
Name: ______________________________ Permit # ________

Schedule: ______________________

FINAL EXAMINATION IN ACT42


INFORMATION SYSTEMS AUDITING

1. Imagine that someone asks you to do something unethical like covering up a fraud. What would you do?
a. As an auditor, you must cut off all your connections and interests and not participate in any decisions by
any employees. Just wait for them to mess things up and do your job after that.
b. Go along with his/her intention and keep it to yourself, but report it anonymously to the management
c. Explain the company policies and their consequences to him/her and let him/her decide whether he/she will still pursue
covering up the fraud, without getting involved.
d. Advise the person to look for someone else to do his/her dirty job.
2. The auditor determines the method of sampling, the number of items that will be examined from each population type,
and which items to select for their opinions
a. Statistical Sampling
b. Variable Sampling
c. Discovery Sampling
d. Non-Statistical Sampling
e. None of the Above
3. Imagine a situation where you have to deal with uncooperative colleagues. What would you do?
a. Still assign them to their duties and, if they still don’t do what they are assigned to do, file a report to the
management about their actions.
b. Assign a group leader that you know they trust and are able to work with. Mitigate the responsibility to
someone else.
c. Report them to the management and get them fired for being uncooperative.
d. Report their actions and suggest actions that the management will choose about the employee (e.g.
reassignment of duty/ other department)
4. In this testing, the auditor tests segregation of duties, security awareness, and competency
a. Observe personnel
b. Review IS Documentation
c. Interview personnel
d. Review IS Policies, Standards, Procedures
e. Review IS Organization
5. What would you do if the system crashed after a change you implemented?
a. Look for the fault in the system and blame the software analysts and development team for releasing an
unfinished/untested system.
b. Analyze the risk involved in the system crash that happened and assess what measures should be taken
to prevent this incident from happening again.
c. Form a group of systems analysts and let them determine the reason for the system failure.
6. It is the Stay-out-of-Jail card for all auditors, as long as they only do what they have permission to do
a. Objective
b. Signature
c. Scope
d. Constraints
e. Checklist
7. How do you develop an audit plan?
a. Create a timeframe, perform sampling, set priorities, address solutions
b. Interview personnel, analyze risks, perform testing, address solutions
c. Create policies, set priorities, interview personnel, perform testing, address solutions
d. Observe current policies, perform testing, interview personnel, address solutions
8. A trait of an auditor wherein he is checking standards, policies, and processes that are to be followed
a. Assertive
b. Objective Evidence Evaluation
c. Independent
d. Qualified
e. Competent
9. How do you keep up with changes in regulations and laws?
a. Performing ISACA Auditing Standards
b. Abiding by company policies
c. Implementing and reviewing internal controls
d. Revise a new internal control for the company monthly
10. In this testing, the auditor must keep an eye open for irregularities and/or illegal acts, unusual relationships, and
material misstatements
a. Supervision
b. Professional Skepticism
c. Interview personnel
d. Observe personnel
e. Both A and D
11. How do you think internal auditing can add value to a company?
a. By providing inputs and recommendations to problems encountered on the internal controls
implemented
b. By providing inputs before and after an internal control is implemented
c. By working side-by-side with your fellow employees to help them develop a solution to an internal control
problem, while maintaining professionalism on your role as the auditor
d. By assessing controls with a system prior to solution deployment.
12. It means you have no special interest in the group being audited (e.g. No tips/reasons to choose the auditee etc.)
a. Professional Independence
b. Organizational Independence
c. Social Independence
d. Cultural Independence
e. None of the Above
13. Insufficient Firewall/IPS Restrictions is an example of
a. Control Risks
b. Inherent Risks
c. Detection Risk
d. Internal Risk
14. Proves the integrity of actual processing. It provides evidence of the validity and integrity of the balances in
financial statements and transactions that support these balances.
a. Substantive Testing
b. Compliance Testing
c. Evidence Testing
d. Organizational Testing
15. Assertions means:
a. You are checking standards, policies, processes that are to be followed.
b. Pushing your goal for the company
c. Implementing internal controls instantly
d. Adding value to the company
16. It is the largest part of the Audit plan:
a. Objective
b. Scope
c. Constraints
d. Checklist
e. Signature
17. Independent means:
a. Refers to the independence of the internal auditor or of the external auditor from parties that may have
a financial interest in the business being audited.
b. You are not tied to the organization, are not close friends with anyone in it, do not attend parties.
c. Independence from parties whose interests might be harmed by the results of an audit
d. Independence from parties that have an interest in the results published in financial statements of an
entity
18. Sampling where the auditor determines sample size and selection criteria
a. Non-Statistical Sampling
b. Variable Sampling
c. Unstratified Mean per unit Sampling
d. Statistical Sampling
e. None of the Above
19. An IS auditor should plan their audit approach based upon:
a. Materiality
b. Management recommendations
c. ISACA recommendations
d. Risk
20. The FIRST step that an auditor should take is:
a. Prepare the Audit Objectives and Scope
b. Learn about the organization
c. Study ISACA audit recommendations for the functional area
d. Perform an IT risk assessment
21. An inherent risk for a school would be:
a. Students trying to hack into the system to change grades
b. A firewall does not catch spoofed IP addresses
c. An audit does not find fraud which actually exists
d. People do not change their passwords regularly

22. A Certified Internal Auditor (CIA) is working in a non–internal audit position as the director of purchasing. The CIA
signs a contract to procure a large order from the supplier with the best price, quality, and performance. Shortly
after signing the contract, the supplier presents the CIA with a gift of significant monetary value. Which of the
following statements regarding the acceptance of the gift is correct?
a. Acceptance of the gift would be prohibited only if it were noncustomary.
b. Acceptance of the gift would violate the IIA Code of Ethics and would be prohibited for a CIA.
c. Since the CIA is no longer acting as an internal auditor, acceptance of the gift would be governed only by
the organization’s code of conduct.
d. Since the contract was signed before the gift was offered, acceptance of the gift would not violate either
the IIA Code of Ethics or the organization’s code of conduct.
23. An inherent risk for a school would be:
a. Students trying to hack into the system to change grades
b. A firewall does not catch spoofed IP addresses
c. An audit does not find fraud which actually exists
d. People do not change their passwords regularly
e. A student hacker trying to perform a robbery
24. When conducting interviews during the early stages of an internal audit, it is more effective to:
a. Ask for specific answers that can be quantified.
b. Ask people about their jobs.
c. Ask surprise questions about daily procedures.
d. Take advantage of the fact that fear is an important factor in an audit.
25. During an audit, the internal auditor should consider the following factor(s) in determining the extent to which
analytical procedures should be used:
a. Adequacy of the system of internal control.
b. Significance of the area being examined.
c. Precision with which the results of analytical audit
d. All of the above.
