
1. The susceptibility of a business or process to make an error that is material in nature, assuming there were no internal controls.
A. Inherent risk
B. Control risk
C. Detection risk
D. Correction risk
Answer: A

2. The risk that the controls put in place will not prevent, correct, or detect errors on a timely basis.
A. Inherent risk
B. Control risk
C. Detection risk
D. Correction risk
Answer: B

3. The risk that the IS auditor's substantive procedures will not detect an error that could be material.
A. Inherent risk
B. Control risk
C. Detection risk
D. Material risk
Answer: B

4. Log reviews may not result in timely detection or correction of errors. This is an example of
A. Inherent risk
B. Control risk
C. Detection risk
D. Race condition risk
Answer: B

5. Controls that are designed to prevent an error, omission, or negative act from occurring are
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Answer: A

6. Controls that are designed to predict potential problems before they occur are
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Answer: A

7. Employing only qualified personnel is an example of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Internal controls
Answer: A

8. Segregation of duties is an example of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Deterrent controls
Answer: A

9. Controlling access to physical facilities is an example of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Deterrent controls
Answer: A

10. Using well-designed documents to prevent errors is an example of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Deterrent controls
Answer: A

11. Establishing suitable procedures for authorization of transactions is an example of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Deterrent controls
Answer: A

12. Using access control software that allows only authorized personnel to access sensitive files is an example of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Deterrent controls
Answer: A

13. Controls put in place to detect or indicate that an error or a bad thing has happened are
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Deterrent controls
Answer: B

14. Controls that enable a risk or deficiency to be corrected before a loss occurs are
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Deterrent controls
Answer: C

15. Controls that reduce the likelihood of a deliberate act to cause a loss or an error are
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Deterrent controls
Answer: D

16. Controls that indirectly mitigate a risk, or that compensate for the lack of controls directly acting upon a risk, are
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Answer: D

17. Locking the door is an example of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Deterrent controls
Answer: A

18. Taking positive actions and proactive steps based on previously identified risks are usually
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Deterrent controls
Answer: A

19. An alarm on the door is an example of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Answer: B

20. A check subroutine that identifies an error and makes a correction before enabling the process to continue is an example of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Deterrent controls
Answer: C

21. Barriers or warning signs are examples of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Deterrent controls
Answer: D

22. The process of paying someone else to assume the risk is
A. Risk transference
B. Risk mitigation
C. Risk acceptance
D. Inherent risk
Answer: A

23. An "Echo" message in a telecommunications protocol is an example of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Answer: B

24. Performing duplicate checking of calculations is an example of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Answer: B

25. Checkpoints in production jobs are examples of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Answer: B

26. The analysis of periodic performance reports with variances is an example of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Answer: B

27. The analysis of past-due account reports is an example of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Answer: B

28. Internal audit functions are examples of
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Answer: B

29. Controls that minimize the impact of a threat are
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Answer: C

30. Controls that remedy problems discovered by detective controls are
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
Answer: C

31. Controls that identify the cause of a problem are
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Deterrent controls
Answer: C

32. Controls that modify the processing system(s) to minimize future occurrences of problems are
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Deterrent controls
Answer: C

33. Contingency planning is an example of a
A. Preventive control
B. Detective control
C. Corrective control
D. Deterrent control
Answer: C

34. A backup procedure is an example of a
A. Preventive control
B. Detective control
C. Corrective control
D. Deterrent control
Answer: C

35. A rerun procedure is an example of a
A. Preventive control
B. Detective control
C. Corrective control
D. Compensating control
Answer: C

36. Control objectives in an information systems environment, compared with those of a manual environment:
A. are totally different.
B. remain unchanged, but features may be different.
C. should be changed, but features are the same.
D. should not be changed, as features are the same.
Answer: B

37. Evidence gathering to evaluate the integrity of individual transactions, data or other information is typical of which of the following?
A. Substantive testing
B. Compliance testing
C. Detection testing
D. Control testing
Answer: A
Evidence gathering to evaluate the integrity of individual transactions, data or other information is called substantive testing, whereas evidence gathering for the purpose of testing an organization's compliance with control procedures is called compliance testing. Detection and control tests are irrelevant.

38. What is the first action an IS auditor should take after identifying a weakness in a control?
A. Suggest a corrective action
B. Take the finding directly to the steering committee
C. Try to find a compensating control for the identified weakness
D. Take note of it for inclusion in the final audit report
Answer: C
A control objective will not normally be achieved by considering one control adequate. The IS auditor will rather perform a variety of testing procedures and evaluate how these relate to one another. An IS auditor should always review for compensating controls prior to reporting a control weakness.

39. To which of the following should an internal IS audit function report in an organization?
A. Senior management
B. User management
C. IS management
D. Business units
Answer: A
The audit function should normally report to senior management. The higher the reporting relationship in an organization, the greater the importance attached to the audit function. This provides independence and protects the auditor from organizational pressures.

40. In a properly segregated environment, which of the following functions could be performed by the same person?
A. Data entry and job scheduling
B. Database administration and security administration
C. Security administration and data entry
D. Security administration and quality assurance
Answer: D
Segregation of duties is an important means by which fraudulent and/or malicious acts can be discouraged and prevented. When duties are properly segregated, no one person has complete control over a transaction throughout its initiation, authorization, recording, processing and reporting. In a properly segregated environment, quality assurance can be an additional responsibility of the security administrator without violating the segregation of duties principle. Other functions are incompatible. Database administration and security administration are incompatible because of possible manipulation of access privileges and rules for personal gain. Data entry and job scheduling are incompatible because a data entry person could submit unauthorized jobs. Security administration is incompatible with data entry since the security administrator would be in a position to openly introduce fraudulent data.

41. In a properly segregated environment, which of the following functions is NOT compatible with that of Quality Assurance?
A. Systems analyst
B. Data entry
C. Security administrator
D. Computer operator
Answer: A
A proven method to ensure that transactions are properly authorized and recorded and that the company's assets are safeguarded is to structure separation of duties. Lack of proper separation of duties can result in potential damage to the organization. When a proper separation of duties cannot be achieved, compensating controls must exist in order to mitigate the resulting risk. Nevertheless, some functions should not be combined, since no compensating controls can mitigate the separation of duties risk. In this case, the quality assurance function should not be performed by the systems analyst for the obvious reason that an evaluation of a system's design quality might be biased.

42. Which of the following best describes a Trojan Horse?
A. A macro virus embedded in email
B. A malicious computer program embedded in an executable file
C. A computer program embedded in an authorized program
D. A malicious computer program embedded in an application program
Answer: C
A Trojan horse is classified as a program that can be malicious or nonmalicious during execution. Thus, a malicious computer program embedded in an application program and a malicious computer program embedded in an executable file are incorrect answers because they do not consider nonmalicious Trojan horses. A macro virus embedded in email is incorrect because a Trojan horse may not have a virus element.

43. The IT steering committee's role in the IT planning process is to:
A. document meeting notes.
B. make presentations.
C. conduct meetings regularly.
D. approve meeting notes.
Answer: B
Choices (A, C, and D) are the responsibility of the top IT executive, who can schedule, organize, and document meetings. It is important to have a business person from the IT steering committee who can make the majority of the presentations to the executive committee. This demonstrates business management's ownership, support, and commitment. The role of the executive committee in the planning process is to provide IT with strategic business direction, to set priorities, and to approve the expenditure of funds.

44. There are seven layers in the open system interconnection (OSI) reference model offering security services to enhance the security of information systems. Which of the following OSI layers provides confidentiality, authentication, and data integrity services?
A. Network layer
B. Presentation layer
C. Session layer
D. Physical layer
Answer: A
The network layer is responsible for transmitting a message from source to destination. It provides routing (path control) services to establish connections across communications networks. Achieving this goal requires confidentiality, authentication, and data integrity services. Presentation layer (choice B) is incorrect because it provides authentication and confidentiality services, but not data integrity. The presentation layer defines and transforms the format of data to make it useful to the receiving application. Session layer (choice C) is incorrect because it does not provide any security-related services. It establishes, manages, and terminates connections between applications, and provides checkpoint recovery services. It helps users interact with the system and with other users. Physical layer (choice D) is incorrect because it provides confidentiality service only. The physical layer provides for the transmission of unstructured bit streams over the communications channel. It is the innermost software that handles the electrical interface between a terminal and a modem.

45. Which of the following situations poses the least threat to ensuring the security and integrity of alternative components used in telecommunications backup?
A. Switching from fiber optics to wire pair
B. Switching from digital to analog line
C. Switching from analog to digital line
D. Switching from dedicated to dial up line
Answer: C
Choice (C) is the correct answer. Switching from analog to digital is more secure and less prone to errors than the other options. Digital lines are more reliable. Security and the data integrity of alternative components used must be considered in the contingency plan. Switching from fiber optics to wire pair (choice A), dedicated to dial up line (choice D), or digital to analog (choice B) may make the line more susceptible to a wiretap or to line noise, which can result in errors. Using dial up lines could facilitate access by the public.

46. Fire has swept through the premises of an organization's computer room. The company has lost its entire computer system. The best thing the organization could have done is to:
A. plan for cold-site arrangements.
B. plan for mutual agreements, negotiating with other similar organizations to back each other.
C. plan for warm-site arrangements, since everything was ready to go.
D. take daily backups to an off-site storage facility.
Answer: D
Choice (D) is the correct answer. Daily backups taken to off-site storage facilities can minimize damage. A whole company can suffer when disaster strikes. There is no room for complacency. Even hot/warm/cold sites and mutual agreements (choices A through C) require backups to continue with business operations. "No backup, no recovery" should be practiced.

47. In order for a system to provide for continuity and effective control over the proposed IS activities, the system development process should be performed in a certain order. In which of the following sequences are the computer systems development phases listed in the order in which they should be performed?
A. Implementation planning, development of user specifications, systems planning, and programming
B. Development of user specifications, development of technical specifications, implementation planning, and programming
C. Training of user department personnel, implementation planning, and system testing
D. Implementation planning, programming, conversion, and system testing
Answer: B
Choice (B) is the correct answer. Development of business/user specifications is followed by the development of technical specifications, requiring implementation planning, followed by programming, testing, and training. In other words, business/user requirements drive the entire system development process.

48. The Annual Loss Expectancy (ALE) of a risk without controls is expected to be $35,000 to a business process you are evaluating. You are recommending a control that will save 80 percent of that loss at an annual cost of $20,000 over the life of the process. Is the control justifiable?
A. No, the savings are insignificant relative to the cost.
B. Yes, 80 percent of the loss amounts to $28,000 per year, which exceeds the annual cost by $8,000 per year.
C. No, ALE is a subjective number and cannot be depended on to make this decision.
D. Maybe, it depends on management's appetite for risk and loss.
Answer: B
The correct answer is B. This is a justifiable control mechanism for management to consider for implementation. The significance of the savings compared to the cost (A) is a management decision and not one the IS auditor should be making. While ALE may be somewhat subjective (C), if its source and the method used to derive it are objective and reliable, it is a valid way to determine potential saving or loss over time. While management does have the responsibility for making decisions related to implementing all controls (D), this is still a justifiable control, should management choose to implement it.

49. A risk assessment has determined that the losses that could potentially be incurred with the delivery system of a business may cost up to $10,000 per month. Preventive controls have been recommended that will save the company $7,000 per month, but this control will take three months to implement at a cost of $100,000 and at an ongoing cost of $1,000 per month. The business process has a life span of five years and has been in production for one year. Is the control justified?
A. Yes, the savings over the remaining life of the process would be $315,000, thus justifying the expense.
B. No, the $3,000 per month that will be missed over the life of the process ($144,000) exceeds the cost of the control.
C. Yes, the total cost of the control over the remaining process life is $145,000, while the potential loss without the control would be $480,000.
D. Maybe, if the potential savings over the remaining life of the process ($315,000) minus the total cost of the control ($145,000) represents a material risk to the company's management ($170,000), management may consider implementing the control and avoiding the risk.
Answer: D
The correct answer is D. This question is about potential loss, not actual loss. The risk of loss is a management decision that must be weighed against the probability of occurrence (not referenced in the problem) and the appetite for risk by management. The cost of funds and other priorities may influence this decision as well. While the control looks justifiable on paper (savings exceed cost over the life of the process by a significant amount), the probability of that loss occurring to the business needs to be factored into the decision process.

50. What is the primary difference to keep in mind when evaluating automated and manual controls?
A. Automated controls can operate in an unattended fashion, which requires less testing and monitoring.
B. Manual controls require human interaction to be successfully deployed and must consider human fallibility as part of the accuracy assessment.
C. Potential losses are more difficult to measure with manual controls because the error rates are more difficult to measure.
D. Training and documentation are required for manual controls, while automated controls do not require such documentation.
Answer: B
The correct answer is B. The human factor is the most important consideration when evaluating manual controls against automated controls. Training and documentation (D) is one aspect of this human interaction as a control mechanism, but there are other aspects, such as human nature, which also play a part in this analysis. Potential loss when using manual controls (C) may be a factor to consider in this evaluation, but it is not the primary concern. Although the automated controls are automatic by design, they still must be monitored and tested (A) commensurate with the risk they are put in place to control.
