CBA Information Technology Auditing Questions and Answers

Question 1

An IT auditor is evaluating a bank's use of a public cloud service provider (CSP) for hosting its mobile banking application. Under the shared responsibility model, which of the following controls is MOST likely the bank's responsibility to implement and audit?

Accepted Answer

Configuration of the virtual machine operating systems and security groups.

Answer

In a cloud computing environment, the shared responsibility model dictates the security obligations of the cloud service provider and the customer. While the CSP is responsible for the security 'of' the cloud (e.g., physical data centers, underlying hardware, and network), the customer (the bank) is responsible for security 'in' the cloud. This includes correctly configuring their own resources, such as virtual machine operating systems, user access controls, and network security groups (firewalls).

Question 2

During a review of a bank's Business Continuity Plan (BCP), an auditor notes that the plan has not been updated in over three years. The Business Impact Analysis (BIA) is also outdated. Which of the following is the GREATEST risk associated with this finding?

Accepted Answer

The recovery strategies may no longer be effective for current critical business operations.

Answer

The primary risk of an outdated BCP and BIA is that the bank's operations, critical systems, and processes may have changed significantly. Therefore, the recovery strategies documented in the plan may no longer be relevant or effective for restoring essential services within their required timeframes (Recovery Time Objectives), potentially leading to significant financial and reputational damage during a disruption.

Question 3

Which of the following IT governance frameworks provides a comprehensive model that bridges the gap between technical issues, business risks, and control requirements, making it highly suitable for auditors in the banking sector?

Accepted Answer

COBIT (Control Objectives for Information and Related Technologies)

Answer

COBIT is a leading framework for the governance and management of enterprise IT. It is specifically designed to align IT with business goals, manage risks, and ensure regulatory compliance, which are all critical in the banking industry. Unlike ITIL, which focuses on IT service management, or ISO 27001, which is centered on the information security management system, COBIT provides an overarching governance structure that helps auditors evaluate the entire IT control environment in the context of business objectives.

Question 4

A bank's IT auditor is performing a review of Information Technology General Controls (ITGCs). Which of the following areas is considered one of the four core domains of an ITGC audit?

Accepted Answer

Change management processes.

Answer

IT General Controls (ITGCs) are the foundational controls for the IT environment. Audits of ITGCs typically focus on four main domains: Access Management, Change Management, IT Operations, and Data/System Backup and Recovery. Change management ensures that modifications to systems are properly authorized, tested, and implemented, which is crucial for maintaining the integrity of financial reporting systems.

Question 5

In an audit of a bank's data governance program, which of the following findings would represent the MOST significant weakness?

Accepted Answer

There is a lack of clearly defined ownership and stewardship for critical data elements.

Answer

A fundamental principle of effective data governance is accountability, which is established through clear ownership and stewardship roles. Without defined owners for critical data elements (e.g., customer information, transaction records), there is no clear responsibility for data quality, integrity, and security, leading to increased risk of data breaches, poor decision-making, and regulatory non-compliance.

(CBA) Certified Bank Auditor Practice Test

(CBA) Certified Bank Auditor Practice Test

CBA Information Technology Auditing Questions and Answers