MCQ on Information Audit...Risk and controls (the option in bold is the answer)


  1. Which is not the purpose of Risk analysis?
    1. It supports risk based audit decisions
    2. Assists the Auditor in determining Audit objectives
    3. Ensures absolute safety during the Audit
    4. Assists the Auditor in identifying risks and threats
  2. Which term best describes the difference between the sample and the population in the sampling process?
    1. Precision
    2. Tolerable error rate
    3. Level of Risk
    4. Analytical Data
  3. Name one of the purposes of creating a Business Continuity Plan
    1. To maximise the number of decisions made during an incident
    2. To minimise decisions needed during a crisis
    3. To lower business insurance premiums
    4. To provide guidance for federal regulations
  4. Failing to prevent or detect a material error would represent which type of risk?
    1. Overall Audit Risk
    2. Detection Risk
    3. Inherent Risk
    4. Control Risk
  5. Which is one of the bigger concerns regarding asset disposal?
    1. Residual Asset Value
    2. Employees taking disposed property home
    3. Standing data
    4. Environmental Regulations
  6. Who should issue organisational policies?
    1. Policies should originate from the bottom and move up to the middle management level for approval
    2. The policy should be issued in accordance with the approved standards by the middle management level
    3. Policy can be issued by any level of management based on a case to case basis
    4. The policy should be signed and enforced by the highest level of management
  7. A program check that ensures data entered by a data entry operator is complete is an example of a
    1. Detective Control
    2. Preventive Control
    3. Corrective Control
    4. Redundancy Control
  8. What is the primary objective in problem escalation?
    1. Improve customer satisfaction
    2. Optimise the number of skilled personnel
    3. Ensure the correct response
    4. Prove that the IT staff is competent
  9. Which of the following is LEAST important when Auditors review Internal Controls?
    1. The existence of an Audit Committee in the Organisation
    2. The Organisational structure and the Management style used by the Organisation
    3. The existence of a Budgeting System
    4. The number of Personnel working for the Organisation
  10. What is the best example of why plan testing is important?
    1. To prove the plan worked the first time
    2. To find the correct problems
    3. To show the team that is not pulling their own weight
    4. To verify that everyone shows up at the recovery site
  11. Continuity planners can create plans without the business impact analysis (BIA) process because
    1. Business Impact Analysis is not required
    2. Management already dictated all the key processes to be used
    3. Not possible, critical processes continuously change
    4. Risk assessment is acceptable
  12. What are the three competing demands to be addressed by the Project Management?
    1. Scope, Authority and Availability of Resources
    2. Time, Cost and Scope
    3. Requirements, Authority and Responsibility
    4. Authority, Organisational Culture and Scope
  13. How should management act to best deal with emergency changes?
    1. Emergency changes cannot be made without advance testing
    2. All changes should still undergo review
    3. The change control process does not apply to emergency conditions
    4. Emergency changes are not allowed under any condition
  14. Which of the following is not an objective of a control?
    1. Reduce expected losses from irregularities
    2. Reduce the probability of an error occurring
    3. Reduce the amount of loss if an occurs
    4. Provide for all the failures and to ensure that business is protected fully from such failures
  15. IT audit is the process of collecting and evaluating evidence to determine
    1. Whether a computer system safeguards assets
    2. Whether maintains data integrity
    3. Whether allows organisational goals to be achieved effectively and uses resources efficiently
    4. All of the above
  16. The objectives of IT audit include
    1. Ensures asset safeguarding
    2. Ensures that the attributes of data or information are maintained
    3. Both (a) and (b)
    4. None of the above
  17. Which is not an attribute of data or information
    1. Compliance
    2. Integrity
    3. Confidentiality
    4. Technology
  18. Which among the following does not encompass organisational and management controls within the information processing facility (IPF)
    1. Sound human resource policies and management practices
    2. Methods to assess effective and efficient operations.
    3. The regulatory framework within which the business is carried out
    4. Separation of duties within the information processing environment
  19. The essential aspect to be understood about the organisation subject to IT audit is
    1. Organisation’s business and its strategic goals and objectives
    2. The number of operating units / locations and their geographic dispersion
    3. Major pending projects in progress
    4. All of the above
  20. While understanding the type of software used in the organisation the IT auditor has to
    1. See the policy decision on developing software in-house or to buy commercial products.
    2. Collect details of operating systems, application system and database management system
    3. Collect information relating to network architecture and technology to establish connectivity.
    4. All of the above
  21. The security goals of the organisation do not cover
    1. Confidentiality
    2. Probability and impact of occurrence
    3. Availability
    4. Integrity
  22. Find out the incorrect statement with reference to Risk assessment
    1. The detailed audit is needed where the risk assessment is low and the risk management is high
    2. An independent assessment is necessary whether threats have been countered / guarded against effectively and economically
    3. The assessment of the soundness of IT system will necessarily have to study the policies and process of risk management
    4. None of the above
  23. Consider the following statement and find out the correct one w.r.t. IT audit
    1. In inherent risk there is an assumption that there are related internal controls.
    2. In control risk errors will not be prevented or detected and corrected by the internal control system.
    3. The control risk associated with computerised data validation procedures is ordinarily high.
    4. None of the above
  24. What is the characteristic of ‘detective control’
    1. Minimise the impact of a threat
    2. Use controls that detect and report the occurrence of an error, omission or malicious act.
    3. Detect problems before they occur
    4. None of the above
  25. Which among the following is not characteristic of ‘preventive control’
    1. Monitor both operation and imports
    2. Prevent error, omission or malicious act from occurring
    3. Correct errors from occurring
    4. None of the above
  26. If IT access is not controlled or regulated through passwords, it indicates
    1. Poor security control
    2. High risk of the system getting hacked
    3. High risk of the system getting breached
    4. All of the above
  27. Basic risk areas which the external Govt. auditor may come across when reviewing internal audit’s work include
    1. Availability of sufficient resources, in terms of finance, staff and skills required
    2. Involvement of internal audit with IT system and under development
    3. Management not required to act on internal audit’s recommendations
    4. None of the above
  28. Which are the common audit objectives for an IT audit
    1. Review of the security of the IT system
    2. Evaluation of the performance of a system
    3. Examination of the system development process and the procedures followed at various stages involved
    4. All of the above.
  29. The type of audit evidence which the auditor should consider using in IT audit includes
    1. Observed process and existence of physical items
    2. Documentary audit evidence excluding electronic records
    3. Analysis excluding IT enabled analysis using
    4. None of the above

  1. Match the following w.r.t. interviews to be conducted with staff and the purpose of interviewing

| Kinds of staff / personnel | Purpose of interview |
| --- | --- |
| (A) System analysis of programmers | (A) To determine whether any application system to consume abnormal amounts of resources. |
| (B) Clerical / Data entry staff | (B) To determine their perceptions of how the system has affected the quality of working life |
| (C) Users of an application systems | (C) To determine how they correct input data. |
| (D) Operation staff | (D) To obtain a better understanding of the functions and controls embedded with the system. |

    1. A–B; B–A; C–D; D–C
    2. A–D; B–C; C–A; D–A
    3. A–C; B–D; C–A; D–B
    4. None of the above
  2. Which of the following types of questions need to be included in the questionnaire(s)
    1. Ambiguous questions
    2. Leading questions
    3. Presumptuous questions
    4. Specific questions
  3. Analytical procedures are useful in the following way in collecting audit evidence in IT audit
    1. Use comparisons and relationships to determine whether account balances appear reasonable
    2. To decide which accounts do not need further verification
    3. To decide which audit areas should be more thoroughly investigated
    4. All of the above
  4. What is the commonly used example of generalised audit software?
    1. CAAT
    2. IDEA
    3. COBIT
    4. None of the above
  5. A higher risk of system violation happens where
    1. The audit module is not operational
    2. The audit module has been disabled
    3. The audit module is not periodically reviewed
    4. All of the above
  6. Which among the following is not a compliance test as related to IT environment
    1. Determining whether passwords are changed periodically.
    2. Determining whether systems logs are reviewed
    3. Determining whether program changes are authorised.
    4. Reconciling account balances
  7. Substantive tests as they relate to the IT environment do not include
    1. Conducting system availability analysis
    2. Conducting system outage analysis
    3. Performing system storage media analysis
    4. Determining whether a disaster recovery plan was tested
  8. Find out the incorrect statement w.r.t. attribute sampling used by IT auditors
    1. Attribute sampling is used in substantive testing situations
    2. Attribute sampling deals with the presence or absence of the attribute
    3. It provides conclusions that are expressed in rates of incidence
    4. None of the above
  9. Variable sampling is used and deals with and provide
    1. Applied in substantive testing situations
    2. Deals with population characteristics that vary
    3. Provides conclusions related to deviations from the norm
    4. All of the above
  10. Which among the following is true as to Audit Reporting
    1. Normal reporting format is not adhered to in the case of IT Audit
    2. In IT audit, the base of the focus is the system
    3. In IT audit the audience for the report should normally be ignored
    4. None of the above
  11. The conclusions of the IT audit report do not include
    1. Sweeping conclusions regarding absence of controls and risks
    2. A mismatch between hardware procurement and software development in the absence of IT policy
    3. Haphazard development which cannot be ascribed to lack of IT policy
    4. All of the above
  12. Which among the following is not a limitation in IT Audit
    1. Data used not from production environment
    2. If there is only a production environment and audit could not test dummy data
    3. “Read only Access” given to audit
    4. None of the above
  13. With the help of what tools, IT auditor can plan for 100% substantive testing
    1. CAATs tools
    2. CMM (Software)
    3. COBIT
    4. None of the above
  14. The reason for management’s failure to use information properly is
    1. Failure to identify significant information
    2. Failure to interpret the meaning and value of the acquired information
    3. Failure to communicate information to the decision maker
    4. All of the above
  15. Find out the incorrect statement
    1. Distributed networks may decrease the risk of data inconsistencies
    2. Application software developed in-house may have lower inherent risk than vendor supplied software
    3. Peripheral access devices or system interfaces can increase inherent risk
    4. None of the above
  16. Categories of general control do not include
    1. Logical access controls
    2. Acquisition and program change controls
    3. Control over standing data and master files
    4. None of the above
  17. Application controls include
    1. IT operational controls
    2. Control over processing
    3. Physical controls
    4. None of the above
  18. What legal protection is available to prevent theft or illegal copying of software
    1. Computer misuse legislation
    2. Data protection and privacy legislation
    3. Copyright laws
    4. None of the above
  19. Match the following w.r.t. the following critical elements and their impact

| Critical element | Impact |
| --- | --- |
| (A) Poor reporting structures | (A) Cannot satisfactorily review the computer systems and associated controls |
| (B) Inappropriate or no IT planning | (B) Leads to security breaches, data loss fraud and errors |
| (C) Security policies not in place or not enforced | (C) Leads to business growth being constrained by a lack of IT resources |
| (D) Ineffective internal audit function | (D) Leads to inadequate decision making and affect the future as a going concern |

    1. A–D; B–A; C–B; D–C
    2. A–D; B–C; C–B; D–A
    3. A–B; B–A; C–D; D–C
    4. None of the above
  1. The risk areas associated with poorly controlled computer operations include
    1. Applications not run correctly
    2. Loss or corruption of financial applications
    3. Lack of backups and contingency planning
    4. All of the above
  2. In case of outsourcing IT activities the IT auditor should
    1. Review the policies and procedures which ensure the security of the financial data
    2. Obtain a copy of the contract to determine if adequate controls have been specified
    3. Ensure that audit needs are taken into account and included in the contracts
    4. All of the above
  3. While reviewing the network management and control the IT auditor is required to
    1. Review the security and controls in non-financial systems
    2. Review the security and controls in financial system
    3. Either (a) or (b) depending upon scope of audit and SAI’s mandate
    4. None of the above
  4. Which among the following is not true w.r.t. logical access controls
    1. Logical access control usually depends on the in-built security facilities
    2. The importance of logical access controls is increased where physical access control is more effective
    3. Logical access control exists at both an installation and application level
    4. None of the above
  5. Weak input control may increase the risk of
    1. Entry of an authorised data
    2. Incomplete data entry
    3. Entry of duplicate / redundant data
    4. All of the above
  6. Weak process controls would lead to:
    1. Unauthorised changes or amendments to the existing data
    2. Absence of audit trail, sometimes rendering the application unauditable
    3. Inaccurate processing of transactions leading to wrong outputs / results
    4. All of the above
