Information Technology Audit

  1. Which is not the purpose of Risk analysis?
    1. It supports risk based audit decisions
    2. Assists the Auditor in determining Audit objectives
    3. Ensures absolute safety during the Audit
    4. Assists the Auditor in identifying risks and threats
  2. Which term best describes the difference between the sample and the population in the sampling process?
    1. Precision
    2. Tolerable error rate
    3. Level of Risk
    4. Analytical Data
  3. Name one of the purposes of creating a Business Continuity Plan
    1. To maximise the number of decisions made during an incident
    2. To minimise decisions needed during a crisis
    3. To lower business insurance premiums
    4. To provide guidance for federal regulations
  4. Failing to prevent or detect a material error would represent which type of risk?
    1. Overall Audit Risk
    2. Detection Risk
    3. Inherent Risk
    4. Control Risk
  5. Which is one of the bigger concerns regarding asset disposal?
    1. Residual Asset Value
    2. Employees taking disposed property home
    3. Standing data
    4. Environmental Regulations
  6. Who should issue organisational policies?
    1. Policies should originate from the bottom and move up to the middle management level for approval
    2. The policy should be issued in accordance with the approved standards by the middle management level
    3. Policy can be issued by any level of management based on a case to case basis
    4. The policy should be signed and enforced by the highest level of management
  7. A program check that ensures data entered by a data entry operator is complete is an example of a
    1. Detective Control
    2. Preventive Control
    3. Corrective Control
    4. Redundancy Control
  8. What is the primary objective in problem escalation?
    1. Improve customer satisfaction
    2. Optimise the number of skilled personnel
    3. Ensure the correct response
    4. Prove that the IT staff is competent
  9. Which of the following is LEAST important when Auditors review Internal Controls?
    1. The existence of an Audit Committee in the Organisation
    2. The Organisational structure and the Management style used by the Organisation
    3. The existence of a Budgeting System
    4. The number of Personnel working for the Organisation
  10. What is the best example of why plan testing is important?
    1. To prove the plan worked the first time
    2. To find the correct problems
    3. To show the team that is not pulling their own weight
    4. To verify that everyone shows up at the recovery site
  11. Continuity planners can create plans without the business impact analysis (BIA) process because
    1. Business Impact Analysis is not required
    2. Management already dictated all the key processes to be used
    3. Not possible, critical processes continuously change
    4. Risk assessment is acceptable
  12. What are the three competing demands to be addressed by the Project Management?
    1. Scope, Authority and Availability of Resources
    2. Time, Cost and Scope
    3. Requirements, Authority and Responsibility
    4. Authority, Organisational Culture and Scope
  13. How should management act to best deal with emergency changes?
    1. Emergency changes cannot be made without advanced testing
    2. All changes should still undergo review
    3. The change control process does not apply to emergency conditions
    4. Emergency changes are not allowed under any condition
  14. Which of the following is not an objective of a control?
    1. Reduce expected losses from irregularities
    2. Reduce the probability of an error occurring
    3. Reduce the amount of loss if an error occurs
    4. Provide for all the failures and to ensure that business is protected fully from such failures
  15. IT audit is the process of collecting and evaluating evidence to determine
    1. Whether a computer system safeguards assets
    2. Whether maintains data integrity
    3. Whether allows organisational goals to be achieved effectively and uses resources efficiently
    4. All of the above
  16. The objectives of IT audit include
    1. Ensures asset safeguarding
    2. Ensures that the attributes of data or information are maintained
    3. Both (a) and (b)
    4. None of the above
  17. Which is not an attribute of data or information
    1. Compliance
    2. Integrity
    3. Confidentiality
    4. Technology
  18. Which among the following does not encompass organisational and management controls within the information processing facility (IPF)
    1. Sound human resource policies and management practices
    2. Methods to assess effective and efficient operations.
    3. The regulatory framework within which the business is carried out
    4. Separation of duties within the information processing environment
  19. The essential aspect to be understood about the organisation subject to IT audit is
    1. Organisation’s business and its strategic goals and objectives
    2. The number of operating units / locations and their geographic dispersion
    3. Major pending projects in progress
    4. All of the above
  20. While understanding the type of software used in the organisation the IT auditor has to
    1. See the policy decision on developing software inhouse or to buy commercial products.
    2. Collect details of operating systems, application system and database management system
    3. Collect information relating to network architecture and technology to establish connectivity.
    4. All of the above
  21. The security goals of the organisation do not cover
    1. Confidentiality
    2. Probability and impact of occurrence
    3. Availability
    4. Integrity
  22. Find out the incorrect statement with reference to Risk assessment
    1. The detailed audit is needed where the risk assessment is low and the risk management is high
    2. An independent assessment is necessary whether threats have been countered / guarded against effectively and economically
    3. The assessment of the soundness of IT system will necessarily have to study the policies and process of risk management
    4. None of the above
  23. Consider the following statement and find out the correct one w.r.t. IT audit
    1. In inherent risk there is an assumption that there are related internal controls.
    2. In control risk errors will not be prevented or detected and corrected by the internal control system.
    3. The control risk associated with computerised data validation procedures is ordinarily high.
    4. None of the above
  24. What is the characteristic of ‘detective control’
    1. Minimise the impact of a threat
    2. Use controls that detect and report the occurrence of an error, omission or malicious act.
    3. Detect problems before they occur
    4. None of the above
  25. Which among the following is not characteristic of ‘preventive control’
    1. Monitor both operation and imports
    2. Prevent error, omission or malicious act from occurring
    3. Correct errors from occurring
    4. None of the above
  26. If IT access is not controlled or regulated through passwords, it indicates
    1. Poor security control
    2. High risk of the system getting hacked
    3. High risk of the system getting breached
    4. All of the above
  27. Basic risk areas which the external Govt. auditor may come across when reviewing internal audit’s work include
    1. Availability of sufficient resources, in terms of finance, staff and skills required
    2. Involvement of internal audit with IT system and under development
    3. Management not required to act on internal audit’s recommendations
    4. None of the above
  28. Which are the common audit objectives for an IT audit
    1. Review of the security of the IT system
    2. Evaluation of the performance of a system
    3. Examination of the system development process and the procedures followed at various stages involved
    4. All of the above.
  29. The type of audit evidence which the auditor should consider using in IT audit includes
    1. Observed process and existence of physical items
    2. Documentary audit evidence excluding electronic records
    3. Analysis excluding IT enabled analysis using
    4. None of the above
  30. Match the following w.r.t. interviews to be conducted with staff and the purpose of interviewing

    | Kinds of staff / personnel | Purpose of interview |
    | --- | --- |
    | (A) System analysis of programmers | (A) To determine whether any application system consumes abnormal amounts of resources. |
    | (B) Clerical / Data entry staff | (B) To determine their perceptions of how the system has affected the quality of working life |
    | (C) Users of an application system | (C) To determine how they correct input data. |
    | (D) Operation staff | (D) To obtain a better understanding of the functions and controls embedded with the system. |

    1. A–B; B–A; C–D; D–C
    2. A–D; B–C; C–A; D–A
    3. A–C; B–D; C–A; D–B
    4. None of the above
  32. Which of the following types of questions need to be included in the questionnaire(s)
    1. Ambiguous questions
    2. Leading questions
    3. Presumptuous questions
    4. Specific questions
  33. Analytical procedures are useful in the following way in collecting audit evidence in IT audit
    1. Use comparisons and relationships to determine whether account balances appear reasonable
    2. To decide which accounts do not need further verification
    3. To decide which audit areas should be more thoroughly investigated
    4. All of the above
  34. What is the commonly used example of generalised audit software?
    1. CAAT
    2. IDEA
    3. COBIT
    4. None of the above
  35. A higher risk of system violation happens where
    1. The audit module is not operational
    2. The audit module has been disabled
    3. The audit module is not periodically reviewed
    4. All of the above
  36. Which among the following is not a compliance test as related to IT environment
    1. Determining whether passwords are changed periodically.
    2. Determining whether systems logs are reviewed
    3. Determining whether program changes are authorised.
    4. Reconciling account balances
  37. Substantive tests as they relate to the IT environment do not include
    1. Conducting system availability analysis
    2. Conducting system outage analysis
    3. Performing system storage media analysis
    4. Determining whether a disaster recovery plan was tested
  38. Find out the incorrect statement w.r.t. attribute sampling used by IT auditors
    1. Attribute sampling is used in substantive testing situations
    2. Attribute sampling deals with the presence or absence of the attribute
    3. It provides conclusions that are expressed in rates of incidence
    4. None of the above
  39. Variable sampling is used and deals with and provide
    1. Applied in substantive testing situations
    2. Deals with population characteristics that vary
    3. Provides conclusions related to deviations from the norm
    4. All of the above
  40. Which among the following is true as to Audit Reporting
    1. Normal reporting format is not adhered to in the case of IT Audit
    2. In IT audit, the base of the focus is the system
    3. In IT audit the audience for the report should normally be ignored
    4. None of the above
  41. The conclusions of the IT audit report do not include
    1. Sweeping conclusions regarding absence of controls and risks
    2. A mismatch between hardware procurement and software development in the absence of IT policy
    3. Haphazard development which cannot be ascribed to lack of IT policy
    4. All of the above
  42. Which among the following is not a limitation in IT Audit
    1. Data used not from production environment
    2. If there is only production environment and audit could not test dummy data
    3. “Read only Access” given to audit
    4. None of the above
  43. With the help of what tools, IT auditor can plan for 100% substantive testing
    1. CAATs tools
    2. CMM (Software)
    3. COBIT
    4. None of the above
  44. The reason for management’s failure to use information properly is
    1. Failure to identify significant information
    2. Failure to interpret the meaning and value of the acquired information
    3. Failure to communicate information to the decision maker
    4. All of the above
  45. Find out the incorrect statement
    1. Distributed networks may decrease the risk of data inconsistencies
    2. Application software developed inhouse may have lower inherent risk than vendor supplied software
    3. Peripheral access devices or system interfaces can increase inherent risk
    4. None of the above
  46. Categories of general control do not include
    1. Logical access controls
    2. Acquisition and program change controls
    3. Control over standing data and master files
    4. None of the above
  47. Application controls include
    1. IT operational controls
    2. Control over processing
    3. Physical controls
    4. None of the above
  48. What legal protection is available to prevent theft or illegal copying of software
    1. Computer misuse legislation
    2. Data protection and privacy legislation
    3. Copyright laws
    4. None of the above
  49. Match the following w.r.t. the following critical elements and their impact

    | Critical element | Impact |
    | --- | --- |
    | (A) Poor reporting structures | (A) Cannot satisfactorily review the computer systems and associated controls |
    | (B) Inappropriate or no IT planning | (B) Leads to security breaches, data loss, fraud and errors |
    | (C) Security policies not in place or not enforced | (C) Leads to business growth being constrained by a lack of IT resources |
    | (D) Ineffective internal audit function | (D) Leads to inadequate decision making and affect the future as a going concern |

    1. A–D; B–A; C–B; D–C
    2. A–D; B–C; C–B; D–A
    3. A–B; B–A; C–D; D–C
    4. None of the above
  51. The risk areas associated with poorly controlled computer operations include
    1. Applications not run correctly
    2. Loss or corruption of financial applications
    3. Lack of backups and contingency planning
    4. All of the above
  52. In case of outsourcing IT activities the IT auditor should
    1. Review the policies and procedures which ensure the security of the financial data
    2. Obtain a copy of the contract to determine if adequate controls have been specified
    3. Ensure that audit needs are taken into account and included in the contracts
    4. All of the above
  53. While reviewing the network management and control the IT auditor is required to
    1. Review the security and controls in non-financial systems
    2. Review the security and controls in financial systems
    3. Either (a) or (b) depending upon scope of audit and SAI’s mandate
    4. None of the above
  54. Which among the following is not true w.r.t. logical access controls
    1. Logical access control usually depends on the in-built security facilities
    2. The importance of logical access controls is increased where physical access control is more effective
    3. Logical access control exists at both an installation and application level
    4. None of the above
  55. Weak input control may increase the risk of
    1. Entry of unauthorised data
    2. Incomplete data entry
    3. Entry of duplicate / redundant data
    4. All of the above
  56. Weak process controls would lead to:
    1. Unauthorised changes or amendments to the existing data
    2. Absence of audit trail, sometimes rendering the application unauditable
    3. Inaccurate processing of transactions leading to wrong outputs / results
    4. All of the above


  6. Which of the following statements is true:

    a) Carrying out audit using traditional substantive audit procedures may be difficult or even not feasible if the company prepares, records and conducts majority of business activities through IT systems only.

    b) Carrying out audit using traditional substantive audit procedures may not be difficult if the company prepares, records and conducts majority of business activities through IT systems only.

    c) Auditor can ignore substantive audit procedures where all business activities and reports are prepared only by using IT systems.

    d) It is enough for the auditor to test operating effectiveness of IT systems without further verification of transactions and account balances, in case of Automated Environment
