<question>This course consists of __ weekly modules.

<variant>4

<variant>6

<variantright>8

<variant>10

<question>If I have a problem in the course I should:

<variant>Email the instructor.

<variantright>Report it to the Learner Help Center (if the problem is technical) or use the
"Report an Issue" button.

<variant>Call the instructor.

<variant>Drop the class.

<question>What types of assessments can be found in this course? You can select more
than one.

<variantright>Knowledge Check quizzes

<variantright>Peer Review exercise

<variant>Reading summaries

<variantright>Module Review quizzes

<question>All learners in this course are required to purchase the textbook.

<variant>True

<variantright>False

<question>A seal of approval can serve as a form of assurance for consumers.

<variantright>True

<variant>False

<question>The AICPA describes assurance as an independent professional service that
improves the quality of information for users.

<variantright>True

<variant>False

<question>According to the PCAOB, AICPA, and the IAASB, an auditor has a responsibility
to obtain absolute assurance that the financial statements are free of material misstatement.

<variant>True

<variantright>False

<question>The objective of an audit of financial statements by an independent auditor is:

<variantright>To express an opinion on whether the financial statements are presented in
conformity with GAAP, in all material respects.

<variant>To conclude whether the financial statements are free of all misstatements.

<variant>To establish and maintain sound internal controls.

<variant>To present the financial statements in conformity with GAAP, in all material
respects.

<question>All of the following are mentioned in the video as audit standard setters, except
for:

<variant>AICPA

<variant>IAASB

<variantright>FASB

<variant>PCAOB

<question>According to PCAOB standards, the auditor is required to (check all that apply):

<variant>A. Establish and maintain internal control that will initiate, record, process, and
report transactions consistent with management’s assertions embodied in the financial
statements

<variantright>B. Identify those circumstances in which GAAP has not been consistently
observed in the preparation of the financial statements.

<variantright>C. Plan and perform the audit to obtain reasonable assurance about whether
the financial statements are free of material misstatement.

<variantright>D. State whether, in his or her opinion, the financial statements are presented
in conformity with GAAP

<question>According to the PCAOB, AICPA, and the IAASB, an auditor has a responsibility
to obtain reasonable assurance that the financial statements are free of material
misstatement.

<variantright>A. True

<variant>B. False

<question>The PCAOB is the audit standard setter responsible for setting high-quality
international standards for auditing and assurance.

<variant>A. True

<variantright>B. False

<question>Which of the following is considered a form of attestation?

<variantright>A. Audit the financial statements

<variant>B. Establish sound accounting policies

<variant>C. Maintain good internal controls

<variant>D. Prepare the financial statements

<question>The objective of an audit of financial statements by an independent auditor is:

<variantright>A. To express an opinion on whether the financial statements are presented in
conformity with GAAP, in all material respects.

<variant>B. To conclude whether the financial statements are free of all misstatements.

<variant>C. To establish and maintain sound internal controls.

<variant>D. To present the financial statements in conformity with GAAP, in all material
respects.

<question>The trust relationship between the promiser and truster is unique to financial
reporting.

<variant>A. True

<variantright>B. False

<question>Which of the following is true about a verifier?

<variant>A. Is always hired by the promiser

<variantright>B. Helps bridge the gap between the promiser and truster

<variant>C. Is also known as the promiser

<question>Auditors are in the ‘comfort production business,’ as they give comfort to decision
makers who are vulnerable to erroneous, self-interested, and possibly fraudulent financial
statements from corporate management.

<variantright>A. True

<variant>B. False

<question>Which of the following is true about Phase 2 of the market game step-by-step
illustration?

<variantright>Grade quality is available to the market only after trading has been completed

<variant>New sellers will enter the market

<variant>This is the point where quality begins to converge

<question>In which phase of the market game step-by-step illustration shown in the lesson
videos does the verifier (i.e. the auditor) come into play?

<variant>Phase 1

<variant>Phase 2

<variantright>Phase 3

<variant>Phase 4

<question>The market game step-by-step illustration shown in the lesson videos shows that
Seller 1 benefits by hiring the auditor and being able to signal their quality grade to buyers in
conjunction with their asking price.

<variant>True

<variantright>False

<question>The market game step-by-step illustration showed that production of the highest
quality grade always resulted in the largest consumer surplus.

<variant>True

<variantright>False

<question>According to the video lesson, ‘The Market Game: Implications for Auditing,’ who
typically pays the auditor for verifying financial statements in the real world?

<variant>The Knower

<variantright>The Promisor

<variant>The Trustor

<variant>The Verifier

<question>Trustors will be willing to pay a higher price than they otherwise would pay for the
promisor’s stock after financial statement verification from an auditor.

<variantright>True

<variant>False

<question>According to the 1994 study by Kinney and Martin discussed in the lesson
videos, which of the following is true?

<variant>15 data sets of audit related adjustments were analyzed

<variant>Audit-related adjustments showed an overwhelmingly positive effect on pre-audit
net earnings and net assets.

<variantright>The average aggregate adjustment reduced earnings and assets by two to
eight times the minimum amount that would materially misstate the financial statements.

<question>According to the 2011 study by Minnis discussed in the lesson videos, which of
the following is true?

<variantright>Audited firms have a significantly lower cost of debt (i.e. are charged a lower
interest rate when they get a loan), compared to unaudited firms.

<variant>Audited firms enjoy a roughly 100 basis point lower interest rate, on average,
compared to unaudited firms.

<variant>Lenders do not place any weight on audited financial information in setting the
interest rate.

<question>Which of the following best describes ‘materiality?’

<variant>Data or information related to management’s financial statements

<variantright>The magnitude of a misstatement that makes it probable that the judgement of
a reasonable person relying on the information would have been changed or influenced by
the misstatement

<variant>The risk that the auditor expresses an inappropriate audit opinion when the
financial statements are materially misstated

<question>‘Evidence’ is best described as:

<variantright>Data or information related to management’s financial statements

<variant>The magnitude of a misstatement that makes it probable that the judgement of a
reasonable person relying on the information would have been changed or influenced by the
misstatement

<variant>The risk that the auditor expresses an inappropriate audit opinion when the
financial statements are materially misstated

<question>According to the videos, ‘audit risk’ is best defined as the risk that the audit firm
will be exposed to loss from events arising in connection with the financial statements (e.g.
litigation, penalties, reputational loss, lack of profitability).

<variant>True

<variantright>False

<question>Which of the following interact to influence the nature, extent, and timing of the
planned audit work (check all that apply):

<variantright>Audit risk

<variantright>Evidence

<variant>Liquidity

<variantright>Materiality

<question>Of the options below, which evidence would you say is most persuasive to the
balance sheet account "cash" for a calendar-year audit client?

<variant>Inquiry of management as to the balance in their bank account, corroboration of
this amount that management provides with a sample of three months of deposits traced
from deposit slips to cash ledger (specifically, Feb, March, and April of the year being
audited).

<variant>Inquiry of management as to the balance in their bank account, corroboration of
this amount that management provides with a sample of three months of deposits traced
from deposit slips to cash ledger (specifically Oct, Nov, Dec of the year being audited).

<variant>Confirmation with the bank regarding the balance as of the end of October of the
calendar year being audited, and the corroboration of this amount that management
provides with a sample of three months of deposits traced from deposit slips to cash ledger
(specifically, Feb, March, and April of the year being audited).

<variantright>Confirmation with the bank regarding the balance as of the end of December,
and the corroboration of this amount that management provides with a sample of three
months of deposits traced from deposit slips to cash ledger (specifically Oct, Nov, Dec of the
year being audited).

<question>Which of the following best describes ‘audit risk?’

<variant>The risk that the client will experience adverse outcomes as a result of economic
conditions, events, circumstances, or management action/inaction

<variant>The risk that the magnitude of a misstatement that makes it probable that the
judgement of a reasonable person relying on the information would have been changed or
influenced by the misstatement

<variantright>The risk that the auditor expresses an incorrect audit opinion when the
financial statements are materially misstated

<variant>The risk that the audit firm will be exposed to loss from events arising in connection
with the financial statements (e.g. litigation, penalties, reputational loss, lack of profitability)

<question>A material difference is best defined as one that:

<variant>Can result from fraud only

<variantright>Could affect the decisions of a reasonable person relying on the financial
statement information

<variant>Is typically small in nature

<variant>Is always easy to identify

<question>Which of the following best describes ‘Auditor’s Business Risk (ABR)?’

<variant>The risk of issuing an incorrect audit opinion (i.e. unqualified/clean) when the
financial statements are materially misstated

<variantright>The risk that the audit firm will be exposed to loss from events arising in
connection with the financial statements (e.g. litigation, penalties, reputational loss, lack of
profitability)

<variant>The risk that the client will experience adverse outcomes as a result of economic
conditions, events, circumstances, or management action/inaction

<variant>The risk that the audit procedures performed by an auditor will fail to detect a
material misstatement

<question>The Risk of Material Misstatement (RMM) is largely outside of the control of the
auditor.

<variantright>True

<variant>False

<question>Which of the following describes the correct equation for the ‘Risk of Material
Misstatement (RMM)?’

<variant>RMM = IR*CR*DR

<variant>RMM = DR*IR

<variantright>RMM = IR*CR

<variant>RMM = DR*IR/CR

<question>Which of the following describes the correct equation for the ‘Audit Risk model?’

<variant>Audit risk = IR*CR*RMM

<variantright>Audit risk = IR*CR*DR

<variant>audit risk = (IR/CR)*DR

<variant>audit risk = (DR*IR)/CR

<question>Which of the following best describes ‘Detection Risk (DR)?’

<variantright>The risk that the audit procedures performed by an auditor will fail to detect a
material misstatement

<variant>The risk that a material misstatement could occur, before the consideration of any
internal controls

<variant>The risk that controls present will not prevent, or detect or correct, a material
misstatement

<variant>The risk of issuing an incorrect audit opinion (i.e. unqualified/clean) when the
financial statements are materially misstated

<question>Information asymmetry can result in market failure.

<variantright>True

<variant>False

<question>Suppose Martha is a risk neutral person who wants to buy a used Toyota Prius.
It’s known that 70% of Priuses are good and worth $20,000. The other 30% of Priuses are
considered ‘lemons’ and are worth $7,000. What is the expected value (EV) of this car?

<variant>$7,000

<variantright>$16,100

<variant>$20,000

<variant>$27,000

<question>Suppose Frank is risk neutral and he wants to buy a used Maserati. It’s known
that 85% of Maseratis are good and worth $60,000. The expected value of a Maserati is
$50,000. What is the maximum amount Frank would be willing to spend on a used Maserati?

<variantright>$50,000

<variant>$58,500

<variant>$60,000

<question>One way to make the market for used cars function again after a market failure
due to information asymmetry, would be to get an audit about the car’s quality from a
mechanic.

<variantright>True

<variant>False

<question>Suppose Harry is a risk neutral investor that wants to buy a used Toyota Prius.
It’s known that 70% of Priuses are good and worth $20,000. The other 30% of Priuses are
considered ‘lemons’ and are worth $7,000. If Harry gets assurance from a mechanic, the
probability that the car is ‘good’ moves from 70% to 90%. What is the expected value of the
Toyota Prius with assurance?

<variant>$7,000

<variant>$16,100

<variantright>$18,700

<variant>$20,000

<question>Suppose Harry is a risk neutral investor that wants to buy a used Toyota Prius.
It’s known that 70% of Priuses are good and worth $20,000. The other 30% of Priuses are
considered ‘lemons’ and are worth $7,000. If Harry gets assurance from a mechanic, the
probability that the car is ‘good’ moves from 70% to 90%. What is the most Harry would be
willing to pay for this assurance?

<variant>$0

<variantright>$2,600

<variant>$7,000

<question>Signaling value reduces the problem of information asymmetry.

<variant>True

<variantright>False

<question>The probability of a transaction increases as the bid-ask price narrows.

<variantright>True

<variant>False

<question>Suppose Paul wants to buy a used Toyota Prius. It’s known that 85% of Priuses
are good and worth $18,000. The other 15% of Priuses are considered ‘lemons’ and are
worth $2,000. What is the expected value (EV) of this car?

<variant>$2,000

<variant>$4,400

<variantright>$15,600

<variant>$18,000

<question>Suppose Donna wants to buy a used Maserati. It’s known that 75% of Maseratis
are good and worth $80,000. The expected value of a Maserati is $70,000. What is the value
of a ‘lemon’ Maserati?

<variant>$10,000

<variantright>$40,000

<variant>$70,000

<variant>$80,000

<question>Assume that the expected value of a Honda Odyssey minivan is $6,000 and a
‘good’ Honda Odyssey is worth $11,000. Which of the following is true?

<variant>A risk neutral buyer would be willing to pay at least $11,000 to buy the minivan

<variantright>A risk neutral buyer would be indifferent between buying the car and paying
$6,000 or paying $0 and not buying the car

<variant>A seller who is certain they have a ‘good’ minivan would be willing to sell for less
than $6,000

<variant>A seller who is certain they have a ‘good’ minivan would be willing to sell at a
discounted price of $9,000

<question>Suppose Clara is a risk neutral investor that wants to buy a used Lamborghini
Aventador. It’s known that 80% of Aventadors are ‘good’ and worth $400,000. The other
20% of Aventadors are considered ‘lemons’ and are worth $50,000. If Clara gets assurance
from a mechanic, the probability that the car is ‘good’ moves from 80% to 95%. What is the
expected value of the Aventador with assurance?

<variant>$330,000

<variantright>$382,500

<variant>$390,250

<variant>$400,000

<question>Signaling value reduces the problem of adverse selection.

<variantright>True

<variant>False

<question>The probability of a transaction decreases as the bid-ask price narrows.

<variant>True

<variantright>False

<question>The auditor’s ultimate goal of a financial statement audit is to provide financial
statement users with absolute assurance that the financial statements prepared by
management are fairly presented.

<variant>True

<variantright>False

<question>Which of the following best describes the purpose of a financial statement audit?

<variantright>To form an opinion on whether the financial statements are free of material
misstatement

<variant>To provide financial statement users with absolute assurance that the financial
statements prepared by management are fairly presented

<variant>To maintain internal controls over financial reporting

<question>Two important factors that guide the audit are:

<variant>Absolute assurance and materiality

<variant>Inherent risk and materiality

<variantright>Reasonable assurance and materiality

<variant>Reasonable assurance and inherent risk

<question>Which of the following best describes audit risk?

<variantright>The risk that the auditor expresses an inappropriate audit opinion when the
company’s financial statements are materially misstated.

<variant>The risk that a material misstatement could occur, before the consideration of any
internal controls

<variant>The risk that controls present will not prevent, or detect or correct, a material
misstatement

<variant>The risk that the audit procedures performed by an auditor will fail to detect a
material misstatement

<question>Which of the following is NOT a direct component of audit risk?

<variantright>Business risk

<variant>Control risk

<variant>Detection risk

<variant>Inherent risk

<question>An effective audit plan relies on the audit team’s ability to identify and assess the
risk that the financial statements contain a material misstatement, whether caused by error
or fraud.

<variantright>True

<variant>False

<question>A financial statement audit is also referred to as a(n)?

<variant>Compilation

<variantright>Examination

<variant>Review

<question>A financial statement audit includes all of the following, EXCEPT:

<variantright>Maintenance of internal controls put in place by management

<variant>Assessment of the accounting principles used and estimates made by
management

<variant>Evaluation of the overall financial statement presentation

<question>All of the following are phases of the materiality process, EXCEPT:

<variant>A. Establish a materiality level for the financial statements as a whole

<variant>B. Determine an amount that should be used as a basis for designing audit tests

<variant>C. Evaluate audit results

<variantright>D. Assess the accounting principles used by management

<question>Tolerable misstatement is:

<variantright>A. Materiality used to establish a scope for the audit procedures for the
individual account balance or footnote disclosures

<variant>B. Materiality for the income statement as a whole

<variant>C. Materiality for the balance sheet as a whole

<variant>D. The amount of misstatement that management is willing to tolerate in the
financial statements

<question>In the study by Eilifsen and Messier, one main idea the authors discuss is how
firms determine multiple levels of quantitative materiality.

<variantright>A. True

<variant>B. False

<question>All of the following are mentioned in the video as quantitative benchmarks used
to determine overall materiality, EXCEPT:

<variant>A. Income before taxes

<variant>B. Total assets

<variantright>C. Total liabilities

<question>In the study by Eilifsen and Messier, the majority of the firms in the study used
what percentage range of overall materiality for determining tolerable misstatement?

<variant>A. 3% to 5%

<variantright>B. 50% to 75%

<variant>C. 70% to 90%

<question>The auditor’s ultimate goal of a financial statement audit is to provide financial
statement users with reasonable assurance that the financial statements prepared by
management are fairly presented.

<variantright>True

<variant>False

<question>Which of the following best describes the purpose of a financial statement audit?

<variant>To examine every transaction, control and event that may affect the company’s
financial statements

<variantright>To form an opinion on whether the financial statements are free of material
misstatement

<variant>To provide financial statement users with absolute assurance that the financial
statements prepared by management are fairly presented

<variant>To maintain internal controls over financial reporting

<question>Two important factors that guide the audit are reasonable assurance and
materiality.

<variantright>True

<variant>False

<question>Which of the following best describes audit risk?

<variantright>The risk that the auditor expresses an inappropriate audit opinion when the
company’s financial statements are materially misstated.

<variant>The risk that a material misstatement could occur, before the consideration of any
internal controls

<variant>The risk that controls present will not prevent, or detect or correct, a material
misstatement

<variant>The risk that the audit procedures performed by an auditor will fail to detect a
material misstatement

<question>Tolerable misstatement is best defined as:

<variant>Materiality for the income statement as a whole

<variant>Materiality for the balance sheet as a whole

<variantright>Materiality used to establish a scope for the audit procedures for the individual
account balance or footnote disclosures

<variant>The amount of misstatement that management is willing to tolerate in the financial
statements

<question>A financial statement audit includes all of the following, EXCEPT:

<variant>Examination of evidence supporting the amounts and disclosures in the financial
statements

<variant>Assessment of the accounting principles used and estimates made by
management

<variant>Evaluation of the overall financial statement presentation

<variantright>Maintenance of internal controls put in place by management

<question>In the study by Eilifsen and Messier, one main idea the authors discuss is the
firms’ guidance on the incorporation of qualitative factors in determining and evaluating
materiality.

<variantright>True

<variant>False

<question>All of the following are mentioned in the video as quantitative benchmarks used
to determine overall materiality, EXCEPT:

<variant>Income before taxes

<variant>Total assets

<variantright>Total expenses

<variant>Total equity

<question>In the study by Eilifsen and Messier, the majority of the firms in the study used
what percentage range of overall materiality for determining tolerable misstatement?

<variant>3% to 5%

<variant>25% to 50%

<variantright>50% to 75%

<variant>70% to 90%

<question>Assertions can only concern quantitative factors.

<variant>True

<variantright>False

<question>Assertions are best described as:

<variantright>Representations by management that are embodied in the financial statements

<variant>Conclusions by the auditor that the financial statements are free of misstatement

<variant>Statements by the shareholders that financial statements were used in the decision
making process

<question>The auditor gathers evidence to test management’s assertions.

<variantright>True

<variant>False

<question>Management assertions fall into two main categories.

<variant>True

<variantright>False

<question>The ‘completeness’ assertion refers to ensuring that transactions and events that
should have been recorded have actually been recorded.

<variantright>True

<variant>False

<question>Which assertion refers to amounts and other data that have been properly
recorded, within the appropriate accounting period, and in proper accounts?

<variant>Completeness

<variantright>Accuracy, cutoff, and classification

<variant>Existence

<variant>Valuation

<question>Which assertions may be tested for the ‘account balance’ category of
management assertions?

<variant>Occurrence, completeness, accuracy, and cutoff & classification

<variant>Occurrence, presentation & disclosure, and allocation

<variantright>Existence, completeness, rights & obligations, and valuation

<question>Tracing is used primarily to test which of the following assertions about classes of
transactions and events?

<variant>Existence

<variantright>Completeness

<variant>Cutoff

<question>Deferred Revenue, such as from the sale of a Starbucks gift card, should be
recorded by the firm as revenue on the income statement.

<variant>True

<variantright>False

<question>A proper audit procedure that might be used to verify that all gift card liabilities
are real would be to vouch from the gift card subledger to sales invoices.

<variantright>True

<variant>False

<question>Assume you are an auditor and your objective is to verify that unredeemed gift
cards that are recognized in the financial statements are classified as deferred revenue, not
revenue. Which financial statement assertion does this most likely pertain to?

<variant>Existence

<variant>Completeness

<variantright>Valuation

<question>Assume you are an auditor and your objective is to verify that all gift card
balances are recorded. Which financial statement assertion does this most likely pertain to?

<variant>Existence

<variantright>Completeness

<variant>Valuation

<question>Which of the following would be the best audit procedure to verify that
unredeemed gift cards are recognized as deferred revenue and not revenue?

<variant>Select a sample of sales invoices and match to the gift card subledger or general
ledger to ensure the sale was recorded.

<variant>Examine/reperform management’s hindsight analysis of abandonment.

<variant>Test a sample of gift card balances for unclaimed property compliance.

<variantright>Select a sample of sales invoices and match to the gift card subledger or
general ledger to ensure the sale was recorded in the proper account.

<question>Testing a sample of gift card balances for unclaimed property compliance is the
best audit procedure for verifying that all gift card balances are recorded.

<variant>True

<variantright>False

<question>Assertions can concern both quantitative as well as qualitative factors.

<variantright>True

<variant>False

<question>Assertions are best described as:

<variantright>Representations by management that are embodied in the financial statements

<variant>Conclusions by the auditor that the financial statements are free of misstatement

<variant>Statements by the shareholders that financial statements were used in the decision
making process

<variant>Opinions by the auditor that fraud was intentional

<question>Management assertions fall into three main categories.

<variant>True

<variantright>False

<question>Which assertion refers to whether all transactions and events that need to be
included in the financial statement have been recorded?

<variantright>Completeness

<variant>Existence

<variant>Rights & Obligations

<variant>Valuation

<question>The ‘valuation’ assertion refers to assets, liabilities, and equities that are included
at the appropriate carrying values per an acceptable accounting framework, such as GAAP.

<variantright>True

<variant>False

<question>All of the following are steps for assessing risk of material misstatement (RMM)
and verifying assertions, EXCEPT:

<variant>Assess and justify the assertion’s risk of material misstatement

<variantright>Assess the detection risk of the assertion

<variant>Determine an attest objective for verifying the assertion

<variant>Determine an attest procedure that addresses the risk of misstatement

<question>Deferred Revenue, such as from the sale of a Starbucks gift card, should be
recorded by the firm as a(n):

<variant>Asset

<variantright>Liability

<variant>Revenue

<variant>Expense

<question>Assume you are an auditor and your objective is to verify that unredeemed gift
cards are classified as deferred revenue not revenue. Which financial statement assertion
does this most likely pertain to?

<variant>Completeness

<variant>Existence

<variant>Rights and obligations

<variantright>Valuation

<question>Which of the following financial statement assertions best pertains to verification
that all gift card balances are recorded?

<variant>Existence

<variantright>Completeness

<variant>Presentation and disclosure

<variant>Valuation

<question>Which of the following would be the best audit procedure to verify that all gift card
balances are recorded?

<variantright>Select a sample of sales invoices and match to the gift card subledger or
general ledger to ensure the sale was recorded.

<variant>Examine/reperform management’s hindsight analysis of abandonment.

<variant>Test a sample of gift card balances for unclaimed property compliance.

<variant>Select a sample of sales invoices and match to the gift card subledger or general
ledger to ensure the sale was recorded in the proper account.

<question>What is risk?

<variantright>The occurrence of an event is uncertain, with the possibility of bringing
positive and/or negative impacts

<variant>The occurrence of an event is uncertain

<variant>Refers to natural disasters, while human impact is not part of the risk

<variant>The occurrence of an event must lead to the loss of money

<question>In the lecture video 1.2, Prof. Dias mentioned that internal man-made threat is
more serious than an external man-made threat. Why is it so?

<variantright>Internal man-made threat is relatively more difficult to be prevented as if a staff


is intended to steal the digital assets which he / she is being granted with corresponding
access rights to such digital assets according to his/her roles

<variant>External man-made threat can be eliminated by having right security architecture

<variant>External man-made threat is less vulnerable to an organization’s secret information
since hackers do not normally possess a good understanding of an organization’s technology
architecture

<variant>Internal man-made threat cannot be detected

<question>When determining the risk level of an event, which two elements of that event
should be assessed?

<variantright>“Impact” and “Probability”

<variant>“Impact” and “Source of impact (i.e. internal or external)”

<variant>“Management’s appetite” and “Resource availability”


<variant>“Timing” and “Duration”

<question>When making decisions to mitigate a risk, which of the following statements is
NOT correct?

<variantright>Risk can ultimately be eliminated by putting in the maximum level of controls

<variant>None of them is correct

<variant>The more controls you put in, the more risk can be mitigated

<variant>The more controls you put in, the higher the cost of controls

<question>After the remaining risk has been transferred to a third party on completion of the
risk mitigation exercise, which of the following statements is correct?

<variantright>The same risk level remains; however, the impact posed by the relevant event
will be compensated by the third party

<variant>Risk level is lowered since the probability of having the relevant event to happen is
reduced

<variant>Risk is eliminated

<variant>Risk level is lowered since the impact posed by the relevant event is reduced

<question>When is the best time to conduct risk re-evaluation against an activity?

<variantright>When any of these conditions happen, risk re-evaluation should be conducted

<variant>Engaging new technology to conduct such activity

<variant>Changing of relevant regulatory requirements

<variant>According to the periodic risk re-evaluation requirements as per internal control
policy (e.g. every 12 months)

<question>Which of the following is a detective control to address unauthorized network
access?

<variantright>Reviewing of system access log regularly

<variant>Granting network access to the system from designated MAC and IP address of a
network device
<variant>Using username and password to authenticate legitimate users to access a system

<variant>Enforcing strong password policy

<question>Preventive controls could prevent a risk being realized. Should we only
implement preventive controls?

<variantright>No – none of the preventive, detective and corrective controls alone can
mitigate risk effectively, and not every risk can be prevented or detected, so
implementing a combination of these types of controls would provide the best protection to
the organisation

<variant>No – cost of implementing preventive controls is higher than the other types of
controls

<variant>Yes – preventive controls and the other types of controls are mutually exclusive,
we only need to implement the best type

<variant>Yes – cost of implementing preventive controls is lower than the other types of
controls

<question>What is the control category of “data backup and restoration”?

<variantright>Both preventive and corrective

<variant>Preventive control

<variant>Corrective control

<variant>Detective control

<question>Your company is looking into the feasibility of building the data center near the
coast and your supervisor would like you to conduct a risk assessment exercise. How would
you get started?

<variantright>Use the risk matrix to calculate the impact and probability of the risk

<variant>Avoid the risk by not setting up any data centers

<variant>List all the ways possible to mitigate the risk and apply them into the company
immediately

<variant>Buy an insurance policy to eliminate all the risk straightaway


<question>In performing an IS audit exercise for a company for the first time, which of the
following information should the IS auditor review first?

<variantright>The company’s background and its audit areas

<variant>All the documentations relevant to the internal controls of the company

<variant>List of relevant policies and procedures of the company

<variant>The qualification of IS employees of the company

<question>Which of the following is NOT a major phase of the general audit procedure?

<variantright>Win an Audit Engagement

<variant>Fieldwork and Documentation

<variant>Planning

<variant>Reporting & Follow-up

<question>Which of the following areas would likely be audited when you are auditing a
financial reporting system (i.e., the system that generates financial statements)?
i. User list and corresponding access rights of such system
ii. The time required to generate the financial statement
iii. Approval flow and approval matrix for posting an accounting journal
iv. System change controls

<variantright>(i), (ii) & (iv)

<variant>(i) only

<variant>(ii) only

<variant>All of the areas should be audited

<question>During the “Fieldwork and Documentation” phase, if the audit client asks the IS
auditors to share the observations they have obtained, can the IS auditors provide such
information to the audit client?

<variantright>It depends – observations cannot be shared if they concern a crime, in which
case the IS auditors should first inform the regulator / law enforcement organisation

<variant>Yes – auditor should always share their observations, as the information obtained
belongs to the client
<variant>It depends – observations can only be shared to C-Suite client personnel (e.g.,
CEO, CFO, COO, CIO, etc.) of the audit client, but not other personnel

<variant>No – IS auditors should not share any observations as they have no responsibility
to make any advice verbally, other than issuing an audit report

<question>Which of the following is the best way to review whether the system users have
changed their password in accordance with the password policy in the past 12 months during
the relevant compliance testing?

<variantright>Review the global security setting of the system and check whether it is
configured in accordance with the company password policy

<variant>Randomly extract and review the password change audit trail from the system, say
3 of 12 months of audit trail

<variant>Interview the IT administrator of the system and ask for the usual practice

<variant>Interview a good sample, say 25% of total staff

<question>What is “Substantive Testing”?

<variantright>Audit procedure to collect evidence and evaluate the integrity of detail data,
programming code and/or change requests

<variant>Audit procedure to understand and review whether the internal controls are well
designed and being effectively followed

<variant>Audit procedure to observe the users' system behaviors in a system

<variant>Audit procedure to check whether there is proposal internal policy and procedure
are implemented

<question>Under what circumstance must IS auditors perform “Substantive Testing”?

<variantright>No program change policy is in place

<variant>Proper programme change policy is in place, with good internal controls design, but
it is not followed properly by the company

<variant>Proper program change policy is in place, with good internal controls design

<variant>Proper programme change policy is in place, but with bad internal controls design
<question>When IS auditors collect evidence, which of the following is the most trustworthy
source?

<variantright>Security configurations of the system downloaded by the IS auditor

<variant>Interview notes documented during the interview with the system administrator

<variant>Security configurations of the system downloaded by the system administrator

<variant>Documentation of security policy settings derived from the security policy

<question>When should IS auditors perform “Re-performance”?

<variantright>When reviewing the control of a critical function of a system, where any
failure of such control can possibly lead to a great financial impact

<variant>Every time when performing evidence collection exercise

<variant>When reviewing a control of a system module that the IS auditor is not familiar with

<variant>Better not to perform “Re-performance” unless it is requested by the senior IS
auditors - it is time-consuming and won’t provide better evidence than other types of
evidence collection approach

<question>An IS auditor needs to obtain samples of documents from the audit client, such
as program change request forms, to review the internal control of the audit client over the
past 12 months. What would be the most appropriate action that the IS auditor should do in
terms of sampling?

<variantright>IS auditor to determine the number of samples required, randomly pick the
required samples based on the full set of documents from the last 12 months, and request
the audit client to provide accordingly

<variant>IS auditor to determine the number of samples required, audit client to pick the
required number of documents from the last 12 months randomly

<variant>IS auditor to determine the number of samples required, audit client to pick the
required documents from the last 3 months randomly

<variant>IS auditor to determine the number of samples required, randomly pick the required
samples from the available document provided by the audit client

<question>To understand whether an information system control, such as the ability to
assign different levels of system access to different users of the financial trading system, is
designed efficiently, which document from the System Development Life Cycle (SDLC)
should the IS auditor review to obtain the best relevant understanding?

<variantright>Technical design document of the system

<variant>User requirements document of the system

<variant>Contract signed with the system implementation vendor of the system

<variant>Feasibility study report to show whether the system should be built

<question>Some companies prefer to outsource system development work to third-party
development vendors. Which of the following is the best for the company to ensure the
system development work will be done successfully by the third-party development vendor?

<variant>Include sufficient and proper liability clause in the contract for the development
work

<variantright>Provide detailed requirements / specifications to the vendor and assign
experienced users to work with the development vendor on a regular basis

<variant>Obtain insurance policy to transfer the risk of not having the system being
developed as expected to support the business operations

<variant>Ensure post-implementation review is performed

<question>Which of the following is the most important phase of the System Development
Life Cycle (SDLC) in the perspective of having the system to support the business
operations effectively?

<variantright>Requirement Phase

<variant>Feasibility Phase

<variant>Design / Selection Phase

<variant>Development / Configuration Phase

<question>When an IS Auditor audits the SDLC of a decision support system, of which the
development work is outsourced to a third party, which of the following activities in relation to
the system would most concern the IS Auditor?

<variantright>The on-going maintenance support of the system

<variant>The implementation quality of the system


<variant>The cost spent to build the system

<variant>The number of staff working at the vendor

<question>Which of the following control activities is required before a newly built system can
be launched to support business operations?

<variant>Passing the stress test and security test which are done by IT colleagues

<variantright>Signing-off the final acceptance test which is done by user

<variant>Signing-off the user requirements

<variant>Settling the final payment to the vendor

<question>There are various types of system changeover approach. Which of the following
is the major advantage for performing Parallel Changeover approach?

<variant>To provide double processing power since users can use both old and new system
at the same time

<variant>To allow users to perform the same business operations on both old and new
system to compare results

<variant>To provide opportunities to train the users to use the new system

<variantright>To minimize the impact to the business due to risk of system change over
failure

<question>Why do IS auditors perform the “Post-implementation Review” of an information
system 3-6 months after its implementation, but not right after the system launches?

<variant>To control company’s expense since the company has just paid a lot to develop the
system

<variant>3-6 months is the typical time required for IT developers to learn how to perform
post-implementation review

<variant>It is the legal requirement of most of the countries in the world

<variantright>To allow system bugs to be fixed and sufficient business transactions to be
performed in the system to support the review
<question>Which of the following can be considered as risk in relation to system
development?

i. The misunderstanding of user requirements

ii. The change of relevant regulatory requirements

iii. The change of its project scope after requirement is signed-off

iv. The market competition among the outsource system development vendors

<variantright>(i), (ii) & (iii)

<variant>(ii) & (iii)

<variant>(i), (ii), (iii) & (iv)

<variant>(i) & (ii)

<question>What is the primary advantage for a company to engage an independent IS
auditor to review their in-house system development?

<variant>It is cheaper than requesting for internal auditors

<variantright>IS auditors are independent from the system development, so senior
management can obtain a true and fair review result from them

<variant>Independent IS auditors are the only group of people who have the relevant
professional knowledge to perform the review

<variant>Additional advice can be obtained from the independent IS auditor based on their
system review experience gained from their other clients

<question>The system users would like to make the following changes to a newly-implemented
accounting system. As an IS auditor, which of the changes do you think is in
the highest priority?

<variant>Enlarge the description textboxes in the journal entries page for better visibility

<variantright>Fix the issue of generating an incomplete list of fixed assets records

<variant>Upgrade to the latest version of budgeting module with a refined budget approval
workflow incorporated

<variant>Implement a two-form factor authentication when generating financial statements
for a more tightened security

<question>The system users would like to make the following changes to a newly-implemented
accounting system. As an IS auditor, which of the changes do you think is in
the lowest priority?

<variant>Fix the issue of generating an incomplete list of fixed assets records

<variant>Implement a two-form factor authentication when generating financial statements
for a more tightened security

<variantright>Enlarge the description textboxes in the journal entries page for better visibility

<variant>Upgrade to the latest version of budgeting module with a refined budget approval
workflow incorporated

<question>When auditing the change requests of a point of sale system, you notice 70% of
the change requests are related to adaptive maintenance, and developers reflect that the effort
of implementing the change is huge. As an auditor, what would be your best
recommendation to the Management?

<variantright>Look for the feasibility of implementing a brand new point of sale system to
address the requests

<variant>Focus on implementing the change requests related to perfective maintenance to
make the system more perfect

<variant>Implement a better control to prevent the system users from submitting too many
change requests

<variant>Increase the budget of hiring developers to address all the change requests by the
system users

<question>Prof. Dias discussed different system environments used in the change
management process in this module. Which of the following is true about the system
environments?

<variant>Developers should apply the code changes directly to the production environment
for quicker turnaround

<variant>Program library stores ONLY the latest copy of the production environment, which
can be restored in case the production environment crashes

<variant>Emergency environment typically has the same functionality as the production
environment such that users will not be affected in case the production environment
crashes
<variantright>When developers modify the system, there must be a computer-generated
audit trail in place, tracking who modified the program and the corresponding timestamp

<question>A user submitted a change request, which has been approved and well-
documented. The developer also followed the change management procedure to make
modification in the appropriate system environment and has passed the testing. However,
the change does not take place in the production environment of the system eventually. The
reason is likely to be ___________________________

<variant>IS auditor is in the process of checking the system, no changes can be applied

<variantright>The change management board does not approve this change

<variant>The program library has crashed

<variant>The emergency environment has been in place for half a year which the system
changes from the production environment cannot be reflected

<question>The developer has implemented the change request of enhancing the fund
transfer functionality in the production environment of an e-Banking system. After an hour,
the bank received complaints from customers as they cannot transfer funds, while other
modules of the e-Banking system work fine. What would be the immediate step to resolve
this issue from the perspective of having good IS controls and governance?

<variant>Re-submit a change request to decrease the fund transfer limit and run through the
change request procedure again

<variant>Request for an emergency ID and apply an emergency environment of the
e-Banking system. The emergency environment has a very limited functionality.

<variant>Request the developer to implement the changes again in the production
environment

<variantright>Reverse only the fund transfer module back to the previous version, following
the IT change procedure of the bank

<question>You notice the auditee’s financial system contains a tremendous amount of
program changes. As an IS auditor, how would you kickstart your audit practice?

<variantright>IS auditor should perform random sampling, extracting certain amount of
program changes for review

<variant>Terminate the audit practice and report to the supervisor, and wait for further
instructions
<variant>Review all the program changes under any circumstances

<variant>Auditee should perform random sampling, extracting certain amount of program
changes for IS auditor’s review

<question>“Adding a Simplified Chinese language instruction to the banking system for
fulfilling the latest regulatory requirement from the Chinese government” is most probably a
kind of ___________ maintenance.

<variant>preventive

<variant>perfective

<variantright>adaptive

<variant>corrective

<question>“Installing a patch to resolve the file attachment failure in the job application
system” is a kind of __________ maintenance.

<variantright>corrective

<variant>adaptive

<variant>perfective

<variant>preventive

<question>Upon system implementation, the system maintenance changes are usually
____________ in nature. As time goes by, more and more system maintenance changes
are ___________ in nature instead.

<variant>adaptive; corrective

<variantright>corrective; adaptive

<variant>detective; adaptive

<variant>preventive; perfective

<question>Risk Assessment-
<variant>authoritative, international set of generally accepted IT practices or control
objectives that help employees, managers, executives, and auditors in: understanding IT
systems, discharging fiduciary responsibilities, and deciding adequate levels of security
and controls.
<variant>plan, build, run, and monitor the activities and processes used by the
organization to pursue the objectives established by the board.
<variant>inventory of all the potential audit areas within an organization.
<variantright>considered the foundation of the audit function as they assist in developing
the process for planning individual audits.

<question>Business Email Compromise (BEC)


<variant>form of malware targeting both human and technical weaknesses in an effort to
deny the availability of critical data and/or systems
<variant>occurs when the subject claims to be associated with a computer software or
security company, or even a cable or Internet company, offering technical support to the
victim.
<variantright>sophisticated scam targeting businesses working with foreign suppliers
and/or businesses who regularly perform wire transfer payments
<variant>This type of Internet crime involves posing as government, law enforcement
officials, or simply someone pretending to have certain level of authority in order to
persuade unaware victims to provide their personal information.

<question>Tech Support Fraud


<variant>form of malware targeting both human and technical weaknesses in an effort to
deny the availability of critical data and/or systems
<variantright>occurs when the subject claims to be associated with a computer software
or security company, or even a cable or Internet company, offering technical support to
the victim.
<variant>sophisticated scam targeting businesses working with foreign suppliers and/or
businesses who regularly perform wire transfer payments
<variant>This type of Internet crime involves posing as government, law enforcement
officials, or simply someone pretending to have certain level of authority in order to
persuade unaware victims to provide their personal information.

<question>Ransomware
<variantright>form of malware targeting both human and technical weaknesses in an
effort to deny the availability of critical data and/or systems
<variant>occurs when the subject claims to be associated with a computer software or
security company, or even a cable or Internet company, offering technical support to the
victim.
<variant>sophisticated scam targeting businesses working with foreign suppliers and/or
businesses who regularly perform wire transfer payments
<variant>This type of Internet crime involves posing as government, law enforcement
officials, or simply someone pretending to have certain level of authority in order to
persuade unaware victims to provide their personal information.

<question>Intimidation/Extortion Scam
<variant>form of malware targeting both human and technical weaknesses in an effort to
deny the availability of critical data and/or systems
<variant>occurs when the subject claims to be associated with a computer software or
security company, or even a cable or Internet company, offering technical support to the
victim.
<variant>sophisticated scam targeting businesses working with foreign suppliers and/or
businesses who regularly perform wire transfer payments
<variantright>This type of Internet crime involves posing as government, law
enforcement officials, or simply someone pretending to have certain level of authority in
order to persuade unaware victims to provide their personal information.

<question>Give the explanation of PCAOB:


<variantright> is a not-for-profit corporation instituted by Congress to oversee the audits
of public companies in order to protect the interests of investors and further the public
interest in the preparation of informative, accurate, and independent audit reports.
<variant>is a for-profit corporation instituted by Congress to oversee the audits of public
companies in order to protect the interests of investors and further the public interest in the
preparation of informative, accurate, and independent audit reports.
<variant> is a corporation instituted by Congress to oversee the audits of public
companies in order to protect the interests of investors and further the public interest in the
preparation of informative, accurate, and dependent audit reports.

<question>Select all possible appropriate options, ISACA:


<variant>provides knowledge and education on areas like IS assurance, information
security, enterprise governance, IT risk management, and compliance.
<variant>offers globally known certifications/designations, such as CISA, CISM,
Certified in the Governance of Enterprise IT (CGEIT), and Certified in Risk and Information Systems Control (CRISC).
<variant>develops and frequently updates international IS auditing and control standards,
such as the COBIT standard. COBIT assists both IT auditors and IT management
<variantright>All of them

<question> The term that is defined as service availability, and the level of trust and confidence
that can be placed on the information
<variant>Information integrity
<variantright>Information assurance
<variant>Processing integrity
<variant>IT strategy

<question> Which one is not included in the IT audit?


<variant>Comprehension of business roles and expectations in the auditing of
systems under development as well as the purchase of software packaging and project
management
<variantright>Cancelling the needs of preparing paychecks for a large number of companies;
<variant>Examination and verification of the organization’s compliance with any IT-
related legal issues that may jeopardize or place the organization at risk;
<variant>Reporting to management and performing a follow-up review to ensure
actions taken at work

<question> What is big data as defined by TechAmerica Foundation’s Federal Big Data
Commission?
<variantright>describes large volumes of high velocity, complex and variable data
that require advanced techniques and technologies to enable the capture, storage,
distribution, management, and analysis of the information
<variant>includes policies and procedures that apply to many applications and
support the effective functioning of application controls.
<variant>describes configuration management with big data and action examples
carried out as part of the configuration management plan
<variant>defines solutions and technologies that provide the best return on the
management of the organization.

<question> Find an auditing service in the list below:


<variant>Management functions or human resources
<variant>Broker or dealer, investment advisor or investment banking
<variantright>Produce all types of financial reports and documentation
<variant>Internal audit outsourcing services

<question> What is not included in the risk assessment?


<variantright>describe the importance of a change control system and management.
<variant>improve the quality, quantity, and accessibility of planning data, such as risk
areas, past audits and results, and budget information;
<variant>examine potential audit projects in the audit universe and choose those that
have the greatest risk exposure to be performed first;
<variant>provide a framework for allocating audit resources to achieve maximum
benefits.

<question> Not an example of an IT audit report?


<variant>IT auditor discovering that the organization’s procedures manual does not
require management’s permission before implementing changes into applications.
<variant>a change implemented into a financial application that did not include
proper management authorization.
<variant>Working paper test reference where the finding was identified
<variantright>Interviewing organization personnel, including users, systems analysts,
and programmers.
<question>What does the ACL command Extract do?
<variantright>Selects records or fields from a file or current table, and copies them to a
different file or table.
<variant>Sends data to external file (e.g., database, Excel, text file, etc.) for use outside
ACL.
<variant>Sorts or organizes the active table into ascending or descending order based on
specified key fields.
<variant>Checks for data validity errors in the active table. Ensures that data in a table
conform to the table layout and reports on any errors encountered

<question>What does the ACL command Export do?


<variant>Selects records or fields from a file or current table, and copies them to a
different file or table.
<variantright>Sends data to external file (e.g., database, Excel, text file, etc.) for use
outside ACL.
<variant>Sorts or organizes the active table into ascending or descending order based on
specified key fields.
<variant>Checks for data validity errors in the active table. Ensures that data in a table
conform to the table layout and reports on any errors encountered.

<question>What does the ACL command Sorting do?


<variant>Selects records or fields from a file or current table, and copies them to a
different file or table.
<variant>Sends data to external file (e.g., database, Excel, text file, etc.) for use outside
ACL.
<variantright>Sorts or organizes the active table into ascending or descending order based
on specified key fields.
<variant>Checks for data validity errors in the active table. Ensures that data in a table
conform to the table layout and reports on any errors encountered

<question>What does the ACL command Verify do?


<variant>Selects records or fields from a file or current table, and copies them to a
different file or table.
<variant>Sends data to external file (e.g., database, Excel, text file, etc.) for use outside
ACL.
<variant>Sorts or organizes the active table into ascending or descending order based on
specified key fields.
<variantright>Checks for data validity errors in the active table. Ensures that data in a
table conform to the table layout and reports on any errors encountered

<question>What does the ACL command Search do?


<variantright>Locates first record in an indexed table that meets a specified
criteria/condition.
<variant>Adds command output to the end of an existing file instead of overwriting the
existing file.
<variant>Totals the number of records in the current table, or only those records that meet
a specified criteria or test condition.
<variant>Sums numeric fields or expressions in the active table.

<question>What does the ACL command Append do?


<variant>Locates first record in an indexed table that meets a specified criteria/condition.
<variantright>Adds command output to the end of an existing file instead of overwriting
the existing file.
<variant>Totals the number of records in the current table, or only those records that meet
a specified criteria or test condition.
<variant>Sums numeric fields or expressions in the active table

<question> What is the process by which an enterprise’s IT is directed and controlled?


<variant> IT Auditor
<variantright> IT Governance
<variant> IT Environment
<variant> IT Control

<question>What kind of category does GAAS cover?


<variantright> General Standards, Standards of Fieldwork, Standards of Reporting
<variant> Financial Accounting Standards Board (FASB),International Accounting
Standards Board (IASB)
<variant> International Financial Reporting Standards (IFRS),International Accounting
Standards Board (IASB)
<variant> Standards of Fieldwork, Standards of Reporting

<question> What type of audit function evaluates the reliability and the validity of
systems controls in all forms?
<variant> Internal Audit Function
<variant>Analytical Audit Function
<variant>Expert Audit Function
<variantright> External Audit Function

<question> Which phase of an audit may include procedures such as examining


documentary evidence, as well as performing corroborating interviews, inspections,
and personal observations?
<variant> Document results
<variant>Risk assessment
<variantright>Test controls
<variant>Audit plan

<question>Nonprofit corporation created by the Sarbanes–Oxley Act (SOX) of 2002 to


oversee the audits of public companies?
<variantright>PCAOB
<variant>SEC
<variant>CSEA
<variant>FISMA

<question>What is the primary emphasis of the COBIT framework?


<variant>to assure that management-authorized controls are being applied effectively
<variant>to evaluate the reliability and the validity of systems controls in all forms
<variantright>to ensure that technology provides businesses with relevant, timely, and
quality information for decision-making purposes
<variant>to develop a single set of high-quality, understandable, enforceable, and globally
accepted financial reporting standards

<question>___________ supports the need to research, develop, publicize, and promote
up-to-date internationally accepted IT control objectives.

<variant>Audit Schedule
<variantright>COBIT
<variant>Audit Plan
<variant>Access Control Management
<question>Choose the correct phases of an audit.
<variantright> Risk assessment->Audit plan->Preliminary review->Design audit
procedures
<variant>Preliminary review->Risk assessment->Audit plan-> Design audit procedures
<variant>Design audit procedures-> Risk assessment-> Preliminary review->Audit plan
<variant>Risk assessment-> Audit plan -> Design audit procedures-> Preliminary review

<question>How many principles are there in COBIT?


<variant>1
<variant>4
<variantright>5
<variant>8

<question>Which of the following is true about “Governance”?


<variant>plan, build, run, and monitor the activities and processes used by the
organization to pursue the objectives established by the board.

<variant>Promoting good culture, ethics, and behavior in the organization.

<variant>Taking into account the infrastructure, technology, and applications that
provide the organization with IT processing and services.

<variantright>optimizes the use of organizational resources to effectively address
risks.

<question>What statement is correct about “Management”?


<variant>Recognizing that people, skills, and competencies are required for
successful completion of all activities and correct decision making.

<variantright>plan, build, run, and monitor the activities and processes used by the
organization to pursue the objectives established by the board.

<variant>Promoting good culture, ethics, and behavior in the organization.

<variant>Taking into account the infrastructure, technology, and applications that
provide the organization with IT processing and services.

<question>What is the ERP?

<variant>European Recruitment Plan

<variantright> Enterprise Resource Planning

<variant>Enterprise Research Planning

<variant>Electronical Resource Plan

<question>Name criteria for use by practitioners when providing professional attestation

<variantright>Security, availability, processing integrity, confidentiality, privacy

<variant>Security, privacy, economy, availability, digital vulnerability

<variant>Digital vulnerability, processing integrity, availability, economy

<variant>Digital vulnerability, availability, confidentiality, privacy

<question>Why did IT auditing become an integral part of the audit function?

<variant>Because traditional auditing contributes knowledge of internal control practices
and the overall control philosophy

<variantright>Because it supports the auditor’s judgment on the quality of the
information processed by computer systems

<variant>Because the breadth and depth of knowledge required are extensive

<variant>Because the auditing of IT and communications protocols typically involves the
Internet

<question>What helps ensure that IT supports business goals, maximizes business investment
in IT, and appropriately manages IT-related risks?

<variant>IT auditioning

<variant>IT operating
<variantright>Effective IT governance

<variant>IT application control

<question>What was the purpose of the Privacy Act of 1974?

<variant>to hide certain safeguards to an individual against an invasion of personal
privacy

<variant>to provide all safeguards to an individual against an invasion of personal
privacy

<variantright>to provide certain safeguards to an individual against an invasion of
personal privacy

<variant>to provide certain safeguards to general against an invasion of personal privacy

<question>___________ is concerned with matching the demand for
materials in the organization with the supply.
<variant> Production Process
<variantright> Material Planning
<variant> Document Management
<variant>Lifecycle Data Management

<question>_____________ enables an organization to optimize its product
development process, from design to market, while ensuring that it complies
with industry, quality, and regulatory standards?
<variant>Inventory and warehouse management (IWM)
<variant>Human Capital Management (HCM)
<variant>Project Management
<variantright> Lifecycle Data Management

<question>Which system connects a company's ERP system to those of its
customers?
<variant>Lifecycle Data Management
<variant>Product Lifecycle Management (PLM)
<variantright> Customer Relationship Management (CRM)
<variant>Project Management

<question>_____________ is the administration of mobile devices, such as
smartphones, tablet computers, and laptops.
<variantright>Mobile device management (MDM)
<variant>Human Capital Management (HCM)
<variant>Document Management
<variant>Lifecycle Data Management
<question>Access control management is an important component of
effectively managing the flow of people and restricting access where there is
a need.
<variant>Project Management
<variantright>Access control management
<variant>Document Management
<variant>Lifecycle Data Management

<question>_____________ plan, build, run, and monitor the activities and
processes used by the organization to pursue the objectives established by the
board.
<variant>Process
<variant>Governance
<variantright> Management
<variant>Plan

<question> Change control management system refers to the controlled set of
actions to ensure that a change does not negatively impact a product’s safety,
quality or compliance.
<variant>Project Management
<variant>Access control management
<variant>Document Management
<variantright>Change control management

<question> The economic demand for auditing is driven by


<variantright>information risk
<variant>accounting
<variant> evidence
<variant>auditing

<question>The recording, classifying, and summarizing of economic events
in a logical manner for the purpose of providing financial information for
decision making purposes
<variant>information risk
<variantright>accounting
<variant>evidence
<variant>auditing

<question>Any information used by the auditor to determine whether the
information being audited is stated in accordance with the established criteria
<variant>information risk
<variant>accounting
<variantright>evidence
<variant>auditing

<question>The accumulation and evaluation of evidence about information to
determine and report on the degree of correspondence between the
information and established criteria
<variant> information risk
<variant>accounting
<variant> evidence
<variantright>auditing

<question>An independent professional service that improves the quality of
information for decision makers
<variant>accounting
<variant>attestation services
<variantright>assurance service
<variant>auditing

<question>Type of assurance service in which the CPA firm issues a report
about a subject matter or assertion that is made by another party
<variant> accounting
<variantright>attestation services
<variant> assurance service
<variant>auditing

<question>How many types of audits are there?


<variantright> 3
<variant> 4
<variant> 2
<variant>7

<question> What are audit productivity tools?


<variant>methods, such as flowcharting, data flow diagram, and business process diagrams
applied to document and test application systems, IT processes, and their integration within
the IT environment.
<variant>software that helps auditors evaluate application controls, and select and analyze
computerized data for substantive audit tests.
<variant>hardware that helps auditors evaluate application controls, and select and analyze
computerized data for substantive audit tests.
<variantright>software that helps auditors reduce the amount of time spent on administrative
tasks by automating the audit function and integrating information gathered as part of the
audit process

<question> Abbreviation of CAATs


<variant>Computer-assistant audit techniques
<variantright>Computer-assisted audit techniques
<variant>Computer-analytic audit techniques
<variant>Computer-analysis audit techniques

<question>Examples of audit functions that may be automated through auditor productivity
tools do not include:
<variant>Audit planning and tracking
<variantright> Computer communication
<variant>Data management, electronic working papers, and groupware

<question>Human resource and payroll includes new employee form and existing employee
change form.
<variantright>True
<variant>False

<question>Flowcharts are developed during the _________ analysis phase of an audit engagement.


<variant> communication
<variantright>application
<variant>control
<variant>data

<question>_________ represent a method for identifying and evaluating control strengths
and weaknesses within a financial application system under examination.
<variant>System
<variant>Data management
<variantright>Flowcharts
<variant>Analysis

<question>CAATs can be used only by IT auditors in a variety of ways to evaluate the
integrity of an application, determine compliance with procedures, and continuously monitor
processing results.
<variant>True
<variantright>False

<question>Data analysis programs use techniques such as:


<variantright> Histograms
<variant>Extension
<variant>Flowchart
<variant>Prototyping

<question>The sample is randomly selected and evaluated through the application of the
probability theory
<variant>Mathematical sampling
<variant>Evaluation sampling
<variant>Random sampling
<variantright>Statistical sampling

<question>A method of random sampling that separates the population into similar groups,
and then selects a random sample from the group
<variant>Difference Estimation
<variant>Systematic Sampling (Interval Sampling)
<variant>Mean Per Unit
<variantright>Cluster Sampling (Block Sampling)

<question>Which of these is NOT an operational planning process?


<variant>Technical review
<variant>Demand management
<variantright>Risk Management
<variant>Financial management
<question>IT Governance Framework(s) that provides best practice recommendations related
to the management of information security:
<variant>ITIL, COBIT
<variantright>ISO/IEC 27002
<variant>ISO
<variant>ISO/IEC 27002, COBIT
<question>What is Transition?
<variantright>aims at managing change, risk, and quality assurance during the
deployment of an IT service
<variant>constantly looks for ways to improve the overall process and service
provision.
<variant>guidelines or best practice processes to map the IT strategy with overall
business goals and objectives.
<variant>best practice processes (or requirements) implemented to guide toward a
solution designed to meet business needs.
<question>What are best practice processes (or requirements) implemented to guide toward a
solution?
<variant>Strategy
<variant>Transition
<variant>Continuous Improvement
<variantright>Design
<question>How many principles is COBIT based on?
<variant>Three
<variant>Nine
<variantright>Five
<variant>Seven

<question>According to a Gartner Group report....


<variantright> 95% of businesses do not have a well-defined business strategy
<variant> 85% of businesses do not have a well-defined business strategy
<variant> 95% of businesses have a well-defined business strategy
<variant> 85% of businesses have a well-defined business strategy

<question>Who should be responsible for developing and implementing the IT strategy?


<variantright> senior management of the organization
<variant> developers
<variant>designers
<variant>analysts

<question>The basics of the CIO function as described by the Society for Human Resource
Management include:
-Formal communication of new or revised information systems policies and procedures to all
users in the organization.
<variantright>True
<variant>False

<question>The IT Steering Committee may include:

◾ Analysis of business and technology strategies and plans.

◾ Prioritization of major development projects.


<variantright>True
<variant>False

<question>Projects need to be reviewed early in their life cycle to ensure they have a sound
_________.
<variantright>Business case
<variant>Plan
<variant> Roadmap
<variant>Developers

<question>From what points of view is the risk assessed?


<variantright>likelihood and impact.
<variant>event and analysis
<variant>assessment and verification
<variant>event and impact

<question>Critical - risks can lead, for example, to bankruptcy?


<variantright>True
<variant>False
<question>Minor - possible losses will not lead to bankruptcy, but will require the company
to
<variant>True
<variantright>False

<question>What is information?
<variant>The data we get from interacting with the environment
<variantright>Data is organized and processed to give meaning and thus improve decision
making.
<variant>Data that is correct
<variant>Data that consists of information about everything

<question>Relevance: the information is relevant and applicable to the decision (for example,
for a decision to extend a loan, the client will need relevant information about the client's
balance from the receivables maturities report, etc.).
<variantright>True
<variant>False

<question>In terms of risk assessments, what are Unimportant risks?


<variant>these are risks that can lead, for example, to bankruptcy.
<variant>possible losses would not lead to bankruptcy, but require the company to take
out loans to continue operations.
<variantright>exposures that could be accommodated by existing assets or current income
without imposing undue financial strain.
<variant>A method developed by IBM that assesses the probable loss and the
frequency of occurrence for all unacceptable events for each automated system or data file.

<question>What is the Transfer way in risk response?


<variant>Completely eliminate the risk. For example, a new feature included within the next
application software release is estimated to downgrade application performance by slowing
down some critical processing. To avoid the risk, the software feature is eliminated from the
next release.
<variant>Risk through implementing IT controls, such as performing validity checks
upon inputting data; cleaning disk drives and properly storing magnetic and optical
media to reduce the risk of hardware and software failures; configuring logical setting
security controls in the application system.
<variant>Risk through taking mitigation actions, such as having controls detecting errors
after data are complete. Examples of these include implementing user access reviews,
conducting reconciliations, and performing data transmission controls, among others.
<variantright> Common methods of risk transfer include acquiring insurance or outsourcing
services. As an example, a company that needs to update its financial application system may
choose to outsource or subcontract such a project to an outsider.
<question>___ are intended to discover problems that cannot be prevented. Examples of a
detective control include performing reconciliations of bank accounts, trial balances, etc.
What type of control is this part?
<variantright>Detective
<variant>Preventive
<variant> Corrective
<variant>Transfer

<question>Two or more independent people can produce the same conclusion. In the item
information and communication, what type is this?
<variant>Relevant
<variant>Complete
<variant>Understandable
<variantright>Verifiable

<question>The work of the IT department, headed by the chief technology officer (CTO)?
<variantright>would be evaluating, managing, and accepting
the risks associated with this type of enterprise-wide technology.
<variant>create optimal value from IT by maintaining a balance between
realizing benefits and optimizing risk levels and resource use.
<variant>of standards includes techniques that help organizations secure their
information assets
<variant>compelling federal government requirements for IT standards related to security
and interoperability, and there are no acceptable industry standards or solutions.

<question>NIST.gov. has provided a number of audit, control, and security resources as well
as identification of best practices in managing and reviewing IT risk in many areas.
<variant>True
<variantright>False
<question>Statements on Auditing Standards (SAS) are issued by the Auditing Standards
Board of the AICPA and are recognized as interpretations of the 10 generally accepted
auditing standards.

<variantright>True
<variant>False

<question>Government Accountability Office (GAO) –


<variantright>is a nonpartisan agency within the legislative branch of the government.
<variant>is a world-wide not-for-profit association of more than 28,000 practitioners
dedicated to IT audit, control, and security in over 100 countries.
<variant>is a well-known IT governance framework that helps organizations
in the areas of regulatory compliance and alignment of IT strategy and
organizational goals
<variant>is an organization that develops guidelines for businesses to evaluate
internal controls, risk management, and fraud deterrence.

<question>____ helps organizations create optimal value from IT by maintaining a balance
between realizing benefits and optimizing risk levels and resource use.
<variant>ISO/IEC
<variantright>COBIT
<variant>NIST
<variant>GAO
<question> Choose the correct question of prevention risk response technique
<variant> Is the risk too expensive to avoid?
<variant> Can the risk be partially reduced and partially transferred?
<variantright> Are there controls in place to prevent the risk from occurring?
<variant> Is the risk too time consuming to avoid?

<question>What is the purpose of project management?


<variant>The purpose of project management is to negotiate with customers and warn
about the timing of tasks
<variantright>The purpose of project management is to identify, establish, coordinate,
and monitor activities, tasks, and resources for a project that is consistent with the
goals and objectives of the organization.
<variant>The purpose of project management is the quality and timing of the project
<variant>The purpose of project management is to oversee the project and create
presentations

<question>What project management methodologies exist?


<variant>Business Modeling Methodology; Architecture methodology
<variant>Operational; Functional; Traditional
<variantright>Traditional / Waterfall; Agile Project Management; Systems Development
Life Cycle
<variant>All the above

<question>What does SDLC stand for?


<variant>Systems Design Limited Cycle
<variant>Systematic Designed Life Cycle
<variant>Software Development Life Cycle
<variantright>Systems Development Life Cycle

<question>When to use the Agile Methodology?


<variantright>used in projects requiring special flexibility in requirements, focuses on
adaptability to changing situations and constant feedback.
<variant>used in evaluating various project objectives and provides a process for
managing and monitoring completion of these tasks.
<variant>used in large scale software development projects where careful planning and
predictable processes are vital
<variant>no correct answer

<question>What is NOT included in project management tools?


<variant>Labor hour tracking
<variant>Time capture and billing
<variantright>Development testing
<variant>Project budgeting

<question>What are the responsibilities of a project manager?


<variant> Deliverables are produced successfully and in a timely fashion; Management is
being communicated with and sufficiently involved.
<variant>The project has a work breakdown structure that is sufficiently detailed to carry
out; Project tasks are prioritized to prevent interference with other projects' due dates.
<variant> Appropriate governance is in place; Right resources, such as money, people,
and facilities are available at the right time.
<variantright>All of the above

<question>Which groups does the auditor establish relationships with?


<variantright>Database administrators
<variant>Marketing team
<variant>Clients
<variant>Cloud administrators

<question>Which includes the area of management and monitoring and control?


<variant>includes managing teams effectively while coordinating expectations and
achieving milestones on time and within budget.
<variant>includes the processes, activities and skills needed to assess the definition of
start project. They appear in self-installed permits, authorizations, and initial work orders.
<variantright>includes processing change requests, reviewing the current budget,
considerations and mitigation of contingencies that could impair the ability of the
team to meet the original goals and expectations of the project.
<variant>includes defining the scope of the project; establishes strategic plans to
maximize workflow; defines the goals and expectations of the project; makes priority lists

<question>What does a project management audit begin with?


<variant>assessment of adequacy of the control environment
<variant>representation of checkpoints
<variantright>preliminary analysis of the control environment
<variant>review of project task list and budget

<question>Where does the task of the auditor to determine the level of participation
begin?
<variantright>risk assessment
<variant>workload
<variant>distribution of tasks
<variant>audit plan

<question>During which phase can the auditor facilitate communication between functions
and raise issues that may impact the quality of the project?
<variant>initiating
<variant>closing
<variant>executing
<variantright>planning

<question>The scope of a project management audit can include an evaluation of the
administrative controls over the project.
<variantright>True
<variant>False

<question> What does PERT stand for in an IT audit?


<variant>Progress Evaluation and Renew Technique
<variantright>Program Evaluation and Review Technique
<variant>Program Effectiveness and Review Technique
<variant>Progress Effectiveness and Renew Technique

<question>The PMI defines methodology as a “system of practices, techniques, procedures
and rules used by those who work in a discipline.”
<variantright>True
<variant>False
<question>What is the primary standards organization for project management?
<variant>Project Organization Institute
<variant>International Standard Organization
<variant>Project Standard Institute
<variantright>Project Management Institute

<question>SDLC stands for…

<variantright>System development life cycle.

<variant> Software development litigation cycle.

<variant> System development life conditions.

<variant>Software development life cycle.

<question>Which of these is the correct order of the SDLC?

<variant> Maintenance, Planning, Design, Analysis, Implementation

<variant> Analysis, Planning, Design, Maintenance, Implementation

<variantright>Planning, Analysis, Design, Implementation, Maintenance

<variant>Planning, Analysis, Implementation, Design, Maintenance

<question>What happens in the design phase?

<variant> The code is produced

<variant> Making changes when the software has been created

<variantright>Planning the solution, look and feel of the software interface

<variant> Ensuring the requirements are understood

<question>What happens in the implementation phase?

<variant>The code is tested against the specification

<variant> Making changes when the software has been created


<variant> Planning the solution, look and feel of the software interface

<variantright>The deliverables of the implementation stage are created e.g. the code

<question>What happens in the Analysis Stage?

<variantright> Look at the existing system and find areas to improve

<variant> Create the new system and test it

<variant>Place the new system into the company for use

<variant> Decide how well the new system is working

<question>Which stage comes after Design?

<variant> Evaluation

<variant> Documentation

<variantright>Development and Testing

<variant> Design

<question>What happens in the Development and Testing Stage?

<variant> Plan the proposed system

<variant>Place the new system into the company for use

<variant> Decide how well the new system is working

<variantright>Create the new system and test it

<question>User Manuals and Technical guides are created in which stage of the System
Analysis and Design?

<variant> Design

<variant> Analysis
<variantright>Documentation

<variant> Evaluation

<question>How many types of testing are given in the system life cycle?

<variant> 1

<variant> 2

<variant> 3

<variantright>4

<question>Which of these is the slowest method of system implementation?

<variant> Direct

<variantright>Parallel

<variant> Pilot

<variant> Phased

<question>Allowing the designer of the new system to review documentation. What
needs to take place to make sure a newly developed system works correctly?

<variantright> Testing

<variant> Designing

<variant> Backing up

<variant> Evaluating

<question>Conversion strategies are used to change from the old system to the new system.

<variantright>True

<variant> False

<question>A rudimentary prototype can be redesigned and enhanced many times before
the final form is accepted.

<variantright>True

<variant> False

<question>Define SDLC
<variant>Set of activities / phases used to build a multimedia

<variantright> Set of activities / phases used to build an information system

<variant>Set of activities / phases used to build a multimedia and information system

<variant>Set of activities / phases used to build a data model

<question>ERP is:

<variant>financial planning systems

<variantright>enterprise resource planning systems

<variant>material requirements planning systems

<variant>enterprise resource planning systems synchronized with the customer

<question>On what basis are ERP systems usually built?

<variantright>Modular

<variant>by discrete

<variant>by context

<variant>by production

<question>The main areas for the dissemination of security information are:

<variant>development, managers, company administrators

<variant>law, government, business

<variant>network databases, firewalls

<variantright>IT, users, management

<question>After launching the application into production, what kind of access is
available to programmers?
<variant> For editing

<variantright> Read-only

<variant> For modification

<variant> All answers are correct

<question>Which devices are really at risk of "Remote Access" if it is unauthorized?

<variantright> client devices

<variant> standard devices

<variant> organizational devices

<variant> organizational client devices

<question>What does EUD stand for?

<variantright>End-user development

<variant>End User Devices

<variant>End User Diagnostics

<variant> None of them

<question>What is the description of a field check?

<variantright>Confirms that characters in a field are of a proper type.

<variant>Checks that the size of the data entered fits into the specific field

<variant> Corroborates that all required and necessary data is entered.

<variant>Checks for correctness of logical relationship between two data items.


<question>What does EDI stand for?

<variantright> Electronic Data Interchange

<variant>Electron Drift Instrument

<variant>Electronic Document Interchange

<variant>None of them

<question>Based on the McAfee Labs report, 650 million virus attacks are approaching in
December

<variantright>True

<variant>False

<question>The scope of a project management audit can include an evaluation of the
administrative controls over the project.

<variant>False

<variantright>True

<question>Which groups does the auditor establish relationships with?

<variantright>Database administrators

<variant>Marketing team

<variant>Clients

<variant>Cloud administrators

<question>What is ERP?

<variantright>Enterprise Resource Planning

<variant>Enterprise Rescue Plan

<variant>Educational Resource Planning


<variant>Educational Rescue Plan

<question>Which stage comes after Design?

<variant>Evaluation

<variant>Documentation

<variantright>Development and Testing

<variant>Design

<question>How many types of testing are given in the system life cycle?

<variantright> 4

<variant>3

<variant> 9

<variant>6

<question>Which of the following has a potential transformational effect on IT
environments, data centers, technology providers?

<variantright> IoT

<variant>MDM

<variant>BPM

<variant>ERP

<question>The goal of this strategy is to ensure that systems integrate well and are
compatible with existing software and technology infrastructure.
<variantright>True
<variant>False
<question> Select one of the processes of Systems Acquisition Process
<variant>Observing related business processes.
<variantright> Carrying out the selection process
<variant>Researching other companies in a related industry
<variant>Meeting with IT management and support staff
<question> What is the final process of Systems Acquisition Process?
<variant>Performing a feasibility analysis
<variant> Procuring selected software
<variantright>Completing final acceptance
<variant> Identifying alternatives
<question>Which option describes the economic category of performing a feasibility
analysis?
<variant>Reviews any related legal or contractual obligations associated with the
proposed system.
<variant> Examines how well the proposed system solves business problems or provides
opportunities to the business
<variant>It evaluates the consistency of the proposed system with the company’s
technical strategy, infrastructure, and resources
<variantright>The expenses of a system include procurement, start-up, project-specific
issues, and impact to operations.
<question>A Request for Proposal (RFP) offers flexibility to respondents to further define or
explore the requested requirements
<variantright>True
<variant>False
<question>Choose the option that is NOT included in software contract terms
<variant> Terms or limitations with the use of any related trademark rights or copyrights.
<variant> Supplier staffing and specified qualifications.
<variantright>Documentation for business analysis processes
<variant> Description of payment terms
<question> Request for Information (RFI) is a document that specifies the minimally
acceptable requirements (functional, technical, and contractual)
<variant>True

<question>_______________ for an organization includes defined IT services; SLAs; design
services and pricing; service engagement and delivery; and service measurements to track
performance.
<variantright>The service management process
<variant>The risk management process
<variant>The project management
<variant>The change control management

<question>Service management is dependent on well-functioning processes in asset
management, financial management, service delivery, service desk, problem management,
change management, and relationship management.
<variantright>True
<variant>False
<question>Choose the wrong answer “SLA can be made between?”
<variant>Between IT and its customers
<variant>Between operations and application groups
<variant>Between suppliers and IT
<variantright>Between customers and suppliers

<question>SLA –
<variantright>Service Level Agreement
<variant> Service Local Application
<variant> Service Local Audit
<variant> Security level audit

<question>Types of Service Level Agreement – Customer Service Level Agreement,
Operating Service Level Agreement, Supplier Service Level Agreement
<variant>TRUE
<variantright>FALSE

<question>An operating level agreement helps set expectations between


<variant>Between IT and its customers
<variantright>Between operations and application groups
<variant>Between suppliers and IT
<variant>Between customers and suppliers

<question>All models in service management require an internal process


<variantright>Manage service levels, costs, risk
<variant>Manage client service, costs, risk
<variant>Manage operating service, costs, supporting
<variant>Manage service, costs, supporting

<question>Internal measures keep the IT group focused on things the customer cares about.
<variant>TRUE
<variantright>FALSE

<question>Tools are needed to capture performance, usage metrics from the various
platforms, and to consolidate and report on all of this information.
<variantright>TRUE
<variant>FALSE

<question>Service organizations (S.O.) are established to offer services to organizations that
decide to outsource, for example, their data processing services.
<variantright>TRUE
<variant>FALSE

<question> What is the main purpose of an IT change control management?


<variant>implementation of new features
<variantright>ensure the integrity, availability, reliability, security, confidentiality, and
accuracy of an organization or IT system supporting the organization
<variant>security implementation
<variant>VR app development
<question> Is the change management system part of the three main computer systems?
<variantright>True
<variant>False
<question> The change management process does not benefit organizations by reducing
system disruptions
<variant>True
<variantright>False
<question> Is ensuring a consistent implementation of changes that allows management to
allocate staff and system time efficiently and meet planned implementation deadlines as a
benefit of change control management?
<variantright>True
<variant>False
<question> A change control management process typically covers:
<variantright>Change request form
<variant>Mobile app bug fixes
<variant>AR implementation
<variant>Hardware releases
<question> A change request form ensures that only authorized changes are implemented
<variantright>True
<variant>False
<question> Which law is appropriate for integrating change requests, software changes, and
software distribution
<variant>Regulation on TC 34
<variant>Bylaws in the field of ICT
<variant>Model Legislation
<variantright>Sarbanes-Oxley Act of 2002
<question> Git is not a VCS change tracking tool
<variant>True
<variantright>False
<question> What is Application Software for?
<variant>Application software is computing software designed to perform a specific task,
other than one that is not related to the operation of a computer and is usually intended for
use with first-time users.
<variantright>Application software is computing software designed to perform a specific
task other than that related to the operation of the computer itself and is usually intended
for use by end users.
<variant>Application software is changes that are required outside of a set schedule.
<variant>Application software is the changes that are required within the established
schedule.
<question> Which of these is not one of the types of Change Control Management Process
<variant>Routine
<variant>non-standard
<variantright>non-urgent
<variant>extraordinary
<question>Which of the following should software distribution methods not include? (multiple choice)
<variantright>Obtaining copies of help desk call logs to determine adverse impacts from
changes.
<variant>Distribution is made in a timely manner only to those authorized.
<variant>A means is in place for ensuring verification of integrity, and this is
incorporated into the installation.
<variant>A formal record exists of who has received software and where it has been
implemented. This record should also match with the number of purchased licenses.
<question> A change control management process typically covers the following:
<variantright>Change request form, Controls, Change documentation
<variant>Controls, Hardware, Operating system software
<variant>Change documentation, Controls, Hardware
<variant>Hardware, Operating system software, Database instances, Application software
<question> What is the most important area of control in any information processing
environment?
<variantright>management that makes changes to existing systems
<variant>confirmation of the existing system
<variant>architecture of information systems
<variant>editorial management in the system
<question> Potential objectives of change control management procedures include:
<variant>Remember the reason(s) of the change
<variantright> Identify the personnel requesting the change
<variant>Just know who is making the changes
<variant>Let the staff know how the change will be made

<question> Which of them are not possible sources of information for members of the
management board or the change control committee?
<variant>Data Center Operations
<variant>Networks/Telecommunications
<variant>Help Desk
<variantright>Ordinary users
<question> All key employees and departments affected by the change should be notified of
its implementation schedule. Those who may require notification include:
<variantright>End users of the system and manufacturers
<variant>Manufacturers and first users of the system
<variant>Passersby and testers
<variant>Any personnel not related to data control
<question>"Control of the physical inventory and the relationships between the components
that form a set of “basic” objects that can be changed." What does it say here?
<variantright>Configuration Management
<variant>change control management process
<variant>change control management procedures
<variant>organizational change management
<question>What does CIs stand for?
<variant>Continuous integration
<variantright>Software Configuration Elements
<variant>Computer information
<variant>Computer integration
<question> "The change of culture and structure should be carried out throughout the entire
life cycle. This includes people, organization, and culture." What does it say here?
<variantright>Managing Organizational Change
<variant>Audit Involvement
<variant>Sample activities within such SCM plan.
<variant>Review Points

<question>Authorization, Testing (acceptance of the device, system and user),
Documentation these areas cover:
<variantright>Audit Involvement
<variant>Managing Organizational Change
<variant>Scope
<variant>Objectives
<question>What does SCM stand for?
<variant>Supply Chain Planning
<variantright>Software configuration management
<variant>Supply Chain Management
<variant>There is no right answer
<question> How many blocks does a flowchart consist of, depicting a standard change
control management process?
<variantright>4
<variant>1
<variant>2
<variant>5
<question> Errors in data processing usually relate to ________ and actual monitoring of
the job processing.
<variantright>job scheduling
<variant>Operating Policy
<variant>Procedures
<variant>end-user computing (EUC)
<question>Physical security and access controls do NOT include
<variant>Security alarms
<variant>Visitors logs
<variantright>Schedule
<variant>Biometric authentication
<question> BCP
<variant>business country plan
<variant>business continuity planning
<variantright>business continuity plan
<variant>business country planning
<question> DRP
<variantright>Disaster Recovery Plan
<variant>Disaster Recovery Planning
<variant>Document Recovery Plan
<variant>Document Recording Plan
<question> DRP is a
<variant>a tool that helps businesses create an event that disrupts business operations
<variantright>survival tool that helps businesses respond to threats and recover in the
wake of an event that disrupts normal business operations
<variant>a survival tool that helps create threats and not recover from an event that
disrupts the normal operation of the business.
<variant>describe processes, steps, and/or procedures to be carried out in the event of an
emergency (i.e., natural disaster or an unplanned interruption to normal business
operations) to achieve a timely recovery and availability of all essential business
processes, including the information systems.
<question>The DRP should identify various levels of recovery, from an isolated event to a
widespread disaster.
<variantright>True
<variant>False
<question> Why are physical security and access controls important to organizations
<variantright>control movement of servers, network-related equipment
<variant>permits theft, damage and unauthorized access to data and software
<variant>grants access to every user and keeps documents in the public domain
<variant>helps businesses create an event that disrupts business operations

<question>DRP should address components:
1. Objectives and mission statement 2. Key personnel involved 3. Full and incremental
program and data backups 4. Tests and drills 5. Program and data backups stored off-site 6.
Disaster recovery chairperson and committee appointed
<variantright>True
<variant>False

<question> Once controls are in place, they can be tested for adequacy and effectiveness.
Who does this?
<variant>IT Specialist
<variantright>auditors
<variant>Accountant
<variant>Business Process Controller.
<question> Who should evaluate the controls and determine whether the objectives have
been achieved?
<variant>IT Specialist
<variant>auditors
<variant>Accountant
<variantright>IT auditors
<question> How many of the organizations surveyed have either moved most of their
business continuity and disaster recovery tasks to the cloud (including backup) or plan to do
so in the near future?
<variantright>44%
<variant>34%
<variant>54%
<variant>64%
<question>What are the three fundamental objectives for information and confidentiality?
<variantright>Confidentiality, integrity, availability
<variant>Confidentiality, encryption, integrity
<variant>Confidentiality, availability, consistency
<variant>Integrity, connectivity, accuracy
<question>What is FIPS?
<variantright>Federal Information Processing Standards
<variant>Federal Information Protection Standards
<variant>Federal Instruction Principal Security
<variant>Federal Instruction Processing Standards
<question>What is ERP?
<variantright>Enterprise Resource Planning
<variant>Enterprise Rescue Plan
<variant>Educational Resource Planning
<variant>Educational Rescue Plan
<question>Primary ERP suppliers include:
<variantright>SAP, Oracle, Microsoft
<variant>Java, React, SOAP
<variant>SAP, SOAP, Microsoft
<variant>Java, Oracle, React
<question>Based on the July 2015’s ISACA Innovation Insights report, which one was
considered as a key trend driving business?
<variantright>Cloud computing
<variant>BPM
<variant>Oracle
<variant>Kaspersky
<question>What is the main tool which is used by cloud computing?
<variantright>Internet
<variant>VPN
<variant>SSD
<variant>HDD
<question>MDM stands for:
<variantright>Mobile Device Management
<variant>Mobile Desktop Manager
<variant>Machine Division Manager
<variant>Middle Device Maintenance
<question>MDM is responsible for:
<variantright>Managing and administrating mobile devices
<variant>Storing and showing mobile devices
<variant>Managing and storing mobile devices
<variant>Only administrating mobile devices
<question>Employees can bring their own mobile device to the organization
<variantright>True
<variant>False
<question>How can mobile devices be used in organizations?
<variantright>Personal and work purposes
<variant>Personal and common purposes
<variant>Work and common purposes
<variant>Public and common purposes
<question>Which of the following has a potential transformational effect on IT
environments, data centers, technology providers?
<variantright>IoT
<variant>MDM
<variant>BPM
<variant>ERP
<question>IoT, as defined by Gartner, Inc., is a system that allows remote assets from
“things” (e.g., stationary or mobile devices, sensors, objects, etc.) to interact and
communicate among them and with other network systems.
<variantright>True
<variant>False
<question>What is “spamming”?
<variantright>Disruptive online messages, especially commercial messages posted on a
computer network or sent as email.
<variant>Attack designed to disable a network by flooding it with useless traffic.
<variant>Piece of program code that contains self-reproducing logic, which piggybacks
onto other programs and cannot survive by itself.
<variant>Independent program code that replicates itself and eats away at data, uses up
memory, and slows down processing.
<question>What is “Denial-of-service attack”?
<variantright>Attack designed to disable a network by flooding it with useless traffic.
<variant>Disruptive online messages, especially commercial messages posted on a
computer network or sent as email.
<variant>Piece of program code that contains self-reproducing logic, which piggybacks
onto other programs and cannot survive by itself.
<variant>Independent program code that replicates itself and eats away at data, uses up
memory, and slows down processing.
<question>What is “worm”?
<variantright>Independent program code that replicates itself and eats away at data, uses
up memory, and slows down processing.
<variant>Attack designed to disable a network by flooding it with useless traffic.
<variant>Disruptive online messages, especially commercial messages posted on a
computer network or sent as email.
<variant>Piece of program code that contains self-reproducing logic, which piggybacks
onto other programs and cannot survive by itself.
<question> How many categories does the Feasibility Analysis include?
<variant>3
<variantright>5
<variant>6
<variant>9
