The document contains multiple-choice questions focused on IT General Controls (ITGCs) in a computerized environment, covering topics such as access controls, change management, IT operations, physical security, and the audit process. Each question is designed to assess knowledge on the importance and implementation of ITGCs, as well as best practices for maintaining secure and efficient IT systems. The questions emphasize the significance of controls in ensuring data integrity, security, and operational resilience.
Quiz On General Controls
Multiple-Choice Questions (MCQ) on Auditing General Controls in a Computerized Environment
Instructions:
• Select the best answer for each question.
• Each question has only one correct answer.
Section 1: General Concepts of IT General Controls (ITGCs)
1. Why are IT General Controls (ITGCs) important in a computerized environment?
   a) They help in financial reporting only
   b) They ensure IT systems operate reliably and securely
   c) They reduce hardware costs
   d) They replace the need for audits
2. Which of the following best describes the relationship between ITGCs and application controls?
   a) ITGCs function independently of application controls
   b) Weak ITGCs can compromise the effectiveness of application controls
   c) Application controls only apply to manual processes
   d) ITGCs are only relevant for cloud-based systems
3. Which IT governance framework provides a comprehensive approach to IT controls?
   a) COBIT
   b) ISO 9001
   c) GAAP
   d) Six Sigma
4. The primary objective of access controls is to:
   a) Restrict unauthorized access while allowing legitimate users to perform their tasks
   b) Eliminate the need for passwords in IT systems
   c) Increase system processing speed
   d) Ensure employees can access all systems freely
5. Which of the following is an example of a compensating control for weak password security?
   a) Removing password requirements
   b) Implementing multi-factor authentication
   c) Allowing users to write down their passwords
   d) Increasing password expiration time to two years
Section 2: Access Controls
6. Which of the following best describes role-based access control (RBAC)?
   a) Access is granted based on job roles and responsibilities
   b) Users can request any access they want without restriction
   c) Every employee automatically gets administrator rights
   d) System access is assigned randomly
7. User access reviews are performed primarily to:
   a) Verify that users only have the necessary permissions for their roles
   b) Improve system response times
   c) Track user productivity in the system
   d) Allow unrestricted access for all employees
8. An example of a detective control in access management is:
   a) Logging and reviewing failed login attempts
   b) Setting up a strong password policy
   c) Restricting administrator access to authorized personnel
   d) Implementing multi-factor authentication
9. Which of the following is the best practice when an employee resigns?
   a) Keep their account active for future use
   b) Immediately revoke all access rights
   c) Delay deactivation of their account for 90 days
   d) Allow continued access for knowledge transfer
10. Which of the following can help mitigate the risk of unauthorized access to IT systems?
   a) Single-factor authentication
   b) Regularly reviewing user access logs
   c) Using shared accounts for sensitive data access
   d) Allowing IT staff to share administrator passwords
Section 3: Change Management Controls
11. The purpose of a formal change management process is to:
   a) Ensure changes are authorized, tested, and documented before implementation
   b) Allow quick system updates without review
   c) Remove the need for IT audit reviews
   d) Enable employees to modify software settings freely
12. A rollback plan is essential in change management because:
   a) It speeds up software development
   b) It provides a way to revert to a previous stable state if a change fails
   c) It prevents all system updates
   d) It eliminates the need for backups
13. What is the primary function of a Change Advisory Board (CAB)?
   a) Approving and reviewing significant IT changes
   b) Developing IT security policies
   c) Monitoring employee internet usage
   d) Performing routine system maintenance
14. Which of the following best describes patch management?
   a) Keeping systems updated by applying security fixes and software updates
   b) Replacing all IT hardware every year
   c) Removing outdated applications without review
   d) Preventing any changes to existing systems
15. Which of the following is a risk of not having a formal change management process?
   a) Faster IT operations
   b) Increased risk of unauthorized system modifications
   c) Reduced system downtime
   d) Higher employee satisfaction
Section 4: IT Operations Controls
16. The purpose of system backups is to:
   a) Store copies of data to prevent loss due to system failures or cyberattacks
   b) Speed up system performance
   c) Allow users to bypass security controls
   d) Reduce the need for firewalls
17. A disaster recovery plan (DRP) is primarily concerned with:
   a) Ensuring business operations continue after a system failure or disaster
   b) Increasing the size of IT teams
   c) Improving customer service response time
   d) Enhancing employee training programs
18. What is the best practice for ensuring reliable data backups?
   a) Keeping backups only on local servers
   b) Storing backups in multiple locations, including offsite or cloud storage
   c) Performing backups only when system issues arise
   d) Deleting older backup files immediately after a new backup
19. Business continuity planning (BCP) differs from disaster recovery planning because BCP:
   a) Focuses on long-term operational resilience, not just IT recovery
   b) Only applies to financial institutions
   c) Covers cybersecurity but not physical security
   d) Is only relevant for large organizations
20. Which of the following helps prevent IT system failures?
   a) Regular monitoring of system logs and performance metrics
   b) Allowing employees unrestricted access to modify configurations
   c) Decreasing the frequency of system updates
   d) Storing critical data only in one location
Section 5: Physical and Environmental Security
21. An example of a physical security control is:
   a) Biometric access to data centers
   b) Using strong passwords
   c) Implementing a firewall
   d) Conducting cybersecurity awareness training
22. The main purpose of environmental controls in a data center is to:
   a) Maintain optimal temperature and humidity to prevent equipment failure
   b) Improve employee comfort
   c) Increase internet speed
   d) Enhance software performance
23. Fire suppression systems in server rooms help prevent:
   a) Damage to critical IT infrastructure in case of a fire
   b) Cybersecurity threats
   c) Unauthorized employee access
   d) System processing delays
24. The most effective way to prevent unauthorized physical access to a data center is:
   a) Requiring biometric or key card authentication
   b) Posting warning signs at the entrance
   c) Allowing open access for IT employees
   d) Disabling security cameras
25. A key control to prevent “tailgating” in restricted areas is:
   a) Installing mantrap security doors
   b) Conducting annual IT security training
   c) Changing passwords regularly
   d) Allowing visitors to use shared access badges
Section 6: IT General Controls and Audit Process
26. The main purpose of an ITGC audit is to:
   a) Assess the effectiveness of IT controls in ensuring data integrity and security
   b) Improve software functionality
   c) Reduce IT costs
   d) Increase employee internet access
27. A strong audit trail is important because it:
   a) Provides a record of system activities for accountability and review
   b) Speeds up financial transactions
   c) Increases software download speeds
   d) Eliminates the need for access controls
28. An example of an ITGC audit finding is:
   a) Weak password policies allowing unauthorized access
   b) High employee turnover rates
   c) Poor customer service ratings
   d) Outdated office furniture