CA(PL) IT Governance Sample Question Answer

The Institute of Chartered Accountants of Bangladesh (ICAB)

IT GOVERNANCE - Professional Level

Sample Question Answer

1. D. All of the above

Explanation: IS audit has evolved in focus, relationship with financial audits, and the
technologies employed.

2. C. Inherent risk

Explanation: Inherent risk is typically high in projects affecting multiple users and
business areas.

3. B. Sufficient, relevant, and useful

Explanation: These are key characteristics of evidence that enable auditors to achieve
their objectives effectively.

4. D. All the above

Explanation: ISO uses a high-level structure, identical core text, and common terms.

5. D. Audit Objectives

Explanation: Auditing standards guide auditors in meeting objectives.

6. A. Information Security Management

Explanation: ISO 27001:2013 is a standard for information security management
systems (ISMS).

7. B. Adequately safeguard assets

Explanation: The IS audit evaluates if resources safeguard organizational assets.

8. C. The approved audit charter

Explanation: The audit charter authorizes IS audit activities.

9. D. IT service management

Explanation: ITIL and ISO 20000 focus on IT service management.

10. A. COBIT

Explanation: COBIT ensures IT objectives align with business objectives.

11. A. To show compliance with legislation and regulations

Explanation: ISO 27001 demonstrates compliance with security standards.

12. D. Technology

Explanation: COBIT stands for Control Objectives for Information and Related
Technology.

13. D. Val IT

Explanation: Val IT focuses on governance areas such as portfolio and investment
management.

14. A. Plan

Explanation: The PDCA (Plan-Do-Check-Act) cycle begins with planning.

15. A. Publish a report based on available information, highlighting potential security
weaknesses

Explanation: The auditor should report risks and recommend follow-up.

16. C. Legal and regulatory requirements regarding data privacy

Explanation: Legal and regulatory compliance is critical for sensitive health data.

17. C. Document the finding and explain the risk of using shared IDs

Explanation: Sharing IDs creates accountability risks.

18. C. Public

Explanation: Auditors must serve the public interest.

19. C. All of the above

Explanation: Laws and regulations affect both audit requirements and systems.

20. D. All of the above

Explanation: Software audits verify compliance, QA, and adherence to standards.

21. B. False

Explanation: Regulation increases the necessity for sampling techniques in auditing,
but it doesn’t hinder it significantly.

22. A. Requirements, Specifications, Guidelines

Explanation: Standards ensure materials, products, processes, and services meet
specific purposes.

23. B. V Model

Explanation: Regression testing is a significant part of the V Model to verify and validate
each development stage.

24. B. Creating contract terms

Explanation: The three main SDLC goals are quality, budget, and time.

25. D. Stress testing completed for the overall system and related interfaces

Explanation: Stress testing focuses on system performance and reliability under high
load.

26. B. RTO

Explanation: RTO (Recovery Time Objective) defines the maximum allowable
downtime.

27. A. RPO

Explanation: RPO (Recovery Point Objective) specifies acceptable data loss in disaster
scenarios.

28. B. Database shadowing

Explanation: For a low RPO, techniques like database shadowing ensure minimal data
loss.

29. D. QA Team

Explanation: The QA (Quality Assurance) team ensures software validation.

30. C. A location fully equipped to resume operations

Explanation: A hot site is a fully operational backup location.

31. B. The ability to continue delivering agreed products and services during disruption

Explanation: Business continuity ensures uninterrupted critical operations.

32. B. Is to identify the business processes of strategic importance

Explanation: Prioritizing key business processes is essential for business continuity
planning.

33. B. A qualitative risk analysis

Explanation: Qualitative analysis is commonly used in Business Impact Analysis (BIA).

34. B. Risk Assessment, Business Impact Analysis, Strategy & Plan Development, Test
Train & Maintain

Explanation: This sequence represents the Business Continuity Planning lifecycle.

35. B. Business intelligence tool

Explanation: Digital dashboards provide insights using business intelligence tools.

36. C. Major

Explanation: Significant incidents with material business impact are classified as
major.

37. A. Understanding and evaluating business continuity strategy and its connection to
business objectives

Explanation: Evaluating BCP strategy ensures alignment with business objectives.

38. C. Desk-based evaluation

Explanation: A desk-based evaluation involves a simulated walkthrough of the BCP.

39. D. All of the above

Explanation: Agile development emphasizes simplicity, customer feedback, and
test-driven development.

40. D. Consider all the applications that run only on client computers, not servers

Explanation: Business applications are broader and include server-based systems.

41. C. Minimizes, by re-use, the number of media used

Explanation: Backup rotation schemes focus on efficient use of media while
maintaining data backups.

42. D. All of the above

Explanation: E-commerce involves service, communication, and business process
perspectives, beyond just buying and selling.

43. D. User requirements and objectives were not met

Explanation: Failure to meet user requirements is the most significant risk during SDLC.

44. C. All of the above

Explanation: E-commerce software handles product configuration, data analysis, and
other functionalities.

45. B. Enterprises can sell to a global market

Explanation: The biggest benefit of B2C e-commerce is its global reach.

46. C. Target dates for development projects

Explanation: Strategic plans include timelines for IT development projects.

47. A. IT strategy and objectives

Explanation: IT governance knowledge helps IS auditors understand enterprise
objectives and risks.

48. B. Identify business issues and objectives

Explanation: The primary purpose of the IT steering committee is to align IT initiatives
with business goals.

49. B. Authorization

Explanation: Authorization should be separated if segregation of duties is not
achievable.

50. D. Baseline of the current progress or regression

Explanation: CMM (Capability Maturity Model) provides a baseline to measure process
improvements.

51. B. Segregation of duties

Explanation: Segregating DBA duties is critical to prevent misuse of database
privileges.

52. C. Board of directors and executive management

Explanation: Governance of Enterprise IT (GEIT) involves both the board and executive
management.

53. C. Absence of a formal charter indicates a lack of controls

Explanation: A formal charter ensures proper governance and focus for the steering
committee.

54. C. Defined, Managed, Optimized

Explanation: These represent higher levels of CMM maturity.

55. A. Evaluate the activities of IT oversight committees

Explanation: IT governance performance measures assess oversight activities.

56. B. All login accounts of the employee are terminated

Explanation: Ensuring account termination prevents unauthorized access
post-employment.

57. C. The employee must be allowed to copy any personal files from their computer

Explanation: Allowing employees to copy files may lead to security risks.

58. B. Ensures that the IT strategy supports the business strategy

Explanation: The balanced scorecard ensures alignment between IT and business
strategies.

59. B. Eliminate disputes over who has the authority

Explanation: Job descriptions and change control boards clarify responsibilities and
reduce conflicts.

60. B. Legal requirements

Explanation: While auditing cloud environments, compliance with legal requirements
is crucial.

61. A. Define the relationship as work for hire

Explanation: Employee contracts clarify the relationship and protect the organization’s
intellectual property.

62. C. Value chain

Explanation: Outsourcing reconfigures the value chain by focusing on core activities
and outsourcing non-core ones.

63. D. Fundamental change in the way we do business

Explanation: Strategy involves adapting to fundamental changes to meet business
objectives.

64. C. Hacker or Cracker

Explanation: Intruders exploit system vulnerabilities to gain unauthorized access.

65. A. True

Explanation: NIST identifies programming errors, not missing security features, as the
primary source of vulnerabilities.

66. A. Wrong

Explanation: Every device is a potential target for hackers, regardless of its popularity.

67. C. The sponsor may not implement the proper controls

Explanation: In "sponsor pays" funding, inadequate controls may compromise
governance.

68. A. True

Explanation: Outsourcing governance ensures service continuity and sustains mutual
profitability.

69. B. Top management provides full support

Explanation: Lack of top management support can lead to balanced scorecard (BSC)
failures.

70. D. Wanting to copy a competitor without doing the hard research

Explanation: Copying competitors without strategic alignment is not a valid reason to
reverse outsourcing decisions.

71. A. Level 3 provides quantitative measurement of the process output

Explanation: Quantitative measurements are introduced at Level 4, not Level 3, in the
Capability Maturity Model.

72. D. Defines what business we are in for the next three years

Explanation: Strategy defines the long-term direction of a business.

73. A. It forces separation of duties to ensure that at least two people agree with the
decision

Explanation: Change control enforces governance by requiring approvals and
preventing unauthorized actions.

74. C. A dashboard

Explanation: Dashboards provide real-time visibility to monitor compliance and
processes.

75. D. Acceptable Use Policy

Explanation: This policy governs acceptable behavior and use of IT and information
resources.

76. D. Security baseline

Explanation: Establishing a security baseline is the first step in IT security.

77. B. Rainbow tables

Explanation: Rainbow table attacks involve precomputed tables to crack hashed
passwords.

78. C. Private Key Cryptosystems

Explanation: Key exchange is a significant challenge in private key cryptosystems.

79. D. Cyber-ethics

Explanation: Cyber-ethics explores ethical behavior in digital and online platforms.

80. B. Information Security Steering Committee

Explanation: This committee focuses on security issues, practices, and approvals.

81. C. Consider the overall control structure of the security solution desired by the
management

Explanation: Security planning should align with management’s desired control
structure.

82. C. Effective cost alternatives

Explanation: External service providers often offer cost-effective alternatives for
achieving growth targets.

83. C. To authenticate a message and to guarantee its integrity

Explanation: Digital signatures ensure authenticity and integrity of messages.

84. C. Restricted

Explanation: Unsanctioned third-party remote access indicates a restricted
classification for the information asset.

85. D. Token automatically generated in hardware every 30 seconds

Explanation: Token synchronization is a key feature of two-factor authentication (2FA).

86. B. Vendor to have certified compliance with recognized security standards, e.g., ISO
27001

Explanation: Ensuring compliance with standards like ISO 27001 minimizes risks in
vendor engagements.

87. D. All of the above

Explanation: Network security requires malware protection, strong passwords, and
monitoring.

88. D. Can be detected and displayed

Explanation: Electromagnetic emissions can leak data, making it a security concern.

89. B. Represents a single point of failure

Explanation: Single sign-on (SSO) introduces risks by centralizing access.

90. D. Data transmission

Explanation: Encryption is primarily used to protect data during transmission.

91. A. Social engineering

Explanation: Social engineering manipulates individuals to obtain sensitive
information like passwords.

92. C. Technically qualified

Explanation: Network control functions should be handled by technically qualified
personnel.

93. D. All of the above

Explanation: Organizations must assess outsourcing objectives, economic viability,
and risks.

94. D. Data are encrypted before transmission

Explanation: Encryption ensures confidentiality of data transmitted over a network.

95. C. SLA

Explanation: Service Level Agreements (SLAs) are critical for managing relationships
with outsourced service providers.

96. A. Screening

Explanation: Screening ensures third-party contractors are qualified and understand
their responsibilities.

97. A. Obtain copies of all software contracts to determine the nature of license
agreements

Explanation: Reviewing contracts helps determine compliance with licensing terms.

98. C. Shareware software

Explanation: Shareware is initially free but requires payment after a trial period for full
functionality.

99. B. Mandatory Access Controls

Explanation: These controls validate credentials without allowing user modifications.

100. D. All of the above

Explanation: Effective access control systems ensure identification, authentication,
authorization, and reporting.

101. B. Spyware

Explanation: Spyware collects personal data without consent and sends it to third
parties.

102. D. Three users with the ability to capture and verify the messages of other users
and to send their own messages

Explanation: This setup violates segregation of duties, increasing the risk of
unauthorized activities.

103. C. Identification, authentication, authorization, access, auditing, and
accountability

Explanation: Logical access controls encompass these critical functions for secure
system management.

104. A. Eliminate single points of failure

Explanation: High availability depends on designing systems to avoid single points of
failure.

105. A. Tier 1: Public Information, Tier 2: Internal Information, Tier 3: Restricted
Information

Explanation: This classification ensures appropriate security measures based on
sensitivity levels.

106. B. Documented and implemented

Explanation: Remote access controls must be documented and implemented to
safeguard organizational resources.

107. D. All of the above

Explanation: BYOD policies must align with strategy, assess risks, and govern device
usage.

108. A. All users are connected through a secure remote VPN service, e.g., PPTP
VPN, SSL VPN, etc.

Explanation: Secure VPN services are essential for protecting remote access to
systems.

109. B. Access control lists

Explanation: Access control lists specify permissions for using specific system
resources.

110. C. Not appropriate as per good practice

Explanation: A web application firewall is a critical security measure for protecting
infrastructure.

111. C. Physical and logical exposures at the same level

Explanation: Backup media require protection from both physical and logical threats.

112. C. All of the above

Explanation: Validating inputs, using stored procedures, and avoiding error messages
with critical information prevent cross-site scripting vulnerabilities.

113. C. Over acquisition of revenues or assets

Explanation: Fraud categories typically include misreporting or misappropriation, not
over-acquisition.

114. B. Identify risks

Explanation: Identifying risks is the first step when Internal Audit meets client
management.

115. B. Incident containment and damage assessment

Explanation: Containing incidents and assessing damage is the first phase of incident
response.

116. D. Review the system software controls as relevant and recommend a detailed
system software review

Explanation: The auditor should address weaknesses impacting applications and
recommend further review if necessary.

117. A. True

Explanation: Forensic analysis includes examining logical structures and unused file
space to uncover evidence.

118. C. Understanding the business process and environment applicable to the review

Explanation: Understanding the business process ensures the audit aligns with
organizational operations.

119. A. Understand the business process

Explanation: A functional walkthrough helps auditors understand the process being
reviewed.

120. A. System log analysis

Explanation: Analyzing system logs reveals unauthorized modifications to production
programs.

121. B. Expand the scope to include substantive testing

Explanation: When discrepancies arise, the scope should be expanded to validate
controls further.

122. C. 100%

Explanation: Generalized Audit Software (GAS) enables complete data analysis, not
sampling.

123. A. Develop an alternate testing procedure

Explanation: Auditors should create alternative procedures when the sample size is too
small.

124. B. Detection

Explanation: IS auditors' activities primarily affect detection risk by identifying control
weaknesses.

125. C. Network architecture and design

Explanation: Understanding the network architecture is crucial to assess security and
functionality.

126. A. Nature of the business and the value of the application to the business

Explanation: Criticality classification depends on the application's business impact.

127. C. Minimization of redundancy of information in tables required to satisfy users’
needs

Explanation: Database normalization reduces data redundancy, improving efficiency
and integrity.

128. C. Trace from the change management documentation to a system-generated audit
trail

Explanation: This method ensures changes documented align with system audit trails.

129. D. Hot site

Explanation: Hot sites provide immediate recovery capabilities for mission-critical
systems.

130. C. Available resources are used efficiently and effectively

Explanation: Capacity planning ensures optimal utilization of resources.

131. B. Audit Planning

Explanation: Understanding changes in the auditee’s business environment is part of
planning.

132. A. SCARF/EAM

Explanation: SCARF (Systems Control Audit Review File) and EAM (Embedded Audit
Module) are essential tools for audit trails.

133. D. System software security

Explanation: Hardware reviews typically do not cover system software security, which
is a separate domain.

134. A. Exception reporting

Explanation: Exception reports highlight deviations that may indicate control issues.

135. A. Application programmers are implementing changes to production programs

Explanation: Programmers making direct changes pose a high risk of fraud.

136. C. The requirements gathering process

Explanation: Reviewing control specifications during requirements gathering ensures
controls align with needs.

137. D. Product is compatible with the current or planned OS

Explanation: Compatibility with the OS ensures smooth implementation and operation.

138. A. Firewalls

Explanation: Firewalls prevent unauthorized traffic between network segments.

139. B. Default passwords are not changed when installing network devices

Explanation: Default passwords pose a significant security risk.

140. D. Testing of user access rights

Explanation: Testing ensures segregation of duties by verifying access restrictions.

141. B. Standard report with configuration values retrieved from the system by the IS
auditor

Explanation: Standard reports generated by the system provide reliable evidence of
current configurations.

142. C. Identify and evaluate the existing controls

Explanation: After identifying threats, auditors assess controls to mitigate those
threats.

143. B. Creating test data that covers all possible valid and invalid conditions

Explanation: Ensuring test data comprehensively covers scenarios is a key challenge.

144. C. Identify and evaluate existing practices

Explanation: Auditors should assess and document existing practices before
recommending changes.

145. B. Generalized audit software

Explanation: GAS efficiently identifies payroll overpayments by analyzing large
datasets.

146. A. Matching control totals of the imported data to control totals of the original data

Explanation: Ensuring data completeness requires verifying control totals.

147. B. The preservation of the chain of custody for electronic evidence

Explanation: Forensic software maintains evidence integrity, which is critical for
investigations.

148. C. Ensure that the malicious code is removed

Explanation: Removing the malicious code is the first step in addressing the Trojan
horse issue.

149. C. There are a number of external modems connected to the network

Explanation: External modems bypass standard security measures, posing a significant
risk.

150. B. Control Risk

Explanation: Control risk is the likelihood that errors won't be detected or corrected by
controls.
