Auditing in a CIS Environment Mid Term With Solution


1. Which of the following statements are true?

I. In all cases, accounting firms could not provide advisory services or non-audit services upon the passage of SOX.
II. An internal audit is typically conducted by auditors who work for the organization, but this task may not be outsourced
to other organizations.

a. Both I and II
b. I only
c. II only
d. Both statements are false.

2. Which of the following statements are true?


I. To achieve independence, internal audit departments should report to the controller or its equivalent.
II. At all times, external auditors may cooperate with and rely on work performed by internal auditors.

a. Both I and II
b. I only
c. II only
d. Both statements are false.

3. Which of the following statements are true?


I. Audit committee is a subcommittee of the board of directors that usually consists of three people who should be outsiders.
II. The auditor expresses an opinion as to whether the FS are in conformity with GAAS.

a. Both I and II
b. I only
c. II only
d. Both statements are false.

4. Which of the following statements are true


I. Assertions are used by auditors to develop their audit objectives and design audit procedures
II. Audit risk is the probability that the auditor will render an unqualified opinion on financial statements that are, in fact, materially misstated.

a. Both I and II
b. I only
c. II only
d. Both statements are false.

5. Which of the following statements are true?


I. Errors are intentional misrepresentations.
II. Inherent risk and planned detection risk are inversely related; i.e., as inherent risk increases, planned detection risk
should decrease.

a. Both I and II
b. I only
c. II only
d. Both statements are false.

6. Which of the following statements are true?


I. The most important element of the audit risk model is control risk.
II. The weaker the internal control structure, the greater the control risk and the more substantive testing the auditor must
perform.

a. Both I and II
b. I only
c. II only
d. Both statements are false.

7. Which of the following statements are true?


I. The establishment and maintenance of an internal control is an important management obligation.
II. The internal control system should achieve the four broad objectives regardless of the data processing method used.

a. Both I and II
b. I only
c. II only
d. Both statements are false.

8. Which of the following statements are true?


I. Prior to the passage of SOX, external auditors were not required to test internal controls as part of their attest function.
II. COSO identifies two broad groupings of IT controls: application controls and general controls.

a. Both I and II
b. I only
c. II only
d. Both statements are false.

9. Which of the following statements are true?


I. The purpose of access controls is to ensure that only authorized personnel have access to the firm’s assets.
II. Organizations must maintain audit trails.

a. Both I and II
b. I only
c. II only
d. Both statements are false.

10. Which of the following statements are true?

I. In small organizations that lack sufficient personnel, management must compensate for the absence of segregation
controls with close supervision.
II. Segregation of incompatible tasks should be physical as well as organizational.

a. Both I and II
b. I only
c. II only
d. Both statements are false.

11. Auditing standards differ from auditing procedures in that procedures relate to
a. Measure of performance.
b. Audit principles.
c. Acts to be performed.
d. Audit judgments.

12. The first general standard of generally accepted auditing standards which states, in part, that the examination is to be performed
by a person or persons having adequate technical training, requires that an auditor have
a. Education and experience in the field of auditing.
b. Ability in the planning and supervision of the audit work.
c. Proficiency in business and financial matters.
d. Knowledge in the areas of financial accounting.

13. The first standard of field work, which states that the work is to be adequately planned, and assistants, if any, are to be properly
supervised, recognizes that
a. Early appointment of the auditor is advantageous to the auditor and the client.
b. Acceptance of an audit engagement after the close of the client's fiscal year is generally not permissible.
c. Appointment of the auditor subsequent to the physical count of inventories requires a disclaimer of opinion.
d. Performance of substantial parts of the examination is necessary at interim dates.

14. Which of the following best describes the reason why an independent auditor reports on financial statements?
a. A management fraud may exist and is more likely to be detected by independent auditors.
b. Different interests may exist between the company preparing the statements and the persons using the statements.
c. A misstatement of account balances may exist and is generally corrected as the result of the independent auditor's work.
d. Poorly designed internal control may exist.

15. What is the general character of the three generally accepted auditing standards classified as general standards?
a. Criteria for content of the F/S and the auditor's report.
b. Criteria of audit planning and supervision and evidence gathering.
c. The need to maintain an independence in mental attitude in all matters relating to the assignments.
d. Criteria for competence, independence and professional care of individuals performing the audit.

16. Proper segregation of functional responsibilities calls for separation of the


a. Authorization, approval and execution functions.
b. Authorization, execution and payment functions.
c. Receiving, shipping and custodial functions.
d. Authorization, recording and custodial functions.

17. The definition of internal control developed by the Committee of Sponsoring Organizations (COSO) and included in the professional standards includes the reliability of financial reporting, the effectiveness and efficiency of operations and
a. Compliance with applicable laws and regulations.
b. Effectiveness of prevention of fraudulent occurrences.
c. Safeguarding of entity assets.
d. Incorporation of ethical business practice standards.

18. Which of the following is not a factor included in the control environment?
a. Integrity and ethical values.
b. Risk assessment.
c. Commitment to competence.
d. Organizational structure.

19. Monitoring is considered


a. A component of internal control.
b. An element of the control environment.
c. The primary asset safeguarding technique.
d. A portion of information and communication.

20. Which statement is correct concerning the definition of internal control developed by the Committee of Sponsoring Organizations
(COSO)?
a. Its applicability is largely limited to internal auditing applications.
b. It is recognized in the Statement on Auditing Standards.
c. It emphasizes the effectiveness and efficiency of operations rather than the reliability of financial reporting.
d. It suggests that it is important to view internal control as an end product as contrasted to a process or means to obtain an
end.

21. The independent auditor selects several transactions in each functional area and traces them through the entire system, paying
special attention to evidence about whether or not the control features are in operation. This is an example of a
a. Control test.
b. Tests of controls
c. Substantive test
d. Functional test.

22. Which of the following most likely would give the most assurance concerning the valuation assertion of accounts receivable?
a. Tracing amounts in the subsidiary ledger to details on shipping documents.
b. Comparing receivable turnover ratios to industry statistics for reasonableness.
c. Inquiring about receivables pledged under loan agreements.
d. Assessing the reasonableness of the allowance for doubtful accounts.

23. In auditing accounts payable, an auditor's procedures most likely would focus primarily on management's assertion of
a. Existence or occurrence.
b. Presentation and disclosure.
c. Completeness.
d. Valuation or allocation.

24. Which of the following is an inherent limitation in internal control?
a. Incompatible duties.
b. Lack of segregation of duties.
c. Faulty human judgment.
d. Lack of an audit committee.

25. Which of the following statements is correct regarding internal control?


a. A well-designed internal control environment ensures the achievement of an entity's control objectives.
b. An inherent limitation to internal control is the fact that controls can be circumvented by management override.
c. A well-designed and operated internal control environment should detect collusion perpetrated by two people.
d. Internal control is a necessary business function and should be designed and operated to detect all errors and fraud.

26. IT governance is:


a. The process by which an enterprise’s IT is directed and controlled
b. The evaluation of computers and information processing not as key resources
c. Management only involved in making decisions
d. User dominance in IT decision making

27. Which of the following is not a category of an application control?


a. Processing controls.
b. Output controls.
c. Hardware controls.
d. Input controls.

28. Which recent federal law was developed and passed by U.S. lawmakers in reaction to the recent financial frauds such as Enron, WorldCom, and others?
a. Foreign Corrupt Practices Act
b. Security and Exchange Commission Act
c. Sarbanes–Oxley Act
d. Computer Fraud and Abuse Act

29. Governance processes are needed to:


a. Ensure new technology is approved by the appropriate groups.
b. Ensure projects are completed on time, on budget, and with full functionality.
c. Ensure effective and efficient information technology operations.
d. Ensure the effective use of resources and alignment with business objectives.

30. A disadvantage of distributed data processing is


a. The potential for hardware and software incompatibility among users
b. The increased time between job request and job completion
c. That users are not likely to be involved.
d. That data processing professionals may not be properly involved.

31. Which of the following is not a control implication of DDP?


a. Redundancy
b. User satisfaction
c. Incompatibility
d. Lack of standards

32. Which of the following disaster recovery techniques may be least optimal in the case of a disaster?
a. Empty shell
b. Mutual aid pact
c. Internally provided backup
d. They are all equally beneficial

33. Which of the following is a feature of fault tolerance control?


a. Interruptible power supplies
b. DDP
c. RAID
d. MDP

34. Which of the following disaster recovery techniques has the least risk associated with it?
a. Empty shell
b. Internally provided backup
c. ROC
d. They are all equally risky

35. Which of the following is not a potential threat to computer hardware and peripherals?
a. Carbon dioxide fire extinguishers
b. Low humidity
c. Water sprinkler fire extinguishers
d. High humidity

36. The following are examples of commodity assets except


a. Network management
b. Systems development
c. Systems operations
d. Server maintenance

37. Which of the following is true?


a. Core competency theory argues that an organization should outsource specific core assets
b. Core competency theory argues that an organization should focus exclusively on its core business competencies
c. Core competency theory argues that an organization should not outsource specific commodity assets
d. Core competency theory argues that an organization should retain certain specific non core assets in house

38. The following are examples of natural disasters except


a. Fire
b. Flood
c. Tornado
d. Sabotage

39. Which of the following would strengthen organizational control over a large-scale data processing center?
a. Having the database administrator report to the manager of computer operations
b. Assigning maintenance responsibility to the original system designer who best knows its logic
c. Requiring the systems development group to run the applications and enter data.
d. Requiring a corporate group to establish and distribute appropriate standards to user areas.

40. Which of the following organizational functions is not included in data processing?
a. Conversion
b. Computer operation
c. Data library
d. Data dictionary

41. To determine that user ID and password controls are functioning, an auditor would most likely:
a. Attempt to sign on to the system with invalid user identification and passwords.
b. Write a computer program that simulates the logic of the client’s access control software.
c. Extract a random sample of processed transactions and ensure that the transactions were appropriately authorized.
d. Examine statements signed by employees stating they have not divulged their user identifications and password to any
other person.

42. Which of the following is a computer program that appears to be legitimate but performs some illicit activity when it is run?
a. Hoax virus.
b. Logic bomb.
c. Worm.
d. Trojan horse.

43. An audit trail


a. Is used to make backup copies
b. Is the recorded history of operations performed on a file
c. Can be used to restore lost information
d. none of the above

44. Which of the following is a malicious program, the purpose of which is to reproduce itself throughout the network and produce a denial of service attack by excessively utilizing system resources?
a. Worm.
b. Logic bomb.
c. Trojan horse.
d. Virus.

45. Which of the following risks is not greater in an EDI environment than in a manual system using paper transactions?
a. Inadequate backup and recovery capabilities.
b. Duplicate transaction processing.
c. Unauthorized access and activity.
d. Higher cost per transaction.

46. An overall description of a database, including the names of data elements, their characteristics, and their relationship to each
other would be defined by using a:
a. Data command interpreter language.
b. Data manipulation language.
c. Data definition language
d. Data control language

47. Which of the following is likely to be a benefit of EDI?


a. Decreased requirements for backup and contingency planning.
b. Improved business relationships with trading partners.
c. Increased transmission speed of actual documents.
d. Decreased liability related to protection of proprietary business data.

48. A device used to connect dissimilar networks is a:


a. Wiring concentrator.
b. Router.
c. Gateway.
d. Bridge.

49. Which of the following statements are correct regarding the internet as a commercially viable network?
I. Organizations must use firewalls if they wish to maintain security over internal data.
II. Companies must apply to the Internet to gain permission to create a Home Page to engage in electronic commerce.
III. Companies that wish to engage in electronic commerce on the Internet must meet required security standards established by the coalition of Internet providers.

a. I and III.
b. II only.
c. III only.
d. I only.

50. Encryption protection is least likely to be used in which of the following situations:
a. When transactions are transmitted over local area networks.
b. When wire transfers are made between banks.
c. When financial data are sent over dedicated, leased lines.
d. When confidential data are sent by satellite transmission.

51. Passwords for personal computer software programs are designed to prevent
a. Incomplete updating of data files.
b. Unauthorized use of software.
c. Inaccurate processing of data.
d. Unauthorized access to the computer.

52. Use of unlicensed software in an organization


I. Increases the risk of introducing viruses into the organization.
II. Is not a serious exposure if only low-cost software is involved.
III. Can be detected by software checking routines that run from a network server.

a. I only.
b. I and II only.
c. I, II, and III.
d. I and III only.

53. There are several kinds of hardware and software for connecting devices within a network and for connecting different networks
to each other. The kind of connection often used to connect similar networks is a:
a. Wiring concentrator.
b. Router.
c. Bridge.
d. Gateway.

54. Query facilities for a database system would most likely include all of the following, except:
a. a data validity checker
b. a query by-example interface.
c. Data dictionary access.
d. Graphical output capability

55. A company with several hundred stores has a network for the stores to transmit sales data to headquarters. In order to accommodate the large volume of transmission, large stores have their own satellite receiving/transmitting stations. Small stores use leased lines. The information systems and audit directors agreed on the need to maintain security and integrity of transmissions and the data they represent. The best means of ensuring the confidentiality of satellite transmissions would be:
a. Cyclic redundancy checks.
b. Virtual private network.
c. Encryption.
d. Firewall.

56. A department store company with stores in 11 cities is planning to install a network so that stores can transmit daily sales by item to headquarters and store salespeople can fill customer orders from merchandise held at the nearest store. Management believes that having daily sales statistics will permit better inventory management than is the case now with weekly deliveries of sales reports on paper. Salespeople have been asking about online inventory availability as a way to retain the customers that now go to another company’s stores when merchandise is not available. The planning committee anticipates many more applications so that in a short time the network would be used at or near its capacity.
The best kind of network for this application is:

a. Private branch exchange.
b. Wide area network.
c. Local area network.
d. Value added network

57. The best preventive measure against a computer virus is to


a. Compare software in use with authorized versions of the software.
b. Prepare and test a plan for recovering from the incidence of a virus.
c. Execute virus exterminator programs periodically on the system.
d. Allow only authorized software from known sources to be used on the system.

58. An insurance firm uses a WAN to allow agents away from the home office to obtain current rates and client information and to submit approved claims using notebook computers and dial-in modems. In this situation, which of the following methods would provide the best security?
a. Dedicated phone lines.
b. Call-back features.
c. Frequent changes of user IDs and passwords.
d. End-to-end data encryption.

59. In addition to controls over access, processing, program changes and other functions, a computerized system needs to establish
an audit trail of information. Which of the following would generally not be included in an audit trail log designed to summarize
unauthorized system access attempts?
a. A list of authorized users.
b. The terminal used to make the attempt.
c. The data in the program sought.
d. The type of event or transaction attempted.
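
Worked example for items 41 and 59 (added to this copy of the exam; it is not part of the original, and the user name, terminal identifiers, lockout threshold and log fields are constructed). The sign-on routine below records every attempt with the fields an audit trail of unauthorized access needs: who, from which terminal, what type of event, against which resource. The list of authorized users stays in the access control table, not in the log. run_audit_test() performs the compliance test from item 41: it attempts sign-ons with an unknown user id, with wrong passwords past the lockout threshold, and with the correct password against the now-locked account, then summarizes the denied attempts from the trail.

```python
"""Sign-on control with an audit trail of access attempts.

Added example, not part of the exam. The user names, terminal identifiers,
the lockout threshold and the log fields are constructed for illustration.
"""
import hashlib
import hmac
import os
from collections import Counter

MAX_FAILED = 3  # assumed policy: lock the account after this many bad passwords


class AccessControl:
    def __init__(self):
        self.accounts = {}   # user -> {"salt", "hash", "failed", "locked"}
        self.audit_log = []  # one entry per sign-on attempt, granted or denied

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = {"salt": salt, "hash": self._hash(password, salt),
                               "failed": 0, "locked": False}

    def _log(self, outcome, user, terminal, event, resource):
        # Who, from where, what was attempted and against what: the fields an
        # audit trail of unauthorized attempts needs. The list of authorized
        # users lives in the access control table, not in the log.
        self.audit_log.append({"outcome": outcome, "user": user, "terminal": terminal,
                               "event": event, "resource": resource})

    def sign_on(self, user, password, terminal, resource="LOGIN"):
        acct = self.accounts.get(user)
        if acct is None:
            self._log("DENIED", user, terminal, "unknown user", resource)
            return False
        if acct["locked"]:
            self._log("DENIED", user, terminal, "locked account", resource)
            return False
        if hmac.compare_digest(acct["hash"], self._hash(password, acct["salt"])):
            acct["failed"] = 0
            self._log("GRANTED", user, terminal, "sign-on", resource)
            return True
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED:
            acct["locked"] = True
        self._log("DENIED", user, terminal, "bad password", resource)
        return False


def unauthorized_summary(ac):
    """Exception report built from the audit trail: denied attempts by
    terminal and by type of event."""
    denied = [e for e in ac.audit_log if e["outcome"] == "DENIED"]
    return {"total_denied": len(denied),
            "by_terminal": dict(Counter(e["terminal"] for e in denied)),
            "by_event": dict(Counter(e["event"] for e in denied))}


def run_audit_test():
    """The compliance test from item 41: try to sign on with invalid
    credentials and confirm every attempt is refused and recorded."""
    ac = AccessControl()
    ac.add_user("jsmith", "correct-horse")
    attempts = [ac.sign_on("nobody", "anything", "T07")]           # unknown user id
    for _ in range(MAX_FAILED):                                    # wrong password, past lockout
        attempts.append(ac.sign_on("jsmith", "wrong", "T07"))
    attempts.append(ac.sign_on("jsmith", "correct-horse", "T02"))  # right password, but locked
    return attempts, unauthorized_summary(ac)


if __name__ == "__main__":
    results, summary = run_audit_test()
    print("all attempts refused:", not any(results))
    print(summary)
```

The test passes only if every invalid attempt returns False and the exception report shows four denials from terminal T07 and one from T02; a single True, or a missing log entry, is the control failure the auditor is looking for.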

60. A company uses a local area network (LAN) to connect its four city area sales offices to the headquarters office. Sales information such as credit approval and other customer information, prices, account information, etc. is maintained at headquarters. This office also houses the inventory and shipping functions. Each area office is connected to the headquarters’ office computer, and messages/information between the area offices pass through the headquarters’ computer. This communication configuration allows for real-time confirmations of shipments as well as billing and account status. The LAN described above is an example of which of the following LAN topologies?
a. Ring.
b. Hierarchical.
c. Fully interconnected.
d. Star

61. Which of the following operating procedures increases an organization’s exposure to computer viruses?
a. Frequent backup of files.
b. Encryption of data files.
c. Downloading public-domain software from websites.
d. Installing original copies of purchased software on hard disk drives.

62. An assault on a Web server to prevent it from serving its legitimate users is particularly devastating. Which of the following is the most difficult to counter?
a. DDoS
b. DoS
c. Smurf attack
d. SYN flood attack

63. Involves the receiver of the message returning the message to the sender.
a. Request-response technique
b. Call-back devices
c. Echo check
d. None of the above.

64. Hackers can disguise their message packets to look as if they came from an authorized user and gain access to the host’s network using a technique called
a. Spoofing
b. Dual-homed
c. IP spooling
d. Screening

65. A ping signal is used to initiate


a. URL masquerading.
b. DDoS
c. SYN flood attack
d. Smurf attack

66. This is the lowest level of the database and the only level that exists in physical form.
a. Physical view
b. Database table
c. Physical database
d. Schema

67. Which of these levels deals with entire database?


a. External level
b. Conceptual level
c. Internal level
d. schema

68. SQL stands for


a. Structured Query Language.
b. Sequential Query Language.
c. Structured Question Language.
d. Sequential Question Language

69. What are the key elements of database environment?


a. User, DBA, database schema, DBMS model, DBMS.
b. User, DBMS model, DBMS, physical database
c. User, DBMS, physical database, DBA, DBMS model.
d. User, DBA, physical database, DBMS, model,

70. If database has integrity, the


a. Software was implemented after extensive acceptance testing.
b. Database has only consistent data.
c. Database is secure from accidental entry.
d. Database and system have been reviewed by an external auditor.

71. Which of the following should not be the responsibility of a database administrator?
a. Develop applications to access the database.
b. Monitor and improve the efficiency of the database.
c. Protect the database and its software.
d. Design the content and organization of the database.

72. What language interface would a database administrator use to establish the structure of database tables?
a. Data control language.
b. Data manipulation language.
c. Data query language.
d. Data definition language.

73. To trace data through several application programs, an auditor needs to know what programs use the data, which files contain
the data, and which printed reports display the data. If data exist only in a database system, the auditor could probably find all of
this information in a
a. Database authorization table.
b. Data dictionary.
c. Data encryptor.
d. Database schema.

74. Partitioned databases are most effective when


a. Users require minimal data sharing among their distributed IT units.
b. Transaction processing time is improved.
c. Read-only access is needed at each site.
d. Can reduce the potential effects of a disaster.

75. For those instances where individual users may be granted summary and statistical query access to confidential data to which they normally are denied access, which type of control is most suitable?
a. User-defined procedure.
b. Inference controls.
c. Data encryption.
d. Biometric devices.
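
Worked example for item 75 (added; not part of the original exam; the payroll table, the threshold K and the attacker's two queries are constructed). Statistical access to confidential data is only safe if the DBMS stops a user from subtracting one aggregate from another to isolate a single record. The code runs the inference with no control in place, then the same two queries against a query-set-size control and an overlap control.

```python
"""Inference controls on statistical queries over confidential data.

Added example, not part of the exam. The payroll table, the threshold K and
the attacker's queries are constructed for illustration.
"""

# Constructed confidential data: employee -> (department, annual salary)
PAYROLL = {
    "alice": ("audit", 70000), "bob": ("audit", 65000),
    "carol": ("audit", 80000), "dan": ("audit", 72000),
    "dave": ("it", 90000), "erin": ("it", 95000),
    "frank": ("it", 88000), "grace": ("it", 91000),
}
K = 2  # assumed policy: minimum query-set size and minimum change between answered sets


class Refused(Exception):
    """Raised when an inference control blocks a statistical query."""


class StatisticalDB:
    def __init__(self, data, k=K):
        self.data = data
        self.k = k
        self.answered = []  # query sets already answered, for the overlap control

    def _query_set(self, predicate):
        return frozenset(name for name, (dept, salary) in self.data.items()
                         if predicate(name, dept, salary))

    def _total(self, query_set):
        return sum(self.data[name][1] for name in query_set)

    def sum_unrestricted(self, predicate):
        """Summary query with no inference control: any aggregate is answered."""
        return self._total(self._query_set(predicate))

    def sum_controlled(self, predicate):
        """Summary query behind two inference controls."""
        qs = self._query_set(predicate)
        n, total = len(qs), len(self.data)
        # Query-set-size control: a set that is very small, or so large that its
        # complement is very small, isolates individual records.
        if n < self.k or n > total - self.k:
            raise Refused(f"query set of {n} records outside [{self.k}, {total - self.k}]")
        # Overlap control: a set that differs from an already answered set by
        # fewer than k records lets the two answers be subtracted.
        for prev in self.answered:
            if 0 < len(qs ^ prev) < self.k:
                raise Refused("query set differs too little from an earlier answer")
        self.answered.append(qs)
        return self._total(qs)


def tracker_attack(db, method_name):
    """Try to infer dave's salary from two department aggregates using the
    named summary method. Returns the inferred value, or None if a control
    refused one of the queries."""
    summary = getattr(db, method_name)
    try:
        it_all = summary(lambda name, dept, salary: dept == "it")
        it_without_dave = summary(lambda name, dept, salary: dept == "it" and name != "dave")
    except Refused:
        return None
    return it_all - it_without_dave


def refused(db, predicate):
    """True if the controlled summary refuses this predicate."""
    try:
        db.sum_controlled(predicate)
    except Refused:
        return True
    return False


if __name__ == "__main__":
    print("no controls, dave's salary inferred:",
          tracker_attack(StatisticalDB(PAYROLL), "sum_unrestricted"))
    print("with controls:", tracker_attack(StatisticalDB(PAYROLL), "sum_controlled"))
```

The first query ("all of IT") passes the size control on its own; it is the second query, differing from the first by exactly one record, that the overlap control refuses. The complement attack (sum of everyone minus the sum of everyone except one person) is caught by the upper bound of the size control instead.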

76. The functions of database administrator are, among others:


a. Database planning, data input preparation and database operation.
b. Database input preparation, database operation and database design.
c. Database design, database operation and equipment operations.
d. Database design, database implementation and database planning.

77. Data can be corrupted and destroyed by malicious acts from external hackers, disk failure, program error and others. To recover from such events, organizations must provide backup copies of critical files. Which of the following is not a flat-file backup control?
a. GPC backup technique.
b. Checkpoint feature.
c. Direct access file backup
d. Off-site storage.
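
Worked example for item 77 (added; not part of the original exam; the balances, transaction files and three-generation retention are constructed). The grandparent-parent-child technique keeps the two prior master files and the transaction file that produced each, so a destroyed child can be recreated by rerunning the parent against its transactions.

```python
"""Grandparent-parent-child (GPC) backup of a sequential master file.

Added example, not part of the exam. The account balances, the transaction
files and the three-generation retention are constructed for illustration.
"""
from typing import Dict, List, Tuple

Master = Dict[str, int]         # account number -> balance
Transaction = Tuple[str, int]   # (account number, signed amount)


def apply_transactions(master: Master, transactions: List[Transaction]) -> Master:
    """Batch update in the sequential-file style: write a NEW master and
    leave the input master untouched, so it survives as the backup."""
    updated = dict(master)
    for account, amount in transactions:
        updated[account] = updated.get(account, 0) + amount
    return updated


class GpcBackup:
    """Retains the three newest master generations (grandparent, parent,
    child), each with the transaction file that produced it."""
    RETAIN = 3

    def __init__(self, initial_master: Master):
        self.generations: List[Tuple[Master, List[Transaction]]] = [(dict(initial_master), [])]

    @property
    def child(self) -> Master:
        return self.generations[-1][0]

    def update(self, transactions: List[Transaction]) -> Master:
        """Run an update: the old child becomes the parent, the new master the child."""
        self.generations.append((apply_transactions(self.child, transactions), list(transactions)))
        del self.generations[:-self.RETAIN]  # the oldest generation is released for reuse
        return self.child

    def recover_child(self) -> Master:
        """Child destroyed (disk failure, program error): rerun the parent
        against the saved transaction file to recreate it."""
        if len(self.generations) < 2:
            raise RuntimeError("no parent generation retained")
        parent, _ = self.generations[-2]
        _, transactions = self.generations[-1]
        rebuilt = apply_transactions(parent, transactions)
        self.generations[-1] = (rebuilt, transactions)
        return rebuilt


def demo() -> Tuple[Master, Master, int]:
    """Three update runs, then a simulated loss of the child and its recovery.
    Returns (child before loss, recovered child, generations retained)."""
    gpc = GpcBackup({"1001": 50000, "1002": 12000})
    gpc.update([("1001", -5000), ("1003", 700)])
    gpc.update([("1002", 3000)])
    gpc.update([("1001", 100)])  # fourth generation: the original master is released
    before_loss = dict(gpc.child)
    gpc.generations[-1] = ({"garbage": -1}, gpc.generations[-1][1])  # constructed corruption
    return before_loss, gpc.recover_child(), len(gpc.generations)


if __name__ == "__main__":
    before, recovered, retained = demo()
    print("recovered equals original:", before == recovered,
          "| generations retained:", retained)
```

Off-site storage of the parent and grandparent is what makes this a disaster control rather than only a disk-failure control; the rotation alone does nothing if all three generations sit in the same computer room.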

78. The following is not a database model


a. Network.
b. Relational.
c. Hierarchical.
d. None of the above.

79. A database language concerned with the definition of the whole database structure and schema is:
a. Data control language
b. Data manipulation language
c. Data definition language
d. Data dictionary
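
Worked example for items 46, 72, 73 and 79 (added; not part of the original exam; the revenue-cycle schema is constructed, and SQLite's own catalog stands in for a commercial DBMS's data dictionary). The DDL defines the tables and a view; data_dictionary() reads the element names, types and constraints back from the catalog, where_is() answers the auditor's question in item 73, and foreign_keys() reports the relationships between elements.

```python
"""Data dictionary from the DBMS catalog with sqlite3 (standard library).

Added example, not part of the exam. The revenue-cycle schema is constructed;
SQLite is used because it needs no server, and the catalog queries are its own.
"""
import sqlite3

# DDL: the DBA defines the structure of the tables and a view (items 72, 79).
SCHEMA_DDL = """
CREATE TABLE customer (
    cust_no      INTEGER PRIMARY KEY,
    name         TEXT NOT NULL,
    credit_limit NUMERIC
);
CREATE TABLE sales_order (
    order_no   INTEGER PRIMARY KEY,
    cust_no    INTEGER NOT NULL REFERENCES customer(cust_no),
    order_date TEXT,
    total      NUMERIC
);
CREATE TABLE shipment (
    ship_no    INTEGER PRIMARY KEY,
    order_no   INTEGER REFERENCES sales_order(order_no),
    cust_no    INTEGER REFERENCES customer(cust_no),
    shipped_on TEXT
);
CREATE VIEW open_orders AS
    SELECT o.order_no, c.name, o.total
    FROM sales_order o JOIN customer c ON c.cust_no = o.cust_no
    WHERE o.order_no NOT IN (SELECT order_no FROM shipment);
"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA_DDL)
    return conn


def data_dictionary(conn):
    """{object name: {"type": "table"|"view",
                      "columns": [(name, type, not_null, is_pk), ...]}}
    read from sqlite_master and the table_info pragma. The table-valued
    pragma form accepts a bind parameter, so no SQL string building is needed."""
    dictionary = {}
    objects = conn.execute(
        "SELECT name, type FROM sqlite_master WHERE type IN ('table', 'view') ORDER BY name")
    for name, obj_type in objects.fetchall():
        cols = conn.execute(
            'SELECT name, type, "notnull", pk FROM pragma_table_info(?) ORDER BY cid', (name,))
        dictionary[name] = {"type": obj_type,
                            "columns": [(c[0], c[1], bool(c[2]), bool(c[3])) for c in cols]}
    return dictionary


def where_is(conn, element):
    """Item 73: every table or view that carries the named data element."""
    return sorted(name for name, info in data_dictionary(conn).items()
                  if any(col[0] == element for col in info["columns"]))


def foreign_keys(conn, table):
    """Relationships between elements: (local column, referenced table, referenced column)."""
    rows = conn.execute(
        'SELECT "from", "table", "to" FROM pragma_foreign_key_list(?) ORDER BY id', (table,))
    return [tuple(r) for r in rows]


if __name__ == "__main__":
    db = build_db()
    for obj, info in data_dictionary(db).items():
        print(obj, info["type"], [c[0] for c in info["columns"]])
    print("cust_no appears in:", where_is(db, "cust_no"))
    print("sales_order references:", foreign_keys(db, "sales_order"))
```

Note that the view shows up in the dictionary alongside the tables, so a trace of order_no finds open_orders as well as sales_order and shipment; an auditor tracing a data element to the reports that display it needs the views, not only the base tables.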

80. A top-to-bottom relationship among the items in a database is established by a


a. hierarchical schema
b. network schema.
c. relational schema.
d. all of the above.
