
1. In performing a risk-based audit, which risk assessment is completed initially by the IS auditor?
a. Detection risk assessment
b. Control risk assessment
c. Inherent risk assessment
d. Fraud risk assessment

2. The FIRST step in planning an audit is to:
a. define audit deliverables.
b. finalize the audit scope and audit objectives.
c. gain an understanding of the business’s objectives.
d. develop the audit approach or audit strategy.

3. A company performs a daily backup of critical data and software files and stores the backup
tapes at an offsite location. The backup tapes are used to restore the files in case of a
disruption. This is a:
a. preventive control.
b. management control.
c. corrective control.
d. detective control.

4. What is considered the MOST critical element for the successful implementation of an
information security (IS) program?
a. An effective enterprise risk management (ERM) framework
b. Senior management commitment
c. An adequate budgeting process
d. Meticulous program planning

5. Which of the following tasks may be performed by the same person in a well-controlled
information processing computer center?
a. Security administration and change management
b. Computer operations and system development
c. System development and change management
d. System development and systems maintenance

6. When a complete segregation of duties cannot be achieved in an online system environment,
which of the following functions should be separated from the others?
a. Origination
b. Authorization
c. Recording
d. Correction

7. An IS auditor is verifying the IT policies and found that some of the policies have not been
approved by management (as required by policy), but the employees strictly follow the policies.
What should the IS auditor do first?
a. Ignore the absence of management approval because employees follow the policies
b. Recommend the immediate management approval of the policies.
c. Emphasize the importance of approval to management
d. Report the absence of documented approval

8. An IS auditor is reviewing changes to a company’s disaster recovery (DR) strategy. The IS
auditor notices that the recovery point objective (RPO) has been shortened for the company’s
mission-critical application. What is the MOST significant risk of this change?
a. The existing DR plan is not updated to achieve the new RPO
b. The DR team has not been trained on the new RPO
c. Backups are not done frequently enough to achieve the new RPO
d. The plan has not been tested with the new RPO

9. A poor choice of passwords and transmission over unprotected communications lines are
examples of:
a. Vulnerabilities
b. Threats
c. Probabilities
d. Impacts

10. An IS auditor is planning an audit of a bank’s wire transfer system in the context of a regulation
that requires banks to accurately report transactions. Which of the following represents the
PRIMARY focus of the audit scope?
a. Data availability
b. Data confidentiality
c. Currency of data
d. Data integrity
