160 Cards in this Set
1. Which one of these is not a type of hardware?
a. Mainframes
b. Servers
c. Workstations
d. Operating Systems
ANS: D
Source: GTAG 2, Page 10
2. Which type of stakeholder consists of executive leaders (business and IT) who influence guiding principles, strategy, and major decisions?
a. Steering Committee (Executive or Technical)
b. Sponsor
c. Project Manager
d. User (Business, IT, etc.)
ANS: A
Source: GTAG 12, Page 9
3. Among the application areas of continuous auditing, which of the following belongs to continuous control assessment?
a. Identification of control deficiencies
b. Examination of consistency of processes
c. Development of enterprise audit plan
d. Follow-up on audit recommendations
ANS: A
Source: GTAG 3, PPT Page 6
4. Why is a post-implementation review needed in the project audit process?
a. Determine readiness for final go-live
b. Assess any potential risk areas
c. Ensure a project phase was completed as expected and in accordance with the PM processes
d. Ensure project accomplished what was expected
ANS: D
Source: GTAG 12, PPT Page 17-20
5. For examining an application from the macro level, which one of the following is not included in the PPTM framework?
a. People and Process
b. Tools
c. Evaluates
d. Measures
ANS: C
Source: IT Audit Book, Chapter 13, Page 319
6. Which of the following is NOT a key market challenge of the cloud?
a. Marketing restrictions
b. No industry standards
c. Slow adoption due to new software or platforms
d. Difficulty in choosing a vendor
ANS: A
Source: Guest Speaker
7. Which of the following is NOT a data analysis type?
a. Ad Hoc
b. Continuous
c. Spontaneous
d. Repetitive
ANS: C
Source: GTAG: Data Analysis Page 14
8. Which of the following is NOT a benefit of Application Controls?
a. Reliability
b. Safety
c. Benchmarking
d. Time and Cost Savings
ANS: B
Source: GTAG 8 PPT, Slide 5
9. Applications developed by end users, usually in a non-controlled IT environment, are:
a. User-developed applications
b. Hard coded
c. Custom applications
d. Unique applications
ANS: A
Source: GTAG: Auditing User Developed Applications page 2
10. In an IT project, it is most costly to fix a problem in the _______ phase:
a. Design
b. Code
c. Test
d. Maintenance
ANS: D
Source: GTAG 12, Slide 22
11. “Method used to perform audit-related activities on a continuous basis; includes control and risk management” refers to:
a. Continuous monitoring
b. Continuous auditing
c. Continuous maintenance
d. Continuous planning
ANS: B
Source: GTAG 3 PPT slide 4
12. Which of the following is not a risk assessment approach?
a. Define the universe
b. Define the risks
c. Weigh the risk factors
d. Mitigate risks
ANS: D
Source: GTAG 8, PPT slide 7
13. Illegitimate drivers’ licenses were created and sold by a police communications officer who accidentally discovered she could create them. What kind of oversight was involved in this situation?
a. Lack of segregation of duties.
b. Lack of consideration for security vulnerabilities posed by authorized system overrides.
c. Lack of code reviews.
d. Insufficient attention to security details in automated workflow processes.
ANS: A
Source: GTAG 13, PPT Slide 11
14. Which of the following frauds can be detected by the procedure “run checks to uncover post office boxes used as addresses and to find any matches between vendor and employee addresses and/or phone numbers”?
a. Fictitious vendors
b. Altered invoices
c. Duplicate invoices
d. Duplicate payments
ANS: A
Source: GTAG 13, PPT SLIDE 23
15. Which of the following is not a database object?
a. Table
b. Stored procedure/function
c. Trigger
d. Update
ANS: D
Source: Chapter 9 Page 244
16. Which of the following is not one of five key focus areas for project audits?
a. Organization and IT group Alignment
b. IT Solution Readiness
c. Organizational and Process Change Management
d. Post Implementation
ANS: A
Source: GTAG 12 Page 6
17. Which of the following is not a key factor that determines whether the auditor can rely on the data, or whether more data integrity testing is required?
a. The auditor’s familiarity with the source data
b. The reliance being placed on the data
c. The existence of corroborating evidence
d. The efficiency of data store procedures
ANS: D
Source: GTAG 13 Page 9
18. Which of the following is NOT true about user-developed applications (UDA)?
a. UDAs often are developed on an ad hoc basis by individuals outside the formal IT roles and responsibilities.
b. A UDA typically is built with scant consideration for design and no appropriate approvals.
c. UDA has a standard life cycle that encompasses a feasibility analysis.
d. UDAs are usually developed without any documentation explaining what the UDA does or how it works.
ANS: C
Source: GTAG 14 Page 3
19. Which of the following is not an indicator of poor change management?
a. Unauthorized changes (above zero is unacceptable)
b. Delayed project implementations
c. High number of emergency changes
d. High change success rate
ANS: D
Source: GTAG 2
20. Which of the following is a phase of the Software Development Life Cycle?
a. Change Management
b. Test
c. Analysis
d. Project Management
ANS: B
Source: GTAG 12
21. According to the IIA IPPF, any illegal act characterized by deceit, concealment, or violation of trust is…
a. Fraud
b. Good Business
c. Unethical
d. Criminal
ANS: A
Source: GTAG 13
22. Business application systems are defined as:
a. Computer systems that are used to perform and support specific business process
b. Common hardware bundles
c. Web protocols
d. Secure message exchange solutions
ANS: A
Source: IT Auditing, Chapter 13
23. What type of control is segregation of duties?
a. Preventative
b. Detective
c. Compensatory
d. COSO
ANS: A
Source: GTAG 2
24. Common Application Controls include all BUT
a. Separation of duties
b. Input and access controls
c. File and data transmission controls
d. Processing controls
ANS: A
Source: GTAG 8 PowerPoint presentation, Slides 10-11
25. According to GTAG 14, User-Developed Applications (UDAs) ARE:
a. Less configurable and flexible than applications produced by IT
b. Difficult to produce because the tools are hard to come by
c. Slower to develop and harder to use than applications produced by IT
d. More configurable and flexible than applications produced by IT
ANS: D
Source: GTAG 14, Section 2.2, Benefits of User-developed Applications
26. Businesses invest heavily in IT Projects for each of the following reasons EXCEPT:
a. Enable business process efficiency to save money
b. Automate key processes and controls
c. To meet timelines when the project is having issues
d. Meet regulatory and legal requirements
ANS: C
Source: GTAG 12 PowerPoint presentation, Slide 3
27. Change and Patch Management includes:
a. Management of IT General Controls
b. System upgrades (e.g., applications, operating systems, and databases)
c. Management of Application Controls
d. Knowing best practices for Business Continuity Planning
ANS: B
Source: GTAG 2, Executive Summary
28. Which of the following is NOT a risk indicator of Poor Change Management?
a. Unauthorized changes
b. Unplanned outages
c. Authorized Changes
d. High number of emergency changes
ANS: C
Source: GTAG 2 Page 4
29. Which of the following is a key focus area for Project Audits?
a. IT Technology
b. Post Implementation
c. Pre Implementation
d. Business Continuity
ANS: B
Source: GTAG 12 Page 6
30. What is Structured Query Language (SQL) used for?
a. It is used to access data in a relational database
b. It is used to update the software and hardware of a database
c. It is used to backup and restore a database system
d. It is used to set configuration values in a database system.
ANS: A
Source: Chapter 9 Page 243
31. Which of the following is NOT a common database vendor?
a. IBM
b. Oracle
c. Sybase
d. Sun Microsystems
ANS: D
Source: Chapter 9 Page 238-241
32. Which of the following is a framework for application auditing?
a. SMPT
b. TRUST
c. STRIDE
d. HTTPS
ANS: C
Source: Chapter 13 Page 317
33. Which of the following is NOT a natural threat to Data Centers?
a. Flooding
b. Tornados
c. Earthquakes
d. Extreme Temperatures
ANS: D
Source: Chapter 4 Page 87
34. The misalignment risk posed by unclear sourcing strategies and a lack of SLAs will lead to:
a. High potential for inefficiencies within the organization
b. Failure to meet organizational requirements
c. Create leadership void and potential lost opportunities
d. Misuse of financial resources
ANS: B
Source: GTAG 17 page 9
35. Which of the following is a behavior in the Change Management Process that will reduce unauthorized changes?
a. Ability to distinguish planned and unplanned outage events
b. Effective communications around scheduled changes
c. Effective separation of duties enforced by restrictions on who can implement changes
d. Effective monitoring of infrastructure for production changes
ANS: C
Source: GTAG 2 page 15
36. Five Key Focus Areas for Project Audits do not include
a. Pre Implementation
b. Business and IT Alignment
c. Organizational and Process Change Management
d. Post Implementation
ANS: A
Source: GTAG 12 page 6
37. The three key benefits of relying on application controls do not include:
a. Reliability
b. Benchmarking
c. Safe to Use
d. Time and Cost Savings
ANS: C
Source: GTAG 8 page 3-4
38. An IT fraud risk assessment usually includes the following key steps except
a. Identifying relevant IT fraud risk factors
b. Mapping existing controls to potential fraud schemes and identifying gaps
c. Testing operating effectiveness of fraud prevention and detection controls
d. Eliminating the identified IT fraud risk factors
ANS: B
Source: GTAG 13 page 2
39. Which of the following is not a risk associated with User-Developed Applications?
a. Lack of structured development processes and change management controls
b. Limited input and output controls
c. Lack of documentation
d. Lack of flexibility
ANS: D
Source: GTAG 14 page 2-3
40. The objectives of application controls include all of the following, except:
a. Input data is accurate, complete, authorized, and correct.
b. Data is processed as intended in an acceptable time period.
c. Data stored and outputs are accurate and complete.
d. Unauthorized software installations are prevented.
ANS: D
Source: GTAG 8 Ppt, Slide 3
41. The process for evaluating a User-developed Application (UDA) control framework consists of:
a. Discovery, Inventory, Risk Rank
b. Assessment, Scoring, Decision
c. Tolerance, Assessment, Ranking
d. Scoring, Ranking, Decision
ANS: A
Source: GTAG 14 page 12
42. In the Change Management Process, ___________ objectives should drive the preventative, detective, and corrective controls for managing IT changes.
a. the auditor’s
b. Employee’s
c. Management’s
d. IT department’s
ANS: C
Source: GTAG 2 page 20
43. Data analytics should be used for all of the following reasons, except:
a. Internal control system weaknesses
b. Examine 100% of transactions
c. Automate tests in high-risk areas
d. Decrease costs
ANS: D
Source: GTAG 13 Ppt, Slide 18
44. Attributes of Data Analysis Software for Audit include all of the following, except:
a. Ability to run the software is common knowledge
b. Able to analyze entire data populations covering the scope of the audit
c. Allows for accessing, joining, relating, and comparing data from multiple sources
d. Supports centralized access, processing, and management of data analysis
ANS: A
Source: GTAG 16, page 8
45. IT governance can influence and impact the entire organization except
a. Enhancing the relationship Between the organization and IT
b. Enterprise risk management of the organization and IT
c. Invisibility into IT management’s ability to achieve its objectives
d. IT Governance improves the adaptability of IT to Changes in the organization and the IT Environment
ANS: C
Source: GTAG 17
46. Which of the following is included in the scope of IT Change Management?
a. Security controls
b. External environment
c. Business objectives
d. Vendors
ANS: A
Source: GTAG 2
47. What is the process for IT project audit planning?
a. Define IT Project Universe, Understand PM Approach and Audit’s Role, Perform Risk Assessment, Formalize Project Audit Plan
b. Understand PM Approach and Audit’s Role, Perform Risk Assessment, Define IT Project Universe, Formalize Project Audit Plan
c. Understand PM Approach and Audit’s Role, Define IT Project Universe, Formalize Project Audit Plan, Perform Risk Assessment
d. Understand PM Approach and Audit’s Role, Define IT Project Universe, Perform Risk Assessment, Formalize Project Audit Plan
ANS: D
Source: GTAG 12
48. Which of the following is not one of the three additional data access challenges that need to be overcome to assist audit’s use of data analysis tools?
a. Veracity
b. Variety
c. Volume
d. Vulnerability
ANS: D
Source: GTAG 16
49. Which of the following is a risk of UDAs?
a. Insufficient physical controls
b. Management may assume data is contained in report
c. Changes to system programs or data for personal gain
d. Copyright infringement
ANS: B
Source: GTAG 14
50. Each of the following items is part of the five important components of effective IT Governance except:
a. Organization and Governance Structures
b. Delayed Project Implementations
c. Executive Leadership and Support
d. Service and Operational Planning
ANS: B
Source: GTAG 17, page 3
51. Positive security models allow only what is on the list, excluding everything else by default. This is known as a:
a. Blacklist
b. Whitelist
c. Negative list
d. Positive list
ANS: B
Source: Chapter 13, page 319
52. Projects can be separated into seven major parts, each of which requires disciplines and controls that need to be evaluated during a project audit. Which of the items below is NOT one of these parts?
a. Backup
b. Detailed design and system development
c. Testing
d. Training
ANS: A
Source: Chapter 15, page 370
53. Which of the following social website consolidators was discussed in class?
a. Shareaholic
b. Hootsuite
c. TweetDeck
d. Ping.fm
ANS: B
Source: Class Discussion
54. A number of specific analytical techniques have been proven highly effective in detecting fraud. Audit departments should consider these techniques when evaluating the use of technology in fraud detection except:
a. Calculation of statistical parameters
b. Auditor’s familiarity with source data
c. Duplicate testing
d. Gap testing
ANS: B
Source: GTAG 13, page 9
55. How many inappropriate websites does a Bank of America employee need to view per month to lose their job?
a. 1,000
b. 3,000
c. 4,000
d. 5,000
ANS: D
Source: Class Discussion
56. Data analytics can be a powerful tool in detecting fraud for all of the following reasons EXCEPT:
a. Examine 100% of transactions
b. Review source code
c. Maintain audit trail
d. Compare data from different applications
ANS: B
Source: GTAG 13, Slide 18
57. Data analytics can assist in detecting payroll fraud by:
a. Finding matches between vendor and employee addresses
b. Search for identical invoice amounts
c. Look for gaps in check numbers
d. Comparing termination dates with payroll transaction dates
ANS: D
Source: GTAG 13, Slide 23
58. The following are all key considerations for fraud testing EXCEPT:
a. Observing processes
b. Analyzing data
c. Investigating patterns
d. Expanding the scope
ANS: A
Source: GTAG 13, Slide 24
59. The phase of a large IT project that costs the most to fix a problem is:
a. Design
b. Code
c. Test
d. Maintenance
ANS: D
Source: GTAG 12, Slide 7
60. Which of the following are common application controls?
a. Data Analytics
b. Locked doors
c. Data checks and validations
d. Backup data stores
ANS: C
Source: GTAG 8, Slide 10
61. The five effective components of IT governance include all of the following EXCEPT:
a. Strategic and Operational Planning
b. Service Delivery and Measurement
c. Value Added Service and IT Security
d. Executive Leadership and Support
e. Organization and Governance Structures
ANS: C
Source: GTAG 17, page 3
62. Which of the following is NOT one of the benefits of user developed applications?
a. Malware and intrusion free
b. Quicker to develop and use
c. Readily available tools at a lower cost
d. Configurable and flexible
ANS: A
Source: GTAG 14, page 2
63. Which of the following is NOT one of the stages of the project management life cycle?
a. Planning
b. Interviewing
c. Executing
d. Closing
ANS: B
Source: GTAG 12, page 18
64. __________ is a process that management puts in place to ensure that its policies, procedures, and business processes are operating effectively.
a. Continuous Risk Assessment
b. Continuous Control Assessment
c. Continuous Monitoring
d. Continuous Auditing
ANS: C
Source: GTAG 3, page 7
65. __________________ is an investigative discipline that includes the preservation, identification, extraction, and documentation of computer hardware and data for evidentiary purposes and root cause analysis.
a. Data Analysis
b. Computer Forensics
c. Information Security
d. Information Analysis
ANS: B
Source: GTAG 13, page 7
66. Which of the following is NOT one of the most common database vendors?
a. HP
b. Oracle
c. IBM
d. Sybase
ANS: A
Source: Chapter 9, pages 238-241
67. ______________ controls monitor data being processed and in storage to ensure it remains consistent and correct.
a. Output
b. Integrity
c. Processing
d. Input
ANS: B
Source: GTAG 8, page 5
68. ___________ allow(s) web clients to pass data through a web server and onto a separate system.
a. Intrusion Detection
b. Web Cookies
c. Cross Site Scripting
d. Injection Attacks
ANS: D
Source: Ch. 8 p. 225
69. Any structured form of data has the qualities necessary to qualify as a ___________?
a. Flat File
b. Database
c. Data Script
d. Operating System
ANS: B
Source: Ch. 9 p. 237
70. All of the following are major parts of a project audit except:
a. Detailed design and system development
b. Implementation
c. Manipulating Business Unit Plans
d. Training for End Users
ANS: C
Source: Ch. 15 p.370
71. Ineffective IT change management can cost the company in all ways except:
a. Attrition of qualified IT staff due to lack of quality
b. Poor systems cause inefficient employee work
c. Ineffective systems alienate customers
d. Patches are too frequently deployed and can become costly
ANS: D
Source: GTAG 2 p. 7
72. All of the following indicate ineffective change management except:
a. Planned system outages
b. Low change success rate
c. Increasing emergency change deployments
d. Ability to make unauthorized changes
ANS: A
Source: GTAG 2 p. 8
73. Which of the following would be included in an information security strategic plan?
a. Specifications for planned hardware purchases
b. Analysis of future business objectives
c. Target dates for development projects
d. Annual budgetary targets for the information security department
ANS: B
Source: CIA Review 2012 Ch. 2 – Governance and Management of IT
74. An IS auditor should ensure that IT governance performance measures:
a. Evaluate the activities of IT oversight committees
b. Provide strategic IT drivers
c. Adhere to regulatory reporting standards and definitions
d. Evaluate the IT department
ANS: A
Source: CIA Review 2012 Ch. 2 – Governance and Management of IT
75. When auditing the requirements phase of a software acquisition, the IS auditor should:
a. Assess the feasibility of the project timetable
b. Assess the vendor’s proposed quality processes
c. Ensure that the best software package is acquired
d. Review the completeness of the specifications
ANS: D
Source: CIA Review 2012 Ch. 3 – Information systems Acquisition, Development and Implementation
76. An organization decides to purchase a software package instead of developing it. In such a case, the design and development phases of a traditional software development life cycle (SDLC) would be replaced with:
a. Selection and configuration phases
b. Feasibility and requirement phases
c. Implementation and testing phases
d. Nothing; replacement is not required
ANS: A
Source: CIA Review 2012 Ch. 3 – Information systems Acquisition, Development and Implementation
77. For mission critical systems with a low tolerance to interruption and a high cost of recovery, the IS auditor would, in principle, recommend the use of which of the following recovery options?
a. Mobile site
b. Warm site
c. Cold site
d. Hot site
ANS: D
Source: CIA Review 2012 Ch. 4 – Information Systems Operations, Maintenance and Support
78. Which of the following is the MOST effective method for an IS auditor to use in testing the program change management process?
a. Trace from system-generated information to the change management documentation
b. Examine change management documentation for evidence of accuracy
c. Trace from the change management documentation to a system-generated audit trail
d. Examine change management documentation for evidence of completeness
ANS: A
Source: CIA Review 2012 Ch. 4 – Information Systems Operations, Maintenance and Support
79. The classification based on criticality of a software application as part of an IS business continuity plan is determined by the:
a. Nature of the business and the value of the application to the business
b. Replacement cost of the application
c. Vendor support available for the application
d. Associated threats and vulnerabilities of the application.
ANS: A
Source: CIA Review 2012 Ch. 4 – Information Systems Operations, Maintenance and Support
80. Oracle’s support for rich password management does NOT include which of the following?
a. Password strength validation functions
b. Password hints
c. Password lockout
d. Password reuse limits
ANS: B
Source: Chapter 9, page 252
81. Data encryption is applied in which three distinct areas?
a. Data in motion, data in transit, Secure Sockets Layer
b. Data in motion, data at rest, data in use
c. Data at rest, data on storage, encrypted data
d. Data in use, date recovery, data processing
ANS: B
Source: Chapter 9, page 255
82. Bank of America logging who visits porn sites at work is an example of a:
a. Detective Control
b. Preventative Control
c. Temporary Control
d. Ethical Control
ANS: B
Source: Class
83. Which of the following is not a physical access control mechanism?
a. Access control procedures
b. Weather and earth movement monitoring
c. Security guards
d. Physical authentication mechanisms
ANS: B
Source: Chapter 4, page 91-92
84. PPTM, a great brainstorming framework for examining an application from the macro level, stands for:
a. People, programs, turnover, and movement
b. People, processes, tools, and measures
c. Processes, patterns, time, and management
d. Processes, people, time, and materiality
ANS: B
Source: Chapter 13, page 317
85. Testing multiple modules or units to ensure they work together correctly is:
a. Regression testing
b. Integration testing
c. Unit testing
d. System testing
ANS: B
Source: Chapter 15, page 382
86. Which one of the following is not a part of common application control?
a. File and data transmission controls
b. Data backup control
c. Processing controls
d. Output controls
ANS: B
Source: GTAG 8 PPT, page 11
87. Which one of the following is not a key area in IT project auditing?
a. Business and IT alignment
b. IT solution readiness
c. Project management process
d. Pre-implementation
ANS: D
Source: GTAG 12 PPT, page 8
88. Why should auditors expect their organization to have standard PM processes (methodology)?
a. Increase project success and reduces known risks
b. Evaluate use and viability of external consultants
c. Ensure solution design meets the business requirements
d. Ensure robust data loading / conversions
ANS: A
Source: GTAG 12 PPT, page 10
89. Which one of the following is not a benefit of continuous auditing?
a. Reduced cost of internal control assessment
b. Improvements to financial operations
c. Reduced revenue leakage for improved bottom-line results
d. Reliance on IT general controls can lead to concluding the application controls are effective year to year without re-testing
ANS: D
Source: GTAG 3 PPT, page 8
90. Processing controls are
a. Used mainly to check integrity of data entered into a business application
b. Controls that address what is done with data
c. Controls that monitor data being processed and in storage to ensure it remains consistent and correct
d. Controls that provide an automated means to ensure processing is complete, accurate, and authorized
ANS: D
Source: GTAG 8- pg 5
91. Which of the following is not a form of input control?
a. Data checks and validation
b. Automated authorization, approval, and override
c. Requiring the user to change passwords every 90 days
d. Automated segregation of duties and access rights
ANS: C
Source: GTAG 8 – pg 21
92. Which of the following is not one of the 10 factors for project success from the 2007 Standish Group Annual Report?
a. Diverse Employees
b. Skilled Resources
c. Agile Optimization
d. Formal Methodology
ANS: A
Source: GTAG 12 ppt slide 5
93. Which of the following provides value to auditors by providing a measuring stick for scoping and planning project audits?
a. Software Development Maturity Models
b. System Development Maturity Models
c. Project Portfolio Management
d. Software Development Life Cycle
ANS: B
Source: GTAG 12 – pg 13
94. During which part of the audit does determining which projects to audit based on risk occur?
a. Understand Project Management Approach and Auditing’s Role
b. Define IT Project Universe
c. Perform Risk Assessment
d. Formalize Project Audit Plan
ANS: D
Source: GTAG 12 – pg 18
95. Which of the following is a type of alarm sometimes used in data centers?
a. Temperature Alarm
b. Sabotage Alarm
c. Severe Weather Alarm
d. Power Fluctuation Alarms
ANS: D
Source: Chapter 4, page 88
96. Which of the following should NOT be considered when evaluating environmental threats to a data center?
a. Flood elevations
b. Proximity to emergency services
c. Proximity to penitentiaries
d. Weather and Earth movement threats
ANS: C
Source: Chapter 4, page 91
97. One important part of auditing a firm’s data center disaster recovery capabilities is to
a. Verify that systems can be restored from backup media
b. Ensure that fire extinguishers are strategically placed
c. Ensure that all data center employees have clearly defined roles
d. Ensure that a water alarm system is configured to detect water in high risk areas of the data center
ANS: A
Source: Chapter 4, page 113
98. It is important to _____ when auditing web servers and applications
a. Verify that encryption of data-at-rest is implemented where appropriate
b. Review the website for cross-site-scripting vulnerabilities
c. Determine whether the client is running the company-provisioned firewall
d. Verify that network encryption of data-in-motion is implemented where appropriate
ANS: B
Source: Chapter 8, page 226
99. Input must be validated prior to use by a web server. Which of the following is NOT a commonly used item for filtering user input on a web server?
a. Profanity filters
b. Minimum and maximum character lengths
c. Allowed character set
d. Numeric range
ANS: A
Source: Chapter 8, page 233
100. When conducting an audit of a database, an auditor should
a. Verify the presence of a fence around the data center
b. Verify that fire alarms are present at the data center
c. Ensure that permissions on the registry keys used by the database are properly restricted
d. Verify that proper object reference and authorization controls are enforced
ANS: C
Source: Chapter 9, page 249
101. Which of the following is NOT one of the seven major parts of a company project audit?
a. Overall project management
b. Effectiveness of security controls
c. Detailed design and system development
d. Training
ANS: B
102. Scenario: An 18-year-old former Web developer uses backdoors he inserted into his code to access his former company’s network, spam its customers, alter its applications, and ultimately put the company out of business.
What was the oversight which allowed the scenario to take place?
a. Lack of segregation of duties
b. Lack of code reviews
c. End-user access to source code
d. Insufficient attention to security details in automated workflow processes
ANS: B
Source: GTAG 13, PPT Slide 13
103. With regards to Continuous Auditing, which of the following aspects is not related?
a. Continuous Auditing
b. Continuous Assurance
c. Continuous Monitoring
d. Continuous Evaluation
ANS: D
Source: GTAG 3, PPT SLIDE 4
104. Which is not a benefit of Application Controls?
a. Time and cost savings
b. Data security
c. Benchmarking
d. Reliability
ANS: B
Source: GTAG 8, PPT Slide 5
105. The PRIMARY reason an IS auditor performs a functional walkthrough during the preliminary phase of an audit assignment is to:
a. understand the business process.
b. comply with auditing standards.
c. identify control weakness.
d. plan substantive testing.
ANS: A
Source: GTAG 17
106. Web and e-mail filtering tools are PRIMARILY valuable to an organization because they:
a. protect the organization from viruses and non-business materials.
b. maximize employee performance.
c. safeguard the organization’s image.
d. assist the organization in preventing legal issues.
ANS: A
Source: GTAG 17
107. An IS auditor discovers that the chief information officer (CIO) of an organization is using a wireless broadband modem utilizing global system for mobile communications (GSM) technology. This modem is being used to connect the CIO's laptop to the corporate virtual private network (VPN) when the CIO travels outside of the office. The IS auditor should:
a. do nothing since the inherent security features of GSM technology are appropriate.
b. recommend that the CIO stop using the laptop computer until encryption is enabled.
c. ensure that media access control (MAC) address filtering is enabled on the network so unauthorized wireless users cannot connect.
d. suggest that two-factor authentication be used over the wireless link to prevent unauthorized communications.
ANS: A
Source: GTAG 12, Chapter 15
108. Which of the following is the BEST way for an IS auditor to determine the effectiveness of a security awareness and training program?
a. Review the security training program.
b. Ask the security administrator.
c. Interview a sample of employees.
d. Review the security reminders to employees.
ANS: C
Source: GTAG 12, Chapter 15
109. At the completion of a system development project, a postproject review should include which of the following?
a. Assessing risks that may lead to downtime after the production release.
b. Identifying lessons learned that may be applicable to future projects.
c. Verifying the controls in the delivered system are working.
d. Ensuring that test data are deleted.
ANS: B
Source: GTAG 12, Chapter 15
110. A project manager of a project that is scheduled to take 18 months to complete announces that the project is in a healthy financial position because, after six months, only one-sixth of the budget has been spent. The IS auditor should FIRST determine:
a. what amount of progress against schedule has been achieved.
b. if the project budget can be reduced.
c. if the project could be brought in ahead of schedule.
d. if the budget savings can be applied to increase the project scope.
ANS: A
Source: GTAG 12, Chapter 15
111. An insurance company is using real customer data for testing purposes. What would be the IS auditor's BEST recommendation to secure this model?
a. Review the access rights.
b. Ensure that customer data are encrypted.
c. Perform data sanitization.
d. Ensure that only internal administrators can manage the database.
ANS: C
Source: GTAG 16
112. IT Governance should direct which of the following?
I. IT Operations
II. Corporate Governance
III. Information Security
IV. IT Projects

a. I and II
b. I, II and III
c. I, II, III, and IV
d. I, III, and IV
ANS: D
Source: GTAG 17, page 2
113. Which is a risk associated with User Developed Applications?
a. Failure to establish appropriate entitlements
b. Failure to properly train staff to use it
c. Lack of structured development process and change management controls
d. Identity theft
ANS: C
Source: GTAG 14, pages 2-3
114. Which of the following is NOT considered a risk indicator of Poor Change Management?
a. Delayed Project Implementations
b. Unauthorized Changes
c. High Number of Emergency Changes
d. Continuous Monitoring
ANS: D
Source: GTAG 2, page 4
115. Which one is not a BCM key component?
a. Management support
b. Awareness and training
c. Skilled employees
d. Maintenance
ANS: C
Source: GTAG 10 Page 3
116. Which one of these is an application control?
a. Integrity control
b. People control
c. Physical control
d. Audit control
ANS: A
Source: GTAG 8 Page 2
117. Which one is not a control breakdown of a user-developed application?
a. Data download issues
b. Lack of developer experience
c. Lack of documentation
d. Lack of oversight
ANS: D
Source: GTAG 14 Pages 2&3
118. Which one of these is not an indicator that IT activities may have systemic change management control issues at the organizational level?
a. Majority of the IT organization’s time is spent on operations and maintenance
b. The IT manager has been there for 10 years
c. High IT staff turnover
d. Failure to complete projects and planned work
ANS: B
Source: GTAG 2 Page 4
119. Which one is a risk of a failed or challenged project?
a. Increased profit
b. Gain in competitive advantage
c. Gain in investors
d. Negative impact on reputation.
ANS: D
Source: GTAG 12 Page 3
120. Which one is not a common item for positive filtering criteria?
a. Field name
b. Data type
c. Minimum and maximum length
d. Numeric range
ANS: A
Source: Chapter 8 Page 233
121. To provide assurance the AICPA created what report for servicers?
a. SOC 2
b. SAS 71
c. SAS 70
d. SSAE 16
ANS: C
Source: Chapter 14 Page 345
122. Mentioned in class, which of the following is a dashboard management company that allows people to manage multiple social media accounts in one place?
a. Reddit
b. HootSuite
c. Pinterest
d. Buzznet
ANS: B
Source: Social Media Lecture
123. What is hybrid cloud computing?
a. Using a third party service provider who provides the hardware and applications
b. Using privately-owned virtual servers
c. Sharing cloud infrastructure between multiple organizations
d. Using a combination of public and private computing
ANS: D
Source: Cloud Computing Lecture
124. What is NOT a benefit of continuous auditing?
a. Decreased scope of audit activities
b. Reduced cost of internal control assessment
c. Reduced financial errors and potential for fraud
d. Improvements to financial operations
ANS: A
Source: GTAG 3 – Slide 8
125. What is the method used to perform audit-related activities on a continuous basis, including control and risk assessment?
a. Continuous monitoring
b. Continuous assurance
c. Continuous auditing
d. Continuous management
ANS: C, Continuous auditing
Source: GTAG 3, Slide 4
126. What is NOT a benefit of a continuous, integrated approach to auditing?
a. Increased scope of audit activities
b. Reduced financial errors and potential for fraud
c. Increased ability to mitigate risk
d. Increased profit for organization
ANS: D, Increased profit for organization
Source: GTAG 3, Slide 8
127. Which of the following is NOT one of the five key focus areas for project audits?
a. IT solution readiness
b. Pre-implementation
c. Business and IT alignment
d. Organizational change management
ANS: B, Pre-implementation
Source: GTAG 12, Slide 8
128. What are the suggested steps to go through to incorporate projects into the audit plan universe / cycle?
a. Understand PM approach and audit’s role, define project universe, perform risk assessment, formalize plan
b. Identify risk factors, define objectives, analyze data, present and analyze results
c. Understand PM approach and audit’s role, analyze data, present results
d. Define objectives, identify risk factors, formalize plan
ANS: A, Understand PM approach and audit’s role, define project universe, perform risk assessment, formalize plan
Source: GTAG 12, Slide 16
129. Why should data analysis technology be used to prevent and detect fraud?
a. Because it is cost effective
b. Because it provides a detailed analysis report that cannot be obtained otherwise
c. Because examining 100% of transactions at the source level helps assure the integrity and accuracy of the information
d. Because it is recommended by all internal audit professionals
ANS: C, Because examining 100% of transactions at the source level helps assure the integrity and accuracy of the information
Source: GTAG 13, Slide 18
130. Application controls pertain to all of the following except:
a. Separation of business functions
b. Authorization identification
c. Transaction logging
d. Error reporting
ANS: B
Source: GTAG 8, page 2
131. A risk factor for identifying the likelihood of failure in a UDA would be:
a. Expected life and frequency of use of the application
b. Number of users of both the application and the results
c. Frequency of modification to the UDA
d. Financial, operational, and regulatory compliance materiality of the UDA
ANS: C
Source: GTAG 14, page 7
132. Which of the following is a way internal audit can assist management and the board with IT changes in risk?
a. Determining the portfolio of risk for management
b. Hire specialized IT auditors
c. Determine risk appetite and compare new risks
d. Understanding the controls that are crucial to a solid IT change management approach
ANS: D
Source: GTAG 2, page 5
133. Which of the following is usually the most costly part of the development lifecycle for IT projects:
a. Test
b. Maintenance
c. Code
d. Requirements
ANS: B
Source: GTAG 12, Slide 7
134. A process that management puts in place to ensure that its policies, procedures, and business processes are operating effectively is called:
a. Continuous Monitoring
b. Continuous Control Assessment
c. Continuous Auditing
d. Continuous Risk Assessment
ANS: A
Source: GTAG 3, page 7-8
135. Seeking to improve the efficiency, consistency, and quality of audits is a description of what type of data analysis task?
a. Repetitive
b. Access
c. Ad Hoc
d. Continuous
ANS: A
Source: GTAG 16, page 10
136. Organizations with better IT change and patch management lead to:
a. Attrition of highly qualified IT staff due to frustration over low-quality results.
b. Poor quality systems that make employees ineffective and inefficient or that alienate customers.
c. Experiencing less downtime.
d. Missed opportunities to provide innovative or more efficient products and services to customers.
ANS: C
Source: GTAG 2, Page 3
137. Which one is not a risk indicator of poor change management:
a. Low change success rate.
b. High number of emergency changes.
c. Unauthorized changes (Above zero is unacceptable.)
d. A defined, predictable, repeatable process with defined, predictable, repeatable results.
ANS: D
Source: GTAG 2, Page 4
138. Factors serving as sources of change that must be addressed and managed effectively in the IT environment include the following except:
a. Regulatory environment.
b. Vendors (e.g., new products, upgrades, patches, and vulnerabilities).
c. Liquidity of Cash.
d. Changes in performance or capacity requirements.
ANS: C
Source: GTAG 2, Page 10
139. Project management is:
a. The collection of projects within an organization. Programs may include a number of projects.
b. The discipline of organizing and managing resources (e.g. people and budget) so that the project is completed within defined scope, quality, time, and cost constraints.
c. The overlap between projects and corporate governance, the governance of project management at the entity level.
d. Broad collections of integrated policies, standards, methodologies, life cycles, procedures, tools, techniques, stakeholders, and organizations that are used to guide the planning and execution of a project.
ANS: B
Source: GTAG 12, Page 7
140. Project governance is:
a. The collection of projects within an organization. Programs may include a number of projects.
b. The discipline of organizing and managing resources (e.g. people and budget) so that the project is completed within defined scope, quality, time, and cost constraints.
c. The overlap between projects and corporate governance, the governance of project management at the entity level.
d. Broad collections of integrated policies, standards, methodologies, life cycles, procedures, tools, techniques, stakeholders, and organizations that are used to guide the planning and execution of a project.
ANS: C
Source: GTAG 12, Page 7
141. Which of the following is NOT a benefit of continuous monitoring?
a. Increased scope of audit activities.
b. Increased ability to mitigate risk.
c. Sustainable and cost-effective means to support compliance.
d. Provides complete assurance that controls are working.
ANS: D
Source: GTAG 3 PPT Slide 8
142. Auditors should expect their organization to have standard PM processes (methodology) for all of the following reasons except?
a. Provides a standard roadmap.
b. It removes auditor liability.
c. Increases project success and reduces known risks.
d. Provide a basis for measuring success.
ANS: B
Source: GTAG 12 PPT Slide 10
143. What is often the most underestimated aspect of business organization and operational organization?
a. Process Change Management
b. Firewall setup.
c. Encryption of customer data.
d. Security keys.
ANS: A
Source: GTAG 12 PPT Slide 14
144. Continuous Assurance is:
a. Combination of continuous auditing and audit oversight of continuous monitoring.
b. Method used to perform audit-related activities on a continuous basis.
c. Processes to ensure policies/processes are operating effectively and to assess adequacy/effectiveness of controls.
d. Performed by operational/financial management.
ANS: A
Source: GTAG 3 PPT Slide 4
145. The objective of application controls is to ensure all of the following except:
a. Input data is accurate, complete, authorized, and correct
b. Data is processed as intended in an acceptable time period
c. Only authorized individuals can access a given system
d. Outputs are accurate and complete
ANS: C
Source: GTAG 8, page 2
146. Which of the following is not a top factor for IT audit project success:
a. CHAOS
b. Executive Support
c. Emotional Maturity
d. User Involvement
ANS: A
Source: GTAG 12, page 4
147. Which of the following is not one of the three types of Data Analysis tasks:
a. Consistent
b. Repetitive
c. Ad Hoc
d. Continuous
ANS: A
Source: GTAG 16, page 10
148. All of the following are key areas of IT governance internal auditors should address, except:
a. IT governance risks and controls
b. Alignment between IT and general controls
c. Accountability and decision-making
d. IT performance monitoring and reporting metrics
ANS: B
Source: GTAG 17 page 1
149. Which of the following is incorrect about Application controls?
a. Controls ensure that input data is accurate, complete, authorized and correct.
b. Controls ensure that the data is processed as intended within an acceptable time period.
c. Controls ensure that all data is encrypted for storage.
d. Controls ensure that outputs are accurate and complete.
ANS: C
Source: GTAG 8, Page 2
150. The correct order for the change management process is:
a. Identify need, prepare for change, develop justification, obtain approvals, authorize change request, schedule and implement change, verify and review change.
b. Identify need, develop justification & obtain approvals, prepare for change, authorize change, schedule and implement change.
c. Develop justification and obtain approvals, identify need, prepare for change, schedule and implement change, review change.
d. Evaluate IT crisis, identify problem, develop justification, obtain approvals, prepare for change schedule and implement change, verify and review change.
ANS: A
Source: GTAG 2, Page 11
151. Continuous assurance includes which 3 components:
a. Continuous event identification, continuous risk assessment, & continuous control assessment.
b. Continuous controls assessment, continuous risk assessment, & continuous monitoring.
c. Continuous risk assessments, continuous communication & continuous monitoring.
d. Continuous control activities, continuous risk responses and continuous risk assessment.
ANS: B
Source: GTAG 3, Page 7
152. Which of the following is true?
a. Project Portfolios are a collection of projects that are being audited.
b. Project Management is organizing and managing resources so the project is completed within budget and meets specifications.
c. Project governance is how auditors ensure the organization establishes priorities, picks the right projects and has appropriate decision making processes in place.
d. Project governance involves broad collections of integrated policies, standards, methodologies, life cycles, procedures, tools, techniques, stakeholders, and organizations that are used to guide the planning and execution of a project.
ANS: B
Source: GTAG 12, Page 7
153. Project portfolio management provides:
a. A measuring stick to plan audits and evaluate projects.
b. A centralized location to review and identify projects which aids audit planning.
c. Provides the foundation for developing audit approaches and assessing project level performance.
d. Broad collections of integrated policies, standards, methodologies, life cycles, procedures, tools, techniques, stakeholders, and organizations that are used to guide the planning and execution of a project.
ANS: B
Source: GTAG 12, Page 9
154. Project management tools help:
a. Auditors obtain information on cost, schedule, technical problems, project decision making and issue tracking.
b. Auditors see the discipline of organizing and managing resources (e.g. people and budget) so that the project is completed within defined scope, quality, time, and cost constraints.
c. Auditors effectively use the outsourced resources associated with projects.
d. Collect the integrated policies, standards, methodologies, life cycles, procedures, tools, techniques, stakeholders, and organizations that are used to guide the planning and execution of a project.
ANS: A
Source: GTAG 12, Page 11
155. Which of the following software does not belong to Cloud Computing?
a. SaaS
b. PaaS
c. CaaS
d. IaaS
ANS: C
Source: Professor’s presentation
156. Which of the following is not a stage of the IT Outsourcing Life Cycle?
a. Decision-making Process
b. Tender Process
c. Monitoring and Reporting
d. Translation Process
ANS: D
Source: GTAG 7 Page 13-15
157. Which of the following is not a benefit of application control?
a. Relevance
b. Reliability
c. Benchmarking
d. Time and cost saving
ANS: A
Source: GTAG 8 Slide 5
158. Which of the following is not a stage of the E-Business Maturity Model?
a. Interaction
b. Preparation
c. Transaction
d. Transformation
ANS: B
Source: Professor’s presentation
159. Which of the following is not a key focus area of auditing IT projects?
a. Business and IT alignment
b. IT solution readiness
c. Project management process
d. IT management
ANS: D
Source: GTAG 12 Slide 8
160. Which of the following principles is not covered in managing the business risk of fraud?
a. Fraud detection and report
b. A fraud risk management program
c. Fraud prevention techniques established
d. A reporting process and coordinated approach to investigation
ANS: A
Source: GTAG 13 Slide 6