QUESTION
Q. Self-service assistance to users provided by the help desk, such as resetting passwords, is considered which level of assistance?
Q. In which of the following models does the user need to know the URL to access the app?
Q. Who is responsible for classification of data in a Dept?
Q. Expert system is an example of-
Q. In which of the following interface testing approaches may a tester start at the top or bottom level and, depending on the situation, move downward or upward?
Q. Which of the following tools is considered useful for comparing processing output with independently calculated data?

Q. The practice of limiting permissions to the minimal level that will allow users to perform their jobs. It is known as
Q. Which of the following is an example of an external schema in a database mgt system?
Q. Batch total is an example of_
Q. Which of the following is one of the important operations performance metrics?
Q. Which of the following tests is done by the programmer?
Q. Which of the following tests checks whether programs do what they are supposed to do?

Q. Which of the following tests is concerned with examining the internal processing logic of a software system?
Q. Users have more privileges than they need and may use them to perform actions outside of their job description. It is known as_
Q. Which of the following relates to the accuracy and completeness of info as well as to its validity in accordance with business values and expectations?
Q. Which of the following relates to the provision of appropriate info for mgt to operate the entity and exercise its fiduciary and governance responsibilities?
Default settings are used by vendors to help users get the system up and running. What is the auditor's primary area of interest regarding default settings?
Which of the following software development methodologies primarily focuses on risk avoidance?
Completeness and accuracy of data is assured by?
Which of the following is the list of OSI Model levels from the top down?
Performance, security and user interface are examples of which of the following types of testing?

What is likely to be the biggest issue regarding log management?


Which of the following parameters should not be considered for computing function points under function point analysis?
Who amongst the following has the highest stake in benefit realization from the project?
Which type of network device directs packets through the internet?
Which of the following types of testing is used to identify errors and improvements in the software by observing the users through their usage and operation?

A user account is terminated by the IT Department, only when the request is approved and sent by the_____
Which type of control is representative of exception reporting?
Which of the following is the role of the IS Auditor in the SDLC?
Which of the following methods is designed to permanently destroy data on a hard disk?
A multinational organisation has decided to implement an ERP solution across all geographical locations. The organisation shall initiate a
Tools not used by project managers to control the projects
Arrange the following in the order of activities?
Which of the following protocols is likely to be used for monitoring the health of a network?
Why is ongoing system monitoring important?
In which of the following categories of maintenance are changes made to the program(s) when a defect or error arises in the working of the software?
Which of the following is the best definition of slack space on a hard disk?
Which of the following is not a function of the Operating System?

Which among the following is the function of quality assurance personnel?

A critical function of a firewall is to act as a


Arrange the following in the order of activities
What is the security issue regarding packet analysers?
What is the purpose of the Address Resolution Protocol?
What is the primary objective in problem escalation?
In the case of an organisation like a bank, which of the following would be the most appropriate software implementation strategy?
Which of the following is not an input authorisation control?
_____ is a process of updating an existing system by reusing design and program components

Which of the following methods is used to make a backup copy of all the data files for a forensic investigation?
Which of the following is a major issue facing incident response?
When separation of duties is not possible, what would be the terminology for forcing employees to take vacation, job rotation, reconciliation and supervisory review?
Performance of a third party should be compared to agreed-upon service level metrics and must be
An IS auditor is auditing controls related to an employee termination. Which of the following is the most important aspect to be reviewed?
Q. A MN org. has decided to implement an ERP soln across all geolocations. The org shall initiate a-
Q. A user account is terminated by the IT dept, only when the request is approved and sent by the-
Q. In which of the following categories of maintenance are changes made to the program(s) when a defect or error arises in the working of the software?
Q. Completeness and accuracy of accumulated data is ensured by_

The practice of limiting permissions to the minimal level that will allow users to perform their jobs. It is known as?
Who is responsible for classification of data in a department?
Which of the following is the best definition of slack space on a hard disk?
Which of the following relates to the provision of appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities?
Batch total is an example of?
Self-service assistance to users provided by the help desk, such as resetting passwords, is considered which level of assistance?
A critical function of a firewall is to act as a
QIA Personnel
Which of the following may help to establish accuracy and completeness of data?
Which of the following types of attacks may be prevented by input validation?
Which of the following is central storage for all kinds of structured, semi-structured or unstructured raw data collected from multiple sources?
After a major earthquake, a business decides to shift the location of its data center from earthquake zone 5 to earthquake zone 2. Which type of risk response option has it exercised?
Which of the following is not an example of an AI platform?
Which of the following cloud deployment models is highly scalable?
Use of licensed software, patch updates, disabling default users and using anti-malware software are controls against?
Which of the following types of attacks may be prevented by using anti-malware and applications from trusted sources?
AI that strives for natural, human-like interaction with machines is known as?
Which of the following provides a secure connection between two end points?

Which of the blockchain principles states that each node stores and forwards information to all other nodes?
Which of the following types of smart card enables a card reader to sense the card in the possession of a user in the general area and allow access?
Which of the following is a type of malware that takes control of administrative rights for execution of malicious code?
Which of the following is an example of robotic process automation?
Which of the following is a series of minor attacks that together result in a larger attack?
Which of the following enables hackers to exploit system vulnerabilities including the human element?
In which of the following cloud deployment models does the customer hold control of the operating system?
Which of the following analytics assists in identifying the best option to choose to achieve the desired outcome through optimization techniques and machine learning?
Which of the following is the primary requirement for granting users access to an information asset?
The primary purpose of access controls such as dead man doors, turnstiles and mantraps is to?
The most significant level of effort for the BCP is generally required during the -
Which of the following tests is an IS auditor most likely to perform if, after evaluation, he/she concludes that the control environment is poor ---
While reviewing the BCP plan of an organisation, an IS auditor observed that the organisation's data and software files are backed up on a periodic ---
While reviewing the IT security process, the IS Auditor observed that some of the sub-policies were not approved but employees strictly followed the policies. ---
Which of the following is a benefit of using callback services ---
Which is the name of the decentralised control method enabling someone to make the decision based on their own options ----
Which of the following functions is primarily responsible to support value creation by reducing the risk of IT to an acceptable level ----
Which of the following sections of the IT Act 2000 demands an appropriate documented procedure to comply with the CERT-

Which of the following must exist to ensure the viability of a duplicate information processing facility ----
IT BSC priorities and objectives set by
BPR risk in design phase
Auditor identifes weakness which is out of scope
IS Auditor and management disagreement for selecting system
Sequence of BPR
Which of the following should be done first when preparing a disaster recovery plan?
An offsite information processing facility having electrical wiring, air conditioning and flooring but no computer or communications equipment is a

Which of the following must exist to ensure the viability of a duplicate information processing facility?
During the course of an application software review, an IS auditor identified minor weaknesses in a relevant database environment that is out of scope for the audit. The best option is to
Which of the following phases starts with damage assessment?
Which of the following business process reengineering risks are likely to occur during the design phase?
Which of the following sections of the IT Act 2000 demands the appropriate documented procedure to comply with the request of CERT-IN regarding cyber security incidents?
Which of the following is not considered a control failure?
Which of the following helps to gain a clear understanding of the business process while developing a business continuity plan?
Which of the following audits has as its primary purpose the development of evidence for review by law enforcement and judicial authorities?
What is the best way to ensure that organizational policies comply with the legal requirements?
Which of the following disaster recovery/continuity plan components provides the greatest assurance of recovery after a disaster?
Who sets the priorities and objectives of the IT balanced scorecard?

Which of the following is the primary requirement in reporting results of an IS audit? The report should be
Why is change control considered a governance issue?
Which of the following functions is primarily responsible to support value creation by reducing the risk of IT to an acceptable level?
Which of the following is the primary reason for periodic review of risk? The change in

Which of the following aims to sustain critical business processes during an unplanned interruption period?

Which of the following risk treatment options enables implementation of controls to reduce the level of risk?
Which of the following is a benefit of using callback devices?

Which of the following data validation edits is effective in detecting transposition and transcription errors?

While reviewing the IT security policies, the IS auditor observed that some of the sub-policies were not approved by the management but employees strictly follow the policies. What should the IS auditor do first?
Which of the following is the most useful for business decision making and framing policies based on actual transactional data?
Which of the following statements is true concerning the steering committee?
Which of the following audit tools is most useful to an IS auditor when only select transactions or processes need to be examined?
IT department more than one role
Prioritization of IT initiatives
When an individual in an IT department performs more than one role, which one of the following poses the greatest risk?
As per IATF, which standard is a standard under "IS Audit and assurance standard"?
Who are responsible for ensuring IT-enabled investments provide business value?
Which of the following is known as conditions that affect the risk profile of the organizations_____
Which of the following Standards on Internal Auditing (SIA) defines fraud and lays the responsibility for prevention and detection of frauds on the management and those charged with governance?

Which of the following types of evidence consists of the IS Auditor's independent tests of client accounting procedures or controls that were originally done as part of the entity's accounting and internal control systems?
While planning an audit M/s InfoTech Solutions should have FIRST identified:

M/s InfoTech Solutions has decided to Skip Risk Assessment Process. What is the Primary Risk involved here?
The decisions and actions of Senior Auditor of M/s InfoTech Solutions are MOST likely to affect which of the
following risks?
The primary purpose and existence of an audit charter is to:

Which of the following control classifications identifies the cause of a problem and minimizes the impact of a threat?
To conduct a system audit, the IS auditor should
Which of the following are most commonly used to mitigate risks discovered by organizations?
The rate of change in technology increases the importance of:

What is the term for the rate at which the opinion of the IS Auditor would change if he selects a larger sample size?
Which of the following cannot be classified as Audit Risk?
After you enter a purchase order in an on-line system, you get the message, “The request could not be processed due to lack of funds in your budget”. This is an example of which error?

When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:

Reviewing management's long-term strategic plans helps the IS auditor:


What should an IS Auditor do FIRST, when he observed that two users are constantly trying to access some external
sources?
An IS Auditor found one security loophole in the system. However, when the IT Management got to know about it, they immediately corrected it. The IS Auditor should:
IS Auditor rightly found one weakness in the Firewall implementation and he recommended the name of sister
concern to address the weakness. The IS Auditor has failed to maintain:

Which of the following forms of evidence would be considered to be the most reliable when assisting an IS Auditor
develop audit conclusion?
During a review of the controls over the process of defining IT service levels, an IS auditor would most likely
interview the:
Which of the following procedures would an IS Auditor not perform during pre-audit planning to gain an
understanding of the overall environment under review?

The first step IS Auditor should take when preparing the annual IS audit plan is to:
The purpose of compliance tests is to provide reasonable assurance that:
IS Auditors are most likely to perform tests of internal controls if, after their evaluation of such controls, they conclude that:
Which of the following is the least important factor in determining the need for an IS Auditor to be involved in a
new system development project?
Each of the following is a general control concern EXCEPT:
Which of the following types of audits requires the highest degree of data processing expertise?

A manufacturing company has implemented a new client/server system enterprise resource planning (ERP) system.
Local branches transmit customer orders to a central manufacturing facility. Which of the following controls would
BEST ensure that the orders are accurately entered and the corresponding products produced?

What is one of the key tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs)?
Find out the best process carried out using Computer Assisted Audit Tools (CAATs)?
What can be ideally carried out using Computer Assisted Audit Tools (CAATs)?

What is one of the key tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs)?

What is one of the key tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs)?

What is one of the key tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs)?
Which is one of the most effective tools and techniques to combat fraud?

An IS Auditor, concerned that application controls are not adequate to prevent duplicate payment of invoices,
decided to review the data processing files for possible duplicate payments. Which of the following
techniques/tools would be useful to the IS Auditor?
Many automated tools are designed for testing and evaluating computer systems. Which one of the following such tools impacts the system's performance with a greater load and stress on the system?
The most appropriate type of CAAT tool the auditor should use to test security configuration settings for the entire
application systems of any organization is:
Application controls shall include all except

As per Income Tax Act, 1961 and banking norms, all fixed deposit holders of banks need to submit their PAN or form
60/61(a form as per Income Tax Act/Rules). A bank in its account opening form, has not updated the need for form
60/61 in case PAN is not there. This defines which control lapse as per COBIT.
In a public sector bank while updating master data for advances given, the bank employee does not update
“INSURANCE DATA”. This includes details of Insurance Policy, Amount Insured, Expiry Date of Insurance and other
related information. This defines which control lapse as per COBIT.

An IS Auditor observed that users are occasionally granted the authority to change system data. The elevated
system access is not consistent with company policy yet is required for smooth functioning of business operations.
Which of the following controls would the IS Auditor most likely recommend for long term resolution?

An IS Auditor, processes a dummy transaction to check whether the system is allowing cash payments in excess of
Rs.20,000/-. This check by auditor represents which of the following evidence collection technique?

An IS Auditor is performing a post implementation review of an organisation’s system and identified output errors
within an accounting application. The IS Auditor determined that this was caused by input errors. Which of the
following controls should the IS Auditor recommend to management?
RBI instructed banks to stop cash retraction in all ATMs across India from April 1, 2013. This was the result of a few ATM frauds detected. This action by RBI can be best classified as:

A central antivirus system determines whether each personal computer has the latest signature files and installs the
latest signature file before allowing a PC to connect to the network. This is an example of a:
Company’s billing system does not allow billing to those dealers who have not paid the advance amount against the proforma invoice. This check is best called
While posting message on FACEBOOK, if user posts the same message again, FACEBOOK gives a warning. The
warning indicates which control.

Which of the following business purposes can be met by implementing Data warehouse in an organisation?

Which of the following is a characteristic of a decision support system (DSS)?


Which of the following audit tools is MOST useful to an IS auditor when an audit trail is required?

A retail company recently installed data warehousing client software in multiple, geographically diverse sites. Due to
time zone differences between the sites, updates to the warehouse are not synchronized. This will affect which of
the following most?
The cashier of a company has rights to create bank master in TALLY. This error is a reflection of poor definition for
which type of control:
An employee has left the company. The first thing to do is to

As part of auditing Information Security of a multinational bank, an auditor wants to assess the security of
information in ATM facilities. Under which privacy policy should he look for details pertaining to security guards and
CCTV surveillance of ATM’s?
Neural Networks and Fuzzy Logics are classified under which category of Artificial intelligence?

In an inter school competition on Artificial Intelligence, four children develop software which performs the following
different functions respectively. Which of them is a correct example of the use of basic Artificial Intelligence?

Which are the business activities which are strong contenders for conversion to ecommerce?
Which of the following factors should not be considered in establishing the priority of audits included in an annual
audit plan?
Which of the following is LEAST likely to be included in a review to assess the risk of fraud in application systems?
An IS auditor discovers evidence of fraud perpetrated with a manager's user id. The manager had written the
password, inside his/her desk drawer. The IS auditor should conclude that the:

Which of the following situations would increase the likelihood of fraud?

Neural networks are effective in detecting fraud, because they can:


The FIRST step in managing the risk of a cyber-attack is to:
Which of the following refers to imaging of original media in presence of an independent third party?
As a measure of IT General controls, an organization decides to separate those who can input data from those that
can reconcile or approve data. Is this a good move? Why?

A holistic approach to deterrence & prevention of fraud would be:

After initial investigation, IS auditor has reasons to believe that there is possibility of fraud, the IS auditor has to:
Who is responsible for establishing right structure of decision-making accountabilities
The MOST important benefit of implementing Governance of Enterprise IT is:

The primary objective of Corporate Governance is:


The ultimate objective of Governance of Enterprise IT is to ensure that IT activities in an enterprise are directed and controlled to achieve business objectives for meeting the needs of:
Which of the following is a key component of Corporate Governance?

Effective Governance of Enterprise IT requires processes to ensure that:


Business Governance helps the Board by enabling them to understand:

The effectiveness of the IT governance structure and processes are directly dependent upon level of involvement of

Which of the following is one of the key benefits of EGIT?


Which of the following is the primary objective for implementing ERM?
The most important requirement for IT governance function to be effective is:
The MOST important benefit of implementing IT risk management process is that it helps in:
Which of the following is a major risk factor?
The level to which an enterprise can accept financial loss from a new initiative is:
Designing and implementing a control to reduce the likelihood and/or impact of risk materializing is a:
Which of the following is a valid risk statement?
Which of the following is primary reason for periodic review of risk? The changes in:
Which of the following is a strategic IT risk?
Which of the following is the most essential action after evaluation of inherent risks?
Which of the following is most important resource of the organization?
Which of the following is most important characteristic of policies?
Primary function of a process is to:
Effective organizational structure focuses on:
Prioritization of IT initiatives within organization is primarily based on:
Primary objective of IT steering committee is to:

Which of the following is best control for building requisite skills and competencies within organization?
Which of the following is best approach for monitoring the performance of IT resources?
Performance monitoring using a balanced scorecard is most useful since it primarily focuses on:
Which of the following is considered as an example of a lead indicator?
The PRIMARY objective of baselining IT resource performance with business process owners is to:
Which of the following is BEST measure to optimize performance of skilled IT human resources?
IT resource optimization plan should primarily focus on:

The PRIMARY objective of implementing performance measurement metrics for information assets is to:

Which of the following is the PRIMARY purpose of optimizing the use of IT resources within an enterprise?

While monitoring the performance of IT resources the PRIMARY focus of senior management is to ensure that:
An organization is considering deploying an application using cloud computing services provided by a third party service provider. The MAIN advantage of this arrangement is that it will:
Which of the following is MOST important to have in a disaster recovery plan?

Which of the following BEST describes difference between a DRP and a BCP? The DRP:
The MOST significant level of BCP program development effort is generally required during the:

An advantage of the use of hot sites as a backup alternative is:

All of the following are security and control concerns associated with disaster recovery procedures EXCEPT:

As updates to an online order entry system are processed, the updates are recorded on a transaction tape and a
hard copy transaction log. At the end of the day, the order entry files are backed up onto tape. During the backup
procedure, the disk drive malfunctions and the order entry files are lost. Which of the following are necessary to
restore these files?

An IS auditor reviewing an organisation's information systems disaster recovery plan should verify that it is:
Which of the following offsite information processing facility conditions would cause an IS auditor the GREATEST
concern?
Which of the following methods of results analysis, during the testing of the business continuity plan (BCP), provides the BEST assurance that the plan is workable?

The MOST significant level of effort for business continuity planning (BCP) generally is required during the:
Which of the following is not a function of the operating system?
Which of the following represents the hierarchy of controls from highest level to lowest level?
Q4. Which of the following is a benefit of using callback devices?

Q5. Which of the following is the best choice to ensure that internal control objectives are met?
Q6. Which of the following is not one of the three major control types?
Q7. What is the correct sequence for benchmark processes in business process reengineering (BPR) projects?
Q8. When an individual in an IT department performs more than one role, which one of the following poses the greatest risk?
Q9. Who is responsible for designating the appropriate information classification level?
Q10. Which of the following protocols is likely to be used for monitoring the health of the network?

Q11. Which of the following data validation edits is effective in detecting transposition and transcription errors?
Q12. Which type of network device directs packets through the Internet?
Q13. Which of the following helps to gain a clear understanding of the business process while developing a business continuity plan?
Q14. An offsite information processing facility having electrical wiring, air conditioning and flooring, but no
computer or communications equipment is a:
Q15. What is the best way to ensure that organizational policies comply with the legal requirements?

Q16. Which of the following is a list of OSI model levels from the top down?
Q17. Which is the name of the decentralized control method enabling someone to make a decision based on their
own options?

Q18. Which of the following is the MOST important element for the successful implementation of IT governance?
Q19. Using public-key interchange (PKI) encryption, which key is used by the sender for authentication of the
receiving party?
Q20. What is the purpose of the Address Resolution Protocol (ARP)?

Which of the following control classifications identifies the cause of a problem and minimizes the impact of a threat?

Which of the following is NOT generally considered a category of Audit Risk?

Which of the following are most commonly used to mitigate risks discovered by organizations?
Which of the following is not a type of internal controls

What is the term for the rate at which the opinion of the IS Auditor would change if he selects a larger sample size?

Which of the following cannot be classified as Audit Risk?

After you enter a purchase order in an on-line system, you get the message, “The request could not be processed due to lack of funds in your budget”. This is an example of which error?

Q.9. When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that

Reviewing management's long-term strategic plans helps the IS auditor:


Which of the following forms of evidence would be considered to be the most reliable when assisting an IS Auditor
develop audit conclusion?

During the review of the controls over the process of defining IT service levels, an IS Auditor would most likely interview the

Which of the following procedures would an IS Auditor not perform during pre-audit planning to gain an understanding of the overall environment under review?

The first step the IS Audit Manager should take when preparing the annual IS audit plan is to:
The purpose of compliance tests is to provide reasonable assurance that:

IS Auditors are most likely to perform tests of internal controls if, after their evaluation of such controls, they
conclude that:

Which of the following is the least important factor in determining the need for an IS Auditor to be involved in a
new system development project?
Q.8. Each of the following is a general control concern EXCEPT:

Q.9. Which of the following types of audits requires the highest degree of data processing expertise?

A manufacturing company has implemented a new client/server system enterprise resource planning (ERP) system.
Local branches transmit customer orders to a central manufacturing facility. Which of the following controls would
BEST ensure that the orders are accurately entered and the corresponding products produced?

Q.1. What is one of the key tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs)?
Q.2. Find out the best process carried out using Computer Assisted Audit Tools (CAATs)?
Q.3. What can be ideally carried out using Computer Assisted Audit Tools (CAATs)?

Q.4. What is one of the key tests which can be ideally carried out using Computer Assisted Audit Tools?

Q.5. What is one of the key tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs)?

Q.6. What is one of the key tests which can be ideally carried out using Computer Assisted Audit Tools (CAATs)?
Q.7. Which is one of the most effective tools and techniques to combat fraud?

Q.8. An IS Auditor, concerned that application controls are not adequate to prevent duplicate payment of invoices,
decided to review the data processing files for possible duplicate payments. Which of the following
techniques/tools would be useful to the IS Auditor?
Q.9. Many automated tools are designed for testing and evaluating computer systems. Which one of the following
such tools impact the systems performance with a greater load and stress on the system?
The most appropriate type of CAAT tool the auditor should use to test security configuration settings for the entire
application systems of any organization is:

Q.1. Application controls shall include all except:

Q.2. As per the Income Tax Act, 1961 and banking norms, all fixed deposit holders of a bank need to submit their PAN or
Form 60/61 (a form as per the Income Tax Act/Rules). The bank, in its account opening form, has not updated the need for
Form 60/61 in case the PAN is not there. This defines which control lapse as per COBIT?

Q.3. In a public sector bank, while updating master data for advances given, the bank employee does not update
“INSURANCE DATA”. This includes details of the Insurance Policy, Amount Insured, Expiry Date of Insurance and other
related information. This defines which control lapse as per COBIT?

An emailed purchase order for 500 units was received as 5000 units. This defines which control lapse as per COBIT?

An IS Auditor processes a dummy transaction to check whether the system is allowing cash payments in excess of
Rs.20,000/-. This check by the auditor represents which of the following evidence collection techniques?
While auditing e-commerce transactions, the auditor’s key concerns include all except:
RBI instructed banks to stop cash retraction in all ATMs across India from April 1, 013. This was the result of a few ATM
frauds that were detected. This action by RBI can be best classified as:

Non-repudiation relates to all terms except one:

The company’s billing system does not allow billing to those dealers who have not paid the advance amount against the
proforma invoice. This check is best described as:

While posting a message on FACEBOOK, if the user posts the same message again, FACEBOOK gives a warning. The
warning indicates which control?

Which of the following business purposes can be met by implementing a data warehouse in an organisation?

Which of the following is a characteristic of a decision support system (DSS)?


Which of the following audit tools is MOST useful to an IS auditor when an audit trail is required?

A retail company recently installed data warehousing client software in multiple, geographically diverse sites. Due to
time zone differences between the sites, updates to the warehouse are not synchronized. This will affect which of
the following the most?
The cashier of a company has rights to create a bank master in TALLY. This error is a reflection of a poor definition for
which type of control:

An employee has left the company. The first thing to do is to:


As part of auditing the Information Security of a multinational bank, an auditor wants to assess the security of
information in ATM facilities. Under which privacy policy should he look for details pertaining to security guards and
CCTV surveillance of ATMs?

Neural Networks and Fuzzy Logic are classified under which category of Artificial Intelligence?

In an inter-school competition on Artificial Intelligence, four children develop software which performs the following
different functions respectively. Which of them is a correct example of the use of basic Artificial Intelligence?

Which business activities are strong contenders for conversion to e-commerce?

Which of the following factors should not be considered in establishing the priority of audits included in an annual
audit plan?

Which of the following is LEAST likely to be included in a review to assess the risk of fraud in application systems?

An IS auditor discovers evidence of fraud perpetrated with a manager's user id. The manager had written the
password, allocated by the system administrator, inside his/her desk drawer. The IS auditor should conclude that
the:

Which of the following situations would increase the likelihood of fraud?

Neural networks are effective in detecting fraud, because they can:

Q.6. The FIRST step in managing the risk of a cyber-attack is to


What generally includes the imaging of original media in the presence of an independent third party?

As a measure of IT General controls, an organization decides to separate those who can input data from those that
can reconcile or approve data. Is this a good move? Why?

9. What is also performed to assess the overall objectives within an organization, related to financial information
and assets safeguarding, efficiency and compliance?

A holistic approach to deterrence & prevention of fraud would be:

After initial investigation, the IS auditor has reasons to believe that there is a possibility of fraud. The IS auditor has to:
ANSWER

Ans. Level 0
Ans. Web based application development.
Ans. Data owner
Ans. Knowledge Software.

Ans. Sandwich Approach

Ans. Integrated Test facility

Ans. Least privileges


Ans. User views.
Data entry control
Ans. Incident.
Ans. Unit test.
Ans. Functional test

Ans. Structural test

Ans. Privilege creep

Ans. Integrity

Ans. Reliability.

indicate well known settings published by vendor


Spiral
Processing Control Procedures
Application, Presentation, Session
Non Functional
System needs to be configured and then someone needs to read the logs and respond

number of source lines of code


Project Sponsor
Routers

Usability Testing

Human Resource Department


Processing
All of the above
Disk Wiping / Risk Wiping
Program
Software Size Estimation
Plan Risk, Identify Risk, Analysis Risk, Plan Risk Response
SNMP
to find inconsistencies and errors

corrective maintenance
Unused space leftover after disk formatting
Detection of system penetration
Responsible to handle the integrity and security of information stored in the database

Device for preventing authorized users from accessing the LAN


plan risk, identify risk, analyse risk, plan risk response
viewing passwords
find the MAC address
ensure the correct response

pilot changeover
management review
software re engineering

bitstream image backup


possibility of the location being a technology crime scene

compensating control
reviewed by the management

all login accounts of the employee are terminated


Ans. Program
Ans. HR dept

Ans. Corrective maintenance


Ans. Processing control Procedures

Least Privileges
Data owner
Unused space leftover after disk formatting

Reliability
Processing Total

level 0
Service used to connect
Responsible to handle the Integrity
Ans : Hash Value
Ans : SQL injection

Ans : Data Lake

Ans : Avoid
Ans : Microsoft Power BI
Ans : Public

Ans : Back Door


Ans : Logic bomb

Ans : Cognitive computing


Ans : Transport mode

Ans : Peer to Peer

Ans : Wireless proximity reader

Ans : Trojan
Ans : Cross application macros
Ans : salami theft
Ans : Attack vector
Ans : IaaS

Ans : prescriptive analytics


Ans : Identification
Ans : prevent unauthorized entry
Early Stages of planning

Substantive test

Recovery

Recommend immediate approval of the policies in the management.


Allow call forwarding

Discretionary

IT Risk management

70B
the workload of the primary site is monitored to ensure adequate backup is available
CIO
Scope,skill,political
Formally report the weakness
Select the system with highest risk and plan acc
NA
perform a business impact analysis

cold site
the workload of the primary site is monitored to ensure adequate backup is available

formally report the weaknesses as observed


Restoration Phase
scope risk, skill risk, political risk

Sec. 70B
Testing to discover how many policy violations have occurred.

Business continuity Strategy

forensic audit
NA
the alternate facility will be available until the original information processing facility is restored
chief information officer (CIO)

backed by sufficient and appropriate audit evidences


Proper Implementation of change control

IT risk management
risk factors

business continuity plan

mitigate
can be used in a switchboard environment

check digit

NA

executive information system


the steering committee focuses the agenda on IT issues
audit hooks
Developers have access and can migrate
Expected Benefit Realization
Developers have access and can migrate data to the production environment
Control Standard
chief information officer (CIO)
risk factors

SIA 11

Performance
Areas of High risk.

Resources may not be allocated to the areas of highest concern.

Detection
Formally document the audit department’s plan of action

Corrective Controls
Be able to understand the system that is being audited
Controls
Implementing and enforcing good processes

Audit Risk
Administrative Risk

Prevention

Vulnerabilities and threats are identified

Gains an understanding of an organization's goals and objectives


A) Inform the management and expand the sample to get further evidence.

Report the same in his Audit Report if the finding is material.

Professional Independence

A confirmation letter received from a third party for the verification of an account balance.

Business Unit Manager


Perform compliance tests to determine if regulatory requirements are met

Perform a risk ranking of the current and proposed application systems to prioritize the IS audits to be conducted.
Controls are working as prescribed.

The control environment is poor

The number of lines of code to be written


Balancing of daily control totals
Systems software audits

Verifying production to customer orders

Identification of exceptional transactions based upon set criteria

Identify potential areas of fraud

Identify data which is inconsistent or erroneous

Perform various types of statistical analysis

Establishing whether the set controls are working as prescribed

Establishing relationship between two or more areas & identify duplicate transactions
Computer Assisted Audit Techniques (CAAT)

Generalized audit software.

Statistical software packages

Utility Software

It is part of the IS Auditor’s responsibility to implement the same

Source Data Preparation and Authorisation


Accuracy, Completeness and Authenticity Checks

Review policy to see if a formal exception process is required

Re-performance

Reconciliation

B. Rectification

B. Corrective Control

B. Dependency Check

D. Duplicate Check
D. Business decisions can be taken and future policies can be framed
based on actual transactional data.
B. DSS combines the use of models with non-traditional data access
and retrieval functions.
D. Snapshots

B. Data completeness

A. User Controls
B. Disable his/her access rights.

A. Physical Access and Security Policy


A. Cognitive Science

A. Predictive & self-learning word-processing software


A. Those that are paper-based, time consuming & inconvenient for
customers

D. Use of audit software


B. Likelihood of error

B. Perpetrator cannot be established beyond doubt.


A. Application programmers are implementing changes to
production programs.
C. Attack problems that require consideration of a large number of
input variables.
C. Identify critical information assets.
B. Preserve
A. Yes, it is a good move; it can help prevent unauthorised data
entry.

A. Strengthening of Governance and Management framework


A. Expand activities to determine whether an investigation is
warranted.
A. Senior management
D. Ensure strategic alignment of IT with business

C. Implement security policies and procedures using best practices.

B. Stakeholders
C. Transparency
D. the IT strategy extends the organization's strategies and
objectives.
C. key performance drivers

D. Board/senior management
B. Improved transparency and understanding of IT’s contribution to
business
A. Implement right level of controls.
C. Directing
B. ensuring residual risk is at acceptable level.
D. Change in government post elections.
C. Risk appetite
C. Risk treatment
D. Delay in servicing customers due to network congestion.
A. risk factors
D. Defer replacement of obsolete hardware.
A. Evaluate implemented controls.
C. Information and data
D. Non-intrusive and logical.
A. Act on input and generate output.
B. Delegating responsibility.
B. Expected benefit realization
A. Align IT initiatives with business

C. Conducting skill enhancement training


B. Monitor lead indicators with industry best practices
C. Customer perspectives
A. Number of gaps with respect to industry standard.
D. benchmark expected performance measurement.
A. Include personal development plan in job description.
B. Ensuring availability

C. determine contribution of assets to achievement of process goals.

A. To increase likelihood of benefit realization.


D. resources are allocated in accordance with expected
performance.

B. help in optimizing resource utilization.


A. Backup of compiled object programs

C. defines all needed actions to restore to normal operation after an un-planned incident whereas BCP only deals
with critical operations needed to continue working after an un-planned incident.
A. Early stages of planning.
D. That hot sites can be made ready for operation within a short
span of time.

D. Inability to resolve system deadlock.

A. The previous day's backup file and the current transaction tape

B. Regularly reviewed and updated.

A. Company name is clearly visible on the facility.

A. Quantitatively measuring the results of the test

4. Early stages of planning


2. Detection of system penetration
1. General, pervasive, detailed, application
1. Provide an audit trail

3. Suitable systems for tracking and reporting incidents are used


2. Deterrent
1. Plan, research, observe, analyze, adapt, improve

2. Business analysts are doing software functional testing


3. Data owner
2. SNMP

2. Check digit
2. Routers

1. Business continuity strategy

1. Cold site
4. Conduct compliance test regularly
3. Application, Presentation, Session, Transport, Network, Data-Link,
Physical

2. Discretionary

1. Identification of organizational strategies

3. Recipient’s public key


3. Find the MAC address

Corrective Controls

Scoping Risk

Controls
Administrative

Audit Risk
Administrative Risk

Prevention

vulnerabilities and threats are identified.

Gains an understanding of an organization's goals and objectives.


A confirmation letter received from a third party for the verification
of an account balance.

Business Unit Manager

Perform compliance tests to determine if regulatory requirements are met

Perform a risk ranking of the current and proposed application systems to prioritize the IS audits to be conducted

Controls are working as prescribed

The control environment is poor.

The potential benefits of the system.

Balancing of daily control totals.

Systems software audits

Verifying production to customer orders

Identification of exceptional transactions based upon set criteria

Identify potential areas of fraud


Identify data which is inconsistent or erroneous

Perform various types of statistical analysis

Establishing whether the set controls are working as prescribed

Establishing relationship between two or more areas & identify duplicate transactions
Computer Assisted Audit Techniques (CAAT)

Generalized audit software


Statistical software packages

Test Data

It is part of the IS Auditor’s responsibility to implement the same.

Source Data Preparation and Authorisation:

Source Data Preparation and Authorisation:

Transaction Authentication and Integrity

Re-performance
Confirmation

Rectification

Right to deny withdrawn.


Digital Signatures.
E-commerce
None of the above (correct)

Dependency Check

Duplicate Check
Business decisions can be taken and future policies can be framed
based on actual transactional data.
DSS combines the use of models with non-traditional data access and retrieval functions.
Snapshots

Data completeness
User Controls

Disable his/her access rights.


Physical Access and Security Policy

Cognitive Science

Predictive & self-learning word-processing software

Those that are paper-based, time consuming & inconvenient for customers

Use of audit software

Likelihood of error

Perpetrator cannot be established beyond doubt.

Application programmers are implementing changes to production programs.

Attack problems that require consideration of a large number of input variables.

Identify critical information assets.

Preserve

Yes, it is a good move; it can help prevent unauthorised data entry.

Strengthening of Governance and Management framework

Expand activities to determine whether an investigation is warranted.
