Sample 20 Area 1 Q

8/19/2019 Sample 20 Area 1 Q

http://slidepdf.com/reader/full/sample-20-area-1-q 1/5

1. During a review of the controls over the process of defining IT service levels, an IS auditor would MOST likely interview the:

A. systems programmer.

B. legal staff.

C. business unit manager.

D. application programmer.

2. An IS auditor attempting to determine whether access to program documentation is restricted to authorized persons would MOST likely:

A. evaluate the record retention plans for off-premises storage.

B. interview programmers about the procedures currently being followed.

C. compare utilization records to operations schedules.

D. review data file access records to test the librarian function.

3. The responsibility, authority and accountability of the IS audit function is appropriately documented in an audit charter and MUST be:

A. approved by the highest level of management.

B. approved by audit department management.

C. approved by user department management.

D. changed every year before commencement of IS audits.

4. In a risk-based audit approach, an IS auditor should FIRST complete a(n):

A. inherent risk assessment.

B. control risk assessment.

C. test of control assessment.

D. substantive test assessment.

5. When communicating audit results, IS auditors should remember that ultimately they are responsible to:

A. senior management and/or the audit committee.

B. the manager of the audited entity.

C. the IS audit director.

D. legal authorities.

6. An IS auditor has evaluated the controls for the integrity of the data in a financial application. Which of the following findings would be the MOST significant?

A. The application owner was unaware of several changes applied to the application by the IT department.

B. The application data are backed up only once a week.

C. The application development documentation is incomplete.

D. Information processing facilities are not protected by appropriate fire detection systems.

7. The BEST method of proving the accuracy of a system tax calculation is by:

A. detailed visual review and analysis of the source code of the calculation programs.

B. recreating program logic using generalized audit software to calculate monthly totals.

C. preparing simulated transactions for processing and comparing the results to predetermined results.

D. automatic flowcharting and analysis of the source code of the calculation programs.

8. The decisions and actions of an IS auditor are MOST likely to affect which of the following risks?

A. Inherent

B. Detection

C. Control

D. Business

9. An IS auditor is reviewing access to an application to determine whether the 10 most recent "new user" forms were correctly authorized. This is an example of:

A. variable sampling.

B. substantive testing.

C. compliance testing.

D. stop-or-go sampling.

10. An audit charter should:

A. be dynamic and change often to coincide with the changing nature of technology and the audit profession.

B. clearly state audit objectives for and the delegation of authority to the maintenance and review of internal controls.

C. document the audit procedures designed to achieve the planned audit objectives.

D. outline the overall authority, scope and responsibilities of the audit function.

11. An IS auditor is assigned to perform a postimplementation review of an application system. Which of the following situations may have impaired the independence of the IS auditor? The IS auditor:

A. implemented a specific control during the development of the application system.

B. designed an embedded audit module exclusively for auditing the application system.

C. participated as a member of the application system project team, but did not have operational responsibilities.

D. provided consulting advice concerning application system best practices.

12. When evaluating the collective effect of preventive, detective or corrective controls within a process, an IS auditor should be aware:

A. of the point at which controls are exercised as data flow through the system.

B. that only preventive and detective controls are relevant.

C. that corrective controls can only be regarded as compensating.

D. that classification allows an IS auditor to determine which controls are missing.

13. An IS auditor should use statistical sampling and not judgment (nonstatistical) sampling, when:

A. the probability of error must be objectively quantified.

B. the auditor wishes to avoid sampling risk.

C. generalized audit software is unavailable.

D. the tolerable error rate cannot be determined.

14. An IS auditor evaluates the test results of a modification to a system that deals with payment computation. The auditor finds that 50 percent of the calculations do not match predetermined totals. Which of the following would MOST likely be the next step in the audit?

A. Design further tests of the calculations that are in error.

B. Identify variables that may have caused the test results to be inaccurate.

C. Examine some of the test cases to confirm the results.

D. Document the results and prepare a report of findings, conclusions and recommendations.

15. In a risk-based audit approach, an IS auditor, in addition to risk, would be influenced by:

A. the availability of CAATs.

B. management's representation.

C. organizational structure and job responsibilities.

D. the existence of internal and operational controls.

16. Which of the following is a substantive test?

A. Checking a list of exception reports

B. Ensuring approval for parameter changes

C. Using a statistical sample to inventory the tape library

D. Reviewing password history reports

17. The success of control self-assessment (CSA) highly depends on:

A. having line managers assume a portion of the responsibility for control monitoring.

B. assigning staff managers the responsibility for building, but not monitoring, controls.

C. the implementation of a stringent control policy and rule-driven controls.

D. the implementation of supervision and the monitoring of controls of assigned duties.

18. Which audit technique provides the BEST evidence of the segregation of duties in an IS department?

A. Discussion with management

B. Review of the organization chart

C. Observation and interviews

D. Testing of user access rights

19. Which of the following steps would an IS auditor normally perform FIRST in a data center security review?

A. Evaluate physical access test results.

B. Determine the risks/threats to the data center site.

C. Review business continuity procedures.

D. Test for evidence of physical access at suspect locations.

20. When assessing the design of network monitoring controls, an IS auditor should FIRST review network:

A. topology diagrams.

B. bandwidth usage.

C. traffic analysis reports.

D. bottleneck locations.