transactions, and Periodic reviews and reconciliation of existing assets to recorded amounts are not Incompatible Functions.
A. Statement 2 only
B. Statement 1 and 2 only
C. Statement 2 and 3 only
D. Statement 1 only
Answer: C

5. Which of the following is/are not Advantages of Parity Check?
I. Parity checks are cheap as they only require adding a small bit to each data unit.
II. Two-dimensional parity checks can only find code errors causing the parity number to change.
III. Parity checks help ensure the accuracy of the communication as every transmission is checked.
A. I and III
B. II only
C. III only
D. II and III
Answer: B

6. Which of the following Data has an Even Parity Bit value?
Data no. 1: 1001011
Data no. 2: 1011001
Data no. 3: 0010010
Data no. 4: 0110100
A. Data no. 3 only
B. Data no. 1 and 2 only
C. Data no. 1, 2, and 3 only
D. Data no. 4 only
Answer: C

7. In this parity bit type, the total count of 1’s in the data, including the extra bit, should be even in number.
A. Odd Parity Bit
B. Data Bit
C. Redundant Bits
D. Even Parity Bit
Answer: D

8. Which of the following functions should be properly segregated to prevent individuals from performing Incompatible Functions?
A. Authorization to execute transactions
B. Recording Transactions
C. Periodic reviews and reconciliation of existing assets to recorded amounts
D. All of the above
Answer: D

9. They are the extra binary bits that are added explicitly to the original data to prevent damage to the transmitted data.
A. Parity Bit
B. Odd Parity Bit
C. Even Parity Bit
D. Redundant Bit
Answer: D

10. Is an error-correction process in network communication that ensures data transmissions between communication nodes are accurate.
A. Echo Check
B. Contingency Processing
C. Parity Check
D. Periodic Maintenance
Answer: C

11. Is an internal control designed to prevent error and fraud by ensuring that at least two individuals are responsible for the separate parts of any task.
A. Segregation Controls
B. Application Controls
C. Manual Controls
D. Maintenance Controls
Answer: A

12. In this parity bit type, the total count of 1’s in the data, including the extra bit, should be odd in number.
A. Even Parity Bit
B. Redundant Bits
C. Odd Parity Bit
D. Data Bits
Answer: C

13. Considering the capabilities of diagnostic routines as described, which of the following statements best captures their significance?
A. Diagnostic routines primarily focus on enhancing system performance.
B. Running diagnostic tests is unnecessary for preventing system failures.
C. The primary role of diagnostic routines is to facilitate timely repairs and adjustments.
D. Diagnostic routines play a crucial role in ensuring the reliability and longevity of computer systems by identifying and troubleshooting issues.
Answer: D

14. Which of the following statements is/are incorrect?
Statement 1. Diagnostic routines are typically activated before the computer shuts down.
Statement 2. Power-On Self-Test (POST) is an operation initiated by a computer after it has been both turned on and the OS booted.
A. Statement 1 is correct
B. Statement 2 is correct
C. Both statements are correct
D. None of the statements are correct
Answer: D

15. Which of the following statements is/are incorrect?
Statement 1. In echo checks, the receiving computer compares the two sets of data to see if any errors happened during the transfer.
Statement 2. In echo checks, the data is sent again to the sending computer.
A. Statement 1 is correct
B. Statement 2 is correct
C. Both statements are correct
D. None of the statements are correct
Answer: D

16. It is a form of error detection that involves comparing data sent and received by two computers.
A. Parity check
B. Echo check
C. Diagnostic routines
D. Boundary protection
Answer: B

17. During the system startup, this is performed by computers to identify and troubleshoot issues within the system.
A. Parity check
B. Echo check
C. Diagnostic routines
D. Boundary protection
Answer: C

18. If errors are found during echo check, what will the sending computer do?
A. Check which hardware made the error.
B. Resend the data to the receiving computer.
C. Track which part of the system made the error.
D. The receiving computer sends a confirmation message to the sending computer.
Answer: B

19. What is POST?
A. Power-Off Self-Test
B. Power-On Self-Tracking
C. Power-Off Self-Tracking
D. Power-On Self-Test
Answer: D

20. Which of the following statements is/are incorrect?
Statement 1. In echo checks, if the data compared are different it's impossible to determine whether the error happened during the initial sending or the return transmission.
Statement 2. Echo checks promote efficiency of data transmission when performed.
A. Statement 1 is correct
B. Statement 2 is correct
C. Both statements are correct
D. None of the statements are correct
Answer: A

21. In the context of echo checks, if the compared data reveal differences, what does this indicate about the likelihood of the error occurring during the initial sending or the return transmission?
A. The error is more likely to have occurred during the initial sending.
B. The error is more likely to have occurred during the return transmission.
C. It is impossible to determine the source of the error.
D. Echo checks do not involve the comparison of data.
Answer: C

22. While conducting an echo check, what aspect is primarily being evaluated?
A. Signal transmission speed
B. Integrity of the communication link
C. Power consumption during transmission
D. Encryption level of transmitted data
Answer: B

23. In diagnostic routines, what risk is associated with false positives?
A. Efficient problem resolution
B. Unnecessary troubleshooting efforts
C. Accurate problem detection
D. Reduced resource utilization
Answer: B

24. What consequence might arise due to false negatives in diagnostic routines?
A. Accelerated system performance
B. Undiagnosed issues leading to failures
C. Reduced troubleshooting time
D. Enhanced resource utilization
Answer: B

25. To ensure that simultaneous jobs cannot destroy or change the allocated memory of another job, the system contains _______________.
A. Echo Check
B. Boundary Protection Controls
C. Periodic Maintenance
D. Physical Access
Answer: B

26. How is the primary goal of preventing and detecting malicious and unauthorized communications at the external boundary of an information system typically achieved through boundary protection devices?
A. Data Encryption
B. Network Isolation
C. Monitoring and Control of Communications
D. Physical Access Control
Answer: C

27. What is the primary purpose of boundary protection in an information system?
A. Ensuring optimal CPU performance
B. Monitoring and controlling external communications to prevent malicious activities
C. Preventing memory allocation conflicts
D. Enhancing network segmentation
Answer: B

28. What does a gateway facilitate in a network?
A. Communication between dissimilar networking systems
B. Memory allocation control
C. Control the flow of data between two or more network segments.
D. Prevention of malicious communications
Answer: A

29. What is the main function of a router in a network?
A. Controlling data flow between two or more network segments
B. Communication between dissimilar networking systems
C. Enhancing CPU performance
D. Monitoring and controlling firewall settings
Answer: A

30. How does a firewall contribute to network security?
A. Enhancing CPU processing speed
B. Allocating memory resources
C. Controlling the flow of network traffic to prevent unauthorized communications
D. Facilitating communication between dissimilar networking systems
Answer: C

31. What is periodic maintenance?
A. Random system check-ups
B. Time-based maintenance
C. Emergency system repairs
D. Unscheduled equipment servicing
Answer: B

32. Why is periodic maintenance important for a system?
A. To increase the number of equipment repairs
B. To decrease the lifetime of assets
C. To prevent unexpected hardware failures
D. To accelerate the need for equipment replacements
Answer: C

33. What is hardware maintenance focused on?
A. Configuring operating systems
B. Cleaning the system
C. Updating software licenses
D. Documenting technical characteristics
Answer: B

34. What is software maintenance responsible for?
A. Configuration and update of the operating system.
B. Database maintenance.
C. Protection, detection, and cleaning of malware.
D. All of the above.
Answer: D

35. Which of the following is an incorrect statement regarding periodic maintenance?
A. It involves time-based maintenance
B. The system should be examined periodically by a qualified technician
C. It accelerates the need for equipment replacements
D. It helps prevent unexpected hardware failures
Answer: C

36. What is time-based maintenance?
Statement 1. A form of planned upkeep that ensures timely and coordinated servicing of equipment or objects so that they always perform to their best.
Statement 2. The system should be examined quarterly by a qualified technician.
A. Only Statement 1 is correct
B. Only Statement 2 is correct
C. Both statements are correct
D. None of the statements are correct
Answer: A

37. The following are physical access controls, except:
A. Limited Physical Access
B. Call back
C. Visitors Entry Logs
D. None of the above
Answer: A

38. Hardware or software supplied by the manufacturer to check the internal operations and devices within the computer system.
A. Parity Check
B. Diagnostic Routines
C. Periodic Maintenance
D. Echo Check
Answer: B

39. In hardware and software controls, the auditor’s test of control should:
A. Normally include identification, observation and inquiry.
B. Determine that the system development procedures that exist are properly functioning and are adequately documented.
C. Test whether the controls are functioning as intended.
D. Ensure that all security violations are followed up on to ensure they are errors
Answer: C

40. Which of the following is correct?
A. Computer systems are not dependent on accuracy and validity of data held on file.
B. The reliability of EDP hardware has increased dramatically over the years not only due to the advancements in technology but also due to the controls built into the mechanism to detect and encourage equipment failures.
C. Access to data files and programs should be limited to those individuals authorized to process data.
D. Systems software should be subjected to different control procedures as those applied to installation of and changes to application programs.
Answer: C

41. In limited physical access:
A. All are correct.
B. The physical facility that houses EDP equipment, files, and documentation should have controls to limit access only to the authorized individuals.
C. Any individual entering a secure area must be pre-approved by management
D. Any individual entering a secure area must be wearing an ID badge or authorized by an appropriate individual, recorded in a visitor’s log, and escorted while in the secure area.
Answer: B

42. What is an example of hardware and software controls?
A. Contingency processing
B. Operations run manual
C. Backup and recovery
D. Periodic maintenance
Answer: D

43. This is primarily used in telecommunications transmissions.
A. Echo check
B. Parity check
C. Diagnostic routines
D. Boundary protection
Answer: A

44. In visitor entry logs:
A. Any individual entering a secure area must be pre-approved by management and wearing an ID badge.
B. Any individual entering a secure area must be authorized by an appropriate individual, recorded in a visitor’s log, and escorted while in the secure area.
C. Both a and b.
D. None of the above.
Answer: C

45. What controls affect the access to the EDP environment?
A. Physical Control
B. Processing Control
C. Electronic Access Control
D. Both a and c
Answer: D

46. The reliability of EDP hardware has increased dramatically over the years not only due to the advancements in technology but also due to the controls built into the mechanism to detect and prevent equipment failures. Thus:
A. The auditor should be aware of control features inherent in the computer hardware, operating system, and other supporting software and ensure that they are utilized to the maximum possible extent.
B. Systems software should be subjected to different control procedures as those applied to installation of and changes to application programs.
C. Both a and b.
D. None of the above.
Answer: A

47. Most CPUs have multiple jobs running simultaneously. To ensure that these simultaneous jobs cannot destroy or change the allocated memory of another job, the system contains this.
A. Diagnostic routines
B. Periodic maintenance
C. Boundary protection
D. Parity Check
Answer: C

48. An example of hardware and software controls wherein a special bit is added to each character stored in memory that can detect if the hardware loses a bit during the internal movement of a character.
A. Validity check
B. Field check
C. Parity check
D. Logic check
Answer: C

49. Which of the following statements is/are correct?
Statement 1: The father, grandfather, and great-grandfather are backup files that should be stored both on- and off-premises.
Statement 2: The Grandfather-Father-Son backup strategy combines full and partial copying to various media to shorten backup times and improve storage security.
A. Statement 1 is correct
B. Statement 2 is correct
C. Both statements are correct
D. None of the statements are correct
Answer: C

50. It is the most popular and extensively used backup rotation mechanism for storage media.
A. Incremental Forever Method
B. Backup Rotation Strategy
C. Contingency Processing
D. The Grandfather-Father-Son Method
Answer: D

51. This is one of the backup principles that asserts that data should be backed up on a daily basis.
A. Test Backup Process Reliability
B. Perform Regular Backups
C. Perform Test Restores
D. Use Secure Storage
Answer: B

52. Which of the following statements is/are correct?
Statement 1: In the Grandfather-Father-Son environment, detail files are updated with each run. The detail file being updated is the grandfather. The new file is the son. The file from which the son was developed is the father.
Statement 2: The Grandfather-Father-Son backup strategy combines full and partial copying to various media to shorten backup times and improve storage security.
A. Only Statement 1 is correct
B. Only Statement 2 is correct
C. Both statements are correct
D. Statement 2 is incorrect
Answer: B

53. The _________ is a full data backup that is kept for 1 full calendar year.
A. Grandfather
B. Son
C. Father
D. Great-grandfather
Answer: A

54. This is created by combining the data from the last full, or synthetic full and all of the incremental backups since the last full or synthetic full, to build the equivalent of a full backup.
A. Incremental Backup
B. Full Backup
C. Partial Backup
D. Synthetic Full Backup
Answer: D

55. The _________ is a full data backup that is kept for 1 full month.
A. Grandfather
B. Son
C. Father
D. Great-grandfather
Answer: C

56. Which of the following statements is/are false?
Statement 1: The father, grandfather, and great-grandfather are backup files that should be stored on premises, only.
Statement 2: If the son were destroyed, it could be reconstructed by rerunning the father file and the related transaction file.
A. Only Statement 1 is false
B. Only Statement 2 is false
C. Both statements are false
D. None of the statements are false
Answer: A

57. Backup centers already equipped with hardware are called _______
A. Warm site
B. Cold site
C. Shell site
D. Hot site
Answer: D

58. Another term for shell site is ____
A. Cold site
B. Hot site
C. Warm site
D. None of the above
Answer: A

59. A center not equipped with hardware but ready for hardware to be brought in is called a ___.
A. Hot site
B. Backup site
C. Warm site
D. Cold site
Answer: D

60. Which of the following statements is/are correct?
Statement 1: A detailed contingency plan should detail the responsibilities of individuals, as well as the alternate processing sites that should be utilized.
Statement 2: A backup window is a time frame in which the backup needs to complete so it can interfere with normal work hours.
A. Only Statement 1 is correct
B. Only Statement 2 is correct
C. Both statements are correct
D. None of the statements are correct
Answer: A
