
True or false

____1. IS Audit is an objective assessment of the effectiveness of controls that are embedded in systems.
____2. Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and establishing criteria and communicating the results to interested users.
____3. Internal auditing is an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization.
____4. During an audit, an auditor needs to see evidence that the processes are being done in accordance with procedures and policies.
____5. Auditing should be seen as a positive process, not a fault-finding activity.
____6. Internal Audit is an independent examination of a quality system
____7. Internal Audit should be done periodically by independent and qualified people.
____8. Internal Audit includes all written quality documents, instructions and records.
____9. SOX is the standard that requires the testing of internal controls of publicly listed corporations.
____10. Internal Audit helps improve profitability without increasing the cost of doing business.

Multiple choice questions


____11. Overall business risk for a particular threat can be expressed as:
A. a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability.
B. the magnitude of the impact should a threat source successfully exploit the vulnerability
C. the likelihood of a given threat source exploiting a given vulnerability
D. the collective judgment of the risk assessment team.
____12. Which of the following steps would an IS auditor normally perform FIRST in a data center security review?
A. Evaluate physical access test results. B. Determine the risks/threats to the data center site.
C. Review business continuity procedures. D. Test for evidence of physical access at suspect locations.
____13. Which of the following is not a component of the COSO framework?
A. The dominant behavior in the organization
B. The proper dissemination of relevant information such as policies and guidelines.
C. Establishment of internal audit function with staff who are all Certified Internal Auditors.
D. Adequate employee supervision.
____14. In planning an audit, the MOST critical step is the identification of the:
A. areas of high risk. B. skill sets of the audit staff. C. test steps in the audit. D. time allotted for the audit.
____15. The role of IT auditor in complying with the Management Assessment of Internal Controls (Section 404 of the Sarbanes-Oxley Act) is:
A. planning internal controls B. documenting internal controls C. designing internal controls D. implementing internal controls
____16. The IS auditor learns that when equipment was brought into the data center by a vendor, the emergency power shutoff switch was accidentally pressed and the UPS was engaged. Which of the following audit recommendations should the IS auditor suggest?
A. Relocate the shutoff switch. B. Install protective covers. C. Escort visitors. D. Log environmental failures.
____17. Control risk and inherent risk result in?
A. Detection risk B. Audit Risk C. Risk of Misstatement D. Alpha risk
____18. Which of the following is the MOST effective control over visitor access to a data center?
A. Visitors are escorted. B. Visitor badges are required. C. Visitors sign in. D. Visitors are spot-checked by operators.
____19. The decisions and actions of an IS auditor are MOST likely to affect which of the following risks?
A. Inherent B. Detection C. Control D. Business
____20. The use of statistical sampling procedures helps minimize:
A. sampling risk. B. detection risk. C. inherent risk. D. control risk.
____21. What particular subset of internal audit concerns whether the auditee observes the existing sets of rules and regulations?
A. Financial Audits B. Operational Audits C. Compliance Audits D. Fraud Audits E. IT Audits
____22. Which of the following is the most common subset of internal audit?
A. Financial Audits B. Operational Audits C. Compliance Audits D. Fraud Audits E. IT Audits
____23. Which of the following internal audit services requires forensic expertise such as signature verification and fingerprint analysis?
A. Financial Audits B. Operational Audits C. Compliance Audits D. Fraud Audits E. IT Audits
____24. Which of the following subsets of internal audit is more applicable if internal controls are embedded in an automated system?
A. Financial Audits B. Operational Audits C. Compliance Audits D. Fraud Audits E. IT Audits
____25. Which of the following provides investigation services where anomalies are suspected, to develop evidence to support or deny fraudulent activities?
A. Financial Audits B. Operational Audits C. Compliance Audits D. Fraud Audits E. IT Audits
____26. Which of the following is the objective of external audit?
A. To determine whether the auditors are independent or are external from the Company.
B. To ascertain whether, in all material respects, financial statements are a fair representation of the organization's transactions and account balances.
C. To ensure that the Company's management is not involved in any form of financial statement fraud.
D. To ensure that the company's financial statements are prepared on a timely basis.
____27. Which of the following is not true with regard to external audit?
A. Required by SEC for publicly-traded companies B. Referred to as a financial audit
C. Management requirement D. Beneficial to the investing public
____28. All of the following pertain to management assertions regarding financial statements except:
A. Existence or Occurrence B. Completeness C. Rights & Obligations D. Valuation or Allocation E. Effectiveness of internal controls
____29. The probability that the auditor will give an inappropriate opinion on the financial statements: that is, that the statements will contain material misstatement(s) which the auditor fails to find
A. Audit risk B. Detection risk C. Wrist watch D. Control risk
____30. The probability that material misstatements have occurred considering the nature of the account or function being audited
A. Inherent risk B. Natural risk C. Credit risk D. Detection risk
____31. Economic condition is associated with what type of risk?
A. Economic risk B. Inherent risk C. Detection risk D. Control risk
____32. Audit risk is computed as:
A. AR = IR CR - DR B. AR = IR * (CR-DR) C. AR = IR * CR * DR D. AR = IR + CR + DR
____33. What type of risk results when an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when errors actually exist?
A. Inherent risk B. Business risk C. Residual risk D. Detection risk
____34. What is the recommended initial step for an IS Auditor to implement a continuous monitoring system?
A. Establish a controls monitoring steering committee B. Document existing internal controls
C. Identify high risk areas within the organization D. Perform compliance testing on internal controls
____35. How does the process of systems auditing benefit from using a risk-based approach to audit planning?
A. Controls testing starts earlier B. Auditing resources are allocated to the areas of highest concern
C. Controls testing is more thorough D. Auditing risk is reduced
____36. What type of risk is associated with authorized program exits (trap doors)?
A. Business risk C. Audit risk D. Inherent risk E. Detective risk
____37. An advantage of a continuous audit approach is that it can improve system security when used in time-sharing environments that process a large number of transactions.
A. True B. False
____38. As compared to an understanding of an organization's IT process rather than from evidence directly collected, how valuable are prior audit reports as evidence?
A. Lesser value B. Greater value C. Prior audit reports are not relevant D. The same value
____39. To properly evaluate the collective effect of preventive, detective, or corrective controls within a process, an IS auditor should be aware of:
A. The point at which controls are exercised as data flows through the system B. The effect of segregation of duties on internal controls
C. The business objectives of the organization D. Organizational control policies
____40. Which of the following would prevent accountability for an action performed, thus allowing non-repudiation?
A. Proper identification B. Proper authentication C. Proper identification, authentication, and authorization
D. Proper identification and authentication
____41. Which of the following is the most critical step in planning the audit?
A. Identification of high risk audit targets B. Testing controls C. Identifying current controls D. Implementing a prescribed auditing framework such as COBIT
____42. After an IS auditor has identified threats and potential impacts, the auditor should then:
A. Identify and evaluate the existing controls B. Conduct a business impact analysis (BIA) C. Report on existing controls D. Propose new controls
____43. A primary benefit derived from an organization employing control self-assessment (CSA) techniques is that it can:
A. Increase audit accuracy B. Identify high risk areas that might need detailed review later C. Reducing audit time D. Reducing audit cost
____44. Professional services that are designed to improve the quality of information, both financial and non-financial, used by decision-makers
A. Financial statements audit B. Assurance C. Attestation D. Due diligence
____45. The use of statistical sampling procedures helps minimize:
A. Business risk B. Control risk C. Detection risk D. Compliance risk
____46. An IS auditor is using a statistical sample to inventory the tape library. What type of test would this be considered?
A. Compliance B. Substantive C. Integrated D. Continuous Audit
____47. IS Auditors are most likely to perform compliance tests of internal controls if, after their initial evaluation of the internal controls, they conclude that control risks are within the acceptable limits.
A. True B. False
____48. Exposure pertains to the amount of changes in the business environment while risk pertains to the impact of these changes in the business environment.
A. True B. False
____49. Which of the following is of greatest concern to the IS auditor?
A. Failure to detect a successful attack to the network B. Failure to recover from a successful attack to the network
C. Failure to report a successful attack to the network D. Failure to prevent successful attack to the network
____50. What is the primary purpose of audit trails?
A. To document auditing efforts B. To establish accountability and responsibility for processed transactions
C. To prevent unauthorized access to data D. To correct data integrity errors
____51. An integrated test facility is not considered a useful audit tool because it cannot compare processing output with independently calculated data.
A. True B. False
____52. Which of the following is best suited for searching for address field duplications?
A. Manual review B. Productivity audit software C. Text search forensic utility software D. Generalized audit software
____53. The traditional role of an IS auditor in a control self-assessment (CSA) should be that of a:
A. Sponsor B. Implementer C. Facilitator D. Developer
____54. Which of the following is closely related to control environment?
A. Hard control B. Time Log C. Culture D. Policies
____55. Which of the following serves as the foundation of all internal controls?
A. Control Environment B. Control Activities C. Risk Management D. Monitoring
____56. This risk represents the auditor's assessment of the likelihood that a material misstatement relating to an assertion in the financial statements will not be detected and corrected, on a timely basis, by the client's internal control system.
A. Control Risk B. Inherent Risk C. Detection Risk D. Audit Risk
____57. What is the complete name of your professor in Audicom?
