IT Audit Manual-Volume.

1. The term ICT stands for

a. Information and Computer Technology b. International Communication Technology
c. International Communication Technology d. Information and Communication Technology

2. IT Audit is a process of collecting and evaluating evidence to determine whether a computer system has
been designed to
a. maintain data integrity b. safeguard assets
c. allows organisational goals to be achieved effectively and uses resources efficiently
d. All of the above

3. While evaluating the effectiveness of any system, IT auditors must know

i. his/her professional acquaintance
ii. the characteristics of users of the information system
iii. the decision making environment in the auditee organisation
iv. target group of the computer system

a. i and ii b. ii and iii

c. ii and iv d. All of the above

4. Pick the incorrect one regarding

a. Use of computer facilities has brought about radically different ways of processing, recording
and controlling information and has combined many previously separated functions.
b. The potential for material systems error has thereby been greatly decreased resulting
into saving great costs
c. Increasing use of computers for processing organisational data has added new scope to the
review and evaluation of internal controls for audit purposes
d. IT auditors need to evaluate the adequacy of internal controls in computer systems to mitigate
the risk of loss due to errors, fraud and other acts and disasters or incidents that cause the system to be
unavailable

5. Management’s goals and objectives in utilising technology to support business processes include
i. Confidentiality ii. Integrity
iii. Applicability iv. Reliability

a. i, ii and iii b. i, iii and iv

c. i, ii and iv d. All of the above

6. The protection of sensitive information from unauthorised disclosure is known

a. Confidentiality b. Reliability
c. Integrity d. Compliance

7. Stringent controls over access to the computer system depends upon

a. level of sensitivity to the data b. level of integrity of the data
c. both a&b d. None of the given

8. Pick the correct one

i. Integrity refers to ‘the accuracy and completeness of information as well as to its validity in
accordance with business values and expectations
1
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
 ii. Availability relates to information being available when required by the business process now and in the
future
iii. Reliability refers to the degree of consistency of a system or the ability of a system (or component)
to perform its required function under stated condition
iv. Compliance deals with complying with those laws, regulations and contractual obligations to which
the business process is subject, that is, externally imposed business criteria.

a. i, ii and iii b. ii, iii and iv

c. i, iii and iv d. All of the above

9. There is a potential risk that the organisation could incur penalties should
a. confidentiality of data not protected
b. integrity of data not observed
c. legal and regulatory procedures not be enforced.
d. in all the cases stated above.

10. A framework for all audits and auditors and define the mandatory requirements of the audit is
provided by the
a. professional standards b. auditors professional knowledge
c. legal and professional mandate d. computer system

11. Pick the correct one

i. The professional standards are a broad statement of auditors’ responsibilities and ensure that
auditors have the competence, integrity, objectivity and independence in planning, conducting
and reporting on their work.
ii. The guidelines supporting the professional standards assist the auditor to apply the
standards and provide examples that an IT Auditor might follow to meet these standards.
Iii. In addition to IT auditing standards, IT auditors need to be alert to other laws, regulations,
or other authoritative sources that may impact upon the conduct of an IT audit
iv. When determining the scope of issues to be addressed in any review of computer related
controls, IT auditors should consider issues of electronic data confidentiality, integrity, availability
and reliability

a. i, ii and iii b. ii, iii and iv

c. i, iii and iv d. All of the above

12. In the context of IT Audit CIS stands for

a. Centralised Information System b. Central Information System
c. Computerised Information system d. Computerised Inquiry System

13. Pick the correct one with respect to the objectives of undertaking an IT audit as a component
of a financial statement audit include to
i. understand how well management capitalises on the use of information technology to
improve its important business processes
ii. understand the pervasive effect of information technology on the client’s important
business processes, including the development of the financial statements and the business
risks related to these processes.
iii understand how the client’s use of information technology for the processing, storage and
communication of financial information affects the internal control systems and our consideration
of inherent risk and control risk

2
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
 iv. understand the effectiveness of controls over the information technology processes that
have a direct and important impact on the processing of financial information and suggest
alternative information technology platform for better business output

a. i, ii and iii b. ii, iii and iv

c. i, iii and iv d. All of the above

14. State whether true or false

The focus of the IT audit with respect to Performance Audit is to provide assurance that the IT
systems can be relied upon to help deliver those services. The efficiency and effectiveness of those
services are then examined from a non-IT perspective after considering the impact that IT has on the
ability of the organization to deliver those services
a. True b. False

15. IT controls involve

i. an entity’s board of directors ii. entity’s management
iii. entity’s top personnel iv. targeted beneficiaries

a. i, iii and iv b. ii, iii and iv

c. i, ii and iii d. All of the above

16. The objectives of IT audit include assessment and evaluation of processes that
a. Ensures asset safeguarding b. Ensures maintenance of requisite data or information
c. both d. None

17. Assets in IT Audit has been categorised into

i. Data b. People
c. User-friendly d. Facilities

a. i, ii and iii b. i, ii and iv

c. ii, iii and iv d. All of the above

18. Application system is

a. manual procedure b. programmed procedure
c. manual procedure minus programmed procedure
d. sum of manual and programmed procedures

19. Staff skills, awareness and productivity to plan, organize, acquire, deliver, support and monitor
information systems and services are come under which category of assets?
a. Facilities b. People
c. Resources d. Application System

20. Key attributes to data or information are

a. four b. five
c. six d. seven

21. Which of the following are key attributes of data or information

i. effectiveness b. efficiency
iii. availability d. conclusive

3
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
 a. i, ii and iii b. ii, iii and iv
c. i, ii and iv d. All of the above

22. IT Audit is all about examining whether the IT processes and IT Resources combine together to fulfil
the intended objectives of the organization while complying with the extant rules to ensure
i. Effectiveness ii. Efficiency
iii. Economy iv. Easiness

a. ii, iii and iv b. i, iii and iv

c. i, ii and iii d. All of the above
23. State whether true or false
The mandate of CAG of India for Systems Audit is governed under Sections 13 to 22 as the case may
be, read with Section 23 of this Act.
a. True b. False

24. Pick the incorrect one

a.CoBIT: Control Objectives for Information and Related Technologies
b.IFAC: International Federation of Accountants
c.ISACA: Information Systems Audit and Control Association
d.IIA: Institute of International Auditors

25. IT Controls in a computer system are

a. all the manual methods, policies and procedures that ensure the protection of the entity’s assets, the
accuracy and reliability of its records, and the operational adherence to the management standards.
b. all the programmed methods, policies and procedures that ensure the protection of the entity’s
assets, the accuracy and reliability of its records, and the operational adherence to the management
standards.
c. all the manual and programmed methods, policies and procedures that ensure the protection of the
entity’s assets, the accuracy and reliability of its records, and the operational adherence to the
management standards.
d. None of the given

26. When performing IT Control Audit, types of testing involved would be

i. compliance testing ii. Descriptive testing
iii. subjective testing iv. substantive testing

a. i and ii b. i and iv
c. ii, iii and iv d. All of the above

27. CAATs stands for

a. Computer Aided Audit Tools b. Computer Aided Audit Tests
c. Computer Audit & Accounts Tools d. Computer Audit & Accounts Tests

28. With the help of CAATs tools, IT auditor can plan for
a. 100 per cent compliance testing of auditee’s data.
b. 100 per cent substantive testing of auditee’s data.
c. 100 per cent both compliance and substantive testing of auditee’s data.
d. 100 per cent of either compliance or substantive testing of auditee’s data.

4
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
29. Application software and transaction data should be protected from unauthorised alteration by the use
of appropriate
i. physical access control ii. logical access control
iii. system access control iv. resource access control

a. i and ii b. i, ii and iii

c. ii and iv d. All of the above

30. Statement I-Once an application goes into production, programmers should no longer have access to
programs and data.
Statement II-If programmers are provided access, all activity should be logged, reported, and reviewed by an
independent group.
a. Only Statement I is correct b. Only Statement II is correct
c. Both Statement I and II are correct d. Neither Statement I nor Statement II is correct

31. Pick the correct one

a. Physical access controls include the installation of physical barriers to restrict access to the
organisation’s site, buildings, computer rooms and each piece of IT hardware.
b. Logical access controls are restrictions imposed by the computer software.
c. According to a survey conducted by the Institute of Internal Auditors, forty six percent of the
respondents indicated that one of the highest risks in IT systems relate to unauthorised access or
changes to data or systems
d. All of the above

32. Which demonstrates how a specific transaction was initiated, processed, and summarised?
a. Audit trail b. Audit log
c. transaction trail d. transaction log

33. Pick the incorrect one

a. The type of computer processing i.e. on-line, batch oriented, or distributed presents different levels
of inherent risk.
b. Dial-up access to a system increases the system's accessibility to additional persons and therefore
increases the risk of unauthorised access to computer resources.
c. Applications software developed in-house may have lower inherent risk than vendor-supplied
software that has been thoroughly tested and is in general commercial use.
d. Vendor-supplied software new to commercial use may not have been thoroughly tested or
undergone client processing to a degree that would encounter all existing flaws.

34. A forum of developers and users to exchange testing and acceptance criteria on new IT security
products has created by
a. National Institute of Design and Framework
b. National Institute of Standards and Technology
c. Indian Institute of Information and Technology
d. Indian Institute of Mass Level Communication

35. State whether true or false

Independent testing is important to identify design flaws that may have been overlooked by the
developer of a system.
a. True b. False

5
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
36. Statement I-Self-training is an efficient measure from the standpoint that end users tend to ask their
colleagues for help, which results in the saving of entity’s money and time
Statement II- An effective training program enhances support cost by a factor of three to six
comparing to self-training.
a. Only Statement I is correct b. Only Statement II is correct
c. Both Statement I and II are correct d. Neither Statement I nor Statement II is correct
.
37. Information Technology controls are used to mitigate the risks associated with
a. application systems b. IT environment
c. Both a & b d. Neither a nor b.
38. IT controls can be classified into two categories pick the correct one
a. General and Specific control b. General and Application controls
c. System and Application controls d. System and Environment controls

39. Pick the incorrect one regarding the components of General Controls
a. controls over data centre operations, system software acquisition and maintenance, access security,
and application system development and maintenance
b. IT policies, standards, and guidelines pertaining to IT security and information protection,
application software development and change controls, segregation of duties, business continuity
planning, IT project management, etc.
c. General IT controls are concerned with the organisation’s IT infrastructure, including any IT related
policies, procedures and working practices
d. controls that help to ensure the proper authorisation, completeness, accuracy, and validity of
transactions, maintenance, and other types of data input.
40. Pick the correct one regarding the categories of General Control
i. Organisation and management controls i.e.IT policies and standards
ii. IT operational controls iii. Physical controls (access and environment)
iv. Logical access controls

a. i and ii b. iii and iv

c. ii, iii and iv d. All of the above

41. Application controls pertain to specific computer applications. Application controls are closely related
to individual transactions. Pick the correct ones regarding components of Application controls
i. controls over the input of transactions ii. controls over processing
iii. controls over output iv controls over standing data and master files

a. i, ii and iii b. ii, iii and iv

c. i, iii and iv d. All of the above.

6
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
 IT Audit Manual Volume. I
Audit of General Controls

1. The major categories of general controls that an auditor should consider

i. controls for IT acquisition ii. program change controls
iii. business continuity and disaster recovery controls
iv. Master/Standing Data File controls

a. i, ii and iii b. i, ii and iv

c. ii, iii and iv d. All of the above

2. While conducting the audit of Organisational and Management Controls, in order to determine whether
the controls that the auditee organisation has put in place are sufficient to ensure that the IT activities are
adequately controlled, the IT auditor should ensure
i. IT planning and senior management involvement
ii. Personnel and training policies iii. People’s participation
iv. Internal audit involvement

a. i, iii and iv b. i, ii and iv

c. ii, iii and iv d. All of the above

3. Risk areas pertaining to Organisational and Management Controls are

i. Inadequate management involvement ii. Poor reporting structures
iii. Inappropriate or no IT planning iv. Ineffective internal audit function

a. i, iii and iv b. i, ii and iv

c. ii, iii and iv d. All of the above

4. Which shortcoming or risk area of Organisational and Management Controls affects the Principle of Going
Concern?
a. poor reporting structures b. Ineffective staff who do not understand their jobs
c. Inadequate management involvement d. All of the above

5. The ultimate responsibility for the safeguarding of the organisation’s assets rests with
a. Staff using the assets b. management
c. auditor d. beneficiary group.

6. Pick the correct one

(i) Management are responsible to the stakeholders, taxpayers, and citizens in the public sector.
(ii) Management sets policies to ensure that the risks to the assets are identified and adequately
managed. (iii) Management establishes and approves the policies. The policies are usually high level
statements of intent. The policies may feed into standards. Detailed procedures (and controls) flow from
the standards.
(iv) IT auditor may assess whether the entity’s organisational structure and the place of IT within the
structure is appropriate.

a. i, ii and iii b. ii, iii and iv

7
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
 c. i, iii and iv d. All of the above

7. To ensure that in IT Planning and implementation, there exists an active involvement of Senior Level
Management so that IT is given the proper recognition, attention or resources it requires to meet business
objectives. Also there exists a formal organisational IT structure with all staff knowing their roles and
responsibilities, preferably by having written down and agreed job descriptions. Pick the correct where the
involvement of senior level management is desired
i. Proposal approval ii. Analysis of design and development
iii Selection of product and supplier iv. Implementation and Post implementation review.

a. i, ii and iii b. ii, iii and iv

c. i, iii and iv d. All of the above

8. Pick the incorrect one

a. There should be a steering committee comprised of user representatives from all areas of the business,
including the IT department. The Steering Committee would be responsible for the overall direction of IT.
b. The IT Steering Committee would be responsible for issues beyond just the accounting and financial
systems
c. To be effective, the IT Steering Committee should draw its members from senior and middle
management. Membership should be drawn from all user departments within an organisation.
d. The future direction agreed by the IT Steering Committee is normally set out in a document known as
the IT tactical plan.

9. Statement I-The IT strategic plan is likely to affect current year’s audit to a minimum.
Statement II- A review of an organisation’s IT strategic plan could forewarn the IT auditor of problems
which may arise in later years

a. Statement I alone is correct b. Statement II alone is correct

c. Both the Statements a & b are correct d. Neither of the statement is correct

10. The organisation should develop information technology plans which reflect its corporate strategy and
match its information technology needs for a given future period. Notwithstanding the uniqueness of a business
perspective, an information technology plan must be based on the following
i. It should support and complement the business direction of an organisation.
ii. A planning horizon should be formulated that provides long-term direction and short-to-medium term
deliverables in a manner consistent with the business strategy.
iii. The planning process should recognize the capability and capacity of the organisation to deliver
solutions within the stated planning timeframe.
iv. It should provide a basis for measuring and monitoring performance

a. All of the above b. ii, iii and iv

c. i, iii and iv d. i, ii and iv

11. The organisation should develop information technology plans which reflect its corporate strategy and
match its information technology needs for a given future period. Notwithstanding the uniqueness of a business
perspective, an information technology plan must be based on the following
i. The scope of the plan should be established to facilitate formulation of effective strategies.
ii. Costs of implementation should be justified through tangible and intangible benefits that can be
realised.
8
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
 iii. It should be reassessed periodically and disseminated widely.
iv. Responsibility for implementing the plan should be explicit and Management commitment in
implementing the plan should be exhibited

a. i, ii and iv b. i, iii and iv

c. ii, iii and iv d. All of the above

12. A structured acquisition process provides a framework for ensuring that

i. there are no major omissions from a business, technical or legal standpoint
ii. the costs and resources for the acquisition process are appropriate and are efficiently deployed
ii. the validity of the business case in support of the acquisition is reaffirmed prior to selecting a solution
iv. there is no progressive buy-in to the new system as a result of user group involvement throughout the
acquisition process.

a. i, ii and iii b. i, iii and iv

c. ii, iii and iv d. All of the above

13. Critical risk elements involved in the process of acquisition of IT assets are as follows
i. In IT systems, the scale, cost and impact of an acquisition may have a strategic significance well beyond
the acquisition itself.
ii. Any serious misjudgement in the acquisition decision will impair not only the success of the underlying
IT project but, in addition, the potential business benefits that are anticipated.
iii. Acquisitions frequently involve a significant capital investment for an organisation.
iv. In addition to the investment, the opportunity cost of the capital employed and the time/resources
expended in the acquisition process add to the importance of the acquisition.

a. i, ii and iii b. i, iii and iv

c. ii, iii and iv d. All of the above

14. The importance of IT related acquisitions is usually directly proportional to their post, scale and
complexity. In general, the larger and more complex the acquisition, the higher will be its impact on, and
importance to, the business. In addition, the acquisition may be important to the business due to its
interrelationships with other IT projects. Accordingly, an IT auditor must see that the process adopted for
acquisition of IT Assets should encompass the following elements:
i. adherence to a structured approach, comprising all the key acquisition activities and deliverables,
timelines and milestones, project organisation and resources
ii. enunciation of objectives, including a concise statement of the business expectations from the
acquisition, detailed requirements, and specification of overall scope
iii. defined evaluation and selection criteria, particularly measurement scale, relative weights of all
criteria and the manner in which acquisition and project risks will be minimised
iv. commitment and support of executive management through a senior level project sponsor and, if
appropriate, the establishment of an acquisition steering committee

a. i, ii and iii b. i, iii and iv

c. ii, iii and iv d. All of the above

15. An IT auditor must see that the process adopted for acquisition of IT Assets should encompass the
following elements:

9
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
 a. participation from IT, users, consultants, legal and other interested parties, each with a defined set of
responsibilities with respect to the acquisition
b. compatibility with the organisation’s acquisition policies and procedures, including any applicable
regulatory guidelines.
c. both of the above
d. none of the above

16. Unauthorised working practices being adopted by IT staff, increase in the number of errors being made by
IT staff and the risk of system unavailability in case the system is complex and there is no technical
documentation are the control risk categorised under
a. Documentation and Document Retention Policies
b. Internal audit involvement
c. Personnel and Training
d. None of the given

17. Types of documentation an IT auditor should consider according to the audit approach
a. four b. two
c. three d. five

18. Pick the correct one

a. Controls reliant audit approach: evidence relating to individual transactions
b. Substantive testing: reconciliations, signatures, reviewed audit logs etc.
c. Both
d. None

19. Pick the incorrect non-audit requirement that should be taken into account by the organisation while
formulating documentation retention policies
a. end-user requirement b. import regulations
c. taxation regulations d. company legislation requirements The

20. Where the organisation summarises transactions into balances the auditor will need to
a. trace transactions from initiation through to their summarisation in the accounts
b. find or request an alternative audit trail, e.g. asking the organisation to produce a hard copy of the
transactions which make up the summarised balances.
c. either a or b
d. neither a or b

21. Who has the ultimate responsibility of ensuring that an adequate system of internal controls is in place?
a. Stakeholder b. User or beneficiary
c. Government d. Management

22. Risk areas associated with internal audit control perspective are
i. nor reporting to senior management ii. hiring and firing policies
iii. insufficient availability of resources iv. restriction on the scope of work

a. i, ii and iii b. i, iii and iv

c. ii, iii and iv d. All of the above

23. Pick the correct ones

10
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
 i. The external auditor may assess about the quality of internal audit’s work acceptable, in terms of
planning, supervision, review and documentation. This assessment will enable the auditor to decide if he
can use or place reliance on internal audit’s work.
ii. The external auditor can view the organisation’s internal audit function as part of the overall control
structure
iii. Internal audit staff shall not be used to provide direct audit assistance even under the supervision of
the external auditor.
iv. The external auditor should consider whether the IT audit department has the staff necessary to carry
out competent reviews on the organisation’s computer systems

a. All of the above b. ii, iii and iv

c. i, ii and iv d. i, ii and iii

24. Data protection and privacy legislation, computer misuse legislation to make attempted computer
hacking and unauthorised computer access a criminal offence, banking and finance regulations and copyright laws
to prevent theft & illegal copying of computer software are important compliance legal and regulatory provision
i. The legal and regulatory requirements will vary from one country to another.
ii. The legal and regulatory requirements will be uniform across the border.
iii. Non-compliance shall result into closure of the activity being undertaken by the entity.
iv. IT auditor should assess whether the organisation is aware of local requirements and have taken
appropriate measures to ensure compliance.

a. i and iv b. ii and iv
c. i, iii and iv d. All of the above

25. In the absence of strong personnel and training control mechanism, following risks are anticipated except
a. Outsourcing of works b. Fraud
c. Hardware/software failure d. Errors and omissions caused by people

26. The key ingredients of personnel policies and procedures are

i. a clear organisational structure supported by reporting lines/ charts
ii. job descriptions, staff planning and training and staff development
iii. hiring/firing policies (including codes of conduct)
iv. staff assessments (promotion/demotion)

a. ii, iii and iv b. i, ii and iv

c. i, iii and iv d. All of the above

27. When hiring new members of IT staff, the organisation would be expected to take account of
a background checks including taking up references and police verification
b. confidentiality agreements and codes of conduct
c. both a & b
d. None of the given

28. Pick the incorrect one

a. Staff assessment policies and procedures should be seen to be fair and equitable and understood by
all employees. The policies should be based on objective criteria and consideration should be given to
achievement, and conduct.

11
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
 b. Job rotation acts as a preventive control. Staff is less inclined to adopt unapproved working practices
or commit frauds if they know that their job are subject to rotation and taken over by someone else.
c. Segregation of duties ensures that transactions are properly authorised, recorded, and that assets are
safeguarded and activities are checked.
d. It should be ensured that computer systems may be able to enforce separation of duties through the
use of pre-programmed user and group security profiles

29. The ability to apply and enforce adequate separation of duties is largely dependent upon
i. the size of the IT department
ii. the number of computer staff involved
iii. the nature of work of the IT department
iv. the financial resources of the organisation

a. All of the above b. i and ii

c. iii and iv d. i, iii and iv

30. The desired segregation of duties in a large IT department includes

i. system design and programming ii. systems support
iii. routine IT operations iv. change management.

a. i, iii and iv b. i, ii and iv

c. ii, iii and iv d. All of the above
31. Statement I- The computer department should be physically and managerially separate from end users,
such as finance and personnel.
Statement II- It should be ensured that there is staff with dual IT department and finance department
duties to facilitate expeditious acquisition, support and review of performance on both the count

a. Statement I alone is correct b. Statement I alone is correct

c. Both the Statement I & II are correct d. Neither of Statements is correct

32. Separation of duties applies to

a. general controls environment b. specific applications or programs
c. both the general controls environment and to specific applications or programs
d. Neither the general controls environment and to specific applications or programs

33. Pick the correct ones

i. In many cases, the IT department will be divided into three broad types of activity-acquisition,
programming (systems and applications) and computer operations
ii. Staff should not have duties which fall into any of activity. Programming staff should not be allowed
access to live data files and programs.
iii. With the pressure to reduce the cost of IT functions, staff numbers are often reduced. This limits the
scope for segregated duties. If this is the case, then the auditor should adopt a pragmatic approach to
identifying weaknesses and providing recommendations
iv. Where the scope for segregated duties is limited the auditor should look for the existence of
compensating controls such as strong computer security and end user reconciliations

a. i, and ii b. ii, iii and iv

c. i, iii and iv d. All of the above

12
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
34. Computer operations refers to
a. the logistic and infrastructure aspects of hardware
b. the logistic and infrastructure aspects of software
c. the logistic and infrastructure aspects of hardware and software
d. None of the given

35. The roles of IT operations include the

i. capacity planning i.e. ensuring that the computer systems will continue to provide a satisfactory level of
performance in the longer term. This will involve IT operation staff having to make estimates of future
CPU requirements, disk storage capacity and network loads capacity.
ii. performance monitoring i.e. monitoring the day to day performance of the system in terms of
measures such as response time.
iii. initial program loading i.e. booting up the systems, or installing new software.
iv. help desk and problem management i.e. help desks are the day-to-day link between users with IT
problems and the IT department.

a. i, ii and iii b. i, ii and iv

c. ii, iii and iv d. All of the above

36. Poorly controlled computer operations are associated with the risks of
i. running of the programme in an incorrect manner
ii. loss or corruption to data files
iii. no-or minimum delay and disruption in processing
iv. lack of backups and contingency planning

a. i, iii and iv b. ii, iii and iv

c. i, ii and iii d. i, ii and iv

37. Service Level Agreement is

a. The structure and level of service agreement to drawn up by the IT department and enter into with
sub-departments of IT departments performing different functions
b. The structure and level of service agreement to drawn up by the IT department and enter into with rest
of the organisation i.e. user departments.
c. The structure and level of service agreement to drawn up by the IT department and enter into with the
targeted beneficiaries i.e. consumers
d. The structure and level of service agreement to drawn up by the IT department and enter into with
stakeholder of the organisation.

38. The structure and level of service specified in a Service Level Agreement will depend upon
i. the working practices ii. the competency of staff
iii. the nature of duties of IT department iv. requirements of each organisation

a. i and iii b. i and iv

c. i, ii and iii d. All of the above

39. A typical SLA would contain

i. general provisions including the scope of the agreement, its signatories, date of next review
ii. brief description of services i.e. functions applications and major transaction types
iii. maximum number of service failures and the maximum downtime per failure
13
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
 iv. compensatory provision when service failure and maximum downtime per failure exceed the agreed
level.

a. ii, iii and iv b. All of the above

c. i, ii and iii d. i, iii and iv

40. A typical SLA would contain

i. user support levels such as help desk details
ii. performance such as response times, turnaround times
iii. contingency such as brief details of plans
iv. security including compliance with the organisation’s IT security policy and restrictions i.e. maximum
number of transactions, users etc.

a. ii, iii and iv b. i, iii and iv

c. i, ii and iii d. All of the above

41. Statement I- There is an increasing trend for IT services to be delivered by third party service providers.
This is termed as outsourcing of the IT services
Statement II- This has arisen because IT is being seen as a core business activity.

a. Statement I alone is correct b. Statement II alone is correct

c. Both the Statement I & II are correct d. Neither of Statements is correct

42. Pick the incorrect one

a. Outsourcing allows management to concentrate their efforts on the main business activities as the
need for developing and maintaining the IT Systems are taken care of by the IT expert third
parties/agencies.
b. Outsourcing furthers safeguards from unauthorised access to the business secrets, important data and
other related facts.
c. The IT auditor should be concerned with reviewing the policies and procedures which ensure the
security of the organisation’s financial data by obtaining a copy of the contract.
d. None of the given

43. While conducting the audit of outsourcing of the services, the IT auditor should also focus on issues
related to IPR (Intellectual Property Rights) and evaluate
a. whether the programs etc. developed by outsourcing components to a third party are duly protected as
per contract terms
b. whether the programs etc. developed by outsourcing components to a third party are not prone to
outside use by other organisations.
d. whether the programs etc. developed by outsourcing components to a third party are duly protected
as per contract terms and are not prone to outside use by other organisations
c. whether the programs etc. developed by outsourcing components to a third party are compatible with
the requirement of the business objective and are not prone to outside use by other organisations.

44. Operations staff should be supervised by

a. the management b. the stakeholder
c. the legal and Government organisation d. All of the above

14
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
45. The organisation should have clear, documented operating procedures for all computer systems to
ensure their correct, secure operation. The documented procedures should be available for the detailed
execution of each job, and should include
i. the incorrect handling of data files
ii. scheduling requirements to ensure best use of IT resources
iii. instructions for handling errors or other exceptional conditions which might arise when jobs are run
iv. support contacts in the event of unexpected operational or technical difficulties

a. i, ii and iii b. ii, iii and iv

c. i, iii and iv d. All of the above

46. Documentation can be used by operations staff when they are

a. sure about how to carry out a procedure
b. required to perform the task on a voluminous level.
c. required to perform something not assigned before
d. unsure about how to carry out a procedure.

47. The IT auditor should be aware that the level and detail of documentation will vary from one organisation
to another, and will depend on factors such as
i. the size of the organisation ii. the type of hardware and software used
iii. the nature of the applications iv. the involvement of senior level management

a. ii, iii and iv b. i, iii and iv

c. i, ii and iii d. All of the above.

48. A range of controls is required where an organisation uses computer networks. Network managers should
ensure that there are appropriate controls to secure data in networks, and that the network is adequately
protected from unauthorised access. The controls may include
i. integration of duties of operators and network administrators
ii. establishment of responsibility for procedures and management of remote equipment
iii. monitoring of network availability and performance.
iv. requisite reports and utilities to measure system response time and down time

a. ii, iii and iv b. i, iii and iv

c. i, ii and iii d. All of the above

49. Risk areas of physical access control include

i. Fire/water damage or damage from other natural disasters
ii. Accidental or intentional damage by staff iii. Theft of computers or their individual components
iv. bypass of logical access controls e.g. having physical access to a fileserver can be exploited to bypass
logical controls such as passwords

a. i, ii and iii b. i, iii and iv

c. ii, iii and iv d. All of the above

50. Risk areas of environmental access control include

i. Power Cuts, leading to loss of data in volatile storage i.e. RAM
ii. Spikes: leading to system failures, processing errors, damage to components of equipment
iii. Static electricity: can damage delicate electrical components
15
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
 iv. Failure of equipment due to temperature or humidity extremes

a. i, ii and iii b. i, iii and iv

c. ii, iii and iv d. All of the above

51. Newer devices such as biometric devices use voice recognition, facial features, hand geometry,
fingerprints, retina scan etc. to control physical access to the system. The process is of
a. four types-one to one, one to many, many to one and many to many
b. three types- one to one, one to many and many to one
c. two types- one to many and many to one
d. single type-many to one

52. Pick the correct one regarding the process of physical access using biometric devices, voice recognition
etc.
a. One to many- where the identity of the person is disclosed first and then the biometric input is
compared to the specific data relating to that identity.
b. Many to one- where the biometric input is compared with the data available in the system to recognize
the person and to give access.
c. both a & b.
d. None of the above.

53. Risk of water damage is largely dependent on the location of the computer facilities. Some of the water
risk areas are
i. Office located near river-side, lake side or sea-side has more water risk
ii. Computer equipment located in close proximity to pipes and water tanks are at increased water risk.
iii Computer equipment located in basements or on floors immediately below or in the vicinity of water
are at increased water risk
iv. Automatic moisture detectors may reduce the water risk by alerting IT staff of potential water ingress.

a. All of the above b. ii, iii and iv

c. i, ii and iii c. i, iii and iv

54. “A system of measures and procedures, both within an organisation and in the software products used,
aimed at protecting computer resources (data, programs and terminals) against unauthorised access attempts.” is
related to
a. Physical Access Control b. Logical Access Control
c. System Access Control d. Environmental Access Control

55. i. Logical access controls can exist at both an installation and application level. Controls within the
general IT environment restrict access to the operating system, system’s resources and applications,
whilst the application level controls restrict user activities within individual applications.
ii. The importance of logical access controls is increased where physical access controls are more
effective.
iii. Logical access controls usually depend on the in-built security facilities available under the operating
system or hardware in use. Additional access controls can be gained through the appropriate use of
proprietary security programs.
iv. The most common form of logical access control is login identifiers (ids) followed by password
authentication.

16
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
 a. i, ii and iii b. ii, iii and iv
c. All of the above d. i, iii and iv

56. Where an organisation makes use of wide area networks and global facilities such as the Internet
a. logical access security is not desirable ii. logical access security is of less importance
c. logical access security is of particular importance
d. None of the given.

57. Pick the correct one

a. The Super User may reduce risks by a significant amount because they can by-pass established system
controls to undo any wrong doing.
b. Where the organisation’s systems are technically complex and the auditor does not have a working
knowledge of the organisation’s particular systems, the IT auditor may rely upon the mechanism of
internal control and help of super user may be sought.
c. Both a & b
d. None of the above

58. The critical elements of an access control mechanism should include

i. Classification of information resources according to their criticality and sensitivity
ii. Maintenance of a current list of authorised users and their access privileges
iii. Monitoring access, investigating apparent security violations, and take appropriate remedial action.
Resources
iv. Use of latest version by periodical up-gradation of system hardware and software in a timely manner

a. i, iii and iv b. i, ii and iii

c. ii, iii and iv d. All of the above

59. i. Any files containing master file or standing data information should also be protected.
ii. Unauthorised access to the source code of an application could be used to make amendments in the
programming logic leading to fraud, data loss, and corruption.
iii. Inadequate protection to password files may cause to leaking of logon identification and password and
considerable damage to the entity.
iv. System Software and Utilities consist of software such as editors, compilers, program debuggers.
Access to these should not be restricted as these tools could be used to guard against any amendments to
data files and application software is made.

a. i, ii and iii b. i, ii and iv

c. ii, iii and iv d. All of the above

60. Files used to record the actions of users and hence provide the system administrators and organisation
management with a form of accountability are called
a. System Files b. Action Files
c. Log Files d. Business Files

61. Which can be used to record changes to financial data i.e. who changed what data, from what to what
and when?
a. System Log b. Application Log
c. Transaction Log d. Report Log

17
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
62. Pick the incorrect one
a. The IT auditor should review of the change controls in order to gain assurance that the systems
continue to do what they are supposed to do and the controls continue to operate as intended.
b. Change refers to changes to the system software (operating system and any utilities) and individual
applications.
c. The scale of change can vary considerably and accordingly effect that a change has on the operation of
the system may be out of proportion to the size or scale of the change made.
d. None of the above

63. Which of the following is not reason for change

a. to enhance functionality b. to make systems operations easier, more efficient
c. to make income of entity judicially applied d. capacity planning

64. Which of the following are the reason for change

i. Problem rectification ii. Routine update
ii. Security improvement iv. Change in business, legal requirement

a. ii, iii and iv b. i, iii and iv

c. i, ii and iii d. All of the above

65. An adequate change control should be

i. authorised ii. Tested
iii. undocumented iv. un-intended to operate as desired

a. i and ii b. iii and iv

c. ii and iii d. i and iv

66. Risks associated with inadequate change control are

i. unauthorised changes be it accidental or deliberated
ii. Implementation problem iii. Error-free processing
iv. users’ dissatisfaction and problems in maintenance

a. i, ii and iii b. i,ii and iv

c. ii, iii and iv d. All of the above

67. The term RFC used in IT Audit Manual stands for

a. Reason for Change b. Reason for Computerisation
c. Request for Change d. Reliability for Change

68. It may be ensured in IT audit that the organisation’s procedures to control changes should include
i. Procedures for management authorisation
ii. Thorough testing after amended software is used in the live environment.
iii. The amended software is transferred or “transported” to the live environment authorised by
operations management
iv. The establishment of procedures for making emergency changes.

a. i, iii and iv b. i, ii and iii

c. ii, iii and iv d. All of the above

18
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
69. It may be ensured in IT audit that the organisation’s procedures to control changes should include
a. Management review of the effects of any changes and the preparation of fall-back plans (just in case
anything goes wrong)
b. Maintenance of adequate records
c. Both a & b
d. None of the above.

70. Pick the incorrect one

a. There should be procedures for recording all requests for change (RFC), preferably in a standard format
and/or data input screens.
b. The requests for changes should be logged and given a unique reference number based on the
sensitivity of the changes.
c. All RFCs should be allocated a priority rating to indicate the urgency with which the change should be
considered and acted upon.
d. None of the above

71. Pick the incorrect one

a. The task of determining change priority is normally the responsibility of a change control board or IT
steering committee.
b. The change board and steering committee make their views known via the Management.
c. The priority of changes is determined by assessing the cost of the change and impact on the business
and its resources.
d. None of the given

72. The objective of having a Business Continuity and Disaster Recovery Plan and associated controls is to
ensure
a. that the organisation can accomplish its mission and it would not lose the capability to process,
retrieve and protect information maintained in the event of an interruption or disaster leading to
temporary loss of computer facilities
b. that the organisation can accomplish its mission and it would not lose the capability to process,
retrieve and protect information maintained in the event of an interruption or disaster leading to
permanent loss of computer facilities
c. that the organisation can accomplish its mission and it would not lose the capability to process,
retrieve and protect information maintained in the event of an interruption or disaster leading to
temporary or permanent loss of computer facilities
d. None of the given.

73. The absence of a well-defined Business Continuity and Disaster Recovery Plan may pose risk and hamper
i. The organisation’s ability to accomplish its mission after re-starting its operations
ii. To retrieve and protect the information maintained.
iii. To keep intact all the organisational activities after the disaster.
iv. To start its operations on full scale at the earliest to minimise the business loss in terms of money,
goodwill, human resources and capital assets

a. i, ii and iii b. ii, iii and iv

c. i, iii and iv d. All of the above

74. The IT auditor while assessing the adequacy of business continuity and disaster recovery plan should
consider:
19
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
i. Evaluating the financial and other resources to determine to legality and competency of the business
continuity and disaster recovery plan documented by the business.
ii. Verifying that the business continuity and disaster recovery plans are effective to ensure that
information processing capabilities can be resumed promptly after an unanticipated interruption by
reviewing the results from previous tests performed, if any, by the IT organisation and the end users.
iii. Evaluating off site storage to ensure its adequacy by inspecting the facility and reviewing its contents
and security and environmental controls. It may be ascertained whether backups taken earlier have ever
been tested for data recovery by the auditee organisation.
iv. Evaluating the ability of IT and user personnel to respond effectively in emergency situations by
reviewing emergency procedures, employee training and results of their drills.

a. All of the above b. i, ii and iii

c. ii, iii and iv d. i, ii and iv

20
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
 IT Audit Manual Volume. I
Audit of Application Control

1. The controls that provide assurance that all transactions are valid, authorised, complete and recorded are
a. General Controls b. Application Controls
c. Utility Controls d. All of the above

2. Application controls are

a. general to computer system and does not have a direct impact on the processing of an individual
transactions
b. particular to an application and but does not have a direct impact on the processing of individual
transactions
c. general to computer system and have a direct impact on the processing of an individual
transactions
b. particular to an application and have a direct impact on the processing of individual transactions

3. Before getting on to evaluation of application controls, it will be necessary for an IT auditor to secure a
reasonable understanding of the system by preparing a brief including the following
i. indicating the major transactions ii. describing the transaction flow and main output
iii. list of the IT personnel given with logical access to application
iv. indicating the major data files maintained

a. i, ii and iv b. i, ii and iii

c. ii, iii and iv d. All of the above

4. Application controls may be divided into

i. Start-up controls ii. Processing controls
iii. Finish controls iv. Master/Standing Data File controls

a. iii and iv b. i and iii

c. ii and iv d. All of the above

5. The objective of Input control is to ensure that the procedures and controls reasonably guarantee that
i. the data received for processing are genuine, complete, not previously processed, accurate and
properly authorised
ii. data are entered accurately and without duplication.
iii. data are entered timely and punctually.
iv. data entered are duly filtered by IT Steering Committee

a. i and ii b. iii and iv

c. i, ii and iii d. All of the above
21
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
6. Weak input control may increase the risk of
i. entry of unauthorised data ii. data entered in to the application may be irrelevant
iii. complete data entry iv. entry of duplicate/redundant data.

a. ii, iii and iv b. i, iii and iv

c. i, ii and iv d. All of the above

7. While evaluating the input control mechanism, the IT auditor should ensure that
i. all prime input, including changes to standing data, is appropriately authorised.
ii. for on-line systems, the ability to enter data from a terminal is adequately restricted and controlled.
iii. if there is a method to prevent and detect duplicate processing of a source document.
iv. all authorised input has been submitted or, in an on-line system transmitted and there are procedures
for ensuring correction and resubmission of rejected data.

a. i, ii and iv b. ii, iii and iv

c. i, ii and iii d. All of the above

8. To place reliance on the automated controls the IT auditor would need to determine that the appropriate
levels of authority have been set up and that they have been working for the whole accounting period /
transaction cycle. This would involve except
a. looking at access matrices b. obtaining printout of user permissions
c. reviewing audit logs of changes in permissions
d. reviewing the output data to determine the genuineness of input data

9. The control mechanism to ensure completeness of input data are

i. manual procedures ii. the use of pre-numbered data input forms
iii. use of batch totals
iv establishing a routine tour to user department to verify the records

a. All of the above b. i, ii and iii

c. ii, iii and iv d. i, iii and iv

10. A collection of input documents which are treated as one group is called
a. Block b. Batch
c. Class d. Bunch

11. Statement I- Where it is possible to by-pass input control mechanism by entering or altering data from
outside the application, there should be automatic application integrity checks which would detect and
report on any external changes to data.
Statement II-The results of the installation review should be reviewed to ensure that the use of system
amendment facilities, such as editors, is properly controlled

a. Only Statement I is correct b. Only Statement II is correct

c. Both Statement I and II are correct d. Neither Statement I nor Statement II is correct

12. Pick the correct ones

22
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
 i. IT applications may have in-built controls which automatically check that data input is accurate and
valid. Validation may also be achieved by manual procedures such as double checking input
documents or review by a supervisor.
ii. The accuracy of data input to a system cannot be controlled by imposing a number of computerised
validity checks on the data presented to the system
iii. Automated validation checks should be sufficient to ensure that all data accepted into the system is
capable of acceptance by all subsequent processes, including acceptance into other systems where there
is an automatic transfer of data.
iv. Validation checks can reduce the risk of an application crashing because of logic errors arising when
attempting to process input data with values outside pre-defined limits

a. i, iii and iv b. ii, iii and iv

c. i, ii and iv d. All of the above

13. Format checks, validity checks, range checks, limit checks, check digits, compatibility checks, etc. are
some of programmed application controls pertaining to
a. Authorisation of input data b. Completeness of data input
c. validation of input data d. Matching of input data

14. Exception Report is

a. a computer report when one transaction record against data contained in another related transaction
is mismatched.
b. a manual report when one transaction record against data contained in another related transaction is
mismatched.
c. a computer report when one transaction record against data contained in another related transaction
is matched.
d. a manual report when one transaction record against data contained in another related transaction is
matched.

15. While checking the rejected input, the IT auditor should ensure
i. that all data rejected will be subsequently corrected, re-input to and accepted by the system.
ii. that whether individual transactions or complete batches should be rejected will be determined by IT
auditor during the course of the audit.
iii. that placing of rejected items in suspense is in existence as it overcomes the possibility of rejected
items being lost
iv. Where items are held in suspense the auditor should review the procedures for identifying, correcting
and clearing these transactions.

a. i, ii and iii b. i, iii and iv

c. i, ii and iv d. All of the above

16. Processing controls ensure complete and accurate processing of input and generated data. This objective
is achieved by providing controls for
i. adequately validating input and generated data,
ii. processing correct files
iii. detecting and rejecting errors during processing and thrashing them
iv. proper transfer of data from one processing stage to another

a. i, ii and iii b. i, iii and iv

23
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
 c. i, ii and iv d. All of the above

17. The objectives for processing controls are to ensure that

i. transaction’s processing is accurate ii. Transaction’s processing is complete
iii. transactions are unique (no duplicates)
iv. all transactions are valid and the computer processes are auditable.

a. i, ii and iii b. i, iii and iv

c. i, ii and iv d. All of the above

18. Pick the incorrect one

a. Output controls are incorporated to ensure that computer output is complete, accurate and correctly
distributed.
b. Weakness in processing may sometimes be compensated by strong controls over output. A well-
controlled system for input and processing is likely to be completely undermined if output is
uncontrolled.
c. Reconciliation carried out in the beginning of the output stage can provide very considerable assurance
over the completeness and accuracy of earlier stages in the complete cycle
d. None of the above

19. Objectives of Output controls are to ensure that

i. all output is produced and distributed on time
ii. fully reconciled with pre input control parameters
iii. physically controlled at all times, depending on the confidentiality of the document
iv errors and exceptions are properly investigated and acted upon

a. i, ii and iii b. i, iii and iv

c. i, ii and iv d. All of the above

20. If output controls prevailing in the application are weak or are not appropriately designed these may lead
to risks of
i. repeated errors in the output generated leading to loss of revenue, loss of creditability of the system as
well as that of the organisation.
ii. availability of the data at the time when it is desired.
iii. availability of the data to an authorised person/user.
iv. even sometimes, the information which may be of very confidential nature may go to the wrong
hands.

a. I and ii b. iii and iv

c. i and iv d. All of the above

21. Information stored in master and standing data files is usually critical to the processing and reporting of
financial and operational data. Information on master files can affect many related transactions and must
therefore be adequately protected. Weak Control in the system in maintenance of Master/Standing Data Files
may lead to except
a. unauthorised and uncontrolled amendments to the standing data as well as Master data files.
b. unrestricted and uncontrolled physical and logical access to the application data files.
c. poor documentation of the amendment procedures, etc.
d. none of the above
24
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
22. While checking the integrity and accuracy of Master Files and Standing Data, the IT auditor should ensure
that
i. amendments to standing data are properly authorised and controlled.
ii. integrity of Master and Standing Files is verified by checking, control totals and periodic reconciliation
with independently held records.
iii. amendment procedures are properly documented and controlled by management authorisation and
subsequent review
iv. physical and logical access to application data files are restricted and controlled.

a. i, ii and iii b. i, iii and iv

c. i, ii and iv d. All of the above

23. End User computing is

a. the ability of end users to design and implement their own information system, utilizing computer
hardware products.
b. the ability of end users to design and implement their own information system, utilizing computer
software products.
c. is the ability of end users to design and implement their own information system, utilizing computer
hardware and software products.
d. is the ability of service provider to design and implement their own information system for the users,
utilizing computer hardware and software products.

24. The use of networks is increasing and bringing organisations the following benefits
i. ability to create beneficiaries
ii. the ability to use and share data and other peripherals
ii. to leave system administration to a central team
iv. allow users to send almost instantaneous messages and allow users to access the systems from
remote locations

a. ii, iii and iv b. i, ii and iv

c. i, iii and iv d. All of the above

25. Networks open up an organisation’s computer systems to a wide, potentially anonymous user base.
Where the organisation’s systems are connected to networks, there is potentially a greater risk of unauthorised
access by outsiders i.e. hackers and non-authorised employees, leading to
i. loss and corruption of data whether intentionally or in transmission
ii. fraud from internal as well as external sources
iii. system unavailability due to damage of network links, servers and communication lines etc.
iv. accidental and deliberate disclosure of confidential information

a. i, ii and iii b. i, iii and iv

c. All of the above d. i, ii and iv

26. The links tend to have a higher capacity and they don’t require modems and do not suffer from digital to
analog conversion errors are
a. Analog links b. Digital link
c. Hybrid links d. None of the above
25
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
27. A modem that instead of answering an incoming call, requires the caller to enter a touch-tone code and
hang-up so that modem can return the call. When the modem receives the caller’s code against a stored set of
phone number. If the code matches an authorised number, the modem dials the number and then opens a
connection for the original caller is
a. Digital Modem b. Hybrid Modem
c. Call Back Modem d. Interactive Modem

28. Pick the correct one

i. The dedicated lines to network communications have a lower risk of data interception
ii. The dedicated lines are also normally able to carry more data
iii. The dedicated lines are less likely to result in data transmission errors
iv. The dedicated lines cost less as well.

a. i, ii and iii b. i, ii and iv

c. ii, iii and iv d. All of the above

29. The IT auditor should ensure that safety policy on network focuses on
i. physically isolate the machine from the main information system
ii. assign an experienced and trusted administrator to look after the Internet machine
iii. avoid anonymous access to the machine or, if it must be allowed, avoid setting up directories that can
be both read and written to
iv. close all necessary logical ports on the Internet server

a. i, ii and iii b. i, ii and iv

c. I, iii and iv d. All of the above

30. Pick the incorrect element of safety policy on network

a. monitor attempts to log in to the machine
b. transfer files between the main information system and the Internet machine only when they have
been carefully checked and remembering that programs can be transferred in the body of mail messages
c. have as few user accounts as possible on the Internet machine and change their passwords regularly.
d. None of the above

31. Firewalls consist of a

a. routers b. gateways
c. both routers and gateways d. none

32. i. firewall aims to help control traffic between the corporate network and the Internet
ii. A router can be set up to allow only specific Internet services between the gateway and other specified
Internet hosts.
iii. Software on the gateway host may provide additional services such as logging, authentication and
encryption, and packet filtering
iv. It is possible for an external computer on the Internet to pretend to be one of the computers on the
corporate network. One particular function of the firewall is to allow any external packets that claim to be
coming from the corporate network

a. i, ii and iii b. i, ii and iv

c. I, iii and iv d. All of the above
26
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
33. Pick the incorrect ones
a. Symmetric encryption uses the same key for encryption and decryption. It is fast and does not suffer
key distribution
b. Asymmetric encryption involves generating a pair of keys which are known as the public and private
keys. It is slow and also suffer key distribution
c. both a & b
d. None

34. Pick the incorrect one

a. IDEA-Interactive Data Extraction & Analysis b. ACL-Audit Control Language
c. SQL-Structured Query Language d. None of the given

Answers

Q. Ans. Remarks/Additional Information, if any

No.
1. D ICT is the core of e-Governance and clouding.
2. D
3. B
4. B Potential for material error has been increased and resulting in costing more.
5. C 5 goals and objectives are-1.Confidentiality 2. Integrity 3. Availability 4. Reliability and 5. Compliance
6. A Reliability refers to the degree of consistency of a system or the ability of a system (or
component) to perform its required function under stated conditions
Integrity refers to ‘the accuracy and completeness of information as well as to its validity in
accordance with business values and expectations
Availability relates to information being available when required by the business process now and in
the future
Compliance deals with complying with those laws, regulations and contractual obligations to
which the business process is subject, that is, externally imposed business criteria
7. A Integrity refers to ‘the accuracy and completeness of information as well as to its validity in
accordance with business values and expectations
8. D
9. C
10. A
11. C IT auditors need to be alert to other laws, regulations, or other authoritative sources that may
impact upon the conduct of an IT audit.
12. B
13. A Other components are-
iv. Identify and understand the controls that management uses to measure, manage and control the
information technology processes; and
v. Conclude on the effectiveness of controls over the information technology processes that have a
direct and important impact on the processing of financial information
14. A
15. C It does not include targeted beneficiaries.
16. C
17. B Assets five classes-other two are-Application system and Technology
27
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
18. D
19. B
20. D 1. Effectiveness 2. Efficiency 3. Confidentiality 4. Integrity 5. Availability 6. Compliance and 7.
Reliability
21. A
22. C
23. B 13, 14, 16, 17, 18, 19 and 20, as the case may be, read with Section 23 of this Act.
24. D IIA- Institute of Internal Auditors
25. C
26. B Compliance test determines if controls are being applied in a manner that “complies with”
management policies and procedures
Substantive audit “substantiates” the adequacy of existing controls in protecting the
organisation from fraudulent activity and encompasses substantiating the reported results of
processing transactions or activities
27. A
28. B
29. A There are only two types of access control-Physical and Logical Control.
30. C
31. D
32. A A series of records either in hard copy or in electronic format that provide a chronological record
of user activity and other events that show the details of user and system activity. Audit trails
can be used to document when users log in, how long they are engaged in various activities, what
they were doing and whether any actual or attempted security violations occurred
33. C Applications software developed in-house may have higher inherent risk than vendor-supplied
software that has been thoroughly tested and is in general commercial use
34. B The Computer Security Resource Center (CSRC) of the National Institute of Standards and
Technology (NIST), a department of the US Department of Commerce has published Generally
Accepted Principles and Practices for Securing Information Technology Systems, a collection of
principles and practices to establish and maintain system security.
35. A
36. D Self-training is inefficient from the standpoint that end users tend to ask their colleagues for help,
which results in the loss of more than one individual's time, and they may also be learning
inappropriate or inefficient techniques.
Studies also showed that an effective training program reduces support cost by a factor of three
to six, because end users who have been trained properly make fewer mistakes and have fewer
questions.
37. C These controls are broadly classified into 2 categories-General and Application Controls.
38. B
39. D Option D pertains to Application Control
40. D In addition to the given, parts of the General Control are
Acquisition and program change controls and Business continuity and disaster recovery controls
41. D

Answer
Audit of General Controls

Q. Ans. Remarks/Additional Information, if any

No.
1. A Option D i.e. Master/Standing Data File controls come under Application Control. Other control
under General Controls are (i) organisational and management controls (ii) IT operational controls
(iii) physical controls (access and environment) and (iv) logical access controls;
2. B Other areas of control under Organisational and Management Controls are
28
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
 (i) Documentation and document retention policies (ii) Legal and regulatory compliance and (iii)
Segregation of duties
3. D Other associated risks are
Inappropriate or no IT planning (ii) Disgruntled staff being able to sabotage the system (iii) Loss of
Audit trails and (iv) Security policies not in place or not enforced
4. A It leads to inadequate decision making. This may affect the organisation’s ability to deliver its
services and may affect its future
5. B
6. C Option D is the duty of IT auditor to assess.
7. D
8. D The document setting future plans and decisions is known as Strategic Plan. Tactical plan is flew
from strategic plan to cater current plans and decisions.
9. B Strategic plan affects current year’s plan minimally.
10. A In addition
(i) Justification of cost of implementation (ii) Periodical reassessment (iii) Wide publicity (iv)
Formulation of strategies (v) Explicit responsibility for implementation and (vi) Management
Commitments
11. D
12. A There is progressive buy-in to the new system as a result of user group involvement throughout
the acquisition process
13. D
14. C
15. C
16. A
17. B Controls reliant audit approach and Substantive testing
18. D Under controls reliant audit approach the auditor would require evidence of controls in operation
during the accounting period.
Substantive testing: assurance may require the auditor to examine evidence relating to individual
transactions.
19. A
20. B
21. D
22. B Hiring and firing policies is an area related to Personnel and Training Control
23. C internal audit staff can be used to provide direct audit assistance, if necessary under the
supervision of the external auditor
24. A The legal and regulatory requirements will vary from one country to another
Non-compliance may not always result into closure rather other legal and financial penalties may
be levies.
25. A
26. D
27. C Confidentiality agreements state that the employee will not reveal confidential information to
unauthorised third parties
Codes of conduct, including contractual relationships with relatives, the acceptance of gifts,
conflicts of interest etc.
28. A Consideration should be given to all relevant factors, which may include: the staff member’s
education, training, experience, level of responsibility, achievement, and conduct.
29. B
30. D Other items are (i) data input (ii) system administration (iii) system security (iv) database
administration.
31. A Statement II is just contradictory of Statement I. Segregation of duties reduces the risk of fraud
since collusion would be required to bypass the control.
32. C

29
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
33. B Two broad types of activity: programming (systems and applications) and computer operations
34. C
35. D Other areas (i) media management (ii) job scheduling (iii) back-ups and disaster recovery (iv)
maintenance (vi) network monitoring and administration:
36. D Poorly controlled IT operation may lead to frequent and maximum disruption in processing.
37. B
38. B
39. C Other provisions are-Service hours (ii) User support level (iii) Performance i.e. response times,
turnaround times (iv) Contingency (v) Security and (vi) Restriction.
40. A IT is not seen as being a core business activity that’s why being outsourced.
41. B
42. B Outsourcing involves the risk of allowing a third party to have access to the business secrets,
important data and other related facts
43. C
44. A
45. B Correct and not-incorrect handling of data
46. D
47. C
48. A Separation of duties and not integration be done.
49. C Fire/water damage or damage from other natural disasters are environmental issues
50. D
51. C
52. D One to many, where the biometric input is compared with the data available in the system to
recognize the person and to give access
Many to one, where the identity of the person is disclosed first and then the biometric input is
compared to the specific data relating to that identity
53. B It depends on the location of computer system and not the office.
54. B
55. D The importance of logical access controls is increased where physical access controls are less
effective.
56. C
57. D Super-users enhance the risk and so management needs to have proper control of them.
In second case, the IT auditor may need to obtain additional support and assistance from an IT
auditor with the relevant skills and experience instead of relying upon Internal mechanism and
super-users
58. B Use of latest version tested periodically is an area associated with change control.
59. A System Software and Utilities consist of software such as editors, compilers, program debuggers.
Access to these should be restricted as these tools could be used to make amendments to data files
and application software.
60. C
61. B A system log can record who logged onto the system and what applications, data files or utilities
they used whilst logged on
62. D
63. C Other requirements-(i) Problem rectification (ii) to improve security (iii) Routine updates (iv)
Changes in requirements
64. D
65. A All changes to systems configurations are authorised, tested, documented, controlled, the systems
operate as intended and that there is an adequate audit trail of changes
66. B It will lead to erroneous processing and not error-free processing. Other risk areas
(i) Maintenance difficulties (ii) Use of unauthorised hardware and software (iii) Problems with
emergency changes.
67. C
30
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
68. A Thorough testing before and not after amended software is used in the live environment. In
addition it should also be ensured (i) Management review of the effects of any changes (ii)
Maintenance of adequate records and (iii) The preparation of fall-back plans
69. C
70. B All the RFC should be given a unique chronological reference number and not on the based on
sensitivity.
71. B The change board and steering committee make their views known via an individual given the
role of the change manager and not via Management.
72. C
73. D
74. D

Answer
Audit of Application Controls

Q. Ans. Remarks/Additional Information, if any

No.
1. B
2. D
3. A In addition it should provide approximate figures for transaction volumes
4. C Application controls are categorised into (i) Input controls (ii) Processing controls (iii) Output
controls (iv) Master/Standing Data File controls
5. A
6. C It will be incomplete and not complete data entry.
7. D
8. D
9. B establishing a routine or expectation of data input e.g. if data entry staff expect to receive input
documents from all 10 departments on a particular day and they only receive 9 sets, they would
chase up the missing set of input documents.
10. B
11. C
12. A The accuracy of data input to a system can be controlled by imposing a number of computerised
validity checks on the data presented to the system.
13. C
14. A
15. B It is system rules and not the auditor will determine whether individual transactions or complete
batches should be rejected
16. C detecting and rejecting errors during processing and referring them back to the originators for re-
processing and not thrashing them.
There should checking control totals (established prior to processing) during or after processing
17. D
18. C Reconciliation at the end and not in the beginning.
19. D
20. C availability of the data at the time when it is desired and availability of the data to an authorised
person/use are positive aspects. Non-availability of the data at the time when it is desired and

31
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)
 availability of the data to an unauthorised person/use are the risks.
21. D
22. D
23. B
24. A
25. C Other risk areas are virus and worm infections and contravention of copyright, data protection
(privacy) legislation,
26. B
27. C
28. A
29. A Close all unnecessary logical ports and not necessary ones.
30. D
31. C Firewalls consist of a combination of intelligent routers and gateway hosts. A router can be set
up to allow only specific Internet services between the gateway and other specified Internet
hosts. Software on the gateway host may provide additional services such as logging,
authentication and encryption, and packet filtering
32. D
33. C Symmetric encryption uses the same key for encryption and decryption. It is fast but makes key
distribution hard
Asymmetric encryption involves generating a pair of keys which are known as the public and
private keys. It is slow but does not suffer from the key distribution problems
34. B Audit Command Language. Notable audit software are-Applaud, Prospector, Sage Sterling and
CA Panaudit Plus.

32
Prepared by Deepak Kumar Rahi, AAO (LAD/Patna)