
Question

Need help answering these multiple choice questions

What are some of the drivers leading management to need more frequent information technology related audits? (SELECT ALL THAT APPLY):

Boards are under greater scrutiny by various stakeholders to gain a more informed understanding of risk, including IT risk.

Electronic infrastructure and digital communication systems are tightly integrated with key business processes, including high risk financial processes.

Legal and regulatory changes require ongoing audits of key IT processes and systems.

Corporate senior management recognized the increasing importance of information systems and therefore recognized the need for assurance.

Which of the following BEST describes an example of a preventive control?

User ID and password

Management style

Monthly access review

Organizational culture

Which of the following BEST explains why IT governance provides a starting point for the IT auditor?

IT governance focuses accountability at both management and staff during the employee evaluation process.

IT governance provides a means to communicate relevant policies to management and staff.

IT governance includes the tone at the top which influences the culture and overall acceptance of the IT audit process.

IT governance is the responsibility of the board of directors and executive management.

Mismanagement of IT risk can cause an enormous cost to an organization, in both hard dollars, and soft (i.e., reputation). Accordingly, ______ should clearly highlight important sources of risk within the organization (e.g., system downtime).

IT solutions

Capability maturity models

Performance measures

Common language

Enterprise Risk Management (ERM), as a business discipline within the ______ line of defense, seeks to increase a company's understanding of, and response to, various enterprise level risks, and how these risks may impact the achievement of business objectives and strategies.

First

Second

Third

Fourth

______ is defined as the level of risk that a company is willing to take on.

Risk appetite

Risk approach

Risk assessment

Residual risk

______ is the process of analyzing risk likelihood and the business impact. ______ refers to the actions that can be taken once a risk has been identified. These actions may include mitigating the risk, accepting the risk, or transfer / sharing the risk.

Risk event; risk appetite

Risk assessment; risk response

Risk response; risk assessment

Risk governance; compliance

The IT auditor can MOST effectively help a company deal with increasing IT-related risk by:

Performing a weekly review of system-based audit logs to determine if the company has been breached.

Conducting an audit of the company's network security and pointing out weak firewall configuration settings in the audit report.

Ensuring that the company has a log-in banner that warns unauthorized users that they may be subject to criminal prosecution and penalties.

Alerting management and the Audit Committee of the risks related to IT, and making audit recommendations that are focused on the root cause.
