1. If complete separation of duties cannot be achieved in an on-line system, each of the following functions could be performed by the same individual without causing a major control violation EXCEPT transaction

A. origination

B. authorization

C. recording

D. correction

Answer: B

2. Which of the following data sources would be used to restore a data base to its initial state after an abnormal termination of an application program?

A. Transaction logs

B. The job accounting log

C. Before image copy

D. After image copy

Answer: C

3. A systems analyst should have access to each of the following EXCEPT

A. source codes

B. password identification tables

C. checkpoint/restart procedures

D. edit criteria

Answer: B

4. A password is best described as a method of user

A. identification

B. authorization

C. authentication

D. confirmation

Answer: C

5. It is generally agreed that which of the following should be held responsible for correction errors detected by an application system?

A. System designers

B. Users

C. Programmers

D. Computer operators

Answer: B

6. Which of the following represents the greatest source of losses in data processing?

A. Computer fraud

B. Theft of machine time

C. Errors and omissions

D. Machine-room fires

Answer: C

7. The most valuable information for detecting unauthorized input from a terminal would be provided by the

A. console log printout

B. transaction journal

C. automated suspense file listing

D. user error report

Answer: B

8. Which of the following is the most important factor to review during a business continuity audit?

A. A hot site is contracted for and available as needed.

B. Insurance coverage is adequate and premiums are current.

C. A business continuity manual is available and current.

D. Media backups are performed on a timely basis and stored off-site.

Answer: D

9. The best corrective control for dealing with a natural catastrophe is:

A. Proper design of the physical structure

B. Existence of a recovery plan

C. Adequate off-premises backup

D. Insurance coverage

Answer: C

10. Who has the ultimate responsibility in insuring that adequate contingency plans exist for the corporation?

A. Information Services manager

B. Disaster Recovery Coordinator

C. Computer Operations manager

D. Senior management

Answer: D

11. Identification of critical systems usually results from?

A. External Audit certification process

B. Corporate risk analysis

C. Internal Audit review

D. Systems Development Life Cycle process

Answer: B

12. An off-site backup facility that contains the basic environmental equipment and is ready for receipt of other components is known as a?

A. Hot site

B. Warm site

C. Cold site

D. In-house dual site

Answer: C

13. Extra expense insurance is designed to provide coverage for:

A. Physical damage to the information processing facility and owned equipment.

B. The extra costs of continuing operation following damage or destruction at the information processing facility.

C. The loss of net profits caused by computer or media damage.

D. Legal liability in the event that a professional commits an act, error, or omission that results in financial loss to a client.

Answer: B

14. A fully equipped processing site for a company to use while recovering from a disaster is called a:

A. Hot site

B. Shell site

C. Ready site

D. Load-and-go site

Answer: A

15. Which of the following is the most important item that should be included in a contract for the use of a hot site?

A. Test provisions

B. Off-site storage

C. Documentation

D. Hardware upgrades

Answer: A

16. In distributed data processing, a ring network

A. Has all computers linked to a host computer, and each linked computer routes all data through the host computer.

B. Links all communication channels to form a loop, and each link passes communications through its neighbor to the appropriate location.

C. Attaches all channel messages along one common line with communication to the appropriate location via direct access.

D. Organizes itself along hierarchical lines of communication usually to a central host computer.

Answer: B

17. Distributed computing provides several advantages over a centralized computer. Which of the following is not an advantage?

A. Communications costs are usually lower.

B. Alternate processing locations are available in case one site’s computer is not functioning.

C. Security measures are easier to provide.

D. Investment in hardware is smaller for each site than for a central site.

Answer: C

18. Which new issues, associated with rapidly advancing computer technology, create new risk exposures for organizations?

A. Changes in organizational reporting requirements and controls over computer abuse.

B. Controls over library tape procedures.

C. Complexity of operating systems and controls over privacy of data.

D. Changes in organizational behavior.

Answer: C

19. Scavenging for residual information in the main memory of a computer can be best prevented by

A. Resetting the values of memory locations to zero.

B. Requiring passwords for memory access.

C. Setting memory access for asynchronous control

D. Setting memory access for synchronous control

Answer: A

20. What specific audit test would be used to ensure that an update of a master file is performed accurately?

A. Reconcile computer-generated totals with totals on the update reports

B. Perform cutoff testing

C. Reconcile time cards with job cost sheets

D. Review update reports for proper authorization for processing

Answer: A

21. An ITF (Integrated test facility) is:

A. A sophisticated technique used in "auditing around the computer"

B. An audit approach utilizing test data in production systems with fictitious entities

C. A computerized test data file for use in testing and verifying the logic of applications programs

D. A training center for the culturally diverse

Answer: B

22. The major advantage of ITF over the test data audit method is that ITF:

A. Provides test results that are more quantifiable and predictive

B. Reduces the likelihood of contaminating live files

C. Provides significant cost savings by automating the audit process

D. Allows a system to to be tested while it operates

Answer: D

23. Examples of the use of CAATS?

A. Snapshot

B. System control audit review file

C. Test data generators

D. All of the above

Answer: D

24. CAATS offer the following advantages:

A. Reduces the level of audit risk

B. Allows more interaction with the auditee

C. Immediate cost savings

D. Narrower Audit Coverage

Answer: A

25. When requesting access to production data for use of CAATS, the IS auditor should request:

A. Access to data manipulation

B. Read-only access

C. Copies of production files

D. Ability to expose unauthorized updating

Answer: B

26. The purpose of a follow-up review after an audit is to:

A. Ensure corrective action is achieving desired results

B. Ensure that an auditor gets performance evaluation after each audit

C. Determine if inaccuracies exist in the auditor's assessment

D. Perform compliance testing of selected controls

Answer: D

27. Which of the following activities would least likely be performed during audit planning?

A. Determining risks

B. Obtaining a preliminary understanding of the system

C. Determining strategy for effective testing

D. Evaluating controls

Answer: D

28. An audit program would be least likely to help the IS auditor to :

A. Establish standards

B. Guide auditors in following planned procedures

C. Structure an audit

D. Document an audit for review and reference

Answer: A

29. The primary advantage of auditing around the computer is that it:

A. Takes less time

B. Is oriented towards results

C. Has no logical constraints

D. Requires little technical knowledge

Answer: D

30. Which of the following factors should not be considered in establishing the priority of audits included in the annual audit plan?

A. Prior audit findings

B. The time period since the last audit

C. Auditee procedural changes

D. Use of audit software

Answer: D

31. The distinguishing characteristic of a continuous audit approach is that:

A. The auditee collects evidence while processing takes place

B. The auditor consistently monitors a specific program without stopping to review other applications

C. A team of auditor and non-auditor perform a review of the computer system

D. The auditor comes back to look at the system under development on a consistent basis

Answer: A

32. Continuous audit techniques are particularly effective when:

A. There is a scarcity of auditors to perform all the reviews on the audit schedule

B. They are used in a time-sharing environment that processes a large number of transactions but leave a scarce paper audit trail

C. Trying to catch embezzlers rewriting program code

D. Trying to provide wide range assurance that the information processing systems are operating as they were intended to function.

Answer: B

33. SCARF/EAM refers to:

A. A continuous audit technique using audit software applied to specific accounts

B. Embedded generalized software in specific application packages

C. Embedded specifically written audit software in the organization's host application system

D. System control analytical remote file/encrypted analytical modules

Answer: C

34. Snapshots involve:

A. Matching user IDs against approved access tables

B. Tagging transactions by applying identifiers to input data and recording selected data on what occurs

C. Taking what might might be termed pictures of the application in a common operating system

D. Embedding audit hooks in application systems to function as red flags and to induce IS auditors to act before an error or irregularity gets out of hand

Answer: B

35. An IS auditor would be smart to use continuous and intermittent simulations (CIS) when:

A. An audit trail is required

B. Regular processing cannot be interrupted

C. He wants a fairly easy approach to review transactions that meet certain criteria

D. Only select transactions or processes need to be examined

Answer: C

36. Which of the following departments is most likely to be involved with strategic planning?

A. Finance

B. Accounting

C. Production Control

D. Personnel

Answer: A

37. The long-term overall objectives as set by management are referred to as?

A. Tactical Overview

B. Detailed Procedures

C. Strategic Plan

D. Targeted Goals

Answer: C

38. Who should write the job description for a programmer/analyst?

A. The MIS Director

B. The Supervisor with input from the P/A

C. The Operations Analyst

D. The Personnel Department

Answer: B

39. Which of the following managers has primary responsibility for security in a data processing department?

A. Systems Programming

B. Technical Services

C. Operations

D. Internal Audit

Answer: C

40. Which of the following Positions within the MIS department would most likely have primary responsibility over the computer hardware?

A. Field Engineer

B. Data Processing Manager

C. Computer Programmer

D. Systems Operator

Answer: B

41. The thing(s) that an organization must do well in order to thrive in business and industry are:

A. Creation of Policy and Procedures Manual

B. Critical Success Factors

C. Company Wide Goals

D. Strategic Goals

Answer: B

42. Information Resource Management Planning includes all of the following except:

A. Business Systems Plans

B. Management Interviews

C. PERT

D. Critical Success Factors

Answer: C

43. Which of the following is charged with the ultimate responsibility of data relationships?

A. DBA

B. User Community

C. Systems Analyst

D. Operations Manager

Answer: A

44. Which of the following would not be part of a formal management control process?

A. Programming

B. Hiring

C. Budgeting

D. Operating

Answer: A

45. Of the following, which one best describes the measurement of efficiency?

A. Return on Investment

B. Profitability

C. Input/Output

D. Percentage completion

Answer: C

46. Within an Organization which of the following is most effective in reducing theft?

A. Division of responsibility

B. Bonding

C. Physical Security

D.Polygraph

Answer: A

47. If a company has both a controller and an MIS manager that report to the CFO, internal control would not be strengthened by:

A. Assigning programming and operating of the computer to an independent control group that reports to the controller

B. Having an independent group maintain the input controls

C. Rotating the running of the applications among different operators

D.Providing for a review and distribution of computer output by an independent control group that reports to the controller

Answer: C

48. An internal control that is sometimes used to detect unauthorized or unexplained computer usage:

A. A computer tape library

B. Use of file access controls

C. Maintenance of a computer console log

D. Control over Program Tapes

Answer: C

49. The detection and correction of errors in the process of data should be the responsibility of:

A. The data processing manager

B. The Operator

C. The IS department control group

D. Internal Audit

Answer: C

50. The group that owns the data and should ultimately responsible for decisions relating to access to the data is:

A. The user department's management

B. The financial management of the company

C. The MIS department that processes the data

D. Internal Audit

Answer: A

51. What type of transmission requires modems in a network to be connected to terminals from the computer?

A. Encrypted

B. Digital

C. Analog

D. Modulated

Answer: C

52. Which of the following is not a common database structure?

A. Network

B. Sequential

C. Hierarchical

D. Relational

Answer: B

53. Which of the following is not related to file identification?

A. Periodic File Inventory

B. External Label Standards

C. Retention

D. High Level Qualifier Restrictions

Answer: C

54. The most common computer related problem confronting organizations is:

A. Hardware malfunction

B. Input errors and omissions

C. Disruption to computer processing caused by natural disasters

D. Fraud

Answer: B

55. Access time in relation to computer processing is the amount of time it takes to:

A. Transmit data from a remote terminal to a central computer.

B. Complete a transaction from initial input to output.

C. Perform a computer instruction

D. Retrieve data from memory

Answer: C

56. Which of the following measures would indicate the computational power of a microprocessor?

A. Capacity of the hard disk

B. Main memory storage capacity

C. Number of bits processed per second

D. Read only memory (ROM)

Answer: C

57. Hardware controls usually are those built into the equipment by the manufacturer. One such control, an echo check is best described as

A. A component that signals the control unit that an operation has been performed

B. Two units that provide read-after-write and dual read capabilities

C. Double wiring of the CPU and peripheral equipment to prevent malfunctioning

D. A device that prevents more than one peripheral unit from communicating with the CPU at the same time.

Answer: A

58. Advantages of using fiber optics are that 1. The signal is attenuated, 2. Data is transmitted rapidly, 3. Fiber optics cable is small and flexible, 4. They are unaffected by electrical interference

A. 1 & 3

B. 1 & 4

C. 1,2, & 3

D. 2,3 & 4

Answer: D

59. Which of the following risks is not greater in an electronic funds transfer (EFT) environment than in a manual system using paper transactions?

A. Unauthorized access and activity

B. Duplicate transaction processing

C. Higher cost per transaction

D. Inadequate backup and recovery facilities

Answer: C

60. Your firm has recently converted its purchasing cycle from a manual process to an on-line computer system. Which of the following is a probable result associated with conversion to the new automatic system?

A. Processing errors are increased

B. The firms’ risk exposures are reduced

C. Processing time is increased

D. Traditional duties are less segregated

Answer: D

61. The use of external labels with floppy disks is least likely to prevent which of the following?

A. Formatting a disk that was used for a backup of hard disk files.

B. Using a version of a file that has been subsequently revised

C. Erasing an important file on a disk

D. Spilling liquid on a disk and losing the files.

Answer: D

62. After reviewing terminal security controls, the IS auditor concluded that the controls are insufficient. Which of the following audit techniques could the IS auditor have used to reach this conclusion? 1. Observation, 2. Generalized audit software, 3. Internal control questionnaire, 4. Control flowcharting

A. 1

B. 2 & 3

C. 1, 3, & 4

D. 1, 2, 3, & 4

Answer: C

63. Which of the following computer assisted auditing techniques allows fictitious and real transactions to be processed together without the knowledge of client operating personnel?

A. Integrated Test facility (ITF)

B. Input controls matrix

C. Parallel simulation

D. Data entry monitor

Answer: A

64. Which of the following types of transmission media are most secure against unauthorized access or tapping?

A. Copper wire

B. Twisted pair

C. Fiber optic cables

D. Coaxial cables

Answer: C

65. Why would the IS auditor of a company that is considering contracting its data processing needs to a service bureau request a copy of each candidate bureau’s financial statements?

A. To evaluate the fairness of each service bureau’s charges on the basis of relative profit margins.

B. To determine whether each service bureau is affiliated with a company that might represent a conflict of interests

C. To evaluate each service bureau’s financial stability and ability to fulfill the contract.

D. To obtain an understanding of the processing performed by each service bureau and the controls within the system

Answer: C

66. A detective control in the computer operations area is:

A. Policy

B. Log

C. Procedure

D. Standards

Answer: B

67. Help desk customers call the help desk to report operational problems and ask system related questions. Which of the following is the best source to obtain customer related information?

A. Automatic call distribution system

B. Asset management system

C. Employee database system

D. Call tracking system

Answer: C

68. Information availability controls include: 1. Backup and recovery, 2. Storage media, 3. Physical and logical security, 4. Alternate computer equipment and facilities

A. 1,2,3, & 4

B. 1 & 2

C. 1,2, & 3

D. 1,3, & 4

Answer: D

69. Which of the following is an inappropriate control over telecommunication hardware?

A. Logical access controls

B. Security over wiring closets

C. Contingency plans

D. Restricted access to test equipment

Answer: A

70. Your LAN is experiencing frequent data losses and network downtime. The LAN administrator is thinking about implementing a fault tolerant system using a server-mirroring concept. The cost of software is $4000. The cost of the server is $6000. A special cable is $500 and an interface adapter can cost another $1000. What is the total investment required for implementing the server-mirroring concept?

A. $19,000

B. $11,500

C. $7,500

D. $15,000

Answer: A

71. Which of the following factors would not normally be considered in determining the reliability of audit evidence?

A. Possibility of quantifying the audit trail

B. Qualification of the person providing the evidence

C. Objectivity of the evidence

D. Independence of the provider of the evidence

Answer: A

72. Which of the following are advantages of using CAATS? I Reduces the level of audit risk, IIProvides greater independence for the auditee, III Quantifies internal control weaknesses, IV Saves time for source data input, V Provides enhanced sampling and cost savings over time