ISCA Important Questions – May 2019 CA Nikunj Shah
IMPORTANT QUESTIONS
CA FINAL ‐ ISCA Applicable for May 2019 exams
This publication contains Multiple Choice Questions (MCQs) and Chapter‐wise listing of ‘Most Likely (**)’ and ‘Likely (*)’ questions for May 2019 examinations. Its objective is to help students in their preparations for exams. Although great care is taken in identifying these questions, the author gives NO ASSURANCE OR SURETY that any of these questions will be asked in the exams. Students are advised to cover the entire syllabus thoroughly to maximize their prospects of scoring well in this subject.
I take this opportunity to wish you All The Very Best!!
‐ CA Nikunj Shah
Data Analytics & Forensic Audit | www.dafi.in |Training & Consulting Page 2 of 31
I believe I can fly
I believe I can touch the sky
I think about it every night and day
Spread my wings and fly away
‐ Robert Sylvester Kelly (R. Kelly)
American singer, songwriter, record producer, and former professional basketball player.
Prologue
My dear students,
I am happy to note that the Board of Studies has thoroughly revamped the examination pattern for assessing students in paper 6 of CA Final (now ‘old course’). From May 2019, there shall be a 30% weightage for objective type questions (MCQs). This is a welcome step and I have been mooting this for over five years.
Attempting a paper where 30 marks are for objective questions is like fighting a battle with a double-edged sword. While the outer edge, i.e. a thorough understanding of the topics along with sufficient practice, is sure to fetch you marks, the inner edge, i.e. rote learning (mugging up), can go against you. MCQs can be your best bet to score, since the right answer is in front of you! At the same time, so are the other three wrong answers to confuse you!!
“ISCA Important Questions – May 2019” is divided into two parts – Part A & Part B. I am pleased to share with you a question bank of MCQs in Part A. These MCQs, I believe, will not only help you to prepare for the changed exam pattern, but shall also give you a better insight into understanding the topics as well.
In Part B – Most likely & likely question sets, rest assured that I have selected the questions with the same care that I have been taking all these years, although it may appear that there is not much change in the questions as compared with questions in earlier years.
I acknowledge that all my efforts in bringing out this publication are no match when compared with the affection, confidence & respect that you have reposed in me throughout the journey. Thank you very much.
I shall be happy to know of your success. Until then, prepare well, pray hard and, last but not least, have unshakeable faith in your own self. And yes, in case you aspire to make a career in professional practice, feel free to get in touch with me. I do look forward to welcoming you on board as ‘My dear professional colleague’!
Good Luck & God Bless!!
Warm wishes,
CA Nikunj Shah
Mumbai
May 18, 2019
Analysis of ISCA Important Questions – Nov. 18 (Immediate Previous Examination)

Chapter No. | Question in ISCA Important Questions – Nov. 18 | Q. No. & Marks asked for in Nov. 18
1 | COBIT 5 has a specific process “MEA02 Monitor, Evaluate and Assess the system of Internal Controls.” Discuss in brief any 6 key practices for assessing and evaluating the system of Internal Control in an enterprise based on this process. | Q. 5(a), 6 marks
1 | What goals & metrics can be used to measure specific success of a GRC program? | Q. 2(b), 6 marks
1 | Discuss the Key Management Practices for Aligning IT Strategy with Enterprise Strategy. | Q. 4(b), 6 marks
3 | What do you understand by asynchronous attacks? Briefly explain some forms of asynchronous attacks. | Q. 6(c), 4 marks
3 | Explain the major kinds of cyber-attacks. | Q. 3(a), 6 marks
6 | State some of the critical factors which should be considered by an IS Auditor as a part of his / her preliminary review of the audit environment during an IS Audit. | Q. 2(a), 6 marks
7 | Explain ‘Authentication of Electronic Records’ with reference to S.3A of ITAA, 2008. | Q. 4(a), 6 marks
8 | What is BYOD? Explain its advantages and threats. | Q. 7(c), 4 marks
Total Marks asked for out of ISCA Important Questions – Nov. 18: 44 Marks
Disclaimer: Past performance may not be repeated.
PART A‐ MCQs
Kya Hai Jawab ISCA? Play Memorize Recall
CHAPTER 1

1. ________ provides the overall charter under which all units in the enterprise, including the information systems function, must operate.
A. Enterprise Strategic Plan
B. Information Systems Strategic Plan
C. Information Systems Requirements Plan
D. Information Systems Application & Facilities Plan
Ans: A

2. Attack is best defined as:
A. The likelihood that an organisation would face a vulnerability being exploited
B. Event with the potential to cause harm
C. Extent of loss the organisation has to face when a risk materialises
D. Set of actions designed to compromise any desired feature of an information system
Ans: D

3. Threat is best defined as:
A. The likelihood that an organisation would face a vulnerability being exploited
B. The weakness in the system safeguards that exposes the system
C. An entity, circumstance or event with the potential to harm the software system or component
D. Extent of loss the organisation has to face when a risk materialises
Ans: C

4. The statements correct about risk are: (i) Loss potential that exists as the result of a threat / vulnerability process (ii) It is the weakness in the system safeguards that exposes the system (iii) Uncertainty of loss expressed in terms of probability of such loss (iv) Risk is calculated as probability times exposure (v) Risk is the extent of loss the organisation has to face
A. (i) and (iii) only
B. (i), (ii) and (iv) only
C. (i), (iii) and (iv) only
D. (iii), (iv) and (v) only
Ans: C

5. The statements correct about business governance or performance are: (i) This dimension focuses on strategy and value creation (ii) This dimension is monitored by the audit committee (iii) It is business oriented and takes a forward looking view (iv) This dimension does not lend easily to a regime of standards and assurance
A. (i) and (iii) only
B. (i), (ii) and (iv) only
C. (i), (iii) and (iv) only
D. (i), (ii) and (iii) only
Ans: C

6. Per COSO, the five interrelated components of internal control are: I. Control (or Operating) environment II. Policies, procedures, practices and enterprise structure III. Risk assessment IV. Control activities V. Information and communication VI. Monitoring VII. Asset safeguarding and Data Integrity
A. I, II, III, IV and V
B. I, II, V, VI and VII
C. I, III, IV, V and VI
D. II, IV, V, VI and VII
Ans: C

7. Risk Assessment, a component of internal control, does NOT include: I. Determination of Goals and Objectives II. Identification of Risks III. Risk Analysis IV. Security of assets V. Segregation of duties VI. Controls over information systems
A. I, II and III
B. I, III and V
C. IV, V and VI
D. II, IV and VI
Ans: C

8. Control Activities, a component of Internal Control, includes the following, EXCEPT: I. Determination of Goals and Objectives II. Risk Analysis III. Security of assets IV. Segregation of duties V. Controls over information systems VI. Identification of Risks VII. Approvals and authorizations
A. II, III and VI
B. I, III and V
C. I, II and VI
D. II, VI and VII
Ans: C

9. The COBIT framework allows the following EXCEPT: I. Management to benchmark security & control practices of IT environments II. Users of IT services to be assured that adequate security and control exist III. Providing guidelines in applying IS auditing standards IV. Auditors to substantiate their opinions on internal control and to advise on IT security and control matters
A. I
B. II
C. III
D. IV
Ans: C

10. The statements correct about the steering committee are: (i) It is a high level committee with a mandate to design and develop appropriate systems for the enterprise (ii) It ensures that IT deployment is in tune with the enterprise business goals and objectives (iii) It is ideally led by a member of the BOD and comprises functional heads from all key departments of the enterprise including the audit and IT department (iv) Its role and responsibility must be documented and approved by the senior management
A. II, III and IV
B. I, III and IV
C. I, II, III and IV
D. II & IV
Ans: A

11. The issues covered by corporate governance or conformance include the following EXCEPT: (i) Roles of the chairman and the CEO (ii) Role and Composition of the Board of Directors (iii) Board Committees (iv) Controls assurance (v) Strategy Committee
A. (i) and (iii) only
B. (i), (ii) and (iv) only
C. (i), (iii) and (iv) only
D. (v) only
Ans: D

12. The key management practices which need to be implemented for evaluating ‘Whether business value is derived from IT’ are: (i) Evaluate Value Optimization (ii) Direct Value Optimization (iii) Monitor Value Optimization (iv) Audit Value Optimization
A. II, III and IV
B. I, II and III
C. I, II, III and IV
D. II & IV
Ans: B

13. Any risk still remaining after the countermeasures are analysed and implemented is called:
A. Residual Risk
B. Control Risk
C. Detection Risk
D. Inherent Risk
Ans: A

14. Outsourcing infrastructure management is a good example of the _________ risk management strategy.
A. Tolerate / Accept the risk
B. Terminate / Eliminate the risk
C. Transfer / Share the risk
D. Treat / Mitigate the risk
Ans: C

15. COBIT 5 does not focus only on the IT function, but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise. This is based on the ________ principle of COBIT 5.
A. Meeting Stakeholder needs
B. Covering the enterprise end-to-end
C. Applying a single integrated framework
D. Enabling a holistic approach
Ans: B

16. COBIT: (i) Provides guidelines in applying IS auditing standards (ii) Gives best practice in IT Service Management (iii) Is a business framework for governance and management of enterprise IT (iv) Is designed to provide guidance on selection of adequate & proportionate security controls
A. (i)
B. (ii)
C. (iii)
D. (iv)
Ans: C
CHAPTER 2

1. A notable definition of MIS is:
A. Network of information that does management decision making
B. Network of information that replaces management decision making
C. MIS is a computer based system that provides flexible and speedy access to accurate data
D. A system that provides tailor-made information packages
Ans: C

2. Of the following, the three misconceptions about MIS are: 1. Study of MIS is about the use of computers 2. MIS may or may not use computers 3. More data in reports means more information 4. Accuracy in reporting is of vital importance
A. 1, 2 and 3
B. 2, 3 and 4
C. 1, 3 and 4
D. 1, 2 and 4
Ans: C

3. The following is NOT a pre-requisite of MIS:
A. Database
B. Qualified system and management staff
C. Control and Maintenance of MIS
D. Heavy Planning element
Ans: D

4. Out of the following, which is NOT one of the effects of using computers in MIS?
A. Scope of analysis widened
B. Increases the effectiveness of Information Systems
C. More comprehensive information
D. Sub system concept
Ans: D

5. Of the following, one is NOT a limitation of MIS: 1. Not a substitute for effective management 2. May not have requisite flexibility to quickly update itself with changing needs of time 3. Cannot provide tailor-made information packages 4. Database consolidates data records formerly stored in many data files
A. 1
B. 2
C. 3
D. 4
Ans: D

6. The following are the characteristics of types of information used in executive decision-making, EXCEPT: 1. Lack of Structure 2. High degree of certainty 3. Future orientation 4. Formal source 5. High level of detail
A. 2, 4 and 5
B. 1, 2 and 3
C. 1, 2, 3, 4 and 5
D. 1, 2, 3 and 4
Ans: A

7. EIS serves the following purposes, EXCEPT: 1. Support managerial learning 2. Allow timely access to info. for taking operational decisions 3. Direct attention to specific business problems 4. Provides information that is actually important
A. 1
B. 2
C. 3
D. 4
Ans: B

8. Of the following, all the components of a DSS are: 1. User – a manager with an unstructured / semi-structured business problem 2. One or more databases 3. Planning Language 4. Computer 5. Model Base
A. 1, 2, 3 and 5
B. 1, 2 and 3
C. 1, 2, 3, 4 and 5
D. 1, 2, 3 and 4
Ans: A

9. The following are the benefits of an expert system EXCEPT: 1. Support managerial learning 2. It preserves knowledge 3. Assist novices in thinking the way experienced professionals do 4. Can be used as a strategic tool
A. 1
B. 2
C. 3
D. 4
Ans: A

10. The following are the components of a Transaction Processing System EXCEPT:
A. Database
B. Inputs
C. Processing
D. Outputs
Ans: A

11. The following are examples of Decision Support Systems (DSS) in Accounting Information Systems EXCEPT:
A. Cost Accounting System
B. Capital Budgeting System
C. Budget Variance Analysis System
D. Balanced Scorecard
Ans: D
CHAPTER 3

1. The following are the categories of controls based on the nature of IS resources, EXCEPT:
A. Logical Access
B. Physical Access
C. SDLC Controls
D. Environmental
Ans: C

2. The following are the categories of controls based on their objectives, EXCEPT:
A. Preventive
B. Detective
C. Internal Accounting
D. Compensatory
Ans: C

3. Employing qualified personnel is an example of:
A. Internal Accounting control
B. Detective control
C. Preventive control
D. Compensatory control
Ans: C

4. Echo control in telecommunications is an example of:
A. Preventive Control
B. Corrective Control
C. Compensatory Control
D. Detective Control
Ans: D

5. The following are the characteristics of a Corrective Control, EXCEPT:
A. Minimize the impact
B. Remedy problems
C. An established mechanism to refer reported unlawful activities to the appropriate person
D. Modify systems to minimize future occurrences
Ans: C

6. Controls that provide a stable infrastructure in which information systems can be built, operated and maintained on a day-to-day basis are called ________
A. Application Controls
B. Data Processing Environmental Controls
C. Managerial Controls
D. Organizational Controls
Ans: C

7. ‘Unlawful misappropriation of money or other things of value, by the person to whom it was entrusted (typically an employee), for his/her own use or purpose’ is a threat due to cyber crime and is known as:
A. Fraud
B. Theft of proprietary information
C. Denial of service
D. Embezzlement
Ans: D

8. The following are examples of financial control techniques, EXCEPT: I. Authorization II. Budgets III. An official IT Structure IV. Cancellation of documents V. Dual control VI. Input/output verification VII. Sequentially numbered documents VIII. Existence of an IT steering committee IX. Supervisory review
A. I and VI only
B. VI and VIII only
C. III and VIII only
D. I and III only
Ans: C

9. ____________ is implemented to ensure that access to systems, data and programs is restricted to authorized users so as to safeguard information against unauthorized use, disclosure or modification, damage or loss.
A. Application Control
B. Data Processing Environmental Control
C. Logical Access Control
D. Organisational Control
Ans: C

10. Any function or activity that works to ensure the processing accuracy of the application can be considered a:
A. Logical Access Control
B. Data Processing Environmental Control
C. Application Control
D. Organisational Control
Ans: C

11. The three steps of an access control mechanism are the following, EXCEPT:
A. Identification
B. Authentication
C. Authorization
D. Validation
Ans: D

12. Check digits are redundant digits that help verify the:
A. Data that is subject to process through different stages
B. Reasonableness by comparing two or more fields for cross verification
C. Accuracy of other characters in the code
D. Accuracy and completeness of data used at the processing stage
Ans: C

13. Various backup strategies that ensure the existence of the database by establishing backup and recovery procedures include the following, EXCEPT:
A. Edit Checks
B. Periodic dumping of data
C. Dual recording of data
D. Logging input transactions
Ans: A

14. Information that, if made public or even shared around the organization, could seriously impede the organization’s operations and is considered critical to its ongoing operations is usually classified as:
A. Internal use only
B. Highly Confidential
C. Proprietary
D. Top Secret
Ans: B

15. The following is true about Data integrity controls, EXCEPT: i. The primary objective is to prevent, detect, and correct errors in data stored on digital media ii. They protect data from accidental or malicious alteration or destruction iii. They provide assurance to the user that the information meets expectations about its quality and integrity iv. Audit Trail can also be classified as a data integrity control technique
A. iii
B. ii
C. iv
D. i
Ans: D

16. The following is NOT a type of ‘Data Transmission Control’:
A. Audit Trail
B. Data encryption
C. Network Monitoring
D. Routing verification
Ans: A

17. __________ is illicit coding contained in a legitimate program that causes an illegitimate action.
A. Trap Door
B. Bomb
C. Trojan Horse
D. Worm
Ans: C

18. __________ is following an authorized person through a secured door, or electronically attaching to an authorized telecommunication link that intercepts and alters transmissions.
A. Trap Door
B. Data Leakage
C. Piggybacking
D. Wire Tapping
Ans: C

19. The following statement about the ‘Ticket oriented approach’ to authorisation is NOT true:
A. It operates via a row in the matrix
B. Its primary advantage is its run-time efficiency
C. It allows efficient administration of capabilities
D. Assigns users a ticket for each resource they are permitted to access
Ans: C
CHAPTER 4

1. Of the following, the tasks undertaken under Business Impact Analysis are: (i) Assess the "pain threshold" (ii) Develop a profile of recovery requirements (iii) Identify dependencies and interdependencies (iv) Determine the maximum allowable downtime (v) Assess the potential impacts resulting from various events or incidents (vi) Determine the available options and formulate appropriate alternative operating strategies
A. (ii), (iii) and (v)
B. (ii), (iv) and (vi)
C. (i), (iii) and (v)
D. (ii), (iv) and (v)
Ans: C

2. The component of a Disaster Recovery plan that sets out procedures to restore full information system capabilities is called:
A. Recovery plan
B. Backup plan
C. Emergency Plan
D. Test plan
Ans: A

3. The following are the aspects that must be articulated in an emergency plan, EXCEPT: (i) Who is to be notified immediately when the disaster occurs (ii) Location of backup resources (iii) Any evacuation procedures (iv) Return procedures (v) Actions to be undertaken as soon as a disaster strikes (vi) Identify a recovery committee
A. (ii) and (vi) only
B. (ii), (iv) and (vi) only
C. (i) and (iii) only
D. (ii) only
Ans: A

4. The most economical method of backup, where only the files that changed since the last backup are backed up, is:
A. Full Backup
B. Incremental Backup
C. Differential Backup
D. Mirror Backup
Ans: B

5. _________ describe the actions to be taken to move essential business activities or support services to alternate temporary locations, to bring business processes back into operation in the required time-scale.
A. Alternate manual procedures
B. Emergency procedures
C. Resumption procedures
D. Fallback procedures
Ans: D

6. __________ is the operations piece of Business Continuity Planning.
A. Business resumption planning
B. Disaster recovery planning
C. Crisis Management
D. Business Impact Plan
Ans: A

7. The goal of a business continuity plan should be to: (i) Identify weaknesses and implement a disaster program (ii) Minimize the duration of serious disruption to business operations (iii) Facilitate effective coordination of recovery tasks (iv) Reduce the complexity of the recovery effort
A. (i) and (ii) only
B. (i), (ii) and (iii) only
C. All of the above
D. (ii), (iii) and (iv) only
Ans: C

8. As a part of developing a Business Continuity plan, a Steering Committee which has the overall responsibility of providing guidance and direction should be established in the __________ phase.
A. Pre-Planning activities (Project initiation)
B. Detailed definition of requirements
C. Business Impact Analysis
D. Plan Development
Ans: A

9. In __________ backup, the files are not compressed in zip files and they cannot be password protected.
A. Full Backup
B. Incremental Backup
C. Differential Backup
D. Mirror Backup
Ans: D

10. If fast recovery is critical, an organization might need a ______ backup.
A. Hot Site
B. Warm Site
C. Warm Site
D. Reciprocal Arrangements
Ans: A

11. An alternate processing facility contains selected peripheral equipment plus a small mainframe with sufficient power to handle critical applications. Such an alternate processing facility is called:
A. Hot Site
B. Warm Site
C. Warm Site
D. Reciprocal Arrangements
Ans: B
CHAPTER 5

1. The following is NOT a risk associated with SDLC (traditional approach):
A. Development team may find it cumbersome
B. Is not suitable for large projects
C. Users may not see the end product for a long time
D. Rigid approach may prolong the duration of many projects
Ans: B

2. The systems development approach in which the product is decomposed into a number of components, each of which is designed and built separately (termed as builds), is:
A. Spiral Model
B. Incremental Model
C. Prototyping
D. Agile Methodologies
Ans: B

3. Of the following, the reasons why organizations fail to achieve their Systems Development Objectives are: 1. Shifting user needs 2. Development of strategic systems 3. New technologies 4. Resistance to change 5. Lack of user participation 6. Little room for use of iteration
A. 1, 2, 3, 4, 5, 6
B. 1, 2, 4, 5 and 6 only
C. 1, 3, 4, 5 and 6 only
D. 1, 2, 3, 4 and 5 only
Ans: D

4. Of the following, the two major components of a systems development process are: 1. Systems analysis 2. Systems design 3. Acquisition and Development 4. Implementation and Maintenance
A. 3 and 4
B. 2 and 3
C. 1 and 4
D. 1 and 2
Ans: D

5. The following are the phases of the traditional / waterfall approach to SDLC: 1. Preliminary investigation 2. Design of the system 3. Requirements analysis or systems analysis 4. Acquisition and development of software 5. System testing 6. Implementation and maintenance
The order in which these phases are performed is:
A. 1, 2, 3, 4, 5, 6
B. 3, 1, 2, 4, 6, 5
C. 3, 1, 2, 4, 5, 6
D. None of the above (suggest the right answer)
Ans: D

6. The following is NOT one of the advantages of the SDLC framework from an IS Audit perspective: 1. Gives a clear understanding of the various phases 2. Enables reporting on compliance 3. The phases are important milestones for review 4. Enables it to be a guide during the various phases of SDLC
A. 1
B. 2
C. 4
D. 3
Ans: D

7. Of the following, identify the activities involved in the phase ‘Requirements analysis or systems analysis’: 1. Determining information requirements 2. Conduct feasibility study 3. Study the present system to identify its problems and shortcomings 4. Identify the features which the new system should include
A. 1, 3, 4
B. 1 and 2 only
C. 1, 2, 3 and 4
D. 2, 3, 4
Ans: A

8. Identify which is NOT a basic principle of the Traditional / Waterfall Approach of SDLC:
A. Project divided into sequential phases
B. Some overlap and splashback acceptable across phases
C. Phase-wise implementation of system
D. Maintain tight control through extensive written documentation
Ans: C

9. Of the following, select the option with ALL weaknesses of the Traditional / Waterfall Approach of SDLC: (i) Inflexible, slow, costly, and cumbersome due to significant structure and tight controls (ii) Project progresses forward, with only slight movement backward (iii) Supports less experienced project teams (iv) Little room for use of iteration, which can reduce manageability if used (v) Success depends upon early identification and specification of requirements
A. i, ii, iv, v
B. i, ii, iii, iv, v
C. i, ii, iv
D. i, iv, v
Ans: A

10. The following are the steps involved in the prototyping approach to systems development: 1. Identify Information System Requirements 2. Develop the initial prototype 3. Test and Revise 4. Obtain User Signoff of the approved prototype
The order in which these steps are performed is:
A. 1, 2, 3, 4
B. 2, 1, 4, 3
C. 2, 1, 3, 4
D. None of the above (suggest the right answer)
Ans: A

11. A strength of the prototyping approach to systems development is:
A. Approval process & control are not strict
B. Requirements may frequently change significantly
C. Especially useful for resolving unclear objectives
D. May not have sufficient checks & balances incorporated
Ans: C

12. The statement(s) not correct about Rapid Application Development (RAD) are: 1. The planning of software is interleaved with testing the software itself 2. If the project starts to slip, emphasis is on reducing quality to fit the timebox, not on increasing the deadline 3. Key emphasis is on technological or engineering excellence 4. Active user involvement is desirable 5. Key objective is fast development and delivery of a high quality system
A. All the above are incorrect
B. 1, 2 and 3 only
C. 1, 2, 3 and 4 only
D. 2 and 3 only
Ans: C

13. The systems development approach which is most suitable for large, expensive and complicated projects is:
A. Incremental Model
B. Spiral Model
C. Prototyping
D. Agile Methodologies
Ans: B

14. Weaknesses of the Incremental Model of systems development are: 1. Lack of overall consideration of the business problem 2. Problems may arise pertaining to system architecture 3. Well-defined interfaces are required 4. Difficult problems tend to be pushed to the future to demonstrate early success 5. Provides the ability to monitor the effect of incremental changes
A. All of the above
B. 1, 3 and 4 only
C. 1, 2, 3 and 4 only
D. 1, 2 and 4 only
Ans: C

15. Weaknesses of the Prototyping approach to systems development are: 1. Can only be successful if the system users are willing to devote significant time in experimenting 2. Prototype may not have sufficient checks and balances incorporated 3. Approval process and control are not strict 4. Inadequate testing can make the approved system error-prone 5. Inadequate documentation makes the system difficult to maintain
A. 1, 2, 3 and 4 only
B. 1, 3 and 4 only
C. All of the above
D. 1, 2 and 4 only
Ans: C
CHAPTER 6

1. The two broad categories of IS Audit objectives are:
A. Approvals & authorizations, and Effectiveness and efficiency
B. Asset safeguarding & data integrity, and Effectiveness and efficiency
C. Asset safeguarding & data integrity, and Controls over information systems
D. Approvals & authorizations, and Controls over information systems
Ans: B

2. The two major effects of using computers on Audit are:
A. Changes to authorization procedures and Changes to Audit Evaluation
B. Changes to evidence collection and Changes to evidence evaluation
C. Changes in audit trail & audit evidence and Controls over information systems
D. Changes to authorization procedures and Changes to record keeping
Ans: B

3. The steps in IT Audit are: I. Scoping and pre-audit survey II. Planning & preparation III. Closure IV. Fieldwork V. Reporting VI. Analysis. The order in which these steps are performed is:
A. I, II, III, IV, V and VI
B. I, IV, II, III, VI and V
C. I, II, IV, VI, V and III
D. I, II, IV, VI, III and V
Ans: C

4. Audit trails support security objectives in three ways, EXCEPT:
A. Detecting unauthorized access
B. Promoting personal accountability
C. Ensuring IT services are available as required
D. Facilitating the reconstruction of events
Ans: C

5. The following statement(s) about Audit Planning is (are) NOT correct: (i) Planning occurs throughout the audit as an iterative process (ii) Planning activities are concentrated in the planning phase (iii) In planning the IS controls audit, the auditor may select systems that contain sensitive information (iv) In this phase, the auditor determines an effective and efficient way to obtain the evidential matter necessary to achieve the objectives of the IS controls audit and the audit report
A. All of the above are incorrect
B. i only
C. All are correct
D. i and ii only
Ans: C

6. Tests to ensure whether end-user applications are producing valid and accurate information are: i) Browse the directories of the PCs in which the end-user-developed application resides; any irregularities in files should be investigated ii) Use computer-assisted techniques iii) Conduct several tests with both valid and invalid data to test the ability and extent of error detection, correction, and prevention within the application iv) Look for controls such as input balancing and record or hash totals to ensure that the end user reconciles any differences between input and output
A. All of the above
B. i) and ii) only
C. i), ii) and iv) only
D. i) and iv) only
Ans: C

7. The auditor, using GAS such as Excel, IDEA or ACL, can do the following, EXCEPT: (i) Do sampling (ii) Data extraction (iii) Determine whether invalid transactions were identified and corrected by programmed controls (iv) Exception reporting (v) Summarize and foot totals
A. (iii) and (v) only
B. (i) and (ii) only
C. (iii) only
D. (iv) and (v) only
Ans: C

8. The following are the categories of Application Controls EXCEPT:
A. Boundary Controls
B. Segregation of Duties
C. Communication Controls
D. Database Controls
Ans: B

9. Generation of a risk-control matrix is a task performed in the _________ phase of an Information Systems Audit.
A. Scoping and pre-audit survey
B. Fieldwork
C. Analysis
D. Planning
Ans: D

10. The ________ audit tool of the concurrent audit technique relies on the creation of a dummy entity in the application system files and the processing of audit test data against that entity as a means of verifying processing authenticity, accuracy, and completeness.
A. Snapshot
B. Integrated test facility
C. Continuous and Intermittent simulation
D. System Control Audit Review File (SCARF)
Ans: B

11. The ________ audit tool of the concurrent audit technique ensures that every update to the database that arises from processing the selected transaction will be checked to determine whether discrepancies exist between the results it produces and those the application system produces.
A. Snapshot
B. Integrated test facility (ITF)
C. Continuous and Intermittent simulation (CIS)
D. System Control Audit Review File (SCARF)
Ans: C
CHAPTER 7
1 The following statements about the Information Technology (IT) Act 2000 are correct EXCEPT – (i) It extends to the whole of India (without exclusion of the state of Jammu & Kashmir) (ii) It applies to any offence or contravention thereunder committed outside India by any person irrespective of his nationality, if such act involves a computer, computer system or network located in India (iii) It is based on the Model Law on E‐Commerce adopted by UNCITRAL (iv) It was amended by passing the IT (Amendment) Act 2008
A. (i) and (ii) only C. (iii) only
B. (ii) only D. All the statements are correct
D
2 In creating a digital signature, the electronic message is converted into a message digest by using a mathematical function called a “hash function”. This ensures:
A. Integrity of the content C. Confidentiality of the content
B. Identification of the originator of the message D. Availability of the content
A
3 The following statements about “hash function” are correct – (i) “Hash function” means an algorithm mapping or translating one sequence of bits into another, generally smaller, set known as the “hash result” or “message digest” (ii) The electronic record yields the same “hash result” every time the algorithm is executed with that record as its input (iii) It is computationally infeasible to derive or reconstruct the original electronic record from the “hash result” produced by the algorithm (iv) It is computationally infeasible for two different electronic records to produce the same “hash result” using the algorithm
A. (i), (ii) and (iv) only C. (iii) only
B. (ii) only D. All the statements are correct
D
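An added example (not from these notes) of the digest step that questions 2 and 3 describe, using SHA‐256 from Python's standard hashlib; the electronic record text is constructed, and the private‐key signing step that the Act applies to the digest afterwards is not shown. It exercises statements (ii) and (iii) directly: the same record always gives the same digest, and a tampered record fails verification. It also shows why the Act says "computationally infeasible" rather than "impossible": a birthday search on a 24‐bit truncation of the same digest finds two different inputs with the same truncated hash in a few thousand attempts, whereas for the full 256 bits the same search would need about 2**128 attempts.

```python
# Added example: message digests for integrity checking (hashlib SHA-256), plus a
# birthday search on a truncated digest to show why collision resistance is
# "computationally infeasible" rather than impossible. RECORD is constructed.
import hashlib
import hmac

RECORD = b"Invoice INV-1002 for Rs. 45,000.00 approved by CFO on 2019-03-31"


def message_digest(record: bytes) -> str:
    """Statement (ii): the same input gives the same digest every time."""
    return hashlib.sha256(record).hexdigest()


def verify_integrity(record: bytes, expected_digest: str) -> bool:
    """Recompute the digest of the record as received and compare it with the
    digest that was signed. compare_digest avoids a timing side channel."""
    return hmac.compare_digest(message_digest(record), expected_digest)


def truncated_digest(record: bytes, bits: int) -> bytes:
    """First `bits` bits of SHA-256 (bits must be a multiple of 8)."""
    return hashlib.sha256(record).digest()[: bits // 8]


def find_truncated_collision(bits: int, limit: int = 1_000_000):
    """Birthday search: hash successive counters until two different inputs
    share the same `bits`-bit prefix. Returns (input_a, input_b, attempts)."""
    seen = {}
    for i in range(limit):
        candidate = i.to_bytes(4, "big")
        prefix = truncated_digest(candidate, bits)
        if prefix in seen:
            return seen[prefix], candidate, i + 1
        seen[prefix] = candidate
    raise RuntimeError("no collision within limit")


def demonstrate_collision(bits: int) -> bool:
    """True when the search finds two different inputs whose truncated digests
    match while their full SHA-256 digests still differ."""
    a, b, _ = find_truncated_collision(bits)
    return (a != b
            and truncated_digest(a, bits) == truncated_digest(b, bits)
            and message_digest(a) != message_digest(b))


if __name__ == "__main__":
    digest = message_digest(RECORD)
    print("digest:", digest)
    print("unchanged record verifies:", verify_integrity(RECORD, digest))
    tampered = RECORD.replace(b"45,000", b"54,000")
    print("tampered record verifies:", verify_integrity(tampered, digest))
    a, b, tries = find_truncated_collision(24)
    print(f"24-bit collision after {tries} tries: {a.hex()} vs {b.hex()}")
```

The tampered record differs in one digit and fails verification, which is the integrity property question 2 asks about. The collision search is the reason the exam wording matters: shorten the digest and collisions become cheap, so the guarantee in statement (iv) is a statement about cost, not about impossibility.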
4 Per the Information Technology (Amendment) Act, 2008 an electronic record can be authenticated by:
A. Affixing a Digital Signature only [Sec. 3] C. Either by affixing a Digital Signature [Sec. 3] or by affixing an Electronic Signature [Sec. 3A]
B. Affixing an Electronic Signature only [Sec. 3A] D. Affixing a scanned copy of a physical signature
C
5 The standard ISO/IEC 27001:2005 aims to provide:
A. Mandatory requirements for IS auditing and reporting C. A methodology for implementation of information security in an organization
B. Guidelines in applying IS auditing standards D. Management with guidance on IT management, control & security
C
6 The four phases of information security management consist of:
A. Plan – Do – Check ‐ Act C. Plan – Do – Act ‐ Check
B. Plan – Check – Do ‐ Act D. Plan – Do –Check ‐ Improve
A
7 The IT Infrastructure Library (ITIL) aims to provide:
A. Selection of adequate & proportionate security controls C. A set of practices for IT Service Management that focuses on aligning IT services with the needs of the business
B. Guidelines in applying IS auditing standards D. Management with guidance on IT management, control & security
C
8 Guidance / good practices on financial management for IT services is included in the ___________ volume of ITIL V3
A. Service Strategy C. Service Transition
B. Service Design D. Service Operation
A
9 Guidance / good practices on service level management for IT services is included in the ___________ volume of ITIL V3
A. Service Strategy C. Service Transition
B. Service Design D. Service Operation
B
10 Guidance / good practices on change management for IT services is included in the ___________ volume of ITIL V3
A. Service Strategy C. Service Transition
B. Service Design D. Service Operation
C
11 Guidance / good practices on measurement of service performance for IT services is included in the ___________ volume of ITIL V3
A. Service Strategy C. Continual Service Improvement
B. Service Design D. Service Operation
C
12 Guidance / good practices on incident management for IT services is included in the ___________ volume of ITIL V3
A. Service Strategy C. Continual Service Improvement
B. Service Design D. Service Operation
D
CHAPTER 8
1 The correct statements about grid computing are: (i) The idea of grid computing is to make use of non‐utilized computing power (ii) It enables heterogeneous resources of computers to work cooperatively and collaboratively to solve a specific problem (iii) Grid computing is scalable (iv) Storage in grid computing is economically suited for small objects
A. (i) and (iii) only C. (i), (ii), (iii) and (iv)
B. (i), (ii) and (iii) only D. (iv) only
B
2 __________ is NOT a cloud computing environment
A. Public Cloud C. Hybrid Cloud
B. Private Cloud D. Social Cloud
D
3 Following are instances of Infrastructure as a Service (IaaS), EXCEPT
A. Network as a Service (NaaS) C. Database as a Service (DBaaS)
B. Storage as a Service (STaaS) D. Platform as a Service (PaaS)
D
4 __________ provides the users the ability to develop and deploy an application on the development platform provided by the service provider
A. Network as a Service (NaaS) C. Platform as a Service (PaaS)
B. Storage as a Service (STaaS) D. Desktop as a Service (DTaaS)
C
5 __________ provides the ability to the end users to access an application over internet that is hosted and managed by the service provider
A. Software as a Service (SaaS) C. Database as a Service (DBaaS)
B. Storage as a Service (STaaS) D. Platform as a Service (PaaS)
A
6 ____________ is an ability given to end users, typically an organization or an enterprise, to access an authentication infrastructure that is built, hosted, managed and provided by a third‐party service provider.
A. Software as a Service (SaaS) C. Security as a Service (SECaaS)
B. Identity as a Service (IDaaS) D. Platform as a Service (PaaS)
B
7 Following are the characteristics of cloud computing, EXCEPT: (i) High Scalability (ii) Agility (iii) High availability and reliability (iv) Multi‐Sharing (v) Virtualization (vi) Cost efficiency (vii) Quick Deployment
A. (iv) and (v) only C. (vi) and (vii) only
B. (vi) only D. (iv), (v), (vi) and (vii) only
C
8 Following are the issues related to cloud computing: (i) Confidentiality, Integrity & Availability (ii) Agility (iii) Governance (iv) Trust (v) Legal & Compliance (vi) Privacy (vii) Audit (viii) Backup and Recovery
A. (i), (iii), (iv), (v), (vi) and (vii) only C. (ii) and (viii) only
B. (i), (iii), (iv), (v), (vi), (vii) and (viii) only D. (iv), (v), (vi) and (vii) only
A
9 Following are the components of mobile computing, EXCEPT: (i) Mobile communication (ii) Mobile Hardware (iii) Mobile Software (iv) Mobile Middleware (v) Wired Networks
A. (iv) and (v) only C. (vi) only
B. (v) only D. (ii), (iv) and (v) only
A
10 As mobile devices move, they encounter networks with different features. The ability of the mobile device to switch from one network mode to another is one of the issues in mobile computing known as:
A. Bandwidth C. Power Consumption
B. Location intelligence D. Revising the technical architecture
B
11 Green computing or Green IT refers to:
A. The study and practice of environmentally sustainable computing or IT
C. A policy that allows user to use their preferred computing devices
B. The ability to share information across a wireless platform
D. the idea of making use of non‐utilized computing power by needy organizations
A
12 __________ describes sites wherein the computers will generate raw data on their own, without direct user interaction
A. Web 2.0 C. BYOD
B. Cloud Computing D. Web 3.0 or Semantic Web
D
13 ___________ allows the free classification of information available on the web, which helps the user to classify and find information, using approaches such as tagging.
A. Ajax C. Mash‐ups
B. File Sharing / Podcasting D. Folksonomy
D
14 __________ refers to a generation of world wide web that marks transition from static HTML Web Pages to a more dynamic web that is focused on the ability of people to collaborate and share information online.
A. Web 2.0 C. Mobile Computing
B. Cloud Computing D. Web 3.0 or Semantic Web
A
PART B – Most likely & likely question sets
Legends:
(**) – Most Likely
(*) – Likely
CH – 1
(**)
Q: What are the sample areas of GRC for Review by Internal Auditors listed by the IIA? (6 Marks)
Q: What are the common strategies to manage risks / Risk Management Strategies (6 Marks)
Q: Briefly describe the key management practices provided by COBIT 5 for ensuring IT compliances. (6 Marks)
Q: What are the key Governance practices for Risk management in COBIT 5? (5 Marks)
(*)
Q: Short Note: Five principles of COBIT (4 Marks)
Q: What do you understand by GEIT? Also explain its key benefits (6 Marks)
Q: Explain the following terms: (2 Marks each)
‐ Vulnerability, Threat, Exposure, Risk, Residual Risk, Counter measure
CH – 2
(**)
Q: ‘MIS supports the managers at different levels to take decisions to fulfill the organizational goals. Explain the major characteristics of MIS to achieve these goals.’ (6 Marks)
Q: In what ways does an EIS differ from the Traditional Information System? (5 Marks)
Q: Short Note: Knowledge Management Systems (4 Marks)
Q: What is information? Briefly discuss its attributes (6 Marks)
Q: Short Note: Business Intelligence (4 Marks)
(*)
Q: Briefly discuss components of DSS. How is database implemented at three different levels? (6 Marks)
Q: What are the features of TPS (4 Marks)
Q: There is a practical set of principles to guide the design of measures and indicators to be included in an EIS. Explain those principles in brief. (6 Marks)
Q: Briefly describe components of ERP Model? (5 Marks)
CH – 3
(**)
Q: As an IS auditor, what are the output controls required to be reviewed with respect to application controls? (6 Marks)
Q: Short Note: Information Technology General Controls (ITGC) (5 Marks)
Q: What do you understand by financial controls? Explain with examples various financial control techniques (6 Marks)
Q: What do you understand by Boundary Controls? Explain major Boundary Control techniques in brief (6 Marks)
(*)
Q: Do you consider corrective controls as a part of Internal controls? Describe the characteristics of corrective controls (6 Marks)
Q: What are the major impacts of cyber frauds on an enterprise? (4 Marks)
Q: Explain briefly the two categories of controls classified on the basis of “Audit Functions” (4 Marks)
Q: What is meant by information security policy? Discuss various types of IS policies and their hierarchies. (6 Marks)
CH – 4
(**)
Q: What is Business Continuity Planning? What are the three areas covered under Business Continuity (6 Marks)
Q: Short Note: Business Impact Analysis (4 Marks)
Q: List out major activities to be carried out in the implementation of a Business continuity Plan (4 Marks)
Q: Discuss the objectives and goals of Business Continuity planning. (5 Marks)
Q: Briefly explain various types of systems back‐up for the system and data together. (6 Marks)
(*)
Q: How will an auditor determine whether the Disaster Recovery Plan was developed using a sound and robust methodology? (6 Marks)
Q: What are the various components of a Disaster Recovery Plan? (6 Marks)
Q: Backup option sites for ALTERNATE PROCESSING FACILITY ARRANGEMENTS.
Q: What is BCM Policy? What are its objectives? (4 Marks)
CH – 5
(**)
Q: Discuss in detail how analysis of present system is made by the system analyst. (4 Marks)
Q: What do you understand by the agile model of system development? Also explain its major strengths and weaknesses in brief. (6 Marks)
Q: What is unit testing? Explain five categories of tests that a programmer typically performs on a program unit (6 Marks)
Q: Distinguish between Black Box testing / White Box testing / Grey Box testing (4 Marks)
(*)
Q: Explain the different conversion / changeover strategies used for conversion from a manual to a computerized system. (5 Marks)
Q: Discuss various stages through which an in‐house creation of programs has to pass (6 marks)
Q: Explain major strengths and weaknesses of the Spiral model (6 Marks)
Q: From the perspective of IS audit, what are the advantages of system development life cycle? (4 Marks)
Q: Many‐a‐times organizations fail to achieve their Systems Development Objectives. Justify the statement bringing out the reasons (6 Marks)
CH – 6
(**)
Q: Explain major types of IS Audit in brief (6 Marks)
Q: IS Auditors review risks relating to IT Systems and processes. Briefly discuss these risks (4 Marks)
Q: Discuss various accounting audit trails and operations audit trails of Input controls (6 Marks)
Q: Short Notes: Objectives of IS Audit (4 Marks)
(*)
Q: Discuss the three layers of application security and related Audit Issues (6 Marks)
Q: Briefly explain the two major effects of using computers on Audit? (6 Marks)
Q: Describe major advantages of continuous audit techniques (4 Marks)
Q: Short Note: Audit Trails (4 Marks)
CH – 7
(**)
Q: What are the sample areas that need to be reviewed in an IS Audit assignment as per the requirement of RBI for Systems Controls and Audit (6 Marks)
Q: Define: (i) Affixing digital signature (ii) Asymmetric crypto system (iii) Computer resource (iv) Private and Public keys (v) Secure system (vi) Computer Networks (6 Marks)
Q: Discuss the provisions related to punishment for publishing or transmitting "obscene material" in e‐form (5 Marks)
Q: Discuss the provisions related to retention of electronic records as per IT Act, 2008? (6 Marks)
(*)
Q: Describe the ‘Tampering with computer source documents’ in the light of S. 65 of the IT Act (4 Marks)
Q: Describe the power to make rules by the central government in respect of electronic signature in the light of S. 10 of the IT Act (4 Marks)
Q: What are the requirements of SEBI for systems controls and audit (6 Marks)
Q: What is a “Protected System” under the IT Act? (4 Marks)
CH – 8
(**)
Q: Describe the various types of Cloud Computing models (6 Marks)
Q: Discuss best practices of Green IT. (4 Marks)
Q: What are the components of Web 2.0 for social networks (6 Marks)
Q: Management wants to know the major challenges in using Cloud Computing technology for running a new web application. Write any five challenges. (5 Marks)
Q: The cloud computing architecture comprises two parts. Briefly describe these two parts. (4 Marks)
(*)
Q: What is cloud computing? What are its characteristics? (6 Marks)
Q: State some of the well‐identified issues with cloud computing (4 Marks)
Q: State some of the pertinent objectives in order to achieve the goals of cloud computing (4 Marks)
Q: Write Short Note: Cloud v/s. Grid computing (4 Marks)
*** Good Luck & God Bless!! ***
Analysis of ISCA Important Questions – May 18
Chapter No. | Question in ISCA Important Questions – May 18 | Q. No. (May 18) | Marks
1 | What are the benefits of COBIT 5? | 3(a) | 6 marks
3 | Discuss five interrelated components of Internal Control | 1(c) | 5 marks
3 | Briefly explain major data integrity policies | 5(a) | 6 marks
4 | What are the objectives of performing BCP tests | 6(c) | 4 marks
6 | Short Note: ITF [Integrated Test Facility (ITF) is one of the continuous audit tools. Explain how ITF is used in continuous audit by an auditor] | 3(b) | 6 marks
6 | What are the six stages in IS Audit [You have been appointed as an IS Auditor of a Company. Can you please explain the different steps involved in the conduct of your Information System Audit] | 2(a) | 6 marks
7 | Explain the provision related to protection of personal data under ITAA, 2008 | 3(b) | 2 marks
8 | Discuss components of mobile computing | 5(b) | 6 marks
Total Marks asked for out of ISCA Important Questions – May 18: 41 Marks
Analysis of ISCA Important Questions – Nov. 17
Chapter No. | Question in ISCA Important Questions – Nov. 17 | Q. No. (Nov 17) | Marks
1 | What are the sample areas of GRC for Review by Internal Auditors listed by the IIA? | 3(a) | 6 marks
2 | Explain any four features of electronic mail | 2(c) | 4 marks
3 | As an IS auditor, what are the output controls required to be reviewed with respect to application controls? | 6(c) | 4 marks
4 | What is Business Continuity Planning? What are the three areas covered under Business Continuity | 5(c) | 4 marks
5 | Discuss in detail how analysis of the present system is made by the system analyst. | 1(a) | 5 marks
5 | Discuss Basic Principles / Advantages / Disadvantages of Rapid Application Development | 6(a) | 6 marks
7 | Define: (i) Affixing digital signature (ii) Asymmetric crypto system (iii) Computer resource (iv) Private and Public keys (v) Secure system (vi) Computer Networks | 4(b) | 6 marks
Total Marks asked for out of ISCA Important Questions – Nov 17: 35 Marks
Disclaimer: Past performance may not be repeated.
Analysis of ISCA Important Questions – May 17
Chapter No. | Question in ISCA Important Questions – May 17 | Q. No. (May 17) | Marks
1 | You are appointed as a member of the IT Steering Committee for IT implementation and deployment in a large company. What are the major functions of this committee? | 2(a) | 6 marks
8 | The Cloud computing Architecture comprises two parts. Briefly describe these two parts | 2(c) | 4 marks
4 | List out the major activities to be carried out in the implementation of a Business Continuity Plan | 3(c) | 4 marks
6 | Describe the categories of Information Systems Audit | 4(a) | 6 marks
6 | IS Auditors review risks to IT systems and processes. Briefly discuss these risks. | 4(c) | 4 marks
7 | Discuss “Authentication of Electronic Records” with reference to the IT Act. | 5(a) | 6 marks
7 | What is a “Protected System” under the IT Act? | 5(c) | 4 marks
1 | What are the key benefits of GEIT? | 6(c) | 4 marks
8 | Short note on Cloud Vs. Grid Computing | 7(b) | 4 marks
7 | Short note on ISO 27001 | 7(e) | 4 marks
Total Marks asked for out of ISCA Important Questions – May 17: 46 Marks
Disclaimer: Past performance may not be repeated.
Analysis of ISCA Important Questions – Nov. 16
Chapter No. | Question in ISCA Important Questions – Nov. 16 | Q. No. (Nov 16) | Marks
5 | What are the characteristics of a good program code? | 3(a) | 6 marks
6 | Discuss the ways Audit trails can be used to support security objectives. [Short Note: Audit Trails] | 3(b) | 6 marks
2 | Briefly describe the characteristics of the types of information used in Executive Decision making. | 4(a) | 6 marks
1 | Explain key benefits of IT Governance achieved at the highest level in an organization | 4(b) | 6 marks
5 | A variety of tasks during the SDLC are performed by special teams / individuals. Define in brief the roles of (i) Systems analyst (ii) Programmer (iii) Database Administrator (iv) Domain specialists (v) IS Auditor (vi) Quality Assurance [Role of Domain Specialist in Systems Development] | 6(b) | 6 marks
4 | What are the various types of Backups? | 7(a) | 4 marks
Total Marks asked for out of ISCA Important Questions – Nov. 16: 34 Marks
Disclaimer: Past performance may not be repeated.
Analysis of ISCA Important Questions – May 16
Chapter No. | Question in ISCA Important Questions – May 16 | Q. No. (May 16) | Marks
7 | What are the various sample areas that need to be reviewed in an IS Audit assignment as per the requirement of RBI for Systems controls and Audit? (6 Marks) | 1(c) | 5 marks
8 | Describe the various types of Cloud computing Models | 2(b) | 6 marks
5 | Elaborate various categories of maintenance. | 3(a) | 6 marks
6 | ABC is looking for a suitable IS Auditor. Please send an introductory note to ABC Ltd. explaining your suitability by describing the skill set and competence you possess for the job other than your qualification. | 3(b) | 6 marks
3 | State various types of Application Subsystem and briefly describe those. (Describe how application controls and their audit trail are categorized) | 4(a) | 6 marks
8 | Describe the major components of Web 2.0 for social networks. | 4(c) | 4 marks
6 | As an IS auditor of a company, you want to use the SCARF technique for collecting some information, which you want to utilize for discharging some of your functions. Briefly describe the type of information that can be collected through the use of the SCARF technique. | 5(a) | 6 marks
5 | Feasibility study is an important aspect of the System Development Life Cycle (SDLC). Explain the dimensions which are evaluated for this study. | 5(c) | 4 marks
Total Marks asked for out of ISCA Important Questions – May 16: 43 Marks
Analysis of ISCA Important Questions – Nov. 15
Chapter No. | Question in ISCA Important Questions – Nov. 15 | Q. No. (Nov 15) | Marks
8 | If the employees of the company are allowed to use personal devices, such as laptops, smartphones, tablets, etc., to connect and access the data, what could be the security risks involved? Classify and elaborate such risks. [Q: What are the various BYOD Threats] | 1(a) | 5 Marks
8 | What are the advantages of using a Cloud Computing environment? | 1(b) | 5 Marks
6 | In this company, what are your functions as an IS auditor? [Q: What are the risks relating to IT systems and processes reviewed by the IT auditors?] | 1(c) | 5 Marks
2 | ‘MIS supports the managers at different levels to take decisions to fulfill the organizational goals. Explain the major characteristics of MIS to achieve these goals.’ [Q: What is MIS? Describe any six characteristics of an effective MIS] | 2(a) | 6 Marks
4 | Explain the various plans that need to be designed for Business Continuity Management? [Q: What are the various components of a Disaster Recovery Plan?] | 2(b) | 6 Marks
1 | Briefly describe the key management practices provided by COBIT 5 for ensuring IT compliances. | 3(c) | 4 Marks
3 | As a member of the IS Steering committee, how do you classify the information for better integrity and security? [Q: What do you understand by classification of information? Explain different classifications of information] | 4(c) | 4 Marks
3 | What is meant by Information Security policy? [Q: Short Note: Information Security Policy] | 5(a) | 3 Marks
7 | Describe the service strategy of the ITIL framework [Q: Short Notes: Any one Book of ITIL] | 6(c) | 4 Marks
6 | Short Notes: Objectives of IS Audit | 7(a) | 4 Marks
2 | Short Notes: Components of ERP Model? | 7(e) | 4 Marks
Total Marks asked for out of ISCA Important Questions – Nov. 15: 50 Marks
Analysis of ISCA Important Questions – May 15
Chapter No. | Question in ISCA Important Questions – May 15 | Q. No. (May 15) | Marks
4 | What are the tasks that you will undertake to ensure that a BCM program is in place while assessing the BIA | 1(b) | 5 Marks
8 | Management wants to know the major challenges in using Cloud Computing technology for running a new web application. Write any five challenges. | 1(c) | 5 Marks
5 | Many‐a‐times organizations fail to achieve their Systems Development Objectives. Justify the statement bringing out the reasons | 3(a) | 6 Marks
3 | Do you consider corrective controls as a part of Internal controls? Describe the characteristics of corrective controls | 4(a) | 6 Marks
6 | Different auditors go about IS auditing in different ways. Despite this, the IS Audit process can be categorized into broad categories. Discuss the statement explaining the broad steps involved in the process | 4(b) | 6 Marks
1 | Discuss the Key Management Practices for Aligning IT Strategy with Enterprise Strategy? | 6(a) | 6 Marks
1 | Short Note: Five principles of COBIT | 7(a) | 4 Marks
4 | Short Note: Backup option sites for ALTERNATE PROCESSING FACILITY ARRANGEMENTS. | 7(c) | 4 Marks
Total Marks asked for out of ISCA Important Questions – May 15: 42 Marks
Disclaimer: Past performance may not be repeated.
Analysis of ISCA Important Questions – Nov. 14
Chapter No. | Question in ISCA Important Questions – Nov. 14 | Q. No. (Nov 14) | Marks
1 | What is IT Governance? What are the benefits of IT governance? | 3(c) | 4 Marks
6 | As an IS auditor, what are the output controls required to be reviewed with respect to application controls? | 4(a) | 6 Marks
1 | What are the key management practices for assessing and evaluating internal controls per “MEA 02 Monitor, Evaluate and Assess the System of Internal Control” | 4(b) | 6 Marks
7 | What are the four phases of implementation of ISMS? | 4(c) | 4 Marks
3 | What are the repercussions of cyber frauds on an enterprise? | 5(c) | 4 Marks
6 | Compared to traditional audit, evidence collection has become more challenging for auditors with the use of computers. What are the issues which affect evidence collection and understanding the reliability of controls in financial audit? | 6(a) | 6 Marks
3 | Short Note: Internal Controls as per COSO | 7(b) | 4 Marks
1 | Short Note: Risk, Vulnerability and Threat | 7(c) | 4 Marks
4 | Short Note: Types of backups | 7(d) | 4 Marks
5 | Short Note: Design of Database | 7(e) | 4 Marks
Total Marks asked for out of ISCA Important Questions – Nov. 14: 46 Marks
Disclaimer: Past performance may not be repeated.
Analysis of ISCA Important Questions – May 14
Chapter No. (per old syllabus) | Question in ISCA Important Questions – May 14 | Q. No. (May 14) | Marks
2 | Write short note: “Systems Requirement Specifications (SRS)” | 1(a) | 5 Marks
5 | Explain the threats due to cyber crimes | 4(a) | 6 Marks
1 | Describe the main pre‐requisites of a Management Information System which make it an effective tool. | 5(a) | 6 Marks
10 | Explain the provisions that restrict liabilities of Network service providers (Intermediaries) in the ITAA, 2008 | 5(c) | 4 Marks
3 | Explain with examples various financial control techniques | 6(a) | 6 Marks
4 | Define and explain the SCARF / CIS methodology | 7(a) | 4 Marks
5 | Short Note: Risk Assessment | 7(c) | 4 Marks
8 | Short Note: COBIT Enablers | 7(6) | 4 Marks
Total Marks asked for out of ISCA Important Questions – May 14: 39 Marks
Disclaimer: Past performance may not be repeated.
*** Good Luck & God Bless!! ***