1. When performing a review of the structure of an electronic funds transfer (EFT)
system, an IS auditor observes that the technological infrastructure is based on a
centralized processing scheme that has been outsourced to a provider in another country.
Based on this information, which of the following conclusions should be the main concern
of the IS auditor?
A. There could be a question with regard to the legal jurisdiction.
B. Having a provider abroad will cause excessive costs in future audits.
C. The auditing process will be difficult because of the distances.
D. There could be different auditing norms.

2. When segregation of duties concerns exist between IT support staff and end users, what
would be a suitable compensating control?
A. Restricting physical access to computing equipment
B. Reviewing transaction and application logs
C. Performing background checks prior to hiring IT staff
D. Locking user sessions after a specified period of inactivity

3. When developing a risk management program, the FIRST activity to be performed is
a(n):
A. threat assessment.
B. classification of data.
C. inventory of assets.
D. criticality analysis.

4. Which of the following goals would you expect to find in an organization's strategic
plan?
A. Test a new accounting package.
B. Perform an evaluation of information technology needs.
C. Implement a new project planning system within the next 12 months.
D. Become the supplier of choice for the product offered.

5. Assessing IT risks is BEST achieved by:
A. evaluating threats associated with existing IT assets and IT projects.
B. using the firm's past actual loss experience to determine current exposure.
C. reviewing published loss statistics from comparable organizations.
D. reviewing IT control weaknesses identified in audit reports.

6. An IS auditor was hired to review e-business security. The IS auditor's first task was to
examine each existing e-business application looking for vulnerabilities. Which would be
the next task?
A. Report the risks to the CIO and CEO immediately.
B. Examine e-business application in development.
C. Identify threats and likelihood of occurrence.
D. Check the budget available for risk management.

7. The lack of adequate security controls represents a(n):
A. threat.
B. asset.
C. impact.
D. vulnerability.

8. Which of the following IT governance best practices improves strategic alignment?
A. Supplier and partner risks are managed.
B. A knowledge base on customers, products, markets and processes is in place.
C. A structure is provided that facilitates the creation and sharing of business information.
D. Top management mediate between the imperatives of business and technology.

9. Which of the following would be a compensating control to mitigate risks resulting
from an inadequate segregation of duties?
A. Sequence check
B. Check digit
C. Source documentation retention
D. Batch control reconciliations
