CBA Information Technology Audits Questions and Answers

Question 1

An IT auditor is reviewing a bank's change management process for its core banking system. Which of the following represents the MOST significant control weakness?

Accepted Answer

The same developer who codes a change is responsible for deploying it into the production environment.

Answer

The most significant weakness is the lack of segregation of duties. A developer having the ability to both write and deploy code to production creates a risk of unauthorized or untested changes, potentially leading to fraud, data integrity issues, or system failure. The other options, while not ideal, represent lesser risks. Paper forms are an inefficiency, not a critical control failure. Testing by someone other than the requester can be acceptable. Documenting emergency changes retrospectively is a common practice, provided the initial approval is timely and the process is well-controlled.

Question 2

A bank recently experienced a significant data center outage due to a natural disaster. The IT department successfully failed over to the disaster recovery (DR) site. When auditing the bank's Business Continuity Plan (BCP), which of the following is the MOST important audit procedure to perform?

Accepted Answer

Assessing the adequacy of the Business Impact Analysis (BIA) to ensure the Recovery Time Objectives (RTOs) for critical systems were met.

Answer

The Business Impact Analysis (BIA) is the foundation of the Business Continuity Plan. It identifies critical business processes and sets the Recovery Time Objectives (RTOs)—the maximum tolerable downtime. The most crucial audit step is to verify if the bank's recovery performance during the actual disaster met these predefined objectives. If critical systems were not restored within their RTOs, the BCP was not effective, regardless of training, budget, or documentation details.

Question 3

During an audit of logical access controls for the bank's wire transfer system, which of the following conditions would be of GREATEST concern to a Certified Bank Auditor?

Accepted Answer

Shared, generic user accounts are used by the treasury department for end-of-day processing.

Answer

The use of shared or generic accounts is the most significant concern because it eliminates individual accountability. If a fraudulent transaction occurs, it becomes impossible to trace the action to a specific person. This undermines non-repudiation and makes investigation extremely difficult. While delayed termination, weak password policies, and less frequent access reviews are all control weaknesses, the inability to hold individuals accountable for their actions poses a more severe and direct risk to the institution.

Question 4

An auditor is evaluating the controls over a bank's new customer-facing mobile application, which was developed by a third-party vendor. According to the FFIEC IT Examination Handbook, which of the following is a primary responsibility of the bank's management?

Accepted Answer

Conducting a thorough risk assessment and due diligence process before and during the engagement.

Answer

The FFIEC places significant emphasis on third-party risk management. While the bank may not perform code reviews directly, it is ultimately responsible for the risks introduced by its vendors. A primary responsibility of the bank's management is to conduct comprehensive due diligence and ongoing risk assessments of its third-party service providers. This includes evaluating the vendor's security posture, financial stability, and operational controls to ensure they meet the bank's own risk appetite and regulatory requirements.

Question 5

A Certified Bank Auditor is planning an audit of the bank's cybersecurity incident response plan. Which audit test would BEST assess the plan's practical effectiveness?

Accepted Answer

Reviewing the results and lessons learned from a recent tabletop exercise or simulation drill.

Answer

While plan approval, accurate contact lists, and secure storage are important compliance checks, the best way to assess the *effectiveness* of an incident response plan is to see how it performs in practice. Reviewing the outcomes of a tabletop exercise or a full simulation drill provides concrete evidence of the team's preparedness, identifies gaps in the plan, and demonstrates the bank's ability to respond to an actual incident.

(CBA) Certified Bank Auditor Practice Test

(CBA) Certified Bank Auditor Practice Test

CBA Information Technology Audits Questions and Answers