Auditing Quiz

The document discusses controls for information systems audits. It covers topics like control risks, compliance tests, segregation of duties, and service level agreements for outsourced computer centers. The document is a set of multiple choice questions relating to appropriate IS audit techniques and controls.

1. An IS auditor, performing a review of an application’s controls, discovers a weakness in system software, which could materially impact the application. The IS auditor should:

A. Disregard these control weaknesses as a system software review is beyond the scope of this review.
B. Conduct a detailed system software review and report the control weaknesses.
C. Include in the report a statement that the audit was limited to a review of the application’s controls.
D. Review the system software controls as relevant and recommend a detailed system software review.

2. The reason for having controls in an IS environment:

A. remains unchanged from a manual environment, but the implemented control features may be different.
B. changes from a manual environment, therefore the implemented control features may be different.
C. changes from a manual environment, but the implemented control features will be the same.
D. remains unchanged from a manual environment and the implemented control features will also be the same.

3. Which of the following types of risks assumes an absence of compensating controls in the area being reviewed?

A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk

4. An IS auditor is conducting substantive audit tests of a new accounts receivable module. The IS auditor has a tight schedule and limited computer expertise. Which would be the BEST audit technique to use in this situation?

A. Test data
B. Parallel simulation
C. Integrated test facility
D. Embedded audit module

5. The PRIMARY purpose of compliance tests is to verify whether:

A. controls are implemented as prescribed.
B. documentation is accurate and current.
C. access to users is provided as specified.
D. data validation procedures are provided.

6. Which of the following BEST describes the early stages of an IS audit?

A. Observing key organizational facilities.
B. Assessing the IS environment.
C. Understanding business process and environment applicable to the review.
D. Reviewing prior IS audit reports.

7. The document used by the top management of organizations to delegate authority to the IS audit function is the:

A. long-term audit plan.
B. audit charter.
C. audit planning methodology.
D. steering committee minutes.

8. Before reporting results of an audit to senior management, an IS auditor should:

A. Confirm the findings with auditees.
B. Prepare an executive summary and send it to auditee management.
C. Define recommendations and present the findings to the audit committee.
D. Obtain agreement from the auditee on findings and actions to be taken.

9. While developing a risk-based audit program, which of the following would the IS auditor MOST likely focus on?

A. Business processes
B. Critical IT applications
C. Corporate objectives
D. Business strategies

10. Which of the following is a substantive audit test?

A. Verifying that a management check has been performed regularly
B. Observing that user IDs and passwords are required to sign on the computer
C. Reviewing reports listing short shipments of goods received
D. Reviewing an aged trial balance of accounts receivable.

11. Which of the following tasks is performed by the same person in a well-controlled information processing facility/computer center?

A. Security administration and management
B. Computer operations and system development
C. System development and change management
D. System development and systems maintenance.

12. Where adequate segregation of duties between operations and programming are not achievable, the IS auditor should look for:

A. compensating controls.
B. administrative controls.
C. corrective controls.
D. access controls.

13. Which of the following would be included in an IS strategic plan?

A. Specifications for planned hardware purchases
B. Analysis of future business objectives
C. Target dates for development projects
D. Annual budgetary targets for the IS department.

14. The MOST important responsibility of a data security officer in an organization is:

A. recommending and monitoring data security policies.
B. promoting security awareness within the organization.
C. establishing procedures for IT security policies.
D. administering physical and logical access controls.

15. Which of the following BEST describes an IT department’s strategic planning process?

A. The IT department will have either short-range or long-range plans depending on the organization’s broader plans and objectives.
B. The IT department’s strategic plan must be time and project oriented, but not so detailed as to address and help determine priorities to meet business needs.
C. Long-range planning for the IT department should recognize organizational goals, technological advances and regulatory requirements.
D. Short-range planning for the IT department does not need to be integrated into the short-range plans of the organization since technological advances will drive the IT department plans much quicker than organizational plans.

16. When a complete segregation of duties cannot be achieved in an online system environment, which of the following functions should be separated from the others?

A. Origination
B. Authorization
C. Recording
D. Correction

17. In a small organization, where segregation of duties is not practical, an employee performs the function of computer operator and application programmer. Which of the following controls should the IS auditor recommend?

A. Automated logging of changes to development libraries
B. Additional staff to provide segregation of duties
C. Procedures that verify that only approved program changes are implemented
D. Access controls to prevent the operator from making program modifications.

18. An IT steering committee would MOST likely perform which of the following functions?

A. Placement of a purchase order with the approved IT vendor
B. Installation of systems software and application software
C. Provide liaison between IT department and user department
D. Interview staff for the IT department.

19. An IS auditor is auditing the controls relating to employee termination. Which of the following is the MOST important aspect to be reviewed?

A. The related company staff are notified about the termination
B. User ID and passwords of the employee have been deleted
C. The details of employee have been removed from active payroll files
D. Company property provided to the employee has been returned.

20. When reviewing a service level agreement for an outsourced computer center an IS auditor should FIRST determine that:

A. the cost proposed for the services is reasonable.
B. security mechanisms are specified in the agreement.
C. the services in the agreement are based on an analysis of business needs.
D. audit access to the computer center is allowed under the agreement.

21. An IS auditor discovers a potential material finding. The BEST course of action is to:

A. report the potential finding to business management.
B. discuss the potential finding with the audit committee.
C. increase the scope of the audit.
D. perform additional testing.

22. Which of the following is in the BEST position to approve changes to the audit charter?

A. Board of directors
B. Audit committee
C. Executive management
D. Director of internal audit

23. An IS auditor reviewing the process to monitor access logs wishes to evaluate the manual log review process. Which of the following audit techniques would the auditor MOST likely employ to fulfill this purpose?

A. Inspection
B. Inquiry
C. Walk-through
D. Reperformance

24. An IS auditor is evaluating processes put in place by management at a storage location containing computer equipment. One of the test procedures compares the equipment on location with the inventory records. This type of testing procedure executed by the IS auditor is an example of:

A. substantive testing.
B. compliance testing.
C. analytical testing.
D. control testing.

25. During an audit, the IS auditor notes that the application developer also performs quality assurance testing on a particular application. Which of the following should the IS auditor do?

A. Recommend compensating controls.
B. Review the code created by the developer.
C. Analyze the quality assurance dashboards.
D. Report the identified condition.
