
Chapter 1

Information Technology Environment: Why Are Controls and Audit Important?

1. One reason why IT auditing evolved from traditional auditing was that
a. Auditors realized that computers had impacted their ability to perform the attestation function
b. Computers and information processing were not a key resource
c. Professional associations such as AICPA and ISACA did not recognize the need
d. Government did not recognize the need
2. IT auditing may involve
a. Organizational IT audits
b. Application IT audits
c. Development/implementation IT audits
d. All of the above
3. The breadth and depth of knowledge required to audit IT and systems are extensive and may include
a. Application of risk-oriented audit approaches
b. Reporting to management and performing follow-up review to ensure action is taken
c. Assessment of security and privacy issues that can put the organization at risk
d. All of the above
4. COBIT stands for
a. A computer language
b. A federal agency
c. Control Objectives for Information and Related Technology
d. None of the above
5. ISACA stands for
a. Information Systems Security Association
b. Institute of Internal Auditors
c. Information Systems Audit and Control Association
d. International Association for Computer Educators
6. ISO is
a. A government organization
b. A private company
c. The International Organization for Standardization
d. None of the above
7. The federal government's plan for improving security on the Internet is called
a. FIPS 102 Computer Security Certification and Accreditation
b. National Strategy for Securing Cyberspace
c. Computer Abuse Act of 1984
d. Privacy Act of 1974
8. The Sarbanes-Oxley Act of 2002
a. Does not affect the attestation function
b. Applies only to the Big Four accounting firms
c. Requires auditor rotation
d. Does not apply to small accounting/audit firms
9. Which is the most recent federal law that addresses computer security or privacy
a. Computer Fraud and Abuse Act
b. Computer Security Act
c. Homeland Security Act
d. Electronic Communications Privacy Act
10. Which act has a provision where punishment can be up to life in prison if electronic hackers are found guilty of causing death to others through their actions?
a. Computer Fraud and Abuse Act
b. Freedom of information Act
c. Communications Decency Act
d. Homeland Security Act

Chapter 2
The Legal Environment and Its Impact on Information Technology

1. According to a recent CSI and FBI study
a. 90 percent of respondents have detected computer security breaches within the last 12 months
b. 74 percent cited their Internet connection as the frequent point of attack
c. 80 percent acknowledged financial losses due to computer security breaches
d. All of the above
2. Cyberlaw is
a. State law
b. Federal law
c. Law governing use of the computer and the Internet
d. International law
3. Software piracy costs the computer industry more than
a. $1 billion per year
b. $4 billion per year
c. $9 billion per year
d. $10 billion per year
4. The CFAA covers
a. Fraudulent trespass
b. Intentional destructive trespass
c. Reckless destructive trespass
d. All of the above
5. The Sarbanes-Oxley Act requires that the oversight board it established (the PCAOB) must
a. Register public accounting firms
b. Establish or adopt, by rule, auditing, quality control, ethics, independence, and other standards
related to preparation of the audit reports for issuers
c. Conduct inspections of accounting firms
d. All of the above
6. The Cyber Security Enhancement Act as incorporated into the Homeland Security Act of 2002
a. Demands life sentences for those hackers who recklessly endanger lives
b. Does not require ISPs to hand over records
c. Does not outlaw publications such as details of PGP
d. None of the above
7. Key areas to look at in IT contracts are
a. Vendor contract terms that limit vendor liability
b. Contract objectives and performance measurements to ensure objectives have been met
c. Review and inclusion in future contracts specific clauses for protecting customer interests
d. All of the above
8. A federal agency that protects consumers and has increased its monitoring and review of the Internet for consumer fraud and identity theft is the
a. NSA
b. CIA
c. FTC
d. None of the above
9. The National Strategy for Securing Cyberspace
a. Applies only to defense area
b. Applies only to medical records
c. Provides a framework for protecting the nation's infrastructures that are essential to the economy, security, and the way of life
d. None of the above
10. This Act is the first-ever federal privacy standard to protect patients' medical records
a. Encrypted Communications Privacy Act of 1996
b. Privacy Act of 1974
c. HIPAA of 1996
d. All of the above

Chapter 3
Audit and Review: Its Role in Information Technology

1. Which of the following is not one of the top 10 reasons for the start-up of IT audit:
a. Auditing around the computer was becoming unsatisfactory for the purposes of database reliance
b. Accessibility of personal computers for office and home use
c. Very little advancement in technology
d. The growth of corporate hackers
2. Professional associations that have Standards of Practice:
a. IIA
b. ISACA
c. AICPA
d. All the above
3. A federal agency that develops and issues government auditing standards is
a. GSA
b. GAO
c. Federal Bureau of Investigation (FBI)
d. Federal Trade Commission (FTC)
4. The condition that requires an auditor to be free of any bias or influence is called
a. IT skills
b. Good writing skills
c. Professional development
d. Independence
5. Which federal law was passed by U.S. lawmakers in reaction to recent financial frauds such as Enron:
a. FCPA
b. SEC Act
c. Sarbanes-Oxley Act
d. Computer Fraud and Abuse Act
6. In the author's opinion, an auditor must have
a. High ethical standards
b. Limited training
c. Poor communication skills
d. Poor time management skills
7. GAAS was developed and issued by
a. NIST
b. AICPA
c. FTC
d. NSA
8. Certifications that may be helpful to an IT auditor:
a. CIA
b. CFE
c. CISSP
d. All of the above
9. An auditor who works for IBM directly and is on its audit staff is considered to be
a. An external auditor
b. An internal auditor
c. A consultant
d. None of the above
10. Computer forensic specialists are experts who
a. Investigate under extreme secrecy so that other individuals do not know exactly what they are doing or what information they have gathered
b. May testify in court where an independent opinion is needed on complex technical issues
c. Have an extensive background working with computers and dealing with technical issues, and are, of course, familiar with gathered information and the methods used to acquire that information
d. All of the above

Chapter 4
The Audit Process in an Information Technology Environment

1. Which audit area involves definition of audit scope, initial contacts and communication with auditees, and audit team selection?
a. Fact gathering
b. Audit state
c. Audit preparation
d. Audit objectives
2. Which audit area involves a formal plan for reviewing and testing each significant audit subject area disclosed during fact gathering?
a. Audit objectives
b. Audit program
c. Audit state
d. Use of audit tools
3. Which IT audit area involves formal statements that describe a course of action that should be implemented to restore or provide accuracy, efficiency, or adequate control of an audit subject?
a. Audit state
b. Findings of the audit reports
c. Recommendations of an audit report
d. Conclusion of an audit report
4. At the minimum, an audit plan should include all but
a. Definition of scope
b. Objectives stated
c. An orderly, structured approach
d. A lack of flexibility in approach
5. The activities of a preliminary review may include
a. General data gathering
b. Identifying financial application areas
c. Preparing the audit plan
d. All of the above
6. The first step in conducting fieldwork and implementing audit methodology is
a. Design audit procedures
b. Define audit objectives
c. Evaluate results
d. Build a detailed understanding of area being audited
7. The purpose of follow up is to
a. Determine if the audit recommendations have been implemented
b. Determine the progress made in implementing the audit recommendations
c. Assess any potential savings/value added as a result of the recommendations
d. All of the above
8. The advantage of tying the audit universe to organization objectives is that it
a. Links the entire audit process to business objectives
b. Improves management's understanding of the audit process
c. Develops the communication plan for the audit
d. None of the above
9. Audit risk assessment is an important step in the audit process because
a. It leverages the abilities of audit staff by minimizing redundant activity
b. It provides a framework for communicating the audit results
c. It provides a framework for allocating audit resources to achieve maximum benefit
d. None of the above
10. Auditing is a cyclical process because
a. Performing audit tests is an iterative process
b. Audit results are used in subsequent risk assessments
c. The audit universe is aligned to the business cycle
d. All of the above

Chapter 5
Auditing Information Technology Using Computer-Assisted Audit Tools and Techniques

1. Audit productivity tools can be used in
a. Planning and tracking
b. Documentation and presentations
c. Communications and data transfer
d. All of the above
2. Generalized audit software can
a. Validate calculations
b. Select specific records for examination
c. Analyze and compare files
d. All of the above
3. The task of examining a spreadsheet for reasonableness checks and comparison with known outputs is
a. Documentation
b. Extent of training
c. Verification of logic
d. Support commitment
4. Which is not a database integrity control?
a. Value constraints
b. Biometrics
c. Backup and recovery protection
d. Referential integrity
5. A testing approach used to validate processing by setting up a fictitious company or branch in an application for testing transaction processing is called
a. Snapshot
b. SARF
c. Integrated test facility
d. Transaction tagging
6. A technique used to follow a selected transaction through the entire application to verify the integrity, validity, and reliability is called
a. Snapshot
b. Transaction tagging
c. SCARF
d. Test data
7. Which of the following are categories of computer audit functions?
a. Items of audit interest
b. Data analysis
c. Systems validation
d. All of the above
8. The histogram analysis technique allows the auditor to
a. Apply judgment in identifying and selecting appropriate testing techniques
b. Validate transmission of data
c. Prepare the audit plan
d. All of the above
9. Which automated technique can apply a sampling methodology to the collection of transactions or records?
a. Test data
b. Snapshot
c. SARF
d. None of the above
10. Computer forensic tools are increasingly used to
a. Support law enforcement
b. Support computer security investigations
c. Support computer audit investigations
d. All of the above
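The chapter's questions name what generalized audit software does (validate calculations, select specific records, analyze and compare files) and what histogram analysis gives the auditor (a basis for judging where to concentrate testing). The script below is an added illustration written for this page, not code from the textbook or from any audit product; the payment file and the two vendor-master snapshots are constructed sample data, and the thresholds and field layout are assumptions. It runs offline and returns its findings from functions rather than only printing them.

```python
"""GAS-style checks over a constructed payment file and two vendor-master
snapshots: recalculation, exception selection, file comparison, and a
histogram of amounts. Sample data only; layout and thresholds are assumed."""
from collections import Counter, defaultdict
from datetime import date

# Constructed payment file: (id, vendor, qty, unit_price, extended_total, posted)
PAYMENTS = [
    ("P001", "V10", 4, 25.00, 100.00, date(2023, 3, 1)),
    ("P002", "V11", 10, 9.99, 99.90, date(2023, 3, 2)),
    ("P003", "V10", 3, 40.00, 130.00, date(2023, 3, 3)),      # extended total is wrong
    ("P004", "V12", 1, 12000.00, 12000.00, date(2023, 3, 5)), # Sunday posting, large amount
    ("P005", "V11", 10, 9.99, 99.90, date(2023, 3, 2)),       # same vendor/qty/price as P002
    ("P006", "V13", 2, 30.00, 60.00, date(2023, 3, 6)),       # vendor missing from master
]

# Constructed vendor-master snapshots: prior period versus current period
MASTER_PRIOR = {"V10": ("Acme Supply", "12-3456789"),
                "V11": ("Beta Parts", "98-7654321"),
                "V12": ("Gamma Ltd", "11-1111111")}
MASTER_CURRENT = {"V10": ("Acme Supply", "12-3456789"),
                  "V11": ("Beta Parts", "55-5555555"),   # tax id changed since prior
                  "V12": ("Gamma Ltd", "11-1111111"),
                  "V14": ("Delta Co", "22-2222222")}     # vendor added since prior


def recalculate(payments, tolerance=0.005):
    """Validate calculations: recompute qty * unit price and return ids that disagree."""
    bad = []
    for pid, _vendor, qty, price, total, _posted in payments:
        if abs(round(qty * price, 2) - total) > tolerance:
            bad.append(pid)
    return bad


def select_exceptions(payments, master, threshold=10000.0):
    """Select specific records for examination: large amounts, weekend postings,
    possible duplicates, and payments to vendors not on the master file."""
    flags = defaultdict(list)
    key_counts = Counter((v, q, p, t) for _id, v, q, p, t, _d in payments)
    for pid, vendor, qty, price, total, posted in payments:
        if total >= threshold:
            flags[pid].append("over-threshold")
        if posted.weekday() >= 5:          # 5 = Saturday, 6 = Sunday
            flags[pid].append("weekend-posting")
        if key_counts[(vendor, qty, price, total)] > 1:
            flags[pid].append("possible-duplicate")
        if vendor not in master:
            flags[pid].append("vendor-not-on-master")
    return dict(flags)


def compare_files(prior, current):
    """Analyze and compare files: vendors added, removed, or changed between snapshots."""
    added = sorted(set(current) - set(prior))
    removed = sorted(set(prior) - set(current))
    changed = sorted(k for k in set(prior) & set(current) if prior[k] != current[k])
    return {"added": added, "removed": removed, "changed": changed}


def histogram(payments, bucket=100.0):
    """Bucket extended totals so the auditor can see where the population sits
    and decide which stratum deserves which testing technique."""
    counts = Counter()
    for _id, _v, _q, _p, total, _d in payments:
        counts[float(int(total // bucket) * bucket)] += 1
    return dict(counts)


if __name__ == "__main__":
    print("Recalculation errors:", recalculate(PAYMENTS))
    print("Exceptions:", select_exceptions(PAYMENTS, MASTER_CURRENT))
    print("Master file changes:", compare_files(MASTER_PRIOR, MASTER_CURRENT))
    print("Amount histogram:", histogram(PAYMENTS))
```

The duplicate test deliberately keys on vendor, quantity, price and total rather than on the payment id, because a re-keyed invoice gets a fresh id; the master-file comparison surfaces the changed tax id on V11, which is the kind of change a vendor-maintenance control should have approved. In practice the same checks would be run against an extracted copy of the production file, never against the live database.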

Chapter 6
Managing IT Audit

1. Some of the following elements should be included in a career development plan:
a. Career path planning with management support
b. Definition of knowledge, skills, and abilities
c. Performance assessment and counseling
d. All of the above
2. Which professional certification can be helpful to an IT auditor's career?
a. CISA
b. CISSP
c. CPA
d. All of the above
3. Which IT audit area involves audit selection, definition of audit scope, initial contacts and communication with auditees, and audit team selection?
a. Fact gathering
b. Audit state
c. Audit preparation
d. Audit objectives
4. Which IT audit area involves a formal plan for reviewing and testing each significant audit subject area disclosed during fact gathering?
a. Audit objectives
b. Audit program
c. Audit state
d. Use of audit tools
5. Which IT audit area involves formal statements that describe a course of action that should be implemented to restore or provide accuracy, efficiency, or adequate control of an audit subject?
a. Audit state
b. Finding of an audit report
c. Recommendations of an audit report
d. Conclusion of an audit report
6. IT audit assessment is very important and, at a minimum, consists of reviewing
a. The completeness of the audit
b. The pertinence of the information presented
c. The accuracy of the audit work and supporting working papers
d. All of the above
7. Some of the areas that one can assess for the IT auditor's individual performance are
a. Communication skills
b. Judgment
c. Auditing knowledge
d. All of the above
8. Why is it important to learn about best practices?
a. Efficiency
b. Add value to client/auditee or organization
c. Advancement in technology
d. All of the above
9. This best practice consists of a document that sets the tone or course of action you plan to take with your client/auditee:
a. Benchmarking
b. Planning memo
c. Risk analysis
d. None of the above
10. The reasons for risk analysis are
a. Loss or corruption of information and IS assets
b. Impaired and ineffective management decision making
c. Disruption to customer
d. All of the above

Chapter 7
IT Auditing in the New Millennium

1. IT auditing involves
a. People
b. Technology
c. Operations and systems
d. All of the above
2. COBIT was developed and issued by
a. AICPA
b. IIA
c. ISACA
d. ACFE
3. The SAC reports were issued by
a. IIA
b. ISSA
c. ISACA
d. AICPA
4. Information assurance is defined as
a. Information integrity
b. The level of confidence and trust that can be placed on the information
c. The level of trust and confidence that can be placed on service availability
d. All of the above
5. The following U.S. federal act has pledged almost a billion dollars toward curriculum, research, and skill development in IT audit, control, security, and information assurance issues:
a. Computer Fraud and Abuse Act of 1984
b. Computer Security Act of 1987
c. Cyber Security Research and Development Act
d. HIPAA Act of 1996
6. Which organization operating under U.S. national authority and its initiatives provides the foundation for a dramatic increase in the population of trained and professionalized security experts?
a. AICPA
b. ISACA
c. NIETP
d. None of the above
7. Standards for information security officers have been issued by
a. CIA
b. FBI
c. GAO
d. NSTISSC
8. A new field of opportunity and career growth is
a. Business systems analyst
b. Computer forensic analyst
c. Network administrator
d. None of the above
9. The number of universities within the United States identified as centers of excellence in information assurance is
a. 10
b. 25
c. 40
d. Greater than 49
10. The IT auditor's role in IT governance can be as
a. A counselor
b. A partner of senior management
c. An educator
d. All of the above

Chapter 8
IT Governance

1. IT governance is
a. The process by which an enterprise's IT is directed and controlled
b. The evaluation of computers and information processing not as key resources
c. Management that is only involved in making decisions
d. User dominance in IT decision making
2. IT governance is controlled through a series of processes and procedures that:
a. Determine how investments are managed
b. Identify who can make decisions
c. Determine how results are measured
d. None of the above
3. For IT to be an effective partner in organizational decision making, the CIO must
a. Offer proactive solutions to organizational needs
b. Get agreement on the measures of IT performance
c. Regularly attend board meetings
d. None of the above
4. Which of the following is not a main reason for ERM functions being established within organizations?
a. Increasing software patches
b. Magnitude of problem
c. Increasing business risks
d. Organizational oversight
5. Compliance with laws and regulations is a key business risk because of
a. The controls outlined in COBIT
b. The impact on security of an organization
c. The sheer number of laws and regulations
d. The automation of financial processes
6. Continuous auditing is a technique used to
a. Create a sample of production data to test controls
b. Detect and report on control breakdowns as they occur
c. Provide a tool for business users to manage IT
d. All of the above
7. Measuring IT performance is dependent on
a. Delivering successful projects
b. Keeping operations running
c. Reducing operating costs
d. The strategy and objectives of the organization
8. Developing a successful measurement process requires
a. Alignment between IT and organization objectives
b. Mature measurement processes
c. Support from IT and organization management
d. Automated measurement tools to report accurate metrics
9. A successful measurement process includes all of the following, except
a. Ownership of the measurement process from the area to be measured.
b. Measure the effective use of resources and alignment with business objectives.
c. Measurement of events and processes rather than individuals.
d. Measurement must be meaningful, reliable, and accurately represent the area measured.
10. IT governance requires management action taken at all levels to
a. Decrease the probability of carelessness
b. Reduce outside threat and the probability of hostile penetration
c. Decrease fraud and corruption within the organization
d. All of the above

Chapter 9
Strategy and Standards

1. What is the purpose of developing an IS strategic plan?
a. Define the IT goals and objectives.
b. Guide the acquisition, allocation, and management of IT resources.
c. Define the technology to be used by the organization for the current year.
d. Provide a process for governing investments in IT.
2. The COBIT model is based on the following:
a. COSO model of internal controls
b. Capability Maturity Model
c. Project Management Body of Knowledge
d. ISO 9000 Quality Management and Quality Assurance Standards
3. The Planning and Organization domain includes all the following except
a. Project management standards
b. Architecture planning process
c. Strategic planning process
d. Operational readiness process
4. The FFIEC is made up of representatives from
a. FRB and FDIC
b. Office of the Comptroller of the Currency
c. OTS and NCUA
d. All the above plus representatives from each bank regulatory council
5. The Basel Committee believes
a. The board of directors must be involved with approval of the operational risk management plan, which includes technology risk.
b. Senior management has responsibility for implementing the plan and spreading information about the plan throughout the organization.
c. Processes must be in place to identify risks, measure them, monitor their occurrence, and control or mitigate their occurrence.
d. All of the above.
6. One of the obstacles to the success of CRM has been
a. Project management standards
b. Lack of strategic plan
c. Strategic planning process
d. Architecture planning process
e. None of the above
7. Portfolio management processes are needed to
a. Ensure new technology is approved by the appropriate groups
b. Ensure projects are completed on time, on budget, and with full functionality
c. Ensure effective and efficient IT operations
d. Ensure the effective use of resources and alignment with business objectives
8. A technical review process helps ensure that
a. The project has included all the costs of the technology solution
b. The right solution is selected that integrates with other technology components
c. The current infrastructure is sufficient to support the new technology
d. The appropriate level of senior management approvals has been received
9. Architectural standards are needed to
a. Determine which vendor products to use
b. Simplify and standardize infrastructure costs
c. Communicate programming standards to software developers
d. Speed the implementation process for new technology
10. A technical steering committee provides
a. A control mechanism for evaluating and approving new technology solutions
b. A framework for organizing and assessing software development and maintenance
c. Leadership in advancing the practice of software engineering
d. Guidance in the acquisition, allocation, and management of IT resources

Chapter 10
Risk Management

1. NIST stands for which of the following?
a. National Information Security Test
b. National Institute of Standards and Testing
c. National Institute of Standards and Technology
d. National Institute of Security and Technology
2. The GAO conducts audits, surveys, investigations, and evaluations of
a. Federal agencies
b. Businesses
c. State agencies
d. All of the above
3. Which of the following organizations consists of representatives from industry, public accounting, investment firms, and the New York Stock Exchange?
a. IIA
b. COSO
c. ISACA
d. AICPA
4. Risk retention (self-insurance) methods should meet all of the following criteria, except
a. Risk should be spread physically to distribute exposure across several locations
b. Determine whether a self-insurance reserve should be established to cover a possible loss
c. Develop an internal risk management group to monitor exposures
d. Determine the maximum exposure to loss
5. Threats to integrity and privacy from inside the organization include
a. Loss or destruction of assets by malicious acts
b. Errors from incompetence or carelessness
c. Deliberate exposure of private or privileged information
d. All of the above
6. The cost of risks includes all of the following, except
a. Cost of loss-prevention measures
b. Cost of security controls
c. Cost of losses sustained
d. Insurance premiums
7. Tools used to identify risks include all of the following, except
a. Risk analysis questionnaire
b. Flowchart of operations
c. Audit workflow software
d. Insurance policy checklist
8. IT risk evaluation involves
a. Ranking of the size and probability of potential loss
b. Evaluation of the level of risk of a given process or function
c. Ensuring that risk losses do not prevent organization management from meeting its objectives
d. Retaining a portion of the risk to reduce the insurance or premium costs
9. The reasons for risk analysis are
a. Loss or corruption of information and IS assets
b. Impaired and ineffective management decision making
c. Disruption to customer service or other critical operations
d. All of the above
10. Which of the following statements regarding the effect of insurance on risk is true?
a. Prevents loss or damage to the organization
b. Transfers risk of loss or damage to the insurance company
c. Risks are not managed when insured
d. None of the above
