Information Technology Audit

  1. Which is not the purpose of Risk analysis?
    1. It supports risk based audit decisions
    2. Assists the Auditor in determining Audit objectives
    3. Ensures absolute safety during the Audit
    4. Assists the Auditor in identifying risks and threats
  2. Which term best describes the difference between the sample and the population in the sampling process?
    1. Precision
    2. Tolerable error rate
    3. Level of Risk
    4. Analytical Data
  3. Name one of the purposes of creating Business Continuity Plan
    1. To maximise the number of decisions made during an incident
    2. To minimise decisions needed during a crisis
    3. To lower business insurance premiums
    4. To provide guidance for federal regulations
  4. Failing to prevent or detect a material error would represent which type of risk?
    1. Overall Audit Risk
    2. Detection Risk
    3. Inherent Risk
    4. Control Risk
  5. Which is one of the bigger concerns regarding asset disposal?
    1. Residual Asset Value
    2. Employees taking disposed property home
    3. Standing data
    4. Environmental Regulations
  6. Who should issue ogranisational policies?
    1. Policies should originate from the bottom and move upto the middle management level for approval
    2. The policy should be issued in accordance with the approved standards by the middle management level
    3. Policy can be issued by any level of management based on a case to case basis
    4. The policy should be signed and enforced by the highest level of management
  7. A program check that ensures data entered by a data entry operator is complete is an example of a
    1. Detective Control
    2. Preventive Control
    3. Corrective Control
    4. Redundancy Control
  8. What is the primary objective in problem escalation?
    1. Improve customer satisfaction
    2. Optimise the number of skilled personnel
    3. Ensure the correct response
    4. Prove that the IT staff is competent
  9. Which of the following is LEAST important when Auditors review Internal Controls?
    1. The existence of an Audit Committee in the Organisation
    2. The Organisational structure and the Management style used by the Organisation
    3. The existence of a Budgeting System
    4. The number of Personnel working for the Organisation
  10. What is the best example of why plan testing is important?
    1. To prove the plan worked the first time
    2. To find the correct problems
    3. To show the team that is not pulling their own weight
    4. To verify that everyone shows up at the recovery site
  11. Continuity planners can create plans without the business impact analysis (BIA) process because
    1. Business Impact Analysis is not required
    2. Management already dictated all the key processes to be used
    3. Not possible, critical processes continuously changes
    4. Risk assessment is acceptable
  12. What are the three competing demands to be addressed by the Project Management?
    1. Scope, Authority and Availability of Resources
    2. Time, Cost and Scope
    3. Requirements, Authority and Responsibility
    4. Authority, Organisational Culture and Scope
  13. How should management act to best deal with emergency changes?
    1. Emergency changes can not be made without advanced testing
    2. All changes should still undergo review
    3. The changes control process does not apply to emergency conditions
    4. Emergency changes are not allowed under any condition
  14. Which is the following is not an objective of a control?
    1. Reduce expected losses from irregularities
    2. Reduce the probability of an error occurring
    3. Reduce the amount of loss if an occurs
    4. Provide for all the failures and to ensure that business is protected fully from such failures
  15. IT audit is the process of collecting and evaluating evidence to determine
    1. Whether a computer system safeguards assets
    2. Whether maintains data integrity
    3.  Whether allows organisational goals to be achieved effectively and uses resources efficiently
    4. All of the above
  16. The objectives of IT audit include
    1. Ensures asset safeguarding
    2. Ensures that the attributes of data or information are maintained
    3. Both (a) and (b)
    4. None of the above
  17. Which is not an attribute of data or information
    1. Compliance
    2. Integrity
    3. Confidentiality
    4. Technology
  18. Which among the following does not encompass organisational and management controls within the information processing facility (IPF)
    1. Sound human resource policies and management practices
    2. Methods to assess effective and efficient operations.
    3. The regulatory framework within which the business is carried out
    4. Separation of duties within the information processing environment
  19. The essential aspect to be understood about the organisation subject to IT audit is
    1. Organisation’s business and its strategic goals and objectives
    2. The number of operating units / locations and their geographic dispersion
    3. Major pending projects in progress
    4. All of the above
  20. While understanding the type of software used in the organisation the IT auditor has to
    1. See the policy decision on developing software inhouse or to buy commercial products.
    2. Collect details of operating systems, application system and database management system
    3. Collect information relating to network architecture and technology to establish connectivity.
    4. All of the above
  21. The security goals of the organisation does not cover
    1. Confidentiality
    2. Probability and impact of occurrence
    3. Availability
    4. Integrity
  22. Find out the incorrect statement with reference to Risk assessment
    1. The detailed audit is needed where the risk assessment is low and the risk management is high
    2. An independent assessment is necessary whether threats have been countered / guarded against effectively and economically
    3. The assessment of the soundness of IT system will necessarily have to study the policies and process of risk management
    4. None of the above
  23. Consider the following statement and find out the correct one w.r.t. IT audit
    1. In inherent risk there is an assumption that there are related internal controls.
    2. In control risk errors will not be prevented or detected and corrected by the internal control system.
    3. The control risk associated with computerised data validation procedures is ordinarily high.
    4. None of the above
  24. What is the characteristic of ‘detective control’
    1. Minimise the impact of a threat
    2. Use controls that detect and report the occurrence of an error, omission or malicious act.
    3. Detect problems before they occur
    4. None of the above
  25. Which among the following is not characteristic of ‘preventive control’
    1. Monitor both operation and imports
    2. Prevent error, omission or malicious act from occurring
    3. Correct errors from occurring
    4. None of the above
  26. IT access is not controlled or regulated though password it indicates
    1. Poor security control
    2. High risk of the system getting hacked
    3. High risk of the system getting breached
    4. All of the above
  27. Basic risk areas which the external Govt. auditor may come across when reviewing internal audit’s work include
    1. Availability of sufficient resources, in terms of finance, staff and skills required
    2. Involvement of internal audit with IT system and under development
    3. Management not required to act on internal audit’s recommendations
    4. None of the above
  28. Which is the common audit objectives for an IT audit
    1. Review of the security of the IT system
    2. Evaluation of the performance of a system
    3. Examination of the system development process and the procedures followed at various stages involved
    4. All of the above.
  29. The type of audit evidence which the auditor should consider using in IT audit includes
    1. Observed process and existence of physical items
    2. Documentary audit evidence excluding electronic records
    3. Analysis excluding IT enabled analysis using
    4. None of the above
  30. Match the following w.r.t interviews to be conducted with staff and purpose interviewing Kinds of staff / personnel Purpose of interview
  31. (A) System analysis of programmers (A) To determine whether any application system to consume abnormal amounts of resources.
    (B) Clerical / Data entry staff (B) To determine their perceptions of how the system has affected the quality of working life
    (C) Users of an application systems (C) To determine how they correct input data.
    (D) Operation staff(D) To obtain a better understanding of the functions and controls embedded with the system.
    1. A–B; B–A; C–D; D–C
    2. A–D; B–C; C–A; D–A
    3. A–C; B–D; C–A; D–B
    4. None of the above
  32. Which of the following type of questions need to be included in the questionnaire(s)
    1. Ambiguous questions
    2. Leading questions
    3. Presumptuous questions
    4. Specific questions
  33. Analytical procedures are useful in the following way in collecting audit evidence in IT audit
    1. Use comparisons and relationships to determine whether account balances appear reasonable
    2. To decide which accounts do not need further verification
    3. To decide which audit areas should be more thoroughly investigated
    4. All of the above
  34. What is the commonly used example of generalised audit software?
    1. CAAT
    2. IDEA
    3. COBIT
    4. None of the above
  35. A higher risk of system violation happens where
    1. The audit module is not operational
    2. The audit module has been disabled
    3. The audit module is not periodically reviewed
    4. All of the above
  36. Which among the following is not a compliance test as related to IT environment
    1. Determining whether passwords are changed periodically.
    2. Determining whether systems logs are reviewed
    3. Determining whether program changes are authorised.
    4. Reconciling account balances
  37. Substantive tests as they relate to the IT environment does not include
    1. Conducting system availability analysis
    2. Conducting system outage analysis
    3. Performing system storage media analysis
    4. Determining whether a disaster recovery plan was tested
  38. Find out the incorrect statement w.r.t. attribute sampling used by IT auditors
    1. Attribute sampling is used in substantive testing situations
    2. Attribute sampling deals with the presence or absence of the attribute
    3. It provides conclusions that are expressed in rates of incidence
    4. None of the above
  39. Variable sampling is used and deals with and provide
    1. Applied in substantive testing situations
    2. Deals with population characteristics that vary
    3. Provides conclusions related to deviations from the norm
    4. All of the above
  40. Which among the following is true as to Audit Reporting
    1. Normal reporting format is not adhered to in the case of IT Audit
    2. In IT audit, the base of the focus is the system
    3. In IT audit the audience for the report should normally be ignored
    4. None of the above
  41. The conclusions of the IT audit report does not include
    1. Sweeping conclusions regarding absence of controls and risks
    2. A mismatch between hardware procurement and software development in the absence of IT policy
    3. Haphazard development which cannot be ascribed to lack of IT policy
    4. All of the above
  42. Which among the following is not a limitation in IT Audit
    1. Data used not from production environment
    2. If these is only production environment and audit could not test dummy data
    3. “Read only Access” given to audit
    4. None of the above
  43. With the help of what tools, IT auditor can plan for 100% substantive testing
    1. CAATs tools
    2. CMM (Software)
    3. COBIT
    4. None of the above
  44. The reason for management’s failure to use information properly is
    1. Failure to identify significant information
    2. Failure to interpret the meaning and value of the acquired information
    3. Failure to communicate information to the decision maker
    4. All of the above
  45. Find out the incorrect statement
    1. Distributed networks may decrease the risk of data inconsistencies
    2. Application software developed inhouse may have lower inherent risk than vendor supplied software
    3. Peripheral access devices or system interfaces can increase inherent risk
    4. None of the above
  46. Categories of general control do not include
    1. Logical access controls
    2. Acquisition and program change controls
    3. Control over standing data and master files
    4. None of the above
  47. Application controls includes
    1. IT operational controls
    2. Control over processing
    3. Physical controls
    4. None of the above
  48. What legal protection is available to prevent theft illegal copying of software
    1. Computer misuse legislation
    2. Data protection and privacy legislation
    3. Copyright laws
    4. None of the above
  49. Match the following w.r.t. the following critical elements and its impact
  50. (A) Poor reporting structures (A) Cannot satisfactorily review the computer systems and associated controls
    (B) Inappropriate or no IT planning (B) Leads to security breaches, data loss fraud and errors
    (C) Security policies not in place or not enforced (C) Leads to business growth being constrained by a lack of IT resources
    (D) Ineffective internal audit function(D) Leads to inadequate decision making and affect the future as a going concern
    1. A–D; B–A; C–B; D–C
    2. A–D; B–C; C–B; D–A
    3. A–B; B–A; C–D; D–C
    4. None of the above
  51. The risk areas associated with poorly controlled computer operations include
    1. Applications not run correctly
    2. Loss or corruption of financial applications
    3. lack of backups and contingency planning
    4. All of the above
  52. In case of outsourcing IT activities the IT auditor should
    1. Review the policies and procedures which ensure the security of the financial data
    2. Obtain a copy of the contract to determine if adequate controls have been specified
    3. Ensure that audit needs are taken into account and included in the contracts
    4. All of the above
  53. While reviewing the network management and control the IT auditor is required to
    1. Review the security and controls in non-financial systems
    2. Review the security and controls in financial system’
    3. Either (a) or (b) depending upon scope of audit and SAI’s mandate
    4. None of the above
  54. Which among the following is not true w.r.t. logical access controls
    1. Logical access control usually depend on the in – built security facilities
    2. The importance of logical access controls is increased where physical access control is more effective
    3. logical access control exits at both an installation and application level
    4. None of the above
  55. Weak input control may increase the risk of
    1. Entry of an authorised data
    2. incomplete data entry
    3. Entry of duplicate / redundant data
    4. All of the above
  56. Weak process controls would lead to:
    1. Unauthorised changes or amendments to the existing data
    2. Absence of audit trial rendering, sometimes the application unauditable
    3. Inaccurate processing of transactions leading to wrong outputs / results
    4. All of the above


  1. Those rules moreover attempted to wind up plainly a decent approach to perceive that other individuals online have the indistinguishable enthusiasm like mine to get a handle on incredible arrangement more around this conditioninternal audit firms in dubai

  2. Your very own commitment to getting the message throughout came to be rather powerful and have consistently enabled employees just like me to arrive at their desired goals.professional auditing services in uae

  3. That is very interesting; you are a very skilled blogger. I have shared your website in my social networks! A very nice guide. I will definitely follow these tips. Thank you for sharing such detailed article. esi registration in india

  4. Thanks for a great tips, This would be a different idea from the routine tips. As an ISO 9001 certified company with over 30 years international experience in accounting, VAT and technology, we have the unique capabilities to ensure you are fully compliant to the UAE legislation. See our range of articles, white papers and learning resources and self-study material to learn accounting, VAT and taxation at your own pace

  5. And indeed, I’m just always astounded concerning the remarkable things served by you. Some four facts on this page are undeniably the most effective I’ve had
    Project Management

  6. Informative post indeed, I’ve being in and out reading posts regularly. we provide smsf audit Australia at affordable prices. for more info visit our website.

  7. Which of the following statement is true:

    a) Carrying out audit using traditional substantive audit procedures may be difficult or even not feasible if the company prepares, records and conducts majority of business activities through IT systems only.

    b) Carrying out audit using traditional substantive audit procedures may not be difficult if the company prepares, records and conducts majority of business activities through IT systems only.

    c) Auditor can ignore substantive audit procedures where all business activities and reports are prepared only by using IT systems.

    d) It is enough for the auditor to test operating effectiveness of IT systems without further verification of transactions and account balances, in case of Automated Environment

  8. You can choose compliance management system over a compliance professionals because it will give you standard required output in less cost.

  9. Alas! IT auditing information in the form of questionnaire, this will help the readers to understand all about IT auditing. A worth reading and informative blog for people like me who are working in the field. Thanks for posting such blog on IT auditing. I often wonder how people confuse with IT auditing and Financial auditing which is not the same.

  10. We are fortunate to have an innovator like you amongst us.
    software service

  11. I got some wonderful knowledge from this post, as it contains some useful questions IT audit which is good for knowledge. Thanks for posting it. UPS Audit

  12. Interesting article. I have bookmarked your site for future reference. Please check my latest post on the audit companies in UAE and let me know what you think.

  13. Security audits are necessary, from security and vulnerability assessment to penetration test and compliance audit. Your article isn’t only useful but it is additionally really informative. As a cyber security company information security audit services, I am glad to come across this. Thank you for sharing this guide.

  14. I admire your unique way of writing especially the style of using the idioms and phrases which is mind-blowing. I hope you will not mind if I adopt this style of your. Many thanks.
    introduction to business law

  15. I admire this article for the well-researched content and excellent wording. I got so involved in this material that I couldn’t stop reading. I am impressed with your work and skill. Thank you so much.Iso 9001 Pennsylvania

  16. Thanks for giving us useful information about the Upcoming cars, if you see more check this site New Upcoming cars and bikes in India 2022 Best deal under your budget.

  17. I really appreciate your efforts. Great efforts towards the humanity. If anyone wants to get more knowledge or wants to learn SAS can contact me 9311002620 or visit our website-

  18. Thanks for your post. It's very helpful post for us. You can also visit UPS Audit for more Victor Steel related information. I would like to thanks for sharing this article here.

  19. IFO a hundred and eighty and 380 fees plenty much less than MDO, normally approximately 1/2 of the fee. Ships eat a number of gasoline. So gasoline price is a primary concern. I actually have a few suggestions.Shipping from china


Post a Comment