IS Audit Flashcards

(173 cards)

1
Q
  1. What is the primary objective of Information Systems (IS) Audit?
    A. To ensure software development
    B. To examine the adequacy of controls in IS
    C. To monitor internet speed
    D. To develop new IS policies
A
B
2
Q
  2. Which phase involves understanding auditee systems and controls?
    A. Reporting
    B. Follow-up
    C. Audit Planning
    D. Execution
A
C
3
Q
  3. What does risk assessment in IS audit help in?
    A. Avoiding audits altogether
    B. Reducing audit cost
    C. Identifying high-priority audit areas
    D. Training staff in programming
A
C
4
Q
  4. Which of the following is not a typical stage of IS audit?
    A. Planning
    B. Coding
    C. Execution
    D. Reporting
A
B
5
Q
  5. The final stage of an IS audit is:
    A. Risk assessment
    B. Execution
    C. Reporting
    D. Follow-up
A
D
6
Q
  6. Which of the following best describes an IS control?
    A. Tool for internet usage
    B. Safeguard to ensure data integrity and security
    C. A type of programming logic
    D. A method of budget allocation
A
B
7
Q
  7. What is the primary output of the planning phase in IS audit?
    A. Test scripts
    B. Audit Plan
    C. Audit Opinion
    D. Control Matrix
A
B
8
Q
  8. The term ‘General Controls’ in IS audit refers to:
    A. Hardware performance
    B. Controls over data inputs
    C. Controls over software development and maintenance
    D. Virus detection tools
A
C
9
Q
  9. Application controls focus on:
    A. Physical security
    B. Data accuracy and integrity in applications
    C. Firewall configuration
    D. HR policies
A
B
10
Q
  10. Which tool is commonly used for data extraction in IS Audit?
    A. Photoshop
    B. ACL (Audit Command Language)
    C. Excel Charts
    D. Word Processor
A
B
11
Q
  11. Which of these is NOT a type of audit evidence?
    A. Observations
    B. Interviews
    C. Audit Planning
    D. System logs
A
C
12
Q
  12. Logical access controls primarily safeguard:
    A. Furniture
    B. Internet bandwidth
    C. Unauthorized access to systems
    D. Audit team travel
A
C
13
Q
  13. Which type of control ensures that transactions are properly authorized?
    A. Preventive
    B. Detective
    C. Corrective
    D. Compensating
A
A
14
Q
  14. A post-audit review is primarily aimed at:
    A. Punishing staff
    B. Promoting software vendors
    C. Enhancing future audits
    D. Modifying IT budgets
A
C
15
Q
  15. Firewalls are a part of:
    A. Physical controls
    B. Environmental controls
    C. Network security controls
    D. Human resource controls
A
C
16
Q
  16. What does a vulnerability assessment help identify?
    A. Staff morale
    B. Programming languages
    C. System weaknesses
    D. Budget shortfall
A
C
17
Q
  17. One of the key benefits of IS audit is:
    A. Software promotion
    B. Eliminating all risks
    C. Improving governance and accountability
    D. Increasing hardware cost
A
C
18
Q
  18. IS audit trail refers to:
    A. Roadmap for data transfer
    B. Historical logs of user/system activities
    C. Backup file
    D. Travel plan of auditors
A
B
19
Q
  19. Segregation of duties helps prevent:
    A. Software installation
    B. Errors and fraud
    C. Audit planning
    D. Training delays
A
B
20
Q
  20. Which of the following is NOT a preventive control?
    A. Password policy
    B. Encryption
    C. Antivirus software
    D. Audit report
A
D
21
Q
  21. The purpose of system development audit is to:
    A. Monitor sales
    B. Evaluate controls in SDLC
    C. Recruit developers
    D. Review UI designs only
A
B
22
Q
  22. An example of a detective control is:
    A. Access restriction
    B. Password encryption
    C. Log review
    D. Biometric authentication
A
C
23
Q
  23. What does COBIT stand for?
    A. Control Objectives for Information and Related Technology
    B. Computer Based IT
    C. Central Organization of Bureau for IT
    D. Control and Operations for Big IT
A
A
24
Q
  24. In IS auditing, walkthroughs are used to:
    A. Train staff physically
    B. Understand processes and controls
    C. Evaluate network speed
    D. Promote IT vendors
A
B
25
25. The purpose of audit documentation is to: A. Show appreciation to staff B. Promote audit firm C. Provide evidence and support conclusions D. Replace reports
C
26
26. Which of the following is a key feature of an effective IS control environment? A. High hardware costs B. Management’s commitment to control C. Employee travel frequency D. Use of open-source software
B
27
27. What is the primary purpose of audit sampling? A. To review every transaction B. To select representative transactions C. To avoid documentation D. To simplify software development
B
28
28. IS audit checklist is primarily used for: A. Employee evaluation B. Ensuring completeness of audit procedures C. Marketing IT tools D. Preparing financial statements
B
29
29. Which of the following best defines a control weakness? A. Use of licensed software B. Lack of adequate controls to mitigate risk C. System upgrades D. Open internet access
B
30
30. Data integrity in IS refers to: A. Amount of data stored B. Accuracy and reliability of data C. Software version control D. Use of cloud backups
B
31
31. Which audit technique is used to test the logic of an application program? A. System review B. Test data method C. Control charting D. Flowcharting
B
32
32. In IS audit, an ‘incident response plan’ relates to: A. Hardware failure B. Budget estimates C. Procedures to respond to security breaches D. Audit closure
C
33
33. Which type of audit is performed without prior notice? A. Internal audit B. Surprise audit C. Statutory audit D. Concurrent audit
B
34
34. Access controls can be categorized into: A. Legal and procedural B. Logical and physical C. Visual and auditory D. Online and offline
B
35
35. Control self-assessment (CSA) is primarily conducted by: A. External auditors B. Government departments C. Organizational staff D. Software vendors
C
36
36. Encryption is an example of a: A. Logical control B. Physical control C. Managerial control D. Environmental control
A
37
37. In audit terminology, a 'finding' is: A. A note of appreciation B. A conclusion based on evidence C. A suggestion from vendors D. A procurement issue
B
38
38. The IS control that checks input data before processing is called: A. Output control B. Processing control C. Input control D. Backup control
C
39
39. Audit evidence should be: A. Minimal and verbal B. Sufficient and appropriate C. Confidential and withheld D. Expensive to collect
B
40
40. A major challenge in IS audit is: A. High internet speed B. Rapid technological changes C. Manual data entry D. Software design
B
41
41. IS audit is applicable to: A. Only IT firms B. All organizations using information systems C. Government only D. Public companies
B
42
42. Backup policies are considered part of: A. Financial controls B. Environmental controls C. Business continuity planning D. Marketing strategy
C
43
43. What does 'segregation of duties' aim to prevent? A. Teamwork B. Project overlap C. Fraud and error D. System upgrades
C
44
44. Configuration management in IS ensures: A. Aesthetic user interface B. Proper control of system changes C. Outsourced IT functions D. Use of free tools
B
45
45. Time-stamped logs in IS help in: A. Data backup B. Tracking user activity C. Auditing HR policies D. Preventing power outages
B
46
46. An audit trail helps ensure: A. System redundancy B. Traceability of transactions C. Enhanced system speed D. IT staffing
B
47
47. What is phishing? A. Virus protection tool B. Attempt to acquire sensitive information fraudulently C. Software upgrade method D. Data warehousing
B
48
48. Which of these is a physical security control? A. Passwords B. CCTV surveillance C. Firewalls D. Access logs
B
49
49. The term 'patch management' refers to: A. Hardware repairs B. Timely updates to fix software vulnerabilities C. Database backups D. Power supply maintenance
B
50
50. Which of the following helps in real-time detection of threats? A. Encryption B. Intrusion Detection Systems (IDS) C. Audit plan D. Policy documents
B
51
51. IS audit can assess: A. IT staff salaries B. Integrity of information C. Marketing performance D. Capital budgeting
B
52
52. The risk of a system being accessed by unauthorized users is called: A. Availability risk B. Confidentiality risk C. Access risk D. Integrity risk
C
53
53. A business continuity plan is tested using: A. Real-time failures B. Simulation and drills C. Data deletion D. Annual audits
B
54
54. Which of the following is not a part of general controls? A. Backup procedures B. User training C. Logical access control D. Transaction edit checks
D
55
55. What is the role of an IS auditor in SDLC? A. Project execution B. Code optimization C. Control evaluation and assurance D. System deployment
C
56
56. A data warehouse is used for: A. Transaction processing B. Data storage for analysis and reporting C. Programming only D. Email services
B
57
57. What is a major risk with BYOD (Bring Your Own Device)? A. Low hardware cost B. Security and control issues C. Improved speed D. Centralized data
B
58
58. Authentication is: A. Proof of employment B. Verifying the identity of a user or system C. Password resetting D. File transfer method
B
59
59. What does ISO 27001 focus on? A. Programming languages B. Information security management systems C. Database designs D. Cloud hosting
B
60
60. A key element of audit planning is: A. Network testing B. Understanding auditee environment C. Code documentation D. Backup design
B
61
61. What does GIGO stand for in computing? A. Great Input Great Output B. Garbage In Garbage Out C. General Input General Output D. Grouped Internet Gateway Options
B
62
62. Which system is used for monitoring and managing network devices? A. HRMS B. ERP C. NMS (Network Management System) D. CRM
C
63
63. What is the most common attack on passwords? A. SQL injection B. Brute-force attack C. DDoS D. Spoofing
B
64
64. Redundancy in IT systems ensures: A. Job rotation B. System availability during failures C. Training repetition D. Data duplication
B
65
65. Cloud computing introduces risks related to: A. Transparency and control B. Physical damage C. USB devices D. Manual logs
A
66
66. Data classification helps in: A. Labeling backups B. Determining appropriate security levels C. Grouping network cables D. Sorting emails
B
67
67. Change management ensures: A. Permanent system settings B. Controlled IT environment C. Frequent staff transfers D. Default passwords
B
68
68. Which of the following is NOT an IS audit objective? A. Confidentiality of information B. Availability of systems C. Promotion of IT vendors D. Integrity of data
C
69
69. Who is responsible for data accuracy in an organization? A. IT vendor B. Internal auditor C. Data owner D. Programmer
C
70
70. IS audit recommendations should be: A. Generic and lengthy B. Specific and actionable C. Verbal and informal D. Avoided
B
71
71. The first step in performing an IS audit is: A. Collecting evidence B. Audit planning C. Writing a report D. Risk analysis
B
72
72. Spoofing is an attack in which: A. Hardware is damaged B. A person or program pretends to be another C. Files are deleted randomly D. Emails are blocked
B
73
73. A hashed password is: A. Reversible B. Encrypted with symmetric key C. Stored as a one-way transformation D. Saved in plain text
C
74
74. IS auditors must be independent to: A. Save cost B. Ensure objectivity and impartiality C. Help IT department D. Avoid HR conflict
B
75
75. Physical access to servers should be: A. Open to all staff B. Controlled and restricted C. Time-based only D. Documented yearly
B
76
76. What is a key purpose of IT Governance? A. Minimizing staff B. Aligning IT with business goals C. Upgrading hardware D. Enhancing software aesthetics
B
77
77. The term 'Denial of Service' (DoS) refers to: A. Granting access rights B. Network speed improvement C. Making a system unavailable D. Antivirus deployment
C
78
78. Risk assessment in IS audit involves: A. Counting users B. Evaluating potential threats and impacts C. Hiring new staff D. Reviewing architecture only
B
79
79. What is the full form of ITIL? A. Information Technology Infrastructure Library B. International Tech Integration Lab C. IT Internal Learning D. Integrated Technology Info Line
A
80
80. Which of these is a preventive control? A. System log analysis B. Password enforcement policy C. Audit report D. Physical inventory check
B
81
81. A vulnerability in IS refers to: A. Security patch B. Weakness exploitable by threats C. Employee vacation D. Software license
B
82
82. Which is NOT a feature of a strong password? A. Long length B. Personal names C. Use of symbols D. Upper and lower case mix
B
83
83. What does the term 'zero-day' refer to in cybersecurity? A. Day of attack B. Software release C. Previously unknown vulnerability D. Patch installation
C
84
84. What is two-factor authentication? A. Using two computers B. Use of password and biometric/OTP C. Sharing credentials D. Encrypting passwords twice
B
85
85. A firewall operates at which level? A. Physical B. Application and network layers C. Hardware D. HR policies
B
86
86. What is social engineering in cybersecurity? A. Engineering staff for social events B. Manipulating people to gain access C. System architecture redesign D. Data compression method
B
87
87. A data dictionary helps in: A. Translation B. Defining metadata about data elements C. Code debugging D. Document writing
B
88
88. The integrity of a database ensures: A. High cost B. Accurate and consistent data C. Frequent updates D. Limited access
B
89
89. A hot site is: A. Unused data center B. A backup facility with live systems ready C. Software plugin D. Vendor storage
B
90
90. A cold site provides: A. Instant backup B. Physical space without hardware C. Network design D. Auto patching
B
91
91. IT asset management includes: A. Hiring employees B. Tracking hardware/software lifecycle C. Training modules D. External audit
B
92
92. What is hashing used for? A. Data compression B. Data integrity verification C. System updates D. File organization
B
93
93. What is the function of an audit trail? A. Error rectification B. Tracking transaction history C. Employee behavior D. HR evaluation
B
94
94. System downtime primarily affects: A. Employee morale B. Business continuity C. Budget planning D. Travel policies
B
95
95. What is malware? A. A secure program B. Malicious software C. Encryption tool D. Firewall upgrade
B
96
96. Antivirus software is an example of: A. Managerial control B. Technical control C. Procedural control D. Visual control
B
97
97. Spoofing typically affects: A. Authentication processes B. Physical assets C. Budget calculations D. UI design
A
98
98. Remote desktop protocols can introduce: A. Training benefit B. Performance boost C. Security risks D. Encryption improvement
C
99
99. Which of the following is a real-time monitoring tool? A. IDS B. Audit log C. Email D. CMS
A
100
100. System logs provide: A. Backup files B. Records of events and activities C. Payroll data D. Antivirus
B
101
101. What is penetration testing? A. Data backup B. Simulated attack to find vulnerabilities C. Network optimization D. Software installation
B
102
102. What does 'phishing' refer to? A. Encrypting data B. Sending fraudulent emails to steal data C. Cleaning virus D. Network blocking
B
103
103. In IS Audit, the term 'scope' defines: A. Project cost B. Audit boundaries and areas covered C. Staff roles D. None of these
B
104
104. Backup frequency is determined based on: A. Software type B. Data criticality and RPO C. Number of users D. HR advice
B
105
105. What is the purpose of change management? A. Blocking access B. Control and track system changes C. Create passwords D. Format hard drives
B
106
106. Which type of audit checks system configuration? A. Financial B. Operational C. Technical IS Audit D. HR Audit
C
107
107. Role-based access control is based on: A. Department B. Designation and responsibilities C. Tenure D. Device used
B
108
108. Encryption helps in: A. Speeding processing B. Securing data confidentiality C. Generating reports D. Auditing
B
109
109. What is data mining used for? A. Destroying old files B. Discovering patterns in data C. Compressing data D. Encrypting tables
B
110
110. Segregation of duties helps to: A. Improve speed B. Reduce errors and fraud C. Reduce staff D. Increase licenses
B
111
111. Which of these is a post-implementation review activity? A. System design B. Assessing whether objectives were met C. Coding D. Procurement
B
112
112. Which is not a type of control in IS Audit? A. Preventive B. Detective C. Corrective D. Subjective
D
113
113. Which tool helps in analyzing system vulnerabilities? A. Paint B. Wireshark C. Excel D. WordPad
B
114
114. What is meant by RTO in disaster recovery? A. Real-Time Object B. Recovery Time Objective C. Remote Terminal Operation D. Restart Tool Option
B
115
115. The most secure form of authentication is: A. Password only B. Two-factor C. User ID D. Date of birth
B
116
116. A botnet is a: A. Network of infected computers B. Security device C. ISP tool D. Firewall command
A
117
117. What is SQL injection? A. Data entry tool B. Cyberattack using malicious queries C. Database format D. Audit tool
B
118
118. A digital signature is used for: A. Password reset B. Authenticating the source of data C. UI design D. Cookie tracking
B
119
119. The key objective of a firewall is to: A. Store logs B. Filter unauthorized traffic C. Encrypt data D. Log passwords
B
120
120. What is a honeypot in cybersecurity? A. Backup server B. Decoy system to detect attacks C. Encryption program D. Data cleaner
B
121
121. IT General Controls include: A. Payroll validation B. Change management, backup, access controls C. Hardware only D. Cleaning utilities
B
122
122. What is the first step in an IS Audit? A. Submit report B. Planning and risk assessment C. Approve budget D. Add users
B
123
123. Configuration management ensures: A. No version tracking B. Consistency of system settings and software versions C. High energy usage D. Employee exit tracking
B
124
101. What is the primary objective of IS audit? A. Promote sales B. Assess system integrity and controls C. Develop software D. Conduct HR reviews
B
125
102. Who is responsible for data confidentiality? A. System vendor B. Data owner C. Intern D. Government
B
126
103. What does “least privilege” mean? A. Full access to all users B. Restricting access to minimum required C. Outsourcing access D. Open network
B
127
104. What is penetration testing? A. User login testing B. Simulated cyber attack to test security C. Server update D. Software demo
B
128
105. What is an example of logical access control? A. Security guards B. Biometric login C. Desk locks D. Fire extinguisher
B
129
106. Which tool is used to scan network vulnerabilities? A. MS Word B. Nessus C. Excel D. Paint
B
130
107. What is backup rotation? A. Rotating system fans B. Scheduling backups to avoid data loss C. Changing office seats D. Restarting daily
B
131
108. Which law governs electronic records in India? A. RTI Act B. IT Act 2000 C. IPC D. Companies Act
B
132
109. What is phishing? A. Legal notice B. Fraudulent attempt to obtain data C. Data encryption D. System upgrade
B
133
110. What is a key element in disaster recovery planning? A. Marketing goals B. Risk identification C. Hiring engineers D. Installing games
B
134
111. Data integrity ensures: A. Format change B. Accuracy and trustworthiness C. Access control D. Color settings
B
135
112. In IS audit, sampling is used to: A. Train auditors B. Evaluate a subset of data C. Encrypt reports D. Prepare software
B
136
113. What is audit evidence? A. Guess B. Observation, document or record C. Prediction D. Advertisement
B
137
114. Separation of duties is implemented to: A. Save cost B. Reduce conflict of interest and fraud C. Increase redundancy D. Reduce staff
B
138
115. What does an incident response plan address? A. System updates B. Responding to security breaches C. Hiring process D. User guides
B
139
116. Encryption ensures: A. Faster processing B. Confidentiality of data C. UI consistency D. Marketing
B
140
117. What is business continuity planning? A. Office party B. Ensuring critical operations continue during disruption C. Designing banners D. Server formatting
B
141
118. Who should approve access rights? A. Peers B. Data owner or manager C. Admin alone D. New employee
B
142
119. An IS auditor should maintain: A. Bias B. Independence and objectivity C. Marketing skills D. Coding knowledge only
B
143
120. What is a Trojan Horse in IT? A. Antivirus B. Malware disguised as legitimate software C. Encryption tool D. Server cooling system
B
144
121. What does vulnerability management involve? A. Ignoring threats B. Identifying and fixing weaknesses C. Buying new PCs D. Data entry
B
145
122. What is a checksum used for? A. Pricing B. Verifying data integrity C. Network speed D. Password storage
B
146
123. Access control matrices are used to: A. Track time B. Define user permissions C. Create reports D. Update OS
B
147
124. Why are logs archived? A. Save photos B. Legal and forensic purposes C. Reduce costs D. Staff reference
B
148
125. Rootkits are used by attackers to: A. Cook data B. Gain stealthy admin access C. Format drives D. Backup files
B
149
126. The goal of patch management is: A. Add features B. Fix vulnerabilities C. Improve UI D. Increase costs
B
150
127. An IS auditor’s final report should be: A. Casual B. Objective and fact-based C. Only technical D. One-liner
B
151
128. COBIT is a: A. Web browser B. Framework for IT governance C. Virus scanner D. ISP
B
152
129. What is the principle of “accountability” in IS? A. Blaming others B. Responsibility for actions C. Avoiding audits D. Ignoring logs
B
153
130. What is biometric authentication? A. OTP B. Using unique physical traits C. Password D. Token sharing
B
154
131. Why are default passwords risky? A. Easy to remember B. Widely known and easily guessed C. Costly D. Secure
B
155
132. The principle of “auditability” ensures: A. Complex code B. Activities are traceable C. Data deletion D. Process blocking
B
156
133. Why is role-based access control used? A. Easy layout B. Assign permissions based on job role C. UI testing D. Max access to all
B
157
134. What is a sandbox environment? A. Playground B. Isolated testing area C. Audit report D. Server room
B
158
135. In IS auditing, evidence must be: A. Available on request B. Relevant and reliable C. Imaginary D. Pre-planned
B
159
136. What is a digital signature used for? A. Aesthetic purpose B. Authenticate identity and integrity of message C. Design D. Hardware access
B
160
137. Why are audit trails important? A. Party records B. Evidence of activity for accountability C. Backup music D. Training
B
161
138. What is phishing aimed at? A. UI testing B. Stealing sensitive user data C. Software update D. Data formatting
B
162
139. What does IDS stand for? A. Internet Drive Storage B. Intrusion Detection System C. Internal Design System D. Input Debug System
B
163
140. What is change management? A. Currency exchange B. Control over modifications in systems C. Staff hiring D. Expense tracking
B
164
141. The goal of IS audit planning is: A. Write code B. Define scope, risks, and objectives C. Recruit testers D. Encrypt logs
B
165
142. What is uptime? A. Error count B. Time a system is operational C. Report date D. Audit gap
B
166
143. Data classification helps in: A. Cleaning B. Determining protection level required C. Staff scheduling D. Costing
B
167
144. Cybersecurity primarily focuses on: A. Staff training B. Protecting systems from digital threats C. Marketing D. HR
B
168
145. Which one is a detective control? A. Firewall B. IDS C. Password policy D. Training
B
169
146. IT asset disposal policy helps in: A. Asset buying B. Secure and compliant retirement of assets C. Printing D. Asset increase
B
170
147. What is authentication? A. Guessing identity B. Verifying user identity C. Encrypting passwords D. Backup files
B
171
148. Audit documentation should be: A. Destroyed post audit B. Clear and complete C. Rough notes D. Not recorded
B
172
149. IS audit universe refers to: A. Space research B. All auditable units C. Employee database D. HR unit
B
173
150. Business impact analysis helps in: A. Marketing B. Identifying critical functions and impacts of disruption C. HR planning D. Layout design
B