IT Risks in Relation to IT Environment:

1) Access Risks
a) Access risks are risks where users may be granted inappropriate access to information, data or
programs that can lead to unauthorized activities.
b) It may turn out that authorized people are denied access, while unauthorized people freely
access confidential information, especially on financial matters.
c) This can seriously interrupt operations, affect the accuracy of financial statements or even result in
a financial loss.

2) Integrity Risks
a) Integrity risk is considered an essential element to manage within a comprehensive
compliance program.
b) It refers to the threat to the reputation of the business and its profitability due to insufficient
compliance or people-related incidents, which include misconduct, bullying, sexual harassment,
breaches of privacy, improper use of social media, bribery and corruption, fraud and
whistleblower mistreatment.
c) This type of risk can greatly affect the business as well as the employees, with consequences such as
civil penalties, criminal charges, damage to reputation and fines.
d) In order to prevent and protect against integrity risk, the business must ensure that it
is able to comply with all legal and regulatory obligations and has effective policies and
procedures for the employees to abide by.

3) Relevance Risks
a) Relevance risk, also called “systematic risk” or non-diversifiable risk, is the fluctuation of
returns caused by the macroeconomic factors that affect all risky assets.
b) It consists of the “unknown unknowns” that occur as a result of everyday life.
c) It is unavoidable in all risky investments.
d) It can also be thought of as the opportunity cost of putting money at risk. In order to lessen
relevant risk, diversification is applied as a strategy.
e) A well-diversified portfolio will be made up of securities from various industries with different levels
of risk.

4) Availability Risks
a) Availability risk, also called “IT Continuity Risk”, refers to the risk that the performance and
availability of IT systems and data are adversely impacted.
b) This includes the inability to recover the institution’s services in a timely manner, due to a failure of IT
hardware or software components; weaknesses in IT system management; or any other related
events.

5) Infrastructure Risks
a) Infrastructure risks are the possible losses due to failure of basic services, organizational
structures and facilities.
b) These risks consist of under-provisioning or over-provisioning, hardware incompatibility, software
incompatibility, network issues and outages, migration issues, downtime, disaster recovery,
vendor reliability, and unexpected costs.

MULTIPLE CHOICE QUESTIONS

1) Which of the following is a type of IT risk?

A) Operational risk
B) Strategic risk
C) Compliance risk
D) All of the above
Explanation: IT risks encompass a wide range of potential issues, including operational, strategic, and
compliance risks.

2) Which of the following is a technique for identifying and assessing IT risks?

A) SWOT analysis
B) Brainstorming
C) Risk matrix
D) All of the above
Explanation: SWOT analysis, risk matrix, and brainstorming are all valid techniques for identifying and
assessing IT risks.

3) Which of the following is a benefit of IT risk management?

A) Reducing costs and losses
B) Enhancing customer satisfaction
C) Improving decision making
D) All of the above

Explanation: IT risk management can lead to reducing costs and losses, improving decision-making, and
enhancing customer satisfaction.

4) To achieve this control objective, the auditor can select a sample of messages from the transaction
log and examine them for garbled content caused by line noise.
a. Audit Procedures Relating to Equipment Failure
b. Audit Objectives Relating to Equipment Failure
c. Audit Procedures Relating to Subversive Threats
d. None of the above
Explanation: This is an audit objective relating to equipment failure, specifically examining the integrity
of messages in the transaction log.

5) Statement 1: Biometric controls ensure that, in the event of data loss due to equipment failure or
physical disaster, the organization can recover its database.
Statement 2: Data management can be divided into 3 general approaches: the FLAT FILE MODEL,
DATABASE MODEL and ACCESS CONTROL.
Statement 3: Data can be corrupted and destroyed by malicious acts from external hackers.

Which statement/s is/are correct?

A. Statement 1 is correct while the remaining statements are false
B. Statement 3 is false while statement 1 and 2 are correct
C. Statement 3 is correct while the remaining statements are false
D. Statement 3 and 1 are correct while statement 1 is False
Explanation: Statement 3 is correct regarding data corruption by external hackers, and statement 1 is
correct regarding biometric controls. Statement 2 is incorrect; data management typically includes
various models, but "FLAT FILE MODEL" is not a recognized general approach.

6) Audit Objective Relating to Database Backup


a) Verify backups are performed routinely and frequently
b) Verify that automatic backup procedures are in place and functioning and that copies of the
database are stored off-site
c) Verify that controls over the data resource are sufficient to preserve the integrity and physical
security of the database
d) All of the above
Explanation: All the provided options are valid audit objectives relating to database backup.

7) This is an automatic procedure that should be performed at least once a day.


a. Transaction log
b. Recovery Module
c. Backup
d. Checkpoint feature
Explanation: Regular backups are typically performed automatically to ensure data is protected and can
be restored in case of loss.

8) The auditor can test control by simulating access by a sample of users and attempting to retrieve
unauthorized data via:
A. Encryption control
B. Inference queries.
C. Inference control
D. Back up control
Explanation: Inference queries involve attempting to retrieve unauthorized data, making them suitable
for testing control over data access.

9) What are the three types of compromises that inference controls attempt to prevent?
A. Positive language, Negative language and Approximate language
B. Positive ions, Negative ions and Approximate ions
C. Positive compromises, Negative compromises and Approximate compromises
D. Positive love, Negative love and Approximate value
Explanation: Inference controls aim to prevent various types of compromises in data security, including
positive, negative, and approximate compromises.

10) This will recognize your fingerprints, voice prints, retina prints or signature characteristics.
A. Heart
B. Data encryption
C. User View
D. Biometric Device
Explanation: Biometric devices utilize physical characteristics for identification or authentication.

11) Feature that suspends all data processing while the system reconciles the transaction log and the
database change log against the database.
a. Checkpoint feature
b. Transaction log
c. Recovery Module
d. Backup
Explanation: The checkpoint feature allows for the reconciliation of logs and database changes,
suspending processing for this purpose.

12) Audit Procedures for Testing Database Back up Control
a) Verify backups are performed routinely and frequently
b) Verify that controls over the data resource are sufficient to preserve the integrity and physical
security of the database
c) Verify that automatic backup procedures are in place and functioning and that copies of the
database are stored off-site
d) Both a and c
Explanation: Both verifying routine backups and ensuring off-site storage are important audit procedures
for testing database backup control.

13) Evidence may come from 3 sources. Which is not included:


A. Through personal interviews with programmers and Database Administrator (DBA) personnel
B. By reviewing company policy and job description
C. Through personal interviews without programmers and DBA personnel
D. By examining programmer authority tables for access privileges to data definition language
Explanation: Personal interviews without relevant personnel may not yield valuable evidence for auditing
purposes.

14) User defined procedures allow the user to create a personal security program while Back up controls
are designed to prevent unauthorized individuals from viewing, retrieving or corrupting the entity's
data.
A. I am sure that both User defined procedures and Back-up controls definition are correct
B. Only the User defined procedure statement is correct
C. I don't care about the topic
D. Back up control definition is correct
Explanation: Both statements are correct; user-defined procedures and backup controls serve distinct
but complementary roles in data security.

15) The auditor can select a sample of users and verify that their access privileges stored in the authority
table are consistent with their job descriptions and organizational levels.
a. Biometric Controls
b. Inference Controls
c. Encryption Controls
d. Appropriate Access Authority
Explanation: This action aligns with verifying appropriate access authority to ensure users' access
privileges match their roles and responsibilities.

16) The auditor should evaluate the costs and benefits of what controls?
a. Biometric Controls
b. Inference Controls
c. Encryption Controls
d. Appropriate Access
Explanation: Evaluating costs and benefits is essential for determining the effectiveness of controls
related to ensuring appropriate access to resources.

17) The auditor should verify that database query controls exist to prevent unauthorized access via
inference.
a. Biometric Controls
b. Inference Controls
c. Encryption Controls
d. Appropriate Access
Explanation: Verifying database query controls is specifically related to inference controls, which aim to
prevent unauthorized access.

18) The auditor should verify that sensitive data, such as passwords, are properly encrypted.
a. Biometric Controls
b. Inference Controls
c. Encryption Controls
d. Appropriate Access
Explanation: Verifying proper encryption of sensitive data pertains to encryption controls, which
safeguard data from unauthorized access.

19) It also uses encryption procedures to protect highly sensitive stored data.
A. Access control
B. Biometric device
C. Data encryption
D. Inference control
Explanation: Encryption procedures are employed to protect highly sensitive data from unauthorized
access, making data encryption the correct choice.
