
True or false
____1. Internal Audit is a quality assessment that adds value to the organization
____2. Internal Audit is a powerful tool to measure the effectiveness of quality management system
____3. Internal Audit tells one the health of a quality system
____4. During an audit, an auditor needs to see evidence that the processes are being done in accordance with procedures and policies
____5. Auditing should be seen as a positive process, not a fault finding
____6. Internal Audit is an independent examination of a quality system
____7. Internal Audit measures the effectiveness of an organisation's quality management system.
____8. Internal Audit should be done periodically by independent and qualified people.
____9. Internal Audit includes all written quality documents, instructions and records.
____10. Internal Audit helps improve profitability without increasing the cost of doing business.

____11. Which of the following steps would an IS auditor normally perform FIRST in a data center security review?
A. Evaluate physical access test results. B. Determine the risks/threats to the data center site.
C. Review business continuity procedures. D. Test for evidence of physical access at suspect locations.
____12. During an audit of the tape management system at a data center, an IS auditor discovered that parameters are set to bypass or ignore the labels written on tape header records. The IS auditor also determined that effective staging and job setup procedures were in place. In this situation, the IS auditor should conclude that the:
A. tape headers should be manually logged and checked by the operators.
B. staging and job setup procedures are not appropriate compensating controls.
C. staging and job setup procedures compensate for the tape label control weakness.
D. tape management system parameters must be set to check all labels.
____13. The IS auditor learns that when equipment was brought into the data center by a vendor, the emergency power shutoff switch was accidentally pressed and the UPS was engaged. Which of the following audit recommendations should the IS auditor suggest?
A. Relocate the shutoff switch. B. Install protective covers. C. Escort visitors. D. Log environmental failures.
____14. Which of the following methods of suppressing a fire in a data center is the MOST effective and environmentally friendly?
A. Halon gas B. Wet-pipe sprinklers C. Dry-pipe sprinklers D. Carbon dioxide gas
____15. Which of the following is the MOST effective control over visitor access to a data center?
A. Visitors are escorted. B. Visitor badges are required. C. Visitors sign in. D. Visitors are spot-checked by operators.
____16. The decisions and actions of an IS auditor are MOST likely to affect which of the following risks?
A. Inherent B. Detection C. Control D. Business
____17. The use of statistical sampling procedures helps minimize:
A. sampling risk. B. detection risk. C. inherent risk. D. control risk.
____18. What particular subset of internal audit concerns whether the auditee observes the existing set of rules and regulations?
A. Financial Audits B. Operational Audits C. Compliance Audits D. Fraud Audits E. IT Audits
____19. Which of the following is the most common subset of internal audit?
A. Financial Audits B. Operational Audits C. Compliance Audits D. Fraud Audits E. IT Audits
____20. Which of the following internal audit services requires forensic expertise such as signature verification and fingerprint analysis?
A. Financial Audits B. Operational Audits C. Compliance Audits D. Fraud Audits E. IT Audits
____21. Which of the following subsets of internal audit is more applicable if internal controls are embedded in an automated system?
A. Financial Audits B. Operational Audits C. Compliance Audits D. Fraud Audits E. IT Audits
____22. Which of the following provides investigation services where anomalies are suspected, to develop evidence to support or deny fraudulent activities?
A. Financial Audits B. Operational Audits C. Compliance Audits D. Fraud Audits E. IT Audits
____23. Which of the following is the objective of external audit?
A. To determine whether the auditors are independent or are external from the Company.
B. To ascertain whether in all material respects, financial statements are a fair representation of organization’s transactions and account balances.
C. To ensure that the Company’s management is not involved in any form of financial statement fraud.
D. To ensure that the company’s financial statements are prepared on a timely basis.
____24. Which of the following is not true with regard to external audit?
A. Required by SEC for publicly-traded companies B. Referred to as a “financial audit”
C. Management requirement D. Beneficial to the investing public
____25. All of the following pertains to management assertions regarding financial statements except:
A. Existence or Occurrence B. Completeness C. Rights & Obligations D. Valuation or Allocation E. Effectiveness of internal controls
____26. The probability that the auditor will give an inappropriate opinion on the financial statements: that is, that the statements will contain material misstatement(s) which the auditor fails to find
A. Audit risk B. Detection risk C. Wrist watch D. Control risk
____27. The probability that material misstatements have occurred considering the nature of the account or function being audited
A. Inherent risk B. Natural risk C. Credit risk D. Detection risk
____28. Economic condition is associated with what type of risk?
A. Economic risk B. Inherent risk C. Detection risk D. Control risk
____29. Audit risk is computed as:
A. AR = IR - CR - DR B. AR = IR * (CR - DR) C. AR = IR * CR * DR D. AR = IR + CR + DR
____30. What type of risk results when an IS auditor uses an inadequate test procedure, and concludes that material errors do not exist when errors actually exist?
A. Inherent risk B. Business risk C. Residual risk D. Detection risk
____31. What is the recommended initial step for an IS Auditor to implement a continuous monitoring system?
A. Establish a controls monitoring steering committee B. Document existing internal controls
C. Identify high risk areas within the organization D. Perform compliance testing on internal controls
____32. How does the process of systems auditing benefit from using a risk-based approach to audit planning?
A. Controls testing starts earlier B. Auditing resources are allocated to the areas of highest concern
C. Controls testing is more thorough D. Auditing risk is reduced
____33. What type of risk is associated with authorized program exits (trap doors)?
A. Business risk C. Audit risk D. Inherent risk E. Detective risk
____34. An advantage of a continuous audit approach is that it can improve system security when used in time-sharing environments that process a large number of transactions.
A. True B. False
____35. As compared to an understanding of an organization’s IT process rather than from evidence directly collected, how valuable are prior audit reports as evidence?
A. Lesser value B. Greater value C. Prior audit reports are not relevant D. The same value
____36. To properly evaluate the collective effect of preventive, detective, or corrective controls within a process, an IS auditor should be aware of:
A. The point at which controls are exercised as data flows through the system B. The effect of segregation of duties on internal controls
C. The business objectives of the organization D. Organizational control policies
____37. Which of the following would prevent accountability for an action performed, thus allowing non-repudiation?
A. Proper identification B. Proper authentication C. Proper identification, authentication, and authorization
D. Proper identification and authentication
____38. Which of the following is the most critical step in planning the audit?
A. Identification of high risk audit targets B. Testing controls C. Identifying current
controls D. Implementing a prescribed auditing framework such as COBIT
____39. After an IS auditor has identified threats and potential impacts, the auditor
should then:
A. Identify and evaluate the existing controls B. Conduct a business impact analysis
(BIA) C. Report on existing controls D. Propose new controls
____40. A primary benefit derived from an organization employing control self-
assessment (CSA) techniques is that it can:
A. Increase audit accuracy B. Identify high risk areas that might need detailed
review later C. Reducing audit time D. Reducing audit cost
____41. What is the primary objective of a control self-assessment (CSA) program?
A. Integrity of the audit responsibility B. Enhancement of the audit responsibility
C. Elimination of the audit responsibility D. Replacement of the audit
responsibility
____42. The use of statistical sampling procedures helps minimize:
A. Business risk B. Control risk C. Detection risk D. Compliance risk
____43. An IS auditor is using a statistical sample to inventory the tape library. What
type of test would this be considered?
A. Compliance B. Substantive C. Integrated D. Continuous Audit
____44. IS Auditors are most likely to perform compliance tests of internal controls if,
after their initial evaluation of the internal controls, they conclude that control risks are within
the acceptable limits.
A. True B. False
____45. Which of the following is of greatest concern to the IS auditor?
A. Failure to detect a successful attack to the network B. Failure to recover from a successful attack to the network
C. Failure to report a successful attack to the network D. Failure to prevent successful attack to the network
____46. What is the primary purpose of audit trails?
A. To document auditing efforts B. To establish accountability and
responsibility for processed transactions
C. To prevent unauthorized access to data D. To correct data integrity errors
____47. An integrated test facility is not considered a useful audit tool because it
cannot compare processing output with independently calculated data.
A. True B. False
____48. Which of the following is best suited for searching for address field
duplications?
A. Manual review B. Productivity audit software C. Text search
forensic utility software D. Generalized audit software
____49. The traditional role of an IS auditor in a control self-assessment (CSA) should be
that of a:
A. Sponsor B. Implementer C. Facilitator D. Developer
