Topic 1: Volume A
Organizations that use a highly structured command-and-control management approach
are at greater risk of:
A. Delayed response due to the inability to reach consensus among decision makers.
B. Negative consequences that result from lower-level staff's unwillingness to confront errors by superiors.
C. Erosion of staff morale due to perceptions of ineffective leadership.
D. Waste and abuse of organizational resources resulting from management override of controls.
Negative consequences that result from lower-level staff's unwillingness to confront errors by superiors.
Which of the following would be the best source of information for a chief audit executive to
use in planning future audit staff requirements?
A. Discussions of audit needs with executive management and the audit committee.
B. Review of audit staff education and training records.
C. Review of audit staff size and composition of similar-sized companies in the same industry.
D. Interviews with existing audit staff.
Discussions of audit needs with executive management and the audit committee.
Which of the following best describes the most important criteria when assigning
responsibility for specific tasks required in an audit engagement?
A. Auditors must be given assignments based primarily upon their years of experience.
B. All auditors assigned an audit task must have the knowledge and skills necessary to complete the task satisfactorily.
C. Tasks must be assigned to the audit team member who is most qualified to perform them.
D. All audit team members must have the skills necessary to satisfactorily complete any task that will be required in the audit engagement.
All auditors assigned an audit task must have the knowledge and skills necessary to
complete the task satisfactorily.
An internal auditor is assigned to conduct an audit of security for a local area network
(LAN) in the finance department of the organization. Investment decisions, including the use
of hedging strategies and financial derivatives, use data and financial models which run on
the LAN. The LAN is also used to download data from the mainframe to assist in decisions.
Which of the following should be considered outside the scope of this security audit engagement?
A. Investigation of the physical security over access to the components of the LAN.
B. The ability of the LAN application to identify data items at the field or record level and implement user access security at that level.
C. Interviews with users to determine their assessment of the level of security in the system and the vulnerability of the system to compromise.
D. The level of security of other LANs in the company which also utilize sensitive data.
The level of security of other LANs in the company which also utilize sensitive data.
Which is the least effective form of risk management?
A. Systems-based preventive control.
B. People-based preventive control.
C. Systems-based detective control.
D. People-based detective control.
People-based detective control.