Master File


Question / Answer

1. Q. Self-service assistance to users provided by the help desk, such as resetting passwords, is considered which level of assistance? Ans. Level 0
2. Q. A MN org. has decided to implement an ERP solution across all geolocations. The org. shall initiate a- Ans. Program
3. Q. In which of the following models does the user need to know the URL to access the app? Ans. Web-based application development.
4. Q. Who is responsible for classification of data in a department? Ans. Data owner
5. Q. An expert system is an example of- Ans. Knowledge software.
6. Q. In which of the following interface testing approaches may a tester start at the top or bottom level and, depending on the situation, move downward or upward? Ans. Sandwich approach
7. Q. Which of the following tools is considered useful for comparing processing output with independently calculated data? Ans. Integrated Test Facility
8. Q. The practice of limiting permissions to the minimal level that will allow users to perform their jobs is known as- Ans. Least privileges
9. Q. Which of the following is an example of an external schema in a database management system? Ans. User views.
10. Q. A user account is terminated by the IT dept only when the request is approved and sent by the- Ans. HR dept
11. Q. Under which of the following categories of maintenance are changes made to the program(s) when a defect or error arises in the working of software? Ans. Corrective maintenance
12. Q. Batch total is an example of- Ans. Processing total
13. Q. Which of the following is one of the important operations performance metrics? Ans. Incident.
14. Q. Which of the following tests is done by the programmer? Ans. Unit test.
15. Q. Which of the following tests checks whether programs do what they are supposed to do? Ans. Functional test
16. Q. Which of the following tests is concerned with examining the internal processing logic of a software system? Ans. Structural test
17. Q. Users have more privileges than they need and may use them to perform actions outside of their job description. This is known as- Ans. Privilege creep
18. Q. Which of the following relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations? Ans. Integrity
19. Q. Completeness and accuracy of accumulated data is ensured by- Ans. Processing control procedures
20. Q. Which of the following relates to the provision of appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities? Ans. Reliability.
21. Q. Default settings are used by vendors to help users get the system up and running. What is the auditor's primary area of interest regarding default settings? Ans. Save time and money for the user
22. Q. Which of the following software development methodologies primarily focuses on risk avoidance? Ans. Spiral
23. Q. Which of the following is the list of OSI model layers from the top down? Ans. Application, Presentation, Session
24. Q. Performance, security and user interface are examples of which of the following types of testing? Ans. Non-functional
25. Q. Which of the following is the best definition of slack space on a hard disk? Ans. Unused space left over after disk formatting
26. Q. What is likely to be the biggest issue regarding log management? Ans. The system needs to be configured and then someone needs to read the logs and respond
27. Q. Which of the following parameters should not be considered for computing function points under function point analysis? Ans. Data elements to be processed
28. Q. Who amongst the following has the highest stake in benefit realization from the project? Ans. Project sponsor
29. Q. Which type of network device directs packets through the internet? Ans. Routers
30. Q. Which of the following types of testing is used to identify any errors and improvements in the software by observing the users through their usage and operation? Ans. Usability testing
31. Q. Which type of control is representative of exception reporting? Ans. Processing
32. Q. Which of the following is the role of the IS auditor in the SDLC? Ans. All of the above
33. Q. Which of the following methods is designed to permanently destroy data on a hard disk? Ans. Disk wiping
34. Q. The critical function of a firewall is to act as a- Ans. Service used to connect
35. Q. QA personnel are responsible for handling the- Ans. Integrity
36. Q. What is the purpose of the Address Resolution Protocol? Ans. Find the MAC address
37. Q. Performance of a third party should be compared to the agreed-upon service level metrics and- Ans. Reviewed by management
38. Q. What is the primary objective in primary escalation? Ans. Improved customer satisfaction
39. Q. Which of the following protocols is used for monitoring the health of a service? Ans. SNMP
40. Q. Which of the following is a major issue facing incident response? Ans. Scheduling of internal personnel
41. Q. Arrange the following in order of activities. Ans. Plan risk, identify risk, analyze risk, plan risk response
42. Q. Which of the following methods is used to make a backup copy of all the data files for a forensic investigation? Ans. Bitstream image backup
43. Q. In a bank, which one is the best software implementation strategy? Ans. Pilot
44. Q. Which data validation edit is effective in detecting data transposition and transcription errors? Ans. Check digit
45. Q. Which of the following DRP components provides the greatest assurance of recovery after a disaster? Ans. Alternate facility will be available
46. Q. Backed up on a periodic basis- Ans. Mitigation
47. Q. IT dept performs more than one role- Ans. Developer has access and can migrate data to PE
48. Q. Done first while preparing a DRP- Ans. BIA
49. Q. Most significant level of effort for BCP- Ans. Early stages of planning
50. Q. Viability of a duplicate information processing facility- Ans. The workload of the primary site is monitored to ensure adequate backup is available
51. Q. Benefit of call-back devices- Ans. Provide an audit trail
52. Q. A DRP for an organization should- Ans. Reduce recovery time and cost of recovery
53. Q. Most important element for successful implementation of IT governance- Ans. Identifying organizational strategies
54. Q. True regarding the steering committee- Ans. Focus on agenda of IT issues
55. A data administrator is responsible for defining data elements, data names and their relationships.
56. Q. Which of the following types of data validation editing checks is used to determine if a field contains data? Ans. Completeness check
57. Q. Which of the following must exist to ensure the viability of a duplicate information processing facility? Ans. The workload of the primary site is monitored to ensure adequate backup is available
58. Q. Identify the correct sequence of the Business Process Reengineering (BPR) benchmarking process from the given choices below. Ans. PLAN, RESEARCH, OBSERVE, ANALYZE, ADOPT and IMPROVE
59. Q. ITAF- Ans. General
60. Q. Select transactions or processes that need to be examined- Ans. CIS
61. Q. Audit risk- Ans. Inherent risk
62. Q. Responsible to ensure IT-enabled investment provides business value- Ans. Senior management
63. Q. Independent testing of client accounting procedures and controls that was originally done as part of the entity's accounting and internal control systems- Ans. Reperformance
64. Q. Software files are backed up on a periodic basis- Ans. Mitigation
65. Q. Which risk treatment option enables implementation of a control to reduce risk? Ans. Mitigate
66. Q. CERT-In in the IT Act 2000- Ans. 70B
67. Q. Which phase starts with damage assessment? Ans. Restoration
68. Q. Which of the following is a primary internal control? Ans. Control policy
69. Q. What would the IS auditor perform if he concludes that the control environment is poor? Ans. Substantive test
70. Q. Which SIA defines fraud and lays responsibility on management and TCWG to detect frauds? Ans. SIA 11
71. Q. Conditions that affect the risk profile of an organization- Ans. Risk factors
72. Q. First initiative in a systematic approach to implementing EGIT- Ans. Establish desire to change
73. Q. After entering user ID and password you get an error that the user ID or password is wrong- Ans. Preventive
74. Q. Sustain critical business processes during an unplanned interruption- Ans. BCP
75. Q. What would the IS auditor perform if he concludes that the control environment is poor? Ans. Substantive test
76. Q. Prioritization of IT resources is primarily based on- Ans. Expected benefit realization
77. Q. Primary reason for periodic review of risk- Ans. Risk factors
78. Q. Primarily responsible to support value creation by reducing the risk of IT to an acceptable level- Ans. IT risk management
79. Q. Which of the following may help to establish accuracy and completeness of data? Ans. Hash value
80. Q. Which of the following types of attacks may be prevented by input validation? Ans. SQL injection
81. Q. Which of the following is central storage for all kinds of structured, semi-structured or unstructured raw data collected from multiple sources? Ans. Data lake
82. Q. After a major earthquake a business decides to shift the location of its data center from earthquake zone 5 to earthquake zone 2. Which type of risk response option has it exercised? Ans. Avoid
83. Q. Which of the following is not an example of an AI platform? Ans. Microsoft Power BI
84. Q. Which of the following cloud deployment models is highly scalable? Ans. Public
85. Q. Use of licensed software, patch updates, disabling default users and using anti-malware software are the controls against- Ans. Back door
86. Q. Which of the following types of attacks may be prevented by using anti-malware and applications from a trusted source? Ans. Logic bomb
87. Q. AI that strives for natural, human-like interaction with machines is known as- Ans. Cognitive computing
88. Q. Which of the following provides a secure connection between two end points? Ans. Transport mode
89. Q. Which of the blockchain principles states that each node stores and forwards information to all other nodes? Ans. Peer to peer
90. Q. Which of the following types of smart card enables the card reader to sense the card in possession of a user in the general area and allow access? Ans. Wireless proximity reader
91. Q. Which of the following is a type of malware that takes control of administrative rights for execution of malicious code? Ans. Trojan
92. Q. Which of the following is an example of robotic process automation? Ans. Cross-application macros
93. Q. Which of the following is a series of minor attacks that together result in a larger attack? Ans. Salami theft
94. Q. Which of the following enables hackers to exploit system vulnerabilities, including the human element? Ans. Attack vector
95. Q. In which of the following cloud deployment models does the customer hold control of the operating system? Ans. IaaS
96. Q. Which of the following analytics assists in identifying the best option to choose to achieve the desired outcome through optimization techniques and machine learning? Ans. Prescriptive analytics
97. Q. Which of the following is the primary requirement for granting users access to an information asset? Ans. Identification
98. Q. The primary purpose of access controls such as a dead-man door, turnstile or mantrap is to- Ans. Prevent unauthorized entry
MODULE TEST 1

1. Sustain critical business processes during an unplanned interruption. Options: BCP / disaster recovery plan / incident response / business impact analysis
2. Which phase starts with damage assessment? Options: crisis / recovery / incident response / restoration
3. Which risk treatment option enables implementation of a control to reduce risk? Options: accept / transfer / mitigate / avoid
4. What would the IS auditor perform if he concludes that the control environment is poor? Options: internal control / compliance test / substantive test / cost-benefit analysis
5. Which of the following is a primary internal control? Options: fail safe / fail close / control policy / admin control
6. Prioritization of IT resources is primarily based on- Options: result of risk assessment / expected benefit realization / recommendation of CIO / rate of obsolescence of IT
7. Demands appropriate documented procedures to comply with requests of CERT-In regarding cyber security incidents. Options: 43A / 69D / 70B / 72A
8. MOST useful for business decision making and framing of future policy based on actual transactional data. Options: data warehouse / data mining / EIS / expert system
9. First initiative in a systematic approach to implementing EGIT. Options: establish desire to change / form effective implementation team / communicate desired vision / empower role players and identify quick wins
10. Which SIA defines fraud and lays responsibility on management and TCWG to detect frauds? Options: SIA 2 / SIA 7 / SIA 9 / SIA 11
11. Primarily responsible to support value creation by reducing the risk of IT to an acceptable level. Options: IT governance / IT risk management / business process owner / IT steering committee
12. As per ITAF, which is a standard under IS Audit and Assurance Standards? Options: General standard / Assurance standard / Control standard / Audit standard
13. Most useful tool when only select transactions/processes need to be analysed. Options: ITF / CIS / audit hook / snapshots
14. Responsible to ensure IT-enabled investment provides business value. Options: senior management / operational management / CIO / IT steering committee
15. Primary purpose is development of evidence for enforcement by judicial authorities. Options: forensic / specialized / IS / integrated
16. Independent testing of client accounting procedures and controls that was originally done as part of the entity's accounting and internal control systems. Options: recalculation / reperformance / analytical procedures / confirmation
17. After entering user ID and password you get an error that the user ID or password is wrong. Options: corrective / detective / preventive / deterrent
18. Primary reason for review of risk is a change in- Options: risk factors / risk appetite / budget / risk strategy
19. Conditions that affect the risk profile of an organization. Options: risk factors / residual risk / risk tolerance / current risk
20. Which is audit risk? Options: inherent risk / current risk / scoping risk / residual risk
The accuracy of the response to each question and time spent are correlated and interpreted in terms of expert advice on preparedness level.

Question wise details



Question Details

Q1. Which of the following is known Root Certifying Authority?

Status : Incorrect

Options :

1. Certifying Authority
2. Controller of Certifying Authority
3. Registering Authority
4. Chief Certifying Authority

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You have most probably committed a numerical or conceptual mistake or you would have guessed the answer.

Q2. Which of the following is the function of processor management?

Status : Incorrect

Options :

1. Provides mechanism for deadlock handling
2. Decides the processes that are to be loaded into memory when memory space becomes available
3. Keeps track of information, location, uses, status etc
4. Decides which process gets the device when and for how much time

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You have most probably committed a numerical or conceptual mistake or you would have guessed the answer.

Q3. Which of the following services is included in the core of the CBS?

Status : Incorrect

Options :

1. Internet Banking
2. RTGS
3. Data warehouse
4. Cheque Truncation System

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You have most probably committed a numerical or conceptual mistake or you would have guessed the answer.

Q4. In which of the following WAN message transmission technologies, once the route is established, do all packets follow the route, but it is a logical connection for a fixed duration?

Status : Incorrect

Options :
1. Circuit switching
2. Packet switching
3. Message Switching
4. Virtual Circuits

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You have most probably committed a numerical or conceptual mistake or you would have guessed the answer.

Q5. Which of the following rule relates to relational database model?

Status : Incorrect

Options :

1. All the entries in any column are of the same type or same domain
2. Ordering of rows and columns is significant.
3. Duplicate rows are allowed.
4. All data items stored in the columns are atomic in nature, that is, they can be split further without loss of information.

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You have most probably committed a numerical or conceptual mistake or you would have guessed the answer.

Q6. Which of the following is the Configuration Control aspect of Configuration Management System?

Status : Incorrect

Options :

1. Configuration, version of the items
2. Configuration of components of these Items
3. All Items are correctly identified
4. Ensures that latest approved version of items are used

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You have most probably committed a numerical or conceptual mistake or you would have guessed the answer.

Q7. Which of the following is the function of memory management?

Status : Incorrect

Options :

1. Provides mechanism for deadlock handling
2. Decides the processes that are to be loaded into memory when memory space becomes available
3. Keeps track of information, location, uses, status etc
4. Decides which process gets the device when and for how much time

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You have most probably committed a numerical or conceptual mistake or you would have guessed the answer.

Q8. Which of the following is most commonly used network topology in the local area network?

Status : Correct

Options :

1. Bus
2. Ring
3. Star
4. Mesh

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You are on the right preparation track on this topic.

Q9. Which of the following database language retrieves, inserts and deletes data of a relational database model?

Status : Incorrect

Options :

1. DDL (Data Definition Language)
2. DML (Data Manipulation Language)
3. TCL (Transmission Control Language)
4. DCL (Data Control Language)

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You have most probably committed a numerical or conceptual mistake or you would have guessed the answer.

Q10. SAP belongs to which of the following category?

Status : Correct

Options :
1. Application Suite
2. Enterprise Software
3. Enterprise Infrastructure Software
4. Information Worker Software

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You are on the right preparation track on this topic.

Q11. Which of the following statement refers to internal schema of relational database model?

Status : Incorrect

Options :

1. Contains the logical structure of the entire database
2. Individual users are given different views according to the user's requirement.
3. Represents all entities, their attributes and their relationships
4. Concerned with storage space allocation, Record descriptions, Records placement, Data Compression and Data Encryption Techniques

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 1 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You have most probably committed a numerical or conceptual mistake or you would have guessed the answer.

Q12. Which of the following statement is correct for public key cryptography (PKI)?

Status : Incorrect

Options :

1. It is also known as secret key cryptography
2. Identity of the owner of the digital certificate is bound with the public key
3. The key pair consists of one public and one private key that are mathematically unrelated
4. Private key of the digital certificate is known to the owner and the Certifying Authority

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You have most probably committed a numerical or conceptual mistake or you would have guessed the answer.

Q13. Which of the following IDS detection methodologies assumes that an intrusion can be detected by observing a deviation from the normal?

Status : Incorrect

Options :

1. Statistical Anomaly Based
2. Attack signature
3. Task-based
4. Signature-based

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You have most probably committed a numerical or conceptual mistake or you would have guessed the answer.

Q14. Which of the following firewall implementations contains two NICs: one connected to the external network, and the other connected to the internal network?

Status : Correct

Options :
1. Packet filtering routers
2. Single-homed firewalls
3. Dual-homed firewalls
4. Screened subnet firewalls (DMZ)

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You are on the right preparation track on this topic.

Q15. Which of the following statement is correct about the firewall?

Status : Incorrect

Options :
1. Firewalls can enforce password policy and prevent misuse of passwords.
2. Firewalls are effective against non-technical security risks
3. Firewalls cannot stop internal users from accessing websites with malicious code
4. A firewall can prevent users or attackers with modems from dialling-in or dialling-out of the internal network

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You have most probably committed a numerical or conceptual mistake or you would have guessed the answer.

Q16. The applications which are not a part of the Core Banking Solution have an interface built (through middleware) with CBS. Which of the following applications has seamless integration with CBS?

Status : Correct

Options :
1. Internet Banking
2. Automated Teller Machine (ATM)
3. MPLS
4. NPCI

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You are on the right preparation track on this topic.

Q17. Security software belongs to which of the following category?

Status : Incorrect

Options :

1. Application Suite
2. Enterprise Software
3. Enterprise Infrastructure Software
4. Information Worker Software

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You have most probably committed a numerical or conceptual mistake or you would have guessed the answer.

Q18. Which of the following operating system is used to run multiple tasks simultaneously by sharing the CPU time?

Status : Correct

Options :

1. Multi-tasking OS
2. Real time OS
3. Multi-processing OS
4. Multi-threading OS

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You are on the right preparation track on this topic.

Q19. Which of the following is the Configuration identification aspect of Configuration Management System?

Status : Incorrect

Options :

1. Configuration, version of the items
2. Version control
3. All Items are correctly identified
4. Ensures that latest approved version of items are used

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You have most probably committed a numerical or conceptual mistake or you would have guessed the answer.

Q20. Cryptography is a branch of which of the following?

Status : Correct

Options :

1. Cryptanalysis
2. Cryptology
3. Hash Function
4. Coding

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You are on the right preparation track on this topic.

Q21. Which of the following secondary storage media creates microscopic pits on the surface of a disc?

Status : Correct

Options :

1. HDD
2. Flash drive
3. VRAM
4. DVD

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You are on the right preparation track on this topic.

Q22. Which of the following decides about the route based on the latest routing information gathered from connected routers?

Status : Incorrect

Options :
1. Static router
2. Dynamic router
3. Packet filtering router
4. Gateway

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You have most probably committed a numerical or conceptual mistake or you would have guessed the answer.

Q23. Which of the following is the function of File management?

Status : Correct

Options :
1. Provides mechanism for deadlock handling
2. Decides the processes that are to be loaded into memory when memory space becomes available
3. Keeps track of information, location, uses, status etc
4. Decides which process gets the device when and for how much time

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You are on the right preparation track on this topic.

Q24. Which of the following set of techniques that permit the simultaneous transmission of multiple signals on a single carrier?

Status : Incorrect

Options :
1. Multiplexing
2. Switching
3. Routing
4. Tunnelling

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You have most probably committed a numerical or conceptual mistake or you would have guessed the answer.

Q25. Which of the following WAN switching technology known as store-and-forward switching?

Status : Incorrect

Options :

1. Circuit switching
2. Packet switching
3. Message Switching
4. Virtual Circuits

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You have most probably committed a numerical or conceptual mistake or you would have guessed the answer.

Q26. Which of the following network topology is having highest fault tolerance?

Status : Correct

Options :
1. Bus
2. Ring
3. Star
4. Mesh

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You are on the right preparation track on this topic.

Q27. Which of the following manages the Asymmetric Keys, and a means of certifying the authenticity of holder of the key?

Status : Correct

Options :

1. PKI
2. SSL
3. HTTPS
4. S/MIME

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You are on the right preparation track on this topic.

Q28. Which of the following performs stateful packet inspection, enables secure remote access to networks, prevents malicious
payloads and provides centralised reporting as its basic features?

Status : Incorrect

Options :
1. Stateful Inspection Firewall
2. Unified Threat Management (UTM)
3. Intrusion Prevention System (IPS)
4. Intrusion Detection System (IDS)

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You have most probably committed a numerical or conceptual mistake or you would have guessed the answer.

Q29. Which of the following is Public Key Cryptography (PKI)?

Status : Correct

Options :

1. Secret-key cryptography
2. Hash Function
3. Coding
4. Asymmetric key cryptography

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You are on the right preparation track on this topic.

Q30. Which of the following is a one-way encryption?

Status : Correct

Options :
1. Secret-key cryptography
2. Public key cryptography
3. Asymmetric key cryptography
4. Hash Function

Timespent (in sec): 0 Correct to Incorrect: 0 Incorrect to Correct: 0 Incorrect to Incorrect: 0 Correct to unanswered: 0 Incorrect to unanswered: 0
Comments: You are on the right preparation track on this topic.

Your Response Change Pattern: Module Test 2

The table below shows the number of times you changed your responses to the Module Test 2 questions and the nature of those response changes.

Correct to Incorrect:    0
Incorrect to Correct:    0
Incorrect to Incorrect:  1
Correct to Unanswered:   0
Incorrect to Unanswered: 0

Error Identification and Rectification: Module Test 2

1. An offsite information processing facility having electrical wiring, air conditioning and
flooring but no computer or communication equipment is a
Cold Site
2. Which of the following implementations is the most useful for business decision making and
framing of future policies based on actual transaction data?
Data Warehouse
3. Which of the following is the primary requirement in reporting the results of an IS audit? The
report should be
Backed by sufficient and appropriate audit evidence
4. Which of the following aims to sustain critical business processes during an unplanned
interruption period?
Business Continuity Plan
5. Which of the following helps to gain a clear understanding of the business process while
developing a business continuity plan?
Risk Assessment
6. Which of the following phases starts with a damage assessment?
Restoration Phase
7. As per IATF, which of the following is a standard under the IS Audit and Assurance Standards?
General Standard
8. When an individual in an IT department performs more than one role, which one of the
following poses the greatest risk?
Developers have access and can migrate data
9. Which of the following functions is primarily responsible for supporting value creation by
reducing the risk of IT to an acceptable level?
IT Governance
10. What is the name of the decentralized control method enabling someone to make a
decision based on her own options?
Discretionary
11. Which of the following is known as a condition that affects the risk profile of the organization?
Residual Risk
12. Which of the following statements is true concerning the steering committee?
Absence of a formal charter indicates lack of controls
13. What is the best way to ensure that an organization's policies comply with legal requirements?
Periodic review of the policies
14. Who is responsible for ensuring that IT-enabled investments provide business value?
Senior Management
15. Which of the following business process reengineering (BPR) risks are likely to occur during
the design phase?
Scope Risk, Skill Risk, Political Risk
16. Which of the following should be done first when preparing a disaster recovery plan?
Perform a business impact analysis
17. Prioritization of IT initiatives within an organization is primarily based on
Expected benefit realization
18. Which of the following is a benefit of using callback devices?
Provide an audit trail
19. Which of the following should be the first initiative when using a systematic approach for
implementing EGIT?
Establish desire to change
20. What is the correct sequence for the benchmarking process in BPR projects?
Plan, Research, Observe, Analyze, Adapt, Improve
CONCEPTS OF IS AUDIT

1.14 Questions
1 The primary purpose and existence of an audit charter is to:
A. Document the audit process used by the enterprise
B. Formally document the audit department’s plan of action
C. Document a code of professional conduct for the auditor
D. Describe the authority and responsibilities of the audit department

2 Which of the following control classifications identifies the cause of a problem and
minimizes the impact of a threat?
A. Administrative Controls
B. Detective Controls
C. Preventive Controls
D. Corrective Controls

3 To conduct a system audit, the IS auditor should
A. Be technically at par with client’s technical staff
B. Be able to understand the system that is being audited
C. Possess knowledge in the area of current technology
D. Only possess a knowledge of auditing.

4 Which of the following are most commonly used to mitigate risks discovered by
organizations?
A. Controls
B. Personnel
C. Resources
D. Threats

5 The rate of change in technology increases the importance of:
A. Outsourcing the IS function
B. Implementing and enforcing good processes
C. Hiring personnel willing to make a career within the organisation
D. Meeting user requirements

6 Which term means the rate at which the opinion of the IS Auditor would change if a
larger sample size were selected?
A. Audit Risk
B. Materiality
C. Risk Based Audit
D. Controls

7 Which of the following cannot be classified as Audit Risk?
A. Inherent Risk
B. Detection Risk
C. Controllable Risk
D. Administrative Risk

8 After you enter a purchase order in an on-line system, you get the message, “The
request could not be processed due to lack of funds in your budget”. This is an
example of error:
A. Detection
B. Correction
C. Prevention
D. Recovery
9 When developing a risk-based audit strategy, an IS auditor should conduct a risk
assessment to ensure that:
A. Controls needed to mitigate risks are in place.
B. Vulnerabilities and threats are identified.
C. Audit risks are considered.
D. Gap analysis is appropriate

10 Reviewing management's long-term strategic plans helps the IS auditor:
A. Gain an understanding of an organization's goals and objectives.
B. Test the enterprise's internal controls.
C. Assess the organization's reliance on information systems.
D. Determine the number of audit resources needed.
1.15 Answers and Explanations
1 An audit charter describes the authority and responsibilities of the audit department. These
are established by senior management. Correct answer is D.

2 The corrective controls classification identifies the cause of a problem and minimizes the
impact of a threat. The goal of these controls is to identify the root cause of an issue
whenever possible and eliminate the potential for it occurring again. The other
controls are useful but perform other functions instead. Correct answer is D.

3 To conduct an IS audit, the primary requirement for the IS Auditor is that he should be
able to understand the system and technology being audited. He is not required to be
an expert in all subjects. There is no comparison of his knowledge with that of the
auditee’s staff. He should have knowledge of auditing along with the technology in
the related subject of the audit. Correct answer is B.

4 Controls are most commonly used to mitigate risks discovered by organizations. This
is what organizations implement as a result of the risks an organization discovers.
Resources and personnel are often expended to implement controls. Correct answer
is A.

5 The rate of change of technology increases the importance of implementing and enforcing
good practices. Correct answer is B.

6 Audit risk means the rate at which the opinion of the IS Auditor would change if a
larger sample size were selected. Audit risk can be high, moderate or low depending on the sample
size selected by the IS Auditor. A risk-based audit approach is usually adopted to
develop and improve the continuous audit process. Materiality means the importance of
information to its users. It is entirely a matter of the professional judgment of the IS
Auditor to decide whether the information is material or immaterial. Correct answer is
A.

7 Inherent risk means the overall risk of management which arises from the entity’s
business operations as a whole. Controllable risk is the risk present in the internal
control system; the enterprise can control this risk completely and eliminate it from
the system. Detection risk is the risk that the IS Auditor is not able to detect
the inherent risk or the controllable risk. Correct answer is D.

8 To stop or prevent a wrong entry is a function of error prevention. All other options
work after an error. Prevention works before occurrence of error. Correct answer is C.

9 In developing a risk-based audit strategy, risks and vulnerabilities are to be
understood. This determines the areas to be audited and the extent of coverage.
Understanding whether appropriate controls required to mitigate risks are in place is
a resultant effect of an audit. Audit risks are inherent aspects of auditing, are directly
related to the audit process and are not relevant to the risk analysis of the environment
to be audited. Gap analysis would normally be done to compare the actual state to an
expected or desirable state. Correct answer is B.

10 Strategic planning sets corporate or departmental objectives into motion. It is time and
project-oriented, but must also address and help determine priorities to meet business
needs. Reviewing long-term strategic plans will not achieve the objectives stated in the other
choices. Correct answer is A.

CHAPTER 2 IS AUDIT IN PHASES

LODR – Listing Obligations & Disclosure Requirements of SEBI on Corporate Governance

As per the above regulation of SEBI, the role of the Audit Committee has sharpened, with specific
responsibilities including recommending the appointment of Auditors and monitoring their
independence and performance, approval of related party transactions, scrutiny of inter-corporate
loans and investments, valuation of undertakings/assets, etc. The Audit Committee is
contemplated as a major vehicle for ensuring controls, sound financial reporting and overall
good corporate governance.
Some of the reviews done by the Audit Committee are as follows:
- Internal audit reports relating to internal control weaknesses; and
- The appointment, removal and terms of remuneration of the Chief Internal Auditor shall
be subject to review by the Audit Committee.

2.12 Creation of Risk Control Matrix (RCM)

An IS Audit is performed using the risk-based approach. An IS Auditor charts a Risk and Control
Matrix and uses it for the audit engagement. The risk matrix details the risks that have
been identified in the Risk Assessment phase. A typical RCM would consist of the following:
- A series of spreadsheets, each marking a single process (Purchase Process), application
(Custom Business Application), area (Information Security, Logical Security, Physical
Security), etc.
- Each spreadsheet would generally contain the following columns –
o Risk No, Risk in depth
o Control Objective – This column would contain the control(s) that would ideally counter
the identified risk.
o Control Number
o Control Implemented – The control that is actually implemented by the enterprise to counter
the risk.
In addition to the above columns, the RCM may also be used as an Audit Notebook which
contains the details of the control owner, process owner, testing plans and results, audit
observations, evidence, risk ranking, recommendations, etc.
By using the RCM methodology, an IS Auditor is able to effectively identify and evaluate
the controls that are in place. In this way the adequacy of the controls is evaluated better and
the IS Auditor is able to provide better assurance with regard to the controls that
are in place and their sufficiency.
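The following is an added worked example, not part of the course material: it models the RCM columns described above (risk number, risk, control objective, control number, control implemented) together with the test-result column of the audit notebook, over a constructed purchase-process matrix, and derives what the text says the RCM is used for: which risks have no implemented control (a gap) and which implemented controls failed testing. Risk and control names are constructed for illustration.

```python
"""Risk and Control Matrix (RCM) evaluation over a constructed purchase-process matrix.
Example code written for this page; the row layout follows the column list in the text,
with test_result standing in for the audit-notebook 'testing results' field."""
from dataclasses import dataclass


@dataclass
class RcmRow:
    risk_no: str
    risk: str
    control_objective: str
    control_no: str
    control_implemented: str          # "" when the enterprise has no control in place
    test_result: str = "NOT TESTED"   # "EFFECTIVE", "INEFFECTIVE" or "NOT TESTED"


# Constructed sample matrix for a Purchase Process spreadsheet (illustrative only).
PURCHASE_RCM = [
    RcmRow("R1", "Purchases made without authorisation",
           "All purchase orders are approved by an authorised person",
           "C1", "PO approval workflow with maker/checker", "EFFECTIVE"),
    RcmRow("R2", "Same vendor invoice paid twice",
           "Each vendor invoice is paid once only",
           "C2", "Invoice-number uniqueness check in the AP module", "INEFFECTIVE"),
    RcmRow("R3", "Goods paid for but never received",
           "Payments are matched to goods receipt notes",
           "C3", "", "NOT TESTED"),
]


def control_gaps(rcm):
    """Risks for which the 'Control Implemented' column is empty: no mitigation exists."""
    return [r.risk_no for r in rcm if not r.control_implemented]


def ineffective_controls(rcm):
    """Implemented controls whose testing recorded them as not operating effectively."""
    return [r.control_no for r in rcm
            if r.control_implemented and r.test_result == "INEFFECTIVE"]


def assurance_summary(rcm):
    """Roll the matrix up into the figures an auditor would report on control sufficiency."""
    total = len(rcm)
    effective = sum(1 for r in rcm if r.test_result == "EFFECTIVE")
    return {
        "risks": total,
        "gaps": control_gaps(rcm),
        "ineffective": ineffective_controls(rcm),
        "effective_fraction": effective / total if total else 0.0,
    }


if __name__ == "__main__":
    for key, value in assurance_summary(PURCHASE_RCM).items():
        print(f"{key}: {value}")
```

A gap (R3) and a failed control (C2) are reported separately because they lead to different audit observations: the first is a design deficiency, the second an operating-effectiveness deficiency.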

As an IS auditor performing the IS audit, respond to the following:

1. What should an IS Auditor do FIRST when he observes that two users are constantly
trying to access some external sources?
A) Inform the management and expand the sample to get further evidences.
B) Issue an Audit Finding
C) Seek Explanations from Management
D) Ask for clarification from the Firewall Vendor
Correct Answer is A.

Explanation
A) IS Audit and Assurance Standards suggest that an IS Auditor should gather
sufficient and appropriate audit evidence on which his opinion is based. Here the
IS Auditor needs to determine whether this is an isolated incident or a systematic
failure. It would be a good practice to make management informed about the
incident.
B) Directly issuing an Audit Finding, without gathering sufficient and appropriate audit
evidence is not the proper practice as per the Standards.
C) Directly seeking explanations from management, without gathering sufficient and
appropriate audit evidence is not the proper practice as per the Standards.
D) Directly asking clarifications from Firewall Vendor without investigating the matter
further is not the proper practice on the part of IS Auditor. (Note: As per information
detailed in question, Vendor is not managing the firewall configuration files.
Rushing to Vendor means the auditor is overstepping the premise and is not in line
with auditor’s responsibilities).

2. An IS Auditor found one security loophole in the System. However, when the IT
Management got to know about it, immediately corrected it. The IS Auditor should:
A) Report the same in his Audit Report if the finding is material.
B) Don’t include in the Audit Report as the same is corrected.
C) Don’t include in the Audit Report but discuss the same in Exit Interview for
recommendation.
D) Don’t include in the Audit Report and send a letter of appreciation to IT
Management.
Correct Answer is A.
Explanation
A) As per the IS Audit and Assurance Standards, any finding, whether subsequently
corrected or not should be included in the IS Audit Report if it is material.
B) Not including the finding as it is corrected is not the proper treatment as per IS
Audit and Assurance Standards.
C) Not including the finding and discussing the same only at Exit Interview is not the
proper treatment as per IS Audit and Assurance Standards.
D) Not including the material audit finding is not the proper treatment as per IS Audit
and Assurance Standards. A Letter of appreciation has nothing to do with Auditor’s
Responsibilities of including material finding in IS Audit Report.

3. An IS Auditor rightly found one weakness in the Firewall implementation and he
recommended the name of a sister concern to address the weakness. The IS Auditor has
failed to maintain:
A) Professional Independence
B) Professional Competence
C) Organizational Independence
D) Personal Competence
Correct Answer is A.
Explanation
A) Professional Independence carries the highest weight in Assurance Services field.
If due to any action of the IS Auditor, his capacity to carry out audit independently
is hindered then the same amounts to failure to maintain Professional
Independence.
B) Professional Competence is nowhere failed as the diagnosis of the Auditor is
correct.
C) Organizational Independence has no role to play here, as in the given question only
one matter is involved, which relates to only one area of the organization.
D) Personal Competence has no role to play here.

2.27 Questions
1. Which of the following forms of evidence would be considered the most
reliable in assisting an IS Auditor to develop an audit conclusion?
A. A confirmation letter received from a third party for the verification of an account
balance.
B. Assurance via a control self-assessment received from the management that an
application is working as designed.
C. Trend data obtained from World Wide Web (Internet) sources.
D. Ratio analysis developed by an IS Auditor from reports supplied by line
Management

2. During a review of the controls over the process of defining IT service levels, an IS
auditor would most likely interview the:
A. Systems programmer
B. Legal staff
C. Business Unit Manager
D. Programmer

3. Which of the following procedures would an IS Auditor not perform during pre-audit
planning to gain an understanding of the overall environment under review?
A. Tour key organisation activities
B. Interview key members of management to understand business risks
C. Perform compliance tests to determine if regulatory requirements are met.
D. Review prior audit reports.

4. The first step IS Auditor should take when preparing the annual IS audit plan is to:
A. Meet with the audit committee members to discuss the IS audit plan for the
upcoming year.
B. Ensure that the IS audit staff is competent in areas that are likely to appear on the
plan and provide training as necessary.
C. Perform a risk ranking of the current and proposed application systems to prioritize
the IS audits to be conducted.
D. Begin with the prior year's IS audit plan and carry over any IS audits that had not
been accomplished.

5. The purpose of compliance tests is to provide reasonable assurance that:
A. Controls are working as prescribed.
B. Documentation is accurate and current.
C. The duties of users and data processing personnel are segregated.
D. Exposures are defined and quantified.

6. IS Auditors are most likely to perform tests of internal controls if, after their
evaluation of such controls, they conclude that:
A. A substantive approach to the audit is cost-effective
B. The control environment is poor.
C. Inherent risk is low.
D. Control risks are within the acceptable limits.

7. Which of the following is the least important factor in determining the need for an
IS Auditor to be involved in a new system development project?
A. The cost of the system
B. The value of the system to the organization.
C. The potential benefits of the system.
D. The number of lines of code to be written.

8. Each of the following is a general control concern EXCEPT:
A. Organization of the IS Department.
B. Documentation procedures within the IS Department.
C. Balancing of daily control totals.
D. Physical access controls and security measures

9. Which of the following types of audits requires the highest degree of data
processing expertise?
A. Systems software audits
B. General controls reviews
C. Microcomputer application audits
D. Mainframe application audits

10. A manufacturing company has implemented a new client/server enterprise
resource planning (ERP) system. Local branches transmit customer orders to a
central manufacturing facility. Which of the following controls would BEST ensure
that the orders are accurately entered and the corresponding products produced?
A. Verifying production to customer orders
B. Logging all customer orders in the ERP system
C. Using hash totals in the order transmitting process
D. Approving (production supervisor) orders prior to production

2.28 Answers and Explanations

1. Correct answer is: A. The IS Auditor requires documented evidence to be submitted
during audit procedures. Control self-assessment, though a good control, cannot
serve as evidence. Trend and ratio analysis can be used to justify a conclusion but
cannot be considered conclusive evidence, whereas a confirmation letter can.
2. Correct answer is: C. The business unit manager is the owner of that business unit and is
the right authority to provide the required information in this context. The first point of
interview should be the person related to the business, not the programmer or legal staff.
3. Correct answer is: C. During pre-audit planning there is no question of doing any
compliance test. Compliance testing starts during the audit itself. All other options are
part of the process of collecting information during the pre-audit phase.
Background Material on Information Systems Audit 3.0 Course (Module 1)
90
4. Correct answer is: C. IS audit services should be expended only if the risk warrants
it. Answers A, B and D occur after C has been completed. Answer "B" is NOT correct
because the IS Audit Manager does not know what areas are to appear on the IS audit
plan until a risk analysis is completed and discussions are held with the Audit Committee
members. Answer "A" is NOT correct because the IS Audit Manager would not meet with
the audit committee until a risk analysis of areas of exposure has been
completed. Answer "D" is NOT correct because a risk analysis would be the first step
before any IS audit services are expended.
5. Correct answer is: A. The compliance tests determine whether prescribed controls are
working as intended. Answer "B" is NOT the best choice. Current and accurate
documentation may be a good procedure but it is only one type of control procedure,
therefore, answer 'A' is a better choice as more control procedures are
evaluated. Answer "C" is NOT the best choice because segregation of duties is only one
type of control procedure; therefore, answer 'A' is a better choice as more control
procedures are evaluated. Answer "D" is NOT the correct choice. Exposures are defined
and quantified to determine audit scope. Compliance tests provide reasonable assurance
that controls are working as prescribed.
6. Correct answer is: B. The IS auditor will most probably perform tests of internal controls
when the control environment is poor. When inherent risk is low and control risks are within
acceptable limits, the likelihood of testing internal controls is reduced. Concluding on the cost-effectiveness
of a substantive approach is not the outcome of testing internal controls.
7. Correct answer is: D. The size of the system is the least important of the factors listed. All
other factors have specific financial implications and an IS Auditor can be used to help
mitigate the risk to the corporation with the development of a new system.
8. Correct answer is: C. Balancing of daily control totals relates to specific applications and
is not considered an overall general control concern. Answer "B" is NOT the correct
answer since documentation procedures within the IS Department are an important
general control concern. Answer "A" is NOT the correct answer since organization of the
IS Department is an important general control concern. Answer "D" is NOT the correct
answer since physical access controls and security measures are important general
control concerns.
9. Correct answer is: A. The IS Auditor needs specialized education in hardware and
operating system software. The audits at B, C and D can be performed by an IS auditor
with a basic level of data processing technical knowledge and usually require no special
training.
10. Correct answer is: A. Verification will ensure that production orders match customer
orders. Logging can be used to detect inaccuracies, but does not in itself guarantee
accurate processing. Hash totals will ensure accurate order transmission, but not
accurate processing centrally. Production supervisory approval is a time-consuming
manual process that does not guarantee proper control.

IS AUDIT TOOLS & TECHNIQUES

3.2 Computer Assisted Audit Techniques

CAATs are a significant tool for auditors to gather evidence independently. They provide the means to
gain access to and analyse data for predetermined audit objectives, and to report the audit findings
with evidence. They help the auditor to obtain evidence directly on the quality of records produced
and maintained in the system. The quality of the evidence collected gives reassurance on the
quality of the system processing such transactional evidence.

Purpose of CAATs
- CAATs give auditors the ability to maximize their efficiency and effectiveness in performing
an audit.
- They are considered an essential part of the auditor’s toolkit.
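The following is an added example, not code from the course material, showing the kind of tests a CAAT or generalised audit software runs over a transaction file: exception identification against a set criterion, duplicate detection, and a relationship test between two areas (payments against purchase orders). The payment ledger, vendor names, purchase order numbers and the cash limit are all constructed for illustration; the Rs 20,000 cash threshold is used only as a sample criterion.

```python
"""CAAT-style tests over a constructed payment ledger (example code written for this page).
Three tests: exceptional transactions on set criteria, duplicate transactions, and
relationship between two areas (payments vs. purchase orders on file)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    ref: str
    vendor: str
    invoice_no: str
    amount: float
    mode: str      # "CASH" or "BANK"
    po_no: str     # purchase order reference, "" if none recorded


# Constructed sample ledger; names and amounts are illustrative only.
PAYMENTS = [
    Payment("P001", "Acme Supplies", "INV-100", 12000.0, "BANK", "PO-1"),
    Payment("P002", "Acme Supplies", "INV-100", 12000.0, "BANK", "PO-1"),  # repeat of P001
    Payment("P003", "Beta Traders", "INV-207", 25000.0, "CASH", "PO-2"),   # cash above limit
    Payment("P004", "Beta Traders", "INV-208", 8000.0, "CASH", "PO-3"),
    Payment("P005", "Gamma Ltd", "INV-9", 15000.0, "BANK", ""),            # no PO on file
]
PURCHASE_ORDERS = {"PO-1", "PO-2", "PO-3"}   # constructed second area to relate against
CASH_LIMIT = 20000.0                          # sample criterion for exceptional transactions


def find_duplicates(payments):
    """Group on (vendor, invoice number, amount); any group with more than one
    payment is a candidate duplicate payment for the auditor to follow up."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p.vendor, p.invoice_no, p.amount)].append(p.ref)
    return {key: refs for key, refs in groups.items() if len(refs) > 1}


def find_exceptions(payments, cash_limit=CASH_LIMIT):
    """Set criterion: cash payments above the limit should not occur if controls work."""
    return [p.ref for p in payments if p.mode == "CASH" and p.amount > cash_limit]


def find_unmatched(payments, purchase_orders):
    """Relationship test: every payment should trace to a purchase order on file."""
    return [p.ref for p in payments if p.po_no not in purchase_orders]


def run_caat(payments=PAYMENTS, purchase_orders=PURCHASE_ORDERS):
    """Run all three tests and return the findings keyed by test name."""
    return {
        "duplicates": find_duplicates(payments),
        "cash_exceptions": find_exceptions(payments),
        "unmatched_po": find_unmatched(payments, purchase_orders),
    }


if __name__ == "__main__":
    for test, result in run_caat().items():
        print(f"{test}: {result}")
```

Each function returns references rather than a verdict: the CAAT surfaces candidates, and the auditor still examines the underlying records before treating any of them as a finding.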
3.5 Questions
1. What is one of the key tests which can be ideally carried out using Computer Assisted
Audit Tools (CAATs)?
A. Identification of exceptional transactions based upon set criteria
B. Projections on future trends for specific parameters
C. Carrying out employees’ reference checks
D. Carry out employee appraisals

2. Which of the following is the best process carried out using Computer Assisted Audit Tools (CAATs)?
A. Identify potential areas of fraud
B. Carry out employee appraisals of Information Systems Assurances Services
C. Projections on future trends for specific parameters
D. Carrying out employees’ reference checks

3. What can be ideally carried out using Computer Assisted Audit Tools (CAATs)?
A. Identify data which is inconsistent or erroneous
B. Carry out employee appraisals
C. Projections on future trends for specific parameters
D. Carrying out employees’ reference checks

4. What is one of the key tests which can be ideally carried out using Computer Assisted
Audit Tools (CAATs)?
A. Perform various types of statistical analysis
B. Carry out employee appraisals
C. Projections on future trends for specific parameters
D. Carrying out employees’ reference checks

5. What is one of the key tests which can be ideally carried out using Computer Assisted
Audit Tools (CAATs)?
A. Establishing whether the set controls are working as prescribed
B. Carry out employee appraisals
C. Projections on future trends for specific parameters
D. Estimation of competitor activity

6. What is one of the key tests which can be ideally carried out using Computer Assisted
Audit Tools (CAATs)?
A. Establishing relationship between two or more areas & identify duplicate
transactions
B. Carry out market surveys for a new product launch
C. Projections on future trends for specific parameters
D. Estimation of competitor activity

7. Which is one of the most effective tools and techniques to combat fraud?
A. Computer Assisted Audit Techniques (CAAT)
B. Threats of severe punishment
C. Validation by the I.T. dept. of the police
D. Use of authenticated hard copies

8. An IS Auditor, concerned that application controls are not adequate to prevent duplicate
payment of invoices, decided to review the data processing files for possible duplicate
payments. Which of the following techniques/tools would be useful to the IS Auditor?
A. An integrated test facility.
B. Statistical sampling.
C. Generalized audit software.
D. The Audit Review File.

9. Many automated tools are designed for testing and evaluating computer systems. Which
one of the following such tools impacts system performance by placing a greater load and
stress on the system?
A. Test data generators
B. Statistical software packages
C. Test drivers
D. Network traffic analyzers

10. The most appropriate type of CAAT tool the auditor should use to test the security
configuration settings of an organization's entire application system is:
A. Generalised Audit Software
B. Test Data
C. Utility Software
D. Expert System

3.6 Answers and Explanations

1 One of the many key tests that can be carried out by CAATs is identification of
exceptional transactions based upon set criteria. The IS auditor can set the criteria
based upon the sort of transactions which are not expected to occur on the basis of
the controls which presumably have been incorporated in the organization’s systems.
CAATs are more in the nature of audit tools & would not be ideal for the other purposes
listed in Options B to D above. Hence, answer at Option A alone is correct.

2 One of the many key tests that can be carried out by CAATs is identification of potential
areas of fraud. The IS auditor can set the criteria based upon the sort of transactions
which are not expected to occur on the basis of the controls which presumably have been
incorporated in the organization’s systems. CAATs are more in the nature of audit tools & would not
be ideal for the other purposes listed in Options B to D above. Correct answer is A.

3 One of the many key tests that can be carried out by CAATs is identification of data
which is inconsistent or erroneous. The IS auditor can set the criteria based upon the
sort of data which are not expected to occur on the basis of the controls which
presumably have been incorporated in the organization’s systems. CAATs are more
in the nature of audit tools & would not be ideal for the other purposes listed in Options
B to D above. Hence, answer at Option A alone is correct.

4 One of the many key tests that can be carried out by CAATs is the carrying out of
various types of statistical analysis which could throw up areas of inconsistencies,
defaults, etc. CAATs are more in the nature of audit tools & would not be ideal for the
other purposes listed in Options B to D above. Hence, answer at Option A alone is
correct.

5 One of the many key tests that can be carried out by CAATs is establishing whether
the set controls are working as intended. CAATs are more in the nature of audit tools
& would not be ideal for the other purposes listed in Options B to D above. Hence,
answer at Option A alone is correct.

6 One of the many key tests that can be carried out by CAATs is establishing relationship
between two or more areas & identify duplicate transactions. CAATs are more in the
nature of audit tools & would not be ideal for the other purposes listed in Options B to
D above. Hence, answer at Option A alone is correct.

7 CAAT is one of the tools useful for carrying out the detection of suspicious transactions
as a pre-emptive or post fraud activity. Hence, answer at Option A is correct.
8 Generalised audit software is mainly used to find duplicate data. Options A and D are
online application audit tools, and statistical sampling may not be able to find
duplicates. Correct answer is C.

9 Statistical software packages use all data resources impacting the processing time
and response time. Network traffic analyzers also use the system resources but not
putting stress on production data. Test data generator is not resource intensive and
test drivers are for specific use without impacting much resources. Correct answer is
B.

10 When testing the security of the entire application system including operating system,
database and application security, the auditor will most likely use a utility software that
assists in reviewing the configuration settings. In contrast, the Auditor may use GAS
to perform a substantive testing of data and configuration files of the application. Test
data are normally used to check the integrity of the data and expert systems are used
to inquire on specific topics. Hence correct answer is C.

APPLICATION CONTROLS REVIEW OF BUSINESS APPLICATIONS

4.9 Questions
1 Application controls include all of the following except
A. Application controls are a subset of internal controls.
B. The purpose is to collect timely, accurate and reliable information.
C. It is part of the IS Auditor’s responsibility to implement the same.
D. It is part of business application software.

2 As per the Income Tax Act, 1961 and banking norms, all fixed deposit holders of banks
need to submit their PAN or form 60/61 (a form as per the Income Tax Act/Rules). A bank,
in its account opening form, has not updated the need for form 60/61 in case the PAN is
not available. This represents which control lapse as per COBIT?
A. Source Data Preparation and Authorisation
B. Source Data Collection and Entry
C. Accuracy, Completeness and Authenticity Checks
D. Processing Integrity and Validity

3 In a public sector bank, while updating master data for advances given, the bank
employee does not update “INSURANCE DATA”. This includes details of the Insurance
Policy, Amount Insured, Expiry Date of Insurance and other related information. This
represents which control lapse as per COBIT?
A. Source Data Preparation and Authorisation
B. Source Data Collection and Entry
C. Accuracy, Completeness and Authenticity Checks
D. Processing Integrity and Validity

4 An IS Auditor observed that users are occasionally granted the authority to change
system data. The elevated system access is not consistent with company policy yet is
required for smooth functioning of business operations. Which of the following controls
would the IS Auditor most likely recommend for long term resolution?
A. Redesign the controls related to data authentication
B. Implement additional segregation of duties controls
C. Review policy to see if a formal exception process is required
D. Implement additional logging controls.

5 An IS Auditor processes a dummy transaction to check whether the system is allowing
cash payments in excess of Rs.20,000/-. This check by the auditor represents which of
the following evidence collection techniques?
A. Inquiry and confirmation
B. Re-calculation
C. Inspection
D. Re-performance

6 An IS Auditor is performing a post implementation review of an organisation’s system
and identified output errors within an accounting application. The IS Auditor
determined that this was caused by input errors. Which of the following controls should
the IS Auditor recommend to management?
A. Recalculations
B. Limit Checks
C. Run-to-run total
D. Reconciliation

7 RBI instructed banks to stop cash retraction in all ATMs across India from April 1,
2013. This was the result of a few ATM frauds detected. This action by RBI can be best
classified as:
A. Creation
B. Rectification
C. Repair
D. None of above

8 A central antivirus system determines whether each personal computer has the latest
signature files and installs the latest signature file before allowing a PC to connect to
the network. This is an example of a:
A. Directive control
B. Corrective Control
C. Compensating Control
D. Detective Control

9 Company’s billing system does not allow billing to those dealers who have not paid
advance amount against proforma invoice. This check is best called:
A. Limit Check
B. Dependency Check
C. Range Check
D. Duplicate Check

10 While posting a message on FACEBOOK, if the user posts the same message again,
FACEBOOK gives a warning. The warning indicates which control?
A. Limit Check
B. Dependency Check
C. Range Check
D. Duplicate Check

4.10 Answers and Explanations


1 C. It represents what the auditor verifies, not what he/she implements. The rest is part
of the definition and purpose of application controls.

2 A. is the correct answer as the source data capture is not proper. Ensure that source
documents are prepared by authorised and qualified personnel following established
procedures, taking into account adequate segregation of duties regarding the
origination and approval of these documents. Errors and omissions can be minimised
through good input form design.

3 C. This ensures that transactions are accurate, complete and valid. Validate data that
were input, and edit or send back for correction as close to the point of origination as
possible.

4 C. is the correct answer. Policy is not a static document. When an exception is a
regular requirement, the best control is to modify the policy accordingly.

5 D. is the correct answer. The IS Auditor may process test data on application controls
to see how it responds.

6 D is correct. For finding the anomaly between input and output, reconciliation is the
best option. Re-calculation and run-to-run total will provide the same result as earlier
and limit check is a data validation control.

7 B. is the right answer. A is not the answer, as the action by RBI is based on fraud detection.
Repair is done to rectify an error which has occurred in a working system.

8 B. is the correct answer. After detecting the deficiency, it is correcting the situation
hence it is a corrective control.

9 B. Dependency check is one where value of one field is related to that of another.

10 D. is the answer as this is a duplicate check.

APPLICATIONS CONTROLS REVIEW OF SPECIALISED SYSTEMS

Artificial Intelligence (AI)


A computer is an electromechanical machine that contains no live elements. However, it is
used for simulating human working in a given situation which involves thinking and reasoning,
solving complex problems, doing calculations, etc. Computer history shows that computers are
good at making calculations of repetitive nature speedily.
The applications of AI can be classified into three major categories:

1. Cognitive Science: This is an area based on research in disciplines such as biology,
neurology, psychology, mathematics and allied disciplines. It focuses on how the human
brain works and how humans think and learn. Applications of AI in the cognitive science
area are Expert Systems, Learning Systems, Neural Networks, Intelligent Agents and Fuzzy Logic.

2. Robotics: This technology refers to robot machines with artificial intelligence and humanlike
physical capabilities. This includes applications that give robots visual perception,
capabilities to feel by touch, dexterity and locomotion.
3. Natural Languages: Being able to 'converse' with computers in human languages is the
goal of research in this area. Interactive voice response and natural programming
languages, closer to human conversation, are some of the applications. Virtual reality is
another important application that can be classified under natural interfaces.

5.6 Questions
1 Which of the following business purposes can be met by implementing Data
warehouse in an organisation?
A. Business continuity can be ensured in case of disaster.
B. Data in the data warehouse can work as a backup
C. The data in the warehouse can be used for meeting regulatory requirements.
D. Business decisions can be taken and future policies can be framed based on
actual transactional data.

2 Which of the following is a characteristic of a decision support system (DSS)?
A. DSS is aimed at solving highly structured problem.
B. DSS combines the use of models with non-traditional data access and retrieval
functions.
C. DSS emphasizes flexibility in decision making approach of users.
D. DSS supports only structured decision-making tasks.

3 Which of the following audit tools is MOST useful to an IS auditor when an audit trail
is required?
A. Integrated test facility (ITF)
B. Continuous and intermittent simulation (CIS)
C. Audit hooks
D. Snapshots

4 A retail company recently installed data warehousing client software in multiple,
geographically diverse sites. Due to time zone differences between the sites, updates
to the warehouse are not synchronized. This will affect which of the following most?
A. Data availability
B. Data completeness
C. Data redundancy
D. Data accuracy

5 The cashier of a company has rights to create bank master in TALLY. This error is a
reflection of poor definition for which type of control:
A. User Controls
B. Application Control
C. Input Control
D. Output Control

6 An employee has left the company. The first thing to do is to:
A. Hire a replacement employee.
B. Disable his/her access rights.
C. Ask the employee to clear all dues/advances.
D. Escort employee out of company premises

7 As part of auditing Information Security of a multinational bank, an auditor wants to
assess the security of information in ATM facilities. Under which privacy policy should
he look for details pertaining to security guards and CCTV surveillance of ATMs?
A. Physical Access and Security Policy
B. Acceptable use of Information Assets Policy
C. Asset Management Policy
D. Business Continuity Management Policy

8 Neural Networks and Fuzzy Logics are classified under which category of Artificial
intelligence?
A. Cognitive Science
B. Robotics
C. Natural Sciences
D. Virtual Reality

9 In an inter school competition on Artificial Intelligence, four children develop software
which performs the following different functions respectively. Which of them is a
correct example of the use of basic Artificial Intelligence?
A. Predictive & self-learning word-processing software
B. A calculation software which arrives at the arithmetic total of figures keyed in
C. A password system which allows access based upon keying in of the correct
password
D. A software which rejects invalid dates like 32nd March 2019.

10 Which are the business activities which are strong contenders for conversion to
ecommerce?
A. Those that are paper-based, time consuming & inconvenient for customers
B. Those relating to software development
C. Those relating to the ‘electronic’ aspects of commerce
D. Those that are not paper-based, speedy & convenient for customers.

5.7 Answers and Explanations
1 Correct answer is D. The purpose of a data warehouse is to take business decisions and
frame future policies based on the analysis of transactional data. It cannot act as an
alternative to backup. The purpose of the data warehouse is neither business continuity
nor regulatory requirements.

2 Correct answer is B. It goes with the purpose and definition of decision support system.

3 Correct answer is D. Snapshot is the right answer as in this technique, IS auditor can
create evidence through IMAGE capturing. A snapshot tool is most useful when an
audit trail is required. ITF can be used to incorporate test transactions into a normal
production run of a system. CIS is useful when transactions meeting certain criteria
need to be examined. Audit hooks are useful when only select transactions or
processes need to be examined.

4 Correct answer is B. One of the major bottlenecks in a data warehouse is time
synchronisation, as data from different time zones is merged in the data warehouse. It
ultimately results in incomplete data for decision making purposes.

5 Correct answer is A. User controls are not properly defined. User controls need to be
defined on a NEED TO KNOW and NEED TO DO basis. The above is a reflection of a
greater problem of improper assessment of user profiles created in the system.

6 Correct answer is B. The first thing to do as soon as an employee leaves the company
is to disable his/her access rights in the system. This needs to be done to prevent frauds
being committed. Other answers may be valid but are not the first thing to do.

7 Correct answer is A. Physical security describes security measures that are designed
to restrict unauthorized access to facilities, equipment and resources, and to protect
personnel and property from damage or harm (such as espionage, theft, or terrorist
attacks). Physical security involves the use of multiple layers of interdependent
systems which include CCTV surveillance, security guards, biometric access, RFID
cards, access cards, protective barriers, locks, access control protocols, and many
other techniques. B is incorrect - An acceptable use policy (AUP), also known as an
Acceptable Usage policy or Fair Use policy, is a set of rules applied by the owner or
manager of a network, website or large computer system that restrict the ways in which
the network, website or system may be used. C is incorrect – This policy defines the
requirements for Information Asset’s protection. It includes assets like servers,
desktops, handhelds, software, network devices etc. Besides, it covers all assets used
by an organization, owned or leased. D is incorrect – This policy defines the
requirements to ensure continuity of business-critical operations. It is designed to
minimize the impact of an unforeseen event (or disaster) and to facilitate return of
business to normal levels.

8 Correct answer is A. Cognitive Science. This is an area based on research in
disciplines such as biology, neurology, psychology, mathematics and allied
disciplines. It focuses on how human brain works and how humans think and learn.
Applications of AI in the cognitive science are Expert Systems, Learning Systems,
Neural Networks, Intelligent Agents and Fuzzy Logic. B, C and D are incorrect. B.
Robotics: This technology produces robot machines with computer intelligence and
human-like physical capabilities. This area includes applications that give robots visual
perception, capabilities to feel by touch, dexterity and locomotion. C. Natural
Languages: Being able to 'converse' with computers in human languages is the goal
of research in this area. Interactive voice response and natural programming
languages, closer to human conversation, are some of the applications. D. Virtual
reality is another important application that can be classified under natural interfaces.

9 Correct answer is A. The word-processing software pops up suggested words based
upon the first few words keyed in by the user. Also, when the user keys in a new word
which is not available in its repertoire, it adds it to its collection & reflects it as an
option the next time similar letters are initiated. In effect, the software is able to
observe & record patterns and improves through ‘learning’. The other answers in
Options B to D involve the basic computing functions of a computer which are based
on a ‘go / no-go’ logic which does not involve pattern recognition or further learning.
Hence, the correct answer is only as in Option A which displays characteristics of
artificial intelligence.

10 Correct answer is A. Maximum mileage can be gained from e-commerce by converting
those business activities which are paper-based, time consuming & inconvenient for
customers as indicated in Option A. This will help us reduce paperwork, accelerate
delivery & make it convenient for customers to operate from the comfort of their homes
as also at any other place of their convenience. Hence, the other options are wrong.

CHAPTER 6: IT ENABLED ASSURANCE SERVICES


There is a wide variety of services that can be offered by the IS Auditors in every area of IT
implementation depending on their areas of technical expertise. IS Auditors can provide
assurance or consulting services at various stages of technology deployment right from
conception to post-implementation. Below is an illustrative sample problem statement with
proposed solutions and listing of service opportunities for IS Auditors.
6.5.1 Fraud Detection
Information technology has immensely benefited enterprises in terms of increased quality of
information delivery. However, widespread use of information technology and the Internet has led
to enhanced risks, resulting in the perpetration of errors and frauds. Fraud is any act meant to
deceive and to obtain an illegal and undue advantage. Detecting frauds in an IT environment poses
its own challenges since the data is in digital format and a fraudster can easily erase his tracks.
Let us look at the regulatory requirements regarding fraud as per Indian legislation.
1. Information Technology (Amendment) Act 2008: Casts responsibility on body
corporates to protect sensitive personal information by implementing reasonable security
practices and procedures. It also recognises and punishes offences committed by
companies and individuals through the misuse of IT.
2. LODR of SEBI: Makes the top management accountable for weaknesses in the internal
control systems. It requires CEOs and CFOs to certify on the effectiveness of the Internal
Controls.
3. CARO 2003: Requires verifying the adequacy of internal control procedures and
determining whether there were any continuing failures to correct major weaknesses in
internal controls. It also requires reporting whether any frauds on or by the company had
been noticed or reported during the year.

6.9 Questions
1 Which of the following factors should not be considered in establishing the
priority of audits included in an annual audit plan?
A. Prior audit findings
B. The time period since the last audit
C. Auditee procedural changes
D. Use of audit software

2 Which of the following is LEAST likely to be included in a review to assess the
risk of fraud in application systems?
A. Volume of transactions
B. Likelihood of error
C. Value of transactions
D. Extent of existing controls

3 An IS auditor discovers evidence of fraud perpetrated with a manager's user id.
The manager had written the password inside his/her desk drawer. The IS auditor
should conclude that the:
A. Manager’s assistant perpetrated the fraud.
B. Perpetrator cannot be established beyond doubt.
C. Fraud must have been perpetrated by the manager.
D. System administrator perpetrated the fraud.

4 Which of the following situations would increase the likelihood of fraud?
A. Application programmers are implementing changes to production programs.
B. Application programmers are implementing changes to test programs.
C. Operations support staff are implementing changes to batch schedules.
D. Database administrators are implementing changes to data structures.

5 Neural networks are effective in detecting fraud, because they can:
A. Discover new trends since they are inherently linear.
B. Solve problems where large and general sets of training data are not obtainable.
C. Attack problems that require consideration of a large number of input variables.
D. Make assumptions about the shape of any curve relating variables to the output

6 The FIRST step in managing the risk of a cyber-attack is to:
A. Assess the vulnerability impact.
B. Evaluate the likelihood of threats.
C. Identify critical information assets.
D. Estimate potential damage.

7 Which of the following refers to imaging of original media in presence of an
independent third party?
A. Identify
B. Preserve
C. Analyze
D. Present

8 As a measure of IT General controls, an organization decides to separate those
who can input data from those that can reconcile or approve data. Is this a good
move? Why?
A. Yes, it is a good move; it can help prevent unauthorised data entry.
B. No, it is not a good move; the person who inputs the data is the best person to
approve the data too.
C. Yes, it is a good move; inputting data & reconciling data requires different skills.
D. No, it is not a good move; data entry errors would be compounded.

9 A holistic approach to deterrence & prevention of fraud would be:
A. Strengthening of Governance and Management framework
B. Focussing on integrity of new recruits
C. Establishing severe punishment for fraud
D. Compensating employees adequately to minimize temptation

10 After an initial investigation, an IS auditor has reason to believe that there is a
possibility of fraud. The IS auditor has to:
A. Expand activities to determine whether an investigation is warranted.
B. Report the matter to the audit committee.
C. Report the possibility of fraud to top management and ask how they would like to
proceed.
D. Consult with external legal counsel to determine the course of action to be taken.

6.10 Answers and Explanations


1 D. Use of audit software merely refers to a technique that can be used in performing
an audit. It has no relevance to the development of the annual audit plan.

2 B. An error is the least likely element to contribute to the potential for fraud. Answers
A and C are incorrect since volume and value of transactions give an indication
of the maximum potential loss through fraud. Answer D is incorrect since gross
risk less existing controls gives net risk.

3 B. The password control weaknesses mean that any of the other three options
could be true. Password security would normally identify the perpetrator. In this
case, it does not establish guilt beyond doubt.

4 A. Production programs are used for processing an enterprise's data. It is
imperative that controls on changes to production programs are stringent. Lack
of controls in this area could result in application programs being modified to
manipulate the data. Application programmers are required to implement
changes to test programs. These are used only in development and do not
directly impact the live processing of data. The implementation of changes to
batch schedules by operations support staff will affect the scheduling of the
batches only; it does not impact the live data. Database administrators are
required to implement changes to database structures. This is required for
reorganization of the database to allow for additions, modifications or deletions
of fields or tables in the database.

5 C. Neural networks can be used to attack problems that require consideration of
numerous input variables. They are capable of capturing relationships and
patterns often missed by other statistical methods, and they will not discover
new trends. Neural networks are inherently nonlinear and make no assumption
about the shape of any curve relating variables to the output. Neural networks
will not work well at solving problems for which sufficiently large and general
sets of training data are not obtainable.

6 C. The first step in managing risk is the identification and classification of critical
information resources (assets). Once the assets have been identified, the
process moves onto the identification of threats, vulnerabilities and calculation
of potential damages.

7 B. Preserve refers to the practice of retrieving identified information and preserving it
as evidence. This practice generally includes the imaging of original media in the
presence of an independent third party.

8 A. Segregation of duties is an important control tool whereby, conflicting roles in
particular, are segregated and handled by different individuals. It reduces the
risk of fraud since one person cannot independently commit any fraud but would
need to collude with the second. Also, since the output of one individual may
become the input for another, an independent accuracy check of one person’s
work by another person becomes a built-in reality. Hence, the answer in Option
A is correct.

9 A. A holistic approach to deterrence and prevention of fraud would require
strengthening of governance and management framework. The answers in
options B to D address the issue in bits and pieces and, hence, are not the right
answers. Answer at Option A alone is correct.

10 A. An IS auditor’s responsibility for detecting fraud includes evaluating fraud
indicators and deciding whether any additional action is necessary or whether
an additional investigation should be recommended. The IS auditor should notify
the appropriate authorities within the organization only if it has determined that
the indicators of fraud are sufficient to recommend an investigation. Normally,
the IS auditor does not have authority to consult with external legal counsel.

RFP FROM BANK FOR IS AUDIT OF APPLICATION SOFTWARE


CHAPTER-1
Concepts of Governance and Management of
Information Systems
1. Who is responsible for establishing right structure of decision-making accountabilities?
A. Senior management
B. Operational management
C. Chief information officer
D. IT steering committee

2. The MOST important benefit of implementing Governance of Enterprise IT is:
A. Monitor and measure enterprise performance
B. Provide guidance to IT to achieve business objectives
C. Run the companies to meet shareholders’ interest
D. Ensure strategic alignment of IT with business

3. The primary objective of Corporate Governance is:
A. Reduce IT cost in line with enterprise objectives and performance.
B. Optimise implementation of IT Controls in line with business needs
C. Implement security policies and procedures using best practices.
D. Increase shareholder value by enhancing economic performance.

4. The ultimate objective of Governance of Enterprise IT is to ensure that IT activities in an
enterprise are directed and controlled to achieve business objectives for meeting the
needs of:
A. Shareholders
B. Stakeholders
C. Investors
D. Regulators

5. Which of the following is a key component of Corporate Governance?
A. Employee rights
B. Security policy
C. Transparency
D. Risk assessment

6. Effective Governance of Enterprise IT requires processes to ensure that:
A. risk is maintained at a level acceptable for IT management
B. the business strategy is derived from an IT strategy
C. IT governance is separate and distinct from the overall governance
D. the IT strategy extends the organization's strategies and objectives.

7. Business Governance helps the Board by enabling them to understand:
A. enterprise functions
B. risk assessment
C. key performance drivers
D. Key controls

8. The effectiveness of the IT governance structure and processes are directly dependent
upon level of involvement of
A. Heads of Business units
B. Internal auditor department
C. Technology management
D. Board/senior management

9. Which of the following is one of the key benefits of EGIT?
A. Identification of relevant laws, regulations and policies requiring compliance.
B. Improved transparency and understanding of IT’s contribution to business
C. Better utilization of human resources by using automation
D. Increased revenues and higher Return on investments.

10. Which of the following is the primary objective for implementing ERM?
A. Implement right level of controls.
B. Better availability of information.
C. Tighter security at lower cost.
D. Implement IT best practices.

1.8 Answers and Explanations


1. A. The senior management is responsible for ensuring right structure of decision-making
accountabilities. The operational management is responsible for ensuring that
operations of the enterprise are run as per enterprise policy. The chief information
officer is responsible for ensuring IT enabled investments provide business value and
the IT steering committee is responsible for steering IT enabled projects toward
successful completion of objectives.
2. D. The MOST important benefit of implementing Governance of Enterprise IT is that it
helps in ensuring strategic alignment of IT with business. Alignment of IT strategy in
tune with enterprise strategy ensures value delivery from IT enabled investments. The
monitoring and measuring of enterprise performance is one of the key processes of
EGIT. EGIT does not provide guidance to IT to achieve business objectives but
provides overall framework and setting for IT to achieve business objectives. Although
EGIT is often implemented from a regulatory perspective and enables enterprises to
meet corporate governance requirements, it does not directly focus on running the
enterprises based on shareholders’ interest. Shareholders are one of the key
stakeholders whose objectives are considered while formulating enterprise goals.
3. C. The primary objective of Corporate Governance is increasing shareholder value by
enhancing economic performance. Reducing IT cost in line with enterprise objectives
and performance is not an objective. Further, optimising implementation of IT Controls in
line with business needs has to be considered as part of EGIT and is not directly an
objective of corporate governance. Implementing security policies and procedures
using best practices is not the primary objective of corporate governance.
4. B. The ultimate objective of Enterprise Governance of Information Technology (EGIT) is to
ensure that IT activities in an enterprise are directed and controlled to achieve business
objectives for meeting the needs of the stakeholders. There are multiple stakeholders
and EGIT requires balancing the needs of these stakeholders. Shareholders, Investors
and Regulators are some of the stakeholders.
5. C. One of the key components of Corporate Governance is ensuring transparency. This
promotes effective governance through establishing, communication and monitoring of
performance. Employee rights are not the focus of corporate governance. Security
policy as prepared by the IT as applicable for the enterprise is approved by the board.
Corporate governance requirements do not provide any specific details of risk
assessment but only outline need for implementing risk management as appropriate for
the enterprise.
6. D. Effective IT governance requires that board and executive management extend
governance to IT and provide the leadership, organizational structures and processes
that ensure that the organization’s IT sustains and extends the organization’s strategies
and objectives, and that the strategy is aligned with business strategy. Risk acceptance
levels are set by senior management, not by IT management. The business strategy
drives the IT strategy, not the other way around. IT governance is not an isolated
discipline; it must become an integral part of the overall enterprise governance.
7. C. The primary objective of Business Governance is to ensure performance and hence the
focus by Board is to understand and implement key performance drivers. The other
options are related to operational areas which are dealt by management at their level as
required.
8. D. The Board/senior management play the most critical role in ensuring the effectiveness
of the IT governance structure and processes. Hence, the effectiveness of Governance
is directly dependent upon their level of involvement. The head of business units work
on implementing the directions of the board and are focussed on management. The
internal auditor department play an important role in evaluating how well IT governance
is implemented but their role is providing guidance. The technology management is
responsible for aligning IT strategy in line with the enterprise strategy and implementing
IT solutions which help meet enterprise objectives.
9. B. Implementing EGIT requires active collaboration between the board/senior management
in directing IT towards enterprise objectives and putting a governance framework in
place. Hence, the key benefit of EGIT is the improved transparency and understanding
of IT’s contribution to business which is reflected in the performance management
system. Although identification of relevant laws, regulations and policies requiring
compliance is important in implementing EGIT, this is not the primary benefit. Directly,
the focus of EGIT is neither on better utilization of human resources by using
automation or on increased revenues and higher return on investments although they
are considered as required.
10. A. The primary objective for implementing ERM is that it helps in deciding and implementing
the right level of controls. The other 3 options are indirect benefits of implementing ERM.

CHAPTER 2
GRC FRAMEWORKS AND RISK MANAGEMENT PRACTICES
1. The most important requirement for IT governance function to be effective is:
A. Monitoring
B. Evaluation
C. Directing
D. Managing

2. The MOST important benefit of implementing IT risk management process is that it
helps in:
A. optimizing internal control framework.
B. ensuring residual risk is at acceptable level.
C. prioritizing business functions for audit planning.
D. complying with regulatory requirements.

3. Which of the following is a major risk factor?
A. Existence of inflationary trends.
B. Vendor launches new software.
C. Board of directors elects new chairman.
D. Change in government post elections.

4. The level to which an enterprise can accept financial loss from a new initiative is:
A. Risk tolerance
B. Risk management
C. Risk appetite
D. Risk acceptance

5. Designing and implementing a control to reduce the likelihood and/or impact of risk
materializing is a:
A. Risk acceptance
B. Risk transfer
C. Risk treatment
D. Risk transfer

6. Which of the following is a valid risk statement?
A. Network service provider is unable to meet bandwidth.
B. Hacker attempts to launch attack on web site.
C. Application server crash due to power failure.
D. Delay in servicing customers due to network congestion.

7. Which of the following is primary reason for periodic review of risk? The changes in:
A. risk factors
B. risk appetite
C. budget
D. risk strategy

8. Which of the following is a strategic IT risk?
A. IS audit may not identify critical non-compliance.
B. Non-availability of networks impacting services to customers.
C. New application may not achieve expected benefits.
D. Defer replacement of obsolete hardware.

9. Which of the following is the most essential action after evaluation of inherent risks?
A. Evaluate implemented controls.
B. Update risk register.
C. Prepare heat map.
D. Prioritize evaluated risk.

2.12 Answers and Explanations


1. C. Directing is the most critical of the governance functions that can be performed by the
Board. Although governance has three critical functions (evaluate, direct and monitor),
evaluation and monitoring can only be performed against directions that have been given.

2. B. The primary function of the IT risk management process is to support value creation by
reducing the risk to an acceptable level. The other options are secondary benefits of IT
risk management.

3. D. Risk factors are conditions that affect the risk profile of the organization. A change in
government is a major risk factor as compared with the other options.

4. C. Risk appetite denotes the level of risk acceptable to management. Risk tolerance is the
time up to which an organization can afford to accept the risk. Risk management is a
process of risk mitigation, and risk acceptance is a decision of the management and is
considered a risk response.

5. C. Implementing control is a risk treatment.

6. D. Options A, B and C are threats and not risks.

7. A. Changes in risk factors are the primary reason for reviewing changes in risk levels for an
organization. The other options are secondary reasons.

8. D. Deferring replacement of obsolete hardware is a strategic decision and hence it is a
strategic IT risk. The others are operational IT risks.

9. A. Once risks are evaluated it is necessary to find out the current state of risk mitigation
(gaps in controls) by evaluating the existing controls. This helps in identifying gaps and
implementing controls so as to reduce the total exposure to within acceptable limits. The other
activities are required but not as essential as identifying gaps in controls.
CHAPTER 3

Key Components of A Governance System

1. Which of the following is the most important resource of the organization?
A. Policies and procedures
B. IT infrastructure and applications
C. Information and data
D. Culture, ethics and behaviour

2. Which of the following is the most important characteristic of policies?
A. Must be limited in number.
B. Requires framework to implement.
C. Reviewed periodically.
D. Non-intrusive and logical.

3. The primary function of a process is to:
A. Act on input and generate output.
B. Define activities to be performed.
C. Focus on achieving business goals.
D. Comply with adopted standards.

4. Effective organizational structure focuses on:
A. Defining designations.
B. Delegating responsibility.
C. Defining escalation path.
D. Deciding span of control.

5. Prioritization of IT initiatives within an organization is primarily based on:
A. Results of risk assessments
B. Expected benefit realization
C. Recommendations of CIO
D. Rate of obsolescence of IT

6. The primary objective of the IT steering committee is to:
A. Align IT initiatives with business
B. Approve and manage IT projects
C. Supervise IT and business operations
D. Decide IT strategy for organization

7. Which of the following is best control for building requisite skills and competencies
within organization?
A. Hiring only highly qualified people
B. Outsourcing the critical operations
C. Conducting skill enhancement training
D. Defining skill requirements in job description
3.10 Answers and Explanations
1. C. The entire EGIT implementation focuses on information and data. Policies are defined
based on the nature of information and data, culture and behaviour. IT infrastructure and
applications store, process and communicate information.

2. D. Policies are the vehicle to communicate the intent of management and hence must be clear
and easy to implement; that is what makes them effective. B and C are requirements for maintaining
policies, and A is a characteristic of principles.

3. A. The primary function of a process is to process received inputs and generate output to
achieve process goals. A process is a set of activities, but it is not its primary function to
define activities. Although processes are defined to achieve business goals, these are
broken down to arrive at process goals. Compliance with standards may need certain
processes, but the primary function is to process input.

4. B. The effectiveness of an organization structure depends on the right level of delegation of
responsibilities. Defining a designation is only the naming of a specific role, which is not directly
relevant. The other options depend upon the level of delegation.

5. B. Although the IT steering committee considers all inputs, the primary consideration is
expected benefits to the organization.

6. A. The primary objective of appointing an IT steering committee is to ensure that IT initiatives
are in line with business objectives. D is the objective of the IT strategy committee. B and C
are secondary objectives derived from A.

7. C. The best control for building requisite skills and competencies within organization is to
ensure skill enhancement training is provided.
CHAPTER 4
Performance Management Systems

1. Which of the following is best approach for monitoring the performance of IT resources?
A. Compare lag indicators against expected thresholds
B. Monitor lead indicators with industry best practices
C. Define thresholds for lag indicators based on long term plan
D. Lead indicators have corresponding lag indicator.

2. Performance monitoring using a balanced scorecard is most useful since it primarily
focuses on:
A. Management perspective
B. Product and services
C. Customer perspectives
D. Service delivery processes

3. Which of the following is considered as an example of a lead indicator?
A. Number of gaps with respect to industry standard.
B. Comparative market position of organization.
C. Percentage of growth achieved over three years.
D. Improvement in customer satisfaction survey.

4. The PRIMARY objective of baselining IT resource performance with business process
owners is to:
A. define and implement lead and lag indicators.
B. ensure resource planning is aligned with industry.
C. assess cost effectiveness of outsourcing contracts.
D. benchmark expected performance measurement.

5. Which of the following is the BEST measure to optimize performance of skilled IT human
resources?
A. Include personal development plan in job description.
B. Document personal expectations during exit interviews.
C. Implement ‘Bring Your Own Device (BYOD)’ policy.
D. Monitor performance measure against baseline.

6. IT resource optimization plan should primarily focus on:
A. Reducing cost of resources
B. Ensuring availability
C. Conducting training programs
D. Information security issues
7. The PRIMARY objective of implementing performance measurement metrics for
information assets is to:
A. decide appropriate controls to be implemented to protect IT assets.
B. compare performance of IT assets with industry best practices.
C. determine contribution of assets to achievement of process goals.
D. determine span of control during life cycle of IT assets.

8. Which of the following is the PRIMARY purpose of optimizing the use of IT resources
within an enterprise?
A. To increase likelihood of benefit realization.
B. To ensure readiness for future change.
C. To reduce cost of IT investments.
D. To address dependency on IT capabilities.

9. While monitoring the performance of IT resources the PRIMARY focus of senior
management is to ensure that:
A. IT sourcing strategies focus on using third party services.
B. IT resource replacements are approved as per IT strategic plan.
C. key goals and metrics for all IT resources are identified.
D. resources are allocated in accordance with expected performance.

10. An organization is considering deploying an application using cloud computing services provided
by a third party service provider. The MAIN advantage of this arrangement is that it will:
A. minimize risks associated with IT
B. help in optimizing resource utilization.
C. ensure availability of skilled resources.
D. reduce investment in IT infrastructure.

4.10 Answers and Explanations


1. B. Lead indicators are a proactive approach for ensuring that performance shall be as expected
and hence are defined using industry best practices. Lag indicators are useful only after the
fact (A). Thresholds based on a long term plan may not provide input on performance
during execution (C). Not all lead indicators have a corresponding lag indicator (D).

2. C. The balanced scorecard (BSC) focuses on the financial, customer, internal process and learning
perspectives.

3. A. Lead indicators are proactive in nature and help management in planning.
Identification of gaps with respect to an industry standard is the beginning of the process of
implementing best practices. The other indicators are results of past performance.

4. D. In order to plan resources, the performance of each resource must be determined and compared
with the business expectation from IT. This will help management in implementing
performance measures against expected performance. The other options use the baselines.

5. A. Motivation helps human resources in performing better. Career progression planning
included in the job description, along with performance norms, shall help in motivating
human resources.
6. B. A resource optimization plan primarily focuses on availability of the right resources at the right time.
The other requirements are secondary.
7. C. Resource performance is essential to measure the performance of business and IT
processes so as to monitor the level of contribution in achieving process goals and
hence business objectives. Performance measurement is performed to measure this
contribution.

8. A. IT resource optimization within an enterprise must primarily focus on increasing benefit
realization from IT so as to deliver value to business. B. Ensuring readiness for future
change is essential to meet the growing IT service delivery and is part of resource
optimization requirements, but not the primary purpose. C. Resource optimization may
or may not reduce IT costs; however it will help in increasing return on IT investment. D.
Business dependency on IT depends on capabilities of IT to deliver services to
business. Resource optimization is one of the processes to address this dependency,
not an objective.

9. D. Management must monitor the performance of IT resources to ensure that the expected
benefits from IT are being realized as per planned performance. This is done by
allocating IT resources in accordance to the planned performance of business process
cascaded down to IT resources supporting business processes.

10. B. Outsourcing shall help the organization in optimizing use of existing IT resources, which in
turn shall help in focusing on more critical business requirements and hence improving
benefit realization. However, outsourcing may or may not minimize risks associated with
IT, i.e. it may minimize risks associated with own investment but may introduce risks
associated with outsourcing. Although outsourcing helps in ensuring availability of skilled
resources, it is not the main advantage. Outsourcing may or may not reduce investment in
IT, i.e. it may reduce the need for acquisition of IT infrastructure, but there is a cost
associated with outsourcing and there is additional cost for SLA monitoring.
CHAPTER 5
Business Continuity Management
1. Which of the following is MOST important to have in a disaster recovery plan?
A. Backup of compiled object programs
B. Reciprocal processing agreement
C. Phone contact list
D. Supply of special forms

2. Which of the following BEST describes the difference between a DRP and a BCP? The
DRP:
A. works for natural disasters whereas BCP works for unplanned operating incidents
such as technical failures.
B. works for business process recovery and information systems whereas BCP
works only for information systems.
C. defines all needed actions to restore to normal operation after an unplanned
incident whereas BCP only deals with critical operations needed to continue
working after an unplanned incident.
D. is the awareness process for employees whereas BCP contains procedures to
recover the operation.

3. The MOST significant level of BCP program development effort is generally required
during the:
A. Early stages of planning.
B. Evaluation stage.
C. Maintenance stage.
D. Testing Stage.

4. An advantage of the use of hot sites as a backup alternative is:
A. The costs related with hot sites are low.
B. That hot sites can be used for a long amount of time.
C. That hot sites do not require that equipment and systems software be compatible
with the primary installation being backed up.
D. That hot sites can be made ready for operation within a short span of time.

5. All of the following are security and control concerns associated with disaster recovery
procedures EXCEPT:
A. Loss of audit trail.
B. Insufficient documentation of procedures.
C. Inability to restart under control.
D. Inability to resolve system deadlock.

6. As updates to an online order entry system are processed, the updates are recorded on
a transaction tape and a hard copy transaction log. At the end of the day, the order
entry files are backed up onto tape. During the backup procedure, the disk drive
malfunctions and the order entry files are lost. Which of the following are necessary to
restore these files?
A. The previous day's backup file and the current transaction tape
B. The previous day's transaction file and the current transaction tape
C. The current transaction tape and the current hardcopy transaction log
D. The current hardcopy transaction log and the previous day's transaction file

7. An IS auditor reviewing an organisation's information systems disaster recovery plan
should verify that it is:
A. Tested every 1 month.
B. Regularly reviewed and updated.
C. Approved by the chief executive officer
D. Approved by the top management

8. Which of the following offsite information processing facility conditions would cause an
IS auditor the GREATEST concern?
A. Company name is clearly visible on the facility.
B. The facility is located outside city limits from the originating city.
C. The facility does not have any windows.
D. The facility entrance is located in the back of the building rather than the front.

9. Which of the following methods of results analysis, during the testing of the business
continuity plan (BCP), provides the BEST assurance that the plan is workable?
A. Quantitatively measuring the results of the test
B. Measurement of accuracy
C. Elapsed time for completion of prescribed tasks
D. Evaluation of the observed test results

5.24 Answers and Explanations


1. A. Of the choices, a backup of compiled object programs is the most important in a
successful recovery. A reciprocal processing agreement is not as important, because
alternative equipment can be found after a disaster occurs. A phone contact list may aid
in the immediate aftermath, as would an accessible supply of special forms, but neither
is as important as having access to required programs.

2. C. The difference pertains to the scope of each plan. A disaster recovery plan recovers all
operations, whereas a business continuity plan retrieves business continuity (minimum
requirements to provide services to the customers or clients). Choices A, B and D are
incorrect because the type of plan (recovery or continuity) is independent from the sort
of disaster or process and it includes both awareness campaigns and procedures.

3. A. A company in the early stages of business continuity planning (BCP) will incur the most
significant level of program development effort, which will level out as the BCP program
moves into maintenance, testing and evaluation stages. It is during the planning stage
that an IS Auditor will play an important role in obtaining senior management's
commitment to resources and assignment of BCP responsibilities.

4. D. Hot sites can be made ready for operation normally within hours. However, the use of
hot sites is expensive, should not be considered as a long-term solution and does
require that equipment and systems software be compatible with the primary installation
being backed up.
5. D. The inability to resolve system deadlock is a control concern in the design of database
management systems, not disaster recovery procedures. All of the other choices are
control concerns associated with disaster recovery procedures.

6. A. The previous day's backup will be the most current historical backup of activity in the
system. The current day's transaction file will contain all of the day's activity. Therefore,
the combination of these two files will enable full recovery up to the point of interruption.

7. B. The plan must be reviewed at appropriate intervals, depending upon the nature of the
business and the rate of change of systems and personnel, otherwise it may quickly
become out of date and may no longer be effective (for example, hardware or software
changes in the live processing environment are not reflected in the plan). The plan must
be subjected to regular testing, but the period between tests will depend on nature of
the organisation and relative importance of IS. Three months or even annually may be
appropriate in different circumstances. Although the disaster recovery plan should
receive the approval of senior management, it need not be the CEO if another executive
officer is equally, or more appropriate. For a purely IS-related plan, the executive
responsible for technology may have approved the plan. The IS disaster recovery plan
will usually be a technical document and relevant to IS and communications staff only.

8. A. The offsite facility should not be easily identified from the outside. Signs identifying the
company and the contents of the facility should not be present. This is to prevent
intentional sabotage of the offsite facility should the destruction of the originating site be
from malicious attack. The offsite facility should not be subject to the same natural
disaster that affected the originating site. The offsite facility must also be secured and
controlled just as the originating site. This includes adequate physical access controls
such as locked doors, no windows and human surveillance.

9. A. Quantitatively measuring the results of the test involves a generic statement measuring
all the activities performed during BCP, which gives the best assurance of an effective
plan. Although choices B and C are also quantitative, they relate to specific areas or an
analysis of results from one viewpoint, namely the accuracy of the results and the elapsed time.
1. Which of the following should be done first when preparing a disaster recovery plan?
Ans. Perform a business impact analysis.
2. An offsite information processing facility having electrical wiring, air conditioning and flooring,
but no computer or communications equipment, is a:
Ans. Cold site.
3. Which of the following must exist to ensure the viability of a duplicate information processing
facility?
Ans. The workload of the primary site is monitored to ensure adequate backup is available.
4. During the course of an application software review, an IS auditor identified minor
weaknesses in a relevant database environment that is out of scope for the audit. The best
option is to:
Ans. Formally report the weaknesses as observed.
5. Which of the following phases starts with damage assessment?
Ans. Incident response phase.
6. Which of the following business process reengineering risks are likely to occur during the
design phase?
Ans. Scope risk, skill risk, political risk.
7. Which of the following sections of the IT Act 2000 demands an appropriate documented
procedure to comply with requests of CERT-In regarding cyber security incidents?
Ans. Sec. 70B
8. Which of the following is not considered a control failure?
9. Which of the following helps to gain a clear understanding of the business process while
developing a business continuity plan?
10. Which of the following audits has as its primary purpose the development of evidence for review by
law enforcement and judicial authorities?
Ans. Forensic audit.
11. What is the best way to ensure that organizational policies comply with the legal
requirements?
12. Which of the following disaster recovery/continuity plan components provides the greatest
assurance of recovery after a disaster?
Ans. The alternate facility will be available until the original information processing facility is
restored.
13. Who sets the priorities and objectives of the IT balanced scorecard?
Ans. Chief information officer (CIO)
14. Which of the following is the primary requirement in reporting the results of an IS audit? The
report should be:
15. Why is change control considered a governance issue?
16. Which of the following functions is primarily responsible to support value creation by reducing
the risk of IT to an acceptable level?
Ans. IT risk management
17. Which of the following is the primary reason for periodic review of risk? The change in:
Ans. Risk factors
18. Which of the following aims to sustain critical business processes during an unplanned
interruption period?
Ans. Business continuity plan
19. Which of the following risk treatment options enables implementation of a control to reduce the
level of risk?
Ans. Mitigate
20. Which of the following is a benefit of using callback devices?
Ans. Provide an audit trail
21. Which of the following data validation edits is effective in detecting transposition and
transcription errors?
Ans. Check digit
22. While reviewing the IT security policies, an IS auditor observed that some of the sub-policies were
not approved by management but employees strictly follow the policies. What should the IS
auditor do first?
23. Which of the following is the most useful for business decision making and framing policies
based on actual transactional data?
Ans. Executive information system
24. Which of the following statements is true concerning the steering committee?
Ans. The steering committee focuses the agenda on IT issues.
25. Which of the following audit tools is most useful to an IS auditor when only select
transactions or processes need to be examined?
Ans. Audit hooks
QUESTION / ANSWER
1. Q. Self service assistance to users provided by the help desk, such as resetting passwords
etc., is considered which level of assistance? Ans. Level 0
2. Q. In which of the following models does the user need to know the URL to access the
app? Ans. Web based application development.
3. Q. Who is responsible for classification of data in a department? Ans. Data owner
4. Q. An expert system is an example of: Ans. Knowledge Software.
5. Q. In which of the following interface testing approaches may a tester start at the top or
bottom level and, depending on the situation, move downward or upward? Ans. Sandwich Approach
6. Q. Which of the following tools is considered useful for comparing processing output with
independently calculated data? Ans. Integrated Test Facility
7. Q. The practice of limiting permissions to the minimal level that will allow users to perform
their jobs is known as: Ans. Least privileges
8. Q. Which of the following is an example of an external schema in a database management
system? Ans. User views.
9. Q. Batch total is an example of: Ans. Data entry control
10. Q. Which of the following is one of the important operations performance metrics? Ans. Incident.
11. Q. Which of the following tests is done by the programmer? Ans. Unit test.
12. Q. Which of the following tests checks whether programs do what they are supposed to do?
Ans. Functional test
13. Q. Which of the following tests is concerned with examining the internal processing logic of
a software system? Ans. Structural test
14. Q. Users have more privileges than they need and may use them to perform actions outside
of their job description. It is known as: Ans. Privilege creep
15. Q. Which of the following relates to the accuracy and completeness of information as well as
to its validity in accordance with business values and expectations? Ans. Integrity
16. Q. Which of the following relates to the provision of appropriate information for management
to operate the entity and exercise its fiduciary and governance responsibilities? Ans. Reliability.
17. Q. Default settings are used by vendors to help users get the system up and running. What is
the auditor's primary area of interest regarding default settings? Ans. Indicate well known
settings published by vendor
18. Q. Which of the following software development methodologies primarily focuses on risk
avoidance? Ans. Spiral
19. Q. Completeness and accuracy of data is assured by? Ans. Processing Control Procedures
20. Q. Which of the following is the list of OSI Model levels from the top down? Ans. Application,
Presentation, Session
21. Q. Performance, security and user interface are examples of which of the following types of
testing? Ans. Non Functional
22. Q. What is likely to be the biggest issue regarding log management? Ans. System needs to be
configured and then someone needs to read the logs and respond
23. Q. Which of the following parameters should not be considered for computing function points
under function point analysis? Ans. Number of source lines of code
24. Q. Who amongst the following has the highest stake in benefit realization from the project?
Ans. Project Sponsor
25. Q. Which type of network device directs packets through the internet? Ans. Routers
26. Q. Which of the following types of testing is used to identify errors and improvements in the
software by observing the users through their usage and operation? Ans. Usability Testing
27. Q. A user account is terminated by the IT Department only when the request is approved and
sent by the _____. Ans. Human Resource Department
28. Q. Which type of control is representative of exception reporting? Ans. Processing
29. Q. Which of the following is the role of the IS Auditor in the SDLC? Ans. All of the above
30. Q. Which of the following methods is designed to permanently destroy data on a hard disk?
Ans. Disk Wiping / Risk Wiping
31. Q. A multinational organisation has decided to implement an ERP solution across all
geographical locations. The organisation shall initiate a: Ans. Program
32. Q. Tools not used by project managers to control the projects: Ans. Software Size Estimation
33. Q. Arrange the following in the order of activities. Ans. Plan Risk, Identify Risk, Analysis Risk,
Plan Risk Response
34. Q. Which of the following protocols is likely to be used for monitoring the health of a network?
Ans. SNMP
35. Q. Why is ongoing system monitoring important? Ans. To find inconsistencies and errors
36. Q. In which of the following categories of maintenance are changes made to the program(s)
when a defect or error arises in the working of software? Ans. Corrective maintenance
37. Q. Which of the following is the best definition of slack space on a hard disk? Ans. Unused
space left over after disk formatting
38. Q. Which of the following is not a function of the operating system? Ans. Detection of system
penetration
39. Q. Which among the following is the function of quality assurance personnel? Ans. Responsible
to handle the integrity and security of information stored in database
40. Q. A critical function of a firewall is to act as a: Ans. Device for preventing authorized users
from accessing the LAN
41. Q. Arrange the following in the order of activities. Ans. Plan risk, identify risk, analyse risk,
plan risk response
42. Q. What is the security issue regarding packet analysers? Ans. Viewing passwords
43. Q. What is the purpose of address resolution protocol? Ans. Find the MAC address
44. Q. What is the primary objective in problem escalation? Ans. Ensure the correct response
45. Q. In case of an organisation like a bank, which of the following would be the most appropriate
software implementation strategy? Ans. Pilot changeover
46. Q. Which of the following is not an input authorisation control? Ans. Management review
47. Q. _____ is a process of updating an existing system by reusing design and program
components. Ans. Software re-engineering
48. Q. Which of the following methods is used to make a backup copy of all the data files for a
forensic investigation? Ans. Bitstream image backup
49. Q. Which of the following is a major issue facing incident response? Ans. Possibility of the
location being a technology crime scene
50. Q. When separation of duties is not possible, what would be the terminology for forcing
employees to take vacation, job rotation, reconciliation and supervision review? Ans. Compensating
control
51. Q. Performance of a third party should be compared to agreed upon service level metrics and
must be reviewed by: Ans. The management
52. Q. An IS auditor is auditing controls related to an employee termination. Which of the following
is the most important aspect to be reviewed? Ans. All login accounts of the employee are terminated
QUESTION / ANSWER
1. Which of the following may help to establish accuracy and completeness of data? Ans. Hash Value
2. Which of the following types of attacks may be prevented by input validation? Ans. SQL injection
3. Which of the following is central storage for all kinds of structured, semi-structured or
unstructured raw data collected from multiple sources? Ans. Data Lake
4. After a major earthquake a business decides to shift the location of its data center from
earthquake zone 5 to earthquake zone 2. Which type of risk response option has it exercised? Ans. Avoid
5. Which of the following is not an example of an AI platform? Ans. Microsoft power b
6. Which of the following cloud deployment models is highly scalable? Ans. Public
7. Use of licensed software, patch updates, disabling default users and using anti-malware
software are controls against? Ans. Back Door
8. Which of the following types of attacks may be prevented by using anti-malware and
applications from trusted sources? Ans. Logic bomb
9. AI that strives for natural, human-like interaction with machines is known as? Ans. Cognitive computin
10. Which of the following provides a secure connection between two end points? Ans. Transport mode
11. Which of the blockchain principles states that each node stores and forwards information to
all other nodes? Ans. Peer to Peer
12. Which of the following types of smart card enables the card reader to sense the card in
possession of a user in the general area and allow access? Ans. Wireless proximity
13. Which of the following is a type of malware that takes control of administrative rights for
execution of malicious code? Ans. Trojan
14. Which of the following is an example of robotic process automation? Ans. Cross application m
15. Which of the following is a series of minor attacks that together result in a larger attack? Ans. salami theft
16. Which of the following enables hackers to exploit system vulnerabilities, including the human
element? Ans. Attack vector
17. In which of the following cloud deployment models does the customer hold control of the operating
system? Ans. Iaas
18. Which of the following analytics assists in identifying the best option to choose to achieve
the desired outcome through optimization techniques and machine learning? Ans. prescriptive analyt
19. Which of the following is the primary requirement for granting users access to an information asset? Ans. Identification
20. The primary purpose of access controls such as dead man door, turnstile and mantrap is to? Ans. prevent unauthoriz
