Auditing test

1. An audit charter should:

A. be dynamic and change often to coincide with the changing nature of technology and the audit profession.

B. clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls.

C. document the audit procedures designed to achieve the planned audit objectives.

D. outline the overall authority, scope and responsibilities of the audit function.

Answer:___________________________

2. Which of the following criteria for selecting the applications to be audited is LEAST likely to be used?

A. Materiality of audit risk

B. Sensitivity of transactions

C. Technological complexity

D. Regulatory agency involvement

Answer:___________________________

3. Which of the following is the MOST likely reason why e-mail systems have become a useful source of evidence for litigation?

A. Multiple cycles of backup files remain available

B. Access controls establish accountability for e-mail activity

C. Data classification regulates what information should be communicated via e-mail

D. Within the enterprise, a clear policy for using e-mail ensures that evidence is available

Answer:___________________________

4. While planning an audit, an assessment of risk should be made to provide:

A. Reasonable assurance that the audit will cover material items.

B. Definite assurance that material items will be covered during the audit work.

C. Reasonable assurance that all items will be covered by the audit.

D. Sufficient assurance that all items will be covered during the audit work.

Answer:___________________________

5. When evaluating the collective effect of preventive, detective or corrective controls within a process, an IS auditor should be aware of which of the following?

A. The point at which controls are exercised as data flow through the system

B. Only preventive and detective controls are relevant

C. Corrective controls can only be regarded as compensating

D. Classification allows an IS auditor to determine which controls are missing

Answer:___________________________

6. During an implementation review of a multiuser distributed application, an IS auditor finds minor weaknesses in three areas—the initial setting of parameters is improperly installed, weak passwords are being used and some vital reports are not being checked properly. While preparing the audit report, the IS auditor should:

A. Record the observations separately with the impact of each of them marked against each respective finding.

B. Advise the manager of probable risks without recording the observations since the control weaknesses are minor ones.

C. Record the observations and the risk arising from the collective weaknesses.

D. Apprise the departmental heads concerned with each observation and properly document it in the report.

Answer:___________________________

7. When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:

A. controls needed to mitigate risks are in place.

B. vulnerabilities and threats are identified.

C. audit risks are considered.

D. a gap analysis is appropriate.

Answer:___________________________

8. The success of control self-assessment (CSA) depends highly on:

A. Having line managers assume a portion of the responsibility for control monitoring.

B. Assigning staff managers the responsibility for building, but not monitoring, controls.

C. The implementation of a stringent control policy and rule-driven controls.

D. The implementation of supervision and the monitoring of controls of assigned duties.

Answer:___________________________

9. A long-term IS employee has asked to transfer to IS auditing. The individual has a strong technical background and broad managerial experience. According to ISACA’s General Standards for IS Auditing, consideration should be given to the candidate’s:

A. Length of service since this will help ensure technical competence

B. IS knowledge since this will bring enhanced credibility to the audit function

C. Existing IS relationships and ability to retain audit independence

D. Age as training in audit techniques may be practical

Answer:___________________________

10. Which of the following audit techniques would BEST aid an auditor in determining whether there have been unauthorized program changes since the last authorized program update?

A. Test data run

B. Code review

C. Automated code comparison

D. Review of code migration procedures

Answer:___________________________

11. The IT balanced scorecard (BSC) is a business governance tool intended to monitor IT performance evaluation indicators other than:

A. Financial results.

B. Customer satisfaction.

C. Internal process efficiency.

D. Innovation capacity.

Answer:___________________________

12. Which of the following is the initial step in creating a firewall policy?

A. A cost-benefit analysis of methods for securing the applications

B. Identification of network applications to be externally accessed

C. Identification of vulnerabilities associated with network applications to be externally accessed

D. Creation of an applications traffic matrix showing protection methods

Answer:___________________________

13. The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program?

A. Utilization of an intrusion detection system to report incidents

B. Mandating the use of passwords to access all software

C. Installing an efficient user log system to track the actions of each user

D. Training provided on a regular basis to all current and new employees

Answer:___________________________

14. IT control objectives are useful to IS auditors since they provide the basis for understanding the:

A. Desired result or purpose of implementing specific control procedures.

B. Best IT security control practices relevant to a specific entity.

C. Techniques for securing information.

D. Security policy.

Answer:___________________________

15. Which of the following is the MOST important function to be performed by IS management when a service has been outsourced?

A. Ensuring that invoices are paid to the provider

B. Participating in systems design with the provider

C. Renegotiating the provider’s fees

D. Monitoring the outsourcing provider’s performance

Answer:___________________________

16. Is it appropriate for an IS auditor from a company that is considering outsourcing its IS processing to request and review a copy of each vendor’s business continuity plan?

A. Yes, because an IS auditor will evaluate the adequacy of the service bureau’s plan and assist their company in implementing a complementary plan.

B. Yes, because based on the plan, an IS auditor will evaluate the financial stability of the service bureau and its ability to fulfill the contract.

C. No, because the backup to be provided should be specified adequately in the contract.

D. No, because the service bureau’s business continuity plan is proprietary information.

Answer:___________________________

17. An IS auditor was hired to review e-business security. The IS auditor’s first task was to examine each existing e-business application, looking for vulnerabilities. What would be the next task?

A. Immediately report the risks to the CIO and CEO

B. Examine e-business applications in development

C. Identify threats and likelihood of occurrence

D. Check the budget available for risk management

Answer:___________________________

18. In an organization, the responsibilities for IT security are clearly assigned and enforced, and an IT security risk and impact analysis is consistently performed. This represents which level of ranking in the information security governance maturity model?

A. Optimized

B. Managed

C. Defined

D. Repeatable

Answer:___________________________

19. Which of the following IT governance best practices improves strategic alignment?

A. Supplier and partner risks are managed.

B. A knowledge base on customers, products, markets and processes is in place.

C. A structure is provided that facilitates the creation and sharing of business information.

D. Top management mediates between the imperatives of business and technology.

Answer:___________________________

20. A top-down approach to the development of operational policies will help ensure:

A. That they are consistent across the organization.

B. That they are implemented as a part of risk assessment.

C. Compliance with all policies.

D. That they are reviewed periodically.

Answer:___________________________

21. Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?

A. Overlapping controls

B. Boundary controls

C. Access controls

D. Compensating controls

Answer:___________________________

22. Which of the following reduces the potential impact of social engineering attacks?

A. Compliance with regulatory requirements

B. Promoting ethical understanding

C. Security awareness programs

D. Effective performance incentives

Answer:___________________________

23. Which of the following is the MOST important element for the successful implementation of IT governance?

A. Implementing an IT scorecard

B. Identifying organizational strategies

C. Performing a risk assessment

D. Creating a formal security policy

Answer:___________________________

24. A benefit of open system architecture is that it:

A. facilitates interoperability.

B. facilitates the integration of proprietary components.

C. will be a basis for volume discounts from equipment vendors.

D. allows for the achievement of more economies of scale for equipment.

Answer:___________________________

25. A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers for all products. Which of the following is the PRIMARY concern associated with this initiative?

A. Issues of privacy

B. Wavelength can be absorbed by the human body

C. RFID tags may not be removable

D. RFID eliminates line-of-sight reading

Answer:___________________________

26. Which of the following is the MOST important criterion when selecting a location for an offsite storage facility for IS backup files? The offsite facility must be:

A. physically separated from the data center and not subject to the same risks.

B. given the same level of protection as that of the computer data center.

C. outsourced to a reliable third party.

D. equipped with surveillance capabilities.

Answer:___________________________

27. Which of the following findings should an IS auditor be MOST concerned about when performing an audit of backup and recovery and the offsite storage vault?

A. There are three individuals with a key to enter the area

B. Paper documents are also stored in the offsite vault

C. Data files that are stored in the vault are synchronized

D. The offsite vault is located in a separate facility

Answer:___________________________

28. Which of the following represents the GREATEST risk created by a reciprocal agreement for disaster recovery made between two companies?

A. Developments may result in hardware and software incompatibility

B. Resources may not be available when needed

C. The recovery plan cannot be tested

D. The security infrastructures in each company may be different

Answer:___________________________

29. Which of the following disaster recovery/continuity plan components provides the GREATEST assurance of recovery after a disaster?

A. The alternate facility will be available until the original information processing facility is restored.

B. User management is involved in the identification of critical systems and their associated critical recovery times.

C. Copies of the plan are kept at the homes of key decision-making personnel.

D. Feedback is provided to management, assuring them that the business continuity plans are, indeed, workable and that the procedures are current.

Answer:___________________________

30. Which of the following would have the HIGHEST priority in a business continuity plan?

A. Resuming critical processes

B. Recovering sensitive processes

C. Restoring the site

D. Relocating operations to an alternative site

Answer:___________________________

31. An IS auditor has audited a business continuity plan. Which of the following findings is the MOST critical?

A. Nonavailability of an alternate private branch exchange (PBX) system

B. Absence of a backup for the network backbone

C. Lack of backup systems for the users’ PCs

D. Failure of the access card system

Answer:___________________________

32. During a business continuity audit, an IS auditor found that the business continuity plan covered only critical processes. The IS auditor should:

A. Recommend that the business continuity plan cover all business processes.

B. Assess the impact of the processes not covered.

C. Report the findings to the IT manager.

D. Redefine critical processes.

Answer:___________________________

33. An IS auditor noted that an organization had adequate business continuity plans for each individual process, but no comprehensive business continuity plan. Which would be the BEST course of action for the IS auditor?

A. Recommend that an additional comprehensive business continuity plan be developed.

B. Determine whether the business continuity plans are consistent.

C. Accept the business continuity plans as written.

D. Recommend the creation of a single business continuity plan.

Answer:___________________________

34. Which of the following is MOST important when there is a lack of adequate fire detection and control equipment in the computer areas?

A. Adequate fire insurance

B. Regular hardware maintenance

C. Off-site storage of transaction and master files

D. Fully tested backup processing facilities

Answer:___________________________

35. When developing a business continuity plan, which of the following tools should be used to gain an understanding of the organization’s business processes?

A. Business continuity self-audit

B. Resource recovery analysis

C. Business impact analysis

D. Gap analysis

Answer:___________________________

36. The PRIMARY objective of testing a business continuity plan is to:

A. Familiarize employees with the business continuity plan.

B. Ensure that all residual risks are addressed.

C. Exercise all possible disaster scenarios.

D. Identify limitations of the business continuity plan.

Answer:___________________________

37. In determining the acceptable time period for the resumption of critical business processes:

A. only downtime costs need to be considered.

B. recovery operations should be analyzed.

C. both downtime costs and recovery costs need to be evaluated.

D. indirect downtime costs should be ignored.

Answer:___________________________

38. Separation of duties between computer operators and other data processing personnel is intended to:

A. Prevent unauthorized modifications to program or data.

B. Reduce overall cost of operations.

C. Allow operators to concentrate on their assigned duties.

D. Restrict operator access to data.

Answer:___________________________

39. During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that:

A. assessment of the situation may be delayed.

B. execution of the disaster recovery plan could be impacted.

C. notification of the teams might not occur.

D. potential crisis recognition might be ineffective.

Answer:___________________________

40. Which of the following pairs of job functions/duties would an organization MOST likely keep separate?

A. Operations and Programming.

B. Systems Analysis and Programming.

C. Database Administration and IS Management.

D. Tape Librarian and Program Librarian.
