11.

A second site backup agreement between two or more firms with compatible computer facilities to assist each other
with data processing needs in an emergency is called
a.
internally provided backup
b.
recovery operations center
c.
empty shell
d.
mutual aid pact

b.
c.
d.
ANS:

an elaborate water sprinkler system

manual fire extinguishers in strategic locations
automatic and manual alarms in strategic locations
B

18.

12.

Which concept is not an integral part of an audit?

a.
evaluating internal controls
b.
preparing financial statements
The major disadvantage of an empty shell solution as a second site backup is
c.
expressing an opinion
a.
the host site may be unwilling to disrupt its processing needs to process the critical applications of the disaster stricken company
d.
analyzing financial data
b.
intense competition for shell resources during a widespread disaster
c.
maintenance of excess hardware capacity
d.
the control of the shell site is an administrative drain on the company
ANS:
B
ANS:

ANS:

19.
13.

An advantage of a recovery operations center is that

a.
this is an inexpensive solution
b.
the initial recovery period is very quick
c.
the company has sole control over the administration of the center
d.
none of the above are advantages of the recovery operations center

ANS:
20.

ANS:
14.

For most companies, which of the following is the least critical application for disaster recovery purposes?
a.
month-end adjustments
b.
accounts receivable
c.
accounts payable
d.
order entry/billing

15.

The least important item to store off-site in case of an emergency is

a.
backups of systems software
b.
backups of application software
c.
documentation and blank forms
d.
results of the latest test of the disaster recovery program

17.

Internal auditors assist external auditors with financial audits to

a.
reduce audit fees
b.
ensure independence
Some companies separate systems analysis from programming/program maintenance. All of the following are control
c.
represent the interests of management
weaknesses that may occur with this organizational structure except
d.
the statement is not true; internal auditors are not permitted to assist external auditors with financial audits
a.
systems documentation is inadequate because of pressures to begin coding a new program before documenting the current program
b.
illegal lines of code are hidden among legitimate code and a fraud is covered up for a long period of time
c.
a new systems analyst has difficulty in understanding the logic of the program
ANS:
A
d.
inadequate systems documentation is prepared because this provides a sense of job security to the programmer
23. Which statement is not correct?
a.
Auditors gather evidence using tests of controls and substantive tests.
ANS:
C
b.
The most important element in determining the level of materiality is the mathematical formula.
c.
Auditors express an opinion in their audit report.
All of the following are recommended features of a fire protection system for a computer center except
d.
Auditors compare evidence to established criteria.
a.
clearly marked exits
ANS:

16.

The fundamental difference between internal and external auditing is that

a.
internal auditors represent the interests of management and external auditors represent outsiders
b.
internal auditors perform IT audits and external auditors perform financial statement audits
c.
internal auditors focus on financial statement audits and external auditors focus on operational audits and financial statement
d.
external auditors assist internal auditors but internal auditors cannot assist external auditors
ANS:

22.

Typically, internal auditors perform all of the following tasks except

a.
IT audits
b.
evaluation of operational efficiency
c.
review of compliance with legal obligations
d.
internal auditors perform all of the above tasks
ANS:

21.
ANS:

Which statement is not true?

a.
Auditors must maintain independence.
b.
IT auditors attest to the integrity of the computer system.
c.
IT auditing is independent of the general financial audit.
d.
IT auditing can be performed by both external and internal auditors.

ANS:
ANS:

30.
24.

All of the following are steps in an IT audit except

a.
substantive testing
b.
tests of controls
c.
post-audit testing
d.
audit planning

All of the following tests of controls will provide evidence about the physical security of the computer center except
a.
review of fire marshal records
b.
review of the test of the backup power supply
c.
verification of the second site backup location
d.
observation of procedures surrounding visitor access to the computer center
ANS:

ANS:

When planning the audit, information is gathered by all of the following methods except
a.
completing questionnaires
b.
interviewing management
c.
observing activities
d.
confirming accounts receivable

All of the following tests of controls will provide evidence about the adequacy of the disaster recovery plan except
a.
inspection of the second site backup
b.
analysis of the fire detection system at the primary site
c.
review of the critical applications list
d.
composition of the disaster recovery team
ANS:

ANS:

Substantive tests include

a.
examining the safety deposit box for stock certificates
b.
reviewing systems documentation
c.
completing questionnaires
d.
observation

Which of the following is true?

a.
In the CBIS environment, auditors gather evidence relating only to the contents of databases, not the reliability of the comput
b.
Conducting an audit is a systematic and logical process that applies to all forms of information systems.
c.
Substantive tests establish whether internal controls are functioning properly.
d.
IT auditors prepare the audit report if the system is computerized.
ANS:

ANS:

Tests of controls include

a.
confirming accounts receivable
b.
counting inventory
c.
completing questionnaires
d.
counting cash

Inherent risk
a.
exists because all control structures are flawed in some ways.
b.
is the likelihood that material misstatements exist in the financial statements of the firm.
c.
is associated with the unique characteristics of the business or industry of the client.
d.
is the likelihood that the auditor will not find material misstatements.
ANS:

ANS:

All of the following are components of audit risk except

a.
control risk
b.
legal risk
c.
detection risk
d.
inherent risk

Attestation services require all of the following except

a.
written assertions and a practitioners written report
b.
the engagement is designed to conduct risk assessment of the clients systems to verify their degree of SOX compliance
c.
the formal establishment of measurements criteria
d.
the engagement is limited to examination, review, and application of agreed-upon procedures
ANS:

ANS:
29.

C
34.

28.

A
33.

27.

D
32.

26.

C
31.

25.

35. The financial statement of an organization reflects a set of management assertions about the financial health of the
Control risk is
business. All of the following described types of assertions except
a.
the probability that the auditor will render an unqualified opinion on financial statements that are materially misstated
a.
that all of the assets and equities on the balance sheet exist
b.
associated with the unique characteristics of the business or industry of the client
b.
that all employees are properly trained to carry out their assigned duties
c.
the likelihood that the control structure is flawed because controls are either absent or inadequate to prevent or detect errorsc.in the that all transactions on the income statement actually occurred
accounts
d.
that all allocated amounts such as depreciation are calculated on a systematic and rational basis
d.
the risk that auditors are willing to take that errors not detected or prevented by the control structure will also not be detected by the
auditor
ANS:
B