1.

The Primary objectives for auditing IT change management is to ensure that

a. Only Approved Changes were made
b. All changes are documented
c. Changes control Procedure variance are recorded and accounted
d. Latest Version of Software is used

The Most Appropriate answer is A Only Approve changes were made

2. In auditing outsourcing, which of the following is the IS auditor most likely to consider for
formulating scope and objectives
a. Benefit of Outsourcing
b. Technical skills of service providers
c. Service Level Agreements
d. Quality of services provided

The most appropriate answer is C Service Level Agreements as it the document which defines the scope of work
as well the intended quality and objectives of outsourcing.

3. The most critical factor to be considered in segregation of duties in IT Environment is :

a. Business Operation
b. Security Policy
c. Organization Structure
d. IT Resources

The most appropriate answer is C Organization Structure as it defines the position of an individual in the
organization and duties should be assigned on the basis of authority given to him

4. Which of the following is most likely to be the result of inadequate IT policies and standards?
a. Absence of Guidelines and Benchmarks
b. Security and control may be compromised
c. Audit opinion on quality of control and security will be open to question.
d. Time required for audit will be higher.

The most appropriate answer is B Security and control may be compromised

5. Which of the following additional duties performed by the Information Security manager poses the
greatest risk to the organization
a. Maintaining Custody of documents
b. Operating computer hardware
c. Entering data for processing
d. Programming

The Most Appropriate answer is C Entering data for processing because if he enters the Data himself and he will
be the data custodian then management will not be able to determine the security level.

6. The most critical consideration in preparing a security policy is the :

a. Analysis of the Assets
b. Analysis of the Perceived Risk
c. Review of Intellectual property to be safeguarded
d. Availability of tools to monitor security
The most appropriate answer is B Analysis of the Perceived Risk as the security level will be determined on the
basis of Involved Risk.

7. The most critical consideration for an IS auditor in reviewing access Authorization is to understand
the :
a. Security Policies
b. IT Resources
c. Functionalities
d. Organisation Structure

The Most appropriate answer is Organisation Structure

8. In review of Job description, IS Auditor’s concern from control prospective is :

a. Are Current, documented and readily available to the employee
b. Establish Instructions on how to do the job and policies define authority of Staff
c. Establish responsibilities and the accountability of the employee’s function
d. Communicate management’s specific expectations for job performance.

The Most Appropriate answer is “C” Establish responsibilities and the accountability of the employee’s function

9. The Greatest risk on account of inadequate IT policies and standards is

a. Lack of Benchmarks for evaluating the operations
b. Security and control may be compromised’
c. Audit opinion on quality of control and security will be open to question.
d. Time required for audit will be higher

The most appropriate answer is Lack of Benchmarks for evaluating the operations

10. In addition to defining the policy objective, which of the following is most critical to ensure
implementation of Policy?
a. Provide adequate allocation of resources
b. Establish clear cut responsibilities
c. Commitment from Senior Management
d. Monitors changes required on a regular basis

The most appropriate answer is B Establish clear cut responsibilities

11. Which of the following is the most critical consideration in providing access to information in an
enterprise?
a. Job description,
b. Technical Skills
c. Work Experience
d. Security Policies

The most appropriate answer is A Job description

12. For IT Steering Committee to be effective, it’s member must necessarily include:
a. Users
 b. IT Head
c. Director
d. Functional Head

The most appropriate answer is IT Head as in Steering committee only higher management is involved and
strategic issues are discussed.

13. Which of the following is not a function of IT Steering committee?

a. Establish size and scope of the IT Function
b. Set priorities for IT projects
c. Formulate IT procedures and Practices
d. Review and approve standards, policies and Standards.

The Most Appropriate answer is “C” Formulate IT procedures and Practices.

14. Which of the following is the basis of providing authorization and access to the employee in an
enterprises :
a. Style of Management
b. Nature of Business Process
c. Type of technology
d. Organisation Structure

The Most appropriate answer is “d” Organisation Structure

15. The Most critical consideration in IT strategy Planning from perspective of IT governance is
a. Senior Management should formulate and implement long and short range plans
b. IT issues as well as opportunities are adequately assessed and reflected
c. It is aligned with the mission and business strategies of the enterprises
d. Strategic plan must address and help determine priorities to meet business needs.

The Most appropriate answer is “C” It is aligned with the mission and business strategies of the enterprises

16. The Primary objectives of segregation of duties is:

a. Distribution of work responsibilities as per experience
b. Prevention/monitoring of accidental or purposeful errors/omissions
c. Distribution of Work as per technical skills
d. Provide better services to the customers

The Most appropriate answer is Prevention/monitoring of accidental or purposeful errors/omissions

17. Which of the following relating to policies is incorrect

a. Provide management guidance and direction overall effective deployment of information and its
activities
b. Provide details of actions to be taken for preventing, detecting, correcting and reporting security
lapses
c. Refers to specific security rules for particulars systems
d. State the high level enterprises position and scope.

The most appropriate answer is C Refers to specific security rules for particulars systems

18. Which of the following is most critical for effective implementation of security?
 a. Defining and communicating individual roles, responsibilities and authority
b. Having regular external audit of security implementation
c. User training covering all aspects of security
d. Senior management is well versed with the technical aspects of security

The most appropriate answer is “A” Defining and communicating individual roles, responsibilities and authority

19. Which of the following statements relating to practices is correct

a. Refer to implementation aspects for various Information systems and related activities
b. Outline set of steps to be performed to ensure that a policy guideline is met
c. Provide management guidance and direction overall effective deployment of information and its
activities
d. Formulating by senior management and represents strategic philosophy.

The Most appropriate answer is “A” Refer to implementation aspects for various Information systems and related
activities

20. The most important resource for successful deployment of information technology in an enterprises is:
a. Effective Business processes
b. Trained human resources
c. Well defined organization structure
d. Implementing latest technology.

The most appropriate answer is “B” Trained human resources

21. Which among of the following combination of roles results has maximum risks
a. Data entry and operations
b. Librarian and Help desk
c. System Analysis and Quality assurance
d. Data base administration and Data entry

The most appropriate answer is “D” Data base administration and Data entry

22. During the preliminary stage of review of an IT strategic Plan, the most critical audit procedure is to
verify the existence of:
a. Documented long range plan for facilities, hardware and system and application software
b. Short range plans, which has been prepared outlining specific projects
c. Specific assignments for each IT managers that support completion of short range plans.\
d. Methodology for progress reporting and monitoring relating to adequacy of long/short range plans.

The Most Appropriate answer is “A” Documented long range plan for facilities, hardware and system and
application software

23. Security policy to be most effective has to be defined, based on:

a. Technology deployed
b. Risk Analysis
c. User Requirement
d. Security standards

The Most Appropriate answer is “B” Risk Analysis

 24. Two overall primary goals of IT Governance are:
a. Consider critical success factors that leverages IT resources and measure them
b. Ensure delivery of Information to business and measure using key goal Indicators
c. Create and Maintain system of Process/control excellence and monitor business value delivery of
IT.
d. Add value to business and balance risk versus return

The most appropriate answer is “D” Add value to business and balance risk versus return

25. The primary purpose in management implementing IT controls and IS auditor reviewing these control
is to :
a. Maintain Data Integrity
b. Safeguard computers
c. Provide assurance that business objectives are achieved
d. Provide proper segregation of duties

The most appropriate answer is “C” Provide assurance that business objectives are achieved

26. In Reviewing segregation of duties, the IS auditor as a measure of best control would review whether
the security administrator is :
a. Performing functions as defined
b. Well trained in business processes
c. Technically competent
d. Aware of the security policy

The most appropriate answer is “A” Performing functions as defined

27. Which of the following is the most critical consideration in segregation of duties?
a. The possibility for a single individual to subvert a critical process is prevented
b. Senior management ensures Implementation of division of roles and responsibilities
c. Staff is performing only those duties stipulated for their respective job and positions
d. Experience staff review all critical functions performed by the Junior Staff.

The most appropriate answer is ‘A” The possibility for a single individual to subvert a critical process is
prevented

28. In an Organisation providing services of outsourcing, the primary objectives of business continuity
plan is to ensure
a. Safeguard assets from a Disaster
b. Redundancy of IT resources
c. Continuity of critical business processes as per SLA
d. Identify single points of failures relating to technology
The most appropriate answer is “C” Continuity of critical business processes as per SLA