CISA (Certified Information Systems Auditor)

When auditing third-party service providers, an IS auditor should be concerned with which of the
following? Choose the BEST answer.
A. Ownership of the programs and files
B. A statement of due care and confidentiality, and the capability for continued service of the
service provider in the event of a disaster
C. A statement of due care
D. Ownership of programs and files, a statement of due care and confidentiality, and the
capability for continued service of the service provider in the event of a disaster
Answer: D
When performing an IS strategy audit, an IS auditor should review both short-term (one-year) and
long-term (three- to five-year) IS strategies, interview appropriate corporate management
personnel, and ensure that the external environment has been considered. The auditor should
especially focus on procedures in an audit of IS strategy. True or false?
A. True
B. False
Answer: B
What process allows IS management to determine whether the activities of the organization differ
from the planned or expected levels? Choose the BEST answer.
A. Business impact assessment
B. Risk assessment
C. IS assessment methods
D. Key performance indicators (KPIs)
Answer: C
When should reviewing an audit client's business plan be performed relative to reviewing an
organization's IT strategic plan?
A. Reviewing an audit client's business plan should be performed before reviewing an
organization's IT strategic plan.
B. Reviewing an audit client's business plan should be performed after reviewing an
organization's IT strategic plan.
C. Reviewing an audit client's business plan should be performed during the review of an
organization's IT strategic plan.
D. Reviewing an audit client's business plan should be performed without regard to an
organization's IT strategic plan.
Answer: A
Allowing application programmers to directly patch or change code in production programs
increases risk of fraud. True or false?
A. True
B. False
Answer: A
Who should be responsible for network security operations?
A. Business unit managers
B. Security administrators
C. Network administrators
D. IS auditors
Answer: B
Proper segregation of duties does not prohibit a quality control administrator from also being
responsible for change control and problem management. True or false?
A. True
B. False
Answer: A
What can be implemented to provide the highest level of protection from external attack?
A. Layering perimeter network protection by configuring the firewall as a screened host in a
screened subnet behind the bastion host
B. Configuring the firewall as a screened host behind a router
C. Configuring the firewall as the protecting bastion host
D. Configuring two load-sharing firewalls facilitating VPN access from external hosts to internal
hosts
Answer: A
The directory system of a database-management system describes:
A. The access method to the data
B. The location of data AND the access method
C. The location of data
D. Neither the location of data NOR the access method
Answer: B
How is the risk of improper file access affected upon implementing a database system?
A. Risk varies.
B. Risk is reduced.
C. Risk is not affected.
D. Risk is increased.
Answer: D
In order to properly protect against unauthorized disclosure of sensitive data, how should hard
disks be sanitized?
A. The data should be deleted and overwritten with binary 0s.
B. The data should be demagnetized.
C. The data should be low-level formatted.
D. The data should be deleted.
Answer: B
When reviewing print systems spooling, an IS auditor is MOST concerned with which of the
following vulnerabilities?
A. The potential for unauthorized deletion of report copies
B. The potential for unauthorized modification of report copies
C. The potential for unauthorized printing of report copies
D. The potential for unauthorized editing of report copies
Answer: C
Why is the WAP gateway a component warranting critical concern and review for the IS auditor
when auditing and testing controls enforcing message confidentiality?
A. WAP is often configured by default settings and is thus insecure.
B. WAP provides weak encryption for wireless traffic.
C. WAP functions as a protocol-conversion gateway for wireless TLS to Internet SSL.
D. WAP often interfaces critical IT systems.
Answer: C
Proper segregation of duties prevents a computer operator (user) from performing security
administration duties. True or false?
A. True
B. False
Answer: A
How do modems (modulation/demodulation) function to facilitate analog transmissions to enter a
digital network?
A. Modems convert analog transmissions to digital, and digital transmission to analog.
B. Modems encapsulate analog transmissions within digital, and digital transmissions within
analog.
C. Modems convert digital transmissions to analog, and analog transmissions to digital.
D. Modems encapsulate digital transmissions within analog, and analog transmissions within
digital.
Answer: A
Which of the following are effective in detecting fraud because they have the capability to
consider a large number of variables when trying to resolve a problem? Choose the BEST
answer.
A. Expert systems
B. Neural networks
C. Integrated synchronized systems
D. Multitasking applications
Answer: B
What supports data transmission through split cable facilities or duplicate cable facilities?
A. Diverse routing
B. Dual routing
C. Alternate routing
D. Redundant routing
Answer: A
What type(s) of firewalls provide(s) the greatest degree of protection and control because both
firewall technologies inspect all seven OSI layers of network traffic?
A. A first-generation packet-filtering firewall
B. A circuit-level gateway
C. An application-layer gateway, or proxy firewall, and stateful-inspection firewalls
D. An application-layer gateway, or proxy firewall, but not stateful-inspection firewalls
Answer: C
Which of the following can degrade network performance? Choose the BEST answer.
A. Superfluous use of redundant load-sharing gateways
B. Increasing traffic collisions due to host congestion by creating new collision domains
C. Inefficient and superfluous use of network devices such as switches
D. Inefficient and superfluous use of network devices such as hubs
Answer: D
Which of the following provide(s) near-immediate recoverability for time-sensitive systems and
transaction processing?
A. Automated electronic journaling and parallel processing
B. Data mirroring and parallel processing
C. Data mirroring
D. Parallel processing
Answer: B
What is an effective control for granting temporary access to vendors and external support
personnel? Choose the BEST answer.
A. Creating user accounts that automatically expire by a predetermined date
B. Creating permanent guest accounts for temporary use
C. Creating user accounts that restrict logon access to certain hours of the day
D. Creating a single shared vendor administrator account on the basis of least-privileged access
Answer: A
Which of the following help(s) prevent an organization's systems from participating in a distributed
denial-of-service (DDoS) attack? Choose the BEST answer.
A. Inbound traffic filtering
B. Using access control lists (ACLs) to restrict inbound connection attempts
C. Outbound traffic filtering
D. Recentralizing distributed systems
Answer: C
What is a common vulnerability, allowing denial-of-service attacks?
A. Assigning access to users according to the principle of least privilege
B. Lack of employee awareness of organizational security policies
C. Improperly configured routers and router access lists
D. Configuring firewall access rules
Answer: C
What are trojan horse programs? Choose the BEST answer.
A. A common form of internal attack
B. Malicious programs that require the aid of a carrier program such as email
C. Malicious programs that can run independently and can propagate without the aid of a carrier
program such as email
D. A common form of Internet attack
Answer: D
What is/are used to measure and ensure proper network capacity management and availability of
services? Choose the BEST answer.
A. Network performance-monitoring tools
B. Network component redundancy
C. Syslog reporting
D. IT strategic planning
Answer: A
What can be used to gather evidence of network attacks?
A. Access control lists (ACL)
B. Intrusion-detection systems (IDS)
C. Syslog reporting
D. Antivirus programs
Answer: B
Which of the following is a passive attack method used by intruders to determine potential
network vulnerabilities?
A. Traffic analysis
B. SYN flood
C. Denial of service (DoS)
D. Distributed denial of service (DDoS)
Answer: A
Which of the following fire-suppression methods is considered to be the most environmentally
friendly?
A. Halon gas
B. Deluge sprinklers
C. Dry-pipe sprinklers
D. Wet-pipe sprinklers
Answer: C
What is a callback system?
A. It is a remote-access system whereby the remote-access server immediately calls the user
back at a predetermined number if the dial-in connection fails.
B. It is a remote-access system whereby the user's application automatically redials the remote-
access server if the initial connection attempt fails.
C. It is a remote-access control whereby the user initially connects to the network systems via
dial-up access, only to have the initial connection terminated by the server, which then
subsequently dials the user back at a predetermined number stored in the server's configuration
database.
D. It is a remote-access control whereby the user initially connects to the network systems via
dial-up access, only to have the initial connection terminated by the server, which then
subsequently allows the user to call back at an approved number for a limited period of time.
Answer: C
What type of fire-suppression system suppresses fire via water that is released from a main valve
to be delivered via a system of dry pipes installed throughout the facilities?
A. A dry-pipe sprinkler system
B. A deluge sprinkler system
C. A wet-pipe system
D. A halon sprinkler system
Answer: A
Digital signatures require the sender to "sign" the data by encrypting the data with the sender's
public key, to then be decrypted by the recipient using the recipient's private key. True or false?
A. False
B. True
Answer: A
Which of the following provides the BEST single-factor authentication?
A. Biometrics
B. Password
C. Token
D. PIN
Answer: A
What is used to provide authentication of the website and can also be used to successfully
authenticate keys used for data encryption?
A. An organizational certificate
B. A user certificate
C. A website certificate
D. Authenticode
Answer: C
What determines the strength of a secret key within a symmetric key cryptosystem?
A. A combination of key length, degree of permutation, and the complexity of the data-encryption
algorithm that uses the key
B. A combination of key length, initial input vectors, and the complexity of the data-encryption
algorithm that uses the key
C. A combination of key length and the complexity of the data-encryption algorithm that uses the
key
D. Initial input vectors and the complexity of the data-encryption algorithm that uses the key
Answer: B
What process is used to validate a subject's identity?
A. Identification
B. Nonrepudiation
C. Authorization
D. Authentication
Answer: D
What is often assured through table link verification and reference checks?
A. Database integrity
B. Database synchronization
C. Database normalcy
D. Database accuracy
Answer: A
Which of the following should an IS auditor review to determine user permissions that have been
granted for a particular resource? Choose the BEST answer.
A. Systems logs
B. Access control lists (ACL)
C. Application logs
D. Error logs
Answer: B
What should IS auditors always check when auditing password files?
A. That deleting password files is protected
B. That password files are encrypted
C. That password files are not accessible over the network
D. That password files are archived
Answer: B
Using the OSI reference model, what layer(s) is/are used to encrypt data?
A. Transport layer
B. Session layer
C. Session and transport layers
D. Data link layer
Answer: C
When should systems administrators first assess the impact of applications or systems patches?
A. Within five business days following installation
B. Prior to installation
C. No sooner than five business days following installation
D. Immediately following installation
Answer: B
Which of the following is the most fundamental step in preventing virus attacks?
A. Adopting and communicating a comprehensive antivirus policy
B. Implementing antivirus protection software on users' desktop computers
C. Implementing antivirus content checking at all network-to-Internet gateways
D. Inoculating systems with antivirus code
Answer: A
Which of the following is of greatest concern when performing an IS audit?
A. Users' ability to directly modify the database
B. Users' ability to submit queries to the database
C. Users' ability to indirectly modify the database
D. Users' ability to directly view the database
Answer: A
What are intrusion-detection systems (IDS) primarily used for?
A. To identify AND prevent intrusion attempts to a network
B. To prevent intrusion attempts to a network
C. Forensic incident response
D. To identify intrusion attempts to a network
Answer: D
Rather than simply reviewing the adequacy of access control, appropriateness of access policies,
and effectiveness of safeguards and procedures, the IS auditor is more concerned with
effectiveness and utilization of assets. True or false?
A. True
B. False
Answer: B
If a programmer has update access to a live system, IS auditors are more concerned with the
programmer's ability to initiate or modify transactions and the ability to access production than
with the programmer's ability to authorize transactions. True or false?
A. True
B. False
Answer: A
Organizations should use off-site storage facilities to maintain _________________ (fill in the
blank) of current and critical information within backup files. Choose the BEST answer.
A. Confidentiality
B. Integrity
C. Redundancy
D. Concurrency
Answer: C
The purpose of business continuity planning and disaster-recovery planning is to:
A. Transfer the risk and impact of a business interruption or disaster
B. Mitigate, or reduce, the risk and impact of a business interruption or disaster
C. Accept the risk and impact of a business
D. Eliminate the risk and impact of a business interruption or disaster
Answer: B
If a database is restored from information backed up before the last system image, which of the
following is recommended?
A. The system should be restarted after the last transaction.
B. The system should be restarted before the last transaction.
C. The system should be restarted at the first transaction.
D. The system should be restarted on the last transaction.
Answer: B
An off-site processing facility should be easily identifiable externally because easy identification
helps ensure smoother recovery. True or false?
A. True
B. False
Answer: B
Which of the following is the dominating objective of BCP and DRP?
A. To protect human life
B. To mitigate the risk and impact of a business interruption
C. To eliminate the risk and impact of a business interruption
D. To transfer the risk and impact of a business interruption
Answer: A
How can minimizing single points of failure or vulnerabilities of a common disaster best be
controlled?
A. By implementing redundant systems and applications onsite
B. By geographically dispersing resources
C. By retaining onsite data backup in fireproof vaults
D. By preparing BCP and DRP documents for commonly identified disasters
Answer: B
Mitigating the risk and impact of a disaster or business interruption usually takes priority over
transference of risk to a third party such as an insurer. True or false?
A. True
B. False
Answer: A
Off-site data storage should be kept synchronized when preparing for recovery of time-sensitive
data such as that resulting from which of the following? Choose the BEST answer.
A. Financial reporting
B. Sales reporting
C. Inventory reporting
D. Transaction processing
Answer: D
What is an acceptable recovery mechanism for extremely time-sensitive transaction processing?
A. Off-site remote journaling
B. Electronic vaulting
C. Shadow file processing
D. Storage area network
Answer: C
Off-site data backup and storage should be geographically separated so as to
________________ (fill in the blank) the risk of a widespread physical disaster such as a
hurricane or earthquake.
A. Accept
B. Eliminate
C. Transfer
D. Mitigate
Answer: D
Why is a clause for requiring source code escrow in an application vendor agreement important?
A. To segregate systems development and live environments
B. To protect the organization from copyright disputes
C. To ensure that sufficient code is available when needed
D. To ensure that the source code remains available even if the application vendor goes out of
business
Answer: D
What uses questionnaires to lead the user through a series of choices to reach a conclusion?
Choose the BEST answer.
A. Logic trees
B. Decision trees
C. Decision algorithms
D. Logic algorithms
Answer: B
What protects an application purchaser's ability to fix or change an application in case the
application vendor goes out of business?
A. Assigning copyright to the organization
B. Program back doors
C. Source code escrow
D. Internal programming expertise
Answer: C
Who is ultimately responsible for providing requirement specifications to the software-
development team?
A. The project sponsor
B. The project members
C. The project leader
D. The project steering committee
Answer: A
What should regression testing use to obtain accurate conclusions regarding the effects of
changes or corrections to a program, and ensuring that those changes and corrections have not
introduced new errors?
A. Contrived data
B. Independently created data
C. Live data
D. Data from previous tests
Answer: D
An IS auditor should carefully review the functional requirements in a systems-development
project to ensure that the project is designed to:
A. Meet business objectives
B. Enforce data security
C. Be culturally feasible
D. Be financially feasible
Answer: A
Which of the following processes are performed during the design phase of the systems-
development life cycle (SDLC) model?
A. Develop test plans.
B. Baseline procedures to prevent scope creep.
C. Define the need that requires resolution, and map to the major requirements of the solution.
D. Program and test the new system. The tests verify and validate what has been developed.
Answer: B
When should application controls be considered within the system-development process?
A. After application unit testing
B. After application module testing
C. After applications systems testing
D. As early as possible, even in the development of the project's functional specifications
Answer: D
What is used to develop strategically important systems faster, reduce development costs, and
still maintain high quality? Choose the BEST answer.
A. Rapid application development (RAD)
B. GANTT
C. PERT
D. Decision trees
Answer: A
Test and development environments should be separated. True or false?
A. True
B. False
Answer: A
What kind of testing should programmers perform following any changes to an application or
system?
A. Unit, module, and full regression testing
B. Module testing
C. Unit testing
D. Regression testing
Answer: A
Which of the following uses a prototype that can be updated continually to meet changing user or
business requirements?
A. PERT
B. Rapid application development (RAD)
C. Function point analysis (FPA)
D. GANTT
Answer: B
What is the most common reason for information systems to fail to meet the needs of users?
Choose the BEST answer.
A. Lack of funding
B. Inadequate user participation during system requirements definition
C. Inadequate senior management participation during system requirements definition
D. Poor IT strategic planning
Answer: B
Who is responsible for the overall direction, costs, and timetables for systems-development
projects?
A. The project sponsor
B. The project steering committee
C. Senior management
D. The project team leader
Answer: B
When should plans for testing for user acceptance be prepared? Choose the BEST answer.
A. In the requirements definition phase of the systems-development project
B. In the feasibility phase of the systems-development project
C. In the design phase of the systems-development project
D. In the development phase of the systems-development project
Answer: A
Above almost all other concerns, what often results in the greatest negative impact on the
implementation of new application software?
A. Failing to perform user acceptance testing
B. Lack of user training for the new system
C. Lack of software documentation and run manuals
D. Insufficient unit, module, and systems testing
Answer: A
Input/output controls should be implemented for which applications in an integrated systems
environment?
A. The receiving application
B. The sending application
C. Both the sending and receiving applications
D. Output on the sending application and input on the receiving application
Answer: C
Authentication techniques for sending and receiving data between EDI systems is crucial to
prevent which of the following? Choose the BEST answer.
A. Unsynchronized transactions
B. Unauthorized transactions
C. Inaccurate transactions
D. Incomplete transactions
Answer: B
After identifying potential security vulnerabilities, what should be the IS auditor's next step?
A. To evaluate potential countermeasures and compensatory controls
B. To implement effective countermeasures and compensatory controls
C. To perform a business impact analysis of the threats that would exploit the vulnerabilities
D. To immediately advise senior management of the findings
Answer: C
What is the primary security concern for EDI environments? Choose the BEST answer.
A. Transaction authentication
B. Transaction completeness
C. Transaction accuracy
D. Transaction authorization
Answer: D
Which of the following exploit vulnerabilities to cause loss or damage to the organization and its
assets?
A. Exposures
B. Threats
C. Hazards
D. Insufficient controls
Answer: B
Business process re-engineering often results in ______________ automation, which results in
_____________ number of people using technology. Fill in the blanks.
A. Increased; a greater
B. Increased; a fewer
C. Less; a fewer
D. Increased; the same
Answer: A
Whenever business processes have been re-engineered, the IS auditor attempts to identify and
quantify the impact of any controls that might have been removed, or controls that might not work
as effectively after business process changes. True or false?
A. True
B. False
Answer: A
When should an application-level edit check to verify that availability of funds was completed at
the electronic funds transfer (EFT) interface?
A. Before transaction completion
B. Immediately after an EFT is initiated
C. During run-to-run total testing
D. Before an EFT is initiated
Answer: D
________________ (fill in the blank) should be implemented as early as data preparation to
support data integrity at the earliest point possible.
A. Control totals
B. Authentication controls
C. Parity bits
D. Authorization controls
Answer: A
What is used as a control to detect loss, corruption, or duplication of data?
A. Redundancy check
B. Reasonableness check
C. Hash totals
D. Accuracy check
Answer: C
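The two questions above ask where control totals belong (as early as data preparation) and what a hash total detects (loss, corruption, or duplication of records). The following Python is an added example, not part of the original question set: the sender computes a record count, an amount total, and a hash total over a non-financial field, and the receiver recomputes them to find out what happened to the batch in transit. The record layout and the sample batch are constructed for illustration.

```python
"""Batch control totals: record count, amount total, and a hash total.

Added example; the record layout and sample batch below are constructed
for illustration and are not from the original page.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    account: str   # non-financial field, covered by the hash total
    amount: int    # in cents, so totals are exact integers


def control_totals(batch: list[Payment]) -> dict[str, int]:
    """Totals the sender computes at data preparation and ships with the batch.

    - count: number of records (catches lost or duplicated records)
    - amount_total: sum of the financial field (catches amount corruption)
    - hash_total: sum of the numeric account field; it has no business
      meaning, it only has to change whenever any account number changes
    """
    return {
        "count": len(batch),
        "amount_total": sum(p.amount for p in batch),
        "hash_total": sum(int(p.account) for p in batch),
    }


def verify_batch(received: list[Payment], expected: dict[str, int]) -> list[str]:
    """Recompute the totals on the receiving side and list every mismatch."""
    actual = control_totals(received)
    return [name for name in expected if actual[name] != expected[name]]


# Constructed sample batch (not real data) and the trailer the sender attaches.
SENT = [
    Payment("1001", 25_00),
    Payment("2002", 10_50),
    Payment("3003", 99_99),
]
TRAILER = control_totals(SENT)


def simulate_faults() -> dict[str, list[str]]:
    """Run the receiver check over several damaged copies of the batch."""
    lost = SENT[:-1]                                   # last record dropped
    duplicated = SENT + [SENT[0]]                      # first record replayed
    corrupted = [Payment("1010", 25_00)] + SENT[1:]    # account digits transposed
    swapped = [Payment("1001", 10_50), Payment("2002", 25_00), SENT[2]]  # amounts swapped
    return {
        "lost": verify_batch(lost, TRAILER),
        "duplicated": verify_batch(duplicated, TRAILER),
        "corrupted": verify_batch(corrupted, TRAILER),
        "swapped": verify_batch(swapped, TRAILER),
    }
```

The "swapped" case is the caveat: two amounts exchanged between records leave every total unchanged, so control totals are a batch-level completeness control and do not replace per-record edit checks or a digest over the whole record.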
Data edits are implemented before processing and are considered which of the following?
Choose the BEST answer.
A. Deterrent integrity controls
B. Detective integrity controls
C. Corrective integrity controls
D. Preventative integrity controls
Answer: D
Processing controls ensure that data is accurate and complete, and is processed only through
which of the following? Choose the BEST answer.
A. Documented routines
B. Authorized routines
C. Accepted routines
D. Approved routines
Answer: B
What is a data validation edit control that matches input data to an occurrence rate? Choose the
BEST answer.
A. Accuracy check
B. Completeness check
C. Reasonableness check
D. Redundancy check
Answer: C
Database snapshots can provide an excellent audit trail for an IS auditor. True or false?
A. True
B. False
Answer: A
An IS auditor is using a statistical sample to inventory the tape library. What type of test would
this be considered?
A. Substantive
B. Compliance
C. Integrated
D. Continuous audit
Answer: A
An IS auditor usually places more reliance on evidence directly collected. What is an example of
such evidence?
A. Evidence collected through personal observation
B. Evidence collected through systems logs provided by the organization's security administration
C. Evidence collected through surveys collected from internal staff
D. Evidence collected through transaction reports provided by the organization's IT administration
Answer: A
What kind of protocols does the OSI Transport Layer of the TCP/IP protocol suite provide to
ensure reliable communication?
A. Nonconnection-oriented protocols
B. Connection-oriented protocols
C. Session-oriented protocols
D. Nonsession-oriented protocols
Answer: B
How is the time required for transaction processing review usually affected by properly
implemented Electronic Data Interchange (EDI)?
A. EDI usually decreases the time necessary for review.
B. EDI usually increases the time necessary for review.
C. Cannot be determined.
D. EDI does not affect the time necessary for review.
Answer: A
What would an IS auditor expect to find in the console log? Choose the BEST answer.
A. Evidence of password spoofing
B. System errors
C. Evidence of data copy activities
D. Evidence of password sharing
Answer: B
Atomicity enforces data integrity by ensuring that a transaction is either completed in its entirety
or not at all. Atomicity is part of the ACID test reference for transaction processing. True or false?
A. True
B. False
Answer: A
Why does the IS auditor often review the system logs?
A. To get evidence of password spoofing
B. To get evidence of data copy activities
C. To determine the existence of unauthorized access to data by a user or program
D. To get evidence of password sharing
Answer: C
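An earlier question has the auditor read the access control list to learn who is permitted to use a resource, and the question above has the auditor read the system log to find unauthorized access. Putting the two together is the actual review step: replay the log against the ACL and flag every successful access the ACL does not allow. The Python below is an added example, not from the original page; the ACL, the syslog-like line format and the sample lines are all constructed.

```python
"""Review access-log lines against the ACL that says who may use a resource.

Added example, not from the original page. The ACL, the log format
(one access event per line) and the sample lines are constructed.
"""
import re
from typing import Optional

# Constructed ACL: resource -> {user: set of permitted operations}
ACL = {
    "/data/payroll.db": {"hr_clerk": {"read"}, "dba": {"read", "write"}},
    "/data/ledger.db": {"dba": {"read", "write"}, "batch_svc": {"write"}},
}

# Constructed format: "<timestamp> <host> <app>: user=<u> op=<op> resource=<r> result=<ok|denied>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+: user=(?P<user>\S+) op=(?P<op>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_permitted(user: str, op: str, resource: str) -> bool:
    """Default deny: unknown resource, unknown user, or unlisted op all fail."""
    return op in ACL.get(resource, {}).get(user, set())


def review(log_lines: list[str]) -> dict[str, list[str]]:
    """Classify each logged event.

    - unauthorized: access succeeded (result=ok) but the ACL does not allow it;
      this is the finding, either a control gap or a control bypass
    - denied: the attempt was blocked; worth trending, but the control worked
    - unparsed: lines the review could not interpret; never silently dropped
    """
    findings = {"unauthorized": [], "denied": [], "unparsed": []}
    for line in log_lines:
        ev = parse_line(line)
        if ev is None:
            findings["unparsed"].append(line)
            continue
        allowed = is_permitted(ev["user"], ev["op"], ev["resource"])
        if ev["result"] == "ok" and not allowed:
            findings["unauthorized"].append(line)
        elif ev["result"] == "denied":
            findings["denied"].append(line)
    return findings


# Constructed sample log (not real data).
SAMPLE_LOG = [
    "2024-03-01T09:00:01Z db01 dbaudit: user=hr_clerk op=read resource=/data/payroll.db result=ok",
    "2024-03-01T09:00:05Z db01 dbaudit: user=hr_clerk op=write resource=/data/payroll.db result=ok",
    "2024-03-01T09:01:10Z db01 dbaudit: user=batch_svc op=read resource=/data/ledger.db result=denied",
    "2024-03-01T09:02:00Z db01 dbaudit: user=intern op=read resource=/data/ledger.db result=ok",
    "garbage line from a rotated file",
]
```

Two design points matter for an audit: the check is default deny, so a user or resource missing from the ACL is treated as unauthorized rather than ignored, and unparseable lines are reported rather than skipped, because a log that cannot be read is itself a finding about the evidence.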
What is essential for the IS auditor to obtain a clear understanding of network management?
A. Security administrator access to systems
B. Systems logs of all hosts providing application services
C. A graphical map of the network topology
D. Administrator access to systems
Answer: C
How is risk affected if users have direct access to a database at the system level?
A. Risk of unauthorized access increases, but risk of untraceable changes to the database
decreases.
B. Risk of unauthorized and untraceable changes to the database increases.
C. Risk of unauthorized access decreases, but risk of untraceable changes to the database
increases.
D. Risk of unauthorized and untraceable changes to the database decreases.
Answer: B
What is the most common purpose of a virtual private network implementation?
A. A virtual private network (VPN) helps to secure access between an enterprise and its partners
when communicating over an otherwise unsecured channel such as the Internet.
B. A virtual private network (VPN) helps to secure access between an enterprise and its partners
when communicating over a dedicated T1 connection.
C. A virtual private network (VPN) helps to secure access within an enterprise when
communicating over a dedicated T1 connection between network segments within the same
facility.
D. A virtual private network (VPN) helps to secure access between an enterprise and its partners
when communicating over a wireless connection.
Answer: A
What benefit does using capacity-monitoring software to monitor usage patterns and trends
provide to management? Choose the BEST answer.
A. The software can dynamically readjust network traffic capabilities based upon current usage.
B. The software produces nice reports that really impress management.
C. It allows users to properly allocate resources and ensure continuous efficiency of operations.
D. It allows management to properly allocate resources and ensure continuous efficiency of
operations.
Answer: D
What can be very helpful to an IS auditor when determining the efficacy of a systems
maintenance program? Choose the BEST answer.
A. Network-monitoring software
B. A system downtime log
C. Administration activity reports
D. Help-desk utilization trend reports
Answer: B
What are used as a countermeasure for potential database corruption when two processes
attempt to simultaneously edit or update the same information? Choose the BEST answer.
A. Referential integrity controls
B. Normalization controls
C. Concurrency controls
D. Run-to-run totals
Answer: C
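The atomicity question earlier and the concurrency question above are the two halves of transaction integrity: a transaction must either commit completely or leave nothing behind, and two processes editing the same row must not silently overwrite each other. The Python below is an added example, not from the original page, using the standard-library sqlite3 module on an in-memory database; the schema, balances and the two-process scenario are constructed for illustration. It shows a rollback undoing a half-applied transfer, and optimistic concurrency control (a version column checked in the UPDATE) rejecting a stale write.

```python
"""Atomicity and concurrency control in a transaction store, with sqlite3.

Added example, not from the original page; the schema and balances are
constructed for illustration.
"""
import sqlite3


def open_ledger() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        " id TEXT PRIMARY KEY,"
        " balance INTEGER NOT NULL CHECK (balance >= 0),"   # no overdrafts
        " version INTEGER NOT NULL DEFAULT 0)"              # for optimistic locking
    )
    conn.executemany("INSERT INTO accounts (id, balance) VALUES (?, ?)",
                     [("A", 100), ("B", 50)])
    conn.commit()
    return conn


def balance(conn: sqlite3.Connection, acct: str) -> int:
    return conn.execute("SELECT balance FROM accounts WHERE id = ?", (acct,)).fetchone()[0]


def transfer(conn: sqlite3.Connection, src: str, dst: str, amount: int) -> bool:
    """Atomic: the credit and the debit commit together or not at all.

    The credit is issued first on purpose: when the debit then violates the
    CHECK constraint, the rollback must also undo the already-applied credit.
    """
    try:
        with conn:  # the connection context manager commits on success, rolls back on exception
            conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
            conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
        return True
    except sqlite3.IntegrityError:
        return False


def read_for_update(conn: sqlite3.Connection, acct: str) -> tuple:
    """The snapshot a process takes before computing its change: (balance, version)."""
    return conn.execute("SELECT balance, version FROM accounts WHERE id = ?", (acct,)).fetchone()


def write_checked(conn: sqlite3.Connection, acct: str, new_balance: int, seen_version: int) -> bool:
    """Optimistic concurrency control: the write lands only if nobody changed
    the row since this process read it; otherwise the caller must re-read."""
    with conn:
        cur = conn.execute(
            "UPDATE accounts SET balance = ?, version = version + 1 "
            "WHERE id = ? AND version = ?",
            (new_balance, acct, seen_version),
        )
    return cur.rowcount == 1


def lost_update_scenario() -> dict:
    """Two processes read the same row, then each tries to write its own result."""
    conn = open_ledger()
    bal1, ver1 = read_for_update(conn, "A")   # process 1 sees 100, version 0
    bal2, ver2 = read_for_update(conn, "A")   # process 2 sees 100, version 0
    first = write_checked(conn, "A", bal1 - 30, ver1)    # lands: 70, version 1
    second = write_checked(conn, "A", bal2 - 20, ver2)   # rejected: row is now version 1
    return {"first": first, "second": second, "final": balance(conn, "A")}
```

Without the version predicate the second UPDATE would succeed and set the balance to 80, silently discarding the first debit; that lost update is exactly the corruption the question describes, and the rejected write is the signal that tells process 2 to re-read and retry.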
What increases encryption overhead and cost the most?
A. A long symmetric encryption key
B. A long asymmetric encryption key
C. A long Advanced Encryption Standard (AES) key
D. A long Data Encryption Standard (DES) key
Answer: B
Which of the following best characterizes "worms"?
A. Malicious programs that can run independently and can propagate without the aid of a carrier
program such as email
B. Programming code errors that cause a program to repeatedly dump data
C. Malicious programs that require the aid of a carrier program such as email
D. Malicious programs that masquerade as common applications such as screensavers or
macro-enabled Word documents
Answer: A
What is an initial step in creating a proper firewall policy?
A. Assigning access to users according to the principle of least privilege
B. Determining appropriate firewall hardware and software
C. Identifying network applications such as mail, web, or FTP servers
D. Configuring firewall access rules
Answer: C
What type of cryptosystem is characterized by data being encrypted by the sender using the
recipient's public key, and the data then being decrypted using the recipient's private key?
A. With public-key encryption, or symmetric encryption
B. With public-key encryption, or asymmetric encryption
C. With shared-key encryption, or symmetric encryption
D. With shared-key encryption, or asymmetric encryption
Answer: B
How does the SSL network protocol provide confidentiality?
A. Through symmetric encryption such as RSA
B. Through asymmetric encryption such as Data Encryption Standard, or DES
C. Through asymmetric encryption such as Advanced Encryption Standard, or AES
D. Through symmetric encryption such as Data Encryption Standard, or DES
Answer: D
What are used as the framework for developing logical access controls?
A. Information systems security policies
B. Organizational security policies
C. Access Control Lists (ACL)
D. Organizational charts for identifying roles and responsibilities
Answer: A
Which of the following are effective controls for detecting duplicate transactions such as
payments made or received?
A. Concurrency controls
B. Reasonableness checks
C. Time stamps
D. Referential integrity controls
Answer: C
Which of the following is a good control for protecting confidential data residing on a PC?
A. Personal firewall
B. File encapsulation
C. File encryption
D. Host-based intrusion detection
Answer: C
Which of the following is a guiding best practice for implementing logical access controls?
A. Implementing the Biba Integrity Model
B. Access is granted on a least-privilege basis, per the organization's data owners
C. Implementing the Take-Grant access control model
D. Classifying data according to the subject's requirements
Answer: B
What does PKI use to provide some of the strongest overall control over data confidentiality,
reliability, and integrity for Internet transactions?
A. A combination of public-key cryptography and digital certificates and two-factor authentication
B. A combination of public-key cryptography and two-factor authentication
C. A combination of public-key cryptography and digital certificates
D. A combination of digital certificates and two-factor authentication
Answer: C
Which of the following do digital signatures provide?
A. Authentication and integrity of data
B. Authentication and confidentiality of data
C. Confidentiality and integrity of data
D. Authentication and availability of data
Answer: A
Regarding digital signature implementation, which of the following answers is correct?
A. A digital signature is created by the sender to prove message integrity by encrypting the
message with the sender's private key. Upon receiving the data, the recipient can decrypt the
data using the sender's public key.
B. A digital signature is created by the sender to prove message integrity by encrypting the
message with the recipient's public key. Upon receiving the data, the recipient can decrypt the
data using the recipient's public key.
C. A digital signature is created by the sender to prove message integrity by initially using a
hashing algorithm to produce a hash value or message digest from the entire message contents.
Upon receiving the data, the recipient can independently create it.
D. A digital signature is created by the sender to prove message integrity by encrypting the
message with the sender's public key. Upon receiving the data, the recipient can decrypt the data
using the recipient's private key.
Answer: C
Which of the following would provide the highest degree of server access control?
A. A mantrap-monitored entryway to the server room
B. Host-based intrusion detection combined with CCTV
C. Network-based intrusion detection
D. A fingerprint scanner facilitating biometric access control
Answer: D
What are often the primary safeguards for systems software and data?
A. Administrative access controls
B. Logical access controls
C. Physical access controls
D. Detective access controls
Answer: B
Which of the following is often used as a detection and deterrent control against Internet attacks?
A. Honeypots
B. CCTV
C. VPN
D. VLAN
Answer: A
Which of the following BEST characterizes a mantrap or deadman door, which is used as a
deterrent control for the vulnerability of piggybacking?
A. A monitored double-doorway entry system
B. A monitored turnstile entry system
C. A monitored doorway entry system
D. A one-way door that does not allow exit after entry
Answer: A
Which of the following is an effective method for controlling downloading of files via FTP? Choose
the BEST answer.
A. An application-layer gateway, or proxy firewall, but not stateful inspection firewalls
B. An application-layer gateway, or proxy firewall
C. A circuit-level gateway
D. A first-generation packet-filtering firewall
Answer: B
Which of the following provides the strongest authentication for physical access control?
A. Sign-in logs
B. Dynamic passwords
C. Key verification
D. Biometrics
Answer: D
What is an effective countermeasure for the vulnerability of data entry operators potentially
leaving their computers without logging off? Choose the BEST answer.
A. Employee security awareness training
B. Administrator alerts
C. Screensaver passwords
D. Close supervision
Answer: C
What can ISPs use to implement inbound traffic filtering as a control to identify IP packets
transmitted from unauthorized sources? Choose the BEST answer.
A. OSI Layer 2 switches with packet filtering enabled
B. Virtual Private Networks
C. Access Control Lists (ACL)
D. Point-to-Point Tunneling Protocol
Answer: C
What is the key distinction between encryption and hashing algorithms?
A. Hashing algorithms ensure data confidentiality.
B. Hashing algorithms are irreversible.
C. Encryption algorithms ensure data integrity.
D. Encryption algorithms are not irreversible.
Answer: B
Which of the following is BEST characterized by unauthorized modification of data before or
during systems data entry?
A. Data diddling
B. Skimming
C. Data corruption
D. Salami attack
Answer: A
Which of the following is used to evaluate biometric access controls?
A. FAR
B. EER
C. ERR
D. FRR
Answer: B
Who is ultimately responsible and accountable for reviewing user access to systems?
A. Systems security administrators
B. Data custodians
C. Data owners
D. Information systems auditors
Answer: C
Establishing data ownership is an important first step for which of the following processes?
Choose the BEST answer.
A. Assigning user access privileges
B. Developing organizational security policies
C. Creating roles and responsibilities
D. Classifying data
Answer: D
Which of the following is MOST critical during the business impact assessment phase of
business continuity planning?
A. End-user involvement
B. Senior management involvement
C. Security administration involvement
D. IS auditing involvement
Answer: A
What type of BCP test uses actual resources to simulate a system crash and validate the plan's
effectiveness?
A. Paper
B. Preparedness
C. Walk-through
D. Parallel
Answer: B
Which of the following typically focuses on making alternative processes and resources available
for transaction processing?
A. Cold-site facilities
B. Disaster recovery for networks
C. Diverse processing
D. Disaster recovery for systems
Answer: D
Which type of major BCP test only requires representatives from each operational area to meet to
review the plan?
A. Parallel
B. Preparedness
C. Walk-through
D. Paper
Answer: C
What influences decisions regarding criticality of assets?
A. The business criticality of the data to be protected
B. Internal corporate politics
C. The business criticality of the data to be protected, and the scope of the impact upon the
organization as a whole
D. The business impact analysis
Answer: C
Of the three major types of off-site processing facilities, what type is characterized by at least
providing for electricity and HVAC?
A. Cold site
B. Alternate site
C. Hot site
D. Warm site
Answer: A
With the objective of mitigating the risk and impact of a major business interruption, a disaster-
recovery plan should endeavor to reduce the length of recovery time necessary, as well as costs
associated with recovery. Although DRP results in an increase of pre- and post-incident
operational costs, the extra costs are more than offset by reduced recovery and business impact
costs. True or false?
A. True
B. False
Answer: A
Of the three major types of off-site processing facilities, what type is often an acceptable solution
for preparing for recovery of noncritical systems and data?
A. Cold site
B. Hot site
C. Alternate site
D. Warm site
Answer: A
Any changes in systems assets, such as replacement of hardware, should be immediately
recorded within the assets inventory of which of the following? Choose the BEST answer.
A. IT strategic plan
B. Business continuity plan
C. Business impact analysis
D. Incident response plan
Answer: B
Although BCP and DRP are often implemented and tested by middle management and end
users, the ultimate responsibility and accountability for the plans remain with executive
management, such as the _______________. (fill-in-the-blank)
A. Security administrator
B. Systems auditor
C. Board of directors
D. Financial auditor
Answer: C
Obtaining user approval of program changes is very effective for controlling application changes
and maintenance. True or false?
A. True
B. False
Answer: A
Library control software restricts source code to:
A. Read-only access
B. Write-only access
C. Full access
D. Read-write access
Answer: A
When is regression testing used to determine whether new application changes have introduced
any errors in the remaining unchanged code?
A. In program development and change management
B. In program feasibility studies
C. In program development
D. In change management
Answer: A
What is often the most difficult part of initial efforts in application development? Choose the BEST
answer.
A. Configuring software
B. Planning security
C. Determining time and resource requirements
D. Configuring hardware
Answer: C
What is a primary high-level goal for an auditor who is reviewing a system development project?
A. To ensure that programming and processing environments are segregated
B. To ensure that proper approval for the project has been obtained
C. To ensure that business objectives are achieved
D. To ensure that projects are monitored and administrated effectively
Answer: C
Whenever an application is modified, what should be tested to determine the full impact of the
change? Choose the BEST answer.
A. Interface systems with other applications or systems
B. The entire program, including any interface systems with other applications or systems
C. All programs, including interface systems with other applications or systems
D. Mission-critical functions and any interface systems with other applications or systems
Answer: B
The quality of the metadata produced from a data warehouse is _______________ in the
warehouse's design. Choose the BEST answer.
A. Often hard to determine because the data is derived from a heterogeneous data environment
B. The most important consideration
C. Independent of the quality of the warehoused databases
D. Of secondary importance to data warehouse content
Answer: B
Function Point Analysis (FPA) provides an estimate of the size of an information system based
only on the number and complexity of a system's inputs and outputs. True or false?
A. True
B. False
Answer: B
Who assumes ownership of a systems-development project and the resulting system?
A. User management
B. Project steering committee
C. IT management
D. Systems developers
Answer: A
Structured programming is BEST described as a technique that:
A. provides knowledge of program functions to other programmers via peer reviews.
B. reduces the maintenance time of programs by the use of small-scale program modules.
C. makes the readable coding reflect as closely as possible the dynamic execution of the
program.
D. controls the coding and testing of the high-level functions of the program in the development
process.
Answer: B
Which of the following data validation edits is effective in detecting transposition and transcription
errors?
A. Range check
B. Check digit
C. Validity check
D. Duplicate check
Answer: B
An offsite information processing facility having electrical wiring, air conditioning and flooring, but
no computer or communications equipment is a:
A. cold site.
B. warm site.
C. dial-up site.
D. duplicate processing facility.
Answer: A
A number of system failures are occurring when corrections to previously detected errors are
resubmitted for acceptance testing. This would indicate that the maintenance team is probably
not adequately performing which of the following types of testing?
A. Unit testing
B. Integration testing
C. Design walk-throughs
D. Configuration management
Answer: B
In an EDI process, the device which transmits and receives electronic documents is the:
A. communications handler.
B. EDI translator.
C. application interface.
D. EDI interface.
Answer: A
The MOST significant level of effort for business continuity planning (BCP) generally is required
during the:
A. testing stage.
B. evaluation stage.
C. maintenance stage.
D. early stages of planning.
Answer: D
Which of the following network configuration options contains a direct link between any two host
machines?
A. Bus
B. Ring
C. Star
D. Completely connected (mesh)
Answer: D
Which of the following types of data validation editing checks is used to determine if a field
contains data, and not zeros or blanks?
A. Check digit
B. Existence check
C. Completeness check
D. Reasonableness check
Answer: C
Which of the following tests is an IS auditor performing when a sample of programs is selected to
determine if the source and object versions are the same?
A. A substantive test of program library controls
B. A compliance test of program library controls
C. A compliance test of the program compiler controls
D. A substantive test of the program compiler controls
Answer: B
A data administrator is responsible for:
A. maintaining database system software.
B. defining data elements, data names and their relationship.
C. developing physical database structures.
D. developing data dictionary system software.
Answer: B
A database administrator is responsible for:
A. defining data ownership.
B. establishing operational standards for the data dictionary.
C. creating the logical and physical database.
D. establishing ground rules for ensuring data integrity and security.
Answer: C
An IS auditor reviewing the key roles and responsibilities of the database administrator (DBA) is
LEAST likely to expect the job description of the DBA to include:
A. defining the conceptual schema.
B. defining security and integrity checks.
C. liaising with users in developing data model.
D. mapping data model with the internal schema.
Answer: D
To affix a digital signature to a message, the sender must first create a message digest by
applying a cryptographic hashing algorithm against:
A. the entire message and thereafter enciphering the message digest using the sender's private
key.
B. any arbitrary part of the message and thereafter enciphering the message digest using the
sender's private key.
C. the entire message and thereafter enciphering the message using the sender's private key.
D. the entire message and thereafter enciphering the message along with the message digest
using the sender's private key.
Answer: A
A sequence of bits appended to a digital document that is used to secure an e-mail sent through
the Internet is called a:
A. digest signature.
B. electronic signature.
C. digital signature.
D. hash signature.
Answer: C
A critical function of a firewall is to act as a:
A. special router that connects the Internet to a LAN.
B. device for preventing authorized users from accessing the LAN.
C. server used to connect authorized users to private trusted network resources.
D. proxy server to increase the speed of access to authorized users.
Answer: B
Which of the following hardware devices relieves the central computer from performing network
control, format conversion and message handling tasks?
A. Spool
B. Cluster controller
C. Protocol converter
D. Front end processor
Answer: D
The use of a GANTT chart can:
A. aid in scheduling project tasks.
B. determine project checkpoints.
C. ensure documentation standards.
D. direct the post-implementation review.
Answer: A
Which of the following translates e-mail formats from one network to another so that the message
can travel through all the networks?
A. Gateway
B. Protocol converter
C. Front-end communication processor
D. Concentrator/multiplexor
Answer: A
Which of the following BEST describes the necessary documentation for an enterprise product
reengineering (EPR) software installation?
A. Specific developments only
B. Business requirements only
C. All phases of the installation must be documented
D. No need to develop a customer specific documentation
Answer: C
A hub is a device that connects:
A. two LANs using different protocols.
B. a LAN with a WAN.
C. a LAN with a metropolitan area network (MAN).
D. two segments of a single LAN.
Answer: D
A LAN administrator normally would be restricted from:
A. having end-user responsibilities.
B. reporting to the end-user manager.
C. having programming responsibilities.
D. being responsible for LAN security administration.
Answer: C
Which of the following is a telecommunication device that translates data from digital form to
analog form and back to digital?
A. Multiplexer
B. Modem
C. Protocol converter
D. Concentrator
Answer: B
Which of the following systems-based approaches would a financial processing company employ
to monitor spending patterns to identify abnormal patterns and report them?
A. A neural network
B. Database management software
C. Management information systems
D. Computer assisted audit techniques
Answer: A
A hardware control that helps to detect errors when data are communicated from one computer to
another is known as a:
A. duplicate check.
B. table lookup.
C. validity check.
D. parity check.
Answer: D
For which of the following applications would rapid recovery be MOST crucial?
A. Point-of-sale system
B. Corporate planning
C. Regulatory reporting
D. Departmental chargeback
Answer: A
The initial step in establishing an information security program is the:
A. development and implementation of an information security standards manual.
B. performance of a comprehensive security control review by the IS auditor.
C. adoption of a corporate information security policy statement.
D. purchase of security access control software.
Answer: C
A malicious code that changes itself with each file it infects is called a:
A. logic bomb.
B. stealth virus.
C. trojan horse.
D. polymorphic virus.
Answer: D
Which of the following is a continuity plan test that uses actual resources to simulate a system
crash to cost-effectively obtain evidence about the plan's effectiveness?
A. Paper test
B. Post test
C. Preparedness test
D. Walk-through
Answer: C
An organization having a number of offices across a wide geographical area has developed a
disaster recovery plan (DRP). Using actual resources, which of the following is the MOST
cost-effective test of the DRP?
A. Full operational test
B. Preparedness test
C. Paper test
D. Regression test
Answer: B
The IS auditor learns that when equipment was brought into the data center by a vendor, the
emergency power shutoff switch was accidentally pressed and the UPS was engaged. Which of
the following audit recommendations should the IS auditor suggest?
A. Relocate the shut off switch.
B. Install protective covers.
C. Escort visitors.
D. Log environmental failures.
Answer: B
Company.com has contracted with an external consulting firm to implement a commercial
financial system to replace its existing in-house developed system. In reviewing the proposed
development approach, which of the following would be of GREATEST concern?
A. Acceptance testing is to be managed by users.
B. A quality plan is not part of the contracted deliverables.
C. Not all business functions will be available on initial implementation.
D. Prototyping is being used to confirm that the system meets business requirements.
Answer: B
In a public key infrastructure (PKI), the authority responsible for the identification and
authentication of an applicant for a digital certificate (i.e., certificate subjects) is the:
A. registration authority (RA).
B. issuing certification authority (CA).
C. subject CA.
D. policy management authority.
Answer: A
Which of the following is a data validation edit and control?
A. Hash totals
B. Reasonableness checks
C. Online access controls
D. Before and after image reporting
Answer: B
A control that detects transmission errors by appending calculated bits onto the end of each
segment of data is known as a:
A. reasonableness check.
B. parity check.
C. redundancy check.
D. check digits.
Answer: C
What is the primary objective of a control self-assessment (CSA) program?
A. Enhancement of the audit responsibility
B. Elimination of the audit responsibility
C. Replacement of the audit responsibility
D. Integrity of the audit responsibility
Answer: A
Audit responsibility enhancement is an objective of a control self-assessment (CSA) program.
IS auditors are MOST likely to perform compliance tests of internal controls if, after their initial
evaluation of the controls, they conclude that control risks are within the acceptable limits. True or
false?
A. True
B. False
Answer: A
As compared to understanding an organization's IT process from evidence directly collected, how
valuable are prior audit reports as evidence?
A. The same value.
B. Greater value.
C. Lesser value.
D. Prior audit reports are not relevant.
Answer: C
What is the PRIMARY purpose of audit trails?
A. To document auditing efforts
B. To correct data integrity errors
C. To establish accountability and responsibility for processed transactions
D. To prevent unauthorized access to data
Answer: C
How does the process of systems auditing benefit from using a risk-based approach to audit
planning?
A. Controls testing starts earlier.
B. Auditing resources are allocated to the areas of highest concern.
C. Auditing risk is reduced.
D. Controls testing is more thorough.
Answer: B
After an IS auditor has identified threats and potential impacts, the auditor should:
A. Identify and evaluate the existing controls
B. Conduct a business impact analysis (BIA)
C. Report on existing controls
D. Propose new controls
Answer: A
The use of statistical sampling procedures helps minimize:
A. Detection risk
B. Business risk
C. Controls risk
D. Compliance risk
Answer: A
What type of risk results when an IS auditor uses an inadequate test procedure and concludes
that material errors do not exist when errors actually exist?
A. Business risk
B. Detection risk
C. Residual risk
D. Inherent risk
Answer: B
A primary benefit derived from an organization employing control self-assessment (CSA)
techniques is that it can:
A. Identify high-risk areas that might need a detailed review later
B. Reduce audit costs
C. Reduce audit time
D. Increase audit accuracy
Answer: C
What type of approach to the development of organizational policies is often driven by risk
assessment?
A. Bottom-up
B. Top-down
C. Comprehensive
D. Integrated
Answer: B
Who is accountable for maintaining appropriate security measures over information assets?
A. Data and systems owners
B. Data and systems users
C. Data and systems custodians
D. Data and systems auditors
Answer: A
Proper segregation of duties prohibits a system analyst from performing quality-assurance
functions. True or false?
A. True
B. False
Answer: A
What should an IS auditor do if he or she observes that project-approval procedures do not
exist?
A. Advise senior management to invest in project-management training for the staff
B. Create project-approval procedures for future project implementations
C. Assign project leaders
D. Recommend to management that formal approval procedures be adopted and documented
Answer: D
Who is ultimately accountable for the development of an IS security policy?
A. The board of directors
B. Middle management
C. Security administrators
D. Network administrators
Answer: A
Proper segregation of duties normally does not prohibit a LAN administrator from also having
programming responsibilities. True or false?
A. True
B. False
Answer: B
A core tenet of an IS strategy is that it must:
A. Be inexpensive
B. Be protected as sensitive confidential information
C. Protect information confidentiality, integrity, and availability
D. Support the business objectives of the organization
Answer: D
Batch control reconciliation is a _____________________ (fill in the blank) control for mitigating
risk of inadequate segregation of duties.
A. Detective
B. Corrective
C. Preventative
D. Compensatory
Answer: D
Key verification is one of the best controls for ensuring that:
A. Data is entered correctly
B. Only authorized cryptographic keys are used
C. Input is authorized
D. Database indexing is performed properly
Answer: A
If senior management is not committed to strategic planning, how likely is it that a company's
implementation of IT will be successful?
A. IT cannot be implemented if senior management is not committed to strategic planning.
B. More likely.
C. Less likely.
D. Strategic planning does not affect the success of a company's implementation of IT.
Answer: C
Which of the following could lead to an unintentional loss of confidentiality? Choose the BEST
answer.
A. Lack of employee awareness of a company's information security policy
B. Failure to comply with a company's information security policy
C. A momentary lapse of reason
D. Lack of security policy enforcement procedures
Answer: A
What topology provides the greatest redundancy of routes and the greatest network fault
tolerance?
A. A star network topology
B. A mesh network topology with packet forwarding enabled at each host
C. A bus network topology
D. A ring network topology
Answer: B
If an IS auditor observes that individual modules of a system perform correctly in development
project tests, the auditor should inform management of the positive results and recommend
further:
A. Documentation development
B. Comprehensive integration testing
C. Full unit testing
D. Full regression testing
Answer: B
If an IS auditor observes that individual modules of a system perform correctly in development
project tests, the auditor should inform management of the positive results and recommend
further comprehensive integration testing.
When participating in a systems-development project, an IS auditor should focus on system
controls rather than ensuring that adequate and complete documentation exists for all projects.
True or false?
A. True
B. False
Answer: B
What is a reliable technique for estimating the scope and cost of a software-development project?
A. Function point analysis (FPA)
B. Feature point analysis (FPA)
C. GANTT
D. PERT
Answer: A
Which of the following is a program evaluation review technique that considers different scenarios
for planning and control projects?
A. Function Point Analysis (FPA)
B. GANTT
C. Rapid Application Development (RAD)
D. PERT
Answer: D
If an IS auditor observes that an IS department fails to use formal documented methodologies,
policies, and standards, what should the auditor do? Choose the BEST answer.
A. Lack of IT documentation is not usually material to the controls tested in an IT audit.
B. The auditor should at least document the informal standards and policies. Furthermore, the IS
auditor should create formal documented policies to be implemented.
C. The auditor should at least document the informal standards and policies, and test for
compliance. Furthermore, the IS auditor should recommend to management that formal
documented policies be developed and implemented.
D. The auditor should at least document the informal standards and policies, and test for
compliance. Furthermore, the IS auditor should create formal documented policies to be
implemented.
Answer: C
What often results in project scope creep when functional requirements are not defined as well as
they could be?
A. Inadequate software baselining
B. Insufficient strategic planning
C. Inaccurate resource allocation
D. Project delays
Answer: A
Fourth-Generation Languages (4GLs) are most appropriate for designing the application's
graphical user interface (GUI). They are inappropriate for designing any intensive data-calculation
procedures. True or false?
A. True
B. False
Answer: A
Run-to-run totals can verify data through which stage(s) of application processing?
A. Initial
B. Various
C. Final
D. Output
Answer: B
________________ (fill in the blank) is/are ultimately accountable for the functionality,
reliability, and security within IT governance. Choose the BEST answer.
A. Data custodians
B. The board of directors and executive officers
C. IT security administration
D. Business unit managers
Answer: B
What can be used to help identify and investigate unauthorized transactions? Choose the BEST
answer.
A. Postmortem review
B. Reasonableness checks
C. Data-mining techniques
D. Expert systems
Answer: C
Network environments often add to the complexity of program-to-program communication,
making the implementation and maintenance of application systems more difficult. True or false?
A. True
B. False
Answer: A
______________ risk analysis is not always possible because the IS auditor is attempting to
calculate risk using nonquantifiable threats and potential losses. In this event, a
_______________ risk assessment is more appropriate. Fill in the blanks.
A. Quantitative; qualitative
B. Qualitative; quantitative
C. Residual; subjective
D. Quantitative; subjective
Answer: A
What must an IS auditor understand before performing an application audit? Choose the BEST
answer.
A. The potential business impact of application risks.
B. Application risks must first be identified.
C. Relative business processes.
D. Relevant application risks.
Answer: C
What is the first step in a business process re-engineering project?
A. Identifying current business processes
B. Forming a BPR steering committee
C. Defining the scope of areas to be reviewed
D. Reviewing the organizational strategic plan
Answer: C
When storing data archives off-site, what must be done with the data to ensure data
completeness?
A. The data must be normalized.
B. The data must be validated.
C. The data must be parallel-tested.
D. The data must be synchronized.
Answer: D
Which of the following can help detect transmission errors by appending specially calculated bits
onto the end of each segment of data?
A. Redundancy check
B. Completeness check
C. Accuracy check
D. Parity check
Answer: A
What is an edit check to determine whether a field contains valid data?
A. Completeness check
B. Accuracy check
C. Redundancy check
D. Reasonableness check
Answer: A
A transaction journal provides the information necessary for detecting unauthorized
_____________ (fill in the blank) from a terminal.
A. Deletion
B. Input
C. Access
D. Duplication
Answer: B
An intentional or unintentional disclosure of a password is likely to be evident within control logs.
True or false?
A. True
B. False
Answer: B
When are benchmarking partners identified within the benchmarking process?
A. In the design stage
B. In the testing stage
C. In the research stage
D. In the development stage
Answer: C
A check digit is an effective edit check to:
A. Detect data-transcription errors
B. Detect data-transposition and transcription errors
C. Detect data-transposition, transcription, and substitution errors
D. Detect data-transposition errors
Answer: B
Parity bits are a control used to validate:
A. Data authentication
B. Data completeness
C. Data source
D. Data accuracy
Answer: B
The traditional role of an IS auditor in a control self-assessment (CSA) should be that of a(n):
A. Implementor
B. Facilitator
C. Developer
D. Sponsor
Answer: B
IS management has decided to rewrite a legacy customer relations system using
fourth-generation languages (4GLs). Which of the following risks is MOST often associated with
system development using 4GLs?
A. Inadequate screen/report design facilities
B. Complex programming language subsets
C. Lack of portability across operating systems
D. Inability to perform data intensive operations
Answer: D
Which of the following would be the BEST method for ensuring that critical fields in a master
record have been updated properly?
A. Field checks
B. Control totals
C. Reasonableness checks
D. A before-and-after maintenance report
Answer: D
Which of the following is a dynamic analysis tool for the purpose of testing software modules?
A. Blackbox test
B. Desk checking
C. Structured walk-through
D. Design and code
Answer: A
Which of the following is MOST likely to result from a business process reengineering (BPR)
project?
A. An increased number of people using technology
B. Significant cost savings, through a reduction in the complexity of information technology
C. Weaker organizational structures and less accountability
D. Increased information protection (IP) risk
Answer: A
Which of the following devices extends the network and has the capacity to store frames and act
as a storage and forward device?
A. Router
B. Bridge
C. Repeater
D. Gateway
Answer: B
Which of the following is a benefit of using callback devices?
A. Provide an audit trail
B. Can be used in a switchboard environment
C. Permit unlimited user mobility
D. Allow call forwarding
Answer: A
A call-back system requires that a user with an id and password call a remote server through a
dial-up line, then the server disconnects and:
A. dials back to the user machine based on the user id and password using a telephone number
from its database.
B. dials back to the user machine based on the user id and password using a telephone number
provided by the user during this connection.
C. waits for a redial back from the user machine for reconfirmation and then verifies the user id
and password using its database.
D. waits for a redial back from the user machine for reconfirmation and then verifies the user id
and password using the sender's database.
Answer: A
Which of the following would prevent accountability for an action performed, thus allowing
nonrepudiation?
A. Proper authentication
B. Proper identification AND authentication
C. Proper identification
D. Proper identification, authentication, AND authorization
Answer: B
Which of the following is the MOST critical step in planning an audit?
A. Implementing a prescribed auditing framework such as COBIT
B. Identifying current controls
C. Identifying high-risk audit targets
D. Testing controls
Answer: C
To properly evaluate the collective effect of preventative, detective, or corrective controls within a
process, an IS auditor should be aware of which of the following? Choose the BEST answer.
A. The business objectives of the organization
B. The effect of segregation of duties on internal controls
C. The point at which controls are exercised as data flows through the system
D. Organizational control policies
Answer: C
What is the recommended initial step for an IS auditor to implement continuous-monitoring
systems?
A. Document existing internal controls
B. Perform compliance testing on internal controls
C. Establish a controls-monitoring steering committee
D. Identify high-risk areas within the organization
Answer: D
What type of risk is associated with authorized program exits (trap doors)? Choose the BEST
answer.
A. Business risk
B. Audit risk
C. Detection risk
D. Inherent risk
Answer: D
Which of the following is best suited for searching for address field duplications?
A. Text search forensic utility software
B. Generalized audit software
C. Productivity audit software
D. Manual review
Answer: B
Which of the following is of greatest concern to the IS auditor?
A. Failure to report a successful attack on the network
B. Failure to prevent a successful attack on the network
C. Failure to recover from a successful attack on the network
D. Failure to detect a successful attack on the network
Answer: A
An integrated test facility is not considered a useful audit tool because it cannot compare
processing output with independently calculated data. True or false?
A. True
B. False
Answer: B
An advantage of a continuous audit approach is that it can improve system security when used in
time-sharing environments that process a large number of transactions. True or false?
A. True
B. False
Answer: A
If an IS auditor finds evidence of risk involved in not implementing proper segregation of duties,
such as having the security administrator perform an operations function, what is the auditor's
primary responsibility?
A. To advise senior management.
B. To reassign job functions to eliminate potential fraud.
C. To implement compensating controls.
D. Segregation of duties is an administrative control not considered by an IS auditor.
Answer: A
Who is responsible for implementing cost-effective controls in an automated system?
A. Security policy administrators
B. Business unit management
C. Senior management
D. Board of directors
Answer: B
Why does an IS auditor review an organization chart?
A. To optimize the responsibilities and authority of individuals
B. To control the responsibilities and authority of individuals
C. To better understand the responsibilities and authority of individuals
D. To identify project sponsors
Answer: C
Ensuring that security and control policies support business and IT objectives is a primary
objective of:
A. An IT security policies audit
B. A processing audit
C. A software audit
D. A vulnerability assessment
Answer: A