| System controls ensure the integrity of IT environments through two main layers: General Controls (ITGCs) and Application Controls (ITACs). ITGCs (e.g., security, backups, change management) apply broadly to all systems, while application controls (e.g., data validation, authorization) are specific input-output checks for particular applications. Both are essential for accuracy and security.
General controls (ITGC) are broad policies safeguarding the entire IT infrastructure (security, systems, development), while application controls are specific, automated controls within software ensuring data integrity for specific transactions. General controls support the reliable operation of application controls, which focus on input, processing, and output.
IT General Controls (ITGC)
ITGCs apply to all IT systems and support the overall IT environment. Key areas include:
· Access Controls: Managing user access to systems, data, and programs.
· Change Management: Ensuring authorized, tested changes to systems.
· Backup and Recovery: Protecting against data loss.
· Physical Security: Securing data centers and hardware.
· IT Operations: Managing data center operations and backups.
IT Application Controls (ITAC)
ITACs are embedded in business applications (like ERP or billing systems) to ensure transaction accuracy and completeness. They typically focus on three areas:
· Input Controls: Validation checks, data formatting, and authorization checks (e.g., ensuring fields are not blank, dropdown menus).
· Processing Controls: Ensuring authorized transactions are processed accurately and completely.
· Output Controls: Verifying that output reports and data are complete, accurate, and properly distributed.
Key Differences
· Scope: ITGC covers the broad IT infrastructure; ITAC covers specific application transactions.
· Purpose: ITGC maintains a reliable operating environment; ITAC ensures accuracy of data.
· Responsibility: ITGC is managed by IT staff; ITAC is often managed by business process owners.
· Nature: ITGC often includes manual procedures, while ITAC is usually automated.
Case-based questions, scenarios, and answers analyzing IT System Controls, General Controls (ITGC), and Application Controls, based on auditing standards and scenarios.
Case 1: The “Too-Busy” Administrator (General Control Focus)
Scenario: A company, XYZ Ltd., has a high-turnover IT department. Due to limited staff, the Database Administrator (DBA) not only manages database security but also develops and changes the application code. An internal audit reveals that while password policies are enforced, there is no formal log review of the DBA’s actions, and the DBA has approved their own code changes in the production environment.
· Q1: Which general control principle is violated here?
o Answer: Segregation of Duties (SoD). The roles of system development/change management and system administration (access control) must be separate.
· Q2: What is the risk associated with this scenario?
o Answer: Risk of unauthorized or malicious changes to the production system (sabotage or fraud) going undetected, as the developer is also the auditor of their own work.
· Q3: Recommend a general control to mitigate this risk.
o Answer: Implement a strict change management process where developers have read-only access to production and code changes are approved by a separate, authorized user or change manager.
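As an added illustration of Case 1 (not part of the original notes), this Python script runs the segregation-of-duties test an auditor would apply to a change-management log and to a role-assignment list; the log entries, user names and the role-conflict matrix are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed SoD matrix: role pairs that one person should never hold together.
CONFLICTING_ROLES = {
    frozenset({"developer", "production_admin"}),
    frozenset({"developer", "change_approver"}),
}


@dataclass(frozen=True)
class ChangeRecord:
    change_id: str
    developer: str            # who wrote the change
    approver: Optional[str]   # who approved it (None = no approval logged)
    deployer: str             # who moved it into the target environment
    environment: str          # "production" or "test"


def sod_violations(rec: ChangeRecord) -> list[str]:
    """Segregation-of-duties findings for one change record."""
    findings: list[str] = []
    if rec.environment != "production":
        return findings          # only production changes are in scope here
    if rec.approver is None:
        findings.append("no approval recorded")
    elif rec.approver == rec.developer:
        findings.append("self-approved change")
    if rec.deployer == rec.developer:
        findings.append("developer deployed own change to production")
    return findings


def audit_change_log(records: list[ChangeRecord]) -> dict[str, list[str]]:
    """Return only the changes that have findings, keyed by change id."""
    report: dict[str, list[str]] = {}
    for rec in records:
        findings = sod_violations(rec)
        if findings:
            report[rec.change_id] = findings
    return report


def role_conflicts(user_roles: dict[str, set[str]]) -> dict[str, list[str]]:
    """Users holding a conflicting pair of roles from the SoD matrix."""
    out: dict[str, list[str]] = {}
    for user, roles in user_roles.items():
        hits = [" + ".join(sorted(pair)) for pair in CONFLICTING_ROLES if pair <= roles]
        if hits:
            out[user] = sorted(hits)
    return out


# Constructed sample log (not real data): CHG-101 is the Case 1 pattern, where
# the DBA writes, approves and deploys their own production change.
SAMPLE_LOG = [
    ChangeRecord("CHG-101", "dba1", "dba1", "dba1", "production"),
    ChangeRecord("CHG-102", "dev1", "cab1", "ops1", "production"),
    ChangeRecord("CHG-103", "dev1", None, "ops1", "production"),
    ChangeRecord("CHG-104", "dev1", "dev1", "dev1", "test"),
]
SAMPLE_ROLES = {
    "dba1": {"developer", "production_admin", "change_approver"},
    "dev1": {"developer"},
    "ops1": {"production_admin"},
}

if __name__ == "__main__":
    for cid, findings in audit_change_log(SAMPLE_LOG).items():
        print(cid, "->", "; ".join(findings))
    for user, conflicts in role_conflicts(SAMPLE_ROLES).items():
        print(user, "holds conflicting roles:", conflicts)
```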
Case 2: The Erroneous Invoice (Application Control Focus)
Scenario: A distribution company uses an ERP system to process customer orders. A new order taker mistakenly enters an order for 100,000 units instead of the usual 1,000 units. The system accepts the order, generates an invoice, and posts the revenue. The customer calls to complain.
· Q1: What type of application control failed here?
o Answer: Input Controls—specifically, a reasonableness check or validity check.
· Q2: How could this have been prevented?
o Answer: A “reasonableness test” (e.g., comparing the current order against historical order data) would have flagged the transaction as anomalous and paused it for manual review.
· Q3: Is this a “Preventive” or “Detective” control issue?
o Answer: It is a failure of a preventive control (stopping bad data entry).
Case 3: The Untraceable Data (General & Application Controls)
Scenario: A financial services company finds that a batch processing run for payroll resulted in incorrect totals. Upon investigation, they cannot determine which transactions were processed or if the input file was altered.
· Q1: What application control was missing?
o Answer: Run-to-run totals (processing control) and check digits (input control). These ensure that data is not lost or changed during processing.
· Q2: Why does the system lack accountability?
o Answer: Lack of adequate audit trails (a General Control), which should log which user or process modified the data, and when.
Summary: Key Contrasts
| Control Type | Focus Area | Example | Scenario |
| --- | --- | --- | --- |
| General Control | Environment-wide | Password policies, Access Control, Change Management | A terminated employee still has access to the network. |
| Application Control | Transaction Specific | Input Validation, Processing Check, Output Reconciliation | A negative amount is entered in a salary field. |
Important Case-Based Takeaways
· ITGC Failure Impact: If General Controls (e.g., access security) are weak, application controls (e.g., password restrictions within an app) cannot be trusted.
· Real-life Failures: Many frauds result from no segregation of duties (e.g., same person onboarded vendors and paid them).
· Configuration vs. Manual: Automated controls (like system configurations) are often stronger than manual procedures because they are consistent.
🔷 1. SYSTEM CONTROLS – OVERVIEW
System controls ensure:
- Reliability of financial reporting
- Safeguarding of assets
- Data integrity, confidentiality & availability
👉 Divided into:
- General Controls (ITGC)
- Application Controls
🔷 2. GENERAL CONTROLS (ITGC)
✅ Meaning
Controls that apply to the overall IT environment rather than to specific applications.
👉 They create the foundation for effective application controls.
🔑 IMPORTANT EXAM POINT:
👉 If ITGC is weak → Application controls cannot be relied upon.
🔷 TYPES OF GENERAL CONTROLS
1. 🔐 Access Controls
- Restrict unauthorized access to systems/data
- Examples:
- User ID & Password
- Multi-factor authentication *
- Role-based access
👉 Risks:
- Unauthorized transactions
- Data theft
*Multi-Factor Authentication (MFA) in system control enhances security by requiring two or more independent credentials—knowledge, possession, or inherence—to verify identity, making users 99% less likely to be hacked. It prevents unauthorized access, mitigates phishing risks, and secures sensitive digital or physical assets.
2. 🔄 Change Management Controls
- Ensure changes to the system are:
- Authorized
- Tested
- Documented
👉 Examples:
- Version control
- Approval before deployment
👉 Risk:
- Unauthorized program changes
3. 💻 IT Operations Controls
- Ensure smooth day-to-day operations
Examples:
- Job scheduling
- Backup procedures
- Incident management
👉 Risk:
- System downtime
- Data loss
4. 🏢 Physical & Environmental Controls
- Protect hardware & infrastructure
Examples:
- CCTV, biometric access
- Fire alarms, UPS
👉 Risk:
5. 🧾 System Development Controls (SDLC)
- Controls during system development lifecycle
Phases:
- Planning → Design → Testing → Implementation
👉 Risk:
- Poor system design
- Errors in output
🔁 Mnemonic for ITGC:
👉 “ACOPS”
- Access
- Change management
- Operations
- Physical controls
- SDLC
🔷 3. APPLICATION CONTROLS
✅ Meaning
Controls within specific applications/software to ensure:
- Accuracy
- Completeness
- Authorization of transactions
🔑 IMPORTANT EXAM POINT:
👉 Application controls are transaction-level controls
🔷 TYPES OF APPLICATION CONTROLS
1. 📥 Input Controls
Ensure data entered is accurate & valid
Examples:
- Validation checks (format, range)
- Mandatory fields
- Check digits
👉 Risk:
2. ⚙️ Processing Controls
Ensure data is processed correctly
Examples:
- Run-to-run totals
- Reasonableness checks
- Error reports
👉 Risk:
3. 📤 Output Controls
Ensure output is accurate and reaches correct users
Examples:
- Review of reports
- Restricted report access
- Reconciliation
👉 Risk:
4. 📊 Master Data Controls
Controls over standing data (e.g., vendor, customer)
Examples:
- Approval for changes
- Audit trail
👉 Risk:
🔁 Mnemonic for Application Controls:
👉 “IPOM”
- Input
- Processing
- Output
- Master data
🔷 4. KEY DIFFERENCES (EXAM FAVOURITE)
| Basis | General Controls (ITGC) | Application Controls |
| --- | --- | --- |
| Scope | Entire IT system | Specific application |
| Nature | Preventive | Preventive + Detective |
| Level | Entity level | Transaction level |
| Dependency | Independent | Depends on ITGC |
| Example | Password control | Invoice validation |
🔷 5. AUDIT PERSPECTIVE (VERY IMPORTANT)
🔍 Auditor Focus:
For ITGC:
- Test:
- Access rights
- Change logs
- Backup systems
For Application Controls:
- Test:
- Data validation
- Reconciliation
- Exception reports
🔑 CRITICAL EXAM CONCLUSION:
👉 Strong ITGC → Auditor can rely on system
👉 Weak ITGC → Auditor must do more substantive testing
🔷 6. COMMON EXAM MCQ TRAPS
❌ Confusing ITGC with application controls
❌ Assuming application controls work without ITGC
❌ Ignoring master data controls
❌ Treating all controls as preventive
🔷 7. QUICK REVISION SUMMARY
- ITGC = Backbone of IT system
- Application controls = Transaction accuracy
- ITGC failure → Entire system risk
- Input → Processing → Output → Master data
Below are important, exam-oriented, crisp notes on Input Controls, Process Controls, Output Controls, General IT Controls, Application Controls, and Techniques to Evaluate Controls in an Automated Environment — suitable for CMA, CIA, CISA, ACCA, CIMA, CPA exams.
✅ 1. INPUT CONTROLS
Purpose: Ensure data entered into the system is accurate, complete, authorized, and valid.
Key Input Controls
- Field Check / Data Type Check
– Ensures correct data type (numeric, date, characters).
- Limit Check
– Validates value does not exceed a pre-set maximum/minimum.
- Range Check
– Ensures the value falls within an acceptable range.
- Validity Check / Referential Integrity
– Compares data against master files (e.g., customer ID exists).
- Completeness Check
– Ensures all mandatory fields are entered (e.g., invoice number not blank).
- Reasonableness Check
– Logical test between two related fields (e.g., OT hours > 0 only if status = present).
- Check Digit Verification
– Prevents transposition errors using mathematical algorithms (used in credit cards, bank accounts).
- Sequence Check / Batch Control
– Ensures documents are complete and in sequence (missing invoices detected).
- Authentication Controls
– User login, passwords, biometrics to ensure authorized input.
- Batch Totals
– Financial totals (sum of amounts), hash totals (sum of non-financial numeric fields), and record count (number of entries).
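The checks listed above, applied to one sales-order record, as an added Python example (not code from the original notes); the customer master, order history, limit and tolerance values are constructed assumptions, and the check digit uses the Luhn algorithm that payment cards use.

```python
from typing import Any

# Constructed master file and order history (assumed data, not from the notes).
CUSTOMER_MASTER = {"1001", "1002", "1003"}
HISTORY_AVG_QTY = {"1001": 1_000, "1002": 250, "1003": 4_000}

MAX_ORDER_QTY = 1_000_000      # limit check: hard ceiling (assumed policy value)
DISCOUNT_RANGE = (0.0, 0.10)   # range check: discount must be 0-10 % (assumed)
REASONABLE_FACTOR = 10         # reasonableness: flag qty > 10x the customer's usual
MANDATORY = ("customer_id", "quantity", "unit_price", "amount", "card_number")


def luhn_valid(digits: str) -> bool:
    """Check-digit verification (Luhn algorithm, the scheme used on payment
    cards): catches single-digit typos and most adjacent transpositions."""
    if not digits.isdigit():
        return False
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:        # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_record(rec: dict[str, Any]) -> list[str]:
    """Apply each input control to one sales-order record. Returns the list of
    failures, each prefixed with the control name; an empty list means accept."""
    errors: list[str] = []

    # Completeness check: mandatory fields present and not blank.
    for name in MANDATORY:
        if rec.get(name) in (None, ""):
            errors.append(f"completeness: {name} is blank")

    # Field (data type) check.
    qty, price, amt = rec.get("quantity"), rec.get("unit_price"), rec.get("amount")
    if not isinstance(qty, int):
        errors.append("field: quantity must be an integer")
    if not isinstance(price, (int, float)) or not isinstance(amt, (int, float)):
        errors.append("field: unit_price and amount must be numeric")

    # Sign and limit checks on quantity.
    if isinstance(qty, int):
        if qty < 0:
            errors.append("sign: quantity cannot be negative")
        elif qty > MAX_ORDER_QTY:
            errors.append(f"limit: quantity {qty} exceeds {MAX_ORDER_QTY}")

    # Range check on discount.
    low, high = DISCOUNT_RANGE
    disc = rec.get("discount", 0.0)
    if not low <= disc <= high:
        errors.append(f"range: discount {disc} outside {low}-{high}")

    # Validity (referential integrity) check against the customer master.
    cust = rec.get("customer_id")
    if cust not in CUSTOMER_MASTER:
        errors.append(f"validity: customer {cust} not in master file")

    # Cross-field check: quantity x unit price must equal the amount.
    if isinstance(qty, int) and isinstance(price, (int, float)) and isinstance(amt, (int, float)):
        if abs(qty * price - amt) > 0.005:
            errors.append("cross-field: quantity x unit_price != amount")

    # Reasonableness check against the customer's historical order size
    # (the control that would have caught the 100,000-unit order in Case 2).
    usual = HISTORY_AVG_QTY.get(cust)
    if isinstance(qty, int) and usual and qty > REASONABLE_FACTOR * usual:
        errors.append(f"reasonableness: {qty} units vs usual {usual}; hold for review")

    # Check-digit verification on the card number.
    card = rec.get("card_number")
    if card and not luhn_valid(str(card)):
        errors.append("check digit: card number fails Luhn check")

    return errors


def failed_checks(rec: dict[str, Any]) -> set[str]:
    """Names of the controls a record failed, for exception reporting."""
    return {e.split(":", 1)[0] for e in validate_record(rec)}


if __name__ == "__main__":
    # Constructed sample: the Case 2 order, 100,000 units from a customer who
    # usually orders about 1,000.
    order = {"customer_id": "1001", "quantity": 100_000, "unit_price": 25.0,
             "amount": 2_500_000.0, "discount": 0.05, "card_number": "79927398713"}
    for err in validate_record(order):
        print("REJECT ->", err)
```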
✅ 2. PROCESS CONTROLS
Purpose: Ensure data processing is complete, accurate, and valid during system operations.
Key Process Controls
- Run-to-Run Totals
– Ensures totals remain consistent before & after processing.
- Control Totals Reconciliation
– Compares batch totals from input → processing → output.
- Reasonableness / Logic Tests
– System-embedded rules verify processing (e.g., price × qty = total?).
- Error Detection & Correction Routines
– Processing program flags errors and sends messages to user.
- Edit Checks / System Validations
– System automatically validates data during calculations.
- File Label Checks
– Ensures correct master file is used during processing.
- Parity Check / Checksum
– Ensures data integrity during transmission.
- Backup & Recovery During Processing
– Checkpoints, rollback, journaling.
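An added example (not from the original notes) of batch control totals carried run-to-run, showing how the pattern of mismatches across record count, hash total and financial total tells the auditor what kind of processing error occurred; the invoice batch is constructed data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    number: int        # document number; summed for the hash total
    vendor: str
    amount: float


@dataclass(frozen=True)
class ControlTotals:
    record_count: int      # number of records in the batch
    hash_total: int        # sum of a non-financial numeric field (invoice numbers)
    amount_total: float    # financial total (sum of amounts)


def control_totals(batch: list[Invoice]) -> ControlTotals:
    """Batch totals taken at the boundary of each processing run."""
    return ControlTotals(
        record_count=len(batch),
        hash_total=sum(inv.number for inv in batch),
        amount_total=round(sum(inv.amount for inv in batch), 2),
    )


def reconcile(before: ControlTotals, after: ControlTotals) -> list[str]:
    """Control-totals reconciliation: name every total that changed."""
    issues: list[str] = []
    if before.record_count != after.record_count:
        issues.append(f"record count: {before.record_count} -> {after.record_count}")
    if before.hash_total != after.hash_total:
        issues.append(f"hash total: {before.hash_total} -> {after.hash_total}")
    if abs(before.amount_total - after.amount_total) > 0.005:
        issues.append(f"amount total: {before.amount_total} -> {after.amount_total}")
    return issues


def diagnose(issues: list[str]) -> str:
    """Which kind of processing error the mismatch pattern points to."""
    kinds = {i.split(":", 1)[0] for i in issues}
    if not kinds:
        return "batch complete and accurate"
    if "record count" in kinds:
        return "records lost or added during processing"
    if "hash total" in kinds:
        return "a key field (document number) was altered"
    return "an amount was altered"


def run_to_run(stages: dict[str, list[Invoice]]) -> dict[str, str]:
    """Run-to-run totals: carry each stage's totals forward and check the next
    stage against them. Returns one diagnosis per stage boundary."""
    names = list(stages)
    report: dict[str, str] = {}
    for prev, cur in zip(names, names[1:]):
        issues = reconcile(control_totals(stages[prev]), control_totals(stages[cur]))
        report[f"{prev} -> {cur}"] = diagnose(issues)
    return report


# Constructed batch (not real data).
INPUT_BATCH = [
    Invoice(4019, "V1", 1200.00),
    Invoice(4020, "V2", 850.50),
    Invoice(4021, "V1", 99.99),
    Invoice(4022, "V3", 2500.00),
]
# The posting run silently dropped invoice 4021; the output run kept the rest.
POSTED = [inv for inv in INPUT_BATCH if inv.number != 4021]

if __name__ == "__main__":
    stages = {"input": INPUT_BATCH, "posting": POSTED, "output": POSTED}
    for boundary, verdict in run_to_run(stages).items():
        print(boundary, ":", verdict)
```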
✅ 3. OUTPUT CONTROLS
Purpose: Ensure processed information is accurately generated, distributed, and used by authorized persons only.
Key Output Controls
- Report Distribution Controls
– Only authorized users receive reports (invoice, payroll reports).
- Output Review & Reconciliation
– User departments review accuracy (e.g., payroll summary vs. employee list).
- Spooling Controls
– Protect data in print queues (prevents unauthorized access).
- Error Listing & Exception Reports
– Identifies transactions not processed.
- Retention & Disposal Controls
– Secure storage of reports, controlled shredding/disposal.
- Display Controls
– Output displayed only to authorized users.
✅ 4. GENERAL IT CONTROLS (GITC)
Purpose: Provide the overall system environment and infrastructure to ensure integrity of all IT processes.
Categories
1. Access Controls
- Authentication: passwords, MFA.
- Authorization: Role-based access (RBAC).
- User provisioning, de-provisioning.
2. Change Management Controls
- All changes to systems are approved, tested, documented, and controlled.
- Separation between development, testing, and production.
3. IT Operations Controls
- Backup & recovery procedures
- Disaster recovery plan (DRP)
- Job scheduling
- Incident management
4. Physical & Environmental Controls
- Server room restricted access
- Fire suppression, air conditioning, UPS
5. System Development Life Cycle (SDLC) Controls
- Project approvals
- Testing & validation
- Quality assurance
- Post-implementation review
✅ 5. APPLICATION CONTROLS
Purpose: Controls embedded in specific software apps to ensure integrity of transactions.
Types
- Input Controls (covered above)
- Processing Controls (covered above)
- Output Controls (covered above)
- Integrity Controls
– Database constraints, referential integrity.
- Authorization Controls
– Approval workflows, segregation of duties within application.
Examples:
- ERP three-way match (PO–GRN–Invoice)
- Payroll system updates based on HR master data only
- Automated credit limit checks
- System restricts duplicate payments
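An added Python example (not the notes' own code) of the ERP three-way match and duplicate-payment check listed above; the 2 % price tolerance, the one-GRN-per-PO lookup and the sample documents are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

PRICE_TOLERANCE = 0.02   # invoice unit price may differ from the PO by up to 2 % (assumed policy)


@dataclass(frozen=True)
class PurchaseOrder:
    po_no: str
    vendor: str
    item: str
    qty_ordered: int
    unit_price: float


@dataclass(frozen=True)
class GoodsReceipt:
    grn_no: str
    po_no: str
    item: str
    qty_received: int


@dataclass(frozen=True)
class VendorInvoice:
    inv_no: str
    vendor: str
    po_no: str
    item: str
    qty_billed: int
    unit_price: float


def three_way_match(inv: VendorInvoice, po: Optional[PurchaseOrder],
                    grn: Optional[GoodsReceipt], paid: set[tuple[str, str]]) -> list[str]:
    """Return the reasons an invoice must be blocked; an empty list releases it."""
    issues: list[str] = []
    # Duplicate-payment prevention: same vendor + invoice number already paid.
    if (inv.vendor, inv.inv_no) in paid:
        issues.append("duplicate: invoice already paid")
    if po is None:
        issues.append("no PO: nothing was ordered under this PO number")
        return issues
    if inv.vendor != po.vendor:
        issues.append("vendor: invoice vendor differs from PO vendor")
    if inv.item != po.item:
        issues.append("item: invoiced item differs from PO item")
    if inv.qty_billed > po.qty_ordered:
        issues.append("quantity: billed more than ordered")
    if grn is None:
        issues.append("no GRN: goods not yet received")
    elif inv.qty_billed > grn.qty_received:
        issues.append("quantity: billed more than received")
    # Price tolerance check against the PO unit price.
    allowed = PRICE_TOLERANCE * po.unit_price
    if abs(inv.unit_price - po.unit_price) > allowed + 1e-9:
        issues.append("price: outside tolerance")
    return issues


def release_for_payment(inv: VendorInvoice, pos: dict[str, PurchaseOrder],
                        grns: dict[str, GoodsReceipt],
                        paid: set[tuple[str, str]]) -> tuple[bool, list[str]]:
    """Look up the PO and GRN (assumed one GRN per PO), match, and record the
    payment only when the invoice is clean."""
    po = pos.get(inv.po_no)
    grn = grns.get(inv.po_no)
    issues = three_way_match(inv, po, grn, paid)
    if not issues:
        paid.add((inv.vendor, inv.inv_no))
    return (not issues, issues)


# Constructed sample documents (not real data).
POS = {"PO-100": PurchaseOrder("PO-100", "V-7", "BOLT-M8", 500, 2.00)}
GRNS = {"PO-100": GoodsReceipt("GRN-55", "PO-100", "BOLT-M8", 480)}

if __name__ == "__main__":
    paid_register: set[tuple[str, str]] = set()
    for inv in (
        VendorInvoice("INV-9001", "V-7", "PO-100", "BOLT-M8", 480, 2.03),
        VendorInvoice("INV-9001", "V-7", "PO-100", "BOLT-M8", 480, 2.03),  # resubmitted
        VendorInvoice("INV-9002", "V-7", "PO-100", "BOLT-M8", 500, 2.20),
    ):
        ok, why = release_for_payment(inv, POS, GRNS, paid_register)
        print(inv.inv_no, "released" if ok else "blocked", why)
```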
✅ 6. TECHNIQUES TO EVALUATE CONTROL SYSTEM IN AUTOMATED ENVIRONMENT (IT AUDIT TECHNIQUES)
1. CAATs (Computer-Assisted Audit Techniques)
Tools used by auditors to test automated systems.
Types:
- Generalized Audit Software (GAS) – ACL, IDEA
- Test Data – Auditors input dummy records to test controls
- Integrated Test Facility (ITF) – Dummy division or department inside system
- Parallel Simulation – Auditor simulates processing independently
- Embedded Audit Modules – Audit hooks built into system
2. IT Control Testing Techniques
- Walkthroughs
– Trace a transaction from initiation → processing → output.
- Reperformance
– Auditor re-runs a process to verify results.
- Observation
– Watching how controls operate (login, approval workflow).
- Inspection of Logs & Evidence
– Access logs, change management logs, error logs.
- Inquiry
– Discussions with system and process owners.
3. Black-Box Testing
- Focuses on functionality only, not internal code.
- Tests input → output accuracy.
4. White-Box Testing
- Reviews internal logic, code, paths, branches.
5. Penetration Testing (Ethical Hacking)
- Evaluates IT security by simulating attacks.
6. Vulnerability Assessment
- Scans for software, network, configuration weaknesses.
✅ 7. HIGH-SCORING SHORT NOTES (Quick Revision)
Input controls: field check, limit check, range check, completeness, check digit, batch totals.
Processing controls: run-to-run totals, logic tests, data integrity checks, file label checks.
Output controls: distribution control, reconciliation, exception reports, retention policies.
General IT Controls: access control, change management, IT operations, physical safeguards.
Application controls: automated approvals, edit checks, matching, validations.
Evaluation techniques: CAATs, ITF, Test Data, Parallel Simulation, walkthroughs, black-box/white-box testing.
www.gmsisuccess.in
Below is a clear, exam-oriented, structured set of notes on
Input Controls · Processing (Application) Controls · Output Controls
for Manufacturing, Finance, Revenue, Payroll, Procurement Cycles.
These are written in CMA / CIA / CISA exam style with examples and keywords that help score marks.
✅ 1. INPUT CONTROLS — BY PROCESS CYCLE
Input controls ensure accuracy, validity, completeness of data before it enters the system.
A. MANUFACTURING PROCESS (MES + ERP)
1. Barcode / RFID validation – wrong material scanned → reject
2. Machine sensor reading validation – range checks, format checks
3. Production order input checks – cannot start without approved BOM & routing
4. Operator login authentication – prevents unauthorized shop floor entries
5. Mandatory quality check entries – system blocks movement to next stage
6. Raw material issuance validation – must match BOM quantity tolerance
B. FINANCE (General Ledger Accounting)
1. Journal entry validation – debits = credits, mandatory fields
2. GL account posting rules – prevent posting to closed periods
3. Vendor/customer master creation controls – dual approval
4. Invoice number duplication checks
5. Currency validation against forex tables
C. REVENUE CYCLE
1. Customer credit validation before order acceptance
2. SO–Delivery–Invoice matching
3. Quantity/price validation vs master data
4. Duplicate order checks
5. Mandatory customer ID entry
D. PAYROLL CYCLE
1. Employee master validation – only HR can create/update employee profile
2. Input time-sheet validation – range checks, maximum hours per day
3. Biometric or swipe validation – to avoid ghost employees
4. Pay rate validation vs HR master
5. Overtime approval checks
E. PROCUREMENT CYCLE
1. Vendor master validation – PAN, GST, bank account verification
2. PO creation validation – item codes, budget checks
3. Three-way match input validation – PO-GRN–Invoice
4. Price tolerance validation
5. Duplicate invoice prevention
✅ 2. PROCESSING / APPLICATION CONTROLS — BY CYCLE
Processing controls ensure correct, complete, authorized processing once inputs are accepted.
A. MANUFACTURING PROCESS
1. Run-to-run totals – raw material issue → production → scrap → finished goods
2. Standard costing calculation controls
3. Routing logic validation – correct sequence of operations
4. Automated WIP updates from MES to ERP
5. Exception handling for machine breakdowns
6. Batch processing controls for production reporting
B. FINANCE
1. Automatic accrual calculations
2. Depreciation processing validation
3. Period-end closing controls – postings blocked after close
4. GL–subledger reconciliation automation
5. Duplicate journal identification
C. REVENUE CYCLE
1. Sales order processing logic – do not ship > ordered quantity
2. Automatic tax computation
3. Real-time credit limit enforcement
4. Revenue cutoff controls at month-end
5. Interface controls between CRM → ERP → Billing
D. PAYROLL CYCLE
1. Gross-to-net pay calculation validation
2. Auto payroll tax calculation
3. Pay register balancing (control totals)
4. Negative pay validation
5. Run-to-run reconciliation between payroll runs
E. PROCUREMENT CYCLE
1. Automated 3-way match logic (PO–GRN–Invoice)
2. Purchase budget control at PR/PO stage
3. Duplicate payment validation
4. Vendor payment batch approval workflow
5. GRN blocking for price mismatch
✅ 3. OUTPUT CONTROLS — BY CYCLE
Output controls ensure that reports, documents, and system outputs are accurate, distributed properly, and used correctly.
A. MANUFACTURING PROCESS
1. Production report validation – actual vs plan
2. Scrap reports sent only to authorized supervisors
3. WIP valuation reports protected via access rights
4. Machine performance dashboards – accuracy checks
5. Control of printed job tickets
B. FINANCE
1. Trial balance, FS review & sign-off
2. Restricted access to financial statements
3. Exception reports (unbalanced journals, open periods)
4. Account reconciliation reports
5. Audit trail reports for all GL changes
C. REVENUE CYCLE
1. Invoice distribution control – correct customer & format
2. Aging reports accuracy validation
3. Dispatch register output accuracy
4. Failed billing run alerts
5. Revenue MIS reports access rights
D. PAYROLL CYCLE
1. Pay slip accuracy and confidentiality controls
2. Bank payment file reconciliation
3. Payroll register output review
4. TDS/PF/ESIC statutory output validation
5. Unauthorized printing restrictions
E. PROCUREMENT CYCLE
1. PO print/output control (authorized only)
2. Vendor payment advice validation
3. GRN & inspection report distribution controls
4. Open PO / overdue PO exception reports
5. Mismatch reports for GRN–Invoice
Below is a clean, exam-oriented, professional summary of
Input Controls · Application (Processing) Controls · Output Controls
specifically for Authorization, Authentication, Verification, Evaluation, User Ownership of Business Transactions.
This is written in a way suitable for CISA/CIA/CMA/CIMA/ACCA exams.
✅ **1. INPUT CONTROLS → applied BEFORE a transaction enters the system**
These controls ensure the transaction is valid, authorized, accurate, complete, and belongs to the correct user.
A. AUTHORIZATION (Before entry)
Controls ensuring only approved transactions are entered.
· Maker-Checker / Dual Approval before transaction submission
· Approval Codes required before PO creation, journal entry, payment run
· Authorization limits (amount, type of transaction)
· Digital approval workflow validation
· Mandatory attachment of approval evidence
B. AUTHENTICATION (User identity validation before entering data)
· Username + password validation
· MFA (OTP, biometric, token)
· Device authentication
· Login time/location restrictions
· Session start logging
C. VERIFICATION (Check correctness of input data)
· Mandatory fields (customer ID, item code, amount)
· Duplicate transaction checks
· Format checks (numeric only, date format)
· Range checks (discount cannot exceed 10%)
· Cross-field validation (qty * price = amount)
· Valid master data lookup (valid vendor, valid GL code)
D. EVALUATION (Check business logic before acceptance)
· Credit limit check before sales order
· Budget check before purchase request
· Stock availability check before delivery
· Policy compliance check (e.g., travel claim criteria)
E. USER OWNERSHIP OF BUSINESS TRANSACTIONS
· User-specific workflow assignment
· Role-based input screens
· Only transaction owner can submit/edit draft
· Prevent entering transactions on behalf of others
· Audit trail showing creator + purpose
✅ **2. APPLICATION (PROCESSING) CONTROLS → applied DURING the transaction flow inside the system**
These ensure authorized, correct, consistent, complete processing of approved data.
A. AUTHORIZATION (During processing)
· Workflow routing based on approval hierarchy
· System-enforced maker–checker separation
· Rejection if approval chain incomplete
· Automatic tagging of approver identity
B. AUTHENTICATION (Processing integrity)
· Session timeout
· Re-authentication for high-risk actions (payments, data edits)
· Role-based access at processing level (who can approve, post, delete)
C. VERIFICATION (During calculation/processing)
· Validation of transaction status (e.g., cannot invoice if GRN not posted)
· Recalculation of totals (system auto-calculates amount, tax)
· Check digits & hash totals during interface processing
· Run-to-run controls in batch processing
· Exception validation (e.g., negative stock)
D. EVALUATION (Business rule enforcement)
· 3-way matching (PO + GRN + Invoice)
· Credit hold logic
· Salary calculation rules (pay grade × rate)
· Purchase approval workflow logic
· Compliance rules embedded in application (e.g., max per diem)
E. USER OWNERSHIP OF TRANSACTIONS
· No unauthorized overwrites
· Transaction cannot be posted by person who created it
· Change history (before-after values) preserved
· User responsibility enforced through audit trail
· Automated restriction on deleting processed entries
✅ **3. OUTPUT CONTROLS → applied AFTER transaction processing**
These ensure accurate, secure, and authorized distribution of transaction outputs.
A. AUTHORIZATION (Who receives outputs?)
· Access control on generated reports
· Distribution to only authorized recipients
· Approval required before releasing invoices, payments
· Restrict printing of sensitive reports (payroll, pricing)
B. AUTHENTICATION (Identity checks before accessing results)
· MFA for viewing financial statements
· Encryption + secure login for bank payment files
· Role-based report viewers
· Output file integrity check before download
C. VERIFICATION (Accuracy of output)
· Reconciliation reports (input vs output totals)
· System-generated exception reports
· Control totals (debits = credits, inventory in vs out)
· Compare key fields: approved vs processed quantities
· Hash totals for interface outputs (ERP → bank, ERP → vendor portal)
D. EVALUATION (Business review of generated reports)
· Supervisor review of revenue, cost, exception, and variance reports
· Review of approval logs (who approved what)
· KPI dashboards verifying rule compliance
· Review of rejected transactions and overrides
E. USER OWNERSHIP
· Audit trail showing who executed/output the report
· Responsibility for validating output accuracy
· Ownership matrix: who owns which report and decisions
· Version control to ensure people use the correct output
· Monitoring unauthorized report extraction
⭐ FULL SUMMARY TABLE (Exam Perfect Revision Chart)
| Control Type | Authorization | Authentication | Verification | Evaluation | User Ownership |
| --- | --- | --- | --- | --- | --- |
| Input Controls | Approval before entry | Login/MFA | Field & data checks | Business rule checks | Creator ownership |
| Application Controls | Workflow approval | Session & role rules | Calculation & rule validation | 3-way match, credit checks | Audit trail, maker-checker |
| Output Controls | Authorized distribution | Secure access | Reconciliation & control totals | Supervisory review | Report ownership & traceability |
Below are 50 tricky, challenging, scenario-based MCQs with answers covering:
✔ Input Controls
✔ Processing Controls
✔ Output Controls
✔ General IT Controls (GITC)
✔ Application Controls
✔ Techniques to Evaluate Controls in Automated Environment (CAATs, ITF, Test Data, etc.)
Perfect for CIA, CISA, CMA, ACCA, CPA, CIMA exam prep.
Here is a comprehensive exam-oriented question bank on System Controls (ITGC & Application Controls) including case-based MCQs, Assertion–Reasoning, True/False, Odd-one-out, and tricky formats—aligned with CIA Part 1 style.
🔷 1. CASE-BASED MCQs (HIGH LEVEL)
📘 Case 1:
ABC Ltd. implemented a new ERP system. During audit, it was found:
- Developers had access to production environment
- No formal approval for system changes
- Input validation checks exist in the system
❓ Question:
Which control weakness is MOST critical?
A. Lack of input validation
B. Weak change management control
C. Lack of output control
D. Poor documentation
✅ Answer: B
👉 Reason: Even if application controls exist, weak ITGC (change management) undermines system reliability.
📘 Case 2:
An auditor finds:
- Strong password policy
- Proper segregation of duties
- No validation checks for invoice entry
❓ Question:
What is the MOST likely risk?
A. Unauthorized access
B. Data entry errors
C. System failure
D. Data backup failure
✅ Answer: B
👉 Reason: Missing input controls → inaccurate transactions
📘 Case 3:
Company generates payroll reports automatically but:
- Reports are not reviewed
- Access is restricted
- Processing controls exist
❓ Question:
Which control is missing?
A. Input control
B. Processing control
C. Output control
D. ITGC
✅ Answer: C
🔷 2. ASSERTION – REASONING QUESTIONS
❓ Q1:
Assertion (A): Application controls ensure accuracy of transactions
Reason (R): Application controls operate at transaction level
A. Both A and R are true, and R explains A
B. Both true, but R does not explain A
C. A true, R false
D. A false, R true
✅ Answer: A
❓ Q2:
Assertion (A): Strong ITGC guarantees absence of fraud
Reason (R): ITGC ensures system-wide control environment
✅ Answer: C
👉 ITGC helps, but does not guarantee no fraud
❓ Q3:
Assertion (A): Input controls prevent incorrect data entry
Reason (R): They include validation and edit checks
✅ Answer: A
🔷 3. TRUE / FALSE (TRICKY)
- Application controls are independent of ITGC
❌ False
- Change management is part of ITGC
✅ True
- Output controls ensure completeness of input
❌ False
- Weak ITGC increases audit risk
✅ True
- Master data controls are part of ITGC
❌ False (they are application controls)
🔷 4. ODD ONE OUT (VERY IMPORTANT)
❓ Q1:
A. Password control
B. Backup procedure
C. Invoice validation
D. Access restriction
✅ Answer: C (Application control, others are ITGC)
❓ Q2:
A. Input validation
B. Processing checks
C. Output review
D. Firewall security
✅ Answer: D (ITGC)
❓ Q3:
A. Change management
B. Segregation of duties
C. Run-to-run totals
D. Physical access control
✅ Answer: C (Application control)
🔷 5. MATCH THE FOLLOWING
| List 1 | List 2 |
| --- | --- |
| A. Input control | 1. Review reports |
| B. Output control | 2. Data validation |
| C. ITGC | 3. Backup system |
✅ Answer:
🔷 6. MULTI-SELECT MCQs
❓ Q:
Which are examples of ITGC?
A. Change management
B. Input validation
C. Backup procedures
D. Password control
✅ Answer: A, C, D
🔷 7. CASE-BASED ASSERTION (ADVANCED)
📘 Case:
System has:
- Strong access controls
- Weak change management
- Strong input validation
❓ Assertion:
System reliability is high
❓ Reason:
Application controls compensate for weak ITGC
A. Both true
B. Both false
C. A true, R false
D. A false, R true
✅ Answer: B
👉 Weak ITGC → overall reliability compromised
🔷 8. FILL IN THE BLANKS
- ______ controls ensure data accuracy at entry stage
✅ Input controls
- ______ controls form foundation of IT environment
✅ General controls
- ______ controls ensure reports are reviewed
✅ Output controls
🔷 9. EXAM TRAP CASE
📘 Case:
Auditor relies on system-generated reports without testing ITGC.
❓ Question:
Is this appropriate?
A. Yes
B. No
✅ Answer: B
👉 Must evaluate ITGC before relying on system output
🔷 10. VERY TRICKY MCQ
❓ Q:
Which control failure has the MOST pervasive impact?
A. Missing input control
B. Weak ITGC
C. Missing output control
D. Missing processing control
✅ Answer: B
🔷 FINAL REVISION LINE (IMPORTANT)
👉 “ITGC failure = System failure”
👉 “Application controls = Transaction accuracy”
✅ 50 TRICKY & SCENARIO-BASED MCQs WITH ANSWERS
(Answers at the end)
INPUT, PROCESSING & OUTPUT CONTROLS (Q1–18)
1. A clerk enters a customer code “CUST-980” but the system rejects it because “letters not allowed.” This is an example of:
A. Range check
B. Field check
C. Validity check
D. Limit check
2. An order entry system rejects an order for 8,000 units because the preset maximum is 5,000. This control prevents:
A. Reasonableness errors
B. Limit violations
C. Master data mismatches
D. Sequence errors
3. A company finds that invoice #4021 is missing in the batch sequence. Which input control detects this first?
A. Check digit
B. Sequence check
C. Range check
D. Field check
4. During input, the system calculates the checksum “57” based on a formula and rejects mismatches. This prevents:
A. Transcription errors
B. Processing errors
C. Output misrouting
D. Unauthorized access
5. An employee enters a negative sales quantity, and the system rejects it. This is:
A. Sign check
B. Limit check
C. Hash total
D. Completeness check
6. A payroll system ensures overtime hours >0 only when “Present” status = Yes. This is an example of:
A. Reasonableness test
B. Completeness check
C. Check digit validation
D. Batch total
7. Before processing a batch of invoices, the system counts 118 records; after processing only 116 appear. What control identifies the issue?
A. Hash total
B. Record count
C. Check digit
D. Range check
8. While processing payroll, an error log shows 25 employees with missing bank account details. This is an example of:
A. Error listing
B. Exception report
C. Output reconciliation
D. Processing validation
9. The accounting department reviews system-generated pay slips before distributing them. This is:
A. Reperformance
B. Output review control
C. Batch input validation
D. Test data review
10. A buyer receives a vendor report addressed to another department. Which output control should prevent this?
A. Spooling control
B. Distribution control
C. Label check
D. User authentication
11. During network transmission, the system uses parity bits. This mainly prevents:
A. Data duplication
B. Data corruption in transit
C. Unauthorized access
D. Processing errors
12. A system flags “Item price × Quantity ≠ Total invoice amount.” This is a:
A. File label control
B. Logic check
C. Sequence check
D. Run-to-run check
13. “Before and after” totals for a batch do not match after processing. What control is triggered?
A. Run-to-run total
B. Range validation
C. Hash total
D. Reasonableness test
14. During posting to the GL, the system confirms the use of the correct master file before proceeding. This is:
A. File existence check
B. File label check
C. Referential integrity check
D. Hash total check
15. A user enters a vendor code that does not exist in the vendor master. The system rejects it. This is:
A. Range check
B. Validity check
C. Sequence check
D. Limit check
16. An invoice batch has:
Record count: 40
Hash total: 12,590
Amount total: ₹3,60,000
After processing, only the amount total matches. What error likely occurred?
A. Wrong amounts posted
B. Missing or extra invoices
C. Transposed digits
D. Master file mismatch
17. A customer returns goods but the credit note is missing in system reports. Which control should detect it?
A. Exception report
B. Range check
C. Spooling control
D. Completeness check
18. Duplicate invoices were processed. Which input control should prevent this?
A. Check digit
B. Duplicate check
C. Limit test
D. Reasonableness check
GENERAL IT CONTROLS (Q19–30)
19. A developer accesses the live production database to fix code on a weekend. Which GITC failed?
A. Access control
B. Change management
C. Physical control
D. Output control
20. A former employee’s ID remains active for 40 days after resignation. Which control weakness?
A. Password policy
B. User provisioning / de-provisioning
C. Encryption
D. Backup procedures
21. Fire suppression, CCTVs, and biometric locks are examples of:
A. Application controls
B. Physical controls
C. Input controls
D. Output controls
22. Before pushing an update, the IT team tests it in a staging environment. This is part of:
A. Incident Management
B. SDLC – Testing phase
C. Output control
D. Network monitoring
23. Overnight batch jobs fail due to low disk space. Which GITC is weak?
A. Access control
B. Operations control
C. Physical control
D. Change management
24. A system was changed without documentation or approvals. What control failed?
A. Authorization control
B. Change management control
C. Application control
D. Validity control
25. A server room air conditioner malfunction leads to data center shutdown. Which GITC relates?
A. Environmental control
B. Input control
C. Output control
D. Processing control
26. A user from the purchasing department accesses payroll. This violates:
A. SDLC
B. Segregation of duties
C. Authentication
D. Authorization
27. A ransomware attack succeeds because backups were not updated for 2 months. GITC weakness:
A. Physical control
B. Backup & recovery
C. Access control
D. Processing control
28. A review finds that system changes were made without being logged. Weakness in:
A. Monitoring controls
B. Application controls
C. Input controls
D. Output controls
29. DRP was not tested for two years. What risk increases the most?
A. Undetected fraud
B. System recovery failure
C. Data entry errors
D. Unauthorized access
30. A power failure occurs and data is lost during processing due to no checkpoints. Control missing:
A. Batch total
B. File labeling
C. Backup during processing
D. Logic check
APPLICATION CONTROLS (Q31–40)
31. A procurement system’s 3-way match prevents:
A. Payment delays
B. Unauthorized payments
C. Duplicate purchase orders
D. Inaccurate master data
32. A customer credit limit check before order confirmation is what type?
A. Input control
B. Integrity control
C. Application authorization control
D. Output control
33. A payroll system pays only employees listed in the HR master. This is:
A. Integrity control
B. Range check
C. Validity check
D. Duplicate check
34. A system prevents a sales order unless the customer is approved by Finance. This is:
A. Processing control
B. Application-level authorization control
C. Input control
D. Output control
35. The ERP blocks invoice posting if the GL period is closed. This is:
A. Output control
B. File label check
C. Integrity & authorization control
D. Batch validation
36. A system denies payment because vendor bank details are not verified. What control is this?
A. Output control
B. Vendor master authorization control
C. Range check
D. Sequence test
37. Duplicate GRN entries were found in inventory. Missing control?
A. Run-to-run control
B. Duplicate check
C. Limit check
D. Authorization check
38. Employee salary changes require HR manager approval in the system. This ensures:
A. Input validity
B. Authorization & integrity
C. Range accuracy
D. Exception reporting
39. A system automatically logs out inactive users after 5 minutes. This is:
A. Input control
B. Application security control
C. Output control
D. Logic check
40. A bank ATM rejects a transaction for invalid PIN attempts exceeding 3. This is:
A. Limit check
B. Security control
C. Completeness control
D. Reasonableness check
TECHNIQUES TO EVALUATE CONTROLS / CAATs (Q41–50)
41. An auditor enters fake transactions into a copy of the production system to test controls. This is:
A. Parallel simulation
B. Test data
C. ITF
D. Reperformance
42. An auditor sets up a dummy department inside the live ERP and posts transactions to test controls. This is:
A. Test data
B. Parallel simulation
C. Integrated Test Facility
D. GAS analysis
43. Auditor uses ACL/IDEA to reperform depreciation calculations. This technique is:
A. Embedded module
B. GAS
C. Test data
D. Penetration testing
44. To test automated credit checks, the auditor reprocesses actual data using independent logic. This is:
A. ITF
B. Test data
C. Parallel simulation
D. Reperformance manually
45. An auditor monitors transactions in real time using audit hooks placed inside the application. This is:
A. Embedded audit modules
B. ITF
C. Parallel simulation
D. Test data
46. An auditor runs the same payroll program and compares results to the company’s output. This is:
A. Black-box testing
B. Parallel simulation
C. ITF
D. Test data
47. Auditor traces one payroll transaction from start to finish to observe control operation. This is:
A. Walkthrough
B. GAS
C. Test data
D. Penetration test
48. A cybersecurity team attempts to break into the network to test security. This is:
A. Vulnerability scan
B. Penetration testing
C. Black-box test
D. Test data
49. An auditor scans systems for missing patches and weak passwords. This is:
A. Penetration testing
B. Vulnerability assessment
C. Integrated testing
D. ITF
50. Auditor reviews logs, error reports, and user access audit trails. This is:
A. Observation
B. Inspection
C. Reperformance
D. Test data
✅ ANSWER KEY
1-B
2-B
3-B
4-A
5-A
6-A
7-B
8-A
9-B
10-B
11-B
12-B
13-A
14-B
15-B
16-B
17-A
18-B
19-B
20-B
21-B
22-B
23-B
24-B
25-A
26-D
27-B
28-A
29-B
30-C
31-B
32-C
33-A
34-B
35-C
36-B
37-B
38-B
39-B
40-B
41-B
42-C
43-B
44-C
45-A
46-B
47-A
48-B
49-B
50-B
Below are 50 CASE-STUDY BASED, TRICKY & CHALLENGING MCQs on:
✔ Input Controls
✔ Processing Controls
✔ Output Controls
✔ Application Controls
✔ General IT Controls (GITC)
✔ CAATs & IT Audit Techniques
All questions are scenario-driven like CIA/CISA/CMA exams.
Answers included at the end.
✅ 50 CASE-STUDY BASED MCQs (Challenging & Tricky)
Case 1: Payroll System Failure (Q1–5)
A company’s payroll system processed salaries incorrectly for 42 employees due to missing attendance data caused by incorrect master file updates.
1. Which control should have prevented incomplete attendance data from being used in payroll processing?
A. Range check
B. Completeness check
C. File label check
D. Authorization control
2. The HR executive mistakenly updated the wrong employee’s attendance using a similar employee code. Which control would best reduce this?
A. Check digit
B. Sequence check
C. Referential integrity
D. Limit check
3. After the payroll error, the auditor compares expected salary totals with system-generated totals. This is an example of:
A. Output reconciliation
B. Input validation
C. Test data method
D. Run-to-run totals
4. Multiple unauthorized edits were made by a junior HR staff member. Which GITC failure is indicated?
A. Change management
B. Access control
C. Physical control
D. Output control
5. Which CAAT technique would allow auditors to test payroll calculations without affecting live data?
A. ITF
B. Parallel simulation
C. GAS
D. Embedded audit module
Case 2: Procurement Fraud Risk (Q6–10)
The purchasing manager colluded with a vendor to approve fake invoices. The system did not perform 3-way matching due to a configuration error.
6. Which application control would prevent payment of fake invoices?
A. Limit check
B. Three-way match (PO–GRN–Invoice)
C. Sequence check
D. Range validation
7. The system posted invoices even when purchase orders were not approved. Which control is missing?
A. Authorization control
B. Completeness control
C. Hash total
D. Reasonableness test
8. Which general IT control ensures that system configurations like matching rules are not changed without approval?
A. Access control
B. Change management
C. Input validation
D. Physical controls
9. To identify all payments to a suspicious vendor, the auditor uses ACL to extract and analyze transactions. This reflects:
A. Test data
B. Parallel simulation
C. Embedded audit module
D. Generalized Audit Software
10. Many duplicate invoices from the vendor were found. Which specific control should prevent this?
A. Batch total
B. Duplicate check
C. Range check
D. Sign check
Case 3: Manufacturing Production Errors (Q11–15)
The production system generated wrong material usage reports. Incorrect quantities were processed due to corrupted input data.
11. Before processing, the system could have detected incorrect quantities through:
A. Sign check
B. Logic check
C. Validity check
D. Duplicate check
12. If a wrong version of the production master file was used, which control failed?
A. File label check
B. Batch total
C. Input completeness
D. Output review
13. Production totals before and after processing did NOT match. Which control detects this?
A. Run-to-run total
B. Hash total
C. Reasonableness test
D. File existence check
14. A system crash caused loss of production data during processing. Which control prevents loss?
A. Exception report
B. Checkpoints & rollback
C. Parallel simulation
D. Test data
15. Material consumption reports were distributed to wrong departments. This indicates failure of:
A. Output distribution control
B. Input validation control
C. Integrity control
D. Change management
Case 4: Banking Transaction Errors (Q16–20)
A bank ATM system allowed customers to withdraw more than the daily limit due to a coding error.
16. Which control should have prevented withdrawals exceeding limits?
A. Authentication control
B. Limit check
C. Completeness check
D. Sequence check
17. The error existed because the updated code bypassed approval. This shows weakness in:
A. Change management
B. Access control
C. Output review
D. Physical protection
18. The bank wants to test the updated ATM code using simulated accounts and transactions. Best method?
A. Test data
B. ITF
C. Parallel simulation
D. Reperformance
19. If customers received incorrect withdrawal receipts, which control should detect it?
A. Output validation
B. File label check
C. Batch control
D. Logic check
20. Auditor traces a single ATM transaction from card swipe to settlement. This is:
A. Walkthrough
B. Reperformance
C. Observation
D. Parallel testing
Case 5: Sales Order Processing Issues (Q21–25)
A sales system accepts orders even when customer credit limits are exceeded.
21. Which control should prevent this?
A. Range check
B. Credit limit validation
C. File label check
D. Hash total
22. A sales order was created for a non-existent customer code. Missing control?
A. Validity check
B. Sign check
C. Run-to-run check
D. Reasonableness check
23. To detect missing sales orders, the system should use:
A. Sequence check
B. Duplicate check
C. Limit check
D. Completeness check
24. Auditor reprocesses sales orders using independent logic to test system accuracy. Technique?
A. Test data
B. Generalized Audit Software
C. Parallel simulation
D. ITF
25. Sales invoices were printed twice and mailed twice. Which control failed?
A. Spooling control
B. Distribution control
C. Range check
D. Logic test
Case 6: Inventory Shrinkage (Q26–30)
The warehouse reported mismatched inventory records due to incorrect scanning at receipt.
26. Wrong item codes scanned should be prevented by:
A. Sequence check
B. Validity check
C. Range validation
D. Hash total
27. Barcodes unreadable due to damage indicate reliance on which input control?
A. Check digit
B. Batch control
C. Limit test
D. Sequence check
28. Lost inventory records indicate missing:
A. Backup control
B. Run-to-run control
C. Error listing control
D. Output integrity
29. Warehouse staff printed inventory reports belonging to other warehouses. Missing control?
A. Output distribution control
B. File label control
C. Authorization control
D. Access control
30. Auditor inserts fake receiving transactions into the live system using a dummy warehouse. Method?
A. Test data
B. Parallel simulation
C. ITF
D. GAS
Case 7: E-Commerce Website Failure (Q31–35)
The customer checkout module frequently crashes and loses order data.
31. Which processing control prevents order loss during crashes?
A. Logic check
B. Checkpoints & rollback
C. Exception report
D. Duplicate check
32. The system accepts invalid coupon codes, granting heavy discounts. Which control should prevent this?
A. Validity check
B. Range check
C. Hash total
D. Sequence check
33. Orders placed through the mobile app are missing in the ERP. Which control detects incomplete transfers?
A. Run-to-run total
B. File label check
C. Output reconciliation
D. Range validation
34. Customer receives emails meant for another customer. Control weakness?
A. Output distribution
B. File label check
C. Authorization
D. Integrity
35. Audit team uses automated scripts to check if all orders received online match ERP entries. Method?
A. Reperformance
B. Test data
C. GAS
D. ITF
Case 8: Financial Closing Errors (Q36–40)
GL posting errors occurred because the system allowed posting into a closed accounting period.
36. Which control should prevent postings in a closed period?
A. Authorization control
B. Integrity control
C. File label check
D. Limit check
37. Accountant modified GL mapping without approval. Control failure?
A. Input validation
B. Access control
C. Change management
D. Processing validation
38. Month-end totals before and after adjustments do not match. Which control helps detect this?
A. Sequence check
B. Hash total
C. Run-to-run total
D. Reasonableness test
39. Auditor inserts invalid GL codes to test system response. Technique?
A. Test data
B. GAS
C. Walkthrough
D. ITF
40. Financial statements printed before approvals may indicate weakness in:
A. Output distribution
B. Physical security
C. File label check
D. Range control
Case 9: Hospital Patient Billing Errors (Q41–45)
The billing system charged patients for services they never received.
41. Missing service entries in the system relate to which control?
A. Completeness check
B. Duplicate control
C. Range control
D. Limit test
42. System accepted service codes not listed in the approved medical services file. Missing control?
A. File existence check
B. Validity check
C. Sequence control
D. Sign check
43. Billing clerks accessed doctor-fee rate tables and changed rates. Weak GITC?
A. Access control
B. Output control
C. Input control
D. Hash control
44. Auditor reviews history logs to find who changed rate tables. Technique?
A. Observation
B. Inspection
C. Walkthrough
D. Reperformance
45. Auditor simulates billing using a copy of production data. This is:
A. ITF
B. Test data
C. Parallel simulation
D. GAS
Case 10: Airline Reservation System Error (Q46–50)
Customers were issued duplicate boarding passes due to system delays.
46. Which control should prevent duplicate boarding passes?
A. Duplicate check
B. Range test
C. Completeness check
D. File label check
47. Reservation system crashed due to untested patch deployment. Weakness?
A. Change management
B. Physical safeguard
C. Input control
D. Integrity control
48. Auditor enters invalid travel dates “32/13/2025” to test validation. Method?
A. ITF
B. Test data
C. Reperformance
D. Black-box test
49. Wrong flight manifests were sent to security teams. Which control failed?
A. Output distribution
B. Access control
C. File label
D. Range check
50. Auditor monitors live reservation transactions through embedded code in the system. Method?
A. Parallel simulation
B. Test data
C. Embedded audit module
D. ITF
✅ ANSWER KEY
1-B
2-C
3-A
4-B
5-B
6-B
7-A
8-B
9-D
10-B
11-B
12-A
13-A
14-B
15-A
16-B
17-A
18-A
19-A
20-A
21-B
22-A
23-A
24-C
25-A
26-B
27-A
28-A
29-A
30-C
31-B
32-A
33-A
34-A
35-C
36-A
37-C
38-C
39-A
40-A
41-A
42-B
43-A
44-B
45-C
46-A
47-A
48-B
49-A
50-C
Below are 60 extremely challenging, case-study based, scenario-driven MCQs on:
✔ Input Controls
✔ Process Controls
✔ Output Controls
✔ General IT Controls (GITCs)
✔ Application Controls
✔ Control Evaluation Techniques in Automated Environments (audit trail review, CAATs, test data, integrated test facility, continuous auditing, etc.)
These are difficult, layered with traps, and designed for CMA / CIA / CISA exam level.
✅ 60 ULTRA-DIFFICULT SCENARIO MCQs WITH ANSWERS
(Answers provided after each question)
INPUT CONTROLS (1–12)
1. A company uses barcode scanners to capture warehouse shipments. Auditors notice that when barcodes are damaged, employees manually key in shipment codes, often entering incorrect digits. Which control would MOST effectively reduce incorrect manual entries?
A. Limit checks
B. Check digit verification
C. Range check
D. Reasonableness check
Answer: B
2. A bank requires loan officers to type customer IDs manually if the magnetic card reader fails. Several cases were found where invalid IDs were entered and processed. The BEST control?
A. Field format check
B. Pre-numbered forms
C. Dual authorization
D. Database access control
Answer: A
3. During data entry on vendor invoices, an AP clerk enters a quantity of “9,000” instead of “900.” The system accepts it because the vendor sometimes ships in bulk. What input control is missing?
A. Sequence check
B. Reasonableness check
C. Existence check
D. Batch total check
Answer: B
4. A retail POS system occasionally records duplicate sales when the cashier presses “Enter” twice. Which control prevents duplication?
A. Limit test
B. Field check
C. Transaction edit check
D. Duplicate record check
Answer: D
5. An online banking system allows users to input unlimited-length text for the payee name and amount field, causing data truncation errors. Missing control?
A. Limit check
B. Size check
C. Completeness check
D. Range check
Answer: B
6. Customer orders entered into the ERP often miss mandatory fields like “Shipping Address.” Which control?
A. Completeness check
B. Redundant data check
C. Reasonableness test
D. Logical check
Answer: A
7. A system validates vendor numbers by checking their existence in the master file. This is:
A. SIC
B. Validity check
C. Hash total check
D. Control total check
Answer: B
8. A data-entry clerk uploads a batch of transactions, but one transaction was missing. What control prevents incomplete batch uploads?
A. Cross-footing check
B. Hash total
C. Record count check
D. Limit check
Answer: C
9. A clerk typed “31 Feb 2025” and the system accepted it. Missing:
A. Sequence check
B. Limit check
C. Range check
D. Validity check
Answer: D
10. An insurance firm receives scanned claim forms. The OCR system misreads some fields. BEST control?
A. Dual entry
B. Field check
C. Batch totals
D. Manual review of exception reports
Answer: D
11. A data-entry operator mistakenly swaps customer ID and product ID columns. What prevents wrong field assignment?
A. Field label check
B. Format check
C. Reasonableness check
D. Table lookup check
Answer: B
12. A clerk enters a quantity of “–50” and the system accepts negative values. Missing?
A. Limit check
B. Validity check
C. Reasonableness test
D. Input mask
Answer: A
PROCESS CONTROLS (13–24)
13. Payroll runs continue to process terminated employees because HR updates are not integrated. BEST control?
A. Sequence checks
B. Automated interface reconciliation
C. Limit checks
D. Output review
Answer: B
14. A bank’s loan system recalculates interest incorrectly on leap years. The cause is most likely a failure in:
A. Input validation
B. Processing logic controls
C. Output accuracy
D. IT general controls
Answer: B
15. An ERP accidentally processes the same batch twice. BEST prevention?
A. Logging
B. Checkpoint restart
C. Run-to-run controls
D. File lockout
Answer: C
16. An insurance claim is processed even though supporting documents were not uploaded. Missing process control?
A. Edit check
B. Exception handling
C. Conditional processing
D. Interface control
Answer: C
17. The system truncates large numbers in financial reports. Cause?
A. Input mask error
B. Buffer overflow
C. Processing routine error
D. Output formatting error
Answer: C
18. A manufacturing system processes production quantities without checking against BOM standards. Missing:
A. Run-to-run controls
B. Reasonableness test
C. Validity test
D. Dual access control
Answer: B
19. Order processing logic allows discount > 40% without approval. Missing:
A. Workflow control
B. Range check
C. Business rule control
D. Exception control
Answer: C
20. A bank batch job crashes midway, causing data imbalance. Needed:
A. Sequence check
B. Control total
C. Checkpoint restart
D. Reconciliation
Answer: C
21. Data transmitted between modules is sometimes lost. Best control?
A. Echo check
B. Reasonableness check
C. Record count
D. File validation
Answer: A
22. A hospital billing system performs calculations incorrectly only when special characters are entered in patient details. Root issue?
A. Input error
B. Weak processing logic validation
C. Weak GITC
D. Output error
Answer: B
23. Inventory adjustments get overwritten when concurrent entries occur. Best control?
A. Lockout control
B. Version control
C. Concurrent update control
D. Batch control
Answer: C
24. An application combines two fields in processing but occasionally swaps them. Control?
A. Field mapping validation
B. Limit test
C. Edit check
D. Reperformance
Answer: A
OUTPUT CONTROLS (25–32)
25. Sensitive payroll reports are emailed as PDFs without encryption. Lacking:
A. Output validation control
B. Output distribution control
C. Logical access control
D. Data classification control
Answer: B
26. Financial statements print incomplete totals because the system did not verify full report creation. Needed:
A. Pagination control
B. Output completeness check
C. Hash total check
D. Batch control
Answer: B
27. Customer invoices sometimes print without item descriptions. Why?
A. Missing processing logic
B. Poor output field mapping
C. Weak input validation
D. Inaccurate master data link
Answer: D
28. Printed reports sometimes exclude the last page. Best control?
A. End-of-report message
B. Output validation
C. Job control language check
D. Reconciliation
Answer: A
29. An automated system emails duplicate copies of invoices to customers. Missing:
A. Output logging
B. Print spooling
C. Output sequence control
D. Access control
Answer: C
30. A manufacturing report shows “0 units produced,” but the audit trail shows production occurred. Likely failure?
A. Input
B. Output formatting
C. Process logic
D. Data summarization
Answer: D
31. Users complain that output reports display outdated data. Missing:
A. Cache control
B. Real-time data sync
C. Output-to-input reconciliation
D. Timestamp check
Answer: D
32. Management receives overly detailed output reports containing confidential data. Needed:
A. Report filtering controls
B. Encryption
C. Access rights
D. Print authorization
Answer: A
GENERAL IT CONTROLS (33–46)
33. A developer with production access modifies code during a financial close. Which GITC failed?
A. Backup control
B. Change management
C. Incident response
D. Logical access
Answer: D
34. Developers deploy code directly without testing. Missing:
A. Configuration control
B. Systems development control
C. Change migration control
D. Version control
Answer: C
35. A ransomware attack succeeded because employees reused passwords. Issue with:
A. Authentication
B. Authorization
C. Availability
D. Integrity
Answer: A
36. Frequent system outages are caused by untested patches. GITC weakness?
A. Logical access
B. Backup and recovery
C. Change management
D. Operations control
Answer: C
37. Backup tapes are stored in the same room as the servers. Which principle is violated?
A. Segregation of duties
B. Confidentiality
C. Offsite backup control
D. Incident response
Answer: C
38. A terminated employee’s login works for two weeks. Cause?
A. Faulty HR interface
B. Poor termination procedures
C. Bad patching
D. Weak monitoring
Answer: B
39. Unauthorized changes detected in log files. Missing:
A. Encryption
B. Access control
C. Integrity checks
D. Monitoring
Answer: C
40. Disaster recovery test reveals missing vendor contact numbers. Issue?
A. IR plan incomplete
B. BCP not updated
C. DRP outdated
D. Access rights incomplete
Answer: C
41. System runs out of storage every quarter, halting processes. Missing:
A. Capacity management
B. Backup control
C. Incident management
D. Monitoring
Answer: A
42. A system update removed critical accounting configuration. Lacking:
A. Change documentation
B. Parallel testing
C. Segregation of duties
D. Backup rollback
Answer: A
43. User passwords are stored in plain text. Missing:
A. Encryption control
B. Access control
C. Firewalls
D. Authentication control
Answer: A
44. A vendor-managed system allows the vendor unrestricted admin access. Weakest area?
A. Patch management
B. SLA security clause
C. Network monitoring
D. Backup access
Answer: B
45. Unauthorized USB devices are found accessing files. Control needed?
A. Physical control
B. Endpoint security
C. Logical access
D. Cryptographic control
Answer: B
46. A power outage caused a database corruption. Missing:
A. UPS control
B. Backup control
C. Data integrity
D. Failover cluster
Answer: A
APPLICATION CONTROLS (47–53)
47. An ERP does not prevent posting of journal entries without a description. Missing:
A. Completeness check
B. Application logic control
C. Range check
D. Format check
Answer: A
48. A system generates duplicate purchase orders. Weak:
A. Sequence control
B. Input control
C. Authorization logic
D. Transaction ID control
Answer: D
49. Discount approval workflow allows bypass when the system is offline. Weak:
A. Workflow control
B. Authorization logic
C. Interface control
D. Override control
Answer: D
50. A mobile banking app crashes when large attachments are uploaded. Cause?
A. Input validation
B. Exception handling
C. Poor data processing
D. Insufficient memory control
Answer: B
51. Customers receive statements with another customer’s name. Failure:
A. Data classification
B. Output control
C. Application access logic
D. Data mapping
Answer: D
52. The VAT calculation module fails when new rates are introduced. Missing:
A. Change management
B. Parameterization
C. Authorization
D. Validation
Answer: B
53. A company performs month-end closing manually due to application failure. Weak:
A. Automated control
B. System integration
C. Application reliability
D. Backup processing
Answer: C
CONTROL EVALUATION TECHNIQUES (54–60)
54. Auditors plant fictitious employees in payroll to test controls continuously. Technique?
A. Test data
B. Parallel simulation
C. Integrated Test Facility (ITF)
D. Reperformance
Answer: C
55. Auditors run their own calculation program and compare results with system output. Technique?
A. ITF
B. Parallel simulation
C. Reperformance
D. Test data
Answer: B
56. Auditors submit invalid transactions to see if the system rejects them. Technique?
A. CAATs test data
B. ITF
C. Parallel processing
D. Examination
Answer: A
57. Auditors use scripts to continuously scan for unusual transactions. Technique?
A. Real-time monitoring
B. Continuous auditing
C. Exception reporting
D. Parallel testing
Answer: B
58. Auditors test entire data sets instead of samples. Technique?
A. Data analytics
B. CAATs
C. Test data
D. ADA (Audit Data Analysis)
Answer: B
59. A system generates an alert when a user overrides a control. This supports which auditing method?
A. Test data
B. Embedded audit module
C. Data tracing
D. Exception reporting
Answer: B
60. Auditors trace data from source documents through each system stage. Method?
A. Process walkthrough
B. Data tracing
C. Reconciliation
D. Reperformance
Answer: B
✅ CASE STUDY 1 — Cloud-Based ERP Financial Close Failure
A multinational company, Arden Global, recently migrated its entire financial closing process to a cloud-based ERP. During the first quarter-end close after migration, several critical failures occurred:
- Journal entries posted by external consultants without approval
- Scheduled batch jobs (currency revaluation, depreciation, accrual postings) ran out of sequence
- The interface between AP and GL transferred incomplete batches with missing invoices
- System logs showed mass overrides by a single power user
- Management reports showed inconsistent totals due to cache delays in the reporting database
- Backup restoration tests failed: restored database contained data from 3 days earlier
- A newly deployed patch caused the foreign exchange rate table to reset to default values
You are the internal auditor assigned to evaluate the breakdown.
MCQs (1–7)
1. The MOST significant control failure leading to unauthorized journal entries posted by external consultants is:
A. Weak input validation controls
B. Ineffective change management
C. Inadequate role-based access and provisioning controls
D. Poor interface reconciliation
2. Batch jobs running out of sequence indicate a failure in:
A. Application access security
B. IT operations scheduling controls
C. Input completeness checks
D. Backup and restoration configuration
3. The AP → GL interface is transmitting batches with missing invoices. Which control would MOST effectively detect this BEFORE posting?
A. Run-to-run totals in GL
B. Hash total and record count reconciliation at the interface layer
C. Edit checks in AP data entry
D. Output report validation
4. A single power user executed multiple overrides during financial close. The MOST effective detective control is:
A. Periodic user access review
B. Continuous monitoring of privileged user activity logs
C. Segregation of duties during role assignment
D. Multi-factor authentication for superusers
5. The inconsistency in management reports due to reporting database cache delays indicates a weakness in:
A. Output formatting control
B. Real-time data synchronization and replication controls
C. Input completeness
D. Reasonableness checks in reporting logic
6. The backup restoration produced data from three days earlier. Which GITC weakness is the ROOT cause?
A. Backup encryption failure
B. Backup scheduling or job failure not being monitored
C. Excessive backup retention
D. Incorrect user access to backup files
7. The patch deployment that reset FX rate tables indicates failure in:
A. Application-level interface controls
B. Configuration management and regression testing
C. Input validation rules
D. Audit trail integrity controls
✅ ANSWER KEY — CASE STUDY 1
1 — C
2 — B
3 — B
4 — B
5 — B
6 — B
7 — B
✅ CASE STUDY 2 — Automated Payroll System Fraud & Processing Breakdown
A large retail chain DeltaMart uses a fully automated cloud payroll system integrated with biometric attendance. During an internal fraud investigation, auditors discovered:
- 18 ghost employees were created in the HR master by an HR supervisor
- The system processed payroll even when biometric data was missing or unreadable
- A recent system enhancement disabled the “duplicate bank account detection” rule
- Payroll batches were uploaded to the bank without review of exception reports
- Overtime calculations showed systematic inflation due to a flawed calculation algorithm
- User access review showed terminated employees retained access for 45 days
- The IT audit trail shows missing logs for 3 critical payroll days due to logging service failure
As the internal auditor, you must determine root causes and control gaps.
MCQs (1–7)
1.
The creation of 18 ghost employees MOST directly indicates a breakdown in:
A. Input validation controls
B. Access provisioning and segregation of duties within HR master maintenance
C. Payroll batch reconciliation
D. Exception-handling workflow
2.
Biometric data missing but payroll still processing indicates failure in:
A. Input completeness and mandatory field validation
B. Application access control
C. Payroll cycle reconciliation
D. GITC disaster recovery
3.
The removal of duplicate bank account detection after a system enhancement indicates a failure in:
A. Incident response
B. Change management and regression testing
C. Input validation checks
D. Role-based provisioning
4.
Payroll batches uploaded to the bank without reviewing exception reports is primarily a failure in:
A. General IT controls
B. Output control and review procedures
C. Input validation
D. Business continuity planning
5.
Systematic overtime inflation due to flawed algorithms MOST directly signals:
A. Incorrect input controls
B. Processing logic failure due to poor unit and integration testing
C. Output distribution errors
D. Incorrect master data configuration
6.
Terminated employees retaining access for 45 days is a breakdown of:
A. Multi-factor authentication
B. Identity and access management lifecycle controls
C. Password rotation policies
D. Output controls
7.
Missing system logs for critical payroll processing days implies:
A. Poor log retention storage
B. Ineffective continuous monitoring of logging service health
C. Weak encryption over logs
D. Over-reliance on manual compensating controls
✅ ANSWER KEY — CASE STUDY 2
1 — B
2 — A
3 — B
4 — B
5 — B
6 — B
7 — B
✅ CASE STUDY 3 — Manufacturing Execution System (MES) Data Integrity Collapse
Titan Motors, a global automotive manufacturer, relies on a Manufacturing Execution System (MES) integrated with ERP for real-time production, inventory valuation, and quality control.
During an internal audit, the following issues were discovered:
- Production orders were automatically closed by the MES even though physical production was incomplete
- The PLC–MES interface intermittently dropped sensor readings, resulting in missing machine data
- Quality checks were bypassed when operators used an administrator override key, intended only for emergencies
- The ERP inventory valuation showed negative quantities in several plants
- A recent MES patch caused part master data to default to old standard rates, inflating WIP
- MES audit logs rotated every 24 hours, causing loss of detailed traceability for investigations
- Control room monitoring dashboards showed outdated machine data because the real-time refresh connector had failed for 3 weeks
This system is considered mission-critical for safety and financial reporting.
MCQs (1–7)
1.
Automatic closure of production orders despite incomplete physical production indicates a failure in:
A. Input validation controls
B. Workflow and processing logic controls in MES
C. Output verification control
D. General IT access management
2.
The intermittent loss of PLC sensor readings MOST likely represents a breakdown in:
A. Input completeness controls at the interface layer
B. Output formatting
C. Master data maintenance
D. Application access rights
3.
Operators bypassing quality checks using an admin override key indicates weakness in:
A. Segregation of duties and privilege restriction
B. Input data validation
C. Backup and recovery
D. Physical access control to the shop floor
4.
Negative inventory appearing in ERP is MOST likely caused by:
A. Incorrect output reports
B. Failed interface reconciliation and run-to-run controls
C. Faulty input validation
D. Poor user training
5.
A patch causing part master data to revert to old standard rates indicates failure in:
A. Regression testing and configuration management
B. Interface validation
C. Exception handling
D. Output distribution controls
6.
24-hour log rotation causing loss of traceability affects:
A. Application availability
B. Audit trail integrity and forensic readiness
C. Backup scheduling
D. Output validation
7.
Dashboards showing outdated machine data due to failed data refresh connector highlight weakness in:
A. Output formatting controls
B. Real-time data replication and monitoring controls
C. Mandatory field validation
D. Encryption controls
✅ ANSWER KEY — CASE STUDY 3
1 — B
2 — A
3 — A
4 — B
5 — A
6 — B
7 — B
CASE STUDY 4 — Advanced, Tricky, Scenario-Based MCQs (CMA / CIA / CISA–Level)
Theme: Cybersecurity Governance, Data Governance, IT Controls, Fraud Risk & Ethics
📘 CASE STUDY 4: “THE PHANTOM ACCESS INCIDENT”
Background:
GlobalTech Manufacturing Ltd. (GTML) operates in 14 countries. Its ERP integrates procurement, inventory, payroll, and financial reporting.
A recent internal audit identified unusual system behaviour:
- Multiple failed login attempts to the CFO account at 2:47 AM.
- Successful login from an unregistered IP address 20 minutes later.
- Several vendor master data fields were changed, including bank account numbers.
- System logs show the use of a privileged service account the same night.
- The IT security manager claims all privileged accounts require MFA, but auditors found that service accounts bypass MFA due to “operational constraints.”
- A whistleblower reported that an AP supervisor might be colluding with an external vendor.
MCQ 1
The internal auditors discovered that bank account details were changed using a privileged service account that bypasses MFA.
What is the MOST significant control weakness?
A. Lack of segregation of duties in the AP department
B. Improper monitoring of master data change logs
C. Privileged accounts not subject to full authentication controls
D. Unusual login times not flagged by the system
Correct Answer: C
Why: The ability for privileged accounts to bypass MFA is the root enabler of unauthorized access. The other issues are important, but secondary.
MCQ 2
After investigating, auditors found that the privileged service account had its password last changed 3 years ago because it is used for automated scripts. What should the auditor recommend FIRST?
A. Disable the account immediately
B. Rotate credentials and enforce periodic password changes
C. Implement real-time monitoring of automated scripts
D. Require AP supervisors to approve all master data changes
Correct Answer: B
Why: Immediate disabling may break core operations.
The FIRST step is credential rotation and enforcing lifecycle management.
MCQ 3
The CFO asks whether this incident indicates an “override of controls.”
Which factor BEST indicates that management override likely occurred?
A. Changes were made during non-working hours
B. Vendor accounts were modified without approval
C. Logs show access from an external IP not on the whitelist
D. A privileged account was intentionally configured to bypass MFA
Correct Answer: D
Why: Designing or permitting privileged accounts to bypass MFA reflects intentional weakening of controls, a hallmark of override.
MCQ 4
The AP supervisor claims the vendor bank changes were made “for urgent payment processing.” The auditor notes the supervisor’s nephew works for that vendor. Which principle of the IIA Code of Ethics is MOST violated?
A. Competency
B. Confidentiality
C. Integrity
D. Objectivity
Correct Answer: D (Objectivity)
Why: Conflict of interest directly affects independence and unbiased judgment.
MCQ 5
An external cybersecurity consultant reviewed the access logs and reported that “the anomalous login behaviour should have triggered alerts under the SIEM configuration.”
What does this MOST directly indicate?
A. Ineffective detective controls
B. Poor configuration management
C. Weak application controls
D. Lack of preventive controls
Correct Answer: A
Why: The SIEM (Security Information & Event Management) is a detective control, and it failed to identify suspicious events.
📘 CASE STUDY 5 — Ultra-Challenging, Scenario-Based MCQs (CMA / CIA / CISA Exam Level)
Theme: Data Governance · IT General Controls · Fraud Risk · Cyber Incident Response · Ethical Dilemmas
CASE STUDY 5: “THE SILENT DATA CORRUPTION CRISIS”
Background:
NovaHealth Diagnostics (NHD) runs 32 labs and uses a centralized Laboratory Information Management System (LIMS) that integrates:
- Billing
- Payroll
- Inventory
- Diagnostic results
- Regulatory reporting
During a quarterly audit, internal auditors discovered:
- Multiple patient test results were overwritten without a system alert.
- The database integrity logs show checksum mismatches on three tables.
- A junior IT administrator recently ran a schema update script in production without peer review.
- Backup restoration test failed — last three backups were corrupted.
- A vendor support engineer had VPN access at the same time the data corruption occurred.
- Finance noted unexplained increases in reagent consumption and inventory adjustments.
MCQ 1
The most critical concern when test results are overwritten without any alert is a failure in:
A. Authorization controls
B. Data integrity controls
C. Input validation controls
D. Segregation of duties
Correct Answer: B
Checksum mismatches and silent overwrites are direct evidence that data integrity controls have failed.
MCQ 2
The IT administrator claims the schema update was “routine.” What should the auditor assess FIRST?
A. Whether the script was approved in the change management system
B. Whether version control documentation exists
C. Whether the developer understood the system impact
D. Whether the script was tested in UAT
Correct Answer: A
The FIRST test is always whether the change was formally approved through change management.
MCQ 3
The vendor VPN session overlaps with the corruption timestamp. What is the BEST immediate auditor response?
A. Terminate vendor access permanently
B. Request the VPN activity logs and session commands
C. Assume vendor involvement since timing matches
D. Disable all external VPN accounts
Correct Answer: B
The correct professional step is to obtain evidence, not jump to conclusions.
MCQ 4
The corrupted backups indicate a long-standing issue. Which control weakness does this MOST strongly point to?
A. Poor incident response
B. Weak data classification policies
C. Ineffective backup monitoring and testing
D. Inadequate user access provisioning
Correct Answer: C
Failed restoration means backup integrity verification controls are ineffective.
MCQ 5
Finance suspects inventory fraud because reagent usage is higher while the number of tests has remained steady. Which red flag BEST supports this?
A. Lack of automated reconciliation between LIMS and inventory module
B. Vendor engineer had system access
C. Backups were corrupted
D. Schema update ran in production
Correct Answer: A
Without automated reconciliation, quantities can be manipulated to cover theft or misuse.
CASE STUDY 5 — CONTINUED (MCQs 6–15)
Ultra-difficult · Scenario-based · CIA/CISA/CMA exam level
We continue the same case:
NovaHealth Diagnostics (NHD) has
- silent data overwrites,
- checksum mismatches,
- unapproved schema updates,
- corrupted backups,
- vendor VPN access overlaps,
- suspicious reagent inventory usage.
MCQ 6
The checksum mismatches appear only on tables that were part of the schema update. What is the auditor’s MOST likely conclusion?
A. The corruption is unrelated to the change
B. Change management controls failed and data integrity was compromised
C. The vendor intentionally manipulated the data
D. User access provisioning caused the issue
✅ Correct Answer: B
The mismatches are confined to the tables touched by the unreviewed schema change, so the most likely conclusion is that change management failed and data integrity was compromised as a result.
MCQ 7
The auditor notices that the LIMS audit log does not record “before–after” values for data changes. Which critical control is missing?
A. Input edit checks
B. Preventive access control
C. Non-repudiation and traceability
D. Encryption of data at rest
✅ Correct Answer: C
Without before–after values, user accountability and traceability are lost.
MCQ 8
Restoration testing shows the last 3 backups are all corrupted. What does this imply about internal controls?
A. The corruption must have happened more than 3 days ago
B. Backup retention policy is adequate
C. Backups are not encrypted
D. Backup process lacks end-to-end verification
✅ Correct Answer: D
The system is backing up already-corrupted data without noticing, which means the backup process has no end-to-end verification or validation.
MCQ 9
Which indicator MOST strongly suggests intentional tampering rather than system error?
A. Only specific patient records of high-profile clients were altered
B. Multiple tables have checksum mismatches
C. Backups are corrupted
D. Vendor had remote access during the incident
✅ Correct Answer: A
Alterations targeted at specific records point to intentional tampering rather than accidental corruption.
MCQ 10
Which control would MOST effectively prevent unapproved schema changes in production?
A. Database encryption
B. Automated role-based access control with production lockout
C. Manual review of logs
D. Password rotation
✅ Correct Answer: B
RBAC + production environment lockout prevents direct DDL/DML execution by junior staff.
MCQ 11
Inventory adjustments are not separately approved and are part of a daily automated batch. What key control is missing?
A. Supervisory review of exception reports
B. Encryption between LIMS and Inventory module
C. Input formatting rules
D. Two-factor authentication
✅ Correct Answer: A
Without manual review, fraudulent adjustments can be hidden inside batches.
MCQ 12
Which of the following would BEST detect silent overwriting of patient results?
A. Duplicate record checks
B. Hash-based record versioning (immutable logs)
C. Stronger password rules
D. Data entry training
✅ Correct Answer: B
With immutable logs and hash-based versioning, a record cannot be overwritten without detection, because the altered record no longer matches its recorded hash.
MCQ 13
The internal auditor finds that the vendor’s VPN account is shared by 4 engineers. What is the MAJOR risk?
A. Excessive log size
B. Lack of accountability and inability to attribute actions
C. Use of weak internet
D. Vendor lock-in risk
✅ Correct Answer: B
Shared credentials mean actions cannot be traced to an individual, which is a major audit violation.
MCQ 14
The IT team claims the checksum mismatch is a “false positive.” What should the auditor request FIRST?
A. Independent recalculation of checksums
B. A meeting with the vendor
C. Proof that the result is harmless
D. Review of password policies
✅ Correct Answer: A
The auditor should independently recompute the checksums to establish whether the data corruption is real.
MCQ 15
If the LIMS system auto-deletes log files after 48 hours due to storage limitations, what is the MOST severe consequence?
A. Increased cost of storage
B. Loss of forensic evidence during fraud or breach investigations
C. Slower system performance
D. Higher backup frequency
✅ Correct Answer: B
Such short log retention leaves no forensic trail, an extremely high risk in healthcare.
CASE STUDY 5 — CONTINUED (MCQs 16–25)
Ultra-difficult · Scenario-based · CIA / CISA / CMA Part 1 control environment level
MCQ 16
The auditor discovers that the database server’s system clock is 4 minutes ahead of the application server. This MOST critically affects:
A. User authentication
B. Log correlation and incident reconstruction
C. Encryption strength
D. Backup compression
✅ Correct Answer: B
Time desynchronization breaks log correlation, making investigations unreliable.
MCQ 17
NHD uses a batch job to sync reagent usage from LIMS to Inventory every 8 hours. Corrupted transactions in LIMS caused the batch to stop mid-run without alerting Finance. This indicates a failure in:
A. Input edit controls
B. Run-to-run completeness checks and batch failure alerts
C. Output formatting controls
D. IT asset management
✅ Correct Answer: B
A batch job needs run-to-run totals and failure alerts so that an aborted run is detected and reported.
MCQ 18
The auditor finds disabled audit logging on the table containing high-value reagent consumption data. What is the strongest implication?
A. Storage optimization
B. Unauthorized suppression of evidence
C. Poor hardware performance
D. Lack of user training
✅ Correct Answer: B
Disabling audit logging on a sensitive table suggests possible intentional concealment.
MCQ 19
During corruption, several rows were updated with NULL values, but NULL is not allowed for that field. Which control failed?
A. Business rule validation
B. Authentication
C. Encryption
D. Change approval
✅ Correct Answer: A
A NULL value appearing in a field defined as NOT NULL shows that business rule validation failed.
MCQ 20
A forensic specialist notes that the corruption occurred at 02:14 AM, exactly when the nightly index rebuild is scheduled. What is the BEST conclusion?
A. Index rebuild caused intentional tampering
B. Index rebuild might have exposed an existing flaw or triggered corruption
C. Index rebuild is unnecessary
D. Index rebuild should never be automated
✅ Correct Answer: B
Rebuilds can expose latent schema/data integrity issues — not necessarily fraud.
MCQ 21
The vendor states: “We run scripts only when the customer authorizes us.” What should the auditor request to validate this claim?
A. Password policy documentation
B. Vendor SOC 2 report
C. Ticketing system logs showing approval + timestamps
D. Network diagram
✅ Correct Answer: C
Must verify approval evidence, not just vendor assurance.
MCQ 22
An analysis shows that user IDs used during corruption were active for over 3 hours of idle time. This indicates a deficiency in:
A. Encryption
B. Automatic session timeout controls
C. Data masking
D. Job rotation
✅ Correct Answer: B
Sessions that remain active through long idle periods indicate weak or disabled session timeout controls.
MCQ 23
During interviews, LIMS operators mention they frequently “override system warnings because they slow us down.” What control weakness is evident?
A. Access provisioning
B. Poor user awareness and weak enforcement of preventive controls
C. Incident response
D. Data classification
✅ Correct Answer: B
Users routinely bypassing warnings shows that preventive controls are not enforced and that user awareness training is inadequate.
MCQ 24
A root-cause analysis reveals that the corruption began immediately after a failed hotfix deployment. Which control would MOST likely have prevented the issue?
A. Network segmentation
B. Mandatory rollback procedures and deployment OR reversal plans
C. Mandatory vacation policy
D. Batch monitoring
✅ Correct Answer: B
Hotfix failures require automatic rollback policies.
MCQ 25
Which control would BEST detect unauthorized schema modifications in real time?
A. File integrity monitoring (FIM) on database binaries
B. Host-based intrusion detection (HIDS) with DDL/DML monitoring rules
C. Monthly DBA review
D. Manual peer review of logs
✅ Correct Answer: B
HIDS can detect real-time schema modifications with DDL triggers.