CAP Certified Information Audit Process Practice Exam Set 1

Though management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should:


Options are :

  • discuss the issue with senior management since reporting this could have a negative impact on the organization.
  • identify whether such software is, indeed, being used by the organization.
  • reconfirm with management the usage of the software.
  • include the statement of management in the audit report

Answer : identify whether such software is, indeed, being used by the organization.

During a change control audit of a production system, an IS auditor finds that the change management process is not formally documented and that some migration procedures failed. What should the IS auditor do next?


Options are :

  • Gain more assurance on the findings through root cause analysis.
  • Document the finding and present it to management.
  • Recommend that program migration be stopped until the change process is documented.
  • Recommend redesigning the change management process

Answer : Gain more assurance on the findings through root cause analysis.

Which of the following is the key benefit of control self-assessment (CSA)?


Options are :

  • Internal auditors can shift to a consultative approach by using the results of the assessment.
  • Management ownership of the internal controls supporting business objectives is reinforced.
  • Improved fraud detection since internal business staff are engaged in testing controls
  • Audit expenses are reduced when the assessment results are an input to external audit work.

Answer : Management ownership of the internal controls supporting business objectives is reinforced.

Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The auditor should:


Options are :

  • not include the finding in the final report, because corrective action can be verified by the IS auditor during the audit
  • not include the finding in the final report, because the audit report should include only unresolved findings.
  • include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings.
  • include the finding in the closing meeting for discussion purposes only.

Answer : include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings.

The final decision to include a material finding in an audit report should be made by the


Options are :

  • auditee's manager.
  • audit committee.
  • IS auditor.
  • CEO of the organization

Answer : IS auditor.

Which of the following would be the MOST effective audit technique for identifying segregation of duties violations in a new enterprise resource planning (ERP) implementation?


Options are :

  • Reviewing the complexities of authorization objects
  • Building a program to identify conflicts in authorization
  • Reviewing a report of security rights in the system
  • Examining recent access rights violation cases

Answer : Building a program to identify conflicts in authorization

During the collection of forensic evidence, which of the following actions would MOST likely result in the destruction or corruption of evidence on a compromised system?


Options are :

  • Dumping the memory content to a file
  • Removing the system from the network
  • Rebooting the system
  • Generating disk images of the compromised system

Answer : Rebooting the system

During an implementation review of a multiuser distributed application, an IS auditor finds minor weaknesses in three areas: the initial setting of parameters is improperly installed, weak passwords are being used, and some vital reports are not being checked properly. While preparing the audit report, the IS auditor should:


Options are :

  • advise the manager of probable risks without recording the observations, as the control weaknesses are minor ones.
  • record the observations separately with the impact of each of them marked against each respective finding
  • record the observations and the risk arising from the collective weaknesses.
  • apprise the departmental heads concerned with each observation and properly document it in the report.

Answer : record the observations and the risk arising from the collective weaknesses.

The success of control self-assessment (CSA) highly depends on:


Options are :

  • the implementation of a stringent control policy and rule-driven controls.
  • having line managers assume a portion of the responsibility for control monitoring.
  • the implementation of supervision and the monitoring of controls of assigned duties.
  • assigning staff managers the responsibility for building, but not monitoring, controls.

Answer : having line managers assume a portion of the responsibility for control monitoring.

During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor should:


Options are :

  • report the disagreement to the audit committee for resolution.
  • ask the auditee to sign a release form accepting full legal responsibility.
  • elaborate on the significance of the finding and the risks of not correcting it.
  • accept the auditee's position since they are the process owners.

Answer : elaborate on the significance of the finding and the risks of not correcting it.

Which of the following is an attribute of the control self-assessment (CSA) approach?


Options are :

  • Auditors are the primary control analysts
  • Broad stakeholder involvement
  • Policy
  • Limited employee participation

Answer : Broad stakeholder involvement

A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it:


Options are :

  • allows management to relinquish responsibility for control.
  • can be used as a replacement for traditional audits.
  • allows IS auditors to independently assess risk.
  • can identify high-risk areas that might need a detailed review later

Answer : can identify high-risk areas that might need a detailed review later

After initial investigation, an IS auditor has reasons to believe that fraud may be present. The IS auditor should:


Options are :

  • report the matter to the audit committee
  • expand activities to determine whether an investigation is warranted
  • report the possibility of fraud to top management and ask how they would like to proceed.
  • consult with external legal counsel to determine the course of action to be taken.

Answer : expand activities to determine whether an investigation is warranted

Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs?


Options are :

  • Forensic analysis
  • System log analysis
  • Compliance testing
  • Analytical review

Answer : Compliance testing

Which of the following should an IS auditor use to detect duplicate invoice records within an invoice master file?


Options are :

  • Generalized audit software (GAS)
  • Test data
  • Integrated test facility (ITF)
  • Attribute sampling

Answer : Generalized audit software (GAS)

When preparing an audit report the IS auditor should ensure that the results are supported by:


Options are :

  • workpapers of other auditors.
  • an organizational control self-assessment.
  • sufficient and appropriate audit evidence.
  • statements from IS management.

Answer : sufficient and appropriate audit evidence.

The MOST important reason for an IS auditor to obtain sufficient and appropriate audit evidence is to:


Options are :

  • perform the audit according to the defined scope.
  • provide a basis for drawing reasonable conclusions.
  • ensure complete audit coverage
  • comply with regulatory requirements

Answer : provide a basis for drawing reasonable conclusions.

An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?


Options are :

  • Report the use of the unauthorized software and the need to prevent recurrence to auditee management
  • Take no action, as it is a commonly accepted practice and operations management is responsible for monitoring such use.
  • Personally delete all copies of the unauthorized software.
  • Inform the auditee of the unauthorized software, and follow up to confirm deletion

Answer : Report the use of the unauthorized software and the need to prevent recurrence to auditee management

An IS auditor who was involved in designing an organization's business continuity plan (BCP) has been assigned to audit the plan. The IS auditor should:


Options are :

  • inform management of the possible conflict of interest after completing the audit assignment.
  • inform the business continuity planning (BCP) team of the possible conflict of interest prior to beginning the assignment.
  • communicate the possibility of conflict of interest to management prior to starting the assignment.
  • decline the assignment.

Answer : communicate the possibility of conflict of interest to management prior to starting the assignment.

While reviewing sensitive electronic work papers, the IS auditor noticed that they were not encrypted. This could compromise the:


Options are :

  • access rights to the work papers.
  • audit trail of the versioning of the work papers
  • confidentiality of the work papers.
  • approval of the audit phases.

Answer : confidentiality of the work papers.

An IS auditor evaluating logical access controls should FIRST:


Options are :

  • evaluate the security environment in relation to written policies and practices
  • document the controls applied to the potential access paths to the system.
  • obtain an understanding of the security risks to information processing.
  • test controls over the access paths to determine if they are functional.

Answer : obtain an understanding of the security risks to information processing.

An IS auditor is performing an audit of a remotely managed server backup. The IS auditor reviews the logs for one day and finds one case where logging on a server has failed with the result that backup restarts cannot be confirmed. What should the auditor do?


Options are :

  • Review the classifications of data held on the server
  • Seek an explanation from IS management
  • Issue an audit finding
  • Expand the sample of logs reviewed

Answer : Expand the sample of logs reviewed

An IS auditor is evaluating a corporate network for a possible penetration by employees. Which of the following findings should give the IS auditor the GREATEST concern?


Options are :

  • Many user IDs have identical passwords
  • There are a number of external modems connected to the network.
  • Network monitoring is very limited.
  • Users can install software on their desktops.

Answer : Many user IDs have identical passwords

The PRIMARY purpose of an IT forensic audit is:


Options are :

  • to participate in investigations related to corporate fraud.
  • to determine that there has been criminal activity.
  • the systematic collection of evidence after a system irregularity.
  • to assess the correctness of an organization's financial statements

Answer : the systematic collection of evidence after a system irregularity.

During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is to:


Options are :

  • address audit objectives.
  • specify appropriate tests.
  • collect sufficient evidence.
  • minimize audit resources.

Answer : address audit objectives.

An IS auditor should use statistical sampling and not judgment (nonstatistical) sampling, when:


Options are :

  • the auditor wishes to avoid sampling risk.
  • the probability of error must be objectively quantified.
  • the tolerable error rate cannot be determined.
  • generalized audit software is unavailable

Answer : the probability of error must be objectively quantified.

Which of the following is the PRIMARY advantage of using computer forensic software for investigations?


Options are :

  • Time and cost savings
  • The preservation of the chain of custody for electronic evidence
  • Ability to search for violations of intellectual property rights
  • Efficiency and effectiveness

Answer : The preservation of the chain of custody for electronic evidence

The extent to which data will be collected during an IS audit should be determined based on the:


Options are :

  • auditor's ability to find relevant evidence.
  • availability of critical and required information
  • purpose and scope of the audit being done.
  • auditor's familiarity with the circumstances.

Answer : purpose and scope of the audit being done.

The vice president of human resources has requested an audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation?


Options are :

  • Integrated test facility
  • Generalized audit software
  • Embedded audit module
  • Test data

Answer : Generalized audit software

When selecting audit procedures, an IS auditor should use professional judgment to ensure that:


Options are :

  • all significant deficiencies identified will be corrected within a reasonable period.
  • sufficient evidence will be collected.
  • all material weaknesses will be identified.
  • audit costs will be kept at a minimum level.

Answer : sufficient evidence will be collected.
