Standing Orders CAG Flashcards
(75 cards)
1
Q
- What does the Standing Order replace? A. Companies Act B. Chapter 22 of MSO (Audit) 2002 and 2006 IT Audit Manual C. Income Tax Rules D. GFR Guidelines
A
B. Chapter 22 of MSO (Audit) 2002 and 2006 IT Audit Manual
2
Q
- IT audit is required because even minor system errors can: A. Be ignored B. Self-correct C. Multiply quickly D. Require no documentation
A
C. Multiply quickly
3
Q
- Which is an example of an IT-assisted audit? A. Manual ledger checking B. Financial audit using SQL queries C. HR interview D. Internal control review
A
B. Financial audit using SQL queries
4
Q
- What is the purpose of IT Governance? A. Increase employee salaries B. Drive marketing goals C. Align IT with organizational goals D. Reduce tax
A
C. Align IT with organizational goals
5
Q
- The COBIT framework was developed by: A. ISO B. NASSCOM C. ISACA D. UNDP
A
C. ISACA
6
Q
- What does ISO/IEC 38500:2013 emphasize in IT Governance? A. HR policy B. Security only C. Six governance principles D. Environmental checks
A
C. Six governance principles
7
Q
- Which is NOT a principle in ISO/IEC 38500? A. Strategy B. Acquisition C. Hiring D. Human behavior
A
C. Hiring
8
Q
- Efficiency in information means: A. Long reports B. Manual handling C. Optimal use of resources D. Heavy IT investment
A
C. Optimal use of resources
9
Q
- Which criterion ensures information is only accessed by authorized persons? A. Availability B. Confidentiality C. Integrity D. Compliance
A
B. Confidentiality
10
Q
- General controls typically do NOT include: A. IT Strategy B. Application testing C. Access control D. Change management
A
B. Application testing
11
Q
- Application controls are specific to: A. All systems B. Server rooms C. Each software application D. Vendor management
A
C. Each software application
12
Q
- Business Process Reengineering (BPR) ensures: A. Manual processes stay intact B. Inefficient processes are retained C. Review before automation D. HR efficiency
A
C. Review before automation
13
Q
- The ISMS framework is based on: A. COBIT 3 B. ISO/IEC 27000 series C. GFR D. CVC Manual
A
B. ISO/IEC 27000 series
14
Q
- Which is an example of a physical security control? A. Firewall B. Password C. Biometric entry D. Encryption
A
C. Biometric entry
15
Q
- What does the ‘Deliver and Support’ domain cover? A. Audit planning B. Service operations C. Hiring D. Feasibility studies
A
B. Service operations
16
Q
- IT continuity plans should be based on: A. Risk-free assumptions B. Risk assessment and BIA C. Software updates D. Staff turnover
A
B. Risk assessment and BIA
17
Q
- Application security controls ensure: A. Easy access to all B. Proper segregation of duties C. Open passwords D. No documentation
A
B. Proper segregation of duties
18
Q
- Input controls prevent: A. Reporting B. Duplication and unauthorized data C. Output delay D. None of the above
A
B. Duplication and unauthorized data
19
Q
- Referential integrity checks are part of: A. Input controls B. Output controls C. Processing controls D. Physical controls
A
C. Processing controls
20
Q
- Which is a key element of output control? A. Data labeling B. Source verification C. Budgeting D. Annual reporting
A
A. Data labeling
21
Q
- Traceability in applications is achieved through: A. Test accounts B. Access logs and unique user IDs C. External audits D. Antivirus
A
B. Access logs and unique user IDs
22
Q
- Which technique is used in substantive testing to analyze data comprehensively? A. Manual logs B. CAATs C. Office memos D. Excel graphs
A
B. CAATs
23
Q
- CAATs can be used for: A. Holiday management B. Marketing automation C. Duplicate checks and validations D. Pay slips
A
C. Duplicate checks and validations
24
Q
- Who is responsible for IT risk management framework implementation? A. Internal auditors B. Board only C. Organisation as per policy D. Vendors
A
C. Organisation as per policy
25
Q
- IT security audit includes review of: A. Annual audit plan B. Legal contracts C. Compliance with security policies D. Only financial records
A
C. Compliance with security policies
26
Q
- Which of the following is an example of a general control? A. Data field length check B. System edit checks C. IT Security Policy D. Range checks
A
C. IT Security Policy
27
Q
- Application controls include controls over: A. IT budgets B. Hardware installation C. Data input, processing, and output D. Server rooms
A
C. Data input, processing, and output
28
Q
- What does BCP stand for in IT auditing? A. Business Code Protection B. Business Continuity Planning C. Backup Control Program D. Budget Cost Plan
A
B. Business Continuity Planning
29
Q
- A service desk function in IT audit is part of which domain? A. Plan & Organize B. Acquire & Implement C. Deliver & Support D. Monitor & Evaluate
A
C. Deliver & Support
30
Q
- An IT system without proper audit trails may: A. Reduce costs B. Improve reporting C. Hinder auditing D. Enhance control
A
C. Hinder auditing
31
Q
- Which of the following is NOT a valid risk response? A. Avoidance B. Enhancement C. Reduction D. Sharing
A
B. Enhancement
32
Q
- Configuration management involves: A. Risk assessments B. Software upgrades only C. Managing all changes to system elements D. Backup scheduling
A
C. Managing all changes to system elements
33
Q
- Who typically manages configuration data integrity in an IT system? A. External vendor B. Risk Officer C. Configuration Manager D. Procurement Head
A
C. Configuration Manager
34
Q
- A repository of configuration items is used to: A. Store audit reports B. Monitor power usage C. Maintain system documentation D. Manage HR
A
C. Maintain system documentation
35
Q
- Proper segregation of duties helps prevent: A. Timely reporting B. Unauthorized activities C. Policy duplication D. Budget misalignment
A
B. Unauthorized activities
36
Q
- A key audit risk during IT system implementation is: A. User promotions B. Manual checks C. Inadequate vendor management D. Overtrained staff
A
C. Inadequate vendor management
37
Q
- What is the first step in auditing an application control? A. Check output reports B. Review budget C. Understand business process D. Examine HR files
A
C. Understand business process
38
Q
- Which of the following is an input control technique? A. Record archiving B. Range checks C. Vendor assessment D. Software licensing
A
B. Range checks
39
Q
- Output reconciliation ensures: A. Report duplication B. Data integrity C. Application speed D. Network coverage
A
B. Data integrity
40
Q
- Identity and access management is a part of: A. Output design B. Access control C. Software testing D. Procurement
A
B. Access control
41
Q
- What does CAAT stand for? A. Computer Access Audit Tool B. Computer Assisted Audit Techniques C. Code Assurance Analysis Tool D. Client Audit Access Terminal
A
B. Computer Assisted Audit Techniques
42
Q
- What is typically analyzed in a Business Impact Assessment? A. User complaints B. Financial data C. System failure impact D. IT budget allocation
A
C. System failure impact
43
Q
- Which software is commonly used in IA&AD for audit analytics? A. Canva B. SAP C. IDEA D. Tally
A
C. IDEA
44
Q
- Which technique ensures IT projects are aligned with strategic goals? A. Monitoring B. Cost control C. IT governance D. Training audits
A
C. IT governance
45
Q
- Proper IT documentation during acquisition helps: A. Shorten audit B. Ensure traceability and system maintenance C. Replace HR D. Lower passwords
A
B. Ensure traceability and system maintenance
46
Q
- Access control policies should ideally prevent: A. File storage B. Guest access to sensitive data C. Training delays D. Report generation
A
B. Guest access to sensitive data
47
Q
- During implementation audit, an important focus is: A. Server cooling B. Paper forms C. User training materials D. HR feedback
A
C. User training materials
48
Q
- Output review includes checking for: A. Payroll errors B. Correct extraction logic C. Job promotions D. None of the above
A
B. Correct extraction logic
49
Q
- Business rules are mapped in which control type? A. Output control B. Input control C. Processing control D. User access control
A
C. Processing control
50
Q
- Why is audit of IT security crucial? A. Reduces HR load B. Increases audit time C. Prevents legal, financial, reputational damage D. Automates pay slips
A
C. Prevents legal, financial, reputational damage
51
Q
- Which standard is referenced for Information Security Management Systems in this Standing Order? A. ISO 9001 B. ISO/IEC 27000 C. COBIT 5 D. ITIL
A
B. ISO/IEC 27000
52
Q
- What is a key objective of processing controls? A. Prevent data entry B. Maintain logs only C. Ensure accuracy and completeness D. Disable automation
A
C. Ensure accuracy and completeness
53
Q
- Cryptographic controls help in: A. Speeding up processes B. Reducing audit effort C. Securing information during transmission D. Running macros
A
C. Securing information during transmission
54
Q
- What is a risk if manual processes are directly replicated into IT systems? A. Increased security B. Inefficiency is automated C. User access improves D. No risk
A
B. Inefficiency is automated
55
Q
- Application controls are tested using: A. Meeting notes B. CAATs C. Email confirmations D. Performance reviews
A
B. CAATs
56
Q
- Input controls aim to ensure: A. Visual design quality B. Incomplete data entry C. Data is authorized, accurate, and complete D. Staff attendance
A
C. Data is authorized, accurate, and complete
57
Q
- Which of the following is an example of an application-level security control? A. Firewall B. Role-based access in software C. Physical locks D. CCTV
A
B. Role-based access in software
58
Q
- Which of the following best describes “non-repudiability”? A. Ability to reset passwords B. Denial of access C. Proof that data origin can't be denied D. Stopping edits
A
C. Proof that data origin can't be denied
59
Q
- Who should be involved in IT risk assessment processes? A. Only HR B. Only Finance C. Cross-functional teams D. Only legal experts
A
C. Cross-functional teams
60
Q
- The absence of proper access controls can lead to: A. Lower training cost B. Increased salaries C. Unauthorized system access D. Simplified audits
A
C. Unauthorized system access
61
Q
- What kind of risk response involves accepting the impact of a threat? A. Avoidance B. Transfer C. Mitigation D. Acceptance
A
D. Acceptance
62
Q
- What is one of the key purposes of output controls? A. Block data B. Print only confidential files C. Ensure data is complete and accurate D. Reduce costs
A
C. Ensure data is complete and accurate
63
Q
- What is the significance of a test environment in system development? A. Helps employees relax B. Ensures faster network C. Allows safe testing without affecting production D. Stores emails
A
C. Allows safe testing without affecting production
64
Q
- What does “traceability of transactions” require? A. Emailed memos B. Unique user IDs and logging C. HR confirmation D. Printed reports
A
B. Unique user IDs and logging
65
Q
- Audit of "Monitoring and Evaluation" of IT covers: A. Purchase decisions B. Logging hours C. IT performance and internal control compliance D. Holidays
A
C. IT performance and internal control compliance
66
Q
- Data backup and recovery fall under which domain? A. Acquire & Implement B. Deliver & Support C. Monitor & Evaluate D. Plan & Organize
A
B. Deliver & Support
67
Q
- Who is responsible for ensuring security of outsourced services? A. Vendor only B. Government C. Audited entity D. None
A
C. Audited entity
68
Q
- What is “configuration management” primarily concerned with? A. Password changes B. Physical layout C. Control of system documentation and changes D. Data inputs
A
C. Control of system documentation and changes
69
Q
- What is a risk of failing to define application output requirements? A. Better audit logs B. High-quality documentation C. Incomplete or unusable reports D. Strong encryption
A
C. Incomplete or unusable reports
70
Q
- Which role is typically NOT part of IT security management? A. Ensuring encryption policies B. Creating awareness C. Approving loans D. Monitoring vulnerabilities
A
C. Approving loans
71
Q
- What does “referential integrity” check? A. RAM usage B. Data consistency between tables C. Hardware compatibility D. Budget reports
A
B. Data consistency between tables
72
Q
- What is one risk associated with incomplete audit trails? A. Efficient backup B. Clear control mapping C. Difficulty in tracing transactions D. Timely reporting
A
C. Difficulty in tracing transactions
73
Q
- Which of these is a preventive control? A. Logging B. Antivirus C. Risk assessment report D. Staff survey
A
B. Antivirus
74
Q
- Risk assessment must consider: A. Asset inventory only B. Only encryption rules C. Likelihood and impact D. Software size
A
C. Likelihood and impact
75
Q
- Which of the following is NOT typically verified during user access control audit? A. Job termination procedures B. Encryption settings C. Privileged account use D. Access approval logs
A
B. Encryption settings