Professional Documents
Culture Documents
IT Audit Process
Questions
1. In an IS audit of several critical servers, the IS auditor wants to analyze audit trails
to discover potential anomalies in user or system behavior. Which of the following tools
is MOST suitable for performing that task?
A. CASE tools
B. Embedded data collection tools
C. Heuristic scanning tools
D. Trend/variance detection tools
2. In the course of performing a risk analysis, an IS auditor has identified threats and
potential impacts.
Next, an IS auditor should:
A. audit planning.
B. controls.
C. vulnerabilities.
D. liabilities.
4. The PRIMARY role of an IS auditor during the system design phase of an application
development project is to:
A can identify high-risk areas that might need a detailed review later.
B. allows IS auditors to independently assess risk.
C. can be used as a replacement for traditional audits.
D. allows management to relinquish responsibility for control.
Page 1 of 16
Classification: Internal Use
IT Audit Process
Questions
8. Which one of the following could an IS auditor use to validate the effectiveness of
edit and validation routines?
A. an understanding of workflows.
B. investigating various communication channels.
C. understanding the responsibilities and authority of individuals.
D. investigating the network connected to different employees.
10. Which of the following is the MOST likely reason why e-mail systems have become a
useful source of evidence for litigation?
A. sampling risk.
Page 2 of 16
Classification: Internal Use
IT Audit Process
Questions
B. detection risk.
C. inherent risk.
D. control risk.
13. An IS auditor reviewing the effectiveness of IT controls found a prior audit report,
without workpapers. How should the IS auditor proceed?
15. Which of the following is the PRIMARY advantage of using computer forensic
software for investigations?
16. To ensure that audit resources deliver the best value to the organization, the FIRST
step would be to:
A. schedule the audits and monitor the time spent on each audit.
B. train the IS audit staff on current technology used in the company.
C. develop the audit plan on the basis of a detailed risk assessment.
D. monitor progress of audits and initiate cost control measures.
Page 3 of 16
Classification: Internal Use
IT Audit Process
Questions
17. In cases where there is disagreement, during an exit interview, regarding the
impact of a finding, the IS auditor should:
A. ask the auditee to sign a release form accepting full legal responsibility.
B. elaborate on the significance of the finding and the risks of not correcting it.
C. report the disagreement to the audit committee for resolution.
D. accept the auditee's position since they are the process owners.
18. Which of the following normally would be the MOST reliable evidence for an
auditor?
19. To identify the value of inventory that has been kept for more than eight weeks, an
IS auditor would MOST likely use:
A. test data.
B. statistical sampling.
C. an integrated test facility.
D. generalized audit software.
20. Which of the following sampling methods is MOST useful when testing for
compliance?
A. Attribute sampling
B. Variable sampling
C. Stratified mean per unit
D. Difference estimation
21. Which of the following audit tools is MOST useful to an IS auditor when an audit
trail is required?
22. Which of the following tests is an IS auditor performing when a sample of programs
is selected to determine if the source and object versions are the same?
Page 4 of 16
Classification: Internal Use
IT Audit Process
Questions
23. Which audit technique provides the BEST evidence of the segregation of duties in an
IS department?
A. variable sampling.
B. substantive testing.
C. compliance testing.
D. stop-or-go sampling.
26. When developing a risk-based audit strategy, an IS auditor should conduct a risk
assessment to ensure that:
27. The vice president of human resources has requested an audit to identify payroll
overpayments for the previous year. Which would be the BEST audit technique to use in
this situation?
A. Test data
B. Generalized audit software
C. Integrated test facility
D. Embedded audit module
Page 5 of 16
Classification: Internal Use
IT Audit Process
Questions
A. having line managers assume a portion of the responsibility for control monitoring.
B. assigning staff managers the responsibility for building, but not monitoring, controls.
C. the implementation of a stringent control policy and rule-driven controls.
D. the implementation of supervision and the monitoring of controls of assigned duties.
30. Which of the following online auditing techniques is most effective for the early
detection of errors or irregularities?
A. does not require an IS auditor to collect evidence on system reliability while processing is
taking place.
B. requires the IS auditor to review and follow up immediately on all information collected.
C. can improve system security when used in time-sharing environments that process a large
number of transactions.
D. does not depend on the complexity of an organization's computer systems.
33. An IS auditor evaluates the test results of a modification to a system that deals with
payment computation. The auditor finds that 50 percent of the calculations do not
match predetermined totals. Which of the following would MOST likely be the next step
in the audit?
Page 6 of 16
Classification: Internal Use
IT Audit Process
Questions
34. Senior management has requested that an IS auditor assist the departmental
management in the implementation of necessary controls. The IS auditor should:
37. When communicating audit results, IS auditors should remember that ultimately
they are responsible to:
38. When evaluating the collective effect of preventive, detective or corrective controls
within a process, an IS auditor should be aware:
A. of the point at which controls are exercised as data flow through the system.
B. that only preventive and detective controls are relevant.
Page 7 of 16
Classification: Internal Use
IT Audit Process
Questions
C. that corrective controls can only be regarded as compensating.
D. that classification allows an IS auditor to determine which controls are missing.
39. An IS auditor discovers evidence of fraud perpetrated with a manager's user id. The
manager had written the password, allocated by the system administrator, inside
his/her desk drawer. The IS auditor should conclude that the:
40. In an audit of an inventory application, which approach would provide the BEST
evidence that purchase orders are valid?
A. It uses actual master files or dummies and the IS auditor does not have to review the source of
the transaction.
B. Periodic testing does not require separate test processes.
C. It validates application systems and tests the ongoing operation of the system.
D. It eliminates the need to prepare test data.
45. In a critical server, an IS auditor discovers a Trojan horse that was produced by a
known virus that exploits a vulnerability of an operating system. Which of the following
should an IS auditor do FIRST?
47. Which of the following would be the BEST population to take a sample from when
testing program changes?
A. facilitator.
B. manager.
C. partner.
D. stakeholder.
Page 9 of 16
Classification: Internal Use
IT Audit Process
Questions
C. Network monitoring is very limited.
D. Many user ids have identical passwords.
51. Corrective action has been taken by an auditee immediately after the identification
of a reportable finding. The auditor should:
A. include the finding in the final report, because the IS auditor is responsible for an accurate
report of all findings.
B. not include the finding in the final report, because the audit report should include only
unresolved findings.
C. not include the finding in the final report, because corrective action can be verified by the IS
auditor during the audit.
D. include the finding in the closing meeting for discussion purposes only.
52. Which of the following forms of evidence for the auditor would be considered the
MOST reliable?
53. During a review of the controls over the process of defining IT service levels, an IS
auditor would MOST likely interview the:
A. systems programmer.
B. legal staff.
C. business unit manager.
D. application programmer.
54. Which of the following is the GREATEST challenge in using test data?
A. Ensuring the program version tested is the same as the production program
B. Creating test data that covers all possible valid and invalid conditions
C. Minimizing the impact of additional transactions on the application being tested
D. Processing the test data under an auditor's supervision
Page 10 of 16
Classification: Internal Use
IT Audit Process
Questions
55. When assessing the design of network monitoring controls, an IS auditor should
FIRST review network:
A. topology diagrams.
B. bandwidth usage.
C. traffic analysis reports.
D. bottleneck locations.
A. be dynamic and change often to coincide with the changing nature of technology and the audit
profession.
B. clearly state audit objectives for and the delegation of authority to the maintenance and review
of internal controls.
C. document the audit procedures designed to achieve the planned audit objectives.
D. outline the overall authority, scope and responsibilities of the audit function.
57. The BEST method of proving the accuracy of a system tax calculation is by:
A. detailed visual review and analysis of the source code of the calculation programs.
B. recreating program logic using generalized audit software to calculate monthly totals.
C. preparing simulated transactions for processing and comparing the results to predetermined
results.
D. automatic flowcharting and analysis of the source code of the calculation programs.
58. The decisions and actions of an IS auditor are MOST likely to affect which of the
following risks?
A. Inherent
B. Detection
C. Control
D. Business
Page 11 of 16
Classification: Internal Use
IT Audit Process
Questions
61. Overall business risk for a particular threat can be expressed as:
A. a product of the probability and magnitude of the impact if a threat successfully exploits a
vulnerability.
B. the magnitude of the impact should a threat source successfully exploit the vulnerability.
C. the likelihood of a given threat source exploiting a given vulnerability.
D. the collective judgment of the risk assessment team.
62. An IS auditor has imported data from the client's database. The next step-
confirming whether the imported data are complete-is performed by:
A. matching control totals of the imported data to control totals of the original data.
B. sorting the data to confirm whether the data are in the same order as the original data.
C. reviewing the printout of the first 100 records of original data with the first 100 records of
imported data.
D. filtering data for different categories and matching them to the original data.
63. The extent to which data will be collected during an IS audit should be determined
based on the:
64. An integrated test facility is considered a useful audit tool because it:
65. In planning an audit, the MOST critical step is the identification of the:
Page 12 of 16
Classification: Internal Use
IT Audit Process
Questions
68. Which of the following steps would an IS auditor normally perform FIRST in a data
center security review?
A. record the observations separately with the impact of each of them marked against each
respective finding.
B. advise the manager of probable risks without recording the observations, as the control
weaknesses are minor ones.
C. record the observations and the risk arising from the collective weaknesses.
D. apprise the departmental heads concerned with each observation and properly document it in
the report.
Page 13 of 16
Classification: Internal Use
IT Audit Process
Questions
71. The MAJOR advantage of the risk assessment approach over the baseline approach
to information security management is that it ensures:
73. Which of the following processes describes risk assessment? Risk assessment is:
A. subjective.
B. objective.
C. mathematical.
D. statistical.
74. During a security audit of IT processes, an IS auditor found that there were no
documented security procedures. The IS auditor should:
75. An IS auditor has evaluated the controls for the integrity of the data in a financial
application. Which of the following findings would be the MOST significant?
A. The application owner was unaware of several changes applied to the application by the IT
department.
B. The application data are backed up only once a week.
C. The application development documentation is incomplete.
D. Information processing facilities are not protected by appropriate fire detection systems.
76. While conducting an audit, an IS auditor detects the presence of a virus. What
should be the IS auditor's next step?
Page 14 of 16
Classification: Internal Use
IT Audit Process
Questions
A. A technique that enables the IS auditor to test a computer application for the purpose of
verifying correct processing
B. The utilization of hardware and/or software to review and test the functioning of a computer
system
C. A method of using special programming options to permit the printout of the path through a
computer program taken to process a specific transaction
D. A procedure for tagging and extending transactions and master records that are used by an IS
auditor for tests
78. The risk of an IS auditor using an inadequate test procedure and concluding that
material errors do not exist when, in fact, they do is an example of:
A. inherent risk.
B. control risk.
C. detection risk.
D. audit risk.
79. An IS auditor should use statistical sampling and not judgment (nonstatistical)
sampling, when:
81. An IS auditor conducting a review of software usage and licensing discovers that
numerous PCs contain unauthorized software. Which of the following actions should the
IS auditor take?
82. The IS department of an organization wants to ensure that the computer files used
in the information processing facility are adequately backed up to allow for proper
recovery. This is a(n):
A. control procedure.
B. control objective.
C. corrective control.
D. operational control.
Page 16 of 16