Question No. 1 is compulsory.

From the remaining solve any four.

Q.1.

1. When communicating audit results, IS auditors should remember that ultimately they are responsible to:
A. senior management and/or the audit committee.
B. the manager of the audited entity.
C. the IS audit director.
D. legal authorities.

2. Which of the following is a substantive test?


A. Checking a list of exception reports
B. Ensuring approval for parameter changes
C. Using a statistical sample to inventory the tape library
D. Reviewing password history reports

3. The PRIMARY objective of an IS audit function is to:


A. determine whether everyone uses IS resources according to their job description.
B. determine whether information systems safeguard assets, and maintain data integrity.
C. examine books of accounts and relative documentary evidence for the computerized system.
D. determine the ability of the organization to detect fraud.

4. A key element in a risk analysis is/are:


A. audit planning.
B. controls.
C. vulnerabilities.
D. liabilities.

5. Which of the following sampling methods is MOST useful when testing for compliance?
A. Attribute sampling
B. Variable sampling
C. Stratified mean per unit
D. Difference estimation

6. The PRIMARY purpose of an audit charter is to:


A. document the audit process used by the enterprise.
B. formally document the audit department’s plan of action.
C. document a code of professional conduct for the auditor.
D. describe the authority and responsibilities of the audit department.

7. Which audit technique provides the BEST evidence of the segregation of duties in an IS department?
A. Discussion with management
B. Review of the organization chart
C. Observation and interviews
D. Testing of user access rights

8. The PRIMARY purpose of audit trails is to:


A. improve response time for users.
B. establish accountability and responsibility for processed transactions.
C. improve the operational efficiency of the system.
D. provide useful information to auditors who may wish to track transactions.

9. Dataflow diagrams are used by IS auditors to:


A. order data hierarchically.
B. highlight high-level data definitions.
C. graphically summarize data paths and storage.
D. portray step-by-step details of data generation.

10. Which audit technique provides the BEST evidence of the segregation of duties in an IS department?
A. Discussion with management
B. Review of the organization chart
C. Observation and interviews
D. Testing of user access rights

11. In a risk-based audit approach, an IS auditor must consider the inherent risk and

A. How to eliminate the risk through an application of controls
B. Whether the risk is material, regardless of management's tolerance for risk
C. The balance of the loss potential and the cost to implement controls
D. Residual risk being higher than the insurance coverage purchased

12. Which statement best describes the difference between a detective control and a corrective control?

A. Neither control stops errors from occurring. One control type is applied sooner than the other.
B. One control is used to keep errors from resulting in loss, and the other is used to warn of danger.
C. One is used as a reasonableness check, and the other is used to make management aware that an error has
occurred.
D. One control is used to identify that an error has occurred and the other fixes the problems before a loss
occurs.

13. When reviewing an audit function for independence, an IS auditor would be most concerned to find that

A. The internal audit function was made up of people who used to work for the external auditing firm that
managed the accounting and auditing of the business
B. The audit function had an administrative reporting relationship to the controller of finance in the business
C. Some of the audit staff had previous involvement with the operation of business processes that their group
was evaluating
D. The audit staff had reviewed similar risk and control processes for competing businesses

14. In evaluating business continuity management, which factor is considered NOT an important aspect of the
overall management of the program by the IS auditor?

A. Impact to the businesses has been studied and agreed to from the business management as a basis from
which to understand the continuity needs.
B. Interactions of all affected processes have been identified so that priorities for recovery can be determined.
C. Recovery tests have been successful and determined to fully meet the needs of the business.
D. The procedures required to manage the business processes without the information systems have been well
documented and moved off-site to provide for interim recovery processing.

15. When evaluating information security management, which of the following are not items the IS auditor
would consider commenting on as a potential control weakness?

A. A security program had not been developed using a risk-based approach.
B. The information security officer does not accept responsibility for security decisions in the organization.
C. The use of intrusion detection technologies has not been considered for use in the security program.
D. Account administration processes do not require agreement to acceptable behavior guidelines from all
persons requesting accounts.

16. During the problem analysis and solution design phases of an SDLC methodology, which of the following
steps would you be most concerned with finding?

A. Current state analysis and documentation processes
B. Entity relationship diagramming and process flow definitions
C. Pilot testing of planned solutions
D. Gathering of functional requirements from business sponsors

17. What is the primary difference between policies and standards?

A. Policies provide a high-level framework and standards are more dynamic and specific.
B. Policies take longer to write and are harder to implement than standards.
C. Standards require interpretation and must have associated procedures.
D. Policies describe how to do things and standards provide best practices guidance.

18. Many organizations require employees to take a mandatory one to two full weeks of continuous vacation
each year because
A. The organization wants to ensure that their employees' quality of life provides for happy employees in the
workplace.
B. The organization wants to ensure that potential errors in process or irregularities in processing are identified
by forcing a person into the job function as a replacement periodically.
C. The organization wants to ensure that the benefits provided by the company are fully used to enable full
employment of replacement staff as much as possible.
D. The organization wants to ensure that their employees are fully cross-trained and able to take over other
functions in case of a major disruption or disaster.

19. Audit evidence can take many forms. When determining the types required for an audit, the auditor must
consider

A. CAATs, flowcharts, and narratives
B. Interviews, observations, and reperformance testing
C. The best evidence available that is consistent with the importance of the audit objectives
D. Inspection, confirmation, and substantive testing

20. Which of the following is not part of the IS auditor's code of ethics?

A. Serve the interest of the employers in a diligent, loyal and honest manner.
B. Maintain the standards of conduct and the appearance of independence through the use of audit information
for personal gain.
C. Maintain competency in the interrelated fields of audit and information systems.
D. Use due care to document factual client information on which to base conclusions and recommendations.
