Practice Questions

1.

If an organization chooses to implement a control self-assessment program, the auditor should participate primarily as a:

A. Monitor

B. Facilitator

C. Project leader

D. The auditor should not participate in the organization's CSA program because doing so would create a potential conflict of interest.

A1:

Answer: B. The traditional role of an IS auditor in a control self-assessment (CSA) should be that of a facilitator.

2.

Which of the following elements must be present to properly log activities and achieve accountability for actions performed by a user?

A. Identification and authorization only

B. Authentication and authorization only

C. Identification and authentication only

D. Authorization only

A2:

Answer: C. If proper identification and authentication are not performed during access control, no accountability can exist for any action performed.

3.

When initially planning a risk-based audit, which of the following steps is MOST critical?

A. Evaluating the organization's entire environment as a whole

B. Establishing an audit methodology based on accepted frameworks, such as COBIT or COSO

C. Documenting procedures to ensure that the auditor achieves the planned audit objectives

D. The identification of the areas of high risk for controls failure

A3:

Answer: D. In planning an audit, the MOST critical step is identifying areas of high risk.

4.

What is the PRIMARY purpose of audit trails?

A. To better evaluate and correct audit risk resulting from potential errors the auditor might have committed by failing to detect controls failure

B. To establish a chronological chain of events for audit work performed

C. To establish accountability and responsibility for processed transactions

D. To compensate for a lack of proper segregation of duties

A4:

Answer: C. Although secure audit trails and other logging are used as a compensatory control for a lack of proper segregation of duties, the primary purpose of audit trails is to establish accountability and responsibility for processed transactions.

5.

Which of the following is the MOST appropriate type of risk to be associated with authorized program exits (trap doors)?

A. Inherent

B. Audit

C. Detection

D. Business

A5:

Answer: A. Inherent risk is associated with authorized program exits (trap doors).

6.

When performing an audit of an organization's systems, the auditor's first step should be to:

A. Develop a strategic audit plan

B. Gain an understanding of the focus of the business of the organization

C. Perform an initial risk assessment to provide the foundation for a risk-based audit

D. Determine and define audit scope and materiality

A6:

Answer: B. The IS auditor's first step is to understand the business focus of the organization. Until the auditor has a good understanding of the organization's business goals, objectives, and operations, the auditor will not be able to competently complete any of the other tasks listed.

7.

Which of the following risks results when the auditor uses an insufficient test procedure, resulting in the auditor's ill-informed conclusion that material errors do not exist, when, in fact, they do?

A. Business risk

B. Detection risk

C. Audit risk

D. Inherent risk

A7:

Answer: B. Detection risk results when an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when, in fact, they do.

8.

Which of the following is considered the MOST significant advantage of implementing a continuous auditing approach?

A. It can improve system security when used in time-sharing environments that process a large number of transactions.

B. It can provide more actionable audit results because of the increased input from management and staff.

C. It can identify high-risk areas that might need a detailed review later.

D. It can significantly reduce the amount of resources necessary for performing the audit because time constraints are more relaxed.

A8:

Answer: A. The PRIMARY advantage of a continuous audit approach is that it can improve system security when used in time-sharing environments that process a large number of transactions.

9.

When an IS auditor finds evidence of minor weaknesses in controls, such as use of weak passwords, or poor monitoring of reports, which of the following courses of action is MOST appropriate for the auditor?

A. Take corrective action by informing affected users and management of the controls' vulnerabilities

B. Realize that such minor weaknesses of controls are usually not material to the audit

C. Immediately report such weaknesses to IT management

D. Take no corrective action whatsoever, and simply record the observations and associated risk arising from the collective weaknesses into the audit report

A9:

Answer: D. While preparing the audit report, the IS auditor should record the observations and the risk arising from the collective weaknesses.

10.

Which of the following is considered to present the GREATEST challenge to using test data for validating processing?

A. Potential corruption of actual live data

B. Creation of test data that covers all possible valid and invalid conditions

C. Test results being compared to expected results from live processing

D. Data isolation issues associated with high-speed transaction processing

A10:

Answer: B. Creating test data that covers all possible valid and invalid conditions is often the greatest challenge in using test data.
