1. Some of the following elements should be included in a career development plan:

a. Career path planning with management support
b. Definition of knowledge, skills, and abilities
c. Performance assessment and counseling
d. All of the above

2. Which professional certification can be helpful to an IT auditor's career?

a. CISA
b. CISSP
c. CPA
d. All of the above

3. Which IT audit area involves audit selection, definition of audit scope, initial contacts and communication with auditees and audit team selection?

a. Fact gathering
b. Audit tests
c. Audit preparation
d. Audit objectives

4. Which IT audit area involves a formal plan for reviewing and testing each significant audit subject area disclosed during the fact gathering?

a. Audit objectives
b. Audit program
c. Audit tests
d. Use of audit tools

5. Which IT audit area involves formal statements that describe a course of action that should be implemented to restore or provide accuracy, efficiency, or adequate control of an audit subject?

a. Audit tests
b. Finding of an audit report
c. Recommendations of an audit report
d. Conclusion of an audit report

6. IT audit assessment is very important and, at a minimum, consists of reviewing

a. The completeness of the audit
b. The pertinence of the information presented
c. The accuracy of the audit work and supporting working papers
d. All of the above

7. Some of the areas that one can assess for the IT auditor's individual performance are

a. Communication skills
b. Judgment
c. Auditing knowledge
d. All of the above

8. Why is it important to learn about best practices?

a. Efficiency
b. Add value to client/auditee or organization
c. Advancement in technology
d. All of the above

9. This best practice consists of a document that sets the tone or course of action you plan to take with your client/auditee:

a. Benchmarking
b. Planning memo
c. Risk analysis
d. None of the above

10. The reasons for risk analysis are

a. Loss or corruption of information and IS assets
b. Impaired and ineffective management decision making
c. Disruption to customer service or other critical operations
d. All of the above

11. IT auditing involves

a. People
b. Technology
c. Operations and systems
d. All of the above

12. COBIT was developed and issued by

a. AICPA
b. IIA
c. ISACA
d. ACFE

13. The SAC reports were issued by

a. IIA
b. ISSA
c. ISACA
d. AICPA

14. Information assurance is defined as

a. Information integrity
b. The level of confidence and trust that can be placed on the information
c. The level of trust and confidence that can be placed on service availability
d. All of the above

15. The following U.S. federal act has pledged almost a billion dollars toward curriculum, research, and skill development in IT audit, control, security, and information assurances issues:

a. Computer Fraud and Abuse Act of 1984
b. Computer Security Act of 1987
c. Cyber Security Research and Development Act
d. HIPAA Act of 1996

16. Which organization operating under U.S. national authority and its initiatives provides the foundation for a dramatic increase in the population of trained and professionalized security experts?

a. AICPA
b. ISACA
c. NIETP
d. None of the above

17. Standards for information security officers have been issued by

a. CIA
b. FBI
c. GAO
d. NSTISSC

18. A new field of opportunity and career growth is

a. Business systems analyst
b. Computer forensic analyst
c. Network administrator
d. None of the above

19. The number of universities within the United States identified as centers of excellence in information assurances is

a. 10
b. 25
c. 40
d. Greater than 49

20. The IT auditor's role in IT governance can be as

a. A counselor
b. A partner of senior management
c. An educator
d. All of the above

21. IT governance is

a. The process by which an enterprise's IT is directed and controlled
b. The evaluation of computers and information processing not as key resources
c. Management that is only involved in making decisions
d. User dominance in IT decision making

22. IT governance is controlled through a series of processes and procedures that:

a. Determine how investments are managed
b. Identify who can make decisions
c. Determine how results are measured
d. None of the above

23. For IT to be an effective partner in organizational decision making, the CIO must

a. Offer proactive solutions to organizational needs
b. Get agreement on the measures of IT performance
c. Regularly attend board meetings
d. None of the above

24. Which of the following is not a main reason for ERM functions being established within organizations?

a. Increasing software patches
b. Magnitude of problem
c. Increasing business risks
d. Organizational oversight

25. Compliance with laws and regulations is a key business risk because of

a. The controls outlined in COBIT
b. The impact on security of an organization
c. The sheer number of laws and regulations
d. The automation of financial processes

26. Continuous auditing is a technique used to

a. Create a sample of production data to test controls
b. Detect and report on control breakdowns as they occur
c. Provide a tool for business users to manage IT
d. All of the above

27. Measuring IT performance is dependent on

a. Delivering successful projects
b. Keeping operations running
c. Reducing operating costs
d. The strategy and objectives of the organization

28. Developing a successful measurement process requires

a. Alignment between IT and organization objectives
b. Mature measurement processes
c. Support from IT and organization management
d. Automated measurement tools to report accurate metrics

29. A successful measurement process includes all of the following, except

a. Ownership of the measurement process from the area to be measured.
b. Measure the effective use of resources and alignment with business objectives.
c. Measurement of events and processes rather than individuals.
d. Measurement must be meaningful, reliable, and accurately represent the area measured.

30. IT governance requires management action taken at all levels to

a. Decrease the probability of carelessness
b. Reduce outside threat and the probability of hostile penetration
c. Decrease fraud and corruption within the organization
d. All of the above

31. What is the purpose of developing an IS strategic plan?

a. Define the IT goals and objectives.
b. Guide the acquisition, allocation, and management of IT resources.
c. Define the technology to be used by the organization for the current year.
d. Provide a process for governing investments in IT.

32. The COBIT model is based on the following:

a. COSO model of internal controls
b. Capability Maturity Model
c. Project Management Body of Management
d. ISO 9000-Quality Management and Quality Assurance Standards

33. The Planning and Organization domain includes all the following except

a. Project management standards
b. Architecture planning process
c. Strategic planning process
d. Operational readiness process

34. The FFIEC is made up of representatives from

a. FRB and FDIC
b. Office of Comptroller of the Currency
c. OTS and NCUA
d. All the above plus representatives from each bank regulatory council

35. The Basel Committee believes

a. The board of directors must be involved with approval of the operational risk management plan, which includes technology risk.
b. Senior management has responsibility for implementing the plan and spreading information about the plan throughout the organization.
c. Processes must be in place to identify risks, measure them, monitor their occurrence, and control or mitigate their occurrence.
d. All of the above.

36. One of the obstacles to the success of CRM has been

a. Project management standards
b. Lack of strategic plan
c. Strategic planning process
d. Architecture planning process
e. None of the above

37. Portfolio management processes are needed to

a. Ensure new technology is approved by the appropriate groups
b. Ensure projects are completed on time, on budget, and with full functionality
c. Ensure effective and efficient IT operations
d. Ensure the effective use of resources and alignment with business objectives

38. A technical review process helps ensure that

a. The project has included all the costs of the technology solution
b. The right solution is selected that integrates with other technology components
c. The current infrastructure is sufficient to support the new technology
d. The appropriate level of senior management approvals has been received

39. Architectural standards are needed to

a. Determine which vendor products to use
b. Simplify and standardize infrastructure costs
c. Communicate programming standards to software developers
d. Speed the implementation process for new technology

40. A technical steering committee provides

a. A control mechanism for evaluating and approving new technology solutions
b. A framework for organizing and assessing software development and maintenance
c. Leadership in advancing the practice of software engineering
d. Guidance in the acquisition, allocation, and management of IT resources

41. NIST stands for which of the following?

a. National Information Security Test
b. National Institute of Standards and Testing
c. National Institute of Standards and Technology
d. National Institute of Security and Technology

42. The GAO conducts audits, surveys, investigations, and evaluations of

a. Federal agencies
b. Businesses
c. State agencies
d. All of the above

43. Which of the following organizations consists of representatives from industry, public accounting, investment firms, and the New York Stock Exchange?

a. IIA
b. COSO
c. ISACA
d. AICPA

44. Risk retention (self-insurance) methods should meet all of the following criteria, except

a. Risk should be spread physically to distribute exposure across several locations
b. Determine whether a self-insurance reserve should be established to cover a possible loss
c. Develop an internal risk management group to monitor exposures
d. Determine the maximum exposure to loss

45. Threats to integrity and privacy from inside the organization include

a. Loss or destruction of assets by malicious acts
b. Errors from incompetence or carelessness
c. Deliberate exposure of private or privileged information
d. All of the above

46. The cost of risks includes all of the following, except

a. Cost of loss-prevention measures
b. Cost of security controls
c. Cost of losses sustained
d. Insurance premiums

47. Tools used to identify risks include all of the following, except

a. Risk analysis questionnaire
b. Flowchart of operations
c. Audit workflow software
d. Insurance policy checklist

48. IT risk evaluation involves

a. Ranking of the size and probability of potential loss
b. Evaluation of the level of risk of a given process or function
c. Ensuring that risk losses do not prevent organization management from meeting its objectives
d. Retaining a portion of the risk to reduce the insurance or premium costs

49. The reasons for risk analysis are

a. Loss or corruption of information and IS assets
b. Impaired and ineffective management decision making
c. Disruption to customer service or other critical operations
d. All of the above

50. Which of the following statements regarding the effect of insurance on risk is true?

a. Prevents loss or damage to the organization
b. Transfers risk of loss or damage to the insurance company
c. Risks are not managed when insured
d. None of the above