
INFORMATION TECHNOLOGY GENERAL CONTROLS - MC QUESTIONS

GROUP 2
CIA and AICPA

1. ___________ refers to computer programs that manage the processing workload and
control user access to various resources of a computer system.
a. General Control Review
b. Application Controls
c. System Software
d. System Hardware

2. Which is not one of the types of general information system controls?
a. General Controls
b. Organizational Controls
c. Modification Control
d. Application Controls

3. Which of the following statements about general controls is not correct?


a. Backup and disaster recovery plans should identify alternative hardware to
process company data.
b. Successful IT development efforts require the involvement of IT and non-IT
personnel.
c. The chief information officer should report to senior management and the board.
d. Programmers should have access to computer operations to aid users in
resolving problems.

4. Which of the following is not a general control?


a. Separation of duties
b. Systems development
c. Output controls
d. Hardware controls

5. General controls include all of the following except:


a. Systems development
b. Online security
c. Check digit
d. Hardware controls

6. Which of the following is not a general control?


a. Computer performed validation test of input accuracy
b. Equipment failure causes error messages on monitor
c. Separation of duties between programmer and operators
d. Adequate program run instructions for operating the computer

7. Some CIS control procedures relate to all CIS activities (general controls) and some
relate to specific tasks (application controls). General controls include
a. Controls designed to ascertain that all data submitted to CIS for processing have
been properly authorized.
b. Controls that relate to the correction and resubmission of data that were initially
incorrect
c. Controls for documenting and approving programs and changes to programs
d. Controls designed to assure the accuracy of the processing results.

8. Which of the following statements is correct?


a. Auditors should evaluate application controls before evaluating general controls.
b. Auditors should evaluate application controls and general controls
simultaneously.
c. Auditors should evaluate general controls before evaluating application
controls.
d. None of these statements is correct.

9. Which of the following is a component of general controls?


a. Processing controls
b. Output controls
c. Back-up and contingency planning
d. Input controls

10. Which of the following is least likely to be a general control over computer activities?
a. Procedures for developing new programs and systems
b. Requirements for system documentation
c. Access controls
d. Control totals

11. Which of the following is a category of general controls?


a. Processing controls.
b. Output controls.
c. Physical and online security.
d. Input controls.

12. Which of the following is least likely to be used in obtaining an understanding of client
general controls?
a. Examination of system documentation
b. Inquiry of client personnel (e.g., key users)
c. Observation of transaction processing
d. Reviews of questionnaires completed by client IT personnel

13. Auditors usually evaluate the effectiveness of:


a. hardware controls before general controls.
b. sales-cycle controls before application controls.
c. general controls before application controls.
d. application controls before the control environment.

14. General CIS Controls may include, except:
a. Organization and management controls
b. Delivery and support controls
c. Development and maintenance controls
d. Controls over computer data files

15. General controls include controls


a. For developing, maintaining and modifying computer programs
b. That relate to the correction and resubmission of erroneous data
c. Designed to provide reasonable assurance that only authorized users receive
output from processing.
d. Designed to provide reasonable assurance that all data submitted for processing
have been properly authorized

16. Certain general CIS Controls that are particularly important to on-line processing least
likely include
a. Access controls
b. System development and maintenance controls
c. Edit, reasonableness and other validation test
d. Use of anti-virus software program

17. Which of the following best provides access control to payroll data being processed on a
local server?
a. Logging of access to personal information
b. Separate password for sensitive transactions
c. Software restricts access rules to authorized staff
d. System access restricted to business hours

18. An IS auditor performing a telecommunication access control review should be
concerned primarily with the:
a. Maintenance of access logs of usage of various system resources
b. Authorization and authentication of the user prior to granting access to
system resources
c. Adequate protection of stored data on servers by encryption or other means
d. Accountability system and the ability to identify any terminal accessing system
resources

19. Auditors usually obtain information about general and application controls through:
a. Interviews with IT personnel
b. Examination of systems documentation
c. Reading program change requests
d. All of the above methods

20. Which of the following is not a general control?
a. Reasonableness test for unit selling price of a sale.
b. Equipment failure causes error messages on monitor.
c. Separation of duties between programmer and operators.
d. Adequate program run instructions for operating the computer

CPA & CISA

21. Which of the following outcomes is a likely benefit of information technology used for
internal control?
a. Processing of unusual or nonrecurring transactions.
b. Enhanced timeliness of information.
c. Potential loss of data.
d. Recording of unauthorized transactions.

22. Which of the following factors is most likely to affect the extent of the documentation of the
auditor's understanding of a client's system of internal controls?
a. The industry and the business and regulatory environments in which the client
operates.
b. The degree to which information technology is used in the accounting function.
c. The relationship between management, the board of directors, and external
stakeholders.
d. The degree to which the auditor intends to use internal audit personnel to perform
substantive tests.

23. Which of the following statements accurately describes the impact that automation has on the
controls normally present in a manual system?
a. Transaction trails are more extensive in a computer-based system than in a manual
system because there is always a one-for-one correspondence between data entry and
output.
b. Responsibility for custody of information assets is more concentrated in user
departments in a computer-based system than it is in a manual system.
c. Controls must be more explicit in a computer-based system because many
processing points that present opportunities for human judgment in a manual
system are eliminated.
d. The quality of documentation becomes less critical in a computer-based system than
it is in a manual system because data records are stored in machine-readable files.

24. Control objectives regarding effectiveness and efficiency, reliability, and compliance are the
basis of which control framework?
a. GTAG
b. eSAC
c. COBIT
d. COSO

25. Which of the following would not be in scope in a general computer control review?
a. Change Management
b. The Financial Statement Close Process
c. Physical Security
d. Operating System Security

26. All of the following are true about general control except:
a. General controls, in nature, cannot be automated, manual or hybrid, where in
the case of an automated and/or hybrid control
b. General controls are defined as controls, other than application controls, that relate to
the environment within which computer-based application systems are developed,
maintained and operated, and that is therefore applicable to all applications
c. General controls apply to all areas of the organization including IT infrastructure and
Support services
d. None of the above

27. Which of the following best describes Physical and Logical access management?
a. The objective of this control is to verify that the expected level of service, promised
to the business, will be delivered through the day to day activities of the organization.
b. The objective of this control is to verify the key components which affect the
confidentiality, integrity and availability of information systems.
c. The objective of this control is to provide appropriate degree of assurance over the
changes implemented on the Information Systems.
d. The objective of this control is to gain an overall impression on the controls
surrounding the information systems within the environment in order to provide
assurance of leadership, organizational structure and processes existence

28. An IS auditor is reviewing the internal control of an application software. The sampling
method that will be MOST useful when testing for compliance is:
a. Attribute sampling
b. Variable sampling
c. Discovery sampling
d. Stop or go sampling

29. Each of the following is a general control concern EXCEPT:


A. Documentation procedures within the IS Department.
B. Physical access controls and security measures.
C. Organization of the IS Department
D. Balancing of daily control totals

30. Information security (IS) management is responsible for ensuring the accessibility,
integrity, and confidentiality of an organization's information. There are several key
elements involved in IS management. Which of the key elements of information security
acts as a foundation for an organization's IS management efforts? Choose the best
option(s) from those listed below.
a. Policies and procedures
b. Monitoring and compliance
c. Senior management support
d. Security awareness and education

31. Information security governance requires strategic alignment in terms of:


a. enterprise requirements are the basis for security requirements
b. security requirements are the basis for enterprise requirements
c. current technology trend
d. benchmarking with industry standards

32. Which of the following is the PRIMARY objective of an IT performance measurement
process?
a. To reduce error
b. To obtain performance data
c. To finalize the requirement baseline
d. To improve performance

33. Which of the following is not an application control?


a. Preprocessing authorization of sales transactions
b. Reasonableness test for unit selling price of sale
c. Post-processing review of sales transactions by the sales department
d. Separation of duties between computer programmer and operators

34. Service auditors do not issue which of the following types of reports?
a. Report on implemented controls
b. Report on controls that have been implemented and tested for design effectiveness
c. Report on controls that have been implemented and tested for operating effectiveness
d. Each of the above is issued

35. A test to determine whether the last 50 new user requisitions were correctly processed is an
example of:
a. discovery sampling
b. substantive testing
c. compliance testing
d. stop-or-go sampling

36. Which of the following best describes a fundamental control weakness often associated with
electronic data processing systems?
a. Electronic data processing equipment is more subject to systems error than manual
processing is subject to human error.
b. Electronic data processing equipment processes and records similar transactions in a
similar manner.
c. Electronic data processing procedures for detection of invalid and unusual transactions
are less effective than manual control procedures.
d. Functions that would normally be separated in a manual system are combined in
the electronic data processing system

37. Where computer processing is used in significant accounting applications, internal control
procedures may be defined by classifying control procedures into two types: general and
a. Administrative
b. Specific
c. Application
d. Authorization

38. Which of the following best describes the early stages of an IS audit?
a. Observing key organizational facilities
b. Assessing the IS environment
c. Understanding business process and environment applicable to the review
d. Reviewing prior IS audit reports

39. A validation which ensures that input data are matched to predetermined reasonable limits or
occurrence rates, is known as:
a. Reasonableness check
b. Validity check
c. Existence check
d. Limit check

40. Which of the following data entry controls provides the greatest assurance that the data is
entered correctly?
a. Using key verification
b. Segregating the data entry function from data entry verification
c. Maintaining a log/record detailing the time, date, employee's initials/user ID and progress
of various data preparation and verification tasks
d. Adding check digits
