1. The susceptibility of a business or process to make an error that is material in nature, assuming there
were no internal controls.
A. Inherent risk
B. Control risk
C. Detection risk
D. Correction risk
Answer: A
2. The risk that the controls put in place will not prevent, correct, or detect errors on a timely basis.
A. Inherent risk
B. Control risk
C. Detection risk
D. Correction risk
Answer : B
3. The risk that the IS auditor's substantive procedures will not detect an error that could be material.
A. Inherent risk
B. Control risk
C. Detection risk
D. Material risk
Answer: B
4. Log reviews may not result in timely detection or correction of errors. This is an example of
A. Inherent risk
B. Control risk
C. Detection risk
D. Race condition risk
Answer: B
5. Controls that are designed to prevent an error, omission, or negative act from occurring are
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Answer: A
6. Controls that are designed to predict potential problems before they occur
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Answer: A
7. Employing only qualified personnel is an example of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Internal controls
Answer: A
8. Segregation of duties is an example of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Deterrent controls
Answer: A
9. Controlling access to physical facilities is an example of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Deterrent controls
Answer: A
10. Using well-designed documents to prevent errors is an example of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Deterrent controls
Answer: A
11. Establishing suitable procedures for authorization of transactions is an example of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Deterrent controls
Answer: A
12. Using access control software that allows only authorized personnel to access sensitive files is an
example of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Deterrent controls
Answer: A
13. Controls put in place to detect or indicate that an error or a bad thing has happened are
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Deterrent controls
Answer: B
14. Controls that enable a risk or deficiency to be corrected before a loss occurs are
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Deterrent controls
Answer: C
15. Controls that reduce the likelihood of a deliberate act to cause a loss or an error are
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Deterrent controls
Answer: D
16. Controls that indirectly mitigate a risk or the lack of controls directly acting upon a risk are
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Answer: D
17. Locking the door is an example of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Deterrent controls
Answer: A
18. Taking positive actions and proactive steps based on previously identifying the risks are usually
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Deterrent controls
Answer: A
19. An alarm on the door is an example of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Answer: B
20. A check subroutine that identifies an error and makes a correction before enabling the process to
continue is an example of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Deterrent controls
Answer: C
21. Barriers or warning signs are examples of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Deterrent controls
Answer: D
22. The process of paying someone else to assume the risk is
A. Risk transference
B. Risk mitigation
C. Risk acceptance
D. Inherent risk
Answer: A
23. An "Echo" message in telecommunications protocol is an example of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Answer: B
24. Duplicate checking of calculations is an example of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Answer: B
25. Checkpoints in production jobs are examples of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Answer: B
26. The analysis of periodic performance reports with variances is an example of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Answer: B
27. The analysis of past-due account reports is an example of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Answer: B
28. The Internal Audit functions are examples of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Answer: B
29. Controls that minimize the impact of a threat are
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Answer: C
30. Controls that remedy problems discovered by detective controls are
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Answer: C
31. Controls that identify the cause of a problem are
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Deterrent controls
Answer: C
32. Controls that modify the processing system(s) to minimize future occurrences of problems are
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Deterrent controls
Answer: C
33. Contingency planning is an example of
A. Preventive control
B. Detective control
C. Corrective control
D. Deterrent control
Answer: C
34. A backup procedure is an example of
A. Preventive control
B. Detective control
C. Corrective control
D. Deterrent control
Answer: C
35. A rerun procedure is an example of
A. Preventive control
B. Detective control
C. Corrective control
D. Compensating control
Answer: C
36. Control objectives in an information systems environment, compared with those of a manual
environment:
A. are totally different.
B. remain unchanged but features may be different
C. should be changed but features are the same
D. should not be changed as features are the same.
Answer: B
37. Evidence gathering to evaluate the integrity of individual transactions, data or other information is typical
of which of the following?
A. Substantive testing
B. Compliance testing
C. Detection testing
D. Control testing
Answer: A
Evidence gathering to evaluate the integrity of individual transactions, data or other information is called
substantive testing whereas evidence gathering for the purpose of testing an organization's compliance with
control procedures is called compliance testing. Detection and control tests are irrelevant.
38. What is the first action an IS auditor should take after identifying a weakness in a control?
A. Suggest a corrective action
B. Take the finding directly to the steering committee
C. Try and find a compensating control for the identified weakness
D. Take note of it for inclusion in the final audit report
Answer: C
A control objective will not normally be achieved by considering one control adequate. The IS auditor will
rather perform a variety of testing procedures and evaluate how these relate to one another. An IS auditor
should always review for compensating controls prior to reporting a control weakness.
39. Which of the following should an internal IS audit function report to in an organization?
A. Senior management
B. User management
C. IS management
D. Business units
Answer: A
The audit function should normally report to senior management. The higher the reporting relationship in an
organization, the greater the importance attached to the audit function. This provides independence and
protects the auditor from organizational pressures.
40. In a properly segregated environment, which of the following functions could be performed by the same
person?
A. Data entry and job scheduling
B. Database administration and security administration
C. Security administration and data entry
D. Security administration and quality assurance
Answer: D
Segregation of duties is an important means by which fraudulent and/or malicious acts can be discouraged
and prevented. When duties are properly segregated, no one person has complete control over a
transaction throughout its initiation, authorization, recording, processing and reporting. In a properly
segregated environment, quality assurance can be an additional responsibility of the security administrator
without violating the segregation of duties principle. Other functions are incompatible. Database
administration and security administration are incompatible because of possible manipulation of access
privileges and rules for personal gain. Data entry and job scheduling are incompatible because a data entry
person could submit unauthorized jobs. Security administration is incompatible with data entry since the
security administrator would be in a position to openly introduce fraudulent data.
41. In a properly segregated environment, which of the following functions is NOT compatible with that of
Quality Assurance?
A. Systems analyst
B. Data entry
C. Security administrator
D. Computer operator
Answer: A
A proven method to ensure that transactions are properly authorized and recorded and that the company's
assets are safeguarded is to structure separation of duties. Lack of proper separation of duties can result in
potential damage to the organization. When a proper separation of duties cannot be achieved,
compensating controls must exist in order to mitigate the resulting risk. Nevertheless, some functions should
not be combined since no compensating controls can mitigate the separation of duties risk. In this case, the
quality assurance function should not be performed by the systems analyst for the obvious reason that an
evaluation of a system's design quality might be biased.
42. Which of the following best describes a Trojan Horse?
A. A macro virus embedded in email
B. A malicious computer program embedded in an executable file
C. A computer program embedded in an authorized program
D. A malicious computer program embedded in an application program
Answer: C
A Trojan horse is classified as a program that can be malicious or nonmalicious during execution. Thus, a
malicious computer program embedded in an application program and a malicious computer program
embedded in an executable file are incorrect answers because they do not consider nonmalicious Trojan
horses. A macro virus embedded in email is incorrect because a Trojan horse may not have a virus element.
43. The IT steering committee's role in the IT planning process is to:
A. document meeting notes.
B. make presentations.
C. conduct meetings regularly.
D. approve meeting notes.
Answer: B
Choices (A, C, and D) are the responsibility of the top IT executive who can schedule, organize, and
document meetings. It is important to have a business person from the IT steering committee who can make
the majority of the presentations to the executive committee. This demonstrates business management's
ownership, support, and commitment. The role of the executive committee in the planning process is to
provide IT with strategic business direction, to set priorities, and to approve the expenditure of funds.
44. There are seven layers in the open system interconnection (OSI) reference model offering security
services to enhance the security of information systems. Which of the following OSI layers provides
confidentiality, authentication, and data integrity services?
A. Network layer
B. Presentation layer
C. Session layer
D. Physical layer
Answer: A
The network layer is responsible for transmitting a message from source to destination. It provides routing
(path control) services to establish connections across communications networks. Achieving this goal
requires confidentiality, authentication, and data integrity services. Presentation layer (choice B) is incorrect
because it provides authentication and confidentiality services, but not data integrity. The presentation layer
defines and transforms the format of data to make it useful to the receiving application. Session layer (choice
C) is incorrect because it does not provide any security-related services. It establishes, manages, and
terminates connections between applications, and provides checkpoint-recovery services. It helps users
interact with the system and with other users. Physical layer (choice D) is incorrect because it provides
confidentiality service only. The physical layer provides for the transmission of unstructured bit streams over
the communications channel. It is the innermost software that handles the electrical interface between a
terminal and a modem.
45. Which of the following situations poses the least threat to ensuring the security and integrity of
alternative components used in telecommunications backup?
A. Switching from fiber optics to wire pair
B. Switching from digital to analog line
C. Switching from analog to digital line
D. Switching from dedicated to dial-up line
Answer: C
Choice (C) is the correct answer. Switching from analog to digital is more secure and less prone to errors
than other options. Digital lines are more reliable. Security and the data integrity of alternative components
used must be considered in the contingency plan. Switching from fiber optics to wire pair (choice A),
dedicated to dial up line (choice D), or digital to analog (choice B) may make the line more susceptible to a
wiretap or to line noise, which can result in errors. Using dial up lines could facilitate access by the public.
46. Fire has swept through the premises of an organization's computer room. The company has lost its
entire computer system. The best thing the organization could have done is to:
A. plan for cold-site arrangements.
B. plan for mutual agreements-negotiate with other similar organizations to back each other.
C. plan for warm-site arrangements since everything was ready to go.
D. take daily backups to an off-site storage facility.
Answer: D
Choice (D) is the correct answer. Daily backups taken to off-site storage facilities can minimize damage. A
whole company can suffer when disaster strikes. There is no room for complacency. Even hot/warm/cold
sites and mutual agreements (choices A through C) require backups to continue with business operations.
"No backup, no recovery" should be practiced.
47. In order for a system to provide for continuity and effective control over the proposed IS activities, the
system development process should be performed in a certain order. In which of the following sequences
are the computer systems development phases listed in the order in which they should be performed?
A. Implementation planning, development of user specifications, systems planning, and programming
B. Development of user specifications, development of technical specifications, implementation planning,
and programming
C. Training of user department personnel, implementation planning, and system testing
D. Implementation planning, programming, conversion, and system testing
Answer: B
Choice (B) is the correct answer. Development of business/user specifications is followed by the
development of technical specifications, requiring implementation planning, followed by programming,
testing, and training. In other words, business/user requirements drive the entire system development
process.
48. The Annual Loss Expectancy (ALE) of a risk without controls is expected to be $35,000 to a business
process you are evaluating. You are recommending a control that will save 80 percent of that loss at an
annual cost of $20,000 over the life of the process. Is the control justifiable?
A. No, the savings are insignificant relative to the cost.
B. Yes, 80 percent of the loss amounts to $28,000 per year, which exceeds the annual cost by $8,000 per
year.
C. No, ALE is a subjective number and cannot be depended on to make this decision.
D. Maybe, it depends on the management's appetite for risk and loss.
Answer: B
The correct answer is B. This is a justifiable control mechanism for management to consider for
implementation. The significance of the savings compared to the cost (A) is a management decision and not
one the IS auditor should be making. While ALE may be somewhat subjective (C), if its source and the
method used to derive it is objective and reliable, it is a valid way to determine potential saving or loss over
time. While management does have the responsibility for making decisions related to implementing all
controls (D), this is still a justifiable control, should management choose to implement it.
49. A risk assessment has determined that the losses that could be potentially incurred with the delivery
system of a business may cost up to $10,000 per month. Preventive controls have been recommended that
will save the company $7,000 per month but this control will take three months to implement at a cost of
$100,000 and at an ongoing cost of $1,000 per month. The business process has a life span of five years
and has been in production for one year. Is the control justified?
A. Yes, the savings over the remaining life of the process would be $315,000, thus justifying the expense.
B. No, the $3,000 per month that will be missed over the life of the process ($144,000) exceeds the cost of
the control.
C. Yes, the total cost of the control over the remaining process life is $145,000, while the potential loss
without the control would be $480,000.
D. Maybe, if the potential savings over the remaining life of the process ($315,000) minus the total cost of
the control ($145,000) represents a material risk to the company's management ($170,000), management
may consider implementing the control and avoiding the risk.
Answer: D
The correct answer is D. This question is about potential loss not actual loss. The risk of loss is a
management decision that must be weighed against the probability of occurrence (not referenced in the
problem), and the appetite for risk by management. The cost of funds and other priorities may influence this
decision as well. While the control looks justifiable on paper (savings exceed cost over the life of the process by
a significant amount), the probability of that loss occurring to the business needs to be factored into the
decision process.
50. What is the primary difference to keep in mind when evaluating automated and manual controls?
A. Automated controls can operate in an unattended fashion, which requires less testing and monitoring.
B. Manual controls require human interaction to be successfully deployed and must consider human fallibility
as part of the accuracy assessment.
C. Potential losses are more difficult to measure with manual controls because the error rates are more
difficult to measure.
D. Training and documentation are required for manual controls while automated controls do not require
such documentation.
Answer: B
The correct answer is B. The human factor is the most important consideration when evaluating manual
controls against automated controls. Training and documentation (D) is one aspect of this human interaction
as a control mechanism, but there are other aspects, such as human nature, which also play a part in this
analysis. Potential loss when using manual controls (C) may be a factor to consider in this evaluation, but it
is not the primary concern.
Although the automated controls are automatic by design, they still must be monitored and tested (A)
commensurate with the risk they are put in place to control.