(1) Most important step in a risk analysis is to identify: A. competitors. Answer: C. vulnerabilities. Explanation: If vulnerabilities are not properly identified, controls and audit planning may not be

(2) In risk-based audit planning, an IS auditor's first step is to identify: A. responsibilities of stakeholders. Answer: B. high-risk areas within the organization. Explanation: The first and most critical step in the process is to identify high-risk areas within the

(3) When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to A. segregation of duties to mitigate risks is in place. Answer: B. all the relevant vulnerabilities and threats are identified. Explanation: In developing a risk-based audit strategy, it is critical that the risks and vulnerabilities

(4) An IS auditor identified certain threats and vulnerabilities in a business process. Next, the IS auditor should: A. identify the stakeholder for that business process. Answer: D. identify and evaluate the existing controls. Explanation: Before reaching any conclusion, the IS auditor should evaluate the existing controls and their

(5) The major advantage of a risk-based approach to audit planning is: A. audit planning can be communicated to the client in advance. Answer: D. appropriate utilization of resources for high-risk areas. Explanation: The risk-based approach is designed to ensure audit time is spent on the areas of

(6) While determining the appropriate level of protection for an information asset, an IS auditor A. Criticality of information asset. Answer: A. Criticality of information asset. Explanation: The appropriate level of protection for an asset is determined based on the criticality

(7) The decisions and actions of an IS auditor are MOST likely to affect which of the following A. Inherent. Answer: B. Detection. Explanation: Detection risks are directly affected by the auditor's selection of audit procedures and

(8) The risk of an IS auditor certifying the existence of proper systems and procedures without using an A. inherent risk. Answer: C. detection risk. Explanation: This is an example of detection risk. Detection risk is the risk that the auditors fail to

(9) Overall business risk for a particular threat can be expressed as: A. a product of the probability and impact. Answer: A. a product of the probability and impact. Explanation: Choice A takes into consideration the likelihood and magnitude of the impact and

(10) An IS auditor is evaluating management's risk assessment of information systems. The IS A. the controls already in place. Answer: D. the threats/vulnerabilities affecting the assets. Explanation: One of the key factors to be considered while assessing the risks related to the use of

(11) An IS auditor is conducting a data center security review. Which of the following steps would an A. Evaluate physical access control. Answer: B. Determine the risks/threats to the data center site. Explanation: During planning, the IS auditor should get an overview of the functions being audited

(12) A risk assessment approach is more suitable when determining the appropriate level of A. all information assets are protected. Answer: C. appropriate levels of protection are applied to information assets. Explanation:

(13) In a risk-based audit approach, an IS auditor should FIRST complete a(n): A. inherent risk assessment. Answer: A. inherent risk assessment. Explanation: The first step in a risk-based audit approach is to gather information about the

(14) In planning an audit, the MOST critical step is the identification of the: A. areas of high risk. Answer: A. areas of high risk. Explanation: When designing an audit plan, it is important to identify the areas of highest risk to

(15) The risk assessment process is: A. subjective. Answer: A. subjective. Explanation: Risk assessment is based on the perception of the risk officer. There is no defined

(16) The result of the risk management process is used for: A. forecasting profit. Answer: C. designing controls. Explanation:

(17) Managing risk down to an acceptable level is the responsibility of: A. the risk management team. Answer: B. senior business management. Explanation:

(18) Evaluation of IT risks can be done by: A. finding threats/vulnerabilities associated with current IT assets. Answer: A. finding threats/vulnerabilities associated with current IT assets. Explanation: To assess IT risks, threats and vulnerabilities need to be evaluated using qualitative or

(19) An IS auditor is reviewing a payroll application. He identified some vulnerabilities in the system. What would be the next task? A. Report the vulnerabilities to management immediately. Answer: C. Identify threats and the likelihood of occurrence. Explanation: The IS auditor must identify the assets, look for vulnerabilities, and then identify the

(20) Absence of proper security measures represents a(n): A. threat. Answer: D. vulnerability. Explanation:

(21) An IS auditor is developing a risk management program; the FIRST activity to be performed is A. vulnerability assessment. Answer: C. identification of assets. Explanation: Identification of the assets to be protected is the first step in the development of a risk

(22) The benefit of developing organizational policies by a bottom-up approach is that they: A. cover the whole organization. Answer: B. are derived as a result of a risk assessment. Explanation:

(23) Risk can be mitigated by: A. Implementing controls. Answer: A. Security and control practices. Explanation:

(24) The most important factor while evaluating controls is to ensure that the controls: Answer: A. address the risk. Explanation:

(25) The susceptibility of a business or process to make an error that is material in nature, A. Inherent risk. Answer: A. Inherent risk. Explanation:

(26) The risk that the controls put in place will not prevent, correct, or detect errors on a timely basis. A. Inherent risk. Answer: B. Control risk. Explanation:

(27) Which of the following factors should an IS auditor primarily consider when determining the A. Risk acceptance is the responsibility of senior management. Answer: C. Risks must be identified and documented in order to perform proper analysis on them. Explanation:

When planning an audit, the most critical step is the identification of the? In planning an audit, the MOST critical step is the identification of the areas of high risk. The extent to which data will be collected during an IS audit should be determined based on the purpose and scope of the audit being done.

Which of the following is a benefit of a risk-based approach to audit planning? A risk-based approach to audits enables the internal auditors to identify risks correctly and allows management to put the right internal controls in place for the best performance. This provides you with a better understanding of the risks and enables your organization to better manage them.

Which of the following would prevent accountability for an action performed, thus allowing nonrepudiation? If proper identification and authentication are not performed during access control, no accountability can exist for any action performed.