
1. It serves as the primary guideline for allocating scarce resources throughout the firm and keeping the organization headed in a profitable direction.
a. IT governance
b. Strategic plan
c. Mission and vision
d. Company policy

2. The following are the participants in systems development, except:
a. End users
b. Management
c. Accountants/auditors
d. System professionals

3. Big bang implementation is when
a. the new application is placed into production alongside the existing application and both are used to simultaneously process live data
b. the organization ceases using the old system and immediately begins operating the new system
c. a relatively small group of users is identified to first use the new system before placing it into use
d. none of the above

4. Parallel implementation is when
a. the new application is placed into production alongside the existing application and both are used to simultaneously process live data
b. the organization ceases using the old system and immediately begins operating the new system
c. a relatively small group of users is identified to first use the new system before placing it into use
d. none of the above

5. Big bang implementation is when
a. the new application is placed into production alongside the existing application and both are used to simultaneously process live data
b. the organization ceases using the old system and immediately begins operating the new system
c. a relatively small group of users is identified to first use the new system before placing it into use
d. none of the above

6. In project development, monitoring of activities and use of benchmarks, milestones and deliverables to track progress are
done under what phase?
a. First phase
b. Second phase
c. Third phase
d. Fourth phase

7. In the fourth phase
a. the specific sequencing and timing of each activity and associated resources are scheduled
b. it involves planning, setting time, scope and cost parameters for the entire project
c. controlling and development of specific actions aimed at keeping a project moving forward in the most efficient manner are done
d. project manager should obtain client acceptance, release and evaluate project personnel, identify and reassign remaining project assets, consider a post-project evaluation and chronicle the history of the project

8. Below are the roles of a project manager, except:
a. Has overall responsibility for the project
b. Should be solely responsible for planning the project
c. Should have a great deal of experience in the domain area and skill at managing projects
d. Should work with representatives from senior management, the IT staff, and affected users in planning and executing
the project

9. IT function scorecard includes
a. Company’s mission and vision
b. Project plan and budget
c. Operational performance
d. IT risks

10. All are important policy areas of IT function, except:
a. Organizational
b. Hardware
c. Contingency
d. Risks

11. Information systems acquisition can be made through
a. In-house development
b. Commercial systems
c. Either a or b
d. Neither a nor b

12. The following are types of commercial systems, except:
a. General accounting system
b. Special purpose system
c. Turnkey systems
d. Extreme programming system

13. This serves as the foundation for setting an explicit IT strategy, which details how the IT Function will achieve its objectives
through its organizational structure, relationships with others and IT configurations
a. IT function
b. IT governance
c. IT objective
d. IT controls

14. Strategy
a. Represents the guiding light for developing a set of objectives
b. Support the mission and objectives of the organization
c. Is used to develop a set of policies
d. All of the above

15. Which of the following statements is/are correct?
I. Information technology plans can be incongruent with company plans
II. Long term planning is one of the most effective means of minimizing the risk that organizational resources will be used
in ways that are congruent with the company’s overall goals and objectives
a. Both statements
b. Only statement I
c. Only statement II
d. None of the statements

16. Cultural feasibility is achieved when
a. The current, affordable and reliable technology can be reasonably applied to the project
b. The project can be justified on an economic basis considering the start-up capital, expenses, revenues, and investor
income and disbursements
c. The scientific as well as ethical, behavioural, and social issues do not affect the project development
d. None of the above

17. Technical feasibility is achieved when
a. The necessary skills, such as intellectual skills, are available in-house or outsourced
b. The project can be justified on an economic basis considering the start-up capital, expenses, revenues, and investor
income and disbursements
c. The scientific as well as ethical, behavioural, and social issues do not affect the project development
d. None of the above

18. Financial feasibility is achieved when
a. The necessary skills, such as intellectual skills, are available in-house or outsourced
b. The project can be justified on an economic basis considering the start-up capital, expenses, revenues, and investor
income and disbursements
c. The scientific as well as ethical, behavioural, and social issues do not affect the project development
d. None of the above

19. Information systems development proposal
I. Formally documents the reasons why the project should be considered and how it maps to the strategic plan
II. Is the responsibility of the project manager only
III. Reviewed by the steering committee

a. All statements are correct
b. Only 1 statement is correct
c. Only 2 statements are correct
d. All statements are incorrect

20. All are implementation issues, except
a. Affected Parties are Not Involved
b. Work Breakdown Structure
c. Training and Educational Programs
d. Formal Change Management Policy

21. What is the order of a coherent IT planning process?
I. Strategy
II. Policies
III. Mission
IV. Objectives
V. Vision
a. IV,V,III,II,I
b. V,III,IV,I,II
c. V,III,IV,II,I
d. IV,V,III,I,II

22. All are IT risks, except:
a. Business risk
b. Continuity risk
c. Privacy risk
d. Security risk

23. Arrange the risk management process in order.
I. Identify IT risks
II. Identify IT controls
III. Document IT controls
IV. Assess IT risks

a. I,IV,II,III
b. I,II,III,IV
c. II,III,I,IV
d. II,I,III,IV

24. It is the likelihood that an organization will not achieve its business goals and objectives
a. Business risk
b. Audit risk
c. Objective risk
d. Security risk

25. Which of the following is an external factor of a business risk?
a. Labor disputes
b. Equipment failures
c. Management fraud
d. New competitor in the market place

26. Which of the following statements is/are correct?
I. Managers and auditors strive to balance risks, rather than eliminate them
II. IT makes business more efficient and at the same time riskier

a. Both statements
b. Only statement I
c. Only statement II
d. None of the statements

27. Audit risk is
a. The likelihood that an organization’s external auditor makes a mistake when issuing an opinion attesting to the fairness of
its financial statements.
b. That an external auditor fails to uncover a material error or fraud.
c. Only A is correct
d. Both A and B are correct

28. The audit risk model includes all, except:
a. Inherent
b. Residual
c. Control
d. Detection

29. Statement I: Inherent risk, control risk and detection risk are independent from each other.
Statement II: Auditors can reduce risks to zero by managing risks at an acceptable level and in a cost-effective manner.

a. Both statements are true
b. Only statement I is true
c. Only statement II is true
d. Both statements are false

30. Security risk
a. Includes risk associated with an information system’s availability and backup and recovery
b. Ensures that in case of interruptions, the procedures are available to restore data and operations.
c. Includes risk associated with data access and integrity
d. All of the above

31. Risk assessment includes all, except:
a. Identify threats and exposures
b. Evaluate vulnerabilities to risk
c. Determine acceptable risk levels
d. Document risk levels

32. Statement I: The COSO international framework definition emphasizes that internal control is a process and that it is a
responsibility of an organization’s management, employees, and board of directors.
Statement II: Included within the COSO framework are five interrelated components of internal control that relate to the three objectives of internal control.
a. Both statements are true
b. Only statement I is true
c. Only statement II is true
d. Both statements are false

33. Which of the following is not an objective of internal control as defined by COSO?
a. Effectiveness and efficiency of operations
b. Reliability of financial reporting
c. Compliance with laws and regulations
d. Prevention of IT risks

34. Statement I: Canadian Criteria Control Committee defines internal control as encompassing financial and operational controls, and the auditor should report on both
Statement II: Canadian Criteria Control Committee is less complex than Cadbury and COSO
a. Both statements are true
b. Only statement I is true
c. Only statement II is true
d. Both statements are false

35. Which of the following is not a dimension of CobiT?
a. Information criteria
b. IT governance
c. IT processes
d. IT resources

36. In system reliability assurance engagements
a. Auditors seek to give comfort that controls over an IT ensure its reliability.
b. IT auditors can use CobiT as a foundation for making the system reliability assurances
c. Controls are identified over IT and test the extent to which controls are meeting their objectives for the period
covered by the engagement
d. All of the above

37. Documenting Information Technology Controls can be through, except:
a. Internal control narratives
b. Internal control testing
c. Flow charts
d. Internal control questionnaires

38. Which of the following is incorrect about monitoring information technology risks and controls?
a. Risk management can be done on a time-to-time basis but not continuously
b. It ensures that IT meets business objectives
c. It may include exception reporting systems
d. It points to the fact that sometimes humans do not make use of IT controls

39. When electronic information is compromised, the ramifications of such crime fall into the following categories, except:
a. Confidentiality
b. Objectivity
c. Integrity
d. Availability

40. It occurs when an authorized user is prevented from timely, reliable access to data or a system, such as a denial of service
attack
a. Confidentiality
b. Objectivity
c. Integrity
d. Availability

41. It occurs when a system or data has been accidentally or maliciously modified, altered, or destroyed without authorization.
a. Confidentiality
b. Objectivity
c. Integrity
d. Availability

42. It occurs when a person knowingly accesses a computer without authorization or when a person exceeds his authorized access.
a. Confidentiality
b. Objectivity
c. Integrity
d. Availability

43. If the audit client owns one or more copyrights, the auditor should
a. Make sure that client has policies or activities aimed at protecting their copyrights
b. Look if such are copyrighted, if not suggest it to the client
c. Auditor should ensure that the client has the right to use it
d. All of the above

44. If the audit client uses trademarks of other entities, the auditor should
a. Make sure that client has policies or activities aimed at protecting it
b. Look if such are registered, if not suggest it to the client
c. Auditor should ensure that the client has the right to use it
d. All of the above

45. Statement I: If an IT auditor works for communication services or remote computing services, they must check the internal control in securing the contents of electronic communications
Statement II: If computers have been accessed without proper authorization, they should not jump to the conclusion of a possible cybercrime.

a. Both statements are true
b. Only statement I is true
c. Only statement II is true
d. Both statements are false

46. Which of the following is not a reason for organizations to develop codes of ethical conduct?
a. Promote high standards of practice throughout the organization
b. Offer a vehicle for occupational identity
c. Provide a benchmark for organization members to use for self-evaluation
d. Prevent members of organizations from committing irregular and illegal acts

47. Which of the following is an example of an irregular and illegal act?
a. Fraud
b. Computer crimes
c. Nonconformity with agreements and contracts between the organization and third parties
d. Reporting of company’s illegal act to the government authority

48. Statement I: Auditors are not qualified to determine whether an irregular, illegal or erroneous act has occurred.
Statement II: Determination of irregular and illegal acts should be made by a qualified expert, such as IT auditor or external
auditor.
a. Both statements are true
b. Only statement I is true
c. Only statement II is true
d. Both statements are false

49. To whom can the IT auditor report suspected irregular and illegal acts?
a. Government authority
b. Co-IT auditor
c. Board of directors/audit committee
d. Employees suspected of irregular and illegal act

50. Statement I: Common laws are written laws enacted by a legislature, the collection of rules imposed by authority.
Statement II: Statutory law reflects customs and general principles that serve as precedents to situations not covered by
common law.
a. Both statements are true
b. Only statement I is true
c. Only statement II is true
d. Both statements are false

51. Statement I: IT auditor must look to ensure that at least one of the three elements (Consent, Object or Consideration) is
stated in the contract.
Statement II: IT auditors will examine written contracts of purchase and sale of goods (e.g. computer equipment and software
applications) and services (e.g. outsourcing arrangements and maintenance agreements)
a. Both statements are true
b. Only statement I is true
c. Only statement II is true
d. Both statements are false

52. Which of the following is not one of the general personal and business skills that IT auditors must possess?
a. Business education
b. Technical computer skills
c. Accounting skills
d. Marketing skills

53. Statement I: IT auditor may work hand-in-hand with the financial auditor through each step in the engagement, from
planning through delivery of the report.
Statement II: The amount of work the IT auditor does does not depend on the support the financial auditor requests.
a. Both statements are true
b. Only statement I is true
c. Only statement II is true
d. Both statements are false

54. Which of the following is an engagement that an IT auditor might not perform?
a. Providing third party assurance
b. Penetration testing
c. Supporting the financial audit
d. All of the above can be performed by an IT auditor

55. Statement I: Roles of IT auditors vary with their position within or outside an organization and with each individual project.
Statement II: The level of expertise needed for an engagement varies from the very technical to a need for plain common
sense and good communication skills.
a. Both statements are true
b. Only statement I is true
c. Only statement II is true
d. Both statements are false
