Review 4

Question 1

Which type of sampling is best when dealing with population characteristics such as dollar amounts and weights?

A. Attribute sampling
B. Variable sampling
C. Stop-and-go sampling
D. Discovery sampling

Answer 1

B. Variable sampling

Question 2

Which of the following sampling techniques is generally applied to compliance testing?

A. Attribute sampling
B. Variable sampling
C. Stop-and-go sampling
D. Discovery sampling

Answer 2

A. Attribute sampling

Question 3

To guarantee the confidentiality of client information, an auditor should do which of the following when reviewing such information?

A. Contact the CEO or CFO and request what sensitive information
can and cannot be disclosed to authorities
B. Assume full responsibility for the audit archive and stored data
C. Leave all sensitive information at the owners’ facility
D. Not back up any of his or her work papers

Answer 3

C. Leave all sensitive information at the owners’ facility

Question 4

Which of the following best describes materiality?

A. An audit technique used to evaluate the need to perform an audit
B. The principle that individuals, organizations, and the community are responsible for their actions and might be required to explain them
C. The auditor’s independence and freedom from conflict of interest
D. An auditing concept that examines the importance of an item of information in regard to the impact or effect on the entity being audited

Answer 4

D. An auditing concept that examines the importance of an item of information in regard to the impact or effect on the entity being audited

Question 5

Which of the following sampling technique is best to use to prevent excessive sampling?

A. Attribute sampling
B. Variable sampling
C. Stop-and-go sampling
D. Discovery sampling

Answer 5

C. Stop-and-go sampling

Question 6

Which of the following descriptions best defines auditor independence?

A. The auditor has high regard for the company and holds several hundred shares of the company’s stock
B. The auditor has a history of independence and even though the auditor has a niece that is employed by the company, he has stated that this is not a concern
C. The auditor has previously given advice to the organization’s design staff while employed as the auditor
D. The auditor is objective, not associated with the organization, and free of any connections to the client

Answer 6

D. The auditor is objective, not associated with the organization, and free of any connections to the client

Question 7

Which of the following meets the description “the primary objective is to leverage the internal audit function by placing responsibility of control and monitoring onto the functional areas”?

A. Integrated auditing
B. Control self-assessment
C. Automated work papers
D. Continuous auditing

Answer 7

B. Control self-assessment

Question 8

Which of the following sampling techniques would be best to use if the expected discovery rate is extremely low?

A. Attribute sampling
B. Variable sampling
C. Stop-and-go sampling
D. Discovery sampling

Answer 8

D. Discovery sampling

Question 9

Which of the following offers how-to information?

A. Standards
B. Policy
C. Guidelines
D. Procedures

Answer 9

D. Procedures

Question 10

The type of risk that might not be detected by a system of internal controls is defined as which of the following?

A. Control risk
B. Audit risk
C. Detection risk
D. Inherent risk

Answer 10

A. Control risk

Question 11

Which of the following items makes computer-assisted audit techniques (CAAT) important to an auditor?

A. A large amount of information is obtained by using specific techniques to analyze systems.
B. An assistant or untrained professional with no specialized training can utilize CAAT tools, which frees up the auditor to participate in other activities.
C. CAAT requires more human involvement in the analysis than multifunction audit utilities.
D. CAAT requires the auditor to reduce the sampling rate and provides a more narrow audit coverage.

Answer 11

A. A large amount of information is obtained by using specific techniques to analyze systems.

Question 12

The risk that a material error will occur because of weak controls or no controls is known as which of the following?

A. Control risk
B. Audit risk
C. Detection risk
D. Inherent risk

Answer 12

D. Inherent risk

Question 13

You have been asked to audit a series of controls. Using Figure E.1 as your reference, what type of control have you been asked to examine?

Answer 13

?

Question 14

Which of the following is the best tool to extract data that is relevant to the audit?

A. Integrated auditing
B. Generalized audit software
C. Automated work papers
D. Continuous auditing

Answer 14

B. Generalized audit software

Question 15

You have been asked to perform an audit of the disaster-recovery procedures. As part of this process, you must use statistical sampling techniques to inventory all backup tapes. Which of the following descriptions best defines what you have been asked to do?

A. Continuous audit
B. Integrated audit
C. Compliance audit
D. Substantive audit

Answer 15

D. Substantive audit

Question 16

According to ISACA, which of the following is the fourth step in the risk based audit approach?

A. Gather information and plan
B. Perform compliance tests
C. Perform substantive tests
D. Determine internal controls

Answer 16

C. Perform substantive tests

Question 17

Which general control procedure most closely maps to the information systems control procedure that specifies, “Operational controls that are focused on day-to-day activities”?

A. Business continuity and disaster-recovery procedures that provide reasonable assurance that the organization is secure against disasters
B. Procedures that provide reasonable assurance for the control of database administration
C. System-development methodologies and change-control procedures that have been implemented to protect the organization and maintain compliance
D. Procedures that provide reasonable assurance to control and manage data-processing operations

Answer 17

D. Procedures that provide reasonable assurance to control and manage data-processing operations

Question 18

Which of the following is the best example of a detective control?

A. Access-control software that uses passwords, tokens, and/or
biometrics
B. Intrusion-prevention systems
C. Backup procedures used to archive data
D. Variance reports

Answer 18

D. Variance reports

Question 19

Which of the following is not one of the four common elements needed to determine whether fraud is present?

A. An error in judgment
B. Knowledge that the statement was false
C. Reliance on the false statement
D. Resulting damages or losses

Answer 19

A. An error in judgment

Question 20

You have been asked to implement a continuous auditing program. With this in mind, which of the following should you first identify?

A. Applications with high payback potential
B. The format and location of input and output files
C. Areas of high risk within the organization
D. Targets with reasonable thresholds

Answer 20

C. Areas of high risk within the organization

Question 21

Which of the following should be the first step for organizations wanting to develop an information security program?

A. Upgrade access-control software to a biometric or token system
B. Approve a corporate information security policy statement
C. Ask internal auditors to perform a comprehensive review
D. Develop a set of information security standards

Answer 21

B. Approve a corporate information security policy statement

Question 22

Which of the following is primarily tasked with ensuring that the IT department is properly aligned with the goals of the business?

A. Chief executive officer
B. Board of directors
C. IT steering committee
D. Audit committee

Answer 22

C. IT steering committee

Question 23

The balanced score card differs from historic measurement schemes, in that it looks at more than what?

A. Financial results
B. Customer satisfaction
C. Internal process efficiency
D. Innovation capacity

Answer 23

A. Financial results

Question 24

Which of the following is the purpose of enterprise architecture (EA)?

A. Ensure that internal and external strategy are aligned
B. Map the IT infrastructure of the organization
C. Map the IT infrastructure of the organization and ensure that its
design maps to the organization’s strategy
D. Ensure that business strategy and IT investments are aligned

Answer 24

D. Ensure that business strategy and IT investments are aligned

Question 25

Which of the following types of planning entails an outlook of greater than three years?

A. Daily planning
B. Long-term planning
C. Operational planning
D. Strategic planning

Answer 25

D. Strategic planning

Question 26

A new IT auditor has been asked to examine some processing, editing, and validation controls. Can you help define the control shown in Figure E.2?

A. Validity check
B. Reasonableness check
C. Existence check
D. Range check

Answer 26

C. Existence check

Question 27

Senior management needs to select a strategy to determine who will pay for the information system’s services. Which of the following payment methods is known as a “pay as you go” system?

A. Single cost
B. Shared cost
C. Chargeback
D. Sponsor pays

Answer 27

C. Chargeback

Question 28

Which of the following is the best method to identify problems between procedure and activity?

A. Policy review
B. Direct observation
C. Procedure review
D. Interview

Answer 28

B. Direct observation

Question 29

You are working with a risk-assessment team that is having a hard time calculating the potential financial loss to the company’s brand name that could result from a risk. What should the team do next?

A. Calculate the return on investment (ROI)
B. Determine the single loss expectancy (SLE)
C. Use a qualitative approach
D. Review actuary tables

Answer 29

C. Use a qualitative approach

Question 30

What operation-migration strategy has the highest possible level of risk?

A. Parallel
B. Hard
C. Phased
D. Intermittent

Answer 30

B. Hard

Question 31

Many organizations require employees to rotate to different positions. Why?

A. Help deliver effective and efficient services
B. Provide effective cross-training
C. Reduce the opportunity for fraud or improper or illegal acts
D. Increase employee satisfaction

Answer 31

C. Reduce the opportunity for fraud or improper or illegal acts

Question 32

The balanced score card looks at four metrics. Which of the following is not one of those metrics?

A. External operations
B. The customer
C. Innovation and learning
D. Financial data

Answer 32

A. External operations

Question 33

You have been assigned to a software-development project that has 80 linked modules and is being developed for a system that handles several million transactions per year. The primary screen of the application has data items that carry up to 20 data attributes. You have been asked to work with the audit staff to determine a true estimate of the development effort.
Which of the following is the best technique to determine the size of the project?

A. White-boxing
B. Black-boxing
C. Function point analysis
D. Source lines of code

Answer 33

C. Function point analysis

Question 34

Which of the following is the preferred tool for estimating project time when a degree of uncertainty exists?

A. Program Evaluation and Review Technique (PERT)
B. Source lines of code (SLOC)
C. Gantt
D. Constructive Cost Model (COCOMO)

Answer 34

A. Program Evaluation and Review Technique (PERT)

Question 35

Which of the following techniques is used to determine what activities are critical and what the dependencies are among the various tasks?

A. Compiling a list of each task required to complete the project
B. COCOMO
C. Critical path methodology (CPM)
D. Program Evaluation and Review Technique (PERT)

Answer 35

C. Critical path methodology (CPM)

Question 36

Which of the following is considered a traditional system development lifecycle model?

A. The waterfall model
B. The spiral development model
C. The prototyping model
D. Incremental development

Answer 36

A. The waterfall model

Question 37

You have been assigned as an auditor to a new software project. The team members are currently defining user needs and then mapping how the proposed solution meets the need. At what phase of the SDLC are they?

A. Feasibility
B. Requirements
C. Design
D. Development

Answer 37

B. Requirements

Question 38

Which of the following is not a valid output control?

A. Logging
B. Batch controls
C. Security signatures
D. Report distribution

Answer 38

B. Batch controls

Question 39

The following question references Figure E.3. Item A refers to which of the following?

A. Foreign key
B. Tuple
C. Attribute
D. Primary key
Figure E.3.

Answer 39

D. Primary key

Question 40

You have been asked to suggest a control that could be used to determine whether a credit card transaction is legitimate or potentially from a stolen credit card. Which of the following would be the best tool for this need?

A. Decision support systems
B. Expert systems
C. Intrusion-prevention systems
D. Data-mining techniques

Answer 40

D. Data-mining techniques

Question 41

You have been asked to suggest a control that can be used to verify that batch data is complete and was transferred accurately between two applications. What should you suggest?

A. A control total
B. Check digit
C. Completeness check
D. Limit check

Answer 41

A. A control total

Question 42

Which of the following types of programming language is used to develop decision support systems?

A. 2GL
B. 3GL
C. 4GL
D. 5GL

Answer 42

C. 4GL

Question 43

You have been asked to work with a new project manager. The project team has just started work on the payback analysis. Which of the following is the best answer to identify the phase of the system development lifecycle of the project?

A. Feasibility
B. Requirements
C. Design
D. Development

Answer 43

A. Feasibility

Question 44

In many ways, IS operations is a service organization because it provides services to its users. As such, how should an auditor recommend that the percentage of help-desk or response calls answered within a given time be measured?

A. Uptime agreements
B. Time service factor
C. Abandon rate
D. First call resolution

Answer 44

B. Time service factor

Question 45

What is the correct term for items that can occur without human interaction?

A. Lights out
B. Automated processing
C. “Follow the sun” operations
D. Autopilot operations

Answer 45

A. Lights out

Question 46

Which of the following is an example of a 2GL language?

A. SQL
B. Assembly
C. FORTRAN
D. Prolog

Answer 46

B. Assembly

Question 47

When discussing web services, which of the following best describes a proxy server?

A. Reduces load for the client system
B. Improves direct access to the Internet
C. Provides an interface to access the private domain
D. Provides high-level security services

Answer 47

C. Provides an interface to access the private domain

Question 48

Regarding cohesion and coupling, which is best?

A. High cohesion, high coupling
B. High cohesion, low coupling
C. Low cohesion, low coupling
D. Low cohesion, high coupling

Answer 48

B. High cohesion, low coupling

Question 49

Bluetooth class 1 meets which of the following specifications?

A. Up to 5 m of range and .5 mW of power
B. Up to 10 m of range and 1 mW of power
C. Up to 20 m of range and 2.5 mW of power
D. Up to 100 m of range and 100 mW of power

Answer 49

D. Up to 100 m of range and 100 mW of power

Question 50

When discussing electronic data interface (EDI), which of the following terms best describes the device that transmits and receives electronic documents between trading partners?

A. Value Added Network (VAN)
B. X12
C. Communications handler
D. Electronic Data Interchange For Administration Commerce And Transport (EDIFACT)

Answer 50

C. Communications handler

Question 51

What type of network is used to connect multiple servers to a centralized pool of disk storage?

A. PAN
B. LAN
C. SAN
D. MAN

Answer 51

C. SAN

Question 52

Which following question references Figure E.4. Item C refers to which of the following?

A. Foreign Key
B. Tuple
C. Attribute
D. Primary Key

Answer 52

C. Attribute

Question 53

Which layer in the CSI model is responsible for packet routing?

A. Application
B. Transport
C. Session
D. Network

Answer 53

D. Network

Question 54

Which of the following types of testing is usually performed at the implementation phase, when the project staff is satisfied with all other tests and the application is ready to be deployed?

A. Final acceptance testing
B. System testing
C. Interface testing
D. Unit testing

Answer 54

A. Final acceptance testing

Question 55

Which of the following devices can be on the edge of networks for basic packet filtering?

A. Bridge
B. Switch
C. Router
D. VLAN

Answer 55

C. Router

Question 56

MAC addresses are most closely associated with which layer of the OSI model?

A. Data Link
B. Network
C. Session
D. Physical

Answer 56

A. Data Link

Question 57

The IP address of 128.12.3.15 is considered to be which of the following?

A. Class A
B. Class B
C. Class C
D. Class D

Answer 57

B. Class B

Question 58

Which of the following statements is MOST correct? RIP is considered…

A. A routing protocol
B. A routable protocol
C. A distance-vector routing protocol
D. A link-state routing protocol.

Answer 58

C. A distance-vector routing protocol

Question 59

Which of the following test types used after a change to verify that inputs and outputs are correct?

A. Regression testing
B. System testing
C. Interface testing
D. Pilot testing

Answer 59

A. Regression testing