Exam Questions Flashcards
One reason why IT auditing evolved from traditional auditing was that:
A. Auditors realized that computers had impacted their ability to perform the attestation function.
B. Computers and information processing were not a key resource.
C. Professional Associations such as AICPA and ISACA did not recognize the need.
D. Government did not recognize the need.
A. Auditors realized that computers had impacted their ability to perform the attestation function.
IT auditing may involve:
A. Organizational IT audits
B. Application IT audits
C. Development / implementation IT audits
D. All of the above.
D. All of the above
Breadth and depth of knowledge required to audit IT and systems are extensive and may include:
A. Application of risk-oriented audit approaches
B. Reporting to management and performing follow-up review to ensure action taken
C. Assessment of security and privacy issues that can put the organization at risk
D. All of the above
D. All of the above
COBIT stands for:
A. A computer language
B. A federal agency
C. Control Objective for Information and Related Technology
D. None of the above
C. Control Objective for Information and Related Technology.
ISACA stands for:
A. Information Systems Security Association
B. Institute of Internal Auditors.
C. Information Systems Audit and Control Association.
D. International Association for Computer Educators.
C. Information Systems Audit and Control Association
ISO is:
A. A government organization
B. A private company
C. International Organization for Standardization
D. None of the above
C. International Organization for Standardization
The federal government's plan for improving security on the Internet is called:
A. FIP 102 Computer Security and Accreditation
B. National Strategy for Securing Cyberspace
C. Computer Abuse Act of 1984
D. Privacy Act of 1974
B. National Strategy for Securing Cyberspace
Sarbanes-Oxley Act of 2002:
A. Does not affect the attestation function
B. Applies only to the Big Four accounting firms
C. Requires auditor rotation
D. Does not apply to small accounting / audit firms
C. Requires auditor rotation.
Which is the most recent federal law that addresses computer security or privacy?
A. Computer Fraud and Abuse Act
B. Computer Security Act
C. Homeland Security Act
D. Electronic Communications Privacy Act
C. Homeland Security Act.
Which act has a provision where punishment can be up to life in prison if electronic hackers are found guilty of causing death to others through their actions?
A. Computer Fraud and Abuse Act
B. Freedom of Information Act
C. Communications Decency Act
D. Homeland Security Act
D. Homeland Security Act.
According to a recent CSI and FBI study:
A. 90 percent of respondents have detected computer security breaches within the last 12 months
B. 74 percent cited their Internet connection as the frequent point of attack
C. 80 percent acknowledged financial losses due to computer security breaches
D. All of the above
D. All of the above
Cyber law is:
A. State law
B. Federal law
C. Law governing use of the computer and the internet
D. International law
C. Law governing use of the computer and the internet
Software piracy costs the computer industry more than:
A. $1 billion per year
B. $4 billion per year
C. $9 billion per year
D. More than $10 billion per year
D. More than $10 billion per year
CFAA covers:
A. Fraudulent trespass
B. Intentional destructive trespass
C. Reckless destructive trespass
D. All of the above
D. All of the above
Sarbanes-Oxley Act requires that the board of an organization must:
A. Register public accounting firms
B. Establish or adopt, by rule, auditing, quality control, ethics, independence, and other standards related to preparation of the audit report for issuers
C. Conduct inspections of accounting firms
D. All of the above
D. All of the above
The Cyber Security Enhancement Act, as incorporated into the Homeland Security Act of 2002:
A. Demands life sentences for those hackers who recklessly endanger lives
B. Does not require ISPs to hand over records
C. Does not outlaw publications such as details of PGP
D. None of the above
A. Demands life sentences for those hackers who recklessly endanger lives
Key areas to look at in IT contracts are:
A. Vendor contract terms that limit vendor liability
B. Contract objectives and performance measurements to ensure objectives have been met
C. Review and inclusion in future contracts specific clauses for protecting customer interests
D. All of the above.
D. All of the above.
A federal agency that protects consumers and has increased its monitoring and review of the Internet for customer and identity theft is the:
A. NSA
B. CIA
C. FTC
D. None of the above
C. FTC
National Strategy for Securing Cyberspace:
A. Applies only to defense area
B. Applies only to medical records
C. Provides a framework for protecting the nation's infrastructure that is essential to the economy, security, and the way of life
D. None of the above
C. Provides a framework for protecting the nation's infrastructure that is essential to the economy, security, and the way of life
Which act is the first ever federal privacy standard to protect patients' medical records?
A. Encrypted Communications Privacy Act of 1966
B. Privacy Act of 1974
C. HIPAA of 1996
D. All of the above
C. HIPAA of 1996
Which of the following is not one of the 10 top reasons for the start up of IT audit?
A. Auditing around the computer was becoming unsatisfactory for the purposes of database reliance
B. Accessibility of personal computers for office and home use
C. Very little advancement in technology
D. Growth of corporate hackers
C. Very little advancement in technology
Professional associations that have Standards of Practice:
A. IIA
B. ISACA
C. AICPA
D. All of the above
D. All of the above
A federal agency that develops and issues government auditing standards is:
A. GSA
B. GAO
C. Federal Bureau of Investigation (FBI)
D. Federal Trade Commission (FTC)
B. GAO
A special condition where an auditor must be free of any bias or influence, and have:
A. IT skills
B. Good writing skills
C. Professional development
D. Independence
D. Independence.
I'm not sure of the context of this question; it will be interesting to actually see if it's on the exam.
Which federal law was developed and passed by the U.S. lawmakers in reaction to recent financial frauds such as Enron?
A. FCPA
B. SEC Act
C. Sarbanes-Oxley Act
D. Computer Fraud and Abuse Act
C. Sarbanes-Oxley Act
In the author’s opinion, an auditor must have:
A. High ethical standards
B. Limited training
C. Poor communication skills
D. Poor time management skills
A. High ethical standards
GAAS was developed and issued by:
A. NIST
B. AICPA
C. FTC
D. NSA
B. AICPA
Certifications that may be helpful to an IT auditor are:
A. CIA
B. CFE
C. CISSP
D. All of the above
D. All of the above
An auditor who works for IBM directly and is on its audit staff is considered to be:
A. An external auditor
B. An internal auditor
C. A consultant
D. None of the above
B. An internal auditor
Computer forensic specialists are experts who:
A. Investigate under extreme secrecy so that other individuals do not know exactly what they are doing or what information they have gathered
B. May testify in court where an independent opinion is needed on complex technical issues
C. Have an extensive background working with computers and dealing with technical issues and are, of course, familiar with gathered information and the methods used to acquire that information
D. All of the above
D. All of the above
Which audit area involves definition of audit scope, initial contacts and communication with auditees, and audit team selection?
A. Fact gathering
B. Audit tests
C. Audit preparation
D. Audit objectives
C. Audit preparation
Which audit area involves a formal plan for reviewing and testing each significant audit subject area disclosed during fact gathering?
A. Audit objectives
B. Audit program
C. Audit tests
D. Use of audit tools
C. Audit tests
Which IT audit area involves formal statements that describe a course of action that should be implemented to restore or provide accuracy, efficiency, or adequate control of an audit subject?
A. Audit tests
B. Findings of the audit reports
C. Recommendations of an audit report
D. Conclusion of an audit report
D. Conclusion of an audit report
At the minimum, an audit plan should include all but:
A. Definition of scope
B. Objectives stated
C. An orderly, structured approach
D. A lack of flexibility in approach
D. A lack of flexibility in approach
Activities of a preliminary review may include:
A. General data gathering
B. Identifying financial application areas
C. Preparing the audit plan
D. All of the above
B. Identifying financial application areas
The first step in conducting fieldwork and implementing audit methodology is:
A. Design audit procedures
B. Define audit objectives
C. Evaluate results
D. Build a detailed understanding of the area being audited
B. Define audit objectives
The purpose of follow-up is to:
A. Determine if the audit recommendations have been implemented
B. Determine the progress made in implementing the audit recommendations
C. Assess any potential savings / value added as a result of the recommendations
D. All of the above
D. All of the above
The advantage of tying the audit universe to organization objectives is that:
A. Links the entire audit process to business objectives
B. Improves management’s understanding of the audit process
C. Develops the communication plan for the audit
D. None of the above
A. Links the entire audit process to business objectives
Audit risk assessment is an important step in the audit process because:
A. It leverages the abilities of the audit staff by minimizing redundant activity
B. It provides a framework for communicating audit results
C. It provides a framework for allocating audit resources to achieve maximum benefit
D. None of the above
C. It provides a framework for allocating audit resources to achieve maximum benefit
Auditing is a cyclical process because:
A. Performing audit tests is an iterative process
B. Audit results are used in subsequent risk assessments
C. The audit universe is aligned to the business cycle
D. All of the above
B. Audit results are used in subsequent risk assessments
Audit productivity tools can be used in:
A. Planning and tracking
B. Documentation and presentations
C. Communications and data transfer
D. All of the above
D. All of the above
Generalized audit software can:
A. Validate calculations
B. Select specific records for examination
C. Analyze and compare files
D. All of the above
D. All of the above
The task of examining a spreadsheet for reasonableness checks and comparison with known outputs is:
A. Documentation
B. Extent of training
C. Verification of logic
D. Support commitment
C. Verification of logic
Which is not a database integrity control?
A. Value constraints
B. Biometrics
C. Backup and recovery protection
D. Referential integrity
B. Biometrics
A testing approach used to validate processing by setting up a fictitious company or branch in an application for testing transaction processing is called:
A. Snapshot
B. SARF
C. Integrated test facility
D. Transaction tagging
C. Integrated test facility
WHY? I’m not sure of this answer - google it
A technique used to follow a selected transaction through the entire application to verify the integrity, validity, and reliability is called:
A. Snapshot
B. Transaction tagging
C. SCARF
D. Test data
B. Transaction tagging
Which of the following are categories of computer audit functions?
A. Items of audit interest.
B. Data analysis
C. Systems validation
D. All of the above
D. All of the above
The histogram analysis technique allows the auditor to:
A. Apply judgment in identifying and selecting appropriate testing techniques
B. Validate transmission of data
C. Prepare the audit plan
D. All of the above.
A. Apply judgment in identifying and selecting appropriate testing techniques
Which automated technique can apply a sampling methodology to the collection of transactions or records?
A. Test data
B. Snapshot
C. SARF
D. None of the above
C. SARF
Computer forensic tools are increasingly used to:
A. Support law enforcement
B. Support computer security investigations
C. Support computer audit investigations
D. All of the above
D. All of the above
Some of the following elements should be included in a career development plan:
A. Career path planning with management support
B. Definition of knowledge, skills, and abilities
C. Performance assessment and counseling
D. All of the above
D. All of the above
Which professional certification can be helpful to an IT auditor’s career?
A. CISA
B. CISSP
C. CPA
D. All of the above
D. All of the above
Which IT audit area involves audit selection, definition of audit scope, initial contacts and communication with auditees and audit team selection?
A. Fact gathering
B. Audit tests
C. Audit preparation
D. Audit objectives
C. Audit preparation
Which IT audit area involves a formal plan for reviewing and testing each significant audit subject area disclosed during the fact gathering?
A. Audit objectives
B. Audit program
C. Audit tests
D. Use of audit tools
B. Audit program
Which IT audit area involves formal statements that describe a course of action that should be implemented to restore or provide accuracy, efficiency, or adequate control of an audit subject?
A. Audit status
B. Finding on an audit report
C. Recommendations of an audit report
D. Conclusion of an audit report
C. Recommendations of an audit report
IT audit assessment is very important and, at a minimum, consists of reviewing:
A. Completeness of the audit
B. Pertinence of the information presented
C. Accuracy of the audit work and supporting work papers
D. All of the above
D. All of the above
Some of the areas that one can assess for the IT auditor’s individual performance are:
A. Communication skills
B. Judgment
C. Auditing knowledge
D. All of the above
D. All of the above
Why is it important to learn about best practices?
A. Efficiency
B. Add value to client/auditee or organization
C. Advancement in technology
D. All of the above
D. All of the above.
The best practice that consists of a document setting the tone or course of action you plan to take with your client/auditee is:
A. Benchmarking
B. Planning memo
C. Risk analysis
D. None of the above
B. Planning memo
Reasons for risk analysis are:
A. Loss or corruption of information and IS assets
B. Impaired and ineffective management decision making
C. Disruption to customer service or other critical operations
D. All of the above
D. All of the above
IT auditing involves:
A. People
B. Technology
C. Operations and systems
D. All of the above
D. All of the above
COBIT was developed and issued by
A. AICPA
B. IIA
C. ISACA
D. ACFE
C. ISACA
SAC reports were issued by
A. IIA
B. ISSA
C. ISACA
D. AICPA
A. IIA
Information assurance is defined as
A. Information integrity
B. Level of confidence and trust that can be placed on the information
C. Level of trust and confidence that can be placed on service availability
D. All of the above
D. All of the above
Which of the following U.S. federal acts has pledged almost a billion dollars toward curriculum, research, and skill development in IT audit, control, security, and information assurance issues?
A. Computer Fraud and Abuse Act of 1984
B. Computer Security Act of 1987
C. Cyber Security Research and Development Act
D. HIPAA Act of 1996
C. Cyber Security Research and Development Act
Which organization operating under U.S. national authority and its initiatives provides the foundation for a dramatic increase in the population of trained and professionalized security experts?
A. AICPA
B. ISACA
C. NIETP
D. None of the above
C. NIETP
Standards for information security officers have been issued by
A. CIA
B. FPI
C. GAO
D. NSTISSC
D. NSTISSC
A new field of opportunity and career growth is
A. Business systems analyst
B. Computer forensic analyst
C. Network administrator
D. None of the above
B. Computer forensic analyst
The number of universities within the United States identified as centers of excellence in information assurance is:
A. 10
B. 25
C. 40
D. Greater than 49
D. Greater than 49
An IT auditor’s role in IT governance can be as
A. A counselor
B. A partner of senior management
C. An educator
D. All of the above
D. All of the above
IT governance is
A. A process by which an enterprise’s IT is directed and controlled
B. An evaluation of computers and information processing not as key resources
C. Management that is only involved in making decisions
D. User dominance in IT decision making
A. A process by which an enterprise’s IT is directed and controlled
IT governance is controlled through a series of processes and procedures that:
A. Determine how investments are managed
B. Identify who can make decisions
C. Determine how results are measured
D. None of the above
D. None of the above
For IT to be an effective partner in organizational decision making, the CIO must
A. Offer proactive solutions to organizational needs
B. Get agreement on the measures of IT performance
C. Regularly attend board meetings
D. None of the above
A. Offer proactive solutions to organizational needs
Which of the following is not a main reason for ERM functions being established within organizations?
A. Increasing software patches
B. Magnitude of problem
C. Increasing business risks
D. Organizational oversight
A. Increasing software patches
Compliance with laws and regulations is a key business risk because of
A. Controls outlined in COBIT
B. Impact on security of an organization
C. Sheer number of laws and regulations
D. Automation of financial processes
C. Sheer number of laws and regulations
Continuous auditing is a technique used to
A. Create a sample of production data to test controls
B. Detect and report on control breakdowns as they occur
C. Provide a tool for business users to manage IT
D. All of the above
B. Detect and report on control breakdowns as they occur
Measuring IT performance is dependent on
A. Delivering successful projects
B. Keeping operations running
C. Reducing operating costs
D. Strategy and objectives of the organization
D. Strategy and objectives of the organization
Developing a successful measurement process requires
A. Alignment between IT organization objectives
B. Mature measurement processes
C. Support from IT and organizational management
D. Automated measurement tools to report accurate metrics
C. Support from IT and organizational management
A successful measurement process includes all of the following, except
A. Ownership of the measurement process from the area to be measured
B. Measure the effective use of resources and alignment with business objectives
C. Measurement of events and processes rather than individuals
D. Measurement must be meaningful, reliable, and accurately represent the area measured
B. Measure the effective use of resources and alignment with business objectives
IT governance requires management action taken at all levels to
A. Decrease the probability of carelessness
B. Reduce outside threat and the probability of hostile penetration
C. Decrease fraud and corruption within the organization
D. All of the above
D. All of the above
What is the purpose of developing an IS strategic plan?
A. Define the IT goals and objectives.
B. Guide the acquisition, allocation, and management of IT resources.
C. Define the technology to be used by the organization for the current year.
D. Provide a process for governing investments in IT.
B. Guide the acquisition, allocation, and management of IT resources.
COBIT model is based on the following:
A. COSO model of internal controls
B. Capability Maturity Model
C. Project Management Body of Management
D. ISO 9000 - Quality Management and Quality Assurance Standards
A. COSO model of internal controls
Planning and Organization domain includes all of the following except
A. Project management standards
B. Architecture planning process
C. Strategic planning process
D. Operational readiness process
D. Operational readiness process
FFIEC is made up of representatives from
A. FRB and FDIC
B. Office of the Comptroller of the Currency
C. OTS and NCUA
D. All of the above plus representatives from each bank regulatory council
C. OTS and NCUA
Basel Committee believes
A. Board of directors must be involved with approval of the operational risks management plan, which includes technology risk.
B. Senior management has responsibility for implementing the plan and spreading information about the plan throughout the organization
C. Processes must be in place to identify risk, measure them, monitor their occurrence, and control or mitigate their occurrence.
D. All of the above.
D. All of the above
One of the obstacles to the success of CRM has been:
A. Project management standards
B. Lack of strategic plan
C. Strategic planning process
D. Architecture planning process
E. None of the above
D. Architecture planning process
Portfolio management processes are needed to
A. Ensure new technology is approved by appropriate groups
B. Ensure projects are completed on time, on budget, and with full functionality
C. Ensure effective and efficient IT operations
D. Ensure the effective use of resources and alignment with business objectives
D. Ensure the effective use of resources and alignment with business objectives
A technical review process helps ensure that:
A. Project has included all of the costs of the technology solution
B. Right solution is selected that integrates with other technology components
C. Current infrastructure is sufficient to support the new technology
D. Appropriate level of senior management approvals has been received
B. Right solution is selected that integrates with other technology components
Architectural standards are needed to:
A. Determine which vendor products to use
B. Simplify and standardize infrastructure costs
C. Communicate programming standards to software developers
D. Speed the implementation process for new technology
B. Simplify and standardize infrastructure costs
A technical steering committee provides:
A. A control mechanism for evaluating and approving new technology solutions
B. A framework for organizing and assessing software development and maintenance
C. Leadership in advancing the practice of software engineering
D. Guidance in the acquisition, allocation, and management of IT resources
A. A control mechanism for evaluating and approving new technology solutions
NIST stands for which of the following?
A. National Information Security Test
B. National Institute of Standards and Testing
C. National Institute of Standards and Technology
D. National Institute of Security and Technology
C. National Institute of Standards and Technology
GAO conducts audits, surveys, investigations, and evaluations of:
A. Federal agencies
B. Businesses
C. State agencies
D. All of the above
D. All of the above
Which of the following organizations consists of representatives from industry, public accounting, investment firms, and the New York Stock Exchange?
A. IIA
B. COSO
C. ISACA
D. AICPA
B. COSO
Risk retention (self-insurance) methods should meet all of the following criteria, except:
A. Risk should be spread physically to distribute exposure across several locations
B. Determine whether a self-insurance reserve should be established to cover a possible loss
C. Develop an internal risk management group to monitor exposures
D. Determine the maximum exposure to loss
C. Develop an internal risk management group to monitor exposures
Threats to integrity and privacy from inside the organization include:
A. Loss or destruction of assets by malicious acts
B. Errors from incompetence or carelessness
C. Deliberate exposure of private or privileged information
D. All of the above
D. All of the above
Costs of risk include all of the following, except:
A. Cost of loss-prevention measures
B. Cost of security controls
C. Cost of losses sustained
D. Insurance premiums
B. Cost of security controls
Tools used to identify risks include all of the following except:
A. Risk analysis questionnaire
B. Flowchart of operations.
C. Audit workflow software
D. Insurance policy checklist
C. Audit workflow software
IT risk evaluation involves:
A. Ranking of the size and probability of potential loss.
B. Evaluation of the level of risk of a given process or function
C. Ensuring that risk losses do not prevent organization management from meeting its objectives.
D. Retaining a portion of the risk to reduce the insurance or premium costs.
A. Ranking of the size and probability of potential loss.
“Size” and “Probability” are the same thing as “Significance” and “Likelihood”
Reasons for risk analysis are:
A. Loss or corruption of information and IS assets
B. Impaired and ineffective management decision making
C. Disruption of customer service or other critical operations.
D. All of the above.
D. All of the above
Which of the following statements regarding the effect of insurance on risk is true?
A. Prevents loss or damage to the organization
B. Transfers risk of loss or damage to the insurance company
C. Risks are not managed when insured.
D. None of the above
B. Transfers risk of loss or damage to the insurance company
Advantages of a centralized organization model include all of the following, except:
A. Ability to leverage scale for pricing concessions
B. Flexibility and responsiveness to customer needs
C. Shared services only add incremental costs to increased volumes.
D. Centrally located server environment.
B. Flexibility and responsiveness to customer needs
To ensure consistent and effective implementation of technology, IT management should be responsible for:
A. Information systems strategy
B. Standards
C. User support
D. All of the above.
D. All of the above.
Resource management ensures:
A. IT has the right resources at the right time
B. Appropriate organizational structure is selected
C. Quality assurance processes are followed.
D. None of the above.
A. IT has the right resources at the right time
Quality Management Standards include:
A. National Strategy for Securing Cyberspace
B. ISO 9000
C. ISACA
D. All of the above
B. ISO 9000
Which of the following is not true about ISO 9001 certification?
A. Accreditation is accomplished after being certified by a notified body.
B. All organizations can establish ISO 9001 compliance.
C. A most important benefit from the registration is access to markets such as the EC that require compliance.
D. The NACCB approves an organization to operate an assessment and registration or certification scheme.
B. All organizations can establish ISO 9001 compliance.
All of the following are CMM key processes, except:
A. Requirements management
B. Subcontract management
C. Asset classification and control
D. Software configuration management
C. Asset classification and control
A process framework is needed to:
A. Ensure noncompliance issues are addressed with senior management
B. Ensure all critical processes are defined, reviewed, validated and maintained
C. Describe the steps that a person is directed to perform
D. None of the above
B. Ensure all critical processes are defined, reviewed, validated and maintained
Which of the following is not true about well-documented policies and procedures?
A. Describe the function of activities.
B. Define interrelationships with other departments
C. Ensure quality systems are implemented.
D. Should tie directly to goals and objectives of the organization
C. Ensure quality systems are implemented.
Objectives of a quality assurance audit include all of the following, except:
A. Satisfies performance guidelines
B. Adherence of project activities to standards and procedures.
C. All impacted groups cooperate with quality assurance activities.
D. Quality assurance activities are planned and documented.
A. Satisfies performance guidelines
The purpose of a procedure is to:
A. Describe steps that a person is directed to perform
B. Describe steps to achieve some objective
C. Describe how to produce a product
D. All of the above
D. All of the above
IT asset management delivers the following benefit(s):
A. More accurate cost assignments for computer assets
B. Improved planning for future acquisitions.
C. Better purchase and deployment decisions.
D. Better use of warranty and service contracts.
E. All of the above
E. All of the above
Project capital budget requests should include:
A. Business benefits of the proposed solution
B. Financial impact on the operating budget
C. Total development costs and infrastructure costs.
D. Project staffing and schedule.
E. All of the above
E. All of the above
An investment approval request should include all of the following, except:
A. Business issues and assumptions
B. Financial return and contingencies
C. SLAs
D. Resources required and proposed technology
E. None of the above
C. SLAs
SLAs are Service Level Agreements.
Project benefits should be stated in measurable terms:
A. To audit the investment approval request
B. To determine the financial impact on the operating budget
C. To provide a means for validating the benefits
D. To determine the resources required for the project
E. None of the above
C. To provide a means for validating the benefits
Approaches to developing a pricing model include:
A. IT-based consumption model
B. Business-based consumption model
C. Fee-based chargeback
D. Profit-oriented chargeback model
E. All of the above
E. All of the above
Developing a pricing model requires knowledge of:
A. Security requirements
B. Tax and regulatory requirements
C. Third-party charging models
D. Project pricing model
E. All of the above
B. Tax and regulatory requirements
Steps to successfully implement a new pricing model include all of the following except:
A. Gain an understanding of the underlying cost structure
B. Benchmark existing services to the industry
C. Compare the new to the old pricing model
D. Develop SLAs
E. Gather IT measurements
B. Benchmark existing services to the industry
A project cost estimate should include:
A. Alignment to enterprise architecture standards
B. Financial return and contingencies
C. The total development and infrastructure costs.
D. The business benefits of the proposed solution.
E. All of the above
C. The total development and infrastructure costs.
Financial planning in IT begins with an understanding of:
A. Business volume growth projections
B. Enterprise architecture standards
C. IT organizational model
D. Regulatory compliance requirements
E. None of the above
A. Business volume growth projections
Managing demand and service levels:
A. Is a prerequisite to implementing a pricing model
B. Ensures performance meets expectations
C. Aligns demand with service offerings
D. Keeps costs from running out of control
E. None of the above
D. Keeps costs from running out of control
PMLC:
A. Provides a structure for defining requirements and developing applications
B. Is focused on project scope, schedule and budget
C. Is focused on the analysis, construction and testing of applications
D. Provides a structure for evaluating IT investments
B. Is focused on project scope, schedule and budget
Effective project management ensures that:
A. Processes are explicitly defined, managed, measured, controlled, and effective
B. Applications are designed, developed, and implemented
C. Project tasks are defined, and resources are available and completed on time and within budget
D. Project has included all the costs of the technology solution
C. Project tasks are defined, and resources are available and completed on time and within budget
During the planning phase, the auditor can:
A. Review project deliverables to identify control weaknesses
B. Review project management processes for appropriateness
C. Facilitate communication between the project team and senior management.
D. Facilitate communication between functions and raise issues.
D. Facilitate communication between functions and raise issues.
A project management process review would:
A. Assess the adequacy of the control environment for managing projects.
B. Ensure the right solution is selected that integrates with other technology components.
C. Ensure clearly defined requirements in the request for proposal.
D. Ensure projects are completed on time, on budget, and with full functionality
A. Assess the adequacy of the control environment for managing projects.
Project management tools allow the user to:
A. Track metrics for measuring third-party vendors
B. Help determine which vendor products to use
C. Provide a process for governing investments in IT
D. Define tasks, dependencies, and track progress
D. Define tasks, dependencies, and track progress
Key tasks during a project management review are:
A. Check project management tools for proper usage
B. Assess readiness for implementation
C. Maintain independence to remain objective
D. All of the above
D. All of the above
Which of the following is not a process risk?
A. Processes are explicitly defined, managed, measured, controlled, and effective.
B. Lack of strategic direction
C. Lack of project management standards
D. Negative organizational climate
A. Processes are explicitly defined, managed, measured, controlled, and effective.
Which of the following is not a project risk?
A. Review of project deliverables to identify control weaknesses
B. Inexperienced staff
C. Lack of management commitment
D. Project complexity and magnitude
A. Review of project deliverables to identify control weaknesses
One of the biggest obstacles in implementation is:
A. Adequacy of the control environment for managing projects.
B. User resistance
C. Clearly defined requirements in the request for proposal
D. Ensure projects are staffed
B. User resistance
Project management tools could be:
A. Microsoft Project
B. Open Plan
C. CPM or PERT
D. All of the above
D. All of the above
A well-controlled implementation minimizes the following risks, except:
A. Staff turnover
B. System bugs
C. Misaligned staff
D. Performance issues
A. Staff turnover
Which of the following is not a test event?
A. Functional testing
B. Negative testing
C. Unit testing
D. Acceptance testing
B. Negative testing
Risks associated with prototypes and RAD are:
A. Incomplete system design
B. Inefficient processing performance
C. Inadequate documentation
D. All of the above
D. All of the above
All of the following are examples of EUD, except:
A. Mainframe-based query tools
B. Vendor packages that automate a generic business process
C. Operating systems
D. End-user developed applications
C. Operating systems
Which of the following risks is associated with end-user computing?
A. Weak security
B. Inadequate support
C. Inadequate training
D. All of the above
D. All of the above
Testing, which verifies that the application can be implemented without interruption to business and there is enough capacity is:
A. Unit testing
B. Functional testing
C. Technical testing
D. Performance and load testing
D. Performance and load testing
End-user acceptance testing ensures that the system:
A. Fulfils the agreed-upon functional expectations
B. Meets established usability
C. Satisfies performance guidelines
D. Meets state regulations
E. Answers a, b and c
E. Answers a, b and c
Conversion is defined as the process of:
A. Cleaning data in the legacy system
B. Testing data
C. Transferring data from the legacy system to the new system
D. Testing data during an implementation
C. Transferring data from the legacy system to the new system
What is not considered a form of documentation in a system implementation?
A. Sequence of programs and steps to be taken in case of processing failure
B. Code with comments embedded
C. IS Strategy
D. Pseudo-code and flowcharts
C. IS Strategy
Key tasks an auditor might perform during systems development are:
A. Reviewing user requirements
B. Checking all technical specifications for compliance with organizational standards
C. Reviewing test plans
D. All of the above
D. All of the above
One of the basic steps in the software acquisition process is:
A. Identifying a single alternative
B. Defining the information and system requirements
C. Performing user and site surveys
D. Replacing existing hardware platforms
B. Defining the information and system requirements
What is the most important step in the software acquisition process?
A. Defining information requirements
B. Identifying alternatives
C. Performing the feasibility analysis
D. Conducting risk analysis
A. Defining information requirements
As a means of increasing user support, many projects are now including as part of their project plans:
A. Infrastructure diagrams
B. Outsourcing
C. Communication and business change management
D. Sales and marketing
C. Communication and business change management
Gathering information and systems requirements can be accomplished by all of the following, except:
A. Interviewing those expected to use the information produced by the system as well as those expected to produce the information input into the system
B. Interviewing the software supplier to find the best-selling software in the market
C. Developing a prototype of the proposed system
D. Researching other companies
B. Interviewing the software supplier to find the best-selling software in the market
A document that specifies the minimal acceptable requirements as well as the evaluation criteria for a solution is called a:
A. Request for bid
B. Request for information
C. Request for proposal
D. Request for quote
C. Request for proposal
Participants in the selection process may not include representatives from:
A. Management
B. Anticipated users
C. IT department
D. Supplier
D. Supplier
Contract terms and conditions normally do not include the following:
A. An organizational chart of the customer’s IT department
B. A functional definition of the work to be performed
C. Supplier staffing and specified qualifications
D. Methods of providing progress reports
A. An organizational chart of the customer’s IT department
What is not an advantage of purchasing off-the-shelf solutions?
A. Shorter implementation time
B. Ability to use the company’s existing IT infrastructure
C. Use of proven technology
D. Easier to define costs
B. Ability to use the company’s existing IT infrastructure
When selecting a supplier package, organizations should consider all of the following, except:
A. Stability of the supplier company
B. Supplier’s ability to provide support
C. Required modifications to the base software
D. Sales and marketing literature
D. Sales and marketing literature
Effective supplier management is based on:
A. SLAs with contract penalties
B. Clearly defined requirements in the RFP
C. Measurable service levels and regular monitoring
D. Strong negotiation skills of the procurement team
C. Measurable service levels and regular monitoring
All of the following are examples of application risks, except:
A. Inaccurate data
B. Incomplete data
C. Repeated data
D. Duplicate data
C. Repeated data
Within a convenience store register system used to total orders and receive payment from customers, which of the following has the highest risk?
A. Duplicate transactions
B. Communications failure
C. Unauthorized remote access
D. Misuse by authorized users
D. Misuse by authorized users
All of the following are examples of application controls, except:
A. Testing the data-entry screen
B. User ergonomic requirements
C. Documentation of the backup procedures
D. A list of valid sources of input
B. User ergonomic requirements
A company allows data from their sales tracking system to be extracted to spreadsheets by all users. Which of the following is the highest risk associated with this practice?
A. Copyright violations
B. Inefficient use of resources
C. Unauthorized access to data
D. Incompatible systems
C. Unauthorized access to data
Which of the following is an example of a risk associated with EUC?
A. Employees make copies of software to work at home
B. Employees enter time into company time sheet system
C. Employees can view all sales data within the company’s sales tracking system
D. Employee can modify his time sheet data after he has entered it into the time sheet system
A. Employees make copies of software to work at home
All of the following are examples of misuse of resources associated with EUC, except:
A. Employees can purchase their own computer equipment for work
B. Employees can purchase their own software to be used at work
C. Employees can purchase their own computer training
D. Employees create their own end-user procedure manuals
C. Employees can purchase their own computer training
A department employee creates and maintains a spreadsheet for the employees in that department to enter hours they worked. Spreadsheets are subsequently used to load the employees’ working time into the system. Which of the following is the highest risk associated with the specific use of the spreadsheet?
A. Time sheet does not accurately compute the total time worked
B. Employees may see the time worked by their fellow employees
C. Employees do not enter their time correctly
D. Spreadsheets are not signed by the employee
A. Time sheet does not accurately compute the total time worked
Viruses pose all of the following risks, except:
A. Loss of data
B. Loss of paper documents
C. Loss of hardware
D. Loss of performance
B. Loss of paper documents
Interfaces are another form of:
A. Output
B. Report
C. Input
D. Processing
C. Input
Which form of documentation would be the most critical to an applications programmer?
A. Procedures
B. Flowcharts
C. Report layout
D. Processing logic
D. Processing logic
In classifying the importance of each of the goals for change management, which one is the most important?
A. Identification
B. Categorization
C. Prioritization
D. Authorization
D. Authorization
In the change request process, the following information should be obtained, except:
A. User contact and responsibility
B. List of future changes
C. IT contact and responsibility
D. Management approval
B. List of future changes
In an emergency change control process, which of the following is the highest risk?
A. Unauthorized changes are made
B. Emergency change introduces performance problems
C. Changes are approved after they are implemented
D. Lack of analysis
A. Unauthorized changes are made
In the following list of criteria for approving changes, select the one that is most important:
A. Criticality
B. State of the production environment
C. Resource availability
D. Effect of all proposed changes
B. State of the production environment
Following a change, the condition of which of the following should be evaluated?
A. Requestor
B. Change objectives
C. Technical support
D. Staffing
B. Change objectives
All of the following are components of organizational culture that affect the success of IT, except:
A. Incentives
B. Company politics
C. Inter-organizational relationships
D. Government politics
D. Government politics
Managing organizational change would include all of the following, except:
A. Marketing plans
B. Training and professional development plans
C. User involvement in design
D. Communication plans
A. Marketing plans
Business process review sessions review:
A. Requests for systems changes
B. Requests for business process changes
C. Changes introduced by the new system
D. Training requests
C. Changes introduced by the new system
An IT system that now allows the corporate office to view data from their individual sales offices introduces the most change to:
A. Social relationships
B. Technical support
C. Inter-organizational relationships
D. Company politics
D. Company politics
In auditing an automated change control system, an auditor would review all of the following, except:
A. License agreements
B. Rules
C. Access lists
D. Log files
A. License agreements
Formal service-level agreements are required when:
A. Services are provided across tax jurisdictions
B. Charging for IT services
C. Applications share the same processor
D. None of the above
A. Services are provided across tax jurisdictions
Service-level agreements should include:
A. Definition of services
B. Service quality
C. Roles and responsibilities
D. All of the above
Answer: A, C
A. Definition of services
C. Roles and responsibilities
Customer service-level agreements:
A. Define services from the customer’s perspective
B. Describe operating platform availability
C. List key applications
D. All of the above
A. Define services from the customer’s perspective
Operating-level agreements are used to:
A. Measure platform availability
B. Set expectations between application and operations groups
C. Define application development and maintenance services
D. All of the above
B. Set expectations between application and operations groups
Supplier service-level agreements:
A. Define services and quality
B. Help manage third-party services
C. Align to customer service-level agreements
D. All of the above
D. All of the above
Service design and pricing requires:
A. Allocation of overhead to all services
B. Inclusion of disaster recovery
C. Aggregation of the underlying process costs.
D. All of the above
C. Aggregation of the underlying process costs.
Service provisioning processes are needed to:
A. Create user information for security
B. Create asset information for inventory
C. Create usage information for finance
D. All of the above
D. All of the above
A relationship manager’s role is to:
A. Develop and maintain a close relationship with the customer
B. Ensure that IT services are aligned with customer needs
C. Influence the strategic direction of IT investments to maximize future benefits
D. All of the above
D. All of the above
Service measurement should be:
A. Coordinated with IT process improvement and governance metrics
B. Frequent and detailed
C. Based on peak usage
D. None of the above
A. Coordinated with IT process improvement and governance metrics
A customer is responsible for:
A. Reporting issues
B. Following procedures
C. Defining requirements
D. All of the above
D. All of the above
Providing end users with training is important because users:
A. Make fewer calls to the help desk
B. Will use applications more effectively
C. Make fewer mistakes and have fewer questions
D. All of the above
D. All of the above
Responsibilities of the service desk include all of the following, except:
A. Log and route service requests
B. Handle problem calls
C. Provide desk-side support
D. Prepare standard monthly reports
C. Provide desk-side support
Information gathered by the service desk can be used by the following process:
A. Asset management
B. Change management
C. Service management
D. All of the above
D. All of the above
Specialized service support groups provide:
A. Resolution of more complex issues
B. Primary diagnosis and resolution of common problems
C. Support for more knowledgeable users
D. None of the above
A. Resolution of more complex issues
Advantages of outsourcing the service desk include:
A. Quicker implementation time
B. Lower customer satisfaction
C. More comprehensive training
D. None of the above
A. Quicker implementation time
Knowledge management includes:
A. Documenting how to use applications
B. Sharing information on problems and fixes
C. Making information available to users
D. All of the above
D. All of the above
An objective of incident management is to:
A. Minimize the adverse impact of incidents and problems
B. Restore operations as soon as possible
C. Develop a workaround
D. Resolve problems
B. Restore operations as soon as possible
Problem severity is an important aspect of problem management needed to:
A. Prioritize problem resolution
B. Determine the cost / benefit of resolving individual problems
C. Identify regulatory compliance issues
D. All of the above
D. All of the above
Problem management tools should be part of a common toolset integrated with:
A. Asset management
B. Change management
C. Service desk
D. All of the above
D. All of the above
A problem reporting process is needed to:
A. Measure against SLAs
B. Identify the root cause of problems
C. Follow up on action responses
D. All of the above
A. Measure against SLAs
ISO 17799 covers:
A. Security policy
B. Security organization
C. Asset classification and control
D. All of the above
D. All of the above
An information security policy provides all of the following, except:
A. Guide to decision making about information security
B. High-level statements of security objectives
C. Instructions for implementing security attributes
D. Ways to prevent and respond to threats
C. Instructions for implementing security attributes
According to the CERT, what percent of actual security incidents goes unreported?
A. 20 percent
B. 40 percent
C. 60 percent
D. 80 percent
D. 80 percent
Information security requires participation and support from which one of the following groups:
A. Local system administrators
B. Department managers
C. Contractors
D. All of the above
D. All of the above
Vulnerability management includes which one of the following processes:
A. Inventory of physical assets
B. Change management
C. Virus protection software
D. None of the above
B. Change management
Implementing identity management can result in all of the following benefits, except:
A. Reduced help desk call volume
B. Consistent security and accountability
C. Improved password selection
D. Improved turnaround time for adding users
C. Improved password selection
Encryption technologies electronically store information in an encoded form that can only be decoded by an authorized individual who has the appropriate decryption technology and a:
A. Private key
B. Public key
C. Authorization to decrypt
D. Ability to decrypt
C. Authorization to decrypt
To be effective, which one of the following groups must support a contingency and disaster recovery plan to offer a business the best chance to survive?
A. Auditors and management
B. Technical personnel and management
C. Management and staff
D. Auditors and security officers
C. Management and staff
To be usable, a disaster recovery plan must be:
A. Written
B. Approved
C. Tested
D. Enforced
C. Tested
Which of the following would not be included in a companywide policy on end-user computing (EUC)?
A. Wireless encryption standards
B. Appropriate documentation
C. Segregation of duties
D. Backup procedures
A. Wireless encryption standards