
FINAL (OLD) COURSE

PAPER : 6
Information Systems
Control and Audit

BOOKLET ON MCQS &
CASE SCENARIOS

BOARD OF STUDIES
THE INSTITUTE OF CHARTERED ACCOUNTANTS OF INDIA

© The Institute of Chartered Accountants of India


This booklet has been prepared by the faculty of the Board of Studies. The
objective of the booklet is to provide teaching material to the students to enable
them to obtain knowledge in the subject. In case students need any clarifications
or have any suggestions to make for further improvement of the material
contained herein, they may write to the Director of Studies.
All care has been taken to provide interpretations and discussions in a manner
useful for the students. However, the booklet has not been specifically discussed
by the Council of the Institute or any of its Committees and the views expressed
herein may not be taken to necessarily represent the views of the Council or any
of its Committees.
Permission of the Institute is essential for reproduction of any portion of this
booklet.

© The Institute of Chartered Accountants of India

All rights reserved. No part of this book may be reproduced, stored in a retrieval
system, or transmitted, in any form, or by any means, electronic, mechanical,
photocopying, recording, or otherwise, without prior permission, in writing, from
the publisher.
Edition : January, 2021

Website : www.icai.org

E-mail : bosnoida@icai.org

Committee/Department : Board of Studies

ISBN No. :

Price (All Modules): `

Published by : The Publication Department on behalf of The


Institute of Chartered Accountants of India, ICAI
Bhawan, Post Box No. 7100, Indraprastha Marg,
New Delhi 110 002, India.

Printed by :



Preface

This booklet on case scenarios on Information Systems Control and Audit is a collection of the various techniques and technologies used in the development, implementation and protection of information systems processes, with an insight into emerging technologies and the IT Act, 2000. These case scenarios and Multiple Choice Questions reflect the changes in business on account of the plethora of laws, borderless economies consequent to the giant leap in e-commerce, business continuity planning and disaster recovery planning, and auditing of information systems.
Information Systems Control and Audit, as a subject at the Final (Old) level, helps you inculcate the requisite IT skill-sets necessary for achieving the desired professional competence. The issues in information technology in the prevailing scenario can be better understood through related case scenarios. The Board of Studies, through the release of this booklet, wishes to create awareness amongst students about the various significant strategies and techniques relating to information technology. As part of its continuous endeavour towards enrichment of knowledge, the Board of Studies decided to bring out a booklet on Case Scenarios and Multiple Choice Questions under Paper 6: Information Systems Control and Audit of the Final (Old) Course. Being part of the examination, this initiative will lead to an understanding of the above at the interpretational, application and analysis levels of information technology techniques. This publication contains a summarized version of the facts of the fundamental concepts of Information Systems: their acquisition, development, implementation, protection and auditing.
This booklet is relevant for the May 2021 Examination and onwards.

Wishing you happy reading!

MULTIPLE CHOICE QUESTIONS ∗

1. Identify the statement that is not included in the “Internal Control Report of Management”, which itself forms part of the Company’s Annual Report.
(a) A statement of management’s responsibility for establishing and
maintaining adequate internal control over financial reporting
for the company.
(b) A statement identifying the framework used by management to
conduct the required evaluation of the effectiveness of the
company’s internal control over financial reporting.
(c) The assessment of effectiveness of the company’s internal control
that includes disclosure of any material weaknesses in the company’s
internal control over financial reporting identified by management.
(d) A statement that the registered private accounting firm that
audited the financial statements included in the monthly report
has issued an attestation report on management’s assessment
of the company’s internal control over financial reporting.
2. It is a well-known fact that knowledge is of two types: Explicit and Tacit. Identify the statement that does not hold true for Explicit knowledge and Tacit knowledge.
(a) Explicit knowledge is that which can be formalized easily and as
a consequence is easily available across the organization.
(b) Tacit knowledge is unarticulated and represented as intuition,
perspective, beliefs, and values that individuals form based on
their experiences.
(c) Explicit knowledge is personal, experimental and context - specific.
(d) Explicit knowledge is articulated, and represented as spoken
words, written material and compiled data.
3. The access control mechanism of an online application’s boundary system allows only authentic users to access authorized resources. This access control mechanism has three sequential steps: ____, ____ and _____.

∗ Students are requested to take note of the change in option (c) of Question No. 92 on page 27 of the Booklet.

(a) Identification, Authentication, Authorization
(b) Authentication, Documentation, Authorization
(c) Authorization, Authentication, Identification
(d) Identification, Authorization, Documentation
4. Which of the following statements is incorrect w.r.t. Incremental Data Backup?
(a) With Incremental backups, one full backup is done first and
subsequent backup runs are the changes made since the last
full backup only.
(b) Incremental Backup restores are slower than a full backup and
differential backup.
(c) The use of storage space in incremental backup is efficient as
the files are not duplicated.
(d) Incremental backups are faster than Differential Backups.
5. After the Requests for Proposals (RFPs) are received by an enterprise from various vendors, which of the following factors is not considered a valid criterion for vendor selection?
(a) Presentation by the selected vendor
(b) Financial stability of the selected vendor
(c) Market feedback of the selected vendor
(d) Geographical location of the selected vendor
6. The Quality Assurance Management controls involve various functions
that ensure that the development, implementation, operation and
maintenance of information systems conform to quality standards.
With such scope of the controls in mind, what do you think is not true
about Quality Assurance Management Controls?
(a) Auditors might use interviews, observations and reviews of
documentation to evaluate how well Quality Assurance (QA)
personnel perform their monitoring role.
(b) Auditors might evaluate how well QA personnel make
recommendations for improved standards or processes through
interviews, observations, and reviews of documentation.
(c) Auditors can evaluate how well QA personnel undertake the reporting function and training through interviews, observations, and reviews of documentation.
(d) Auditors check whether the organizations that have been
audited have appropriate, high-quality disaster recovery plan in
place or not.
7. Section 69 of the Information Technology Act, 2000 relates to _____________.
(a) Powers to issue directions for interception or monitoring or
decryption of any information through any computer resource
(b) Preservation and Retention of information by intermediaries
(c) Power of the Controller to give directions
(d) Punishment for publishing or transmitting of material depicting
children in sexually explicit act, etc. in electronic form
8. Every business decision is accompanied by a set of threats, and a BYOD program is no exception. The risk exemplified and hidden in “Lack of Device Visibility” is related to ___________ risk, in which the IT practice team is unaware of the number of devices being connected to the network.
(a) Network
(b) Device
(c) Application
(d) Implementation
9. While giving a presentation on the topic COBIT 5, Mr. Ravi mentioned a specific process named MEA (Monitor, Evaluate and Assess) and asked the audience to identify the statement which does not fall under the purview of MEA.
(a) To enable the management to identify management
deficiencies and inefficiencies and to initiate improvement
actions.
(b) To continuously monitor and evaluate the control environment,
including self-assessments and independent assurance reviews.
(c) To evaluate, direct and monitor IT management to ensure effectiveness, accountability and compliance of IT.
(d) To plan, organize and maintain standards for internal control
assessment and assurance activities.
10. Which of the following is not a characteristic of Computer Based
Information Systems?
(a) All systems work for predetermined objectives and the system
is designed and developed accordingly.
(b) A system has a number of non-related and independent subsystems or components. The subsystems can function in isolation and do not depend on other subsystems.
(c) If one subsystem or component of a system fails; in most of
the cases, the whole system does not work. However, it
depends on ‘how the subsystems are interrelated’.
(d) The work done by individual subsystems is integrated to
achieve the central goal of the system.
11. In order to identify the Systems maintenance needs on a timely basis,
the management of a company establishes formal mechanisms to
monitor the status of their operational programs. Which of the
following does not fall under this scope of system maintenance?
(a) Repair maintenance in which program errors are corrected.
(b) Adaptive maintenance in which program is modified to meet
changing user requirements.
(c) Perfective maintenance in which the program is tuned to
decrease the resource consumption.
(d) Adaptive maintenance in which the program is tuned to
decrease the resource consumption.
12. The following are various data backup options in case any disaster occurs in an enterprise. Which of the following backup options is the most expensive to maintain because of its critical activities and minimum tolerance of downtime?
(a) Cold Site
(b) Warm Site
(c) Hot Site
(d) Reciprocal Agreement
13. Mr. X is a member of the System Development Team who visits his client company XYZ Ltd. frequently to interview its employees to gather details regarding the drawbacks of the existing systems in the company XYZ Ltd. and to understand their future requirements. Identify the role Mr. X is performing.
(a) Programmer
(b) Business Analyst
(c) Project Leader
(d) Project Manager
14. In an organization ABC Ltd., adherence to the policies, procedures and standards defined by the management is required. An accountant Mr. X, due to enmity, misused his access rights and made changes in the credit points earned by the salesperson Mr. A on every sale to his customer. During the audit, the auditor Mr. B suspected this discrepancy and preferred to embed an audit software module into the accountant Mr. X’s host application software to determine the frequency with which he had made the changes in the credit points of Mr. A. Which of the following audit tools is used by Mr. B in this case?
(a) Integrated Test Facility (ITF)
(b) System Control Audit Review File (SCARF)
(c) Snapshots
(d) Audit Hooks
15. Section 43A of the Information Technology Act, 2000 was introduced ______.
(a) casting responsibility on government
(b) casting responsibility on body corporates
(c) casting responsibility to protect sensitive personal information
(d) casting responsibility on body corporates to protect sensitive personal information
16. In Cloud Computing, which of the following cloud provides highest
level of security and privacy to the user?
(a) Private Cloud
(b) Public Cloud
(c) Hybrid Cloud
(d) Community Cloud
17. A database is implemented at three levels: Physical, Logical and External. Which of the following statements is true about these levels?
(a) Physical Level involves the implementation of the database on
the hard disk.
(b) Physical Level defines the schema which is divided into smaller
units known as sub-schemas.
(c) Logical Level defines the schema which is divided into smaller
units known as sub-schemas.
(d) External Level deals with the nature of data stored and the
scheme of the data.
18. Business Continuity Planning by nature is a type of ______.
(a) Compensatory Control
(b) Detective Control
(c) Corrective Control
(d) Preventive Control
19. An MNC acquired an Indian company. On the day the acquisition was implemented, the MNC replaced all systems in the Indian company with Brand B systems, whereas the Indian company had been using Brand A systems. The above scenario shows that replacing systems can be a huge cost. In today's competitive environment, it may not be possible for all companies to bear such expenses, so they allow employees to use their own systems rather than replacing them with a specific brand. This concept refers to ____________.
(a) Digital Revolution
(b) Emerging Technology
(c) Bring Your Own Device (BYOD)
(d) Grid Computing
20. In today’s changing times, where audit evidence is increasingly in electronic form, auditors need to use audit tools and techniques that help them perform such an audit. Which section within the Information Technology Act, 2000 (as amended in 2008) talks about audit where records are kept in electronic form?
(a) Section 6A
(b) Section 7A
(c) Section 10A
(d) Section 43A
21. Amongst various System Development Methodologies, a software
development model that combines iterative and incremental methods
is _______.
(a) Spiral
(b) Agile
(c) Prototype
(d) Rapid Application Development (RAD)
22. The Board of Directors of a company has appointed you as a BCP consultant and has requested you to explain the implementation of Business Continuity Planning (BCP) to prevent/minimize losses. Your report shall highlight all of the following reasons for having BCP, except one. Identify it.
(a) Revenue Loss
(b) Reputation Loss
(c) Productivity Loss
(d) New Customer Acquisition
23. ABC Ltd. has decided to implement the Balanced Scorecard, a strategy performance management tool. This initiative is covered under which part of Enterprise Governance?
(a) Corporate Governance
(b) Business Governance
(c) Social Governance
(d) Legal Governance
24. PQR Ltd. has implemented a Customer Relationship Management System which is also integrated with the ERP. So whenever a new Purchase Order from a customer is entered in the ERP, the CRM flashes the customer's history with the company and advises whether to accept the order or not. This CRM system will be classified under which category?
(a) Abstract System
(b) Physical System
(c) Deterministic System
(d) Probabilistic System
25. PQR Ltd. got a small program developed to extract its Customer
related billing and payment information in a pre-defined format. The
programmer introduced a small patch whereby the same information
will be directly emailed to him without intimation to PQR Ltd. PQR Ltd.
is facing which type of virus attack?
(a) Logic Bomb
(b) Worm Attack
(c) Trojan Horse Attack
(d) Denial of Service (DoS) Attack
26. ABC Ltd. has installed an LHJ Backup system whereby the data is backed up almost every second from the live environment to the backup drive. Which type of backup has ABC Ltd. implemented?
(a) Full Backup
(b) Incremental Backup
(c) Differential Backup
(d) Mirror Backup


27. ABC Ltd. is proposing to introduce fitness awareness among its employees by giving a FitBit gadget to all employees. The employees will be given targets for personal fitness. The Management wants to evaluate the feasibility of this initiative. Which dimension is tested here?
(a) Technical Feasibility
(b) Economic Feasibility
(c) Operational Feasibility
(d) Behavioral Feasibility
28. PQR Ltd. has an Intranet system wherein the authorized user must sign in with credentials, and all the software available on the Intranet can then be used without an individual sign-in process. This Single Sign-On system ensures which control?
(a) Output Control
(b) Communication Control
(c) Input Control
(d) Boundary Control
29. ABC Ltd. provides Server Hosting, Website Hosting and Database Hosting services to its customers. It enters into SLAs with the customers to provide an agreed level of services. Which Security Standard should ABC Ltd. adopt from a service management point of view?
(a) ISO 27001
(b) COBIT
(c) IT Infrastructure Library (ITIL)
(d) Decision Support System
30. ABC Ltd. is a Digital Signature issuing company based in Delhi. It has outsourced its core Digital Signature infrastructure repository to PQR Ltd., which provides IT Infrastructure Hosting services to its customers. PQR Ltd. has provided separate space and servers within its office premises for ABC's application, database and network hosting, and no other company is sharing that infrastructure. Which type of cloud service is used by ABC Ltd.?
(a) On-Premise Private Cloud
(b) Outsourced Private Cloud
(c) Public Cloud
(d) Hybrid Cloud
31. The Governance Process under COBIT 5 involves EDM practices. What does EDM stand for?
(a) Evaluate, Deployment and Monitor
(b) Evaluate, Direct and Monitor
(c) Evaluate, Direct and Machine
(d) Electronic, Direct and Monitor
32. Which of the following statements is true about Management Information Systems (MIS)?
(a) The study of MIS is about the use of computers.
(b) Any computer-based information system is an MIS.
(c) More data in generated reports means more information for managers.
(d) MIS is management oriented.
33. _____ is the act of following an authorized person through a secured
door or electronically attaching to an authorized telecommunication
link that intercepts and alters transmissions.
(a) Piggybacking
(b) Denial of Service
(c) Data Leakage
(d) Wire Tapping
34. In case of development of Business Continuity Plan (BCP), which of
the following is not an objective of performing BCP Tests?
(a) The recovery procedures are complete and workable.
(b) The competence of personnel in their performance of recovery procedures can be evaluated.
(c) To identify the critical business processes.
(d) The success or failure of the business continuity training
program is monitored.
35. Which of the following is true about Spiral Model?
(a) It combines features of the prototyping model and waterfall
model.
(b) It combines features of the prototyping model only.
(c) It combines features of the waterfall model only.
(d) It is intended for small and simple projects.
36. Which of the following is not an advantage of continuous audit
techniques?
(a) Timely, Comprehensive and Detailed Auditing
(b) Training for new users
(c) Surprise test capability
(d) No need of prior knowledge and experience of working with
CAAT
37. Section 66A of the Information Technology Act, 2000 relates to _______________.
(a) Computer Related Offences
(b) Punishment for sending offensive messages through
communication service, etc.
(c) Punishment for identity theft
(d) Punishment for violation of privacy
38. Is the statement “Public clouds are highly scalable and affordable but less secure” true?
(a) No, less scalable than private cloud.
(b) No, more secure than private cloud.
(c) Yes, but require stringent SLAs.
(d) No, there is a limit for the number of users.


39. The following terms are related to the concept of “Internal Control” except ___________.
(a) Section 133 of Companies Act, 2013
(b) COSO
(c) SOX
(d) Clause 49 of Listing Agreement
40. Which of the following statements is not correct?
(a) Cost Accounting System is an example of Decision Support
Systems.
(b) Explicit knowledge is articulated, and represented as spoken
words, written material and compiled data
(c) Tacit knowledge is articulated, and represented as spoken
words, written material and compiled data.
(d) Middle management requires tactical information that helps in
implementing decisions taken by the top management.
41. Which of the following is not an example of Detective Controls?
(a) Hash Totals
(b) Duplicate checking of calculations
(c) Cash counts and bank reconciliation
(d) Backup procedure
42. Identify the correct broad and sequential sections into which the
Business Continuity Life Cycle is broken.
(a) Risk Assessment, Determination of Recovery Alternatives,
Recovery Plan Implementation, Recovery Plan Validation
(b) Determination of Recovery Alternatives, Recovery Plan
Implementation, Recovery Plan Validation, Risk Assessment
(c) Recovery Plan Validation, Determination of Recovery Alternatives, Recovery Plan Implementation, Risk Assessment
(d) Risk Assessment, Recovery Plan Validation, Determination of Recovery Alternatives, Recovery Plan Implementation
43. In the Systems Development Life Cycle, ______________ is normally responsible for more than one project and for liaising with the client or the affected functions.
(a) Project Leader
(b) Project Manager
(c) Business Analyst
(d) Database Administrator
44. Under Application Controls, ________ are responsible for computing,
sorting, classifying and summarizing the data.
(a) Boundary Controls
(b) Communication Controls
(c) Output Controls
(d) Processing Controls
45. XYZ Bank has implemented Core Banking Solution (CBS). Since the
Password policy is not implemented properly, users can keep short
length login passwords for CBS access. This is called __________
under Information Systems concepts.
(a) Threat
(b) Exposure
(c) Vulnerability
(d) Attack
46. The Meteorological Department declares a prediction of rains in the month of May, based on which farmers decide to sow seeds in their fields. If the prediction goes wrong, farmers face severe problems of re-sowing seeds. Which characteristic of the information has failed here?
(a) Confidentiality
(b) Integrity
(c) Availability
(d) Reliability
47. XYZ Bank has implemented a strict password policy whereby every user has a minimum 8-character alphanumeric login password, and that password must be reset after 30 days to retain access to the Core Banking Solution (CBS). As per the classification of IS Controls, which type of control is this?
(a) Preventative Control
(b) Detective Control
(c) Corrective Control
(d) Compensatory Control
48. ABC Ltd. carries out fire drills in its company every 6 months, whereby a fire-like situation is simulated and the preparedness of the organisation and its personnel for facing a disaster is verified. This is ____ under Business Continuity Management.
(a) Emergency Plan
(b) Test Plan
(c) Back-up Plan
(d) Recovery Plan
49. PQR Ltd. is a software development company. One of its employees, Mr. Rajesh, has the responsibility to interact with users of the computer system and understand their requirements from the system. Which role is performed by Mr. Rajesh in the company?
(a) Project Manager
(b) Project Leader
(c) Business Analyst
(d) Programmer
50. ABC Company has implemented an ERP, and the Sales Team requested access to the Accounts/Finance Module, which was denied by the IT Team. Which Application Security control was tested here?
(a) Confidentiality
(b) Integrity
(c) Availability
(d) Timeliness
51. PQR Ltd. is a BPO managing the health records for a renowned hospital in Mumbai. It was observed that one of the employees, Mr. X, was sharing the confidential health records of the patients with an Insurance Company. Who will be held responsible under the IT Act for this offence?
(a) Only Mr. X who was sharing records
(b) Mr. X and Directors
(c) Mr. X, Directors and Shareholders
(d) Only Directors
52. ABC Ltd. is engaged in providing Data Processing services. It has
received a big contract from insurance company for policy processing.
ABC Ltd. has limited PCs at their office so it approached Amazon Web
Services to access Virtual Machines for data processing. ABC Ltd. is
using which Cloud Computing Service Model?
(a) Software as a Service (SaaS)
(b) Platform as a Service (PaaS)
(c) Infrastructure as a Service (IaaS)
(d) Network as a Service (NaaS)
53. Which of the following statements is incorrect?
(a) The IT Steering Committee is ideally led by a member of the Board of Directors and comprises functional heads from all key departments of the enterprise, including the audit and IT departments.
(b) The role and responsibility of the IT Steering Committee and its members must be documented and approved by senior management.
(c) The IT Steering Committee provides overall direction to the deployment of IT and information systems in the enterprise.
(d) The Project Manager should work independently from the
Steering Committee in finalizing the detailed work plan and
developing interview schedules.
54. In an organization, the Top management generally comprises _______________.
(a) owners/shareholders, Board of Directors, its chairman,
managing director, or the chief executive
(b) heads of functions departments like purchase manager,
production manager and marketing managers
(c) marketing managers, financial controller, and divisional
sectional officers working under functional heads
(d) superintendents and supervisors
55. An Information Security policy addresses many issues that may involve
the following:
(i) confidentiality, integrity and availability concerns
(ii) who may access what information and in what manner based
on which access decision is made
(iii) maximized sharing versus least privilege and separation of
duties
(iv) programming new systems, maintaining old systems and providing general support software.
Choose the correct combination of issues addressed under IS Policy.
(a) (i), (ii), (iii)
(b) (i), (ii), (iv)
(c) (ii), (iii), (iv)
(d) (i), (ii), (iii), (iv)
56. Which of the following statements is incorrect?
(a) A Full Backup captures all files on the disk or within the folder selected for backup.
(b) The Mirror backup is clean and does not contain old and obsolete files.
(c) With differential backups, one full backup is done first and
subsequent backup runs are the changes made since the last
full backup.
(d) Incremental Backup consumes the most storage space as
compared to full and differential backups.
57. Which of the following activities is not involved in Database Design during the System Design phase of the System Development Life Cycle (SDLC)?
(a) Storage Structure Design
(b) Cost Analysis
(c) Physical Layout Design
(d) Conceptual Modeling
58. The audit trail of _______________ maintains the chronology of
events from the time data is received from the input or communication
subsystem to the time data is dispatched to the database,
communication, or output subsystems.
(a) Database Controls
(b) Output Controls
(c) Processing Controls
(d) Communication Controls
59. In Information Technology Act 2000; __________ is defined as a
person in whose name the Electronic Signature Certificate is issued.
(a) Controller
(b) Intermediary
(c) Originator
(d) Subscriber
60. Which of the following issues is not related to security in Mobile Computing?
(a) Confidentiality
(b) Integrity
(c) Bandwidth
(d) Accountability
61. In Information Systems, an action, device, procedure, technique or other measure that reduces the vulnerability of a component in it is referred to as _____________.
(a) Residual Risk
(b) Counter Measure
(c) Risk Management
(d) Threat
62. Which of the following activities is not involved in Office Automation Systems (OAS)?
(a) Document Creation
(b) Filing, Search, Retrieval and Follow-up
(c) Receipts and Distribution
(d) Decision Making
63. Which of the following is not a type of Application Control under
controls classified based on Audit functions?
(a) Boundary
(b) Input
(c) Security Administration
(d) Output
64. Which of the following documents is not classified as being part of the Business Continuity Management System?
(a) The Risk Assessment Report
(b) The Business Impact Analysis Report
(c) Local Authority Risk Register
(d) Performance Analysis Report
65. Under which dimension is the Feasibility Study under the System Development Life Cycle (SDLC) not evaluated?
(a) Technical
(b) Legal
(c) Operational
(d) Incremental
66. Which of the following is not an example of Information Systems Audit
Tool?
(a) Flowchart
(b) System Control Audit Review File (SCARF)
(c) Integrated Test Facility (ITF)
(d) Continuous and Intermittent Simulation (CIS)
67. Which of the following is not an enterprise management practice required to align IT Strategy with Enterprise Strategy?
(a) Defining the target IT Capabilities
(b) Assessing the current environment, capabilities and
performance
(c) Communicating the IT strategy and Direction
(d) Mitigating the risk
68. In an interview, a candidate was asked to mention all the components of the Enterprise Resource Planning (ERP) Model that can be implemented through a methodology. Identify the correct answer that may be given by the candidate.
(a) Software Component, Process Flow, Customer Mindset, Change Management
(b) Software Component, Process Flow, Business Applications, Change Management
(c) Software Component, Process Flow, Customer Mindset, Hardware Component
(d) Software Component, Process Flow, Business Applications, Hardware Component
69. Identify the correct statement out of the following:
(a) To have a proper backup procedure in an enterprise is a best
example of Preventive Control.
(b) Logical Access Controls are related to logical security of the
tangible Information resources and intangible resources stored
on tangible media etc.
(c) Piggybacking is defined as an act of following an authorized
person through a secured door or electronically attaching to an
authorized telecommunication link that intercepts and alters
transmissions.
(d) An internetwork device Bridge connects heterogeneous Local
Area Networks (LANs).
70. Which of the following statement is incorrect w.r.t Differential Backup?
(a) With Differential backups, one full backup is done first and
subsequent backup runs are the changes made since the last
full backup.
(b) Differential backup is faster and more economical in using the
backup space.
(c) Differential backups are faster than Incremental backups.
(d) With Mirror backups, when a file is deleted, that file is
eventually also deleted in the mirror backup.
71. In an organization, as most Information Systems require some
modification after development, the System Maintenance phase
becomes an important aspect of the SDLC. There are different
categories of Maintenance, namely Scheduled, Adaptive, Corrective,
Rescue, Preventive and Perfective. Which of the following statements is
not correct about these categories of Maintenance?
(a) Scheduled Maintenance is planned to ensure operational
continuity and avoid anticipated risks.
(b) Rescue Maintenance deals with the undetected malfunctions
that require an immediate troubleshooting solution.
(c) Adaptive Maintenance mainly deals with accommodating to the
new or changed user requirements and concerns functional
enhancements to the system.
(d) Corrective Maintenance deals with fixing bugs in the code or
defects found during the executions.
72. Which of the following statements is incorrect w.r.t. Auditing of
Information Systems?
(a) The Planning Phase in IS Audit ensures that the audit is
performed in an effective manner.
(b) The IS Audit process evaluates the adequacy of internal
controls regarding both specific computer program and the data
processing environment.
(c) The IS auditor should satisfy not only the effectiveness of
various technical controls but also the overall controls
safeguarding the business against environmental risks.
(d) According to SA-234, Audit Documentation refers to the record
of audit procedures performed, relevant audit obtained and
conclusions the auditor reached.
73. Which of the following definitions is incorrect under the Information
Technology Act, 2000?
(a) Electronic Form with reference to Information means any
information generated, sent, received or stored in media,
magnetic, optical, computer memory, microfilm, computer
generated micro fiche or similar device.
(b) Addressee means a person including intermediary who is
intended by the originator to receive the electronic record.
(c) Cyber Cafe means any facility from where access to the
Internet is offered by any person in the ordinary course of
business to the members of the public.
(d) Asymmetric Crypto System means a system of a secure key pair
consisting of a private key for creating a digital signature and a
public key to verify the digital signature.
74. Below are facts related to Community Cloud; however, one of the
statements is incorrect. Identify that statement.
(a) As the complete cloud is being shared by several organizations
or community, it becomes highly expensive.
(b) Community Cloud is suitable for organizations that cannot
afford a private cloud and cannot rely on the cloud either.
(c) Community Cloud has better security than Public Cloud.
(d) The cloud is distributive, and no single company has full control
over the whole cloud.
75. Which of the following statements is incorrect?
(a) Every enterprise regardless of its size needs to have an internal
control system built into its enterprise structure.
(b) The IT Steering Committee of an enterprise provides overall
direction to deployment of IT and information systems in the
enterprises.
(c) Vulnerabilities of software can originate from the flaws on the
software’s design, defects in its implementation, or problems in
its operation.
(d) The GRC framework which has been a regulatory requirement
not only for listed enterprises but also for all types of
enterprises stands for Governance, Risk and Control.
76. Which of the following statements is not correct about Management
Information Systems (MIS)?
(a) An MIS usually takes 1 to 3 years and sometimes even longer
period to get established firmly within a company.
(b) MIS cannot be implemented without using a computer.
(c) An MIS is integrated, taking a comprehensive view or a
complete look at the interlocking subsystems that operate
within a company.
(d) An MIS can be broken down into meaningful subsystems that
set the stage for the phasing plan.
77. Which of the following statements is incorrect w.r.t. various controls
implemented in an enterprise/organization?
(a) The surprise check of raw materials stock by a supervisor in a
manufacturing company is an example of Corrective Control.
(b) The Contingency Planning done by an enterprise is an example
of Corrective Control.
(c) Firewalls are installed in an organization as a part of Preventive
Control.
(d) Duplicate checking of calculations in financial transactions of an
enterprise is an example of Detective Control.
78. In the Business Impact Analysis (BIA) Matrix, also known as the Risk
Assessment Matrix, risks are placed on the matrix based on which of the
following two criteria?
(a) Likelihood, Vulnerability
(b) Vulnerability, Consequences
(c) Likelihood, Consequences
(d) Vulnerability, Threat
79. During System Testing in the Systems Development Life Cycle (SDLC), the
software and other system elements are tested as a whole. Which of
the following is not a type of System Testing?
(a) Security Testing
(b) Performance Testing
(c) Recovery Testing
(d) Alpha Testing
80. Which of the following is the correct sequence of steps involved in
Information System Audit?
(a) Scoping, Planning, Reporting, Close, Fieldwork, Analysis
(b) Analysis, Planning, Reporting, Scoping, Fieldwork, Close
(c) Planning, Scoping, Analysis, Reporting, Fieldwork, Close
(d) Scoping, Planning, Fieldwork, Analysis, Reporting, Close
81. The students of an institute are usually required to create documents
such as charts, graphs and handouts, and to prepare documents, take
dictation and edit text. Which of the following Information Systems is
suitable for carrying out these tasks?
(a) Transaction Processing System
(b) Office Automation System
(c) Management Information System
(d) Decision Support System
82. Mr. X, an accountant, is involved in system development work. Which
of the following is not a skill the accountant is expected to acquire in
order to perform his duties?
(a) Expert in Book-keeping
(b) Understanding of the business objectives
(c) Understanding of system development methodologies
(d) Conducting cost-benefit analysis
83. Which of the following statements is not correct w.r.t. Management
and its levels?
(a) Senior management is responsible for strategic planning and
objectives, thus setting the course in the lines of business that
the company will pursue.
(b) The levels of management are fixed to three irrespective of its
size and structure.
(c) Middle management develops the tactical plans, activities and
functions that accomplish the strategic objectives.
(d) Supervisory management oversees and controls the daily
activities and functions of the tactical plan.
84. The key management practices involved in the implementation of Risk
Management in an enterprise are as follows:
(i) Analyze Risk
(ii) Articulate Risk
(iii) Respond to Risk
(iv) Collect Data
(v) Maintain a Risk Profile
(vi) Define a Risk Management Action Portfolio
Choose the correct sequence for the implementation of these
practices.
(a) (i)-(iii)-(v)-(ii)-(iv)-(vi)
(b) (iv)-(i)-(v)-(ii)-(vi)-(iii)
(c) (i)-(ii)-(iii)-(iv)-(v)-(vi)
(d) (i)-(iv)-(vi)-(iii)-(v)-(ii)
85. Identify which of the following is not a principle of COBIT 5.
(a) Meeting stakeholders’ needs
(b) Applying a single integrated framework
(c) Evaluate and Direct Risk Management
(d) Separating Governance from Management
86. Under the Feasibility Study phase of the SDLC, which dimension of
the proposed web-based knowledge portal system is said to have
been compromised in a situation where the students of XYZ university
are not able to access the e-resources available on the university's
website anytime?
(a) Technical Feasibility
(b) Resource Feasibility
(c) Behavioral Feasibility
(d) Economic Feasibility
87. Identify the Information System that would be useful for an
organization that wishes to remotely access its documents for
internal communication.
(a) Electronic Message Communication System
(b) Text Processing System
(c) Teleconferencing and Videoconferencing System
(d) Electronic Document Management System
88. Which of the following statements is incorrect w.r.t. Decision Support
Systems (DSS)?
(a) A DSS includes one or more databases that contain both
routine and non-routine data from both internal and external
sources.
(b) The DSS is intended to make decisions for managers in solving
semi-structured and unstructured problems in their own.
(c) The Model Base is the brain of the DSS as it performs data
manipulations and computations with the data provided to it by
the user and the database.
(d) DSS is an interactive software-based system intended to help
decision makers to compile useful information from raw data,
documents and personal knowledge.
89. During System Acquisition in the SDLC, the top management of an
enterprise should establish acquisition standards that address
security and reliability issues as per current state-of-the-art
development standards. Which of the following is not considered
while focusing on acquisition standards?
(a) Ensuring security, reliability, and functionality already built into
a product.
(b) Ensuring managers’ complete reviews of appropriate vendor,
contract and licensing.
(c) Request for proposals soliciting bids when acquiring off-the-
shelf or third-party software.
(d) To select the programming techniques and languages to be
used for systems development.
90. Which of the following statements is incorrect w.r.t. Auditing of
Information Systems?
(a) Audit trail attempts to ensure that a chronological record of all
events that occurred in an organization is maintained.
(b) One of the audit techniques named Integrated Test Facility
(ITF) is used to trap exceptions whenever the application
system uses a DBMS.
(c) The Boundary Controls under Application Controls maintain the
chronology of events that occur when a user attempts to gain
access to and employ systems resources.
(d) While auditing, an auditor must check that risk assessment
procedure adequately covers periodic and timely assessment of
all assets and physical access threats.
91. Mr. Rajesh is an accountant who is working on a Return on Investment
(RoI) Analysis of the company ABC Ltd. For this analysis, he requires
different types of data. Below is a list of the different types of data that
a company may have. Which of the following data is not required by
Mr. Rajesh for carrying out his work?
(a) Development Cost
(b) Operational Cost
(c) Incremental Cost
(d) Intangible Cost
92. Mr. Ravi, who is an internal auditor of XYZ Insurance Company,
determined that the company's policyholder system was vulnerable to
fraud, as every time a policyholder changed his/her name or address,
funds were subsequently withdrawn from the policy. He devised the
system by using one of the audit tools to tag all records with a
change in the name or address, so that the internal audit department
could investigate these tagged records to detect fraud. Which type
of audit tool did Mr. Ravi use?
(a) Continuous and intermittent Simulation
(b) Snapshots
(c) Audit Hook
(d) Integrated Test Facility
93. Top management of Karol Ltd., a company based in Tamil Nadu,
strategically planned and initiated its new branch in Bangalore.
Identify the incorrect statement about Strategic Planning from the
following.
(a) It is the primary plan that guides the long run development of
the enterprise.
(b) It is the process by which top management determines overall
organizational purposes and objectives.
(c) It is the process of assuring that specific tasks are carried out
effectively and efficiently.
(d) It is the process that determines how the organizational
objectives are to be achieved.
94. Charole Ltd., a washing machine manufacturing company, identifies
some risks related to the sensors used in its machines. To address the
concern, the management plans a strategy that involves its trading
partner and supplier KLM Ltd. providing it with Internet of Things
(IoT) sensors to be installed in its new model of washing machine.
Which risk management strategy is being followed by the company?
(a) Accept the risk
(b) Eliminate the risk
(c) Share the risk
(d) Mitigate the risk
95. The electronic mode of communication evolved as the sole
alternative during the lockdown period of the COVID-19 pandemic.
Various offices, educational institutes and companies adopted
electronic means such as teleconferencing and videoconferencing
through different web applications to reach their clients,
employees and customers, hold virtual meetings, and
resolve customer grievances. These teleconferencing and
video-conferencing communication systems can be classified
under _______.
(a) Operational-Level System
(b) Knowledge-Level System
(c) Management-Level System
(d) Strategic Level System
96. GPS route planning provides the fastest route between the starting
point and the destination by analyzing and comparing various possible
routes (in terms of time) on a real-time basis. Identify the system from
the following where this example fits.
(a) Decision Support System (DSS)
(b) Management Information System (MIS)
(c) Executive Information System (EIS)
(d) Knowledge Level System
97. After stealing the credit card of Mr. Amit, Mr. Suraj telephoned Mr. Amit,
pretending to be a bank employee, and informed him that his credit
card had been found. Mr. Suraj convinced Mr. Amit that, to avoid any
fraud, his existing credit card should be blocked and a new credit
card would be issued to him by the bank. On the pretext of verification,
Mr. Suraj insisted that Mr. Amit share his credit card PIN. Mr. Amit shared
the PIN with Mr. Suraj, who then made a purchase of ₹ 5000/-. Which
technique did Mr. Suraj use to commit this cyber fraud?
(a) Data Diddling
(b) Masquerading
(c) Internet Terrorism
(d) Dumpster Diving
98. MXN Developers, a software company, requires a backup facility
from which the recovery time for the company's operations in case
of a disaster is 24 hours or less. What do you think is the most
suitable back-up facility for the company?
(a) Cold site
(b) Warm site
(c) Hot site
(d) Reciprocal agreement
99. ABC Ltd. and XYZ Ltd. signed a reciprocal agreement to provide
backup facilities to each other in the event of one suffering a disaster.
Soon, both parties realized that a reciprocal agreement is not a
suitable alternative for offsite backup because of which of the following
reasons?
(a) Very expensive.
(b) Slow response to requests to recover operations.
(c) Network Incompatibilities.
(d) Difficulties in maintaining sufficient capacity to operate
another’s critical system.
100. Softtech is a software development company with clients in many
fields such as pharmaceuticals, educational institutes and the health
industry. The company follows an approach to developing software by
releasing multiple versions, wherein each new version has something
more added to it than its previous version. Identify the system
development approach adopted by Softtech.
(a) The Waterfall Model
(b) The Prototyping Model
(c) The Spiral Model
(d) The Incremental Model
Answer Key
Question No.   Answer
1. (d) A statement that the registered private
accounting firm that audited the financial
statements included in the monthly report has
issued an attestation report on management’s
assessment of the company’s internal control
over financial reporting.
2. (c) Explicit knowledge is personal, experimental
and context-specific.
3. (a) Identification, Authentication, Authorization
4. (a) With Incremental backups, one full backup is
done first and subsequent backup runs are the
changes made since the last full backup only.
5. (a) Presentation by the selected vendor
6. (d) Auditors check whether the organizations
audited have appropriate, high-quality disaster
recovery plan in place or not.
7. (a) Powers to issue directions for interception or
monitoring or decryption of any information
through any computer resource.
8. (a) Network
9. (c) To evaluate, direct and monitor IT
management to ensure effectiveness,
accountability and compliance of IT.
10. (b) A system has number of non-related and
independent subsystems or components. The
subsystems can function in isolation and do not
depend on other subsystems.
11. (d) Adaptive maintenance in which the program is
tuned to decrease the resource consumption
12. (c) Hot site
13. (b) Business Analyst
14. (b) System Control Audit Review File (SCARF)
15. (d) casting responsibility on body corporates to
protect sensitive personal information.
16. (a) Private Cloud
17. (a) Physical Level involves the implementation of
the database on the hard disk.
18. (c) Corrective Control
19. (c) Bring Your Own Device (BYOD)
20. (b) Section 7A
21. (b) Agile
22. (d) New Customer Acquisition
23. (b) Business Governance
24. (c) Deterministic System
25. (c) Trojan Horse Attack
26. (d) Mirror backup
27. (d) Behavioral Feasibility
28. (d) Boundary Control
29. (c) IT Infrastructure Library (ITIL)
30. (b) Outsourced Private Cloud
31. (b) Evaluate, Direct and Monitor
32. (d) MIS is management oriented.
33. (a) Piggybacking
34. (c) To identify the critical business processes.
35. (a) It combines features of the prototyping model
and waterfall model.
36. (d) No need of prior knowledge and experience of
working with CAAT
37. (b) Punishment for sending offensive messages
through communication service, etc.
38. (c) Yes, but require stringent SLAs.
39. (a) Section 133 of Companies Act, 2013
40. (c) Tacit knowledge is articulated, and represented
as spoken words, written material and
compiled data
41. (d) Backup procedure
42. (a) Risk assessment, Determination of Recovery
Alternatives, Recovery Plan Implementation,
Recovery Plan Validation
43. (b) Project Manager
44. (d) Processing Controls
45. (c) Vulnerability
46. (d) Reliability
47. (a) Preventative Control
48. (b) Test Plan
49. (c) Business Analyst
50. (a) Confidentiality
51. (b) Mr. X and Directors
52. (c) Infrastructure as a Service (IaaS)
53. (d) The Project Manager should work
independently from the Steering Committee in
finalizing the detailed work plan and
developing interview schedules.
54. (a) owners/shareholders, Board of Directors, its
chairman, managing director, or the chief
executive
55. (a) (i), (ii), (iii)
56. (d) Incremental Backup consumes the most
storage space as compared to full and
differential backups
57. (b) Cost Analysis
58. (c) Processing Controls
59. (d) Subscriber
60. (c) Bandwidth
61. (b) Counter Measure
62. (d) Decision Making
63. (c) Security Administration
64. (d) Performance Analysis Report
65. (d) Incremental
66. (a) Flowchart
67. (d) Mitigating the risk
68. (a) Software Component, Process Flow, Customer
mindset, Change Management
69. (c) Piggybacking is defined as an act of following
an authorized person through a secured door
or electronically attaching to an authorized
telecommunication link that intercepts and
alters transmissions.
70. (c) Differential backups are faster than
Incremental backups.
71. (c) Adaptive Maintenance mainly deals with
accommodating to the new or changed user
requirements and concerns functional
enhancements to the system.
72. (d) According to SA-234, Audit Documentation refers
to the record of audit procedures performed,
relevant audit obtained and conclusions the
auditor reached.
73. (b) Addressee means a person including
intermediary who is intended by the originator to
receive the electronic record.
74. (a) As the complete cloud is being shared by several
organizations or community, it becomes highly
expensive.
75. (d) The GRC framework which has been a regulatory
requirement not only for listed enterprises but
also for all types of enterprises stands for
Governance, Risk and Control.
76. (b) MIS cannot be implemented without using a
computer.
77. (a) The surprise check of raw materials stock by a
supervisor in a manufacturing company is an
example of Corrective Control.
78. (c) Likelihood, Consequences
79. (d) Alpha Testing
80. (d) Scoping, Planning, Fieldwork, Analysis,
Reporting, Close
81. (b) Office Automation System
82. (c) Understanding of system development
methodologies.
83. (b) The levels of management are fixed to three
irrespective of its size and structure.
84. (b) (iv)-(i)-(v)-(ii)-(vi)-(iii)
85. (c) Evaluate and Direct Risk Management
86. (c) Behavioral Feasibility
87. (d) Electronic Document Management System
88. (b) The DSS is intended to make decisions for
managers in solving semi-structured and
unstructured problems in their own.
89. (d) To select the programming techniques and
languages to be used for system development.
90. (b) One of the audit techniques named Integrated
Test Facility (ITF) is used to trap exceptions
whenever the application system uses a DBMS.
91. (c) Incremental Cost
92. (c) Audit Hook
93. (c) It is the process of assuring that specific tasks
are carried out effectively and efficiently.
94. (b) Eliminate the risk
95. (b) Knowledge-Level System
96. (a) Decision Support System (DSS)
97. (b) Masquerading
98. (c) Hot Site
99. (d) Difficulties in maintaining sufficient capacity to
operate another’s critical system.
100. (d) The Incremental Model

CASE SCENARIOS

1. New India Global Healthcare Private Limited is a medical insurance
service provider company. Due to a system vulnerability, an incident
recently took place wherein an employee, Mr. R, was caught sharing
confidential records of Mr. Z (who was insured under a Mediclaim Policy)
with Satyam Cell Marketing Global Private Limited. Presently, the
company is working on its software called "Nirogaya" to maintain all
records such as details of all policyholders, premium collection,
outstanding premium, and various reports that may require further
customization on a manual basis.
Mr. S was appointed as IS auditor, conducted an IS audit of the
Company, highlighted some key control weaknesses and commented on
the company's password policy, which had been prepared but not
implemented by the Information Technology (IT) Department. He
submitted his audit report to the Board of Directors and recommended
the immediate attention of the Management of the Company to the
present Information System.
After considering the recent incident involving Mr. R and the
recommendations of the IS auditor, the Board of Directors held a meeting
with the company's senior management, including the Chief Information
Officer, Chief Financial Officer and Chief Executive Officer. The decisions
of the meeting were as follows:
♦ The Company will approach Big 4 system development and
service provider to develop an ERP system and implement it
at various locations across the country with effective and
efficient in-built IT Controls.
♦ The Company also decided to implement Balance Scorecard, a
strategy performance management tool.
♦ No employee can access customer details without
prior permission of the IT head.
Mr. SK, an employee of Big 4 system development and service provider,
was assigned the job of understanding the requirements for the proposed
system of New India Global Healthcare Private Limited. For that, he
frequently visited the company and interacted with users of the
computer system.
The Company also approached Amazon Web Services to provide
it with access to Virtual Machines for data processing. The company
went live with the new ERP system. The Company had also prepared a
backup strategy whereby the data is taken from the live environment
to a backup drive.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos. 1.1 to 1.8.
1.1 In light of the IT Act, 2000, who will be responsible for paying
compensation to Mr. Z for failure to protect his data?
(A) Directors of Satyam Cell Marketing Global Private
Limited
(B) Directors of New India Global Healthcare Private Limited
(C) Shareholders of New India Global Healthcare Private
Limited
(D) Directors of Big 4 system development and service
provider
1.2 The IS auditor observed that the Company has not implemented a
password policy; therefore users kept short login passwords for
system access and were not aware of the need to change them
frequently. This refers to _________________ in the purview of
Information System Concepts. Fill in the blank with the appropriate
word from the following.
(A) Exposure
(B) Threat
(C) Vulnerability
(D) Attack
1.3 Mr. SK frequently visits New India Global Healthcare Private
Limited and interacts with various users of the computer
system to understand their requirements from the system.
Which role is performed by Mr. SK?
(A) Programmer
(B) Project Leader
(C) Project Manager
(D) Business Analyst
1.4 The Company has prepared a backup strategy to take the backup of
files and folders in one backup set, where the data is saved almost
every second from the live environment to the backup drive.
Identify the type of back-up that the Company has implemented.
(A) Full Backup
(B) Incremental Backup
(C) Mirror Backup
(D) Differential Backup
1.5 In the given case scenario, New India Global Healthcare Private
Limited has decided to implement Balance Scorecard, a strategy
performance management tool. This initiative is covered under
which part of Enterprise Governance?
(A) Legal Governance
(B) Business Governance
(C) Social Governance
(D) Corporate Governance
1.6 New India Global Healthcare Private Limited approached
Amazon Web Services to provide it with access to Virtual
Machines for data processing. Which of the following Cloud
Computing Service Models will be useful for this?
(A) Network as a Service (NaaS)
(B) Infrastructure as a Service (IaaS)
(C) Platform as a Service (PaaS)
(D) Software as a Service (SaaS)
1.7 If you were requested to advise on the Company's Password Policy
for all users to protect the data, which of the following features
would you recommend to make the password control strong?
(A) Password length should at least be of 4 characters.
(B) Password should be changed once a year.
(C) Password should always be in numeric form.
(D) Password of user should be blocked after 3 unsuccessful
login attempts.
1.8 Suppose you are appointed as an IS Auditor of New India
Global Healthcare Private Limited. Which of the following will
you consider under risk assessment and planning?
(A) Obtain sufficient and appropriate evidence to achieve
the audit objectives.
(B) Use an appropriate risk assessment approach and
supporting methodology to develop the overall IS audit
plan.
(C) Provide supervision to IS audit staff for whom they have
supervisory responsibility, to accomplish audit
objectives.
(D) Conclusions on objective(s), scope, timeline and
deliverables, compliance with applicable laws and
professional auditing standards.
Answer Key
Question No.   Answer
1.1 (B) Directors of New India Global Healthcare Private
Limited
1.2 (C) Vulnerability
1.3 (D) Business Analyst
1.4 (C) Mirror Backup
1.5 (B) Business Governance
1.6 (B) Infrastructure as a Service (IaaS)
1.7 (D) Password of user should be blocked after 3
unsuccessful login attempts
1.8 (B) Use an appropriate risk assessment approach
and supporting methodology to develop the
overall IS audit plan.

2. CBZ Singapore Global Insurance Limited is a reputed Insurance
Company with its Head Office located in Singapore. With an aim to
expand its business, it started a subsidiary company in India in
the year 2019 and obtained a licence from the Insurance Regulatory
and Development Authority (IRDA).
In India, IRDA is an autonomous statutory body tasked with regulating
and promoting the insurance and re-insurance industries in India. It
protects the interests of policyholders and regulates, promotes and
ensures the orderly growth of the insurance industry in India.
Information Systems Audit has a significant role in the emerging
insurance sector.
CBZ Singapore Global Insurance Limited has framed and set up a
committee of 10 management personnel for the implementation of COBIT
5 in the company; the committee is also responsible for compliance with
various rules and regulations of IRDA and other applicable laws.
The Company adopts emerging technologies like Mobile Computing to
sell its insurance products online. The company also establishes 50
branches throughout India to appoint agents to promote the selling of
its insurance products. The Company uses a Wide Area Network to allow
its agents away from the home office to obtain current rates and client
information and to submit approved claims using notebook computers
and dial-in modems.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos. 2.1 to 2.7.
2.1 CBZ Singapore Global Insurance Limited wants to implement the
COBIT 5 framework in the organization as the framework
provides the following key management practices for ensuring
external compliance as relevant to the company.
(i) Optimize Response to External Requirements
(ii) Obtain Assurance of External Compliance
(iii) Identify External Compliance Requirements
(iv) Confirm External Compliance
The correct sequence of these practices is _______.
(A) (iii), (i), (iv), (ii)
(B) (ii), (iii), (i), (iv)
(C) (i), (ii), (iii), (iv)
(D) (iv), (iii), (ii), (i)
2.2 CBZ Singapore Global Insurance Ltd. wants to implement
COBIT 5, which will involve all the below-mentioned component
activities except ______.
(A) to organize IT governance objectives and good practices
by IT domains and processes.
(B) to provide a complete set of high-level requirements to
be considered by management for effective control of
each IT process.
(C) to help assign responsibility, agree on objectives,
measure performance, and illustrate interrelationship
with other processes.
(D) to upgrade its processes based on the continuous
feedback from the users.
2.3 CBZ Singapore Global Insurance Limited uses a Wide Area
Network to allow agents away from the home office to obtain
current rates and client information and to submit approved
claims using notebook computers and dial-in modems. In this
situation, which of the following methods would provide the
best data security?
(A) Dedicated Phone Lines
(B) Call Back Devices
(C) Frequent Changes of User IDs and Passwords
(D) End to End Data Encryption
2.4 In the given case scenario, the security issues/concerns that
will be considered by CBZ Singapore Global Insurance Limited
related to Mobile Computing will not include which of the following?
(A) Ensuring unauthorized modification, destruction or
creation of information cannot take place.

© The Institute of Chartered Accountants of India


42 INFORMATION SYSTEMS CONTROL AND AUDIT

(B) Ensuring authorized users getting the access they


require.
(C) Preventing unauthorized users from gaining access to
critical information of any particular user.
(D) The users’ disrupted access of information due to
insufficient bandwidth.
2.5 As per the Insurance Regulatory and Development Authority of
India (IRDA), all insurers shall have their systems and processes
audited _______________.
(A) At least once in two years by a CA firm
(B) At least once in three years by a CA firm
(C) At least once in five years by a CA firm
(D) At least once in ten years by a CA firm
2.6 In the given scenario, suppose there is a leakage of
sensitive/confidential data of a policyholder; under the IT Act,
2000, who will be held liable to pay compensation for failure to
protect the policyholder's data?
(A) Directors of CBZ Singapore Global Insurance Limited
(B) Shareholders of CBZ Singapore Global Insurance Limited
(C) Officer of Telecom Regulatory Authority of India
(D) Agents of CBZ Singapore Global Insurance Limited
2.7 Suppose you are appointed as an IS auditor of CBZ Singapore
Global Insurance Limited. When you are going to audit the
physical access controls, which of the following activities is not
undertaken by you?
(A) You must check that the risk assessment procedure
adequately covers periodic and timely assessment of all
physical access threats.
(B) You must check whether the physical access controls are
adequately in place.
(C) You must examine whether the relevant documents such as
security policies and procedures are prepared.
(D) You must develop and document an overall audit plan
describing the expected scope and conduct of the audit.
Answer Key
Question No.    Answer
2.1 (A) (iii), (i), (iv), (ii)
2.2 (D) to upgrade its processes based on the
continuous feedback from the users.
2.3 (D) End to End Data Encryption
2.4 (D) The users’ disrupted access of information due
to insufficient bandwidth.
2.5 (B) At least once in three years by a CA firm
2.6 (A) Directors of CBZ Singapore Global Insurance
Limited
2.7 (D) You must develop and document an overall
audit plan describing the expected scope and
conduct of the audit.

3. To assist various organizations globally in system development,
strategic planning and e-governance areas; ABC International Global
Company proposes to launch a new subsidiary to provide e-
Consultancy services to them. The fundamental guidelines, programme
module and draft agreements between these individual organizations
and ABC International Global Company are all preserved and
administered in e-form only.
The Company intends to utilize the services of a professional analyst
Mr. Murthy to conduct a preliminary investigation and present a report
on smooth implementation of ideas of the new subsidiary. Based on
the report submitted by the analyst, the Company decided to proceed
further with the specific objectives given below.
♦ Reduce operational risk
♦ Increase business efficiency
♦ Ensure that information security is being rationally applied
The Company has been advised to adopt ISO 27001 for achieving the
same. Top management has felt that the time is appropriate for them
to convert its existing information system into a new one to integrate
all its current activities. One of the main objectives of taking this
exercise is to maintain continuity of business plans even while
continuing the progress towards e-governance.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos. 3.1 to 3.7.
3.1 To retain e-documents of the company for specified period,
there are certain conditions that are laid down in Section 7,
Chapter III of the Information Technology Act, 2000 that are as
follows:
(i) Accessible so as to be usable for a subsequent
reference.
(ii) Manner and format in which such electronic record shall
be generated, sent or received.
(iii) Facilitate the identification of the origin, destination,
date and time of dispatch or receipt of such electronic
record, if available in the electronic record.
(iv) The specifications of the Government on the scale of
service charges to be collected by Government itself for
retaining e-records.
Which of the following combinations is required to be satisfied
under Section 7 of the IT Act, 2000?
(A) (i), (ii), (iv)
(B) (ii), (iii), (iv)
(C) (i), (iii), (iv)
(D) (i), (ii), (iii)
3.2 ABC International Global Company has been advised to adopt
ISO 27001 for achieving its objectives for the following reasons.
(i) If Company is certified once, it is accepted globally.
(ii) If company is certified once, it does not require IS audit
for initial five years.
(iii) If company is certified once, there is no separate
strategy and policy required for Business Continuity
Planning (BCP) & Disaster Recovery Planning (DRP).
(iv) It is suitable for protecting critical and sensitive
information.
(v) It provides a holistic, risk-based approach to secure
information and compliance.
(vi) It creates a market differentiation due to prestige,
image and external goodwill.
Identify the correct reasons for which ABC International Global
Company may adopt ISO 27001.
(A) (i), (ii), (ii), (iv) (vi)
(B) (ii), (iii), (iv), (v)
(C) (i), (iv), (v), (vi)
(D) (i), (ii), (iii), (iv), (v), (vi)
3.3 Mr. Murthy, a Professional Analyst, conducts a preliminary
investigation and presents a report on smooth implementation
of ideas of the new subsidiary. The Management, along with
Mr. Murthy, is working on long-term planning and deciding the
overall objectives and the resources to achieve these objectives.
What level of management activity is carried out by
Mr. Murthy?
(A) Business Continuity Management
(B) IT Governance
(C) Strategic Planning
(D) Business Governance Control Activities
3.4 You have been engaged as a Consultant to carry out IS audit of
ABC International Global Company. While doing the risk
assessment of the company, what is the first step you would
take while commencing your work?
(A) Studying network diagrams to understand the logical
and physical network connectivity.
(B) Recommending the controls to mitigate the risks
(C) Studying IT policies, framework and guidelines.
(D) Identify the risks present in an IT environment of the
company.
3.5 ABC International Global Company's exercise is to maintain
continuity of business plans, for which the Business
Continuity Life Cycle is broken into the various activities given
below.
(i) Determination of Recovery Alternatives
(ii) Recovery Plan Validation
(iii) Risk Assessment
(iv) Recovery Plan Implementation
Identify the correct sequence of activities.
(A) (i), (ii), (iii), (iv)
(B) (iv), (iii), (ii), (i)
(C) (iii), (i), (iv), (ii)
(D) (ii), (iv), (i), (iii)
3.6 ABC International Global Company has implemented an IT
based solution to support its business function. Which of the
following situations would indicate the need to initiate an SDLC
project?
(A) Vendor has launched a new hardware which is faster.
(B) Company has unused surplus budget for IT.
(C) Regulators have requested additional reports from
business.
(D) Competitor has launched an efficient IT based service.
3.7 ABC International Global Company adopted a process that
gathered and interpreted facts, diagnosed problems, and used
the information to recommend improvements to the system.
Which phase of SDLC do these activities pertain to?
(A) System Analysis
(B) System Design
(C) System Development
(D) System Implementation
Answer Key
Question No.    Answer
3.1 (D) (i), (ii), (iii)
3.2 (C) (i), (iv), (v), (vi)
3.3 (C) Strategic Planning
3.4 (D) Identify the risks present in an IT environment
of the company.
3.5 (C) (iii), (i), (iv), (ii)
3.6 (D) Competitor has launched an efficient IT based
service.
3.7 (A) System Analysis

4. M/s XTC Ltd. is an FMCG company dealing in home care, human care,
health care and stomach care products. The company has been seeing a
drop in sales over the past few years. The Company has traditional distribution
channels which include wholesale dealers, retailers and agents. The
Company has been using a legacy integrated system since 2004. To
get a better understanding of the reasons for such decline in sales, XTC
decides to appoint a consultant. XTC appoints Ms. Venus Andromida
(Ms. VA), a business consultant.
Ms. VA has more than a decade of experience, is an MBA from IIMA
and is a qualified CISA and CISM expert. Ms. VA has been given six months
to submit the report. Ms. VA submits her report in two parts. Part one
deals with identification of the key reasons for the business decline. Part two
gives solutions to the identified problems.
Ms. VA found that Customer order execution (turnaround time: TAT)
is twice the market norms. In the present system, retailers' orders are
accepted by sales representatives, who send the same to HO by email.
The Sales head at HO then gives the necessary instructions. This process
has many human interfaces, leading to delay in supply of material once
the email has been sent for orders, and many times the received goods
and ordered goods do not match.
1. Ms. VA applied the principles of risk management and
suggested following solutions: XTC needs to implement a new
system. The proposed system shall integrate all departments of
the company including key departments; Sales and Distribution
& Material Management & Financial Management & Production,
Planning and costing and Human Resources. This shall help XTC
optimize resource utilization and increase profitability.
2. The proposed system shall have an online mobile APP enabled
system of order acceptance from retailers and wholesalers.
Mobile APP to be installed on all sales representative systems.
3. In the new system, XTC Limited plans to preload reorder levels
for various products for each wholesaler individually. This will
help better inventory management. As soon as the inventory level of a
product reaches the reorder level, the system will send a purchase
order for the Re-order Quantity / Economic Order Quantity to XTC
Ltd. This shall significantly reduce the Turnaround Time.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos. 4.1 to 4.5.
4.1 Expert used risk management principles to suggest a solution.
Risk management terminologies include all except ________.
(A) Vulnerability Assessment
(B) Threat Assessment
(C) Risk Sharing
(D) Exposure
4.2 Which system types can best define the new system?
(A) Manual, Close
(B) Physical, Open
(C) Automated, Open
(D) Physical, Probabilistic
4.3 XTC Limited hired Ms. VA for system implementation. XTC
Limited wants Ms. VA to continue giving her services to the
company post implementation. Which job profile can the Company
not provide to Ms. VA?
(A) User Training
(B) System Manual Updating
(C) Quality Assurance Person
(D) New Technologies Adoption
4.4 An old legacy system is being replaced by an integrated
system. You are further informed that XTC Limited has asked
the implementers to go step by step and that implementers
have reasonable time to implement the new system. What is
the best system implementation method in the situation?
(A) System Development Life Cycle
(B) Prototype
(C) Rapid Application Development
(D) Agile
4.5 Use of a Mobile APP by employees is a convergence of two emerging
technologies referred to as Mobile Computing and BYOD. The
common risks associated with both technologies include ______.
(A) Security Risk
(B) Bandwidth
(C) Application Risk
(D) Health Hazard
Answer Key
Question No.    Answer
4.1 (C) Risk Sharing
4.2 (C) Automated, Open
4.3 (C) Quality Assurance Person
4.4 (A) System Development Life Cycle
4.5 (A) Security Risk

5. ABC Limited is a large data processing company. It provides services
to major banks and financial institutions for their daily credit card data
processing. The Company has a primary data centre in India and its backup
data centre is in the USA. ABC Limited was hit by a malicious worm
called SOBIG F on 15th May, 2019 (Wednesday). The result
was that the company lost all client data from its main server. A specific
bank's (a customer of ABC Limited) confidential customer data, including
credit card details, were found uploaded on a social media site. The bank
brought a lawsuit against ABC Limited for loss of data as
well as loss of goodwill. ABC requested its clients to share available data.
It took virtually a month for the company to restart its operations. During
this period, it lost 10 valuable clients. ABC Limited, having lost all client
data, decided to recoup the same from its backup database.
The Company has been following an Incremental Data Backup Strategy.
The Company has laid down a plan for incremental data backup for its
customers based on the nature of their business. For banking
customers, it takes a full backup every Saturday at 11:59 PM
IST. The timing of the data backup is important, as it is done after day end at
each of the banks. For the next six days it takes an incremental backup. As
soon as the backup database was accessed, it was found that the last full backup
had been taken seven days back and since then no incremental data
backup had been done. The Company decided to overhaul its whole backup
process and to create a daily online backup arrangement. It
took the services of a professional, M/s Safe and Secure Limited (SASL), a
company providing such services. The service provider will install
software, and all data shall be automatically backed up in real time on a
cloud environment run by SASL. ABC Limited asked SASL to ensure
that the daily data transfer is made in a secure mode that ensures
message integrity and confidentiality.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos. 5.1 to 5.6.
5.1 Worms, like Trojans and viruses, are malicious programs. Each of
these has features making them distinct from each other. Tick
the feature NOT associated with a WORM.
(A) Self propagating. They do not need a host program.
(B) Worm can copy itself and send itself to another machine
on its own.
(C) They are not stand alone.
(D) They are of two types, Existential Worm and Alarm Clock
Worm.
5.2 Customers of ABC Limited wish to bring a lawsuit against the
company for wrongful loss of their data. Identify the section of the
Information Technology Act, 2000 under which such damages
can be claimed.
(A) Section 72A
(B) Section 43A
(C) Section 66A
(D) Section 7A
5.3 ABC Limited is a large data processing company. As per the
definition of various information systems, the nature of services
being provided by ABC Limited would make it a ______.
(A) Transaction Processing Systems Company
(B) Management Information Systems Company
(C) Decisions Support Systems Company
(D) An Enterprise Resource Planning Software Company
5.4 ABC Ltd. has many banks as its customers. A table is
given below of the daily transactions done by a few of its banking
customers preceding the day when the company was hit by
SOBIG F. Identify the customer whose data loss would have
been minimum. Transactions in '000.
S. No.  Name of Bank  11.05.2019 (Saturday)  12.05.2019 (Sunday)  13.05.2019 (Monday)  14.05.2019 (Tuesday)
1       B Ltd.        100                    Weekly off           150                   250
2       A Ltd.        Weekly Off             100                  150                   250
3       N Ltd.        100                    100                  150                   250
4       K Ltd.        100                    100                  Weekly off            250

(A) B Ltd.
(B) A Ltd.
(C) N Ltd.
(D) K Ltd.
5.5 The change in back up strategy of ABC Limited shall be best
identified as ___________.
(A) Incremental Backup to Differential Backup
(B) Differential Backup to Full Backup
(C) Incremental Backup to Full Backup
(D) Incremental Backup to Differential Backup
5.6 ABC Limited is now going to share its clients' (banks and
financial institutions) data with a third party, SASL. Does
ABC Limited need to inform its customers about this? Identify
the most appropriate statement.
(A) No need to inform, as the customers are old.
(B) Need to inform.
(C) Need to inform and update in the Service Level
Agreement and get positive concurrence from
customers.
(D) Need to inform and update in the Service Level
Agreement.
Answer Key
Question No.    Answer
5.1 (C) They are not stand alone.
5.2 (B) Section 43A
5.3 (A) Transaction Processing Systems Company
5.4 (D) K Ltd.
5.5 (C) Incremental Backup to Full Backup
5.6 (C) Need to inform and update in the Service Level
Agreement and get positive concurrence from
customers.

6. VK Textile Cotton Fabrics Private Limited is an export-oriented unit
established in the year 2016. The Company manufactures Cotton Fabrics in
India and also exports them to some foreign countries. In December 2019,
the Company acquired a manufacturing unit situated in Dubai (UAE).
Presently, the Company is in the process of listing its securities on the
Bombay Stock Exchange and the National Stock Exchange. Mr.
Sameer Jain joined the Company as Chief Executive Officer (CEO) with
effect from 01st January, 2020. After taking charge, he held
various meetings with the company's management and stakeholders
and presented a unified proposal on the future of the company in a meeting,
which is as given below:
♦ Expansion of the company's business into other foreign countries,
including European Countries, Gulf Countries and Asia-Pacific
Countries.
♦ Offering the best quality product at a reasonable price, i.e., value for
money, for its customers worldwide.
♦ Adoption of Total Quality Management (TQM).
♦ Spreading out e-commerce business activities and online
presence worldwide.
♦ Proposed Sales Plan (Budget) Turnover for the incoming
Financial Year (2020-2021) is ₹ 2500 Crores, up from the present
budgeted turnover of ₹ 800 Crores in the Current Financial Year
(2019-2020), with the help of a strong sales and marketing
strategy.
♦ Recognition through International ISO Certification and Corporate
Branding.
♦ Development & Implementation of IS security policy.
♦ Adoption of new and emerging IT technologies, including Cloud
Computing, Mobile Computing, Green Computing etc., for the
company.
♦ Adoption of best practices of Corporate and Business
Governance and the COBIT 5 framework.
♦ Undertaking of a Business Process Reengineering (BPR) project
in support of a new and direct marketing approach to its
customers.
♦ Upgrading all business processes through the latest technology &
trends & keeping all records and documents in electronic
digitalized form.
♦ IS Audit, ISO Certification and Process Audit.
♦ Reciprocal agreement for disaster recovery with another
company called G.K. Global Textile and Cotton Fabrics Limited
(already a listed entity in Bombay Stock Exchange) w.e.f. 5th
January, 2020.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos. 6.1 to 6.8.
6.1 VK Textile Cotton Fabrics Private Limited is in the process
of implementing the COBIT 5 framework. Which of the following
benefits will the company not achieve by using COBIT 5?
(A) Increased value creation from use of IT
(B) User satisfaction related to the product offered by the
company
(C) Management of IT related risk
(D) Policy development and good practice for IT
management.
6.2 VK Textile Cotton Fabrics Private Limited has entered into a
reciprocal agreement as one of the strategies of Disaster
Recovery Planning. Which of the following risk treatment
approaches does it indicate?
(A) Risk Transfer
(B) Risk Avoidance
(C) Risk Mitigation
(D) Risk Acceptance
6.3 VK Textile Cotton Fabrics Private Limited has entered into a
reciprocal agreement as one of the strategies of Disaster
Recovery Planning. Which of the following represents the
greatest risk created by reciprocal agreement for Disaster
Recovery made between two companies?
(A) The Security Infrastructure in each company may be
different.
(B) The Recovery Plan cannot be tested.
(C) The Resources may not be available when needed.
(D) The development may result in Hardware and Software
incompatibility.
6.4 VK Textile Cotton Fabrics Private Limited has acquired a
manufacturing unit situated in Dubai (UAE), and the Company
briefed all employees working in the manufacturing unit situated in Dubai
(UAE) about its human resources policy and business practices. After
understanding the human resources policy and business practices of the
Company, they happily accepted the acquisition. This process of VK Textile Cotton
Fabrics Private Limited is part of COBIT 5 and is part of its
_________.
(A) Principle
(B) Enabler
(C) Governance
(D) Management
6.5 Suppose you are an IS auditor of VK Textile Cotton Fabrics
Private Limited. The Company undertakes a Business Process
Reengineering (BPR) project in support of a new and direct
marketing approach to its customers through establishment of a
new, innovative information support system. Which of the
following would be your primary key concern about the new
process?
(A) Are key controls in place to protect assets and
information resources?
(B) Does it address the corporate customer requirements?
(C) Does system meet the performance goals (time and
resource)?
(D) Have owners been identified who will be responsible for
this process?
6.6 Suppose you are appointed as IS auditor of VK Textile
Cotton Fabrics Private Limited. The activities involved in an
Information Systems Audit are as follows:
(i) Planning
(ii) Close
(iii) Analysis
(iv) Reporting
(v) Fieldwork
(vi) Scoping
How will you conduct IS audit in correct order/manner?
(A) (ii), (i), (iv), (iii), (vi), (v)
(B) (iii), (ii), (i), (iv), (v), (vi)
(C) (i), (iii), (ii), (iv), (v), (vi)
(D) (vi), (i), (v), (iii), (iv), (ii)
6.7 VK Textile Cotton Fabrics Private Limited is planning to keep all
records and documents in electronic form. Which of the
following Sections of the Information Technology Act, 2000 (IT Act)
provides that the documents, records or information which are
to be retained for any specified period shall be deemed to have
been retained if the same are retained in the electronic form?
(A) Section 4
(B) Section 5
(C) Section 6
(D) Section 7
6.8 Which of the following is the practice of using computers and IT
resources in a more efficient, environmentally friendly and
responsible way?
(A) Grid Computing
(B) Cloud Computing
(C) Virtualization
(D) Green Computing
Answer Key
Question No.    Answer
6.1 (B) User satisfaction related to the product offered by
the Company
6.2 (C) Risk Mitigation
6.3 (D) The development may result in Hardware and
Software incompatibility
6.4 (B) Enabler
6.5 (A) Are key controls in place to protect assets and
information resources.
6.6 (D) (vi), (i), (v), (iii), (iv), (ii)
6.7 (D) Section 7
6.8 (D) Green Computing

7. KD Health and Medical Care Limited provides medical health check
and other medical outsourcing services to its various
clients/customers, which include pharmacists, physicians, patients,
educational institutions, day care establishments, government agencies
and insurance companies. The company is located in Agra, with all its
100 employees living on private land situated at Agra.
The Company has a policy of allocating the super-user password to
General Manager in Finance Department. The same is defined in the
Job Profile of GM (Finance) who is responsible to supervise the
allocation, deletion, modification and suspension of user rights based
on approvals made by the HR Department. On 26th September, 2018, the
General Manager (Finance) resigned from the Company, and on 1st
October, 2018, a new joinee who joined the Company as GM was given
another super-user password.
In due course of time, the Company hired Mr. J as its internal auditor
in the month of March 2019. After the due procedure, he submitted his
Draft IS Audit Report to Chief Executive Officer (CEO) and Managing
Director highlighting following key control issues:
♦ All employees of the Accounts Department have been using the
Super-User Password of the previous General Manager
(Finance). For the past six months, since the new joinee joined,
the audit logs of some dates are missing and not available.
♦ There is no basic configuration in the accounting system to
restrict cash payments in excess of ₹ 10,000/-, which results in the
expense being disallowed as a business expense. That shall
lead to an increase in the tax liability of the company.
♦ There is no effective internal control system regarding user
management and the creation and modification of accounting vouchers.
♦ The Company has no emergency plan other than an outdated list of
names to contact in case there is some type of emergency
within the company.
♦ There are unused computer systems lying idle. There is no
antivirus or security mechanism on the computer
systems of the employees carrying out day-to-day transactions.
♦ There are versions of unauthorized software installed on
numerous computer systems.
♦ There is no documentation regarding plans for disaster recovery and
business continuity.
♦ The IT department takes a data backup only once every
six months, but that is no substitute for a fully implemented
BCP.
♦ There is no physical and environmental control policy for
safeguarding of company assets.
The IS auditor recommended a proposed solution to overcome the
aforementioned issues. To implement the same, he recommended a
strategy of adopting the new accounting system with the old and new
systems both being used alongside each other, each able to
operate independently. If all goes well, the old system is stopped and the
new system carries on as the only system.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos. 7.1 to 7.7.
7.1 Mr. J made many recommendations in his Draft IS Audit
Report. He noted that, though there has not
been any case of interruption till date, KD Health and
Medical Care Limited should develop a practical logistical plan
known as a Business Continuity Plan (BCP) to take care of
recovery and restoration, partially or fully, in case of occurrence of
any disaster. Which of the following will not form part of the
Business Continuity Plan Methodology?
(A) Defining recovery requirements from the perspective of
business functions.
(B) Disaster prevention and impact minimization as well as
orderly recovery.
(C) Documenting the impact of an extended loss to key
business functions.
(D) Clear distinction and non-integration between System
Development process and business planning to keep
plan viable over time.
7.2 Mr. J is an IS auditor of KD Health and Medical Care Limited.
During his audit, he prepared a list of risks associated with
breaches of security in an application system that are ordinarily
high because logs for the whole period of the audit are not
available at the time of the audit. Which type of risk is Mr. J
working on?
(A) Detection Risk
(B) Control Risk
(C) Inherent Risk
(D) Security Risk
7.3 In the given case scenario, the Basic Configuration in the
Accounting System of the Company does not have an option to
restrict payments in excess of ₹ 10000/- in cash, which leads to
enhanced _______.
(A) Detection Risk and non-compliance with law
(B) Control Risk and non-compliance with law
(C) Inherent Risk and non-compliance with law
(D) Security Risk and non-compliance with law
7.4 An accountant has rights to create as well as modify accounting
vouchers. Which of the following principles has not been
followed by the company in the given scenario?
(A) Confidentiality
(B) Availability
(C) Integrity
(D) Segregation of Duties
7.5 In the given case, which of the following new accounting
system implementation strategies was recommended by the IS
auditor?
(A) Direct Implementation/Abrupt Change-Over
(B) Phased Changeover
(C) Pilot Changeover
(D) Parallel Changeover
7.6 In the given case scenario, the IS auditor uses a concurrent audit
technique to check whether the accounting system restricts
cash payments in excess of ₹ 10,000/- or not. Identify from
the following concurrent audit techniques the one which will be useful
in the above case.
(A) Use of System Control Audit Review File (SCARF)
(B) Use of Integrated Test Facility (ITF)
(C) Use of Continuous and Intermittent Simulation (CIS)
(D) Use of Snapshot
7.7 In the given case scenario, suppose Mr. AB, a junior employee from the
finance department, sends an email to the banker requesting a
money transfer while pretending to be the GM (Finance) of the
Company. Under which of the following sections of the Information
Technology Act (IT Act), 2000 will Mr. AB be punished?
(A) Section 66A
(B) Section 66B
(C) Section 66C
(D) Section 66D
Answer Key
Question No.    Answer
7.1 (D) Clear distinction and non-integration between
System Development process and business
planning to keep plan viable over time.
7.2 (A) Detection Risk
7.3 (C) Inherent Risk and non-compliance with law
7.4 (D) Segregation of Duties
7.5 (D) Parallel Changeover
7.6 (B) Use of Integrated Test Facility (ITF)
7.7 (D) Section 66D

8. ABC University, based in Jammu and Kashmir, is a renowned University,
especially known for its faculty of Business Management & Economics
in the state of Jammu and Kashmir. The university offers various UG
and PG programs along with Research Studies viz. Master of
Philosophy and Ph.D. Recently, the Academic Council of the University
approved the proposal of the faculty to start some UG and PG courses
in distance learning mode too. It is observed that the students of
distance education are normally dependent on self-study only along
with a little support from the concerned department/s. In view of this
aforementioned fact, the Management of University decided to launch
a web-based knowledge portal to facilitate the students of different
courses. It is proposed to upload the Study Materials, e-lectures, tips
to prepare for the examination and online mock test papers for
students to self-analyse their preparation levels of the approved
courses on this Knowledge Portal. It is expected that the portal will be
very useful for the students as it aims to provide access to various
academic resources on an anytime, anywhere basis.
For the implementation of this portal, a technical team of three IT
Consultants carried out a feasibility study under various dimensions
and prepared a detailed report that was submitted to the Management
of the University for its approval. On receiving a go-ahead nod from
the management, an expression of interest was published by the
University in various national/regional newspapers inviting various IT
companies to propose the best solution as per the requirements of the
concerned faculty of the university. All the valid criterions were duly
considered and subsequently the solution proposed by Hire-IT
Solutions was well implemented in the university. The responsibility of
portal’s maintenance and updation reside with Mr. A, an employee of
Hire-IT Solutions on paid basis.
Later it was found that Mr. A was involved in certain anti-national
activities by misusing IT resources he had been in-charge of. During
an internal inquiry, he was found to be guilty and the Hire-IT Solutions
terminated him from his services immediately. Mr. A before leaving the
city threatened the Company with dire consequences. He disclosed
that he has set certain conditions, on the fulfillment of which some
malicious content would get broadcasted to portal’s users, thus
demeaning the reputation of the university. To disclose the same, he

© The Institute of Chartered Accountants of India


MCQs & CASE SCENARIOS 63

demanded hefty amount to be transferred to his account through net


banking.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos. 8.1 to 8.7.
8.1 In the given case scenario, which of the following attributes of information system security will have the highest priority while developing the web-based knowledge portal?
(A) Confidentiality
(B) Integrity
(C) Availability
(D) Completeness
8.2 What possible dimension under feasibility study of the proposed
web-based knowledge portal system is said to have been
compromised if the students are not able to access the e-
resources available on the website anytime?
(A) Technical feasibility
(B) Resource feasibility
(C) Behavioral feasibility
(D) Economic feasibility
8.3 In the given case scenario, all are valid criteria taken into
consideration for vendor selection for proposed web-based
knowledge portal system development for university except:
(A) Financial Stability of Vendor
(B) Market feedback of Vendor Performance
(C) Constitution members of Vendor
(D) Geographical Location of Vendor
8.4 In the given case scenario, the following phases of the proposed web-based knowledge portal system development life cycle are involved:
(i) Investigation
(ii) Implementation
(iii) Maintenance and Review
(iv) Requirements Analysis
(v) Design
Arrange them in the correct order.
(A) (i), (ii), (iii), (iv), (v)
(B) (ii), (iii), (i), (iv), (v)
(C) (iii), (iv), (i), (ii), (v)
(D) (i), (iv), (v), (ii), (iii)
8.5 In the given case scenario, under which of the following Sections of the Information Technology Act, 2000 shall the IT Manager be punishable if he initiated that attack on the university's system?
(A) Section 66
(B) Section 67C
(C) Section 68
(D) Shall not be punishable under IT Act, 2000
8.6 In the given case scenario, the name of the damaging act that uses a computer program to trigger an unauthorized malicious activity when some predefined condition occurs is:
(A) Computer viruses
(B) Worm
(C) NAK attack
(D) Logic Bombs
8.7 If the IT manager plans a Denial of Service attack, what would you understand the purpose of a Denial of Service attack to be?
(A) Exploit a weakness in the TCP/IP stack
(B) To execute a Trojan on a system
(C) To overload a system so that it is no longer operational
(D) To shutdown services by turning them off

Answer Key
Question No.   Answer
8.1   (C) Availability
8.2   (C) Behavioral feasibility
8.3   (C) Constitution members of Vendor
8.4   (D) (i), (iv), (v), (ii), (iii)
8.5   (A) Section 66
8.6   (D) Logic Bombs
8.7   (C) To overload a system so that it is no longer operational

9. Bharat Mera Mahan Bank is a private sector Bank. There are various branches of the Bank located all over Gujarat state. One of its branches is situated near Vadodara Railway Station and just outside the branch, there is one ATM machine installed by the Bank for 24x7 operations. The facts related to the ATM room are as follows:
♦ The ATM room has a glass partition, so that the inside view is visible from outside.
♦ The ATM room has a split AC just above the machine for maximum cooling.
♦ There is no register inside the room.
♦ The ATM machine is of the front-loading type, from where the cash is loaded inside the ATM machine.
♦ There are two people responsible for cash loading – one cashier and the other the main cashier. If the main cashier is absent, an officer helps the clerk to load the cash. Physical cash is tallied once a week.
♦ Many a time the machine is down due to non-availability of cash or connectivity problems, but no log is available.
♦ There is a smoke detector installed in the ATM room but there is no fire extinguisher. Security guards are available only from 8 AM to 8 PM, and there is CCTV surveillance.
♦ There is a security guard stationed outside the ATM room. He has been instructed to help customers who need help in cash withdrawal.
♦ Security guards have been hired from an outsourcing agency. They undergo transfers haphazardly (but within six months), and the branch is not aware of the same.
Bharat Mera Mahan Bank has to take into consideration various notifications and circulars issued by the Reserve Bank of India (RBI). RBI issues guidelines covering various aspects of secure technology deployment in the banking & financial sector for adoption & implementation of COBIT & ISO 27001. The requirements of RBI for System Controls and Audit state that IT Governance, Information Security governance related aspects, critical IT general controls such as data centre controls and processes, and critical business applications/systems having financial/compliance implications, including regulatory reporting, risk management, customer access (delivery channels) and MIS systems, need to be subjected to IS audit as per the prescribed frequency or more frequently, if warranted by the risk assessment.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos. 9.1 to 9.7.
9.1 In the given case scenario, two personnel simultaneously
accessing and refilling cash in the ATM machine of a branch of
Bharat Mera Mahan Bank is the best example of _________.
(A) Dual Access
(B) Dual Control
(C) Supervisory Control
(D) Maker Checker Control
9.2 As a part of auditing the Information Security of Bharat Mera Mahan Bank, an IS auditor wants to assess the security of information in ATM facilities. Under which policy should he look for details pertaining to security guards and CCTV surveillance of ATMs?
(A) Acceptable use of Information Assets Policy
(B) Physical Access Control and Security Policy
(C) Asset Management Policy
(D) Business Continuity Management Policy
9.3 Many a time the ATM machine is down due to non-availability of cash or connectivity problems, but no log is available. Which type of risk is an IS Auditor handling in this case?
(A) Detection Risk
(B) Control Risk
(C) Inherent Risk
(D) Security Risk
9.4 The Reserve Bank of India issues guidelines covering various aspects of secure technology deployment and emphasises the implementation of COBIT 5. What does COBIT 5 mean?
(A) It is best suited for large corporate
(B) It is best suited for small and medium enterprises
(C) It is not ideally suited for non-profit and government
enterprises
(D) It is a set of globally accepted principles, practices,
analytical tools and models.
9.5 Reserve Bank of India has been advised to adopt ISO 27001 for achieving its objectives. Identify, from the reasons given below, those for which the Banking and Financial Sector Industry may adopt ISO 27001:
(i) If it is certified once, it is accepted globally.
(ii) If it is certified once, IS audit is not required forever.
(iii) If it is certified once, no separate strategy and policy are required for Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP).
(iv) It is suitable for protecting critical and sensitive
information.
(v) It provides a holistic, risk-based approach to secure information and compliance.
(vi) It creates a market differentiation due to prestige, image and external goodwill.
Which of the reasons are correct?
(A) (i), (ii), (ii), (iv), (vi)
(B) (ii), (iii), (iv), (v)
(C) (i), (iv), (v), (vi)
(D) (i), (ii), (iii), (iv), (v), (vi)
9.6 The requirements of RBI for System Controls and Audit state that IT Governance, Information Security governance related aspects, critical IT general controls such as data centre controls and processes, and critical business applications/systems having financial/compliance implications, including regulatory reporting, risk management, customer access (delivery channels) and MIS systems, need to be subjected to IS audit:
(A) At least once in a year or more frequently, if warranted by the risk assessment.
(B) At least once in two years or more frequently, if warranted by the risk assessment.
(C) At least once in three years or more frequently, if warranted by the risk assessment.
(D) At least once in five years or more frequently, if warranted by the risk assessment.
9.7 Suppose you are appointed as an IS auditor of this branch. The
assessment areas are as follows:
(i) Impact- It is the outcome if the risk gets exploited
(ii) Vulnerability - refers to the weakness contained by the
system which can be exploited by the threat to create
risk.
(iii) Risk- potential that a given threat will exploit the
vulnerability of an asset or group of assets to cause loss
or damage to the assets.
(iv) Threat- represents a lack of adequate internal control.
How will you categorize your assessment in chronological order?
(A) (ii), (iv), (iii), (i)
(B) (iii), (iv), (i), (ii)
(C) (i), (ii), (iii), (iv)
(D) (iv), (iii), (ii), (i)
Answer Key
Question No.   Answer
9.1   (B) Dual Control
9.2   (B) Physical Access Control and Security Policy
9.3   (A) Detection Risk
9.4   (D) It is a set of globally accepted principles, practices, analytical tools and models.
9.5   (C) (i), (iv), (v), (vi)
9.6   (A) At least once in a year or more frequently, if warranted by the risk assessment.
9.7   (A) (ii), (iv), (iii), (i)

10. SMS Limited is a multinational company engaged in providing financial services all over India. Most of the transactions are done online. Presently, SMS Limited has a Centralized Data Server which is accessed by users from various geographical locations. However, their current system is unable to cope with the growing volume of transactions. Frequent connectivity problems, slow processing and a few instances of phishing attacks and virus attacks were also reported. Hence, the Company has decided to develop more comprehensive and robust in-house software for providing good governance and sufficient use of computer and IT resources, with effective and efficient controls provided in the system to ensure data integrity, confidentiality and availability.
Also, an updated backup plan is to be prepared for SMS Limited in order to specify the type of backup to be kept, the frequency with which backup is to be undertaken, procedures for making a backup, the location of backup resources, the site where these resources can be assembled and operations restarted, the personnel who are responsible for gathering backup resources and restarting operations, the priorities to be assigned to recovering various systems and a time frame for the recovery of each system. SMS Limited is also planning to take various types of insurance coverage for safeguarding its assets and to avoid unexpected future liabilities due to an unforeseen event or disaster.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos. 10.1 to 10.8.
10.1 Let us assume that the SMS Limited is adopting the Differential
Backup Plan/Strategy. In such a case, restoring from a
Differential backup would involve:
(A) Restoring from last full backup and then every
incremental backup
(B) Restoring from full backup-alone
(C) Restoring from last full backup and then the differential
backup
(D) Restoring from differential backup alone
10.2 SMS Limited has a Centralized Database Server which is being accessed by users from various geographical locations, and they have concurrency controls in their system that primarily ensure:
(A) Usability of Data
(B) Availability of Data
(C) Confidentiality of Data
(D) Integrity of Data
10.3 A few instances of phishing attacks were also reported in SMS Limited. Which of the following sections of the Information Technology Act, 2000 fixes liability on SMS Limited to secure the data of its customers?
(A) Section 43A
(B) Section 46
(C) Section 66D
(D) Section 75
10.4 Suppose you are appointed as an IS auditor of SMS Limited for auditing the Information System. You are determining what controls are exercised to maintain data integrity. You might also interview database users to determine their level of awareness of these controls. Which of the following Controls are you working on?
(A) Data Resource Management Control
(B) Security Management Control
(C) Operation Management Control
(D) Quality Assurance Control
10.5 SMS Limited is also planning to take various types of insurance coverage for safeguarding its assets and to avoid unexpected future liabilities due to an unforeseen event or disaster. Under which type of specific risk mitigation strategy does this Insurance Coverage fall?
(A) Terminate/Eliminate the Risk
(B) Treat/Mitigate the Risk
(C) Tolerate/Accept the Risk
(D) Transfer/Share the Risk
10.6 Due to the virus attack and phishing attack on the Information System of SMS Limited, and in order to protect its critical data from virus attacks, it is decided that in future employees' access to social networking sites needs to be limited. What type of risk response has SMS Limited exercised?
(A) Terminate/Eliminate the Risk
(B) Treat/Mitigate the Risk
(C) Tolerate/Accept the Risk
(D) Transfer/Share the Risk
10.7 Identify which of the following systems is very useful for the management of SMS Limited to remotely access documents/internal communication?
(A) Electronic Message Communication System
(B) Text Processing System
(C) Teleconferencing and Videoconferencing System
(D) Electronic Document Management System
10.8 Suppose you are an IT consultant of SMS Limited and advise the Board of Directors of the Company to use a Hot Site as a data backup alternative. Identify which of the following is your best explanation to the Board of Directors?
(A) The costs related with a hot site are low.
(B) The hot site can be used for a long period of time.
(C) That hot site does not require the equipment and
systems software to be compatible with the primary
installation being backed up.
(D) That hot site can be made ready for operation within a
short span of time.
Answer Key
Question No.   Answer
10.1   (C) Restoring from last full backup and then the differential backup
10.2   (D) Integrity of Data
10.3   (A) Section 43A
10.4   (A) Data Resource Management Control
10.5   (D) Transfer/Share the Risk
10.6   (B) Treat/Mitigate the Risk
10.7   (D) Electronic Document Management System
10.8   (D) That hot site can be made ready for operation within
a short span of time.

11. Queen was appointed as Manager – Operational Risk and Compliance in ABC Company. The HR of ABC Company had completed all the formalities for her appointment. Mr. Maharana, the head of the Human Resource (HR) department, had signed her joining letter with a black ink pen and delivered the same to her. On her joining, she was handed a well-written document by the HR Department that provided instructions to its employees on what kind of behavior or resource usage is required and acceptable in the Company. It also contained detailed information on how to protect the company's information assets and instructions regarding acceptable practices and behavior. In a week's time, she got to meet Mr. Raja, Chief Executive Officer (CEO) of ABC Company. Mr. Raja instructed her to conduct a broad review of the Human Resource Department process to determine the probable risks and to analyze the effectiveness and efficiency of the existing controls in the HR process.
Based on that, Ms. Queen started to review the HR processes and controls implemented in the company and highlighted the following key matters in her report submitted to the CEO:
Based on that, Ms. Queen started to review HR processes and controls
implemented in the company and highlighted following key matters in
her report submitted to CEO:
♦ Absence of rotation of duties control.
♦ Absence of Segregation of duties control.
♦ Lack of maker and checker concept.
♦ Manual authorization procedures exist.
♦ Key Man policies not implemented.
♦ Manual attendance registers and leaves record.
♦ Invalid data in Human Resource Computer System.
♦ Use of social networking websites like Facebook, Twitter etc. during office timings using computer resources of the HR Department.
♦ Plan & Budget approved for development of Robust & Fully Automated Payroll Software but not implemented till date.
♦ Implementation of the BYOD concept suggested.
The CEO Mr. Raja appreciated the detailed report of Ms. Queen and started taking corrective steps for improvement.

Based on the facts of the case scenario given above, choose the most appropriate answer to Q. Nos. 11.1 to 11.7.
11.1 On joining ABC Company as Manager - Risk and Compliance, Ms. Queen was given a well-written document that provided instructions to employees on what kind of behavior or resource usage is required and acceptable in ABC Company. It also provided information on how to protect ABC Company's information assets and instructions regarding acceptable practices and behavior. Identify the document that was given to Ms. Queen on her joining ABC Company.
(A) Appointment Policy
(B) Information Security Policy
(C) Network Access Control Policy
(D) Information System Control Policy
11.2 Which of the following would be best to provide integrity assurance of Ms. Queen (new staff) and can be treated as a preventive control measure for ABC Company?
(A) Background Screening
(B) References
(C) Bonding
(D) Qualifications listed on a resume
11.3 During the review, Ms. Queen found that the head of the HR Department, Mr. Maharana, uses a black pen for signing every official document. During computerization, ABC Company decided to replace it with computerized authorization controls written into the computer programs. Identify the Internal Control Procedure that has been computerized by ABC Company in this case.
(A) Segregation of Duties
(B) Management Supervision
(C) Authorization Procedure
(D) Delegation of Authority and Responsibility
11.4 During the review, Ms. Queen found that an employee, Mr. X, is using social networking websites, i.e., Facebook and Twitter, after office hours. Under which of the following sections of the Information Technology Act, 2000 shall he be punishable?
(A) Under Section 43
(B) Under Section 66A
(C) Under Section 66D
(D) Not be punishable unless they come under the
provisions of the Indian Penal Code, 1860
11.5 In the given case scenario, implementation of a Bring Your Own Device (BYOD) policy makes ABC Company's systems vulnerable to related threats. Any lost or stolen device could result in enormous financial and reputational embarrassment to the company. Which of the risks does this refer to?
(A) Device Risk
(B) Implementation Risk
(C) Confidentiality Risk
(D) Application Risk
11.6 In the given case scenario, while achieving the objectives of requirements analysis, the process of understanding the present payroll system and its related problems comes under which of the following steps?
(A) Fact finding
(B) Analysis of present system
(C) Requirements of proposed systems
(D) Identifying rationale and objectives
11.7 Suppose you are appointed as an IS auditor of ABC Company. You wish to determine the extent to which invalid data may be contained in the computer system of the HR Department, which may include invalid job classification, age in excess of retirement age etc. The best approach to determine the extent of the potential problem is to:
(A) Submit test data to test the effectiveness of edit controls over the input of data.
(B) Review and test access controls to ensure that access is limited to authorized individuals.
(C) Manually check the data stored in the computer system one by one.
(D) Use generalized audit software to develop a detailed report of all data outside specified parameters.
Answer Key
Question No.   Answer
11.1   (B) Information Security Policy
11.2   (A) Background Screening
11.3   (C) Authorization Procedure
11.4   (D) Not be punishable unless they come under the provisions of Indian Penal Code, 1860
11.5   (A) Device Risk
11.6   (B) Analysis of present system
11.7   (D) Use generalized audit software to develop a detailed report of all data outside specified parameters.

12. Gold Silver Watch India Limited (GSWIL) is a company domiciled in India, with its registered office situated at Mumbai. The Company has been incorporated under the provisions of the Indian Companies Act and its equity shares are listed on the National Stock Exchange (NSE) and Bombay Stock Exchange (BSE) in India. The Company is primarily involved in the manufacturing and sale of Gold and Silver Watches, Jewelry, Eyewear and other related accessories and products. The Company has 200 retail stores located all over India and has launched a Loyalty Card for its customers, for which the customer data for the loyalty card issued by a retail store is picked from a form filled in by the customer. The data from the form is entered into the software by data entry operators who report to a manager. In order to protect customer data, Segregation of Duties is built into the software in such a way that the operators have permission only to enter data. Any editing or modification can be done only by the manager. The retail stores across India collecting customer data for loyalty programs consolidate it into one database that is accessible from a centralized IT server anytime, anywhere. The Company also maintains a separate fully equipped facility to which it can move immediately after a disaster and resume business. The Company's Data Centre houses about 350 employees who are involved in handling the business processes of the Company, and for security reasons, Management decides to shift its network server and mail server to a secluded room with restricted entry.
On the recommendation of the Chief Information Officer of the Company, the existing system of the company is being extensively enhanced by extracting and reusing design and program components.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos. 12.1 to 12.8.
12.1 In the given case scenario, the manager quits his employment and the store elevates one of its existing operators to the position of manager. Who do you think is responsible for removing the permissions of the existing manager and assigning those of the new manager?
(Assume there are no distributed systems.)
(A) Vice President of GSWIL
(B) New Manager
(C) System Administrator
(D) Information Owner
12.2 Gold Silver Watch India Limited (GSWIL) decides to control the
access to a software application by segregating entry level and
updating level duties. What type of Internal Control does this
amount to?
(A) Physical Implementation of a Control
(B) Corrective Control
(C) Detective Control
(D) Preventive Control
12.3 Gold Silver Watch India Limited (GSWIL) has a data centre housing about 350 employees involved in handling the business processes of the company. For security reasons, it decides to shift its network server and mail server to a secluded room with restricted entry. What kind of internal control is applied by the Company in this situation?
(A) Manual Preventive Control
(B) Manual Detective Control
(C) Computerized Preventive Control
(D) Computerized Corrective Control
12.4 Suppose you are appointed as an IS auditor of Gold Silver
Watch India Limited (GSWIL). Which of the following steps
would you normally perform first in a data center security
review?
(A) Evaluate physical access test results
(B) Determine the risks/threats to the data center site
(C) Review business continuity procedures
(D) Test for evidence of physical access at suspect locations
12.5 Gold Silver Watch India Limited (GSWIL) maintains a separate
fully equipped facility where the company can move
immediately after disaster and resume business. This facility is
known as:
(A) Warm Site
(B) Cold Site
(C) Hot Site
(D) Disaster Recovery Plan
12.6 In Gold Silver Watch India Limited (GSWIL), an IS auditor wants to collect evidence based on system user profiles. Which of the following can be used by the IS auditor to achieve this objective?
(A) Continuous and intermittent Solution (CIS)
(B) Audit Hooks
(C) System Control Audit Review File (SCARF)
(D) Integrated Test Facility (ITF)
12.7 On the recommendation of the Chief Information Officer of the Company, the existing system of the company is being extensively enhanced by extracting and reusing design and program components. This is classified as ____________.
(A) Reverse Engineering
(B) Prototyping
(C) Software reuse
(D) Reengineering
12.8 If Gold Silver Watch India Limited (GSWIL) has been found negligent in handling personal information of customers, then the company's liability for damages is covered under __________.
(A) Information Technology Act, 2000, Section 7A
(B) Right to Information Act, 2000, Section 43A
(C) Information Technology Act, 2000, Section 43A
(D) Right to Information Act, 2000, Section 7A
Answer Key
Question No.   Answer
12.1   (C) System Administrator
12.2   (D) Preventive Control
12.3   (A) Manual Preventive Control
12.4   (B) Determine the risks/threats to the data center site
12.5   (C) Hot Site
12.6   (C) System Control Audit Review File (SCARF)
12.7   (D) Reengineering
12.8   (C) Information Technology Act, 2000, Section 43A

13. ABC Capital Finance Limited (‘the Company’ or ‘ACFL’) was inaugurated on 21st July 2019. The Company is registered with the Reserve Bank of India (RBI) as a Non-Banking Financial Company vide Certificate No. N-13.14.2019. The Head Office/Corporate Office of the Company is situated at Mumbai. The Company is primarily engaged in the Lending Business. There are 10 Regional offices and 255 branches located all over the country that use various types of remote access information systems for smooth and fast processing of different types of loan applications across all branches & regional offices.
The Company has adopted an internal control framework in line with Section 134(5)(e) of the Companies Act, 2013 and as per Clause 49 V (C) and (D) of the SEBI Equity Listing Agreement, ensuring the orderly and efficient conduct of its business, including adherence to the Company's policies, safeguarding of its assets, prevention and detection of frauds and errors, and accuracy and completeness of information to various stakeholders. The Company is hosted on a robust Data Centre (DC) and Disaster Recovery (DR) Centre designed on the fundamental principles of data security, data integrity, data availability and data scalability, and has strict information security procedures. The Company also entered into a reciprocal agreement with TBJ Capital Finance Limited (i.e., an Internal Business Group Company) as one of its strategies in Disaster Recovery Planning. The Management of the Company appointed a reputed Mumbai-based Chartered Accountancy Firm called DKT, specialized in IS audit, for conducting the Information System Audit of the Company. Further, the Company is now gearing up to enhance its technology capabilities across other areas such as mobile computing, cloud computing, BYOD and adoption of the COBIT 5 framework.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos. 13.1 to 13.8.
13.1 In the given case scenario, the provisions of Clause 49 V (C) and (D) of the SEBI Equity Listing Agreement issued by SEBI in India are on similar lines to the SOX regulation, which has made a major change in internal controls by holding ______ responsible for the establishment and maintenance of Internal Controls.
(A) Managing Director of ABC Capital Finance Limited
(B) Board of Directors of ABC Capital Finance Limited
(C) Audit Committee of ABC Capital Finance Limited
(D) CEO/CFO of ABC Capital Finance Limited
13.2 Mr. Ravi is a member of the IS audit team appointed by DKT. He is evaluating whether a high-quality information systems plan formulated by the top management of ABC Capital Finance Limited is appropriate to the needs of the company or not. Which of the following activities is he working on?
(A) Leading
(B) Organizing
(C) Planning
(D) Controlling
13.3 A Vehicle Loan application filed in an Indore Branch of ACFL can be accessed by the sanctioning officer for scrutiny at its Head Office situated at Mumbai. In the given case, which of the following systems is very useful for a sanctioning officer at the Head Office for remote access of the vehicle loan application?
(A) Electronic Message Communication System
(B) Text Processing System
(C) Teleconferencing and Videoconferencing System
(D) Electronic Document Management System
13.4 ABC Capital Finance Limited has strict Information Security Procedures. One of the requirements that has to be adhered to under these procedures is to set a strong login password. Which of the following is an example of a strong password?
(A) Abcde
(B) Bosy98
(C) 54321
(D) ppRqs$W
13.5 An IS auditor is required to check whether the Application System is calculating correct interest on loans provided by ABC Capital Finance Limited, using the creation of a dummy entity in the application system. Identify which of the following auditing techniques this process refers to, so that the authenticity and accuracy of the processes can be verified.
(A) Snapshot
(B) Integrated Test Facility (ITF)
(C) Audit Hooks
(D) Audit Trail
13.6 ABC Capital Finance Limited entered into a reciprocal agreement with TBJ Capital Finance Limited (i.e., an Internal Business Group Company) as one of the strategies of Disaster Recovery Planning. Identify which of the following risk treatment approaches this indicates.
(A) Transfer/Share the risk or Risk Transfer
(B) Terminate/Eliminate the risk or Risk Avoidance
(C) Treat/Mitigate the risk or Risk Mitigation
(D) Tolerate/Accept the Risk or Risk Acceptance
13.7 XYZ Limited is engaged in providing Data Processing Services. It received a big contract from ABC Capital Finance Limited (a Non-Banking Financial Company) for its various loan processing activities. XYZ Limited has limited personal computers at its office, so it approached Amazon Web Services to provide it access to Virtual Machines for data processing. Which Cloud Computing Service Model is XYZ Limited using?
(A) Software as a Service (SaaS)
(B) Platform as a Service (PaaS)
(C) Infrastructure as a Service (IaaS)
(D) Network as a Service (NaaS)
13.8 ABC Capital Finance Limited has an effective internal control
system that includes Segregation of Duties. Is Segregation of
Duties useful for the Company? Why?
(A) Yes, it reduces employee cost.
(B) No, it complicates the role of the manager who has to
manage more employees.
(C) Yes, it reduces fraud risk & facilitates accuracy check of
one person’s work by another.
(D) No, it is not an advantage; it increases employee cost.
Answer Key
Question No.    Answer
13.1 (D) CEO/CFO of ABC Capital Finance Limited
13.2 (C) Planning
13.3 (D) Electronic Document Management System
13.4 (D) ppRqs$W
13.5 (B) Integrated Test Facility (ITF)
13.6 (C) Treat/Mitigate the risk or Risk Mitigation
13.7 (C) Infrastructure as a Service (IaaS)
13.8 (C) Yes, it reduces fraud risk & facilitates accuracy
check of one person’s work by another.

14. Great India Gramin Co-Operative Society Bank Limited was established in
the year 2000. It is a single state scheduled rural cooperative bank
that provides banking facilities to some villages of Rajasthan only. In
2001, an internal review was conducted by a team from the Inspection and
Supervision Department of the National Bank for Agriculture & Rural
Development (NABARD) that highlighted certain key control issues,
as follows:
• The password policies were prescribed but not implemented by
the bank.
• Branches use an outdated security manual or documentation of
security procedures.
• There was only one ATM machine near the Bank premises, which had
deposit as well as withdrawal facilities. Its maintenance was
outsourced to a third party. The service level agreement had not
been renewed for the last three years, and there had been no
security guard for the last six months.
• During the inspection, it was observed that while refilling cash in
the ATM machine, the presence of a security guard was not mandatory.
• Illegal and unauthorized software were installed on a few computer
systems of the Bank.
• Antivirus software was not updated on a few computers of the
bank's branches.
• A Disaster Recovery Plan existed but was not tested by the
employees.
• During the inspection, the Inspection and Supervision team observed a
fraud where an employee had transferred small amounts of
money from various account holders to his own account while
rounding off in the computerized banking system. That fraud
amounted to ₹ 2,49,587/-.
After the review report, NABARD instructed Great India Gramin Co-
Operative Society Bank Limited to sort out the security control
weaknesses and demanded reasonable assurance of better security
control in future in an effective and efficient manner.
Subsequently, the Bank worked on all the observations made by NABARD
and established the following controls:
• Highly qualified IT personnel were appointed in every branch.
• Strict follow-up and compliance with the Information Security and
Password Policy for all users.
• Fulfilled the mandatory requirement of two personnel for
accessing and refilling cash in the ATM machine.
• Predefined roles and responsibilities for each employee.
• Regular training on risk awareness to be given to every
employee on a periodic basis.
• Updated antivirus software, Intrusion Detection System and
firewall on all computers.
• CCTV cameras were installed in every branch of the Bank.
• A bio-metric attendance system was made compulsory for every
employee of the Bank.
• The service level agreement with the ATM Caretaker Company was
renewed to provide an ATM security guard.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos. 14.1 to 14.6.
14.1 Under which control has Great India Gramin Co-Operative Society
Bank Limited implemented the mandatory practice of
appointing two personnel for accessing and refilling cash in
the ATM?
(A) Input/ Output Verification
(B) Supervisory Control
(C) Dual Control
(D) Maker Checker Control
14.2 The Inspection team observed a fraud where an employee
transferred small amounts of money from various account
holders to his own bank account while rounding off. That fraud
amounted to ₹ 2,49,587/-. Identify the appropriate
example of the Rounding Down Technique from the options given
below that may have been used by that employee.
(A) Turning ₹ 102.02 To ₹ 102.00
(B) Turning ₹ 102.02 To ₹ 102.10
(C) Turning ₹ 102.02 To ₹ 102.50
(D) Turning ₹ 102.02 To ₹ 102.05
14.3 In the given case scenario, the cashier also had the right to
authorize the withdrawal cheques of account holders; which type
of operational control issue in the bank does this fall under?
(A) Lack of appropriate Segregation of Duties
(B) Lack of password control policy
(C) Lack of supervision of branch manager
(D) Lack of detection control over operation
14.4 From the given case scenario, it is observed that proper division
of work and responsibility is necessary to ensure that one
person cannot single-handedly commit a fraud. This can be
achieved by using the concept of __________.
(A) Access Control
(B) Segregation of Duties
(C) Need to know
(D) Least privilege
14.5 Great India Gramin Co-Operative Society Bank Limited has a
password policy, but it was not implemented properly; therefore,
users were able to keep short passwords for their convenience
when accessing the banking system. This refers to ___________ under
Information System concepts.
(A) Threat
(B) Exposure
(C) Vulnerability
(D) Attack
14.6 Great India Gramin Co-Operative Society Bank Limited
implemented a new and strict password policy where users
must keep a minimum 8-character alphanumeric login
password, and that password must be reset after 30 days to
retain access to the Banking System. As per the classification of
Information System controls, which type of control is this?
(A) Preventive control
(B) Detective control
(C) Corrective control
(D) Compensatory control
Answer Key
Question No.    Answer
14.1 (C) Dual Control
14.2 (A) Turning ₹ 102.02 To ₹ 102.00
14.3 (A) Lack of appropriate Segregation of Duties
14.4 (B) Segregation of Duties
14.5 (C) Vulnerability
14.6 (A) Preventive control

15. In the recent past, the Indian Private Sector has invested heavily in IT
infrastructure. However, the incidence of cyber terrorism, theft of data,
hacking and DoS attacks on company websites is alarming.
There is a huge increase in attacks on websites and theft of data. The
information related to these attacks is usually kept under a "Strict" policy
to avoid embarrassment in front of business partners, investors, media and
customers. Huge losses sometimes remain un-audited, and the only
solution the companies have found is to develop a model where one
can see a long-run, business-led approach to Information Security
Management. Companies are adopting this approach to build their
Security Infrastructure. One of the models that helps companies
maintain IT security through ongoing, integrated management of
policies and procedures, personnel training, selecting and implementing
effective controls, reviewing their effectiveness and improvement is the
Information Security Management System (ISMS). The other benefits
of an ISMS are improved customer confidence, a competitive edge,
better personnel motivation and involvement, and reduced incident
impact. Ultimately these benefits increase the profitability of companies.
There is an international professional association that provides the
management of companies with guidance on Information Technology
management, control and security, and provides IS auditors with guidance on
various Information Technology associated risks and recommended
practices. Many Indian companies have taken various international
certifications to obtain clients' assurance. Certification controls the dependency
on any individual and puts reliance on the processes. It certifies
companies, which means that an independent certification body
confirms that the implementation of information security in the
company is under defined policies and procedures. Information
systems help the company take strategic decisions for growth
and increase its profitability in the competitive environment.
Information systems also play a vital role in the enterprise
collaboration and management and strategic success of businesses
that must operate in an inter-networked group environment and also
facilitate E-business and E-commerce operations.
In India, the concept of Governance, Risk and Compliance
(GRC) has become a regulatory requirement not only for listed
enterprises but also for all types of enterprises. The Securities and
Exchange Board of India (SEBI), RBI, IRDA and other regulatory
authorities also support the concept of GRC and issue various rules
and regulations.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos. 15.1 to 15.5.
15.1 In the purview of the given case scenario, identify the model that helps
companies maintain IT security through ongoing, integrated
management of policies and procedures, personnel training,
selecting and implementing effective controls, reviewing their
effectiveness and improvement.
(A) British Standard BS 7799 (ISO 27001)
(B) Sarbanes Oxley Act, 2003
(C) Information Technology Infrastructure Library (ITIL)
(D) Committee of Sponsoring Organizations (COSO) 2013
15.2 In recent years, cyber terrorism, theft of data, hacking and
DoS attacks on Indian companies' websites have become alarming. Among
the above attacks, what is the main purpose of a Denial-of-
Service attack?
(A) To execute a Trojan on an information system
(B) To exploit a weakness in the TCP/IP stack
(C) To shutdown services by turning them off
(D) To overload a system so that it is no longer operational
15.3 Identify which of the following clauses of the Listing Agreement
issued by SEBI in India is on similar lines to the SOX regulation.
(A) Clause 22
(B) Clause 35
(C) Clause 49
(D) Clause 56
15.4 Corporate Governance including Internal Controls, Enterprise
Risk Management etc. are covered under the provisions of
______.
(A) Section 126A of Sarbanes Oxley Act, 2000
(B) Section 43A of the Information Technology Act, 2000
(C) Clause 49 of the Listing Agreement of SEBI
(D) Section 14A of the Gramm Leach Bliley Act, 1999
15.5 In social media risk management, the most important asset
an IS auditor focuses on is _________.
(A) Brand and reputation
(B) Compliance to policy
(C) Corrective controls in place
(D) Type of service offered by social media
Answer Key
Question No.    Answer
15.1 (A) British Standard BS 7799 (ISO 27001)
15.2 (D) To overload a system so that it is no longer
operational
15.3 (C) Clause 49
15.4 (C) Clause 49 of the Listing Agreement of SEBI
15.5 (A) Brand and reputation
16. Healthcare is an area where any nation's Government must invest, as
the growth of any nation is directly related to the health of its population.
With the growing population, the demand in the Indian healthcare
industry has drastically changed, including in terms of the IT requirements of
hospitals. The challenges existing within the current healthcare
system must be catered to. In the current situation, some challenges are
insufficient good quality care, mainly in rural areas; lack of health
centres equipped with specialized doctors, nurses and infrastructure like
beds, equipment and diagnostic labs; manual processing of patients'
records and appointments; non-availability of medicines and treatment,
etc. Under this situation, automation is the only solution that makes
processing in hospitals hassle-free, to maintain and monitor the quality
of medical services in a holistic manner. The automation comes with the
challenge of securing the sensitive information of the patients
undergoing treatment in a hospital.
Owing to the facts of the health industry, one of the reputed hospitals,
named ABC Hospital, having a network of five hospitals under it in
Delhi/NCR, has implemented the automation of its business
processes well. All the hospitals use a user-friendly ERP package named
"SafeHealthWiz" and are well connected with each other using a
central database.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos. 16.1 to 16.4.
16.1 Due to a security breach, the database of all the patients of ABC
Hospital became available in the public domain. Under which section of
the IT Act, 2000 is the hospital bound to compensate for the
failure to protect the critical details of its patients?
(A) Section 43
(B) Section 43A
(C) Section 44
(D) Section 45
16.2 All the five branches of the hospital in Delhi/NCR are
interconnected with each other through a central database.
Patients may visit any of these five branches with no hassle of
carrying their past prescriptions. Using technology, the complete
medical history of the patient is available in any of these
branches of the hospital. What do you think is the technology
behind such a concept?
(A) Cloud Computing
(B) Bring Your Own Device
(C) Grid Computing
(D) Mobile Computing
16.3 During the data backup process from the Central Server, an IT
supervisor noticed that many invoices from the Faridabad branch of
ABC Hospital involved slicing of small amounts of money from a
computerized transaction or account. Which type of technical
exposure does this refer to?
(A) Data Diddling
(B) Salami Technique
(C) Bomb
(D) Worm
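The rounding-down pattern in Q. 14.2 and the salami technique in Q. 16.3 are the same control weakness seen from two sides: paise are shaved from many entitlements and pooled in one account. The following Python detection check is an added example, not part of the booklet; it runs over a constructed ledger of (account, computed amount, posted amount) postings and assumes a hypothetical round-half-up-to-the-paisa posting rule and a 90% pooling threshold.

```python
"""Detecting a rounding-down (salami) diversion in a constructed interest ledger.

Added example, not from the booklet. Each posting is (account, computed, posted):
computed is what the interest formula produced (4 decimal places here), posted is
what the core banking system actually credited. Amounts stay as strings so that
Decimal keeps them exact; float would introduce its own rounding noise.
"""
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP

PAISA = Decimal("0.01")

# Constructed sample: three customers lose 2, 7 and 2 paise each; two are paid
# exactly; EMP777 (an employee's account) receives the pooled 11 paise.
SAMPLE_POSTINGS = [
    ("ACC001", "102.0234", "102.00"),   # entitled 102.02, rounded down to 102.00
    ("ACC002", "58.5749", "58.50"),     # entitled 58.57, rounded down to 58.50
    ("ACC003", "77.3600", "77.36"),     # paid correctly
    ("ACC004", "240.1180", "240.10"),   # entitled 240.12, rounded down to 240.10
    ("ACC005", "15.0000", "15.00"),     # paid correctly
    ("EMP777", "0.0000", "0.11"),       # no entitlement, yet credited 0.11
]


def entitled_amount(computed: str) -> Decimal:
    """Assumed legitimate posting rule: round half up to the nearest paisa."""
    return Decimal(computed).quantize(PAISA, rounding=ROUND_HALF_UP)


def salami_indicators(postings, max_slice: Decimal = Decimal("1.00")) -> dict:
    """Compare entitlement with posting for every account.

    A salami pattern has many shortfalls each smaller than max_slice whose total
    reappears as an excess credit on one or a few accounts. Returns the number of
    shaved victims, the total shaved, and the accounts whose excess covers at least
    90% of that total (the 90% threshold is an assumption for this example).
    """
    shortfall = defaultdict(Decimal)   # account -> paid below entitlement
    excess = defaultdict(Decimal)      # account -> paid above entitlement
    for account, computed, posted in postings:
        diff = entitled_amount(computed) - Decimal(posted)
        if diff > 0:
            shortfall[account] += diff
        elif diff < 0:
            excess[account] += -diff

    small_slices = {a: d for a, d in shortfall.items() if d < max_slice}
    shaved = sum(small_slices.values(), Decimal("0"))
    suspects = sorted(
        a for a, e in excess.items() if shaved > 0 and e >= shaved * Decimal("0.9")
    )
    return {
        "victims": len(small_slices),
        "shaved": shaved,
        "suspects": suspects,
        "excess": {a: str(e) for a, e in excess.items()},
    }


if __name__ == "__main__":
    report = salami_indicators(SAMPLE_POSTINGS)
    print(f"{report['victims']} accounts shaved a total of {report['shaved']}")
    print("pooled into:", report["suspects"])
```

The same comparison can be run against the posted interest of a whole cycle; a genuine rounding rule produces shortfalls and excesses that cancel across accounts rather than a one-way flow into a single beneficiary.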
16.4 The management of ABC Hospital entered into a contract
whereby they hired a third party for the backup and recovery
process of each of its branches. The IT security administrator
must ensure that all of the following are incorporated in the contract
except _______.
(A) The conditions under which the site can be used.
(B) The facilities and services the site provider agrees to
make available.
(C) How soon the site will be made available subsequent to
a disaster.
(D) The frequency for which the site provider agrees to
make itself available for a particular time period.
Answer Key
Question No.    Answer
16.1 (B) Section 43A
16.2 (A) Cloud Computing
16.3 (B) Salami Technique
16.4 (D) The frequency for which the site provider agrees to
make itself available for a particular time period.

17. XYZ University was established in the year 1965 in India and is now
one of the premier universities in India. At present, there are 30
affiliated colleges under its umbrella. These colleges operate
independently, with XYZ University having some level of control or
influence over their academic policies, standards or programs. In the
recent past, XYZ University proposed that, irrespective of
whether the affiliated colleges have their own Library Management
System or not, each college must have a commonly shared Online
Library Management System (LMS) under its brand name. The
management of XYZ University envisaged that –
♦ The shared LMS can streamline working practices, allowing all
the affiliated colleges to share their e-learning resources with
each other. These resource files are provided as a service
through different networks using Cloud Computing.
♦ Students and researchers will be provided a common platform
so that all stakeholders, like students and faculties of these
affiliated colleges, can search e-library collections in a consistent
way and accordingly access and share their e-learning
resources such as e-books, e-lectures, webinars, videos and
PowerPoint presentations, etc.
♦ The e-learning resource pool is continuously enhanced, with
many lectures, webinars and PowerPoint presentations of
experts, faculties and motivational speakers getting added to
it on a regular basis.
♦ The resource pool is updated periodically in terms of addition of
relevant e-resources and deletion of irrelevant and redundant
content.
♦ Each college is required to pay on the basis of quantum of the
data accessed by its students, faculties and other authorized
users. The data may include text, images, sounds and videos.
♦ Each authorised stakeholder of these colleges will have a
unique username and password through which they can
access these files in read-only mode, with no rights to
modify, download, print or email any of them.
To acquire the requisite system, competent vendors were initially
requested to submit their Request for Proposals (RFP) for the
requirements highlighted by XYZ University. The RFPs were duly
considered and finally the vendor KIO Ltd. was selected. XYZ
University acquired the customized Online Library Management System
through the third-party vendor KIO Ltd.
The responsibility of the vendor KIO Ltd. covers the customization,
implementation and maintenance of the system, with 24x7
support. The centralized database is maintained on a server located in
the campus area of XYZ University with well-placed air-conditioners,
fire extinguishers, water and smoke detectors. The dedicated IT Team
members of KIO Ltd. have full access to modify, print, read
and email e-resource files as per the requests generated.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos. 17.1 to 17.8.
17.1 The online LMS of XYZ University is accessed by the registered
stakeholders of its affiliated colleges through a unique
username and password. The passwords can be changed by the
stakeholders. However, the password policy of the application
system is not strong enough and also allows weak passwords.
Which of the following precisely defines this feature of the
application system?
(A) Threat
(B) Vulnerability
(C) Risk
(D) Likelihood
17.2 The online Library Management System (LMS) of XYZ University
possesses the characteristics of _______, ______, ______ and
______ systems.
(A) Manual, Deterministic, Open, Abstract
(B) Automated, Probabilistic, Closed, Physical
(C) Automated, Deterministic, Closed, Abstract
(D) Automated, Deterministic, Open, Physical
17.3 To achieve the objective of restricting individual access
privileges to the online LMS and data of XYZ University to only
authorized users of the different affiliated colleges, including
librarians, faculties, students and IT Support Team members,
the Logical Access Controls are required to be well
implemented. Which of the following factors will not play any
considerable role while defining Logical Access Controls for the
online LMS?
(A) Confidentiality and Authorization of User
(B) Virus prevention and detection to the LMS
(C) Controlled visitors’ access to the library
(D) User training and tools for monitoring compliance
17.4 Let us assume that the IT Team members of KIO Ltd. run
data backup software on the online LMS of XYZ University on the first
Monday of every month to perform a complete backup of all the
resource files containing audio, video and PowerPoint files. On
Tuesday, the backup software scans the backup selection and
sends only new files and changes to existing files. You would
now have a second version of the changed files, and this
process continues. Which type of data backup does this
methodology refer to?
(A) Incremental Backup
(B) Differential Backup
(C) Full Backup
(D) Mirror Backup
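Q. 17.4 turns on what the Tuesday backup is compared against: the last full backup (differential) or the last backup of any kind (incremental), which also decides how many backup sets a restore must apply. As an added example (not part of the booklet), the Python simulation below runs a constructed four-day schedule for the e-resource pool in all three modes and rebuilds the file set from the restore chain; file names, version tags and the day labels are constructed.

```python
"""Full, differential and incremental backup selection and restore, as a
constructed simulation of the LMS backup schedule described in Q. 17.4.
Added example, not from the booklet."""

# Constructed daily snapshots of the e-resource pool: path -> content version tag.
# Mon is the monthly full backup; later days carry changes and one new file.
DAYS = ["Mon", "Tue", "Wed", "Thu"]
SNAPSHOTS = {
    "Mon": {"lecture1.mp4": "v1", "slides.pptx": "v1", "audio.mp3": "v1"},
    "Tue": {"lecture1.mp4": "v1", "slides.pptx": "v2", "audio.mp3": "v1"},
    "Wed": {"lecture1.mp4": "v1", "slides.pptx": "v2", "audio.mp3": "v2",
            "lecture2.mp4": "v1"},
    "Thu": {"lecture1.mp4": "v1", "slides.pptx": "v3", "audio.mp3": "v2",
            "lecture2.mp4": "v1"},
}


def changed_since(snapshot, reference):
    """Files that are new or whose version differs from the reference state."""
    return {p: v for p, v in snapshot.items() if reference.get(p) != v}


def run_schedule(mode):
    """Simulate one cycle. mode is 'full', 'differential' or 'incremental'.
    Returns dict day -> {path: version} actually written to the backup medium.
    The first day is always a full backup, as in the scenario."""
    backups = {}
    last_full = {}
    last_backup_state = {}
    for i, day in enumerate(DAYS):
        snap = SNAPSHOTS[day]
        if i == 0 or mode == "full":
            backups[day] = dict(snap)
            last_full = dict(snap)
        elif mode == "differential":
            # compared against the last FULL backup: changes accumulate each day
            backups[day] = changed_since(snap, last_full)
        elif mode == "incremental":
            # compared against the previous backup of any kind: only the new delta
            backups[day] = changed_since(snap, last_backup_state)
        else:
            raise ValueError(f"unknown mode {mode!r}")
        last_backup_state = dict(snap)
    return backups


def restore_chain(mode, target_day):
    """Backup sets that must be applied, in order, to rebuild target_day."""
    idx = DAYS.index(target_day)
    if mode == "full" or idx == 0:
        return [DAYS[idx]]
    if mode == "differential":
        return [DAYS[0], DAYS[idx]]          # full + latest differential
    return DAYS[: idx + 1]                   # full + every incremental since


def restore(mode, target_day):
    """Apply the chain and return the rebuilt file set (deletions not modelled)."""
    backups = run_schedule(mode)
    state = {}
    for day in restore_chain(mode, target_day):
        state.update(backups[day])
    return state


def files_sent(mode, day):
    """Sorted list of paths written on a given day under the chosen mode."""
    return sorted(run_schedule(mode)[day])


if __name__ == "__main__":
    for mode in ("full", "differential", "incremental"):
        sizes = {d: len(run_schedule(mode)[d]) for d in DAYS}
        print(f"{mode:12} files per day {sizes} restore Thu via {restore_chain(mode, 'Thu')}")
```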
17.5 After applying the standard selection criteria, XYZ
University selected KIO Ltd. for its proposed online LMS.
Identify the statement that shall not have formed part of the
contract between XYZ University and the vendor KIO Ltd.
(A) The description of the rights and responsibilities of both
the parties.
(B) Assurances about software and data security.
(C) The programming languages used in the development of
source code.
(D) Assurances for the performance.
17.6 The installation of water and smoke detectors, air-conditioners
and fire extinguishers near the server room located in the
campus of XYZ University is done to ensure that _________
controls are well implemented.
(A) Environmental
(B) Physical
(C) Managerial
(D) Application
17.7 Mr. A, the in-charge of the IT team of KIO Ltd., is responsible for
the maintenance of the online LMS of XYZ University. While on
duty, he receives an urgent call from his senior on his mobile
phone and leaves his system unattended. Finding this an
appropriate opportunity, a mischievous student, Mr. X, accesses
Mr. A's computer system in his absence, downloads many
resource files from the e-learning pool of the LMS and further shares
some of these files in the public domain. Under which section of
the IT Act, 2000 will Mr. X be held liable for his misdeed?
(A) Section 15
(B) Section 43
(C) Section 43A
(D) Section 45
17.8 The e-resource files are accessible to stakeholders of each
affiliated college of XYZ University on a pay-as-per-usage basis.
Which type of Cloud Computing Service Model provides such a
facility?
(A) Platform as a Service
(B) Data as a Service
(C) Software as a Service
(D) Infrastructure as a Service
Answer Key
Question No.    Answer
17.1 (B) Vulnerability
17.2 (D) Automated, Deterministic, Open, Physical
17.3 (C) Controlled visitors’ access to the library
17.4 (B) Differential Backup
17.5 (C) The programming languages used in the
development of source code.
17.6 (A) Environmental
17.7 (B) Section 43
17.8 (B) Data as a Service

18. ABC is a Domestic Airline having a Reservation System that runs in a
real-time environment, maintaining its records in electronic form so
that they remain usable for subsequent reference. The details of
electronic records are also maintained to facilitate the identification of
the origin, destination, date and time of dispatch or receipt of such
electronic records.
ABC Airlines has well implemented the COBIT 5 business framework
for the governance and management of enterprise Information
Technology. As the nature of the transactions is online, cyber security is
a must. To address security issues like Confidentiality, Integrity
and Availability; ABC has documented its Information Security controls
and activities in a document referred to as the Information Security Policy.
Accordingly, the control procedures, secure system and secure
procedures are well implemented in the company.
Later, it was brought to the notice of the Top Management of ABC Airlines that
there are various computing resources in the System that are
essential for performing certain operations in ABC; however, these
resources lay underutilized most of the time. For a fair audit, ABC
Airlines hired an IS Auditor, Mr. A, who is expected to be competent
with regard to standards, practices and organizational processes
worldwide. Mr. A, along with his team members, prepared a checklist
to investigate and focus on areas like optimum utilisation of
computing resources, proper documentation, record maintenance, log
files, data backup procedures, etc.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos. 18.1 to 18.5.
18.1 To make use of non-utilized computing power of various
resources in an effective manner, it was decided by top
management of ABC Airlines that computing power of
underutilized resources may be shared with needy
organizations. Which technology is Top Management referring
to?
(A) Cloud Computing
(B) Web 3.0
(C) Green Computing
(D) Grid Computing
18.2 ABC Airlines prepared an Information Security Policy that will
include the following except ____________.
(A) Definition of Information Security
(B) Reasons for information security importance
(C) Specifications of Technologies and solutions
(D) Definition of all relevant information security
responsibilities
18.3 During the audit, Mr. A refused to conduct an audit of the
electronic records, stating that all the records must be provided
to him in physical format. Can ABC Airlines defend its stand of
maintaining electronic records and providing the same to Mr. A
for audit purposes?
(A) No, the maintenance of the physical records is required
to be maintained by ABC Airlines.
(B) Yes, under Section 7A of IT Act that is based on Audit of
Documents etc. maintained in electronic form.
(C) Yes, under Section 7 of IT Act that is based on
Retention of Electronic Records.
(D) Yes, under Section 7 of IT Act that is based on Audit of
Documents etc. maintained in electronic form.
18.4 Later, Mr. A made many recommendations in his post-audit
report. He recommended that, though to date there has not
been any case of interruption, ABC Ltd. should
develop a practical logistical plan known as a Business Continuity
Plan (BCP) to take care of partial or full recovery and restoration
in case of occurrence of any disaster. Which of
the following will not form part of the Business Continuity Plan
Methodology?
(A) Defining recovery requirements from the perspective of
business functions.
(B) Disaster prevention and impact minimization as well as
orderly recovery.
(C) Documenting the impact of an extended loss to key
business functions.
(D) Clear distinction and non-integration between Systems
Development process and business planning to keep
plan viable over time.
18.5 The Airline has well implemented the COBIT 5 business framework
for the governance and management of enterprise Information
Technology. Choose the incorrect statement related to
COBIT 5:
(A) The COBIT 5 framework integrates the two disciplines -
Governance and Management that encompass various
activities, organizational structures and serve same
purpose.
(B) COBIT 5 defines a set of enablers to support the
implementation of a comprehensive governance and
management system for enterprise IT.
(C) COBIT 5 provides all the required processes and other
enablers to support business value creation using IT.
(D) COBIT 5 framework can be implemented in all sizes of
enterprises, whether commercial, not-for-profit or in the
public sector.
Answer Key
Question No.    Answer
18.1 (D) Grid Computing
18.2 (C) Specifications of Technologies and solutions
18.3 (B) Yes, under Section 7A of IT Act that is based on
Audit of Documents etc. maintained in electronic
form.
18.4 (D) Clear distinction and non-integration between
Systems Development process and business
planning to keep plan viable over time.
18.5 (A) The COBIT 5 framework integrates the two
disciplines - Governance and Management that
encompass various activities, organizational
structures and serve same purpose.