
Information Technology Audit

September 21, 2017

1. Which is not the purpose of Risk analysis?

A. It supports risk based audit decisions

B. Assists the Auditor in determining Audit objectives

C. Ensures absolute safety during the Audit

D. Assists the Auditor in identifying risks and threats

2. Which term best describes the difference between the sample and the population in the sampling process?

A. Precision

B. Tolerable error rate

C. Level of Risk

D. Analytical Data

3. Name one of the purposes of creating Business Continuity Plan

A. To maximise the number of decisions made during an incident

B. To minimise decisions needed during a crisis

C. To lower business insurance premiums

D. To provide guidance for federal regulations

4. Failing to prevent or detect a material error would represent which type of risk?

A. Overall Audit Risk

B. Detection Risk

C. Inherent Risk

D. Control Risk

5. Which is one of the bigger concerns regarding asset disposal?

A. Residual Asset Value

B. Employees taking disposed property home

C. Standing data

D. Environmental Regulations

6. Who should issue organisational policies?

A. Policies should originate from the bottom and move up to the middle management level for approval

B. The policy should be issued in accordance with the approved standards by the middle management level

C. Policy can be issued by any level of management on a case-by-case basis

D. The policy should be signed and enforced by the highest level of management

7. A program check that ensures data entered by a data entry operator is complete is an example of a

A. Detective Control

B. Preventive Control

C. Corrective Control

D. Redundancy Control

8. What is the primary objective in problem escalation?

A. Improve customer satisfaction

B. Optimise the number of skilled personnel


C. Ensure the correct response

D. Prove that the IT staff is competent

9. Which of the following is LEAST important when Auditors review Internal Controls?

A. The existence of an Audit Committee in the Organisation

B. The Organisational structure and the Management style used by the Organisation

C. The existence of a Budgeting System

D. The number of Personnel working for the Organisation

10. What is the best example of why plan testing is important?

A. To prove the plan worked the first time


B. To find the correct problems

C. To show the team that is not pulling their own weight

D. To verify that everyone shows up at the recovery site

11. Continuity planners can create plans without the business impact analysis (BIA) process because

A. Business Impact Analysis is not required

B. Management already dictated all the key processes to be used

C. Not possible, critical processes continuously change

D. Risk assessment is acceptable

12. What are the three competing demands to be addressed by the Project Management?

A. Scope, Authority and Availability of Resources

B. Time, Cost and Scope

C. Requirements, Authority and Responsibility

D. Authority, Organisational Culture and Scope

13. How should management act to best deal with emergency changes?

A. Emergency changes cannot be made without advanced testing

B. All changes should still undergo review


C. The changes control process does not apply to emergency conditions

D. Emergency changes are not allowed under any condition

14. Which of the following is not an objective of a control?

A. Reduce expected losses from irregularities

B. Reduce the probability of an error occurring

C. Reduce the amount of loss if an occurs

D. Provide for all the failures and to ensure that business is protected fully from such failures

15. IT audit is the process of collecting and evaluating evidence to determine

A. Whether a computer system safeguards assets

B. Whether maintains data integrity

C. Whether allows organisational goals to be achieved effectively and uses resources efficiently

D. All of the above

16. The objectives of IT audit include

A. Ensures asset safeguarding

B. Ensures that the attributes of data or information are maintained

C. Both (a) and (b)

D. None of the above

17. Which is not an attribute of data or information

A. Compliance

B. Integrity

C. Confidentiality

D. Technology

18. Which among the following does not encompass organisational and management controls within the information processing facility (IPF)

A. Sound human resource policies and management practices

B. Methods to assess effective and efficient operations.

C. The regulatory framework within which the business is carried out

D. Separation of duties within the information processing environment

19. The essential aspect to be understood about the organisation subject to IT audit is

A. Organisation’s business and its strategic goals and objectives

B. The number of operating units / locations and their geographic dispersion

C. Major pending projects in progress

D. All of the above

20. While understanding the type of software used in the organisation the IT auditor has to

A. See the policy decision on developing software inhouse or to buy commercial products.

B. Collect details of operating systems, application system and database management system

C. Collect information relating to network architecture and technology to establish connectivity.

D. All of the above

21. The security goals of the organisation do not cover

A. Confidentiality

B. Probability and impact of occurrence

C. Availability

D. Integrity

22. Find out the incorrect statement with reference to Risk assessment

A. The detailed audit is needed where the risk assessment is low and the risk management is high

B. An independent assessment is necessary whether threats have been countered / guarded against effectively and economically

C. The assessment of the soundness of IT system will necessarily have to study the policies and process of risk management

D. None of the above

23. Consider the following statement and find out the correct one w.r.t. IT audit

A. In inherent risk there is an assumption that there are related internal controls.

B. In control risk errors will not be prevented or detected and corrected by the internal control system.

C. The control risk associated with computerised data validation procedures is ordinarily high.

D. None of the above

24. What is the characteristic of ‘detective control’


A. Minimise the impact of a threat

B. Use controls that detect and report the occurrence of an error, omission or malicious act.

C. Detect problems before they occur

D. None of the above

25. Which among the following is not characteristic of ‘preventive control’

A. Monitor both operation and imports

B. Prevent error, omission or malicious act from occurring

C. Correct errors from occurring

D. None of the above

26. IT access is not controlled or regulated through password; it indicates

A. Poor security control

B. High risk of the system getting hacked

C. High risk of the system getting breached

D. All of the above

27. Basic risk areas which the external Govt. auditor may come across when reviewing internal audit’s work include

A. Availability of sufficient resources, in terms of finance, staff and skills required

B. Involvement of internal audit with IT system and under development

C. Management not required to act on internal audit’s recommendations

D. None of the above

28. Which are the common audit objectives for an IT audit

A. Review of the security of the IT system

B. Evaluation of the performance of a system

C. Examination of the system development process and the procedures followed at various stages involved

D. All of the above.


29. The type of audit evidence which the auditor should consider using in IT audit includes

A. Observed process and existence of physical items

B. Documentary audit evidence excluding electronic records

C. Analysis excluding IT enabled analysis using

D. None of the above

30. Match the following w.r.t interviews to be conducted with staff and purpose interviewing

Kinds of staff / personnel:

(A) System analysis of programmers
(B) Clerical / Data entry staff
(C) Users of an application systems
(D) Operation staff

Purpose of interview:

(A) To determine whether any application system to consume a [...] resources.
(B) To determine their perceptions of how the system has aff[...] working life
(C) To determine how they correct input data.
(D) To obtain a better understanding of the functions and controls [...] system.

A. A–B; B–A; C–D; D–C

B. A–D; B–C; C–A; D–A

C. A–C; B–D; C–A; D–B

D. None of the above

31. Which of the following type of questions need to be included in the questionnaire(s)

A. Ambiguous questions

B. Leading questions

C. Presumptuous questions

D. Specific questions

32. Analytical procedures are useful in the following way in collecting audit evidence in IT audit

A. Use comparisons and relationships to determine whether account balances appear reasonable

B. To decide which accounts do not need further verification


C. To decide which audit areas should be more thoroughly investigated

D. All of the above

33. What is the commonly used example of generalised audit software?

A. CAAT

B. IDEA

C. COBIT

D. None of the above

34. A higher risk of system violation happens where

A. The audit module is not operational

B. The audit module has been disabled

C. The audit module is not periodically reviewed

D. All of the above

35. Which among the following is not a compliance test as related to IT environment

A. Determining whether passwords are changed periodically.

B. Determining whether systems logs are reviewed

C. Determining whether program changes are authorised.

D. Reconciling account balances


36. Substantive tests as they relate to the IT environment do not include

A. Conducting system availability analysis

B. Conducting system outage analysis

C. Performing system storage media analysis

D. Determining whether a disaster recovery plan was tested

37. Find out the incorrect statement w.r.t. attribute sampling used by IT auditors

A. Attribute sampling is used in substantive testing situations

B. Attribute sampling deals with the presence or absence of the attribute

C. It provides conclusions that are expressed in rates of incidence

D. None of the above

38. Variable sampling is used and deals with and provide


A. Applied in substantive testing situations

B. Deals with population characteristics that vary

C. Provides conclusions related to deviations from the norm

D. All of the above

39. Which among the following is true as to Audit Reporting

A. Normal reporting format is not adhered to in the case of IT Audit

B. In IT audit, the base of the focus is the system

C. In IT audit the audience for the report should normally be ignored

D. None of the above

40. The conclusions of the IT audit report do not include

A. Sweeping conclusions regarding absence of controls and risks

B. A mismatch between hardware procurement and software development in the absence of IT policy

C. Haphazard development which cannot be ascribed to lack of IT policy

D. All of the above

41. Which among the following is not a limitation in IT Audit

A. Data used not from production environment

B. If there is only production environment and audit could not test dummy data

C. “Read only Access” given to audit

D. None of the above

42. With the help of what tools, IT auditor can plan for 100% substantive testing

A. CAATs tools

B. CMM (Software)

C. COBIT

D. None of the above

43. The reason for management’s failure to use information properly is

A. Failure to identify significant information

B. Failure to interpret the meaning and value of the acquired information


C. Failure to communicate information to the decision maker

D. All of the above

44. Find out the incorrect statement

A. Distributed networks may decrease the risk of data inconsistencies

B. Application software developed inhouse may have lower inherent risk than vendor supplied software

C. Peripheral access devices or system interfaces can increase inherent risk

D. None of the above

45. Categories of general control do not include

A. Logical access controls

B. Acquisition and program change controls

C. Control over standing data and master files

D. None of the above

46. Application controls include

A. IT operational controls

B. Control over processing

C. Physical controls

D. None of the above

47. What legal protection is available to prevent theft illegal copying of software

A. Computer misuse legislation

B. Data protection and privacy legislation

C. Copyright laws

D. None of the above

48. Match the following w.r.t. the following critical elements and its impact

Critical elements:

(A) Poor reporting structures
(B) Inappropriate or no IT planning
(C) Security policies not in place or not enforced
(D) Ineffective internal audit function

Impact:

(A) Cannot satisfactorily review the computer systems a[...] controls
(B) Leads to security breaches, data loss fraud and error
(C) Leads to business growth being constrained by a lac[...]
(D) Leads to inadequate decision making and affect the [...] concern

A. A–D; B–A; C–B; D–C

B. A–D; B–C; C–B; D–A

C. A–B; B–A; C–D; D–C

D. None of the above

49. The risk areas associated with poorly controlled computer operations include

A. Applications not run correctly

B. Loss or corruption of financial applications

C. Lack of backups and contingency planning

D. All of the above

50. In case of outsourcing IT activities the IT auditor should

A. Review the policies and procedures which ensure the security of the financial data

B. Obtain a copy of the contract to determine if adequate controls have been specified

C. Ensure that audit needs are taken into account and included in the contracts

D. All of the above


51. While reviewing the network management and control the IT auditor is required to

A. Review the security and controls in non-financial systems

B. Review the security and controls in financial system

C. Either (a) or (b) depending upon scope of audit and SAI’s mandate

D. None of the above

52. Which among the following is not true w.r.t. logical access controls

A. Logical access control usually depend on the in-built security facilities

B. The importance of logical access controls is increased where physical access control is more effective

C. Logical access control exists at both an installation and application level

D. None of the above

53. Weak input control may increase the risk of

A. Entry of an authorised data

B. Incomplete data entry

C. Entry of duplicate / redundant data

D. All of the above

54. Weak process controls would lead to:

A. Unauthorised changes or amendments to the existing data

B. Absence of audit trail rendering, sometimes the application unauditable

C. Inaccurate processing of transactions leading to wrong outputs / results

D. All of the above
