Preliminary Test

Uploaded by

Szakeyy

Multiple Choice

1. Which of these choices is the best answer regarding who is primarily responsible for
providing internal controls to detect, correct, and prevent irregularities or illegal acts?
a. Board of directors
b. Information technology
c. Legal, aka general counsel
d. Human resources

2. IT governance is most concerned with
a. Security policy
b. IT infrastructure
c. IT strategy
d. IT executive compensation

3. The FIRST step in planning an audit is to:
a. define audit deliverables.
b. finalize the audit scope and audit objectives.
c. gain an understanding of the business’ objectives.
d. develop the audit approach or audit strategy.

4. Which of the following best describes the early stages of an IS audit?
a. Documenting the IS environment
b. Testing for compliance to applicable regulations as agreed
c. Reviewing prior IS audit reports
d. Identify objectives, resources, and audit approach

5. An IS auditor needs to perform an audit of a financial system and needs to trace individual
transactions through the system. What type of testing should the auditor perform?
a. Discovery testing
b. Statistical testing
c. Compliance testing
d. Substantive testing

6. The primary purpose of a change management process is to
a. Record changes made to systems and infrastructure.
b. Review and approve proposed changes to systems and infrastructure.
c. Review and approve changes to a project schedule.
d. Review and approve changes to application source code.

7. An IS auditor evaluating logical access controls should FIRST:
a. document the controls applied to the potential access paths to the system.
b. test controls over the access paths to determine if they are functional.
c. evaluate the security environment in relation to written policies and practices.
d. obtain an understanding of the security risks to information processing.

8. Which of the following functions should be separated from the others if segregation of duties
cannot be achieved in an automated system?
a. Origination
b. Authorization
c. Reprocessing
d. Transaction logging

9. An organization currently stores its backup media in a cabinet next to the computers being
backed up. An IS auditor told the organization to store backup media at an off-site storage
facility. What risk did the auditor most likely have in mind when he made this
recommendation?
a. A disaster that damages computer systems can also damage backup media.
b. Backup media rotation may result in loss of data backed up several weeks in the past.
c. Corruption of online data will require rapid data recovery from off-site storage.
d. Physical controls at the data processing site are insufficient.

10. An auditor has discovered several errors in user account management: many terminated
employees’ computer accounts are still active. What is the best course of action?
a. Improve the employee termination process.
b. Shift responsibility for employee terminations to another group.
c. Audit the process more frequently.
d. Improve the employee termination process and audit the process more frequently.

11. Why are preventive controls preferred over detective controls?
a. Preventive controls are easier to justify and implement than detective controls.
b. Preventive controls are less expensive to implement than detective controls.
c. Preventive controls stop unwanted events from occurring, while detective controls only
record them.
d. Detective controls stop unwanted events from occurring, while preventive controls only
record them.

12. When planning an IS audit, which of the following factors is least likely to be relevant to the
scope of the engagement?
a. The concerns of management for ensuring that controls are sufficient and working
properly
b. The amount of controls currently in place
c. The type of business, management, culture, and risk tolerance
d. The complexity of the technology used by the business in performing the business
functions

13. As a part of an audit of a business process, the auditor has had a discussion with the control
owner, as well as the control operators, and has collected procedure documents and
records. The auditor is asking internal customers of the business process to describe in their
own words how the business process is operated. What kind of evidence collection are
these discussions with internal customers?
a. Reconciliation
b. Reperformance
c. Walkthrough
d. Corroborative inquiry

14. A mail order organization wants to develop procedures to be followed in the event that the
main office building cannot be occupied, so that customer orders can still be fulfilled. What
kind of a plan does the organization need to develop?
a. Business impact analysis
b. Business continuity plan
c. Disaster recovery plan
d. Emergency evacuation plan

15. An organization is starting its first-ever effort to develop a business continuity and disaster
recovery plan. What is the best first step to perform in this effort?
a. Criticality analysis
b. Business impact analysis (BIA)
c. Setting recovery targets
d. Selecting a Disaster Recovery (DR) site

16. The best definition of database normalization is to
a. Increase system performance by creating duplicate copies of the most accessed data,
allowing faster caching.
b. Increase the amount (capacity) of valuable data.
c. Minimize duplication of data and reduce the size of data tables.
d. Minimize response time through faster processing of information.

17. In an online banking application, which of the following would BEST protect against identity
theft?
a. Encryption of personal password
b. Restricting the user to a specific terminal
c. Two-factor authentication
d. Periodic review of access logs

18. Audit evidence can take many forms. When determining the types required for an audit, the
auditor must consider
a. CAATs, flowcharts, and narratives
b. Interviews, observations, and reperformance testing
c. The best evidence available that is consistent with the importance of the audit objectives
d. Inspection, confirmation, and substantive testing

19. What type of risk results when an IS auditor uses an inadequate test procedure and
concludes that material errors do not exist when errors actually exist?
a. Business risk
b. Detection risk
c. Residual risk
d. Inherent risk

20. The concept of data integrity implies that
a. Access has not been given to those who do not have a need to know
b. Data can be accessed by processes when necessary to support the business function
c. Data has not been altered or modified outside of the expected and approved processing
steps
d. Data has not been made available to processes for which the data classification has not
been accredited

21. When reviewing a systems development project, what would the most important objective be
for an IS auditor?
a. Ensuring that the data security controls are adequate to protect the data.
b. Ensuring that the standards and regulatory commitments are met.
c. Ensuring that the business requirements are satisfied by the project.
d. Ensuring that the quality controls and development methodologies are adhered to.

22. IT control objectives are useful to IS auditors, as they provide the basis for understanding
the:
a. desired result or purpose of implementing specific control procedures.
b. best IT security control practices relevant to a specific entity.
c. techniques for securing information.
d. security policy.

23. When an employee is terminated from service, the MOST important action is to:
a. hand over all of the employee's files to another designated employee.
b. complete a backup of the employee's work.
c. notify other employees of the termination.
d. disable the employee's logical access.

24. What is the PRIMARY purpose of audit trails?
a. To document auditing efforts
b. To correct data integrity errors
c. To establish accountability and responsibility for processed transactions
d. To prevent unauthorized access to data

25. Which of the following is not an input authorization control?
a. Signatures on source documents
b. Sequence numbers
c. Management review
d. Separation of duties

26. An IS auditor reviews an organizational chart PRIMARILY for:
a. an understanding of workflows.
b. investigating various communication channels.
c. understanding the responsibilities and authority of individuals.
d. investigating the network connected to different employees.

27. Which audit technique provides the BEST evidence of the segregation of duties in an IS
department?
a. Discussion with management
b. Review of the organization chart
c. Observation and interviews
d. Testing of user access rights

28. How does the process of systems auditing benefit from using a risk based approach to audit
planning?
a. Controls testing starts earlier
b. Auditing resources are allocated to the areas of highest concern
c. Auditing risk is reduced
d. Controls testing is more thorough

29. Which kind of testing ensures that data is being formatted properly and inserted into the new
application from the old application?
a. Unit testing
b. Migration testing
c. Regression testing
d. Functional testing

30. Which of the following is the MOST important criterion when selecting a location for an
offsite storage facility for IS backup files? The offsite facility must be:
a. physically separated from the data center and not subject to the same risks.
b. given the same level of protection as that of the computer data center.
c. outsourced to a reliable third party.
d. equipped with surveillance capabilities