Q.1.
1. When communicating audit results, IS auditors should remember that ultimately they are responsible to:
A. senior management and/or the audit committee.
B. the manager of the audited entity.
C. the IS audit director.
D. legal authorities.
5. Which of the following sampling methods is MOST useful when testing for compliance?
A. Attribute sampling
B. Variable sampling
C. Stratified mean per unit
D. Difference estimation
7. Which audit technique provides the BEST evidence of the segregation of duties in an IS department?
A. Discussion with management
B. Review of the organization chart
C. Observation and interviews
D. Testing of user access rights
10. Which audit technique provides the BEST evidence of the segregation of duties in an IS department?
A. Discussion with management
B. Review of the organization chart
C. Observation and interviews
D. Testing of user access rights
11. In a risk-based audit approach, an IS auditor must consider the inherent risk and
12. Which statement best describes the difference between a detective control and a corrective control?
A. Neither control stops errors from occurring. One control type is applied sooner than the other.
B. One control is used to keep errors from resulting in loss, and the other is used to warn of danger.
C. One is used as a reasonableness check, and the other is used to make management aware that an error has occurred.
D. One control is used to identify that an error has occurred and the other fixes the problems before a loss occurs.
13. When reviewing an audit function for independence, an IS auditor would be most concerned to find that
A. The internal audit function was made up of people who used to work for the external auditing firm that managed the accounting and auditing of the business
B. The audit function had an administrative reporting relationship to the controller of finance in the business
C. Some of the audit staff had previous involvement with the operation of business processes that their group was evaluating
D. The audit staff had reviewed similar risk and control processes for competing businesses
14. In evaluating business continuity management, which factor is considered NOT an important aspect of the overall management of the program by the IS auditor?
A. Impact to the businesses has been studied and agreed to from the business management as a basis from which to understand the continuity needs.
B. Interactions of all affected processes have been identified so that priorities for recovery can be determined.
C. Recovery tests have been successful and determined to fully meet the needs of the business.
D. The procedures required to manage the business processes without the information systems have been well documented and moved off-site to provide for interim recovery processing.
15. When evaluating information security management, which of the following are not items the IS auditor would consider commenting on as a potential control weakness?
16. During the problem analysis and solution design phases of an SDLC methodology, which of the following steps would you be most concerned with finding?
A. Policies provide a high-level framework and standards are more dynamic and specific.
B. Policies take longer to write and are harder to implement than standards.
C. Standards require interpretation and must have associated procedures.
D. Policies describe how to do things and standards provide best practices guidance.
18. Many organizations require employees to take a mandatory one to two full weeks of continuous vacation each year because
A. The organization wants to ensure that their employees' quality of life provides for happy employees in the workplace.
B. The organization wants to ensure that potential errors in process or irregularities in processing are identified by forcing a person into the job function as a replacement periodically.
C. The organization wants to ensure that the benefits provided by the company are fully used to enable full employment of replacement staff as much as possible.
D. The organization wants to ensure that their employees are fully cross-trained and able to take over other functions in case of a major disruption or disaster.
19. Audit evidence can take many forms. When determining the types required for an audit, the auditor must consider
20. Which of the following is not part of the IS auditor's code of ethics?
A. Serve the interest of the employers in a diligent, loyal and honest manner.
B. Maintain the standards of conduct and the appearance of independence through the use of audit information for personal gain.
C. Maintain competency in the interrelated fields of audit and information systems.
D. Use due care to document factual client information on which to base conclusions and recommendations.