CISA Flashcards
Common Control Considerations
What is Common Control Consideration 1?
A. Central Development and Implementation of Controls
B. This means that the rules or procedures for keeping our systems safe and working well are made by the main group in charge and have to be followed exactly the same way by everyone, no matter where they work. This means there’s a central place where we watch over things like who accesses what, how systems are managed, and if everything is secure.
C. Example 1: Let’s say the CIO makes a rule about how we handle databases like Oracle, SQL, Progress, and DB2. They say everyone in every office has to follow this rule exactly as it is, without changing anything. So, whether you’re in New York, London, or Tokyo, everyone has to manage those databases in the same exact way according to the rule from headquarters.
D. All are exhibits of Common Control Consideration 1
D. All are exhibits of Common Control Consideration 1
Common Control Consideration 1:
A: Central Development and Implementation of Controls
This means that the rules or procedures for keeping our systems safe and working well are made by the main group in charge and have to be followed exactly the same way by everyone, no matter where they work. This means there’s a central place where we watch over things like who accesses what, how systems are managed, and if everything is secure.
Example 1: Let’s say the CIO makes a rule about how we handle databases like Oracle, SQL, Progress, and DB2. They say everyone in every office has to follow this rule exactly as it is, without changing anything. So, whether you’re in New York, London, or Tokyo, everyone has to manage those databases in the same exact way according to the rule from headquarters.
What is Common Control Consideration 2?
A. Consideration 2: Consistency in Control Performance and Monitoring
B. This means that the people who check if our systems are working well and secure should have similar jobs and skills, no matter where they work in the company.
C. Example: Let’s say there’s a rule in place that says we need to regularly check if our computer systems are secure. The people responsible for doing this check should have similar roles and skills, whether they’re working in the main office, a branch office, or a warehouse. For instance, if we have IT specialists checking security in one office, we should have similar IT specialists doing the same job in all other locations. This ensures that the checks are done consistently and effectively everywhere in the company.
D. All are exhibits of Common Control Consideration 2- Consistency in Control Performance and Monitoring
D. All are exhibits of Common Control Consideration 2- Consistency in Control Performance and Monitoring
Consideration 2: Consistency in Control Performance and Monitoring
This means that the people who check if our systems are working well and secure should have similar jobs and skills, no matter where they work in the company.
Example: Let’s say there’s a rule in place that says we need to regularly check if our computer systems are secure. The people responsible for doing this check should have similar roles and skills, whether they’re working in the main office, a branch office, or a warehouse. For instance, if we have IT specialists checking security in one office, we should have similar IT specialists doing the same job in all other locations. This ensures that the checks are done consistently and effectively everywhere in the company.
What is Common Control Consideration 3?
A. Consideration 3: Consistency in Automated Control Configuration
B. Explanation: If we use computer programs or systems to manage certain tasks automatically, do we set up these programs the same way across all parts of the company?
C. Example: Imagine we have a program that automatically checks if people are using strong passwords to access our systems. If this program is used in different offices or departments, it should be set up in exactly the same way in each place. For instance, if we set the program to require passwords with a minimum of 8 characters and at least one number in the main office, the same rules should apply in all other locations. This ensures that the automated checks are consistent and reliable throughout the company.
D. All are exhibits of Common Control Consideration 2- Consistency in Control Performance and Monitoring
Consideration 3: Consistency in Automated Control Configuration
Explanation: If we use computer programs or systems to manage certain tasks automatically, do we set up these programs the same way across all parts of the company?
Example: Imagine we have a program that automatically checks if people are using strong passwords to access our systems. If this program is used in different offices or departments, it should be set up in exactly the same way in each place. For instance, if we set the program to require passwords with a minimum of 8 characters and at least one number in the main office, the same rules should apply in all other locations. This ensures that the automated checks are consistent and reliable throughout the company.
What is Common Control Consideration 4?
A. Consideration 4: Consistency in Automated Control Configuration
B. Explanation: If we’re using information from our computer systems to check if everything is running smoothly, are these systems the same in all parts of the company?
C. Example: Let’s say we have a system that keeps track of who accesses certain files on our company network. If we’re using this system to make sure only authorized people are accessing sensitive information, we need to ensure that the system is the same across all offices and departments. For instance, if one office uses a high-security access system while another office has a less secure one, the data we gather might not be reliable. So, we need to make sure that the systems generating this data are consistent everywhere to get accurate results and maintain security standards across the company.
D. All the Above
Consideration 4: Consistency in Automated Control Configuration
Explanation: If we’re using information from our computer systems to check if everything is running smoothly, are these systems the same in all parts of the company?
Example: Let’s say we have a system that keeps track of who accesses certain files on our company network. If we’re using this system to make sure only authorized people are accessing sensitive information, we need to ensure that the system is the same across all offices and departments. For instance, if one office uses a high-security access system while another office has a less secure one, the data we gather might not be reliable. So, we need to make sure that the systems generating this data are consistent everywhere to get accurate results and maintain security standards across the company.
What is Common Control Consideration 5?
A. Consideration 5: Central Monitoring of Controls
B. Explanation: This means keeping an eye on important rules or procedures from one central place to ensure they’re followed consistently throughout the company.
C. Example: Imagine there’s a rule that says we need to regularly update our computer software to keep it secure. Instead of each department managing this on their own, there’s a central team responsible for making sure everyone follows the rule. They monitor updates across all departments to ensure nobody falls behind or skips updates, thus maintaining security across the organization.
D. All the Above
D. All the Above
Consideration 5: Central Monitoring of Controls
Explanation: This means keeping an eye on important rules or procedures from one central place to ensure they’re followed consistently throughout the company.
Example: Imagine there’s a rule that says we need to regularly update our computer software to keep it secure. Instead of each department managing this on their own, there’s a central team responsible for making sure everyone follows the rule. They monitor updates across all departments to ensure nobody falls behind or skips updates, thus maintaining security across the organization.
________ we’re basically looking at how your company manages any changes or updates to its computer systems. This can include: Application development, System development, and program change management.
To a business client, we’re focusing on how your company handles the development and management of software programs, overall computer systems, and changes within those programs. We want to make sure that these changes are managed effectively to minimize risks and ensure that your systems continue to work smoothly and securely.
A. System Change Control
B. IT Audit
C. Change Management
D. Physical Security
A. System Change Control
System change control: we’re basically looking at how your company manages any changes or updates to its computer systems.
To a business client, we’re focusing on how your company handles the development and management of software programs, overall computer systems, and changes within those programs. We want to make sure that these changes are managed effectively to minimize risks and ensure that your systems continue to work smoothly and securely.
_____ This refers to creating or updating software programs that your company uses for different tasks. For example, if you develop a new app for managing inventory or customer orders, that’s part of application development.
A. Application Development
B. IT Audit
C. Change Management
D. Physical Security
Application Development: This refers to creating or updating software programs that your company uses for different tasks. For example, if you develop a new app for managing inventory or customer orders, that’s part of application development.
Example: Let’s say your company decides to create a new mobile app for customers to place orders. The process of designing, coding, testing, and deploying this app is part of application development.
Another example could be updating your company’s website to include new features, such as an online chat support system. The team responsible for designing and implementing these new features is engaged in application development.
_____ This involves building or modifying the overall computer systems that your company relies on. It could include things like setting up new servers, upgrading network infrastructure, or integrating different software systems to work together smoothly.
A. Application Development
B. System Development
C. Change Management
D. Physical Security
System Development: This involves building or modifying the overall computer systems that your company relies on. It could include things like setting up new servers, upgrading network infrastructure, or integrating different software systems to work together smoothly.
Example: Your company decides to upgrade its entire network infrastructure to support higher bandwidth and better security. This involves installing new servers, routers, and switches, as well as configuring them to work together efficiently. This comprehensive upgrade process is part of system development.
Another example could be implementing a new Enterprise Resource Planning (ERP) system to streamline business processes across various departments. The planning, installation, customization, and integration of this new system into your company’s existing infrastructure constitute system development.
_______ This is about how changes are managed within the programs or software applications themselves. For instance, if you need to fix a bug in your accounting software or add new features to your customer relationship management system, that falls under program change management.
A. Application Development
B. System Development
C. Program Change Management
D. Physical Security
Program Change Management: This is about how changes are managed within the programs or software applications themselves. For instance, if you need to fix a bug in your accounting software or add new features to your customer relationship management system, that falls under program change management.
Example: Suppose there’s a bug in your company’s accounting software that causes incorrect calculations in financial reports. The process of identifying, fixing, and testing this bug, as well as deploying the updated version of the software, falls under program change management.
Another example could be adding new features to your company’s Customer Relationship Management (CRM) software based on user feedback. Managing the entire lifecycle of these changes, from requirements gathering to deployment, is part of program change management.
What is the Risk of Control (RAIT) of (LA4)- Provisioning?
A. Production systems, programs, and/or job results in inaccurate, incomplete, or unauthorized processing of data
B. Users have access privileges beyond those necessary to perform their assigned duties, which may create improper segregation of duties.
C. Data conversion from legacy systems introduces errors
D. None of the above
(LA4)- Provisioning-
The risk is:
B. Users have access privileges beyond those necessary to perform their assigned duties, which may create improper segregation of duties.
REASONING: Provisioning controls mitigate the risks associated with excessive access privileges, improper segregation of duties, insider threats, compliance violations, and data loss or theft. By evaluating provisioning processes and access rights management, auditors help ensure that organizations maintain a secure and compliant environment for managing user access to systems and data.
What is the Control Description of (LA4)- Default Accounts on Provisioning?
A. Users have access privileges beyond those necessary to perform their assigned duties, which may create improper segregation of duties.
B. Management approves the nature and extent of user-access privileges for new and modified user access, including standard application profiles roles, critical financial reporting transactions, and segregation of duties.
C. User access is periodically reviewed
D. Privileged level access is authorized and appropriately restricted.
B. Management approves the nature and extent of user-access privileges for new and modified user access, including standard application profiles roles, critical financial reporting transactions, and segregation of duties.
Control Description of (LA4)- Default Accounts of Provisioning
Management approves the nature and extent of user-access privileges for new and modified user access, including standard application profiles roles, critical financial reporting transactions, and segregation of duties.
What is the Control Description of (LA3)- PRIVILEGED ACCESS?
A. Users have access privileges beyond those necessary to perform their assigned duties, which may create improper segregation of duties.
B. Management approves the nature and extent of user-access privileges for new and modified user access, including standard application profiles roles, critical financial reporting transactions, and segregation of duties.
C. User access is periodically reviewed
D. Privileged level access is authorized and appropriately restricted.
The Control Description of (LA3)- PRIVILEGED ACCESS
D. Privileged level access is authorized and appropriately restricted.
What is the Control Description of (LA2)- Passwords?
A. Users have access privileges beyond those necessary to perform their assigned duties, which may create improper segregation of duties.
B. Access is authenticated through unique user IDs and passwords or other methods as a mechanism for validating that users are authorized to gain access to the system. Password parameters meet company and/or industry standards (e.g. password minimum length and complexity, expiration, account lockout).
Obtain evidence of authentication and security configurations to evaluate if they are implemented consistent with the control design.
C. User access is periodically reviewed
D. Privileged level access is authorized and appropriately restricted.
Control Description of (LA2)- Passwords
B. Access is authenticated through unique user IDs and passwords or other methods as a mechanism for validating that users are authorized to gain access to the system. Password parameters meet company and/or industry standards (e.g. password minimum length and complexity, expiration, account lockout).
Obtain evidence of authentication and security configurations to evaluate if they are implemented consistent with the control design.
What is the Risk of Control (RAIT) of (LA2)- Passwords?
A. Production systems, programs, and/or job results in inaccurate, incomplete, or unauthorized processing of data
B. Users have access privileges beyond those necessary to perform their assigned duties, which may create improper segregation of duties.
C. Data conversion from legacy systems introduces errors
D. Systems are not adequately configured or updated to restrict system access to properly authorized and appropriate users.
Risk of Control (RAIT) of (LA2)- Passwords
D. Systems are not adequately configured or updated to restrict system access to properly authorized and appropriate users.
REASONING: Password controls mitigate the risks associated with unauthorized access, data breaches, insider threats, data integrity issues, compliance violations, and reputation damage. By evaluating password policies, enforcement mechanisms, and access controls, auditors help ensure that organizations maintain a secure and compliant IT environment.
What is the Risk of Control (RAIT) of (MC1)- Application Change Management?
A. Production systems, programs, and/or job results in inaccurate, incomplete, or unauthorized processing of data
B. Users have access privileges beyond those necessary to perform their assigned duties, which may create improper segregation of duties.
C. Inappropriate changes are made to application systems or programs that contain relevant automated controls (i.e. configurable settings, automated algorithms, automated calculations, and automated data extractions), and/or report logic
D. Systems are not adequately configured or updated to restrict system access to properly authorized and appropriate users.
Risk of Control (RAIT) of (MC1)- Application Change Management
C. Inappropriate changes are made to application systems or programs that contain relevant automated controls (i.e. configurable settings, automated algorithms, automated calculations, and automated data extractions), and/or report logic
REASONING: Application change management controls help safeguard data integrity, operational continuity, and regulatory compliance within the organization.
What is the Risk of Control (RAIT) of (OP2)- Job Scheduler Access?
A. Production systems, programs, and/or job results in inaccurate, incomplete, or unauthorized processing of data
B. Production systems, programs, and/or jobs result in inaccurate, incomplete, or unauthorized processing of data.
C. Inappropriate changes are made to application systems or programs that contain relevant automated controls (i.e. configurable settings, automated algorithms, automated calculations, and automated data extractions), and/or report logic
D. Systems are not adequately configured or updated to restrict system access to properly authorized and appropriate users.
Risk of Control (RAIT) of (OP2)- Job Scheduler Access
B. Production systems, programs, and/or jobs result in inaccurate, incomplete, or unauthorized processing of data.
REASONING: Auditing job scheduler access involves verifying the effectiveness of monitoring mechanisms in controlling access, detecting anomalies, and ensuring the accurate and secure execution of scheduled jobs. It helps in safeguarding data integrity, regulatory compliance, and overall IT risk management within the organization.
What is the Risk of Control (RAIT) of (MC6)- Job Data Conversions?
A. Production systems, programs, and/or job results in inaccurate, incomplete, or unauthorized processing of data
B. Production systems, programs, and/or jobs result in inaccurate, incomplete, or unauthorized processing of data.
C. Data converted from legacy systems or previous versions introduces data errors if the conversion transfers incomplete, redundant, obsolete, or inaccurate data.
D. Systems are not adequately configured or updated to restrict system access to properly authorized and appropriate users.
Risk of Control (RAIT) of (MC6)- Job Data Conversions
C. Data converted from legacy systems or previous versions introduces data errors if the conversion transfers incomplete, redundant, obsolete, or inaccurate data.
REASONING: Auditing Job Data Conversions is essential for verifying the effectiveness of monitoring systems in ensuring the accuracy, completeness, and integrity of converted data. It helps in detecting and correcting errors promptly, thereby safeguarding business operations, data reliability, and regulatory compliance.
Question: What is the Control Description of (OP3)-Job Monitoring?
A) Ensuring all employees have access to necessary job resources.
B) Regularly updating software applications to the latest versions.
C) Checking the temperature of the server room to prevent overheating.
D) Critical systems, programs, and/or jobs are monitored, and processing errors are corrected to ensure successful completion.
Control Description of (OP3)-Job Monitoring
D) Critical systems, programs, and/or jobs are monitored, and processing errors are corrected to ensure successful completion.
REASONING: Job Monitoring in IT audit is essential for verifying the effectiveness of systems and processes in detecting, correcting, and preventing errors during data processing. It ensures the reliability, integrity, and continuity of critical operations within the organization, contributing to overall business resilience and compliance with regulatory requirements.
Question: What is the Control Description of (MC1)-Application Change Management?
A) Ensuring employees attend regular training sessions on new software updates.
B) Allowing any employee to make changes to applications as needed.
C) Application changes are appropriately tested and approved before being moved into the production environment.
D) Keeping a log of office supply purchases for inventory tracking.
The Control Description of (MC1)-Application Change Management
C) Application changes are appropriately tested and approved before being moved into the production environment.
Reasoning: Change Management ensures that any changes made to the company’s software applications are properly vetted and verified before being implemented in the live environment, minimizing the risk of disruptions or errors that could impact operations.
What are risks for (MC1)-Application Change Management
A. Inappropriate Changes.
B. Improper Segregation of Duties
C. Data Integrity Compromise
D. All of the Above
D. All of the Above
Risks for (MC1)-Application Change Management
-Inappropriate changes
-improper segregation of duties
-data integrity compromise
What is the risk for Provisioning Accounts (LA4)?
A. Excessive access privileges
B. Improper segregation of duties
C. Insider threats
D. Compliance Violations
E. Data Loss or Theft
F. All the Above
G. Only A through C.
F. All the Above
Risks for Provisioning Accounts (LA4)
-Excessive access privileges
-Improper segregation of duties
-insider threats
-compliance violations
-data loss or theft
What is the risk for Passwords (LA2)?
A. Unauthorized access
B. Data Breaches
C. Insider Threats
D. Data Integrity Issues
E. Compliance Violations
F. Reputational Damage
G. All the Above
H. Only A, B, & E
G. All the Above
Risks for Passwords (LA2)
-Unauthorized access
-Data Breaches
-Insider Threats
-Data Integrity Issues
-Compliance Violations
-Reputational Damage
_________ an account that is used by multiple individuals to access systems or data
a. shared account
b. service account
a. shared account
Shared account: an account that is used by multiple individuals to access systems or data.
-WiFi
-Classrooms
-Computer Labs
-Additional shared applications that require profile-specific settings
are all examples of:
a. shared account
b. service account
a. shared account
Shared account examples include:
-WiFi
-Classrooms
-Computer Labs
-Additional shared applications
_______ an account that is used by an automated process and is NOT used in an interactive way by a user. Such an account is like a special user account for computers. It’s not for people to use directly, but rather for automated tasks or programs.
a. shared account
b. service account
b. service account
Service account: an account that is used by an automated process and is NOT used in an interactive way by a user.
A service account is like a special user account for computers. It’s not for people to use directly, but rather for automated tasks or programs. So, it’s like a behind-the-scenes worker that computers use to get things done automatically without needing input from a person.
Question: In cases of service accounts, where must the password be kept?
A) Written on a sticky note attached to the computer monitor.
B) Shared among team members through email for easy access.
C) Stored in a secure password vault with auditing capabilities.
D) Memorized by all employees for quick retrieval.
C) Stored in a secure password vault with auditing capabilities.
Examples of auditing capabilities:
-Character length: 12-32 characters
-Complexity requirements: (upper case, lower case, number, symbol)
-Password lifespan (less than 72 hours of termination)
Question: IPE stands for:
A) International Privacy Encryption
B) Internal Policy Enforcement
C) Information Processing Efficiency
D) Information Produced by Entity
D) Information Produced by Entity
IPE = Information Produced by Entity
Question: What are all the forms of audit evidence?
A) Customer feedback and satisfaction surveys
B) Financial statements and balance sheets
C) Risk Assessment Procedures, Tests of Operating Effectiveness of Relevant Controls, Substantive Procedures outside the scope of the chapter (Correct Answer)
D) Employee attendance records and time sheets
Forms of audit evidence
C) Risk Assessment Procedures, Tests of Operating Effectiveness of Relevant Controls, Substantive Procedures outside the scope of the chapter
Question: What makes up an IT Infrastructure?
A) Software, Hardware, and Firmware
B) CPU, RAM, and Hard Drive
C) Database, Operating System, and Network
D) Keyboard, Mouse, and Monitor
C) Database, Operating System, and Network
IT Infrastructure is made up of:
-Database
-OS
-Network
Question: What is an Application System?
A) A collection of computer hardware components
B) A set of instructions that tell the computer how to perform a specific task
C) A group of related applications designed to allow a user to store/retrieve data in a logical and meaningful manner and apply predefined business rules to that data
D) A network of interconnected computers and devices
C) A group of related applications designed to allow a user to store/retrieve data in a logical and meaningful manner and apply predefined business rules to that data
Examples: SAP, PeopleSoft, JD Edwards, Oracle, Hyperion
Question: SAP, PeopleSoft, JD Edwards, Oracle, and Hyperion are all examples of what form of technology element?
A) Operating Systems
B) Computer Hardware
C) Application Systems (Correct Answer)
D) Internet Browsers
C) Application Systems
An Application System - A group of related applications designed to allow a user to store/retrieve data in a logical and meaningful manner and apply predefined business rules to that data
Examples: SAP, PeopleSoft, JD Edwards, Oracle, Hyperion
What is the primary objective of IT audit?
A) Ensuring compliance with tax regulations
B) Evaluating the effectiveness of IT controls
C) Optimizing network performance
D) Conducting market research
B) Evaluating the effectiveness of IT controls
REASONING: The primary objective of IT audit is to assess the effectiveness of controls implemented within the IT environment to ensure that they are operating as intended and mitigating risks appropriately.
What is the purpose of risk assessment in IT audit?
A) Identifying vulnerabilities in software
B) Assessing the potential impact of security breaches
C) Estimating the budget for IT projects
D) Evaluating employee productivity
B) Assessing the potential impact of security breaches
REASONING: Risk assessment in IT audit involves identifying and evaluating potential threats and vulnerabilities to assess their potential impact on the organization’s information assets and operations.
Which of the following is an example of a general IT control?
A) Patch management
B) Employee training
C) Data encryption
D) Customer support
A) Patch management
REASONING: Patch management is an example of a general IT control that involves managing and applying updates to software systems to address known vulnerabilities and improve security.
What does the acronym “COSO” stand for in the context of IT audit?
A) Committee of Security Officers
B) Control Objectives for Information and Related Technologies
C) Committee of Sensitive Operations
D) Committee of Sponsoring Organizations of the Treadway Commission
D) Committee of Sponsoring Organizations of the Treadway Commission
Committee of Sponsoring Organizations of the Treadway Commission (COSO): COSO is a framework commonly referenced in IT audit that provides guidance on internal control, risk management, and governance.
In IT audit, what does the term “SOC” refer to?
A) System on Chip
B) Service Oriented Computing
C) Service Organization Control
D) System Operation Center
C) Service Organization Control
SOC reports are commonly used in IT audit to assess the effectiveness of controls at service organizations, particularly those that provide services relevant to financial reporting.
What is the purpose of segregation of duties in IT audit?
A) Reducing the risk of errors and fraud
B) Increasing employee collaboration
C) Enhancing system performance
D) Streamlining business processes
A) Reducing the risk of errors and fraud
Segregation of duties is a fundamental control principle aimed at reducing the risk of errors and fraud by separating key duties and responsibilities among different individuals.
Which of the following is NOT a phase of the IT audit process?
A) Planning
B) Execution
C) Monitoring
D) Reporting
C) Monitoring
Monitoring: Monitoring is a phase of the IT audit process where ongoing activities are observed and assessed to ensure that controls remain effective and operational.
What is the main objective of testing controls in IT audit?
A) Identifying vulnerabilities
B) Ensuring compliance with regulations
C) Evaluating the effectiveness of controls
D) Generating revenue for the organization
C) Evaluating the effectiveness of controls
Testing controls in IT audit involves assessing whether controls are operating effectively to mitigate risks and achieve desired outcomes.
Which of the following is an example of an IT governance framework?
A) ISO/IEC 27001
B) Windows Firewall
C) Microsoft Office Suite
D) Apache Web Server
A) ISO/IEC 27001
ISO/IEC 27001: ISO/IEC 27001 is a widely recognized standard for information security management systems, often used as a framework for implementing and auditing information security controls.
What is the purpose of a vulnerability assessment in IT audit?
A) Evaluating employee performance
B) Identifying weaknesses in IT systems
C) Assessing customer satisfaction
D) Calculating network bandwidth
B) Identifying weaknesses in IT systems
Vulnerability assessment is a process used in IT audit to identify weaknesses and vulnerabilities in IT systems that could be exploited by attackers.
What does the term “penetration testing” refer to in IT audit?
A) Assessing the market penetration of IT products
B) Testing the strength of physical barriers
C) Evaluating the security of IT systems by simulating cyberattacks
D) Analyzing the performance of computer processors
C) Evaluating the security of IT systems by simulating cyberattacks
Penetration testing involves simulating cyberattacks against IT systems to identify vulnerabilities and assess their security posture.
Which of the following is NOT an example of a control objective in IT audit?
A) Confidentiality
B) Availability
C) Reliability
D) Profitability
D) Profitability
Profitability: Control objectives in IT audit typically focus on ensuring the confidentiality, integrity, and availability of information assets, rather than profitability.
What is the purpose of an IT audit report?
A) Providing recommendations for improvement
B) Advertising IT products
C) Analyzing market trends
D) Promoting employee morale
A) Providing recommendations for improvement
REASONING: Providing recommendations for improvement: IT audit reports typically include findings and recommendations for improving controls and addressing identified risks.
What is the primary focus of an IT audit of financial systems?
A) Evaluating the efficiency of IT helpdesk services
B) Ensuring compliance with tax regulations
C) Assessing the accuracy and reliability of financial data
D) Testing network security protocols
C) Assessing the accuracy and reliability of financial data
REASONING:
IT audit of financial systems focuses on evaluating controls related to financial reporting processes to ensure the accuracy and reliability of financial data.
Which of the following is NOT a type of IT audit?
A) Compliance audit
B) Operational audit
C) Performance audit
D) Marketing audit
D) Marketing audit
What is the purpose of continuous monitoring in IT audit?
A) Generating quarterly financial reports
B) Identifying and addressing IT risks in real-time
C) Conducting employee performance evaluations
D) Upgrading software applications annually
B) Identifying and addressing IT risks in real-time
Continuous monitoring in IT audit involves ongoing surveillance of IT systems and processes to detect and respond to IT risks and security incidents in real-time.
Which of the following is an example of an IT control?
A) Employee dress code policy
B) Corporate social responsibility initiatives
C) Password complexity requirements
D) Marketing campaign strategy
C) Password complexity requirements
Password complexity requirements are an example of an IT control aimed at ensuring the security of user accounts and preventing unauthorized access.
What is the purpose of an IT audit program?
A) Installing antivirus software
B) Monitoring employee internet usage
C) Providing guidelines for conducting IT audits
D) Developing software applications
C) Providing guidelines for conducting IT audits
An IT audit program provides guidance and instructions for planning, executing, and reporting on IT audit activities.
What is the primary goal of IT risk management?
A) Eliminating all IT risks
B) Reducing the impact of IT risks on business objectives
C) Increasing IT complexity
D) Ignoring IT risks
B) Reducing the impact of IT risks on business objectives
The primary goal of IT risk management is to identify, assess, and mitigate IT-related risks to minimize their impact on business objectives.
What is the purpose of user access reviews in IT audit?
A) Ensuring compliance with environmental regulations
B) Reviewing employee performance
C) Evaluating the effectiveness of marketing campaigns
D) Assessing the appropriateness of user access rights
D) Assessing the appropriateness of user access rights
User access reviews are conducted in IT audit to confirm that user access rights are appropriate for each user’s job function and comply with organizational policies and regulatory requirements; they have nothing to do with environmental regulations.
What is the purpose of a disaster recovery plan in IT audit?
A) Enhancing customer service
B) Minimizing the impact of disruptive events on IT operations
C) Increasing corporate profits
D) Optimizing network bandwidth
B) Minimizing the impact of disruptive events on IT operations
A disaster recovery plan is specifically designed to minimize the impact of disruptive events, such as natural disasters, cyberattacks, or equipment failures, on IT operations. By outlining procedures for restoring critical systems and services, it helps ensure business continuity and reduces downtime during such events.
What is the purpose of IT controls testing in IT audit?
A) Evaluating employee satisfaction
B) Assessing the effectiveness of IT controls
C) Generating revenue for the organization
D) Increasing employee turnover
B) Assessing the effectiveness of IT controls
The primary purpose of IT controls testing in IT audit is to assess the effectiveness of existing controls in mitigating IT-related risks and achieving business objectives. By conducting tests such as walkthroughs, inquiries, and substantive testing, auditors evaluate whether controls are operating as intended and providing the desired level of assurance over IT processes and systems.
What is the primary objective of incident response in IT audit?
A) Monitoring employee attendance
B) Restoring IT services after disruptions
C) Conducting employee performance evaluations
D) Analyzing customer feedback
B) Restoring IT services after disruptions
Incident response in IT audit focuses on promptly detecting, responding to, and recovering from cybersecurity incidents, IT disruptions, or breaches to minimize their impact on business operations and data integrity. The primary objective is to restore IT services to normal operations as quickly as possible, thereby reducing downtime, financial losses, and reputational damage associated with incidents.
Which of the following is an example of an IT audit standard?
A) International Organization for Standardization (ISO) 9001
B) Generally Accepted Accounting Principles (GAAP)
C) Information Systems Audit and Control Association (ISACA) COBIT
D) American Institute of Certified Public Accountants (AICPA) Code of Professional Conduct
C) Information Systems Audit and Control Association (ISACA) COBIT
ISACA’s COBIT (Control Objectives for Information and Related Technologies) is a globally recognized framework for governing and managing enterprise IT that auditors use as a reference standard. COBIT provides principles, processes, and guidance for aligning IT with business objectives, managing IT-related risk, and meeting regulatory and standards requirements, and it supports IT auditors in assessing the effectiveness of IT governance, control, and assurance processes.
What IT Audit Framework deals with Cybersecurity standards?
A) ISO/IEC 27001
B) COBIT (Control Objectives for Information and Related Technology)
C) HIPAA (Health Insurance Portability and Accountability Act)
D) NIST (National Institute of Standards and Technology) Cybersecurity Framework (Correct Answer)
D) NIST (National Institute of Standards and Technology) Cybersecurity Framework
Which of the following is a data protection regulation that an IT audit tests compliance against?
A) ISO/IEC 27001
B) HIPAA (Health Insurance Portability and Accountability Act)
C) COBIT (Control Objectives for Information and Related Technology)
D) General Data Protection Regulation (GDPR) (Correct Answer)
D) General Data Protection Regulation (GDPR)
What framework is used to integrate internal controls into business processes, for example internal control over financial reporting under Section 404 of the Sarbanes-Oxley Act (SOX)?
A) PCI DSS (Payment Card Industry Data Security Standard)
B) HIPAA (Health Insurance Portability and Accountability Act)
C) COSO Framework
D) GDPR (General Data Protection Regulation)
C) COSO Framework
Question: Which objective of COSO deals with the effectiveness and efficiency of business operations?
A) COSO Objective 2 - Reporting
B) COSO Objective 3 - Compliance
C) COSO Objective 1 - Operation (Correct Answer)
D) COSO Objective 4 - Strategy and Objective Setting
C) COSO Objective 1 - Operation
Question: Which objective of COSO deals with reliable financial and non-financial reporting?
A) COSO Objective 1 - Operation
B) COSO Objective 3 - Compliance
C) COSO Objective 2 - Reporting (Correct Answer)
D) COSO Objective 4 - Strategy and Objective Setting
C) COSO Objective 2 - Reporting
Question: Which objective of COSO deals with compliance with laws and regulations and industry standards?
A) COSO Objective 1 - Operation
B) COSO Objective 2 - Reporting
C) COSO Objective 3 - Compliance (Correct Answer)
D) COSO Objective 4 - Strategy and Objective Setting
C) COSO Objective 3 - Compliance
Question: Which component of COSO provides the foundation for internal control (integrity and ethical values, board oversight, organizational structure, and how management assigns authority and responsibility)?
A) COSO Component 2 - Risk Assessment
B) COSO Component 3 - Control Activities
C) COSO Component 1 - Control Environment (Correct Answer)
D) COSO Component 4 - Information and Communication
C) COSO Component 1 - Control Environment
Question: Which component of COSO deals with the adoption of risk management plans?
A) COSO Component 1 - Control Environment
B) COSO Component 3 - Control Activities
C) COSO Component 2 - Risk Assessment
D) COSO Component 4 - Information and Communication
C) COSO Component 2 - Risk Assessment
Question: What component of COSO consists of the actions established through policies and procedures (approvals, reconciliations, reviews, segregation of duties) that help ensure management’s directives to mitigate risk are carried out?
A) COSO Component 1 - Control Environment
B) COSO Component 2 - Risk Assessment
C) COSO Component 3 - Control Activities
D) COSO Component 4 - Information and Communication
C) COSO Component 3 - Control Activities (Correct Answer)
Control Activities: the policies and procedures that carry out management’s directives. Whether controls are present and functioning over a period of time is evaluated by COSO’s fifth component, Monitoring Activities, not by Control Activities.
What component of COSO involves communicating expectations to internal and external users? In other words, how does management communicate internally and with external parties?
A) COSO Component 1 - Control Environment
B) COSO Component 2 - Risk Assessment
C) COSO Component 3 - Control Activities
D) COSO Component 4 - Information & Communication
D) COSO Component 4 - Information & Communication (Correct Answer)
Question: What framework system is used to design and implement a secure IT infrastructure related to business management and governance (This framework is a mixture of frameworks, resources, and standards)?
A) ISO/IEC 27001
B) HIPAA (Health Insurance Portability and Accountability Act)
C) COSO (Committee of Sponsoring Organizations of the Treadway Commission)
D) COBIT Framework (Correct Answer)
Which COBIT Framework 5 Key Principle advocates for separating governance implementation and management in your organization?
A) Meeting Stakeholder Needs
B) Covering the Enterprise End-to-End
C) Apply a Single Integrated Framework
D) Separating Governance from Management
D) Separating Governance from Management
Which COBIT 5 Key Principle emphasizes that governance and management depend on a set of interacting enablers (processes, organizational structures, culture, information, infrastructure, and people) that must be considered together rather than in isolation?
A) Meeting Stakeholder Needs
B) Covering the Enterprise End-to-End
C) Apply a Single Integrated Framework
D) Enabling a Holistic Approach
D) Enabling a Holistic Approach
Which COBIT 5 Key Principle focuses on aligning with and integrating other relevant standards and frameworks such as COSO, ITIL, and ISO/IEC 27001, and regulations such as GDPR?
A) Meeting Stakeholder Needs
B) Covering the Enterprise End-to-End
C) Apply a Single Integrated Framework
D) Enabling a Holistic Approach
C) Apply a Single Integrated Framework
Question: What framework ensures that an organization’s IT system enhances and strengthens internal controls?
A) ISO/IEC 27001
B) HIPAA (Health Insurance Portability and Accountability Act)
C) COSO (Committee of Sponsoring Organizations of the Treadway Commission)
D) COBIT Framework
D) COBIT Framework (Correct Answer)
Question: What framework provides fraud prevention through implementing effective internal controls and risk management?
A) ISO/IEC 27001
B) HIPAA (Health Insurance Portability and Accountability Act)
C) COSO Framework
D) COBIT (Control Objectives for Information and Related Technology) Framework
C) COSO Framework
Question: What type of engagement are SOC (System and Organization Controls, formerly Service Organization Control) reports?
A) Financial Audits
B) IT Audits
C) Operational Audits
D) Attestation Engagement
D) Attestation Engagement
Question: What type of audit evaluates process changes, procedures, pricing, resource allocation, and associated internal control activities to determine the impact on attaining organizational goals and objectives?
A) Financial Audit
B) IT Audit
C) Compliance Audit
D) Operational Audit
D) Operational Audit
Question: What type of audit ensures adherence to laws, regulations, internal and external policies, and terms of contracts?
A) Financial Audit
B) IT Audit
C) Operational Audit
D) Compliance Audit
D) Compliance Audit
Question: What type of audit examines information and transaction processing systems and how people use those systems?
A) Financial Audit
B) Compliance Audit
C) Operational Audit
D) Information Systems Audit
D) Information Systems Audit
Question: What type of audit identifies gaps in systems, internal controls, and processes before an external audit?
A) Financial Audit
B) Compliance Audit
C) Operational Audit
D) Audit Readiness
D) Audit Readiness
Question: What is a procedure or policy that provides reasonable assurance that an IT environment operates as intended, that data is reliable, and that the organization complies with applicable laws and regulations? Additionally, what is any action, policy, or procedure that helps mitigate risk?
A) Compliance Audit
B) Financial Audit
C) IT Control
D) Operational Audit
C) IT Control
Question: What type of control relates to the overall management of the information systems and processing environments?
A) Application Controls
B) Access Controls
C) IT General Controls
D) Security Controls
C) IT General Controls
Question: What type of control is embedded in a specific business application and applies to the transactions and data that the application processes?
A) IT General Controls
B) Access Controls
C) Security Controls
D) IT Application Controls (ITAC)
D) IT Application Controls (ITAC)
Question: What term refers to the examination of IT General and Application Controls of an organization’s IT infrastructure to determine if those controls are designed appropriately and operating effectively?
A) Financial Audit
B) Compliance Audit
C) Operational Audit
D) IT Audit
D) IT Audit
Question: What should be included in access controls (both logical and physical ITGC) for them to be designed appropriately and operating effectively?
A) Ensuring all employees attend cybersecurity training sessions
B) Allowing unrestricted physical access to IT resources
C) Utilizing weak password parameters that are non-compliant with policies and best practices
D) Access provisioning and de-provisioning, restricting physical access to IT resources, monitoring logical access processes, ensuring password parameters are appropriate and compliant, determining if user access is authorized and appropriately established, and segregating incompatible duties within the access control environment
D) Access provisioning and de-provisioning, restricting physical access to IT resources, monitoring logical access processes, ensuring password parameters are appropriate and compliant, determining if user access is authorized and appropriately established, and segregating incompatible duties within the access control environment
Question: What should be included in Change Management- ITGC for the control to be designed appropriately and operating effectively?
A) All employees having unrestricted access to make changes
B) Skipping the testing and approval process for changes before deployment to the production environment
C) Ignoring vulnerability scans and not assessing vulnerabilities for remediation
D) Ensure changes are appropriately requested, authorized, tested and approved before deployment to production environment, and segregation of incompatible duties (SOD)
D) Ensure changes are appropriately requested, authorized, tested and approved before deployment to production environment, and segregation of incompatible duties (SOD)
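The change management attributes on this card (request, authorization, testing, approval before production migration, and segregation of duties) are what an auditor tests ticket by ticket. The script below is an added example, not from the flashcards or any tool: it runs those checks over a constructed sample of change tickets with hypothetical field names, so a real test would first map the ticketing tool’s export onto these fields.

```python
"""Change-management ITGC test over a change-ticket export.

Added example, not part of the flashcards. Each ticket in the sample is
checked for the attributes the card lists: a request, authorization and
test sign-off obtained before the production migration, and segregation
of duties between the developer and the person who migrated the change
(and between requester and approver). Field names and tickets are
constructed; a real test reads them from the ticketing tool's export.
"""
from datetime import date

# Constructed sample of change tickets (hypothetical field names).
TICKETS = [
    {"id": "CHG-101", "requested_by": "pm1", "approved_by": "cab",
     "approved_on": date(2024, 3, 1), "test_signoff_by": "qa1",
     "developer": "dev1", "deployed_by": "ops1", "deployed_on": date(2024, 3, 3)},
    {"id": "CHG-102", "requested_by": "pm1", "approved_by": "cab",
     "approved_on": date(2024, 3, 12), "test_signoff_by": "qa1",
     "developer": "dev1", "deployed_by": "ops1", "deployed_on": date(2024, 3, 10)},
    {"id": "CHG-103", "requested_by": "pm2", "approved_by": "cab",
     "approved_on": date(2024, 4, 2), "test_signoff_by": "qa2",
     "developer": "dev2", "deployed_by": "dev2", "deployed_on": date(2024, 4, 4)},
    {"id": "CHG-104", "requested_by": "dev3", "approved_by": "dev3",
     "approved_on": date(2024, 5, 6), "test_signoff_by": None,
     "developer": "dev3", "deployed_by": "ops1", "deployed_on": date(2024, 5, 7)},
]


def check_change(t):
    """Return the list of exceptions for one ticket (empty list = pass)."""
    findings = []
    if not t.get("requested_by"):
        findings.append("no change request")
    if not t.get("approved_by"):
        findings.append("no authorization")
    elif t["approved_on"] > t["deployed_on"]:
        # An approval dated after the migration is not a pre-deployment approval.
        findings.append("approved after production migration")
    if not t.get("test_signoff_by"):
        findings.append("no UAT/QA sign-off")
    if t.get("developer") and t["developer"] == t.get("deployed_by"):
        findings.append("SOD: developer migrated own change")
    if t.get("requested_by") and t["requested_by"] == t.get("approved_by"):
        findings.append("SOD: requester approved own change")
    return findings


def check_population(tickets):
    """Map ticket id -> exceptions for the whole sample."""
    return {t["id"]: check_change(t) for t in tickets}


def conclusion(results):
    """Card's outcomes: no exceptions means the control operates effectively."""
    return ("operating effectively" if not any(results.values())
            else "not operating effectively")


if __name__ == "__main__":
    results = check_population(TICKETS)
    for ticket_id, findings in results.items():
        print(ticket_id, findings or "pass")
    print(conclusion(results))
```

One exception in the sample is enough for a "not operating effectively" conclusion; the auditor would then expand the sample or raise a finding, depending on the audit program.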
Question: What is the main objective of Data Backups and Recovery Control?
A) Ensuring that information systems are always available
B) Storing backups in an easily accessible location
C) Only focusing on creating backups without considering recovery
D) Ensuring availability of information systems and testing the business’s ability to recover from backup data
D) Ensuring availability of information systems and testing the business’s ability to recover from backup data
Question: What should be included in Data Backups and Recovery- ITGC for the control to be designed appropriately and operating effectively?
A) Allowing unapproved and untested changes to be deployed
B) Not having a disaster recovery plan in place
C) Ignoring production errors and not resolving them
D) Ensuring data is appropriately backed up, having a disaster recovery plan, identifying and resolving production errors, and deploying only approved and tested changes
D) Ensuring data is appropriately backed up, having a disaster recovery plan, identifying and resolving production errors, and deploying only approved and tested changes
Question: What should be included in System Development Life Cycle (SDLC)- ITGC for the control to be designed appropriately and operating effectively?
A) Skipping the documentation of changes to systems
B) Allowing changes to systems without authorization or documentation
C) Ignoring testing and approval of changes before deployment to the production environment
D) Ensuring changes to systems are requested and documented, authorized and documented, tested and approved before deployment to the production environment, and monitoring and resolving issues encountered during program development
D) Ensuring changes to systems are requested and documented, authorized and documented, tested and approved before deployment to the production environment, and monitoring and resolving issues encountered during program development
Question: What is the main objective of System Development Life Cycle (SDLC)?
A) Speed up the development process regardless of quality
B) Ensure the development of new systems leads to data corruption
C) Prevent any changes to existing systems
D) Ensure development of new systems does not lead to data corruption
D) Ensure development of new systems does not lead to data corruption
Question: What type of IT Application Control (ITAC) validates information entered into a system?
A) Output Controls
B) Process Controls
C) Batch Controls
D) Input Controls
D) Input Controls
Question: What type of IT Application Control (ITAC) verifies information transmitted within the system?
A) Input Controls
B) Output Controls
C) Batch Controls
D) Processing Controls
D) Processing Controls
Question: What type of IT Application Control (ITAC) validates information being sent out of the system?
A) Input Controls
B) Processing Controls
C) Batch Controls
D) Output Controls
D) Output Controls
Question: What are examples of “Input Control - Check for Data Accuracy and Completeness”?
A) Ensuring all employees attend cybersecurity training sessions
B) Skipping the testing and approval process for changes before deployment to the production environment
C) Ignoring vulnerability scans and not assessing vulnerabilities for remediation
D) Data input authorization, data conversion, data editing, error handling (Correct Answer)
D) Data input authorization, data conversion, data editing, error handling
Question: In Input Controls- IT Application Control (ITAC), what do we check for?
A) Ensuring data is encrypted during transmission
B) Checking for outdated software versions
C) Verifying the authenticity of information entered into the system
D) Checking for data accuracy and completeness
D) Checking for data accuracy and completeness
Question: In Processing Controls- IT Application Control (ITAC), what do we check for?
A) Ensuring all employees attend cybersecurity training sessions
B) Ignoring the validation of data during processing
C) Verifying the authenticity of information entered into the system
D) Checking for data accuracy and completeness, and ensuring rules for processing data are followed
D) Checking for data accuracy and completeness, and ensuring rules for processing data are followed
Question: In Output Controls- IT Application Control (ITAC), what do we check for?
A) Ignoring the validation of data during processing
B) Ensuring data is encrypted during transmission
C) Verifying the authenticity of information entered into the system
D) Checking for data accuracy and completeness, and ensuring access authorization
D) Checking for data accuracy and completeness, and ensuring access authorization (Correct Answer)
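Input controls (data editing and error handling) and processing controls (batch control totals) are easiest to see running over a batch of records. The block below is an added example, not from the flashcards: the record layout, limits and sample records are constructed. Input edit checks reject bad records to a suspense list; a record count, an amount total and a hash total of account numbers are computed on the accepted input and re-checked after the posting step, so a record dropped or altered during processing is detected.

```python
"""Input and processing application controls over a constructed batch.

Added example, not part of the flashcards. Input controls: edit checks on
each record (completeness, format, valid code, amount range). Processing
controls: batch control totals (record count, amount total, hash total of
account numbers) computed on the accepted input and re-checked after the
posting step. Record layout, limits and sample records are constructed.
"""
import re
from decimal import Decimal, InvalidOperation

VALID_TX_TYPES = {"DR", "CR"}          # assumption: debit / credit only
MAX_AMOUNT = Decimal("100000.00")      # assumption: single-transaction limit

RECORDS = [  # constructed input batch
    {"id": 1, "account": "12345678", "tx_type": "DR", "amount": "250.00", "date": "2024-03-01"},
    {"id": 2, "account": "87654321", "tx_type": "CR", "amount": "250.00", "date": "2024-03-01"},
    {"id": 3, "account": "1234567", "tx_type": "XX", "amount": "10.00", "date": "2024-03-02"},
    {"id": 4, "account": "11112222", "tx_type": "DR", "amount": "abc", "date": "2024-03-02"},
    {"id": 5, "account": "33334444", "tx_type": "CR", "amount": "99.50", "date": "03/02/2024"},
    {"id": 6, "account": "55556666", "tx_type": "DR", "amount": "500000.00", "date": "2024-03-03"},
]


def edit_check(rec):
    """Input control: return the edit failures for one record."""
    errors = []
    for field in ("account", "tx_type", "amount", "date"):
        if not rec.get(field):
            errors.append(f"missing {field}")
    if rec.get("account") and not re.fullmatch(r"\d{8}", rec["account"]):
        errors.append("account must be 8 digits")
    if rec.get("tx_type") and rec["tx_type"] not in VALID_TX_TYPES:
        errors.append("invalid transaction type")
    try:
        amount = Decimal(rec.get("amount") or "")
        if amount <= 0 or amount > MAX_AMOUNT:
            errors.append("amount out of range")
    except InvalidOperation:
        errors.append("amount not numeric")
    if rec.get("date") and not re.fullmatch(r"\d{4}-\d{2}-\d{2}", rec["date"]):
        errors.append("date not YYYY-MM-DD")
    return errors


def batch_totals(records):
    """Processing control: control totals that posting must leave unchanged."""
    return {
        "count": len(records),
        "amount": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        # Hash total: the sum of account numbers has no business meaning but
        # changes if any record is dropped, duplicated or altered.
        "hash": sum(int(r["account"]) for r in records),
    }


def post(records):
    """Simulated correct posting step: every accepted record is posted."""
    return [dict(r, posted=True) for r in records]


def process_batch(records, posting=post):
    """Run edit checks, post the accepted records, then verify control totals."""
    accepted, rejected = [], {}
    for rec in records:
        errors = edit_check(rec)
        if errors:
            rejected[rec["id"]] = errors   # error handling: goes to a suspense report
        else:
            accepted.append(rec)
    expected = batch_totals(accepted)
    actual = batch_totals(posting(accepted))
    return {"accepted": [r["id"] for r in accepted], "rejected": rejected,
            "totals_match": expected == actual}


if __name__ == "__main__":
    print(process_batch(RECORDS))
    # A faulty posting step that drops the first record is caught by the totals.
    print(process_batch(RECORDS, posting=lambda recs: recs[1:])["totals_match"])
```

The `posting` parameter exists only so the processing control can be shown catching a defective step; in a real application the totals are compared against what the downstream system reports having posted.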
Question: What is the 4th Step of the IT Audit Process?
A) Implementing controls
B) Reviewing previous audit reports
C) Reporting findings
D) Follow-Up
D) Follow-Up
Question: What is the 3rd Step of the IT Audit Process?
A) Planning
B) Fieldwork
C) Implementing controls
D) Reporting
D) Reporting
Question: What is the 2nd Step of the IT Audit Process?
A) Analyzing findings
B) Reporting results
C) Reviewing previous audit reports
D) Fieldwork
D) Fieldwork
Question: What is the 1st Step of the IT Audit Process?
A) Implementing controls
B) Reviewing previous audit reports
C) Ignoring risk assessment
D) Planning
D) Planning
Question: Which IT Audit Process stage deals with the Notification, the Request for Information, and the Kick-off Meeting?
A) Planning
B) Fieldwork
C) Reporting
D) Follow-Up
A) Planning
Question: What IT Audit Process deals with Walkthroughs, Test of Design, Test of Operating Effectiveness, and Status of Meetings / Issues?
A) Planning
B) Fieldwork
C) Reporting
D) Follow-Up
B) Fieldwork
Question: What IT Audit Process deals with Draft Report, Management Response, Closing Meeting, and Report Distribution?
A) Planning
B) Fieldwork
C) Reporting
D) Follow-Up
C) Reporting
Question: What IT Audit Process deals with determining the audit objective, scope, risk consideration, and evidence to be collected?
A) Fieldwork
B) Reporting
C) Follow-Up
D) Planning
D) Planning
Question: In the Planning Stage, what does the Objective ask, and what should the auditor consider?
A) Ensuring all employees attend cybersecurity training sessions
B) Reviewing previous audit reports
C) Identifying why we are conducting this review, considering Compliance with Policies, Achievement of Goals, Reliability of Data or Documents, Efficient Use of Resources, and Safeguarding of Assets
D) Conducting a risk assessment
C) Identifying why we are conducting this review, considering Compliance with Policies, Achievement of Goals, Reliability of Data or Documents, Efficient Use of Resources, and Safeguarding of Assets
Question: What does a server do?
A) Stores physical documents
B) Sends emails to clients
C) Manages data processing and serves files to clients
D) Controls network security measures
C) Manages data processing and serves files to clients
Question: What are the 3 types of ITAC (I.T. App Control)?
A) Data backups, password protection, and encryption
B) Firewalls, antivirus software, and intrusion detection systems
C) Input Controls, Process Controls, and Output Controls
D) User training, policy development, and incident response plans
E) All of the above
C) Input Controls, Process Controls, and Output Controls
3 Types of ITAC (IT Application Controls)
1. Input Control
2. Process Control
3. Output Controls
Question: What are the 4 types of ITGC (IT General Controls)?
A) Email security, network monitoring, software updates, and data backups
B) User training, incident response, encryption, and firewalls
C) Access, Change Management, IT Operations, SDLC
D) Compliance audits, risk assessments, financial audits, and internal controls testing
E) All of the above
C) Access, Change Management, IT Operations, SDLC (Correct Answer)
4 Types of ITGC
1. Access
2. Change Management
3. IT Operations
4. SDLC
Question: What are the 3 types of Generic ID / Privilege Accounts?
A) User accounts, guest accounts, and service accounts
B) System Configuration, Application Configuration, and Administrator Actions
C) Database accounts, email accounts, and social media accounts
D) Standard accounts, privileged accounts, and guest accounts
E) All of the above
B) System Configuration, Application Configuration, and Administrator Actions
3 Types of Generic ID Privilege Accounts
1. System Configuration
2. Application Configuration
3. Administrator Actions
Question: What are the 3 Main Functions of SOD?
A) User access, network security, and data encryption
B) System Configuration, Application Configuration, and Administrator Actions
C) Having Custody of Assets, Authorize the Use of Assets, and Recordkeeping of Assets
D) Compliance audits, risk assessments, and internal controls testing
E) All of the above
C) Having Custody of Assets, Authorize the Use of Assets, and Recordkeeping of Assets
3 Functions of SOD
1. Having Custody of Asset
2. Authorize the Use of Assets
3. Recordkeeping of Assets
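The three SOD functions on this card become testable once each application role is mapped to the function it confers. The script below is an added example, not from the flashcards or any product: the role names, the role-to-function mapping and the user assignments are constructed. It flags every user whose roles confer two or more of custody, authorization and record-keeping, names the roles behind each conflict, and separately reports roles missing from the mapping, since an unmapped role is an untested role.

```python
"""Segregation-of-duties (SOD) check over application role assignments.

Added example, not part of the flashcards. The three SOD functions on the
card (custody of assets, authorizing their use, record-keeping) are mapped
to application roles; a user holding roles that confer two or more of the
functions is flagged. Role names, users, assignments and the mapping are
constructed sample data.
"""
from itertools import combinations

# Assumption: each role of a hypothetical finance application confers at
# most one SOD function; roles mapped to None are not SOD-relevant.
ROLE_FUNCTION = {
    "AP_CLERK": "custody",        # can release vendor payments
    "AP_APPROVER": "authorize",   # approves invoices for payment
    "GL_ACCOUNTANT": "record",    # posts journal entries
    "VENDOR_ADMIN": "record",     # maintains the vendor master file
    "READ_ONLY": None,            # reporting access only
}

# Constructed sample: user -> roles, as exported from the application.
ASSIGNMENTS = {
    "alice": ["AP_CLERK", "READ_ONLY"],
    "bob": ["AP_APPROVER", "GL_ACCOUNTANT"],
    "carol": ["AP_CLERK", "AP_APPROVER", "VENDOR_ADMIN"],
    "dave": ["READ_ONLY"],
    "erin": ["LEGACY_ROLE"],      # role missing from the mapping
}


def functions_held(roles):
    """SOD functions conferred by a list of roles (unmapped roles ignored)."""
    return {ROLE_FUNCTION[r] for r in roles if ROLE_FUNCTION.get(r)}


def unmapped_roles(assignments):
    """Roles in the export that the mapping does not cover: a finding in
    its own right, because an unmapped role has not been tested."""
    return sorted({r for roles in assignments.values() for r in roles
                   if r not in ROLE_FUNCTION})


def sod_conflicts(assignments):
    """Return {user: [(function_a, function_b), ...]} for every user whose
    roles confer more than one of custody / authorize / record."""
    findings = {}
    for user, roles in assignments.items():
        held = sorted(functions_held(roles))
        if len(held) > 1:
            findings[user] = list(combinations(held, 2))
    return findings


def conflicting_roles(user, assignments):
    """For a flagged user, the roles behind each function, so the finding
    can say which role to remove. Empty dict if the user has no conflict."""
    by_function = {}
    for role in assignments[user]:
        func = ROLE_FUNCTION.get(role)
        if func:
            by_function.setdefault(func, []).append(role)
    return by_function if len(by_function) > 1 else {}


if __name__ == "__main__":
    for user, pairs in sod_conflicts(ASSIGNMENTS).items():
        print(user, pairs, conflicting_roles(user, ASSIGNMENTS))
    print("unmapped roles:", unmapped_roles(ASSIGNMENTS))
```

A conflict is reported per pair of functions rather than per user so that a user holding all three (carol above) produces three findings, each tied to the roles that would have to be split between two people.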
Question: Which Report deals with Internal Control over Financial Reporting (ICFR)?
A) SOC 1 (Correct Answer)
B) SOC 2
C) SOC 3
D) ISO 27001
E) All of the above
A) SOC 1
SOC 1: Internal Control over Financial Reporting (ICFR)
Question: Which restricted-use report covers the Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy) in detail, for customers and their auditors?
A) SOC 2 (Correct Answer)
B) SOC 1
C) SOC 3
D) ISO 27001
E) All of the above
A) SOC 2
SOC 2: detailed, restricted-use report on the Trust Services Criteria
Question: Which general-use (public) report summarizes the SOC 2 opinion on the Trust Services Criteria without the detailed test results?
A) SOC 3 (Correct Answer)
B) SOC 1
C) SOC 2
D) ISO 27001
E) All of the above
A) SOC 3
SOC 3: general-use summary report, suitable for public distribution
Question: Which SOC Report Type deals with Suitability & Effectiveness of Controls?
A) Type 2
B) Type 1
C) Type 3
D) SOC 3
E) All of the above
A) Type 2
SOC Report Type 2: suitability of control design and operating effectiveness over a period (a Type 1 report covers design at a point in time)
Question: Which are the 4 Sections of the SOC Report?
A) Period
B) Management’s Assertion
C) Description of Systems
D) Testing of Controls
E) All of the above
E) All of the above
4 Sections of SOC
1. Period
2. Management’s Assertion
3. Description of Systems
4. Testing of Controls
Question: Which Outcome is considered Passing?
A) No Control Gap
B) Control Design Appropriate
C) Control Operating Effectively
D) All of the above
D) All of the above (correct answer)
Outcome of Passing Controls
1. No Control Gap
2. Control Designed Appropriately
3. Control Operating Effectively
Question: Which outcome is considered failing?
A) Control Gap
B) Not Designed Appropriately
C) Not Operating Effectively
D) All of the above
D) All of the above
Outcome of Failing Control
- Control Gap
- Not Designed Appropriately
- Not Operating Effectively
Question: What is the process for User Access Authorization?
A) Step 1: New User Request Form
B) Step 2: Manager Approves
C) Step 3: IT Team grants access
D) All of the above
D) All of the above
User Process for Access Authorization
1. New User Request form
2. Manager Approves
3. IT Team grants access
Question: What is the process for Revoking Access?
A) Step 1: Manager Informs HR
B) Step 2: HR informs Tech Team
C) Step 3: IT Team removes Access
D) All of the above
D) All of the above
Revoking Access Process
1. Mgr. informs HR
2. HR informs Tech team
3. IT removes Access
Question: What do you do if Password Configuration Fails?
A) Contact the system owner to reset the configuration
B) Reset the configuration to the needed settings
C) Use a compensating control, such as having users sign in with their domain password
D) All of the above
D) All of the above
1. Contact the system owner to reset the configuration
2. Reset the configuration to the needed settings
3. Use a compensating control, such as having users sign in with their domain password
Question: What steps are included in the Planning of IT Audit Process?
A) Review prior audit workpapers
B) Select team members and assign responsibilities
C) Create the PBC (Prepared By Client) list, which shows what evidence the client still has to provide
D) Conduct Kick Off Meeting
E) Select the controls to be tested from the Control Matrix
F) Determine audit objective, scope, considerations, and evidence to be collected
G) All of Above
G) All of Above
1. Review prior audit workpapers
2. Select team members and assign responsibilities
3. Create the PBC (Prepared By Client) list, which shows what evidence the client still has to provide
4. Conduct Kick Off Meeting
5. Select the controls to be tested from the Control Matrix
6. Determine audit objective, scope, considerations, and evidence to be collected
Question: What steps are included in the Fieldwork stage of an IT Audit Process?
A) Schedule meetings with department personnel or head to discuss audit request
B) Conduct a walkthrough to understand the process/system
C) Test the design/controls
D) Test effectiveness of controls by selecting samples
E) Conduct status meetings with client or department (progress, delays, audit findings)
F) All of the Above
F) All of the Above
Fieldwork Process
- Schedule meetings with department personnel or head to discuss audit request
- Conduct a walkthrough to understand the process/system
- Test the design/controls
- Test effectiveness of controls by selecting samples
- Conduct status meetings with client or department (progress, delays, audit findings)
Question: What steps are included in the Reporting stage of an IT Audit Process?
A) Prepare draft report, include list of audit findings
B) Conduct exit meeting/exit memo
C) Request response from management
D) Distribute final audit report
E) All of the Above
E) All of the Above
Reporting Stage
1. Prepare draft report, include list of audit findings
2. Conduct exit meeting/exit memo
3. Request response from management
4. Distribute final audit report
Question: What steps are included in the Follow-Up stage of an IT Audit Process?
A) Determine if control weaknesses have been corrected
B) Obtain evidence, or Retest control
C) Close deficiency
D) All of the Above
D) All of the Above
Follow-Up Stage
- Determine if control weaknesses have been corrected
- Obtain evidence, or Retest control
- Close deficiency
Question: Which control weakness means “No Control in place”?
A) Control Gap
B) Control Breach
C) Control Failure
D) Control Void
A) Control Gap
Control Gap- No Control in Place
Question: Which control weakness means “Control not operating effectively”?
A) Control Gap
B) Control Breakdown
C) Control Failure
D) Control Effectiveness
D) Control Effectiveness
Control Effectiveness-Control not operating effectively
Question: Which term describes a control whose failure could have a material impact on the financial statements?
A) Key Control
B) Financial Liability
C) Non-Financial Impact
D) Audit Finding
A) Key Control
Material Impact on the Financial Statement
Question: Which term describes a control whose failure would have a non-material impact on the financial statements?
A) Non-Key Control
B) Financial Liability
C) Material Misstatement
D) Audit Finding
A) Non-Key Control
Non-Material Impact on the financial statement
Steps for Testing User Access Provisioning (these steps test access that was granted; revocation is tested against the termination list)
Step 1: Request the list of employees (new hires) within the audit period
Step 2: Select a sample from the population
Step 3: Sample size for a large population: 10% of the population or 25 items
Step 4: Obtain the access request for each sampled employee
Step 5: Verify employees were only granted access to systems / applications in line with their job function
Step 6: Verify that access granted by the system admin is in line with the approval
Question: How do you Test for IT-Ops, Backups?
A) Review employee training records
B) Analyze customer feedback surveys
C) Confirm Backups are done, Determine frequency of backups, Completeness and Accuracy of data, Production errors are identified and resolved
D) Monitor network bandwidth usage
How to Test for IT-Ops / Backups
C) Confirm Backups are done, Determine frequency of backups, Completeness and Accuracy of data, Production errors are identified and resolved
Question: How do you Test for SDLC?
A) Review employee training records
B) Conduct market research surveys
C) Inquire about the process of the SDLC, Obtain requests, obtain evidence of testing and approval before migration and obtain evidence that the new system has the appropriate controls, obtain issues encountered, and obtain signoff before going live.
D) Monitor network bandwidth usage
How do you Test for SDLC?
C) Inquire about the process of the SDLC, obtain requests, obtain evidence of testing and approval before migration, obtain evidence that the new system has the appropriate controls, obtain issues encountered, and obtain signoff before going live.
Question: How do you Test for Provisioning?
A) Review company financial statements
B) Conduct customer satisfaction surveys
C) Request list of employees within audit period, select sample from population, obtain access request evidence of samples, verify employee samples were only granted access to systems / applications in line with job functions, verify that access granted by system admin is in line with approval
D) Monitor server uptime statistics
How do you Test for Provisioning?
C) Request list of employees within audit period, select sample from population, obtain access request evidence of samples, verify employee samples were only granted access to systems / applications in line with job functions, verify that access granted by system admin is in line with approval
Question: How do you Test for Password Configuration?
A) Conduct interviews with company executives
B) Analyze customer feedback on the company website
C) Obtain screenshot of password configuration or password policy from system owner. Ensure that the password policy of the application meets the minimum requirement of the organization
D) Review employee attendance records
Test for Password Configuration
C) Obtain screenshot of password configuration or password policy from system owner. Ensure that the password policy of the application meets the minimum requirement of the organization
Question: How do you Test for Change Management?
A) Conduct interviews with department heads
B) Review the company’s financial statements
C) Obtain evidence of change request, obtain evidence of authorization and approval before changes are migrated into production, obtain evidence of testing (UAT / QA signoff), segregation of duties, approval of change and change to production
D) Review employee training records
How do you Test for Change Management?
C) Obtain evidence of change request, obtain evidence of authorization and approval before changes are migrated into production, obtain evidence of testing (UAT / QA signoff), segregation of duties, approval of change and change to production