PRACTICE QUIZ CHAPTER 1

1) In sampling, which of the following is a measure of central tendency?
A. Variance
B. Range
C. Mode
D. Standard deviation

2) A long-term IS employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be based on the individual's experience and:
A. ability, as an IS auditor, to be independent of existing IS relationships.
B. age as training in audit techniques may be impractical.
C. the length of service since this will help ensure technical competence.
D. IS knowledge since this will bring enhanced credibility to the audit function.

3) Each of the following is a general control concern EXCEPT:
A. documentation procedures within the IS Department.
B. physical access controls and security measures.
C. organization of the IS Department.
D. balancing of daily control totals.

4) Which of the following online auditing techniques is most effective for the early detection of errors or irregularities?
A. Embedded audit module
B. Audit hooks
C. Integrated test facility
D. Snapshots

5) In a review of the IS resource management function, the IS Auditor finds that no computer routines were developed or acquired to read and take extracts from the mainframe systems job accounting software facility. Instead, the complete log record of system activity is printed out on a daily basis and distributed to several responsible managers in the IS department. The most reasonable interpretation of this situation by the IS Auditor is that:
A. Management's review of systems activity is unusually thorough; control in this area is probably strong.
B. IS management makes little real use of this system facility, control in this area is probably weak.
C. IS Management is probably concerned over the high cost of developing or acquiring programs of this type.
D. Operations management has decided to take this approach in the interest of maximizing systems efficiency.

6) Which of the following would an Information Systems Auditor consider most important in selecting an application for audit?
A. The IS Auditor's level of experience.
B. The application's degree of exposure.
C. The results of previous audits.
D. Whether or not the system is a financial one.

7) The primary purpose of an audit charter is to:
A. describe the authority and responsibilities of the audit department.
B. formally document the audit department's plan of action.
C. document a code of professional conduct for the auditor.
D. document the audit process used by the enterprise.

8) Which of the following is an advantage of an integrated test facility (ITF)?
A. It eliminates the need to prepare test data.
B. Periodic testing does not require separate test processes.
C. It uses actual master files or dummies and the IS auditor does not have to review the source of the transaction.
D. It validates application systems and tests the ongoing operation of the system.

9) Which of the following is LEAST likely to be included in a review to assess the risk of fraud in application systems?
A. Likelihood of error
B. Value of transactions
C. Volume of transactions
D. Extent of existing controls

10) Which of the following criteria for selecting the applications to be audited is LEAST likely to be used?
A. Sensitivity of transactions
B. Technological complexity
C. Regulatory agency involvement
D. Materiality of audit risk

11) Which criteria is the most important in selecting an application for
A. Impact of decision making
B. Assets controlled by the system
C. Cost of processing
D. Importance of updated master files

12) Which of the following types of audits requires the highest degree of data processing expertise?
A. Systems software audits
B. Microcomputer application audits
C. Mainframe application audits
D. General controls reviews

13) An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should FIRST review:
A. the effectiveness of the controls in place.
B. the mechanism for monitoring the risks related to the assets.
C. the threats/vulnerabilities affecting the assets.
D. the controls already in place.

14) Which of the following factors should not be considered in establishing the priority of audits included in an annual audit plan?
A. Auditee procedural changes
B. The time period since the last audit
C. Prior audit findings
D. Use of audit software

15) At the completion of the general controls review, the IS Auditor should be able to answer which of the following questions?
A. What controls are in place to assure that only authorized transactions are processed?
B. Does the organization of the IS Department provide adequate separation of functions?
C. Which user has access to create a purchase order?
D. How do input controls provide reasonable assurance that rejected data is re-entered?

16) Which of the following would be the BEST population to take a sample from when testing program changes?
A. Program change requests
B. Test library listings
C. Source program listings
D. Production library listings

17) An IS Auditor using systematic sampling for a population of 10,000 items determines that a sample size of 200 would be sufficient to accomplish the test objectives. The sampling interval would be:
A. 50
B. 200
C. 100
D. 500

18) The PRIMARY role of an IS auditor during the system design phase of an application development project is to:
A. advise the development manager on adherence to the schedule.
B. ensure all necessary controls are included in the initial design.
C. ensure the design accurately reflects the requirement.
D. advise on specific and detailed control procedures.

19) The first step the IS Audit Manager should take when preparing the annual IS audit plan is to:
A. begin with the prior year's IS audit plan and carry over any IS audits that had not been accomplished.
B. meet with the audit committee members to discuss the IS audit plan for the upcoming year.
C. ensure that the IS audit staff is competent in areas that are likely to appear on the plan and provide training as necessary.
D. perform a risk ranking of the current and proposed application systems to prioritize the IS audits to be conducted.

20) Which of the following is the least important factor in determining the need for an IS Auditor to be involved in a new system development project?
A. The number of lines of code to be written
B. The potential benefits of the system
C. The value of the system to the organization
D. The cost of the system

21) Which statement is true concerning transaction selections that use generalized audit software:
A. It requires a highly technical auditor to install and maintain the generalized audit software all year
B. It is not practical for sampling of transactions in complex computer application systems
C. It requires alteration of the production computer application system
D. It employs an independent computer program to monitor and select transactions for internal audit review

22) Reviewing management's long-term strategic plans helps the IS auditor:
A. assess the organization's reliance on information systems.
B. test the enterprise's internal controls.
C. gain an understanding of an organization's goals and objectives.
D. determine the number of audit resources needed.

23) IS Audit Management's most important function is to:
A. Maintain the quality of the department's written communications to management.
B. Encourage the use of the computer-assisted audit techniques to reduce audit cost.
C. Maintain the level of technical competence in the department.
D. Ensure that the department functions as a component of the overall audit effort.

24) An audit charter should:
A. document the audit procedures designed to achieve the planned audit objectives.
B. be dynamic and change often to coincide with the changing nature of technology and the audit profession.
C. clearly state audit objectives for and the delegation of authority to the maintenance and review of internal controls.
D. outline the overall authority, scope and responsibilities of the audit function.

25) While reviewing internal controls in a microcomputer environment, an IS auditor recommends that duties should be regularly rotated. The effect of implementing this recommendation would ensure which of the following controls?
A. Compensating
B. Detective
C. Preventative
D. Corrective

PRACTICE QUIZ CHAPTER 1


1) In sampling, which of the following is a measure of central tendency?
A. Variance
B. Range
* C. Mode
D. Standard deviation
Answer C is correct. Mode identifies the number of times a particular number is duplicated more than once. For example, in the following list of numbers find the mode: 01483873263. The mode is 3.

2) A long-term IS employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be based on the individual's experience and:
* A. ability, as an IS auditor, to be independent of existing IS relationships.
B. age as training in audit techniques may be impractical.
C. the length of service since this will help ensure technical competence.
D. IS knowledge since this will bring enhanced credibility to the audit function.
Answer: A
Independence should be continually assessed by the auditor and management. This assessment should consider such factors as changes in personal relationships, financial interests and prior job assignments and responsibilities. The fact that the employee has worked in IS for many years may not in itself ensure credibility. The audit department's needs should be defined and any candidate should be evaluated against those requirements. In addition, the length of service will not ensure technical competency, and evaluating an individual's qualifications based on the age of the individual is not a good criterion and is illegal in many parts of the world.

3) Each of the following is a general control concern EXCEPT:
A. documentation procedures within the IS Department.
B. physical access controls and security measures.
C. organization of the IS Department.
* D. balancing of daily control totals.
Answer "D" is the BEST answer because balancing of daily control totals relates to specific applications and is not considered an overall general control concern. Answer "A" is NOT the best answer since documentation procedures within the IS Department is an important general control concern. Answer "B" is NOT the best answer since organization of the IS Department is an important general control concern. Answer "C" is NOT the best answer since physical access controls and security measures are important general control concerns.

4) Which of the following online auditing techniques is most effective for the early detection of errors or irregularities?
A. Embedded audit module
* B. Audit hooks
C. Integrated test facility
D. Snapshots
The audit hook technique involves embedding code in application systems for the examination of selected transactions. This helps the IS auditor to act before an error or an irregularity gets out of hand. An embedded audit module involves embedding specially written software in the organization's host application system so that application systems are monitored on a selective basis. An integrated test facility is used when it is not practical to use test data, and snapshots are used when an audit trail is required.

5) In a review of the IS resource management function, the IS Auditor finds that no computer routines were developed or acquired to read and take extracts from the mainframe systems job accounting software facility. Instead, the complete log record of system activity is printed out on a daily basis and distributed to several responsible managers in the IS department. The most reasonable interpretation of this situation by the IS Auditor is that:
A. Management's review of systems activity is unusually thorough; control in this area is probably strong.
* B. IS management makes little real use of this system facility, control in this area is probably weak.
C. IS Management is probably concerned over the high cost of developing or acquiring programs of this type.
D. Operations management has decided to take this approach in the interest of maximizing systems efficiency.
Answer B is correct. The system log from any moderately used computer will be abundant and labor intensive to interpret at a meaningful level. It could be reasonable to assume and easy to verify that management makes little real use of this system. It would be prudent of the IS Auditor to recommend the development of programs to summarize and provide management with meaningful reports.

6) Which of the following would an Information Systems Auditor consider most important in selecting an application for audit?
A. The IS Auditor's level of experience.
* B. The application's degree of exposure.
C. The results of previous audits.
D. Whether or not the system is a financial one.
Answer B is correct. The degree of exposure or audit risk should always be the key criteria for selecting candidates for an audit.

7) The primary purpose of an audit charter is to:
* A. describe the authority and responsibilities of the audit department.
B. formally document the audit department's plan of action.
C. document a code of professional conduct for the auditor.
D. document the audit process used by the enterprise.
Answer: A
The audit charter typically sets out the role and responsibility of the internal audit department. It should state management's objectives for and delegation of authority to the audit department. It is rarely changed and does not contain the audit plan or audit process which is usually part of annual audit planning, nor does it describe a code of professional conduct since such conduct is set by the profession and not by management.

8) Which of the following is an advantage of an integrated test facility (ITF)?
A. It eliminates the need to prepare test data.
* B. Periodic testing does not require separate test processes.
C. It uses actual master files or dummies and the IS auditor does not have to review the source of the transaction.
D. It validates application systems and tests the ongoing operation of the system.
An integrated test facility creates a fictitious entity in the database to process test transactions simultaneously with live input. Its advantage is that periodic testing does not require separate test processes. However, careful planning is necessary, and test data must be isolated from production data.

9) Which of the following is LEAST likely to be included in a review to assess the risk of fraud in application systems?
* A. Likelihood of error
B. Value of transactions
C. Volume of transactions
D. Extent of existing controls
Answer A is correct. An error is the least likely element to contribute to the potential for fraud. Answer A and C are incorrect since volume times value of transactions gives an indication of the maximum potential loss through fraud. Answer D is incorrect since gross risk less existing control gives net risk.

10) Which of the following criteria for selecting the applications to be audited is LEAST likely to be used?
A. Sensitivity of transactions
* B. Technological complexity
C. Regulatory agency involvement
D. Materiality of audit risk
Answer "B" is the BEST choice because technical complexity of an application is not as important as the materiality of the audit risk associated with an application or sensitivity of the transactions. Regulatory agency requirements also play an important role in determining what to audit. Answer "A" is NOT the best choice because sensitivity of transactions would be an exposure to a company and should be considered in determining which applications should be audited. Answer "C" is NOT the best choice because the measurement of audit risk is an important component when determining the scope of an audit plan. The materiality of the audit risk associated with specific application would have an impact on whether the application is included in the audit scope. Answer "d" is NOT the best choice because applications may relate to operational areas of the Company where regulatory agencies have required audits.

11) Which criteria is the most important in selecting an application for
A. Impact of decision making
* B. Assets controlled by the system
C. Cost of processing
D. Importance of updated master files
Answer b is correct. The assets controlled by the system will always indicate how strategic a system is to the continuous functioning of the business. The other criteria naturally follow in order of importance.

12) Which of the following types of audits requires the highest degree of data processing expertise?
* A. Systems software audits
B. Microcomputer application audits
C. Mainframe application audits
D. General controls reviews
Answer "a" is the BEST because the IS Auditor needs specialized education in hardware and operating systems software. Answers b, c, and d can be performed when an IS Auditor has a basic level of data processing technical knowledge and usually requires no special training. Answer "b" is NOT correct because general controls reviews typically do not require as technical a level of knowledge as an audit of systems software. Answer "c" is NOT correct because microcomputer application reviews generally do not require as technical a background as an audit of systems software. Answer "d" is NOT correct because mainframe application audits typically do not require special training or as technical level of knowledge as system software reviews.

13) An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should FIRST review:
A. the effectiveness of the controls in place.
B. the mechanism for monitoring the risks related to the assets.
* C. the threats/vulnerabilities affecting the assets.
D. the controls already in place.
One of the key factors to be considered while assessing the risks related to the use of various information systems is the threats and vulnerabilities affecting the assets. The risks related to the use of information assets should be evaluated in isolation from the installed controls. Similarly, the effectiveness of the controls should be considered during the risk mitigation stage and not during the risk assessment phase. A mechanism to continuously monitor the risks related to assets should be put in place during the risk monitoring function that follows the risk assessment phase.

14) Which of the following factors should not be considered in establishing the priority of audits included in an annual audit plan?
A. Auditee procedural changes
B. The time period since the last audit
C. Prior audit findings
* D. Use of audit software
Answer d is correct. Use of audit software merely refers to a technique that can be used in performing an audit. It has no relevance to the development of the annual audit plan.

15) At the completion of the general controls review, the IS Auditor should be able to answer which of the following questions?
A. What controls are in place to assure that only authorized transactions are processed?
* B. Does the organization of the IS Department provide adequate separation of functions?
C. Which user has access to create a purchase order?
D. How do input controls provide reasonable assurance that rejected data is re-entered?
Answer "B" is the best answer. Answers a, c, and d all deal with questions that are normally addressed during the completion of an application review. Answer "a" is the best answer because it deals with a question that IT Auditors would ask at a high level review or a general controls review.

16) Which of the following would be the BEST population to take a sample from when testing program changes?
A. Program change requests
B. Test library listings
C. Source program listings
* D. Production library listings
The best source from which to draw any sample or test of system information is the automated system. The production libraries represent executables that are approved and authorized to process organizational data. Source program listings would be time intensive. Program change requests are the documents used to initiate change; there is no guarantee that the request has been completed for all changes. Test library listings do not represent the approved and authorized executables.

17) An IS Auditor using systematic sampling for a population of 10,000 items determines that a sample size of 200 would be sufficient to accomplish the test objectives. The sampling interval would be:
* A. 50
B. 200
C. 100
D. 500
Answer "a" is CORRECT! 10,000 divided by 200 equals 50. In a population of 10,000 selecting every 50th item would produce a sample of 200. Answer "b" is NOT correct because 10,000 divided by 200 equals 50. In a population of 10,000 selecting every 100th item would produce a sample of 100. Selecting every 50th item would produce a sample. Answer "c" is NOT correct because 10,000 divided by 200 equals 50. In a population of 10,000 selecting every 200th item would produce a sample of 50 items. Selecting every 50th item would produce a sample of 200 items. Answer "d" is NOT correct because 10,000 divided by 200 equals 50. In a population of 10,000 selecting every 500th item would produce a sample of 20 items. Selecting every 50th item would produce a sample of 200 items.

18) The PRIMARY role of an IS auditor during the system design phase of an application development project is to:
A. advise the development manager on adherence to the schedule.
* B. ensure all necessary controls are included in the initial design.
C. ensure the design accurately reflects the requirement.
D. advise on specific and detailed control procedures.
The duty of the IS auditor is to ensure that required controls are included. Unless specifically present as a consultant, the IS auditor should not be involved in detailed designs. During the design phase, the IS auditor's primary role is to ensure controls are included. Unless there is potential slippage to report, the IS auditor is not concerned with project control at this stage.

19) The first step the IS Audit Manager should take when preparing the annual IS audit plan is to:
A. begin with the prior year's IS audit plan and carry over any IS audits that had not been accomplished.
B. meet with the audit committee members to discuss the IS audit plan for the upcoming year.
C. ensure that the IS audit staff is competent in areas that are likely to appear on the plan and provide training as necessary.
* D. perform a risk ranking of the current and proposed application systems to prioritize the IS audits to be conducted.
Answer "d" is BEST because IS audit services should be expended only if the risk warrants it. Answers a, b, and c occur after c has been completed. Answer "b" is NOT correct because the IS Audit Manager does not know what areas are to appear on the IS audit plan until a risk analysis is completed and discussions are held with the audit committee members. Answer "a" is NOT correct because the IS Audit Manager would not meet with the audit committee until a risk analysis of areas of exposure has been completed. Answer "c" is NOT correct because a risk analysis would be the first step before any IS audit services are expended.

20) Which of the following is the least important factor in determining the need for an IS Auditor to be involved in a new system development project?
* A. The number of lines of code to be written
B. The potential benefits of the system
C. The value of the system to the organization
D. The cost of the system
Answer a is correct. The size of the system is the least important of the factors listed. All other factors have specific financial implications and an IS Auditor can be used to help mitigate the risk to the corporation with the development of a new system.

21) Which statement is true concerning transaction selections that use generalized audit software:
A. It requires a highly technical auditor to install and maintain the generalized audit software all year
B. It is not practical for sampling of transactions in complex computer application systems
C. It requires alteration of the production computer application system
* D. It employs an independent computer program to monitor and select transactions for internal audit review
Answer d is correct. Generalized audit software should run independent of production computer application systems.

22) Reviewing management's long-term strategic plans helps the IS auditor:
A. assess the organization's reliance on information systems.
B. test the enterprise's internal controls.
* C. gain an understanding of an organization's goals and objectives.
D. determine the number of audit resources needed.
Strategic planning sets corporate or departmental objectives into motion. Strategic planning is time- and project-oriented, but must also address and help determine priorities to meet business needs. Reviewing long-term strategic plans would not achieve the objectives expressed by the other choices.

23) IS Audit Management's most important function is to:
A. Maintain the quality of the department's written communications to management.
B. Encourage the use of the computer-assisted audit techniques to reduce audit cost.
C. Maintain the level of technical competence in the department.
* D. Ensure that the department functions as a component of the overall audit effort.
Answer d is correct. IS Audit Management's primary function is to ensure that audit resources are expended such that the greatest return to the company is achieved. The return to the company will be in the value that the management and the company derive from the audit process. Therefore, it is essential that IS Auditing functions in concert with the overall audit effort.

24) An audit charter should:
A. document the audit procedures designed to achieve the planned audit objectives.
B. be dynamic and change often to coincide with the changing nature of technology and the audit profession.
C. clearly state audit objectives for and the delegation of authority to the maintenance and review of internal controls.
* D. outline the overall authority, scope and responsibilities of the audit function.
An audit charter should state management's objectives for and delegation of authority to IS audit. This charter should not significantly change over time and should be approved at the highest level of management. An audit charter would not be at a detailed level and, therefore, would not include specific audit objectives or procedures.

25) While reviewing internal controls in a microcomputer environment, an IS auditor recommends that duties should be regularly rotated. The effect of implementing this recommendation would ensure which of the following controls?
A. Compensating
B. Detective
* C. Preventative
D. Corrective
Answer c is correct. A small institution may find that separation of duties (which is a preventative control) may not be practical since there are too few employees. In such a circumstance, it may be possible to establish an acceptable control environment by instituting compensating measures such as rotation of job duties.
