1 The primary purpose and existence of an audit charter is to:
A. Describe the authority and responsibilities of the audit department
2 Which of the following control classifications identify the cause of a
problem and minimize the impact of threat?
A. Corrective Controls
3 To conduct a system audit, the IS auditor should
A. Be able to understand the system that is being audited
4 Which of the following are most commonly used to mitigate risks
discovered by organizations?
A. Controls
5 The rate of change in technology increases the importance of:
A. Implementing and enforcing good processes
6 What means the rate at which opinion of the IS Auditor would change if he
selects a larger sample size?
A. Audit Risk
7 Which of the following cannot be classified as Audit Risk?
A. Administrative Risk
8 After you enter a purchase order in an on-line system, you get the
message, “The request could not be processed due to lack of funds in your
budget”. This is an example of error?
A. Prevention
9 When developing a risk-based audit strategy, an IS auditor should conduct
a risk assessment to ensure that:
A. Vulnerabilities and threats are identified.
10 Reviewing management's long-term strategic plans helps the IS auditor:
A. Tests the enterprise's internal controls.
1. Which of the following forms of evidence would be considered to be the
most reliable when assisting an IS Auditor to develop an audit conclusion?
A. A confirmation letter received from a third party for the
verification of an account balance.
2. During a review of the controls over the process of defining IT service levels,
an IS auditor would most likely interview the:
A. Business Unit Manager
3. Which of the following procedures would an IS Auditor not perform during
pre-audit planning to gain an understanding of the overall environment under
review?
A. Perform compliance tests to determine if regulatory
requirements are met.
4. The first step an IS Auditor should take when preparing the annual IS audit plan
is to:
A. Perform a risk ranking of the current and proposed
application systems to prioritize the IS audits to be
conducted.
5. The purpose of compliance tests is to provide reasonable assurance that:
A. Controls are working as prescribed.
6. IS Auditors are most likely to perform tests of internal controls if,
after their evaluation of such controls, they conclude that:
A. The control environment is poor.
7. Which of the following is the least important factor in determining the
need for an IS Auditor to be involved in a new system development
project?
A. The number of lines of code to be written.
8. Each of the following is a general control concern EXCEPT:
A. Balancing of daily control totals.
9. Which of the following types of audits requires the highest degree of data
processing expertise?
A. Systems software audits
10. A manufacturing company has implemented a new client/server
enterprise resource planning (ERP) system. Local branches transmit
customer orders to a central manufacturing facility. Which of the following
controls would BEST ensure that the orders are accurately entered and the
corresponding products produced?
A. Verifying production to customer orders
1. What is one of the key tests which can be ideally carried out using
Computer Assisted Audit Tools (CAATs)?
A. Identification of exceptional transactions based upon set criteria
2. Find out the best process carried out using Computer Assisted Audit
Tools (CAATs)?
A. Identify potential areas of fraud
3. What can be ideally carried out using Computer Assisted Audit Tools
(CAATs)?
A. Identify data which is inconsistent or erroneous
4. What is one of the key tests which can be ideally carried out using
Computer Assisted Audit Tools (CAATs)?
A. Perform various types of statistical analysis
5. What is one of the key tests which can be ideally carried out using
Computer Assisted Audit Tools (CAATs)?
A. Establishing whether the set controls are working as prescribed
6. What is one of the key tests which can be ideally carried out using
Computer Assisted Audit Tools (CAATs)?
A. Establishing relationship between two or more areas &
identify duplicate transactions
7. Which is one of the most effective tools and techniques to combat fraud?
A. Computer Assisted Audit Techniques (CAAT)
8. An IS Auditor, concerned that application controls are not adequate to
prevent duplicate payment of invoices, decided to review the data
processing files for possible duplicate payments. Which of the following
techniques/tools would be useful to the IS Auditor?
A. Generalized audit software.
9. Many automated tools are designed for testing and evaluating computer
systems. Which one of the following such tools impacts the system's
performance with a greater load and stress on the system?
A. Statistical software packages
10. The most appropriate type of CAAT tool the auditor should use to
test security configuration settings for the entire application systems of
any organization is:
A. Utility Software
1 Application controls shall include all except
It is part of the IS Auditor’s responsibility to implement the same.
2 As per Income Tax Act, 1961 and banking norms, all fixed deposit
holders of banks need to submit their PAN or form 60/61(a form as
per Income Tax Act/Rules). A bank in its account opening form, has
not updated the need for form 60/61 in case PAN is not there. This
defines which control lapse as per COBIT.
Accuracy, Completeness and Authenticity Checks
3 In a public sector bank while updating master data for advances
given, the bank employee does not update “INSURANCE DATA”. This
includes details of Insurance Policy, Amount Insured, Expiry Date of
Insurance and other related information. This defines which control
lapse as per COBIT.
A. Accuracy, Completeness and Authenticity Checks
4 An IS Auditor observed that users are occasionally granted the
authority to change system data. The elevated system access is not
consistent with company policy yet is required for smooth functioning
of business operations. Which of the following controls would the IS
Auditor most likely recommend for long term resolution?
A. Review policy to see if a formal exception process is required
5 An IS Auditor, processes a dummy transaction to check whether the
system is allowing cash payments in excess of Rs.20,000/-. This
check by the auditor represents which of the following evidence collection
techniques?
Re-performance
6 An IS Auditor is performing a post implementation review of an
organisation’s system and identified output errors within an
accounting application. The IS Auditor determined that this was
caused by input errors. Which of the following controls should the IS
Auditor recommend to management?
A. Reconciliation
7 RBI instructed banks to stop cash retraction in all ATMs across
India from April 1, 2013. This was the result of a few ATM frauds
detected. This action by RBI can be best classified as:
A. Rectification
8 A central antivirus system determines whether each personal
computer has the latest signature files and installs the latest
signature file before allowing a PC to connect to the network. This
is an example of a:
A. Corrective Control
9 Company’s billing system does not allow billing to those dealers who
have not paid advance amount against proforma invoice. This
check is best called as:
Dependency Check
10 While posting message on FACEBOOK, if user posts the same
message again, FACEBOOK gives a warning. The warning indicates
which control.
Duplicate Check
1 Which of the following business purposes can be met by
implementing Data warehouse in an organisation?
Business decisions can be taken and future policies can be
framed based on actual transactional data.
2 Which of the following is a characteristic of a decision support system
(DSS)?
DSS combines the use of models with non-traditional data
access and retrieval functions.
3 Which of the following audit tools is MOST useful to an IS auditor
when an audit trail is required?
Snapshots
4 A retail company recently installed data warehousing client
software in multiple, geographically diverse sites. Due to time zone
differences between the sites, updates to the warehouse are not
synchronized. This will affect which of the following most?
Data completeness
5 The cashier of a company has rights to create bank master in TALLY.
This error is a reflection of poor definition for which type of
control:
User Controls
6 An employee has left the company. The first thing to do is to:
Disable his/her access rights.
7 As part of auditing Information Security of a multinational bank, an
auditor wants to assess the security of information in ATM facilities.
Under which privacy policy should he look for details pertaining to
security guards and CCTV surveillance of ATMs?
Physical Access and Security Policy
8 Neural Networks and Fuzzy Logics are classified under which category
of Artificial intelligence?
Cognitive Science
9 In an inter school competition on Artificial Intelligence, four children
develop software which performs the following different functions
respectively. Which of them is a correct example of the use of
basic Artificial Intelligence?
Predictive & self-learning word-processing software
10 Which are the business activities which are strong contenders for
conversion to e-commerce?
Those that are paper-based, time consuming & inconvenient for
customers
1 Which of the following factors should not be considered in establishing
the priority of audits included in an annual audit plan?
Use of audit software
2 Which of the following is LEAST likely to be included in a review to
assess the risk of fraud in application systems?
Likelihood of error
3 An IS auditor discovers evidence of fraud perpetrated with a
manager's user id. The manager had written the password, inside
his/her desk drawer. The IS auditor should conclude that the:
Perpetrator cannot be established beyond doubt.
4 Which of the following situations would increase the likelihood of fraud?
Application programmers are implementing changes to production
programs.
5 Neural networks are effective in detecting fraud, because they can:
Attack problems that require consideration of a large number of
input variables.
6 The FIRST step in managing the risk of a cyber-attack is to:
Identify critical information assets.
7 Which of the following refers to imaging of original media in
presence of an independent third party?
Preserve
8 As a measure of IT General controls, an organization decides to
separate those who can input data from those that can reconcile or
approve data. Is this a good move? Why?
Yes, it is a good move; it can help prevent unauthorised data entry.
9 A holistic approach to deterrence & prevention of fraud would be:
Strengthening of Governance and Management framework
10 After initial investigation, the IS auditor has reasons to believe that
there is a possibility of fraud. The IS auditor has to:
Expand activities to determine whether an investigation is
warranted.