IS Audit Flashcards
1
Q
- What is the primary objective of Information Systems (IS) Audit?
A. To ensure software development
B. To examine the adequacy of controls in IS
C. To monitor internet speed
D. To develop new IS policies
A
B
2
Q
- Which phase involves understanding auditee systems and controls?
A. Reporting
B. Follow-up
C. Audit Planning
D. Execution
A
C
3
Q
- What does risk assessment in IS audit help in?
A. Avoiding audits altogether
B. Reducing audit cost
C. Identifying high-priority audit areas
D. Training staff in programming
A
C
4
Q
- Which of the following is not a typical stage of IS audit?
A. Planning
B. Coding
C. Execution
D. Reporting
A
B
5
Q
- The final stage of an IS audit is:
A. Risk assessment
B. Execution
C. Reporting
D. Follow-up
A
D
6
Q
- Which of the following best describes an IS control?
A. Tool for internet usage
B. Safeguard to ensure data integrity and security
C. A type of programming logic
D. A method of budget allocation
A
B
7
Q
- What is the primary output of the planning phase in IS audit?
A. Test scripts
B. Audit Plan
C. Audit Opinion
D. Control Matrix
A
B
8
Q
- The term ‘General Controls’ in IS audit refers to:
A. Hardware performance
B. Controls over data inputs
C. Controls over software development and maintenance
D. Virus detection tools
A
C
9
Q
- Application controls focus on:
A. Physical security
B. Data accuracy and integrity in applications
C. Firewall configuration
D. HR policies
A
B
10
Q
- Which tool is commonly used for data extraction in IS Audit?
A. Photoshop
B. ACL (Audit Command Language)
C. Excel Charts
D. Word Processor
A
B
11
Q
- Which of these is NOT a type of audit evidence?
A. Observations
B. Interviews
C. Audit Planning
D. System logs
A
C
12
Q
- Logical access controls primarily safeguard:
A. Furniture
B. Internet bandwidth
C. Unauthorized access to systems
D. Audit team travel
A
C
13
Q
- Which type of control ensures that transactions are properly authorized?
A. Preventive
B. Detective
C. Corrective
D. Compensating
A
A
14
Q
- A post-audit review is primarily aimed at:
A. Punishing staff
B. Promoting software vendors
C. Enhancing future audits
D. Modifying IT budgets
A
C
15
Q
- Firewalls are a part of:
A. Physical controls
B. Environmental controls
C. Network security controls
D. Human resource controls
A
C
16
Q
- What does a vulnerability assessment help identify?
A. Staff morale
B. Programming languages
C. System weaknesses
D. Budget shortfall
A
C
17
Q
- One of the key benefits of IS audit is:
A. Software promotion
B. Eliminating all risks
C. Improving governance and accountability
D. Increasing hardware cost
A
C
18
Q
- An IS audit trail refers to:
A. Roadmap for data transfer
B. Historical logs of user/system activities
C. Backup file
D. Travel plan of auditors
A
B
19
Q
- Segregation of duties helps prevent:
A. Software installation
B. Errors and fraud
C. Audit planning
D. Training delays
A
B
20
Q
- Which of the following is NOT a preventive control?
A. Password policy
B. Encryption
C. Antivirus software
D. Audit report
A
D
21
Q
- The purpose of system development audit is to:
A. Monitor sales
B. Evaluate controls in SDLC
C. Recruit developers
D. Review UI designs only
A
B
22
Q
- An example of a detective control is:
A. Access restriction
B. Password encryption
C. Log review
D. Biometric authentication
A
C
23
Q
- What does COBIT stand for?
A. Control Objectives for Information and Related Technology
B. Computer Based IT
C. Central Organization of Bureau for IT
D. Control and Operations for Big IT
A
A
24
Q
- In IS auditing, walkthroughs are used to:
A. Train staff physically
B. Understand processes and controls
C. Evaluate network speed
D. Promote IT vendors
A
B
25
Q
- The purpose of audit documentation is to:
A. Show appreciation to staff
B. Promote audit firm
C. Provide evidence and support conclusions
D. Replace reports
A
C
26
Q
- Which of the following is a key feature of an effective IS control environment?
A. High hardware costs
B. Management’s commitment to control
C. Employee travel frequency
D. Use of open-source software
A
B
27
Q
- What is the primary purpose of audit sampling?
A. To review every transaction
B. To select representative transactions
C. To avoid documentation
D. To simplify software development
A
B
28
Q
- An IS audit checklist is primarily used for:
A. Employee evaluation
B. Ensuring completeness of audit procedures
C. Marketing IT tools
D. Preparing financial statements
A
B
29
Q
- Which of the following best defines a control weakness?
A. Use of licensed software
B. Lack of adequate controls to mitigate risk
C. System upgrades
D. Open internet access
A
B
30
Q
- Data integrity in IS refers to:
A. Amount of data stored
B. Accuracy and reliability of data
C. Software version control
D. Use of cloud backups
A
B
31
Q
- Which audit technique is used to test the logic of an application program?
A. System review
B. Test data method
C. Control charting
D. Flowcharting
A
B
32
Q
- In IS audit, an ‘incident response plan’ relates to:
A. Hardware failure
B. Budget estimates
C. Procedures to respond to security breaches
D. Audit closure
A
C
33
Q
- Which type of audit is performed without prior notice?
A. Internal audit
B. Surprise audit
C. Statutory audit
D. Concurrent audit
A
B
34
Q
- Access controls can be categorized into:
A. Legal and procedural
B. Logical and physical
C. Visual and auditory
D. Online and offline
A
B
35
Q
- Control self-assessment (CSA) is primarily conducted by:
A. External auditors
B. Government departments
C. Organizational staff
D. Software vendors
A
C
36
Q
- Encryption is an example of a:
A. Logical control
B. Physical control
C. Managerial control
D. Environmental control
A
A
37
Q
- In audit terminology, a ‘finding’ is:
A. A note of appreciation
B. A conclusion based on evidence
C. A suggestion from vendors
D. A procurement issue
A
B
38
Q
- The IS control that checks input data before processing is called:
A. Output control
B. Processing control
C. Input control
D. Backup control
A
C
39
Q
- Audit evidence should be:
A. Minimal and verbal
B. Sufficient and appropriate
C. Confidential and withheld
D. Expensive to collect
A
B
40
Q
- A major challenge in IS audit is:
A. High internet speed
B. Rapid technological changes
C. Manual data entry
D. Software design
A
B
41
Q
- IS audit is applicable to:
A. Only IT firms
B. All organizations using information systems
C. Government only
D. Public companies
A
B
42
Q
- Backup policies are considered part of:
A. Financial controls
B. Environmental controls
C. Business continuity planning
D. Marketing strategy
A
C
43
Q
- What does ‘segregation of duties’ aim to prevent?
A. Teamwork
B. Project overlap
C. Fraud and error
D. System upgrades
A
C
44
Q
- Configuration management in IS ensures:
A. Aesthetic user interface
B. Proper control of system changes
C. Outsourced IT functions
D. Use of free tools
A
B
45
Q
- Time-stamped logs in IS help in:
A. Data backup
B. Tracking user activity
C. Auditing HR policies
D. Preventing power outages
A
B
46
Q
- An audit trail helps ensure:
A. System redundancy
B. Traceability of transactions
C. Enhanced system speed
D. IT staffing
A
B
47
Q
- What is phishing?
A. Virus protection tool
B. Attempt to acquire sensitive information fraudulently
C. Software upgrade method
D. Data warehousing
A
B
48
Q
- Which of these is a physical security control?
A. Passwords
B. CCTV surveillance
C. Firewalls
D. Access logs
A
B
49
Q
- The term ‘patch management’ refers to:
A. Hardware repairs
B. Timely updates to fix software vulnerabilities
C. Database backups
D. Power supply maintenance
A
B
50
Q
- Which of the following helps in real-time detection of threats?
A. Encryption
B. Intrusion Detection Systems (IDS)
C. Audit plan
D. Policy documents
A
B
51
Q
- IS audit can assess:
A. IT staff salaries
B. Integrity of information
C. Marketing performance
D. Capital budgeting
A
B
52
Q
- The risk of a system being accessed by unauthorized users is called:
A. Availability risk
B. Confidentiality risk
C. Access risk
D. Integrity risk
A
C
53
Q
- A business continuity plan is tested using:
A. Real-time failures
B. Simulation and drills
C. Data deletion
D. Annual audits
A
B
54
Q
- Which of the following is not a part of general controls?
A. Backup procedures
B. User training
C. Logical access control
D. Transaction edit checks
A
D
55
Q
- What is the role of an IS auditor in SDLC?
A. Project execution
B. Code optimization
C. Control evaluation and assurance
D. System deployment
A
C
56
Q
- A data warehouse is used for:
A. Transaction processing
B. Data storage for analysis and reporting
C. Programming only
D. Email services
A
B
57
Q
- What is a major risk with BYOD (Bring Your Own Device)?
A. Low hardware cost
B. Security and control issues
C. Improved speed
D. Centralized data
A
B
58
Q
- Authentication is:
A. Proof of employment
B. Verifying the identity of a user or system
C. Password resetting
D. File transfer method
A
B
59
Q
- What does ISO 27001 focus on?
A. Programming languages
B. Information security management systems
C. Database designs
D. Cloud hosting
A
B
60
Q
- A key element of audit planning is:
A. Network testing
B. Understanding auditee environment
C. Code documentation
D. Backup design
A
B
61
Q
- What does GIGO stand for in computing?
A. Great Input Great Output
B. Garbage In Garbage Out
C. General Input General Output
D. Grouped Internet Gateway Options
A
B
62
Q
- Which system is used for monitoring and managing network devices?
A. HRMS
B. ERP
C. NMS (Network Management System)
D. CRM
A
C
63
Q
- What is the most common attack on passwords?
A. SQL injection
B. Brute-force attack
C. DDoS
D. Spoofing
A
B
64
Q
- Redundancy in IT systems ensures:
A. Job rotation
B. System availability during failures
C. Training repetition
D. Data duplication
A
B
65
Q
- Cloud computing introduces risks related to:
A. Transparency and control
B. Physical damage
C. USB devices
D. Manual logs
A
A
66
Q
- Data classification helps in:
A. Labeling backups
B. Determining appropriate security levels
C. Grouping network cables
D. Sorting emails
A
B
67
Q
- Change management ensures:
A. Permanent system settings
B. Controlled IT environment
C. Frequent staff transfers
D. Default passwords
A
B
68
Q
- Which of the following is NOT an IS audit objective?
A. Confidentiality of information
B. Availability of systems
C. Promotion of IT vendors
D. Integrity of data
A
C
69
Q
- Who is responsible for data accuracy in an organization?
A. IT vendor
B. Internal auditor
C. Data owner
D. Programmer
A
C
70
Q
- IS audit recommendations should be:
A. Generic and lengthy
B. Specific and actionable
C. Verbal and informal
D. Avoided
A
B
71
Q
- The first step in performing an IS audit is:
A. Collecting evidence
B. Audit planning
C. Writing a report
D. Risk analysis
A
B
72
Q
- Spoofing is an attack in which:
A. Hardware is damaged
B. A person or program pretends to be another
C. Files are deleted randomly
D. Emails are blocked
A
B
73
Q
- A hashed password is:
A. Reversible
B. Encrypted with symmetric key
C. Stored as a one-way transformation
D. Saved in plain text
A
C
74
Q
- IS auditors must be independent to:
A. Save cost
B. Ensure objectivity and impartiality
C. Help IT department
D. Avoid HR conflict
A
B
75
Q
- Physical access to servers should be:
A. Open to all staff
B. Controlled and restricted
C. Time-based only
D. Documented yearly
A
B
76
Q
- What is a key purpose of IT Governance?
A. Minimizing staff
B. Aligning IT with business goals
C. Upgrading hardware
D. Enhancing software aesthetics
A
B
77
Q
- The term ‘Denial of Service’ (DoS) refers to:
A. Granting access rights
B. Network speed improvement
C. Making a system unavailable
D. Antivirus deployment
A
C
78
Q
- Risk assessment in IS audit involves:
A. Counting users
B. Evaluating potential threats and impacts
C. Hiring new staff
D. Reviewing architecture only
A
B
79
Q
- What is the full form of ITIL?
A. Information Technology Infrastructure Library
B. International Tech Integration Lab
C. IT Internal Learning
D. Integrated Technology Info Line
A
A
80
Q
- Which of these is a preventive control?
A. System log analysis
B. Password enforcement policy
C. Audit report
D. Physical inventory check
A
B
81
Q
- A vulnerability in IS refers to:
A. Security patch
B. Weakness exploitable by threats
C. Employee vacation
D. Software license
A
B
82
Q
- Which is NOT a feature of a strong password?
A. Long length
B. Personal names
C. Use of symbols
D. Upper and lower case mix
A
B
83
Q
- What does the term ‘zero-day’ refer to in cybersecurity?
A. Day of attack
B. Software release
C. Previously unknown vulnerability
D. Patch installation
A
C
84
Q
- What is two-factor authentication?
A. Using two computers
B. Use of password and biometric/OTP
C. Sharing credentials
D. Encrypting passwords twice
A
B
85
Q
- A firewall operates at which level?
A. Physical
B. Application and network layers
C. Hardware
D. HR policies
A
B
86
Q
- What is social engineering in cybersecurity?
A. Engineering staff for social events
B. Manipulating people to gain access
C. System architecture redesign
D. Data compression method
A
B
87
Q
- A data dictionary helps in:
A. Translation
B. Defining metadata about data elements
C. Code debugging
D. Document writing
A
B
88
Q
- The integrity of a database ensures:
A. High cost
B. Accurate and consistent data
C. Frequent updates
D. Limited access
A
B
89
Q
- A hot site is:
A. Unused data center
B. A backup facility with live systems ready
C. Software plugin
D. Vendor storage
A
B
90
Q
- A cold site provides:
A. Instant backup
B. Physical space without hardware
C. Network design
D. Auto patching
A
B
91
Q
- IT asset management includes:
A. Hiring employees
B. Tracking hardware/software lifecycle
C. Training modules
D. External audit
A
B
92
Q
- What is hashing used for?
A. Data compression
B. Data integrity verification
C. System updates
D. File organization
A
B
93
Q
- What is the function of an audit trail?
A. Error rectification
B. Tracking transaction history
C. Employee behavior
D. HR evaluation
A
B
94
Q
- System downtime primarily affects:
A. Employee morale
B. Business continuity
C. Budget planning
D. Travel policies
A
B
95
Q
- What is malware?
A. A secure program
B. Malicious software
C. Encryption tool
D. Firewall upgrade
A
B
96
Q
- Antivirus software is an example of:
A. Managerial control
B. Technical control
C. Procedural control
D. Visual control
A
B
97
Q
- Spoofing typically affects:
A. Authentication processes
B. Physical assets
C. Budget calculations
D. UI design
A
A
98
Q
- Remote desktop protocols can introduce:
A. Training benefit
B. Performance boost
C. Security risks
D. Encryption improvement
A
C
99
Q
- Which of the following is a real-time monitoring tool?
A. IDS
B. Audit log
C. Email
D. CMS
A
A
100
Q
- System logs provide:
A. Backup files
B. Records of events and activities
C. Payroll data
D. Antivirus
A
B
101
Q
- What is penetration testing?
A. Data backup
B. Simulated attack to find vulnerabilities
C. Network optimization
D. Software installation
A
B
102
Q
- What does ‘phishing’ refer to?
A. Encrypting data
B. Sending fraudulent emails to steal data
C. Cleaning virus
D. Network blocking
A
B
103
Q
- In IS Audit, the term ‘scope’ defines:
A. Project cost
B. Audit boundaries and areas covered
C. Staff roles
D. None of these
A
B
104
Q
- Backup frequency is determined based on:
A. Software type
B. Data criticality and RPO
C. Number of users
D. HR advice
A
B
105
Q
- What is the purpose of change management?
A. Blocking access
B. Control and track system changes
C. Create passwords
D. Format hard drives
A
B
106
Q
- Which type of audit checks system configuration?
A. Financial
B. Operational
C. Technical IS Audit
D. HR Audit
A
C
107
Q
- Role-based access control is based on:
A. Department
B. Designation and responsibilities
C. Tenure
D. Device used
A
B
108
Q
- Encryption helps in:
A. Speeding processing
B. Securing data confidentiality
C. Generating reports
D. Auditing
A
B
109
Q
- What is data mining used for?
A. Destroying old files
B. Discovering patterns in data
C. Compressing data
D. Encrypting tables
A
B
110
Q
- Segregation of duties helps to:
A. Improve speed
B. Reduce errors and fraud
C. Reduce staff
D. Increase licenses
A
B
111
Q
- Which of these is a post-implementation review activity?
A. System design
B. Assessing whether objectives were met
C. Coding
D. Procurement
A
B
112
Q
- Which is not a type of control in IS Audit?
A. Preventive
B. Detective
C. Corrective
D. Subjective
A
D
113
Q
- Which tool helps in analyzing system vulnerabilities?
A. Paint
B. Wireshark
C. Excel
D. WordPad
A
B
114
Q
- What is meant by RTO in disaster recovery?
A. Real-Time Object
B. Recovery Time Objective
C. Remote Terminal Operation
D. Restart Tool Option
A
B
115
Q
- The most secure form of authentication is:
A. Password only
B. Two-factor
C. User ID
D. Date of birth
A
B
116
Q
- A botnet is a:
A. Network of infected computers
B. Security device
C. ISP tool
D. Firewall command
A
A
117
Q
- What is SQL injection?
A. Data entry tool
B. Cyberattack using malicious queries
C. Database format
D. Audit tool
A
B
118
Q
- A digital signature is used for:
A. Password reset
B. Authenticating the source of data
C. UI design
D. Cookie tracking
A
B
119
Q
- The key objective of a firewall is to:
A. Store logs
B. Filter unauthorized traffic
C. Encrypt data
D. Log passwords
A
B
120
Q
- What is a honeypot in cybersecurity?
A. Backup server
B. Decoy system to detect attacks
C. Encryption program
D. Data cleaner
A
B
121
Q
- IT General Controls include:
A. Payroll validation
B. Change management, backup, access controls
C. Hardware only
D. Cleaning utilities
A
B
122
Q
- What is the first step in an IS Audit?
A. Submit report
B. Planning and risk assessment
C. Approve budget
D. Add users
A
B
123
Q
- Configuration management ensures:
A. No version tracking
B. Consistency of system settings and software versions
C. High energy usage
D. Employee exit tracking
A
B
124
Q
- What is the primary objective of IS audit?
A. Promote sales
B. Assess system integrity and controls
C. Develop software
D. Conduct HR reviews
A
B
125
Q
- Who is responsible for data confidentiality?
A. System vendor
B. Data owner
C. Intern
D. Government
A
B
126
Q
- What does “least privilege” mean?
A. Full access to all users
B. Restricting access to minimum required
C. Outsourcing access
D. Open network
A
B
127
Q
- What is penetration testing?
A. User login testing
B. Simulated cyber attack to test security
C. Server update
D. Software demo
A
B
128
Q
- What is an example of logical access control?
A. Security guards
B. Biometric login
C. Desk locks
D. Fire extinguisher
A
B
129
Q
- Which tool is used to scan network vulnerabilities?
A. MS Word
B. Nessus
C. Excel
D. Paint
A
B
130
Q
- What is backup rotation?
A. Rotating system fans
B. Scheduling backups to avoid data loss
C. Changing office seats
D. Restarting daily
A
B
131
Q
- Which law governs electronic records in India?
A. RTI Act
B. IT Act 2000
C. IPC
D. Companies Act
A
B
132
Q
- What is phishing?
A. Legal notice
B. Fraudulent attempt to obtain data
C. Data encryption
D. System upgrade
A
B
133
Q
- What is a key element in disaster recovery planning?
A. Marketing goals
B. Risk identification
C. Hiring engineers
D. Installing games
A
B
134
Q
- Data integrity ensures:
A. Format change
B. Accuracy and trustworthiness
C. Access control
D. Color settings
A
B
135
Q
- In IS audit, sampling is used to:
A. Train auditors
B. Evaluate a subset of data
C. Encrypt reports
D. Prepare software
A
B
136
Q
- What is audit evidence?
A. Guess
B. Observation, document or record
C. Prediction
D. Advertisement
A
B
137
Q
- Separation of duties is implemented to:
A. Save cost
B. Reduce conflict of interest and fraud
C. Increase redundancy
D. Reduce staff
A
B
138
Q
- What does an incident response plan address?
A. System updates
B. Responding to security breaches
C. Hiring process
D. User guides
A
B
139
Q
- Encryption ensures:
A. Faster processing
B. Confidentiality of data
C. UI consistency
D. Marketing
A
B
140
Q
- What is business continuity planning?
A. Office party
B. Ensuring critical operations continue during disruption
C. Designing banners
D. Server formatting
A
B
141
Q
- Who should approve access rights?
A. Peers
B. Data owner or manager
C. Admin alone
D. New employee
A
B
142
Q
- An IS auditor should maintain:
A. Bias
B. Independence and objectivity
C. Marketing skills
D. Coding knowledge only
A
B
143
Q
- What is a Trojan Horse in IT?
A. Antivirus
B. Malware disguised as legitimate software
C. Encryption tool
D. Server cooling system
A
B
144
Q
- What does vulnerability management involve?
A. Ignoring threats
B. Identifying and fixing weaknesses
C. Buying new PCs
D. Data entry
A
B
145
Q
- What is a checksum used for?
A. Pricing
B. Verifying data integrity
C. Network speed
D. Password storage
A
B
146
Q
- Access control matrices are used to:
A. Track time
B. Define user permissions
C. Create reports
D. Update OS
A
B
147
Q
- Why are logs archived?
A. Save photos
B. Legal and forensic purposes
C. Reduce costs
D. Staff reference
A
B
148
Q
- Rootkits are used by attackers to:
A. Cook data
B. Gain stealthy admin access
C. Format drives
D. Backup files
A
B
149
Q
- The goal of patch management is:
A. Add features
B. Fix vulnerabilities
C. Improve UI
D. Increase costs
A
B
150
Q
- An IS auditor’s final report should be:
A. Casual
B. Objective and fact-based
C. Only technical
D. One-liner
A
B
151
Q
- COBIT is a:
A. Web browser
B. Framework for IT governance
C. Virus scanner
D. ISP
A
B
152
Q
- What is the principle of “accountability” in IS?
A. Blaming others
B. Responsibility for actions
C. Avoiding audits
D. Ignoring logs
A
B
153
Q
- What is biometric authentication?
A. OTP
B. Using unique physical traits
C. Password
D. Token sharing
A
B
154
Q
- Why are default passwords risky?
A. Easy to remember
B. Widely known and easily guessed
C. Costly
D. Secure
A
B
155
Q
- The principle of “auditability” ensures:
A. Complex code
B. Activities are traceable
C. Data deletion
D. Process blocking
A
B
156
Q
- Why is role-based access control used?
A. Easy layout
B. Assign permissions based on job role
C. UI testing
D. Max access to all
A
B
157
Q
- What is a sandbox environment?
A. Playground
B. Isolated testing area
C. Audit report
D. Server room
A
B
158
Q
- In IS auditing, evidence must be:
A. Available on request
B. Relevant and reliable
C. Imaginary
D. Pre-planned
A
B
159
Q
- What is a digital signature used for?
A. Aesthetic purpose
B. Authenticate identity and integrity of message
C. Design
D. Hardware access
A
B
160
Q
- Why are audit trails important?
A. Party records
B. Evidence of activity for accountability
C. Backup music
D. Training
A
B
161
Q
- What is phishing aimed at?
A. UI testing
B. Stealing sensitive user data
C. Software update
D. Data formatting
A
B
162
Q
- What does IDS stand for?
A. Internet Drive Storage
B. Intrusion Detection System
C. Internal Design System
D. Input Debug System
A
B
163
Q
- What is change management?
A. Currency exchange
B. Control over modifications in systems
C. Staff hiring
D. Expense tracking
A
B
164
Q
- The goal of IS audit planning is:
A. Write code
B. Define scope, risks, and objectives
C. Recruit testers
D. Encrypt logs
A
B
165
Q
- What is uptime?
A. Error count
B. Time a system is operational
C. Report date
D. Audit gap
A
B
166
Q
- Data classification helps in:
A. Cleaning
B. Determining protection level required
C. Staff scheduling
D. Costing
A
B
167
Q
- Cybersecurity primarily focuses on:
A. Staff training
B. Protecting systems from digital threats
C. Marketing
D. HR
A
B
168
Q
- Which one is a detective control?
A. Firewall
B. IDS
C. Password policy
D. Training
A
B
169
Q
- IT asset disposal policy helps in:
A. Asset buying
B. Secure and compliant retirement of assets
C. Printing
D. Asset increase
A
B
170
Q
- What is authentication?
A. Guessing identity
B. Verifying user identity
C. Encrypting passwords
D. Backup files
A
B
171
Q
- Audit documentation should be:
A. Destroyed post audit
B. Clear and complete
C. Rough notes
D. Not recorded
A
B
172
Q
- The IS audit universe refers to:
A. Space research
B. All auditable units
C. Employee database
D. HR unit
A
B
173
Q
- Business impact analysis helps in:
A. Marketing
B. Identifying critical functions and impacts of disruption
C. HR planning
D. Layout design
A
B