MULTIPLE CHOICE
1. All of the following are components of audit risk except
a. control risk
b. legal risk
c. detection risk
d. inherent risk
2. Which of the following is true?
a. In the CBIS environment, auditors gather evidence relating only to the contents of databases, not the reliability of the computer system.
b. Conducting an audit is a systematic and logical process that applies to all forms of information systems.
c. Substantive tests establish whether internal controls are functioning properly.
d. IT auditors prepare the audit report if the system is computerized.
3. Attestation services require all of the following except
a. written assertions and a practitioner's written report
b. the engagement is designed to conduct risk assessment of the client's systems to verify their degree of SOX compliance
c. the formal establishment of measurements criteria
d. the engagement is limited to examination, review, and application of agreed-upon procedures
4. Which of the following is NOT an implication of section 302 of the Sarbanes-Oxley Act?
a. Auditors must determine, whether changes in internal control has, or is likely to, materially affect internal control over financial reporting.
b. Auditors must interview management regarding significant changes in the design or operation of internal control that occurred since the last audit.
c. Corporate management (including the CEO) must certify monthly and annually their organization's internal controls over financial reporting.
d. Management must disclose any material changes in the company's internal controls that have occurred during the most recent fiscal quarter.
5. Substantive tests include
a. examining the safety deposit box for stock certificates
b. reviewing systems documentation
c. completing questionnaires
d. observation
6. The order of the entries made in the ledger is by
a. transaction number
b. account number
c. date
d. user
7. In a computerized environment, a list of authorized suppliers would be found in the
a. master file
b. transaction file
c. reference file
d. archive file
8. Data flow diagrams
a. depict logical tasks that are being performed, but not who is performing them
b. illustrate the relationship between processes, and the documents that flow between them and trigger activities
c. represent relationships between key elements of the computer system
d. describe in detail the logic of the process
9. The type of transaction most suitable for batch processing is
a. airline reservations
b. credit authorization
c. payroll processing
d. adjustments to perpetual inventory
10 Which method of processing does not use the destructive update approach?
a. batch processing using direct access files
b. real-time processing
c. batch processing using sequential files
d. all of the above use the destructive update approach
11. All of the following are issues of computer security except
a. releasing incorrect data to authorized individuals
b. permitting computer operators unlimited access to the computer room
c. permitting access to data by unauthorized individuals
d. providing correct data to unauthorized individuals
12. Adequate backups will protect against all of the following except
a. natural disasters such as fires
b. unauthorized access
c. data corruption caused by program errors
d. system crashes
13. Which of the following is not an essential feature of a disaster recovery plan?
a. off-site storage of backups
b. computer services function
c. second site backup
d. critical applications identified
14. The least important item to store off-site in case of an emergency is
a. backups of systems software
b. backups of application software
c. documentation and blank forms
d. results of the latest test of the disaster recovery program
15. The following are examples of commodity assets except
a. network management
b. systems operations
c. systems development
d. server maintenance
16. Which control is not associated with new systems development activities?
a. reconciling program version numbers
b. program testing
c. user involvement
d. internal audit participation
17. Which control is not a part of the source program library management system?
a. using passwords to limit access to application programs
b. assigning a test name to all programs undergoing maintenance
c. combining access to the development and maintenance test libraries
d. assigning version numbers to programs to record program modifications
18. Which is not a level of a data flow diagram?
a. conceptual level
b. context level
c. intermediate level
d. elementary level
19. A cost-benefit analysis is a part of the detailed
a. operational feasibility study
b. schedule feasibility study
c. legal feasibility study
d. economic feasibility study
20. Which step is least likely to occur when choosing a commercial software package?
a. a detailed review of the source code
b. contact with user groups
c. preparation of a request for proposal
d. comparison of the results of a benchmark problem
21. Which characteristic is not associated with the database approach to data management?
a. the ability to process data without the help of a programmer
b. the ability to control access to the data
c. constant production of backups
d. the inability to determine what data is available
22. Users access the database
a. by direct query
b. by developing operating software
c. by constantly interacting with systems programmers
d. all of the above
23. In a hierarchical model
a. links between related records are implicit
b. the way to access data is by following a predefined data path
c. an owner (parent) record may own just one member (child) record
d. a member (child) record may have more than one owner (parent)
24. Which of the following is not a common form of conceptual database model?
a. hierarchical
b. network
c. sequential
d. relational
25. Data currency is preserved in a centralized database by
a. partitioning the database
b. using a lockout procedure
c. replicating the database
d. implementing concurrency controls
26. Audit trails cannot be used to
a. detect unauthorized access to systems
b. facilitate reconstruction of events
c. reduce the need for other forms of security
d. promote personal accountability
27. In an electronic data interchange environment, customers routinely access
a. the vendor's price list file
b. the vendor's accounts payable file
c. the vendor's open purchase order file
d. none of the above
28. Audit objectives in the electronic data interchange (EDI) environment include all of the following except
a. all EDI transactions are authorized
b. unauthorized trading partners cannot gain access to database records
c. a complete audit trail of EDI transactions is maintained
d. backup procedures are in place and functioning properly
29. All of the following are designed to control exposures from subversive threats except
a. firewalls
b. one-time passwords
c. field interrogation
d. data encryption
30. Transmitting numerous SYN packets to a targeted receiver, but NOT responding to an ACK, is
a. asmurf attack.
b. IP Spoofing.
c. an ACK echo attack
d. a ping attack.
e. none of the above