CISA DOMAIN 1

1. A CISA has been asked to audit a Financial Accounting system and is checking access to the last
twenty-five accounts that were accessed the previous day. Which sampling method will the CISA
use?
A. Variable sampling
B. Compliance testing
C. Stop-or-Go sampling
D. Substantive testing

ANSWER: B

Explanation: The tests being undertaken are to check if the last twenty-five accounts were accurately
authorized and is, therefore, Compliance testing. It is generally undertaken to ascertain if controls are
being applied in compliance with policy. If compliance tests show adequate internal controls,
substantive tests can be minimized.

2. A CISA would be most impacted in his audit results and review actions by _____ risk.
A. Inherent
B. Control
C. Preventive
D. Detection

ANSWER: B

Explanation: A CISA would be most impacted in his audit results and review actions by Control risk which
is the risk that material error exists, not preventable or detectable in time by internal controls. Control
risk must be mitigated by management action.

3. Which of the following is the most imperative step determined when an IS auditor is planning an
audit?
A. Planning the collection of evidence
B. Developing a plan to review logical and physical access controls
C. Performing a risk assessment
D. Reviewing all security policies and procedures

ANSWER: C

Explanation: ISACA IS Audit and Assurance Standard 1202 states – in Risk Assessment in Planning,
statement 1202.2: IS audit and assurance professionals shall identify and assess risk relevant to the area
under review when planning individual engagements. Therefore, the most critical step is performing a
risk assessment.

4. An MNC has recently implemented a legacy system on a new application that is built on Service
Oriented Architecture (SOA). What would be the first step of an IS auditor who is reviewing the
application?
A. Reviewing the usage of service security standards like Security Assertions Markup Language
(SAML)
B. Studying the legacy system controls
C. Reviewing the service repository documentation to understand services and their association
with relevant business processes
D. Auditing the core service and its interfaces

ANSWER: C

Explanation: A service-oriented architecture (SOA) is typically built on a distributed environment, in
which services are combined to mirror actual business processes. This is done by encapsulating business
logic as a black box. For this reason, the IS auditor must necessarily understand the mapping of business
processes to services. Reviewing the use of service security standards such as Security Assertions Markup
Language (SAML) is the next step.

5. During an audit, the CISA found a large number of PCs containing unauthorized software. What
should an IS auditor do?
A. Halt the audit until all unauthorized software is removed
B. Inform all the auditees and ask them to delete the same
C. Report to the management on the usage of this unauthorized software and the need for
controls
D. Inform the IT department and ask them to take action

ANSWER: C

Explanation: The CISA must inform management of the risk associated with pirated or unlicensed
software which should be banned by the organization and controls put in place to prevent the same.

6. An audit charter is an important part of an audit. Which of the following principles should be
reflected in it?
A. Detail the authority, scope, and responsibilities of the audit function.
B. Ensure it meets the needs of the auditee management.
C. Describe the audit objectives and review of internal controls.
D. Describe all the audit procedures to achieve the objectives.

ANSWER: A

Explanation: The audit charter should reflect scope, management's objectives for audit, and authority
provided to the IS auditors. As it will not be detailed, it will not include audit objectives or procedures or
details on checking of controls.

7. A CISA has found several instances of access authorized outside the normal management approval
process during the audit of an identity management system of an MNC. What should be the next step?
A. Stop the audit and report the problem
B. Review all access controls
C. Reprimand the managers who provide unauthorized access
D. Undertake an additional analysis

ANSWER: D

Explanation: It is imperative for the IS auditor to undertake substantive testing and additional analysis to
understand why the approval process is not working as needed. It is necessary to identify if this was
caused by managers not following procedures or an access control issue or a combination of both.

8. A CISA has been asked, as part of an audit, to focus on compliance. Which of the following
sampling methods would be used?
A. Difference estimation sampling
B. Attribute sampling
C. Stratified mean per unit sampling
D. Variable sampling

ANSWER: B

Explanation: Attribute sampling is commonly used for compliance testing. It estimates the rate of
occurrence of a specific quality or attribute in a population and confirms whether the quality exists.

9. A CISA is testing access to a remote server in another location and finds that too few access calls
have been made for the sample to be deemed a significant sample size. What could be the CISA’s next
step?
A. Ignore it as there are too few samples
B. Ask the IT team to provide a comprehensive list
C. Find an alternative testing procedure
D. Attempt dummy access using access to registered users

ANSWER: C

Explanation: If the sample data size is too small to meet the specified objective, the CISA needs to
develop an alternate testing procedure, seeking auditee approval.

10. A CISA has been asked to conduct a post-implementation review of an application, but has
refused, stating that his independence is compromised. Which of the given actions could the CISA
cite as the reason?
A. Audited the application during testing
B. Was a Quality assurance team member who reviewed the application
C. Was a development team member who implemented specific functionalities during
development
D. Mentored the Project Manager of the application on the best practices in development

ANSWER: A

Explanation: The CISA’s independence has been compromised due to being a team member
participating in the development, acquisition and implementation of the application.

11. Which of the following is an advantage of the continuous audit approach?
A. It ensures review and follow up on audit issues in a timely manner.
B. It does not require an auditor to collect evidence.
C. It ensures controls are enforced and monitored by the IT department.
D. It makes data sampling easy.

ANSWER: A

Explanation: As continuous auditing gathers findings almost in real time, audit and response to audit
issues can be carried out in a timely manner.

12. Identify the best choice for a CISA who wishes to acquire a CAATs tool to test the security
configuration settings of several systems of an organization.
A. Data analytics tool
B. Utility software
C. Generalized audit software
D. Decision Support system

ANSWER: B

Explanation: The CISA should ideally use utility software that will review the configuration settings for
the entire application security, including operating system, database, and system security.

13. An IS auditor is reviewing an IT organization that provides its customers access to its systems
through the Internet. The IS auditor is uncertain whether to perform a detailed review of the
network security components including firewall and VPN settings. How should the IS auditor
proceed?
A. Add an auditor who is technically competent to handle this
B. Request auditee management for pertinent access controls
C. Check IS auditing guidelines
D. Conduct and document a risk analysis

ANSWER: D

Explanation: The best approach of the IS auditor would be to conduct and document a risk analysis to
determine what presents the greatest risk and include this into audit scope and then decide if it should
include the network security components.

14. A CISA conducting a review found a lack of clearly defined roles and privileges in the application,
which has led to a deficiency in the transaction authorization control objective. What should be
the next step?
A. Report the finding to auditee management
B. Run a set of transactions as a sample and check authorization
C. Ask IT department for details of user access rights
D. Use a GAS to check the controls

ANSWER: B

Explanation: The CISA must first run a set of sample transactions and check authorization. Based on the
results, the impact and materiality of this could be reported.

15. An IS auditor has been called in to conduct an audit in an organization that is installing an ERP
across key functions. What would be the FIRST step?
A. Study the functions being displaced by the ERP system and its controls
B. Study the impact of the new ERP implementation and then prepare the audit plan
C. Add ERP into the scope of the audit charter
D. Ask for all ERP controls in various functions

ANSWER: B

Explanation: An ERP implementation will have a huge impact on IS controls in the system. Therefore, it is
imperative that the IS auditor studies the impact of the ERP implementation and then plans the audit.

16. A CISA has been asked as part of scope to review the work of an outsourced provider who is
undertaking backup and batch processing for the IS Department. What would be the next step?
A. Include an audit of the Outsourced Service Provider
B. Review the audit of the service provider
C. Review the Outsourced Provider’s contractual agreements
D. Review the service level agreements and the service delivery reports

ANSWER: D

Explanation: The CISA would find an objective basis for the evaluation of the outsourced services by
reviewing the actual performance of the service provider documented in the Service Delivery reports
against the Service level agreement contracted.

17. Before an audit, the IS auditor has been asked by the auditee management to provide good
auditing practices and checklists to ensure required controls are in place. Can the IS auditors
provide these lists and still independently and objectively carry out the audit?
A. Checklists should not be provided as auditees could pre-prepare the audit systems.
B. Checklists can be provided so that IT controls are strong.
C. Checklists can be provided with the understanding that audit scope may cover areas not in the
checklist.
D. Checklists should not be provided as the IS auditor has already exposed the controls to be
checked.

ANSWER: C

Explanation: The IS auditor can perform a comprehensive audit beyond the Checklist points and details.
The auditee management can at best use the checklist to continuously monitor and address issues on IT
systems which would not affect the audit scope or integrity.

18. A CISA is planning an IS compliance audit. Which of these would help determine the extent of
data collection?
A. Purpose, objective, and scope of the audit
B. Organization's size and nature of business
C. Previous year’s audit findings
D. CISA’s understanding of the organization’s business

ANSWER: A

Explanation: The purpose, objective, and scope of the audit directly indicate the quantum and extent of
data to be collected.

19. The CISA has been asked to conduct an IT systems review as part of scope. While reviewing the
prior audit findings, the CISA finds that the audit scope included several new applications, including a
CRM system that was installed last year. Since then, a new ERP has also been implemented. However,
the IT manager wishes the audit to focus on the CRM system as it faces customers and several
complaints have been raised. How should the CISA respond?
A. Audit only the CRM system as it is part of the scope
B. Audit all the systems
C. Find the highest-risk systems and plan audit based on these results
D. Audit only the ERP application as it has significant controls

ANSWER: C

Explanation: A risk-based approach requires conducting a risk assessment and then taking a decision
based on the risk posed to the organization.

20. Just before a critical Go Live of an e-commerce system, a CISA has been asked to review the
security controls. The CISA undertakes a penetration test with inconclusive results. There is no
time left for further testing. What should the CISA do?
A. Prepare the audit report without published evidence of inconclusive testing.
B. Ask for a postponement of the scheduled go-live date till additional testing is carried out.
C. Prepare the audit report based on the available results and recommend follow-up audit testing.
D. Recommend audit postponement as audit work cannot be completed within the agreed time
frame.

ANSWER: C

Explanation: If the CISA is unable to get sufficient data on controls for a critical system within the agreed
audit schedule, this should be mentioned in the audit report and follow-up testing recommended for a
later date. Management can then make an informed choice.

21. An IS auditor has been asked to undertake a compliance audit of a defense organization that
operates an online system that contains sensitive information. What should be the IS auditor’s
FIRST step?
A. Review Network and firewall controls of the online system
B. Review legal and regulatory requirements regarding data privacy
C. Review Asset Register and IS organizational chart
D. Review IS policies and procedures

ANSWER: B

Explanation: The audit criteria would be defined by the legal and regulatory requirements and the audit
should, therefore, review compliance and context of laws, regulations, policies, and procedures.

22. The CISA has discovered significant deterioration in the performance of an organization's
network during the audit. What should be the IS auditor’s next step?
A. Check the antivirus controls
B. Check network protocols
C. Check network devices
D. Check network topology

ANSWER: D

Explanation: By studying the network topology, the CISA can quickly understand the potential points of
failure or bottlenecks and then review the specific areas of the network requiring more detailed
analysis.

23. A CISA is reviewing data mining and auditing software to be used in future IS audits. What is the
first requirement?
A. Provide the right data for sampling through interfaces with organization systems
B. Provide audit hooks to support continuous auditing
C. Support customized audit programming to assist in investigative analysis
D. Capture data accurately from systems without causing performance problems

ANSWER: A

Explanation: The tool must firstly work effectively by interfacing with various systems in the organization
and provide meaningful data for analysis.

24. A CISA has been asked to study the process being used for the protection of digital evidence.
Which of the following findings could cause the MOST concern?
A. During evidence retrieval, the data owner was absent.
B. No logs were available for transportation of evidence.
C. The contents of the systems were not systematically backed up.
D. The system was switched off by an investigator.

ANSWER: B

Explanation: According to the Security policy, data asset owners are identified and responsible for data.
Evidence must be handled properly through a documented chain of custody and having no logs available
could imply that the evidence could have been manipulated in a physical or logical manner.

25. A CISA has been asked to audit an online e-commerce business with large volumes of
transactions. Which of the following audit techniques is the MOST appropriate for proactively
reviewing emerging risk?
A. Computer-assisted audit (CAATs) usage
B. Sampling transaction logs
C. Reviewing controls and incidents
D. Continuous auditing

ANSWER: D

Explanation: To proactively review emerging risk, the implementation of continuous auditing would
ensure a near real-time feed of information to management. These automated reporting processes
would ensure quick implementation of corrective actions.

26. An IS auditor as part of the audit scope has been asked to review management's risk assessment
of information systems. Which of the following would the IS auditor review first?
A. Threats/vulnerabilities affecting the assets
B. Controls already in place
C. Effectiveness of the controls in place
D. Mechanism for monitoring the risk related to the assets

ANSWER: A

Explanation: The IS auditor would primarily focus on the risk related to the use of information assets in
isolation from the installed controls. The value of the systems or assets and the threats and
vulnerabilities affecting them is key to assessing the information systems risk.

27. An IS auditor is planning an IS audit. Identify the MOST critical step.
A. Identifying the audit members
B. Identifying the audit scope
C. Identifying the areas of significant risk
D. Identifying the audit schedule

ANSWER: C

Explanation: When designing a risk-based audit plan, it is important to identify the areas of highest risk
to determine the areas to be audited.

28. An IS auditor is planning to determine whether the operational effectiveness of controls is
properly applied to transaction processing. What is the MOST effective audit practice?
A. Testing of control design
B. Documentation review
C. Interviews with personnel
D. Substantive testing

ANSWER: A

Explanation: Tests of controls are the most effective procedure to assess whether controls accurately
support operational effectiveness and to assess whether the control is structured to meet a specific
control objective.

29. During an IS audit, the extent to which data will be collected is determined based on the:
A. availability of evidence.
B. purpose and scope of the audit being done.
C. auditor's familiarity with business processes.
D. auditor's familiarity with the organization.

ANSWER: B

Explanation: The extent to which data will be collected during an IS audit should be related directly to
the scope and purpose of the audit.

30. An IS auditor is reviewing a Marketing Services organization in terms of logical access and
notices that user IDs are shared among agents while administering their customer accounts.
What is the MOST appropriate action for an IS auditor to take?
A. Document findings which explain the risk of using shared IDs
B. Inform management about the issue
C. Review audit logs of all agent IDs
D. Ask the IT Security Head to remove the IDs from the system

ANSWER: A

Explanation: An IS auditor must detect and document findings and control deficiencies, and report them
in the audit report. The findings should highlight how the use of shared IDs is not recommended, as it
does not allow for accountability of transactions.

31. A CISA is conducting a compliance test to determine whether controls support management
policies and procedures. The test assists the CISA to:
A. review the control objective.
B. check the integrity of data controls.
C. review the reporting controls.
D. check that the control is operating as needed.

ANSWER: D

Explanation: Compliance tests are used to test the existence and effectiveness of a defined process. IS
auditors want reasonable assurance on the controls they rely on. An effective control is one that meets
management expectations and objectives and is operating as designed.

32. A CISA has been requested to conduct an IS audit to identify payroll overpayments for the
previous year. Which technique should the CISA use?
A. Use Generalized audit software
B. Generate sample test data
C. Use Integrated test facility
D. Use embedded audit module

ANSWER: A

Explanation: A CISA using generalized audit software could design appropriate tests to recompute the
payroll, thereby determining whether there were overpayments and to whom they were made.
Generalized audit software generally has features such as mathematical computations, stratification,
statistical analysis, sequence checking, duplicate checking, and recomputations.

33. A CISA during a security audit of IT processes has found that documented security procedures
did not exist. What should the CISA do?
A. Help IT department create the required procedures
B. Halt the audit
C. Conduct substantive testing
D. Identify and evaluate existing practices

ANSWER: D

Explanation: The CISA looks to identify potential risk and would therefore be able to identify and
evaluate the existing security practices being followed by the organization. The findings and risk must be
provided to management with recommendations on documentation of the current controls and
enforcing the documented procedures.

34. A CISA performs a risk analysis and has identified threats and potential impacts. What is the next
step?
A. Assess the risk assessment process
B. Identify and evaluate the existing controls
C. Identify information assets
D. Review risks and potential threats

ANSWER: B

Explanation: The CISA must identify and evaluate the existence and effectiveness of existing and
planned controls so that the risk level can be calculated after the potential threats and possible impacts
are identified.

35. Which of the following is the MOST reliable evidence for an IS auditor?
A. Top management assuring that application controls are available
B. Data downloaded from Internet
C. IS auditor previous year report showing conformance
D. Official confirmation from a bank verifying an account balance

ANSWER: D

Explanation: Evidence obtained from independent third parties, such as a bank in this case, can always
be considered more reliable than assurance provided by management, a previous year's audit, or the
internet.

36. An IS auditor is evaluating the collective effect of preventive, detective and corrective controls
within a process. Which of the following is true in this instance?
A. Preventive and detective controls are most significant.
B. Corrective controls are compensating controls.
C. Asset owners indicate the missing controls.
D. The point at which controls are exercised as data flows through the system.

ANSWER: D

Explanation: An IS auditor must focus on when controls are exercised as data flows through a computer
system.

37. An IS auditor is reviewing evidence of the segregation of duties in an IS department. Which audit
method would be BEST used?
A. Observation and employee interviews
B. Security policies review
C. Organization chart and roles and responsibilities review
D. Testing of user access controls

ANSWER: A

Explanation: An IS auditor can observe the IS staff performing their tasks and whether they are
performing any incompatible operations. By interviewing the IS staff, the auditor gets an overview of the
tasks performed. Based on this, the IS auditor can evaluate the segregation of duties.

38. A CISA has reviewed the disaster recovery planning (DRP) process of an organization and asks
for a meeting with top management to discuss findings. Why would the CISA do this?
A. To halt the audit as process is inadequate
B. To ensure management implement corrective actions
C. To review audit scope and objectives
D. To ensure factual accuracy of the findings

ANSWER: D

Explanation: The CISA has requested the meeting most likely to confirm the factual accuracy of the audit
findings and present an opportunity for management to agree on or respond to recommendations for
corrective action.

39. A CISA has been asked to review a potentially fraudulent transaction and will evaluate the
transaction. What would be the next course of action?
A. Ensuring the integrity of evidence is maintained
B. Ensuring independence of IS auditor is maintained
C. Reviewing all relevant information
D. Setting a honeypot trap

ANSWER: C

Explanation: The IS auditor has been requested to perform an investigation to capture evidence which
may be used for legal purposes, and therefore, it is critical that the evidence be preserved.

40. A CISA is reviewing a system configuration. Which of the following would be the BEST evidence
in support of the current system configuration settings?
A. System configuration set provided by IS team
B. Report with configuration values retrieved from the system by the IS auditor
C. System configuration settings screenshot
D. Configuration audit report findings

ANSWER: B

Explanation: Evidence provided that is system-generated information cannot be modified before it is
presented to an IS auditor and is more reliable than information provided by various parties.

41. Why would a CISA request for data flow diagrams to review as part of the audit plan?
A. Review graphics of data paths and storage
B. Study the order of data hierarchically
C. Review data flow diagram design
D. Understand how data is generated

ANSWER: A

Explanation: The CISA would study the data flow diagram to understand the movement of data through
a process, as data flow diagrams chart data flow and storage by tracing data from its origin to its
destination, highlighting the paths and storage of data.

42. An IS auditor is reviewing evidence during an audit. Which of the following could be considered
as MOST reliable?
A. An auditee providing oral evidence during interview
B. Sample data results from an external IS auditor
C. A system-generated accounting report
D. Confirmation received from a customer

ANSWER: B

Explanation: An independent test with data results performed by an IS auditor can be considered the
most reliable source as an audit is carried out through inspection, observation, and inquiry determined
by risk.

43. Why would a CISA undertaking audit review the organization chart?
A. To understand how business is structured
B. To review communication channels
C. To understand top management
D. To understand individual roles, authority, and responsibility

ANSWER: D

Explanation: The organizational chart is key for the CISA to understand roles and responsibilities and
reporting lines as it provides information about the responsibilities and authority of individuals in the
organization and the proper segregation of functions.

44. An IS auditor has been asked to review the controls that govern system-generated exception
reports. Which of the following could BEST prove control effectiveness?
A. CEO confirms control effectiveness
B. Review the access control for these reports
C. Review the System-generated exception reports over a period
D. Review template of the system-generated exception report

ANSWER: C

Explanation: The IS auditor would find the best form of evidence in the form of a system-generated
report as it is documented evidence of the effective operation of the control.

45. Why would a CISA prefer to use an integrated test facility (ITF)?
A. The source of the transaction is system generated and needs no review.
B. A separate test process would not be required for need-based testing.
C. It continuously validates application systems through real-time testing.
D. It generates dummy test data.

ANSWER: B

Explanation: An ITF creates a fictitious entity in the database to process test transactions simultaneously
with live inputs and ensures periodic testing does not require separate test processes. It performs a test
transaction like a real transaction and validates that the transaction processing is done correctly.

46. A CISA has been asked to review a Purchase Order system. Which sampling method could be
used to verify whether purchase orders issued to vendors have been authorized according to
the authorization list?
A. Attribute sampling
B. Variable sampling
C. Preventive control
D. Unstratified mean per unit

ANSWER: A

Explanation: Attribute sampling is used for compliance testing; therefore, the attribute of whether each
purchase order was correctly authorized would be used to determine compliance with the authorization
list control.

47. A CISA is asked to review the accuracy of a financial tax calculation. What is the best method?
A. Through review and analysis of the source code of the calculation programs.
B. Prepare a simulated transaction for processing and comparing the results to predetermined
results.
C. Using generalized audit software to calculate monthly totals.
D. Review documentation of the calculation system.

ANSWER: B

Explanation: Creating a simulated transaction, processing it, and comparing the results to
predetermined results would be the best method for the CISA to confirm the accuracy of the tax calculation.

48. In general, an IS auditor performs a review of application controls to evaluate which of the
below?
A. Effectiveness of controls
B. Impact of exposure
C. Process controls
D. Application of access controls

ANSWER: B

Explanation: Primarily, an IS auditor undertakes an application control review to evaluate the
application's automated controls and an assessment of any exposures resulting from the control
weaknesses.

49. The CISA has concluded his closing meeting when an auditee informs him that corrective action
has already been taken on a finding. What should the CISA do?
A. Include all the findings in the final report
B. Not include this finding in the final report
C. Include this finding in the final report stating the corrective action
D. Include this finding in the final report with a closed status

ANSWER: A

Explanation: The CISA must include all findings in the final report even if corrective action was taken before
the audit ended. The audit report must identify the finding and describe the corrective action taken. An
audit report should reflect the status as it existed at the start of the audit.

50. The CISA has been asked to review auditing controls regarding sales returns as fraud is
suspected. Which of the following is the best sampling method?
A. Stop-Or-Go sampling
B. Substantive sampling
C. Discovery sampling
D. Detective sampling

ANSWER: C

Explanation: The CISA uses discovery sampling to verify whether a type of event has occurred.
Therefore, it is the best method to assess the risk of fraud and to identify whether fraud has occurred.

51. An IS auditor is developing a risk-based audit strategy. Why should a risk assessment be
conducted?
A. To check if vulnerabilities and threats are identified
B. To verify if audit risk has been considered
C. To verify controls to mitigate risk are available
D. To determine if a gap analysis is appropriate

ANSWER: A

Explanation: The IS auditor conducts a risk assessment to ensure that the risk and vulnerabilities are
understood while developing a risk-based audit strategy. This lays out the audit areas and coverage.

52. At the closing meeting, an auditee vehemently disagrees with a finding stating it is not material.
What action should the CISA take?
A. Remove the finding after ensuring auditee signs a form accepting full legal responsibility
B. Halt the closing meeting till things calm down
C. Accept the auditee's remark and dilute the finding
D. Explain the significance of the finding and the risk of not correcting it

ANSWER: D

Explanation: It is important for the IS auditor to explain and clarify risk and exposures of a finding as the
auditee may not grasp the magnitude of exposure.

53. An internal IS auditor has provided the audit report to the department manager who is disputing
the findings. What should the IS auditor first do?
A. Review and validate the supporting evidence for the findings
B. Reopen the audit and test the control again
C. Call a third party to verify the findings
D. Include the findings in the report with the department manager's comments

ANSWER: A

Explanation: The IS auditor must first revalidate the evidence for the findings; if, even after revalidating
and retesting, there is still a disagreement, the unresolved issues should be included in the report. The IS
auditor should support the conclusions with evidence, and any compensating controls or corrections
provided by the manager should also be considered.

54. When would the IS auditor use statistical sampling instead of judgment or non-statistical
sampling?
A. When the sampling risk is unknown
B. When generalized audit software is not available
C. When the probability of error needs to be objectively quantified
D. When error rates are not known

ANSWER: C

Explanation: Statistical sampling is an objective method. For a chosen confidence level and expected error rate it determines the required sample size and allows the probability of error in the population to be quantified, which judgmental (non-statistical) sampling cannot do.
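
As an added worked example (not part of the original question bank), the following Python code shows the arithmetic that makes statistical sampling objective: it sizes an attribute (compliance) sample for a given confidence level, expected error rate and precision, and then projects an upper error limit from the errors actually found. It uses the normal approximation for a proportion; the z-values are the standard two-sided normal quantiles, and the error rates, sample counts and tolerable rate are constructed inputs.

```python
"""Attribute sampling: sizing a compliance sample and evaluating the result.

Added example, not part of the original question bank. It uses the normal
approximation for a proportion, so the numbers it produces are the ones a
statistical (not judgmental) sampling plan rests on: the sample size for a
given confidence level, expected error rate and precision, and the upper
error limit projected from the errors actually found. The z-values are
standard two-sided normal quantiles; every input value below is a
constructed illustration.
"""
import math

# Standard normal quantiles for common two-sided confidence levels.
Z_VALUES = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}


def sample_size(confidence: float, expected_error_rate: float, precision: float) -> int:
    """Smallest n with  n >= z^2 * p * (1 - p) / e^2.

    p is the expected deviation rate (from prior audits or a pilot sample),
    e is the precision, i.e. the tolerable deviation rate minus p.
    """
    if not 0 < expected_error_rate < 1 or precision <= 0:
        raise ValueError("expected_error_rate must be in (0, 1) and precision > 0")
    z = Z_VALUES[confidence]
    p = expected_error_rate
    return math.ceil(z * z * p * (1 - p) / (precision ** 2))


def projected_error_rate(confidence: float, errors_found: int, n: int) -> tuple:
    """Sample deviation rate and the half-width of its confidence interval.

    Returns (sample_rate, half_width); the upper error limit is their sum.
    Caveat: with zero errors found the normal approximation collapses to a
    zero-width interval; exact (binomial or Poisson) tables are used then.
    """
    z = Z_VALUES[confidence]
    rate = errors_found / n
    half_width = z * math.sqrt(rate * (1 - rate) / n)
    return rate, half_width


def within_tolerance(confidence: float, errors_found: int, n: int,
                     tolerable_rate: float) -> bool:
    """True when the upper error limit does not exceed the tolerable rate,
    i.e. the control can be relied upon at the chosen confidence level."""
    rate, half_width = projected_error_rate(confidence, errors_found, n)
    return rate + half_width <= tolerable_rate


if __name__ == "__main__":
    # Constructed scenario: 5% expected deviations, 8% tolerable, 95% confidence.
    n = sample_size(0.95, 0.05, 0.03)
    print(f"sample {n} items")
    for found in (8, 15):
        rate, hw = projected_error_rate(0.95, found, n)
        print(f"{found} errors: rate {rate:.3f} +/- {hw:.3f}, "
              f"rely on control: {within_tolerance(0.95, found, n, 0.08)}")
```

The point for the exam question is the last function: because the sample was sized statistically, the auditor can state that the population error rate is below the tolerable rate at 95% confidence, or that it is not, rather than offering an opinion on a judgmentally chosen sample.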

55. A CISA is reviewing an outsourced operation for Network administration and determines that
the procedures to monitor remote network administration activities are inadequate. However,
the IS Head points out that this is primarily a help desk activity with Help Desk procedures.
There are intrusion detection system (IDS) and firewalls with supporting logs. What should the
CISA do?
A. Revise the finding in the audit report
B. Retract the finding because the IDS log is activated
C. Retract the finding because the firewall rules are monitored
D. Document the identified findings in the audit report

ANSWER: D
Explanation: The IS auditor must take the additional information provided by the auditee into consideration and include the management response in the report, but this does not remove the requirement to report the finding. The existence of IDS and firewall logs does not by itself demonstrate that remote administration activities are monitored, and retracting or revising the finding on the auditee's word alone would compromise the auditor's independence.

56. An IS auditor is to review the design of network monitoring controls and the network. What will
the auditor first review?
A. Network bandwidth
B. System capacity and availability reports
C. Topology diagrams
D. System chart

ANSWER: C

Explanation: The IS auditor first needs to understand the network being monitored. Topology diagrams document what exists and how it is connected; reviewing them for completeness, accuracy and currency gives the basis on which the design of the network monitoring controls can then be evaluated.

57. The CISA auditor is entering his findings on a computer system when a virus is detected. What
should the next step be?
A. Take no action and report findings later in the audit report.
B. Ask the IT department to run the virus diagnostic tool.
C. Inform the appropriate personnel immediately.
D. Run the local virus tool to delete the virus.

ANSWER: C

Explanation: The CISA should inform the appropriate personnel immediately so that the organization's incident response process is initiated, and then await their response. Removing the virus personally, informally delegating the diagnosis, or deferring the matter to the audit report is not the auditor's role.

58. A CISA during the planning stage of an IS audit would primarily aim at:
A. collecting sufficient evidence.
B. designing the appropriate tests.
C. identifying audit resources.
D. meeting audit objectives.

ANSWER: D

Explanation: ISACA IS Audit and Assurance Standards require that an IS auditor plan the audit work to
address the audit objectives.
59. A CISA should use professional judgment when selecting audit procedures to ensure _____.
A. audit findings are addressed in time
B. control weaknesses will be identified
C. adequate evidence will be collected
D. appropriate auditors would conduct the audit

ANSWER: C

Explanation: ISACA's guidelines provide information on how to meet the standards when performing IS
audit work. A CISA would use professional judgment which is a subjective and often qualitative
evaluation of conditions arising in the course of an audit. This could arise in assessing the sufficiency of
evidence to be collected.

60. An IS auditor needs to verify that the tape library inventory records are accurate and has
decided to carry out a substantive test. Which test would the IS auditor use?
A. Checking back up procedures
B. Ensuring authorization of tape movement
C. Physically counting the tape inventory
D. Reviewing logs of receipts and issues of tapes

ANSWER: C

Explanation: The IS auditor carries out a substantive test by gathering evidence to evaluate the
completeness, accuracy or validity of individual transactions, data or other information and would
therefore conduct a physical count of the tape inventory.

61. The Capability Maturity Model Integration (CMMI) approach is used frequently by software
development organizations. Which of the following is NOT correct regarding CMMI?
A. It is a model for incremental improvement.
B. It was built on the Agile Framework model.
C. It helps the organization evolve from one level to the next and constantly improves its
processes.
D. It was created for process improvement and developed by Carnegie Mellon.

ANSWER: B

Explanation: CMMI was developed at Carnegie Mellon's Software Engineering Institute as the successor to the Capability Maturity Model (CMM). It is a staged model for incremental process improvement and was not built on an Agile framework.

62. The CISA is asked to perform a computer forensic investigation and is collecting evidence. What
would be the primary concern?
A. Collection
B. Data integrity
C. Preservation
D. Disclosure

ANSWER: C

Explanation: The CISA would be aware that failure to properly preserve evidence could jeopardize
admissibility in legal proceedings. Therefore, preservation and documentation of evidence for review by
law enforcement and judicial authorities is paramount in this type of audit.

63. An IS auditor is auditing an organization and finds during an interview of an employee that the
responses do not match job descriptions and documented procedures. What should the IS
auditor do?
A. Halt the audit
B. Report a finding that this controls is inadequate
C. Increase audit scope to include substantive testing
D. Review the job descriptions

ANSWER: C

Explanation: The IS auditor would expand the audit scope to include additional substantive tests to confirm whether the documented procedures and job descriptions are actually in place and followed, or whether the employee was simply unable to articulate the true description of his responsibilities.

64. A CISA has completed an extensive Network audit and reports an audit finding that notes the
lack of firewall protection features at the perimeter network gateway. The audit
recommendation includes a named software product to address this vulnerability. Which of the
following could the CISA have possibly failed to observe?
A. Audit acumen
B. Professional independence
C. Professional ethics
D. Professional competence

ANSWER: B

Explanation: By recommending a specific named product, the CISA has compromised professional independence. The recommendation should describe the control required, not a vendor's product.
65. The CISA has planned an audit and has decided to undertake a functional walk-through as a part
of the process. Why is this planned?
A. To understand organizational culture
B. To identify control weakness
C. To understand the business process
D. To plan audit conduct through this sampling

ANSWER: C

Explanation: The CISA needs to understand the business process to conduct an audit. A walk-through
promotes understanding.

66. Why must an auditor always conduct a meeting with auditees prior to formal audit closure?
A. To ensure no area was neglected
B. To review feedback on audit conduct
C. To ensure agreement on the findings
D. To allow time for disagreements over findings

ANSWER: C

Explanation: The IS auditor meets with auditees prior to formally closing a review to gain agreement on
the findings and understand management responses.

67. An IS auditor has been asked to audit application system change controls. What would BEST
help the IS auditor to verify if there were unauthorized program changes since the last
authorized program update?
A. Source code compilation
B. Configuration library check
C. Coding standards
D. Automated code comparison

ANSWER: D

Explanation: The IS auditor would use an automated code comparison to compare the current production version of the program with the last authorized version and determine whether they correspond. Any difference that cannot be traced to an authorized change request indicates an unauthorized modification.
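
As an added example (not part of the original question bank), the following Python script performs the automated code comparison the explanation describes: it hashes every program in the approved baseline and in production, classifies each as unchanged, modified, added or removed, and emits a unified diff for modified ones so the auditor can match each change against the authorized change records. The file names and COBOL-like source lines are constructed for illustration.

```python
"""Automated code comparison for a change-control audit.

Added example, not part of the original question bank. Compares the last
authorized release of program sources with the copy running in production,
flags files whose hash differs, and shows exactly which lines changed. All
file names and source text below are constructed for illustration.
"""
import difflib
import hashlib

# Constructed sample: the last authorized release, as held in the
# configuration library (file name -> source text).
BASELINE = {
    "payroll.cbl": "MOVE GROSS TO NET.\nSUBTRACT TAX FROM NET.\n",
    "report.cbl": "DISPLAY 'MONTHLY REPORT'.\n",
}

# Constructed sample: what is actually deployed. One file carries an
# undocumented change, one is unchanged, one was never in the baseline.
PRODUCTION = {
    "payroll.cbl": "MOVE GROSS TO NET.\nSUBTRACT TAX FROM NET.\nADD 500 TO NET.\n",
    "report.cbl": "DISPLAY 'MONTHLY REPORT'.\n",
    "backdoor.cbl": "IF USER = 'ADMIN' PERFORM SKIP-AUTH.\n",
}


def digest(source: str) -> str:
    """SHA-256 of the source text: a cheap first pass before line-level diffs."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def compare_programs(baseline: dict, production: dict) -> dict:
    """Classify every program as unchanged, modified, added or removed.

    Returns file name -> {"status": ..., "diff": [...]}; for modified files
    the diff holds unified-diff lines the auditor can trace to change tickets.
    """
    result = {}
    for name in sorted(set(baseline) | set(production)):
        if name not in production:
            result[name] = {"status": "removed", "diff": []}
        elif name not in baseline:
            result[name] = {"status": "added", "diff": production[name].splitlines()}
        elif digest(baseline[name]) == digest(production[name]):
            result[name] = {"status": "unchanged", "diff": []}
        else:
            diff = list(difflib.unified_diff(
                baseline[name].splitlines(), production[name].splitlines(),
                fromfile=f"baseline/{name}", tofile=f"production/{name}",
                lineterm=""))
            result[name] = {"status": "modified", "diff": diff}
    return result


def exceptions(report: dict) -> list:
    """Names of programs that differ from the authorized baseline."""
    return [name for name, r in report.items() if r["status"] != "unchanged"]


if __name__ == "__main__":
    report = compare_programs(BASELINE, PRODUCTION)
    for name in exceptions(report):
        print(f"{name}: {report[name]['status']}")
        for line in report[name]["diff"]:
            print("   ", line)
```

In practice the baseline hashes would be recorded at the time of the authorized release and kept outside the control of the developers, so that the comparison itself cannot be defeated by updating both copies.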

68. The CISA would prepare the audit report keeping in mind the results are supported by _____.
A. adequate and appropriate audit evidence
B. in line with audit objectives
C. prior audit results
D. control self-assessment results

ANSWER: A

Explanation: ISACA's IS Audit and Assurance Standards on reporting requires that the IS auditor have
sufficient and appropriate audit evidence to support the reported results. The report should be based on
evidence collected during the course of the review.

69. An IS auditor who is reviewing an IT department finds that the organization is using software
that is not licensed. However, the IT Head is vehement in his denial. What should the IS auditor
do?
A. Report the finding and response in the audit report
B. Recheck the evidence of such software usage
C. Recheck by running an automated tool
D. Seek a confidential meeting with top management

ANSWER: B

Explanation: The IS auditor should first obtain sufficient evidence that unlicensed software is in use and then, to maintain objectivity and independence, must include the finding and the management response in the report.

70. Who makes the decision to include a material finding in an audit report?
A. IS auditor
B. Audit committee
C. Auditee
D. Top management

ANSWER: A

Explanation: The IS auditor makes the final decision about what to include in or exclude from the audit report. Allowing anyone else to make that decision would impair the auditor's independence.

71. An IS auditor is reviewing sensitive electronic work papers and observed they were not
encrypted. Why is this of concern?
A. It could compromise the versioning of the work papers.
B. It could compromise the confidentiality of work papers.
C. It could impact approval of the audit findings.
D. It could reveal weak access control rights to the work papers.

ANSWER: B
Explanation: The IS auditor would be concerned about lack of encryption as this would breach the
confidentiality of the work papers.

72. A CISA must obtain sufficient and appropriate audit evidence so that there is a _____.
A. basis for drawing reasonable conclusions
B. compliance with legal regulations
C. comprehensive audit coverage
D. meeting of the audit objectives

ANSWER: A

Explanation: The scope of an IS audit is driven by its objectives and identifying relevant control
weaknesses. The CISA must obtain sufficient and appropriate evidence to not only identify control
weaknesses but also document and validate them.

73. During the conduct of an audit, the CISA has reasons to believe that fraud may be present. What
should the CISA do?
A. Halt the audit report to the audit committee.
B. Report to the top management the possibility of fraud.
C. Expand audit to understand if an investigation is warranted.
D. Check with appropriate legal authorities.

ANSWER: C

Explanation: The CISA must first evaluate, by expanding the audit work, whether fraud is actually indicated, and then decide what additional action is necessary or whether an investigation should be recommended.

74. An IS auditor has been asked to review logical access controls. What should be the next step?
A. Review documented logical and physical controls
B. Understand the security risks to information processing
C. Review access controls authorized personnel
D. Review security policies and practices

ANSWER: B

Explanation: The IS auditor can understand the security risks facing information processing by reviewing
relevant documentation, by inquiries, and conducting a risk assessment. The IS auditor must ensure the
logical controls are adequate to address risk.
75. Which of the following should the IS audit charter that is built for an organization specify?
A. Audit schedules
B. Objectives and scope of IS audit engagements
C. Named audit personnel
D. Role of the IS audit function

ANSWER: D

Explanation: An IS audit charter primarily establishes the role of the IS audit function and would detail
the overall authority, scope, and responsibilities of the audit function.

76. A CISA is reviewing a Sales order processing system and wants to find duplicate invoice records
in the invoice master file. Which of the following methods should be used?
A. Variance sampling
B. Detective control
C. Computer-assisted audit techniques
D. Integrated test facility

ANSWER: C

Explanation: The CISA would use computer-assisted audit techniques or CAATs to review the entire
invoice file and look for those items that meet the selection criteria of duplicate records.
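
As an added example (not part of the original question bank), the following Python script applies a CAAT-style test to a constructed invoice master file. It reads the whole file rather than a sample and reports two kinds of duplicate: invoice numbers that appear more than once, and invoices with different numbers that share vendor, date and amount, which is the pattern a re-keyed or twice-paid invoice leaves behind. The column names and records are constructed for illustration.

```python
"""CAAT for duplicate-invoice detection over a full invoice master file.

Added example, not part of the original question bank. Reads every record
rather than a sample and reports two kinds of duplicates: repeated invoice
numbers, and invoices that differ only in number but share vendor, amount
and date. The CSV content below is constructed for illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed sample invoice master file.
INVOICE_CSV = """invoice_no,vendor_id,invoice_date,amount
1001,V100,2024-03-01,2500.00
1002,V200,2024-03-01,180.50
1001,V100,2024-03-01,2500.00
1003,V100,2024-03-02,2500.00
1004,V300,2024-03-03,990.00
1005,V100,2024-03-02,2500
"""


def load_invoices(text: str) -> list:
    """Parse the file into dicts. Amounts are normalised to integer cents so
    that '2500.00' and '2500' compare equal and no float rounding creeps in."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["amount_cents"] = round(float(row["amount"]) * 100)
    return rows


def duplicate_invoice_numbers(rows: list) -> dict:
    """invoice_no -> occurrences, for every number that appears more than once."""
    counts = defaultdict(int)
    for row in rows:
        counts[row["invoice_no"]] += 1
    return {no: n for no, n in counts.items() if n > 1}


def same_vendor_amount_date(rows: list) -> list:
    """Groups of distinct invoice numbers sharing vendor, date and amount."""
    groups = defaultdict(set)
    for row in rows:
        key = (row["vendor_id"], row["invoice_date"], row["amount_cents"])
        groups[key].add(row["invoice_no"])
    return [sorted(numbers) for numbers in groups.values() if len(numbers) > 1]


if __name__ == "__main__":
    invoices = load_invoices(INVOICE_CSV)
    print("Repeated invoice numbers:", duplicate_invoice_numbers(invoices))
    print("Possible double entries:", same_vendor_amount_date(invoices))
```

The same two tests are typically written as GROUP BY ... HAVING COUNT(*) > 1 queries in generalized audit software; the second test is the one a simple key check misses, because each record has a unique invoice number.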

77. An IS auditor is auditing a new implementation of ERP in an organization and is concerned about
segregation of duties not being followed. What can the auditor do?
A. Construct security roles matrix to identify potential conflicts in authorization
B. Review security rights in ERP
C. Reviewing the ERP documentation
D. Review other ERP instances of violation of segregation of duties

ANSWER: A

Explanation: The IS auditor can best build a matrix of roles against the functions they grant to identify conflicting authorizations in the ERP. This exposes segregation-of-duties violations systematically, which a review of individual rights or of the documentation alone would not.
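
As an added example (not part of the original question bank), the following Python code builds the security roles matrix the explanation describes: given which functions each ERP role grants and which pairs of functions must not sit with one person, it reports the role pairs that conflict and the users whose combined roles actually violate segregation of duties. The role names, functions, conflict pairs and user assignments are constructed for illustration; a real review would load them from the ERP's role and authorization tables.

```python
"""Segregation-of-duties (SoD) conflict matrix for an ERP access review.

Added example, not part of the original question bank. Role names,
functions, conflict pairs and user assignments are constructed for
illustration; in practice they come from the ERP's authorization tables.
"""
from itertools import combinations

# Functions each ERP role grants (constructed).
ROLE_FUNCTIONS = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "TREASURY": {"release_payment"},
    "PAYROLL_ADMIN": {"maintain_employee_master", "run_payroll"},
    "READ_ONLY": {"view_reports"},
}

# Pairs of functions that must not be held by one person (constructed).
CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"approve_payment", "release_payment"}),
    frozenset({"maintain_employee_master", "run_payroll"}),
}

# User-to-role assignments extracted from the ERP (constructed).
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},
    "carol": {"AP_MANAGER", "TREASURY"},
    "dave": {"PAYROLL_ADMIN"},
    "erin": {"READ_ONLY"},
}


def role_conflict_matrix(role_functions: dict, conflicts: set) -> dict:
    """(role1, role2) -> conflicting function pairs granted by holding both.

    A role is also paired with itself, so a single role that bundles two
    conflicting functions is flagged even if assigned on its own.
    """
    roles = sorted(role_functions)
    pairs = list(combinations(roles, 2)) + [(r, r) for r in roles]
    matrix = {}
    for r1, r2 in pairs:
        granted = role_functions[r1] | role_functions[r2]
        hits = sorted(tuple(sorted(c)) for c in conflicts if c <= granted)
        if hits:
            matrix[(r1, r2)] = hits
    return matrix


def user_violations(user_roles: dict, role_functions: dict, conflicts: set) -> dict:
    """user -> conflicting function pairs their combined roles actually grant."""
    violations = {}
    for user, roles in user_roles.items():
        granted = set().union(*(role_functions[r] for r in roles))
        hits = sorted(tuple(sorted(c)) for c in conflicts if c <= granted)
        if hits:
            violations[user] = hits
    return violations


if __name__ == "__main__":
    for pair, hits in role_conflict_matrix(ROLE_FUNCTIONS, CONFLICTS).items():
        print("role conflict", pair, hits)
    for user, hits in user_violations(USER_ROLES, ROLE_FUNCTIONS, CONFLICTS).items():
        print("SoD violation", user, hits)
```

The matrix answers the design question (which role combinations must never be granted together) while the per-user pass answers the compliance question (who holds them today); in the constructed data PAYROLL_ADMIN conflicts with itself, which is the case a review of role pairs alone would miss.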

78. An IS auditor is reviewing several production systems as part of audit scope. Which of the
following would the auditor use to verify unauthorized modifications in production programs?
A. Production system logs review
B. Forensic analysis
C. Compliance testing
D. Detective controls

ANSWER: C

Explanation: The IS auditor could use compliance testing to verify that the change management process
has been applied consistently and that only authorized modifications were made to production
programs.

79. A CISA is undertaking a review of a change control of an application and observes that the
change management process is not formally documented, leading to failure. What should be the
next step?
A. Undertaking root cause analysis to gain assurance on findings
B. Asking the IT department to document the change process
C. Redesigning the change management process
D. Documenting the findings and presenting it to management

ANSWER: A

Explanation: The CISA must first undertake a root cause analysis to verify why the current process is not being followed, and whether the failures are actually attributable to deficiencies in the change management process, before recommending any other action.

80. What is the MOST important component of a privacy policy?
A. Notifications
B. Warranties
C. Liabilities
D. Geographic coverage

ANSWER: A

Explanation: Privacy policies must contain notifications and opt-out provisions; they are a high-level
management statement of direction. They do not necessarily address warranties, liabilities or
geographic coverage, which are more specific.

81. The PRIMARY purpose of an IT forensic audit is _____.
A. to detect corporate fraud
B. to collect and analyze evidence after a system irregularity
C. to review financial integrity
D. to detect criminal activity

ANSWER: B

Explanation: A forensic audit is used to systematically collect and analyze evidence after a system
irregularity to be used in judicial proceedings.

82. An IS auditor is using an integrated test facility (ITF). What caution should be exercised?
A. Test data should be generated
B. Production data should be isolated from test data
C. Test data should not be manipulated
D. Dummy data is used for testing

ANSWER: B

Explanation: The IS auditor when using an integrated test facility creates a fictitious file in the database,
allowing for test transactions to be processed simultaneously with live data. The test data must
therefore be kept separate from production data.

83. An IS auditor has been assigned to conduct a test that compares job run logs to computer job
schedules. Which of the following observations would be of the greatest concern to the IS
auditor?
A. There are a growing number of emergency changes.
B. There were instances when some jobs were not completed on time.
C. There were instances when some jobs were overridden by computer operators.
D. Evidence shows that only scheduled jobs were run.

ANSWER: C

Explanation: The overriding of computer processing jobs by computer operators could lead to
unauthorized changes to data or programs. This is a critical control and therefore of concern.
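
As an added example (not part of the original question bank), the following Python script carries out the test in the question: it reconciles a constructed batch schedule against a constructed job run log and lists the exceptions in order of concern, with operator-initiated or operator-cancelled events first, followed by jobs that were never scheduled, scheduled jobs that did not run or did not complete, and late starts. The log format, the scheduler actor name and the 30-minute tolerance are assumptions for illustration.

```python
"""Reconciling job run logs against the batch schedule.

Added example, not part of the original question bank. The schedule, the
log format (timestamp|job|event|actor|return code), the SCHEDULER actor
name and the lateness tolerance are all assumptions for illustration.
"""
from datetime import datetime, timedelta

# Constructed schedule: job name -> planned start (HH:MM) for the audit day.
SCHEDULE = {
    "GL_CLOSE": "01:00",
    "AP_PAYRUN": "02:00",
    "BACKUP_FULL": "03:00",
    "RPT_DAILY": "05:00",
}

# Constructed run log. An operator cancels the scheduled payment run and
# launches an unscheduled job by hand; the backup starts late; the daily
# report never runs.
RUN_LOG = """2024-03-01 01:00:05|GL_CLOSE|START|SCHEDULER|
2024-03-01 01:25:40|GL_CLOSE|END|SCHEDULER|0
2024-03-01 02:00:02|AP_PAYRUN|START|SCHEDULER|
2024-03-01 02:03:11|AP_PAYRUN|CANCEL|OPR_JSMITH|
2024-03-01 02:10:00|AP_PAYRUN_FIX|START|OPR_JSMITH|
2024-03-01 02:30:00|AP_PAYRUN_FIX|END|OPR_JSMITH|0
2024-03-01 03:45:01|BACKUP_FULL|START|SCHEDULER|
2024-03-01 06:10:00|BACKUP_FULL|END|SCHEDULER|0
"""

LATE_TOLERANCE = timedelta(minutes=30)


def parse_log(text: str) -> list:
    """Split the pipe-delimited log into event dicts with parsed timestamps."""
    events = []
    for line in text.strip().splitlines():
        ts, job, event, actor, rc = line.split("|")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "job": job, "event": event, "actor": actor, "rc": rc})
    return events


def reconcile(schedule: dict, events: list, day: str,
              tolerance: timedelta = LATE_TOLERANCE) -> dict:
    """Compare the log with the schedule and return exceptions by type."""
    first_start, completed = {}, set()
    for e in events:
        if e["event"] == "START":
            first_start.setdefault(e["job"], e["ts"])
        elif e["event"] == "END" and e["rc"] == "0":
            completed.add(e["job"])

    report = {
        # Greatest concern: a person bypassed the scheduler. Every such event
        # must be matched to an authorized emergency change or incident record.
        "operator_override": [(e["job"], e["event"], e["actor"])
                              for e in events if e["actor"] != "SCHEDULER"],
        "unscheduled": sorted(set(first_start) - set(schedule)),
        "not_run": [j for j in schedule if j not in first_start],
        "not_completed": [j for j in schedule
                          if j in first_start and j not in completed],
        "late_start": [],
    }
    for job, hhmm in schedule.items():
        if job in first_start:
            planned = datetime.strptime(f"{day} {hhmm}", "%Y-%m-%d %H:%M")
            delay = first_start[job] - planned
            if delay > tolerance:
                report["late_start"].append((job, int(delay.total_seconds() // 60)))
    return report


if __name__ == "__main__":
    for kind, items in reconcile(SCHEDULE, parse_log(RUN_LOG), "2024-03-01").items():
        print(f"{kind}: {items}")
```

Late or missed jobs are operational issues; the operator override entries are the ones that can mean unauthorized changes to data or programs, which is why they head the report.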

84. A CISA who is auditing the networks in an organization finds physical devices connected to the
network but not included in the network diagram. The IT Head mentions that the network
diagram is obsolete and is being updated. What should the CISA do?
A. Include the devices not on network as part of scope
B. Review impact of the devices not included in the audit scope
C. Mention control deficiencies in the audit findings
D. Halt the audit and ask for scope revision

ANSWER: B
Explanation: The CISA must note that not every undocumented device on the network poses a risk to the systems under review. The auditor should first assess whether the devices affect the audit scope; if they do not, they may be excluded from the current engagement, although the outdated network diagram may still be noted.

85. Capability Maturity Model Integration (CMMI) is a process improvement approach that is used
to help organizations improve their performance and is also used as a framework for appraising
the process maturity of the organization. Which of the following is an incorrect mapping of the
levels based on this model?

1. Maturity Level 2 – Managed
2. Maturity Level 3 – Defined
3. Maturity Level 4 – Quantitatively Managed
4. Maturity Level 5 – Optimizing

A. 1
B. 1 and 2
C. All of them
D. None of them

ANSWER: D

Explanation: All four mappings are correct. The staged representation of CMMI defines five maturity levels: 1 Initial, 2 Managed, 3 Defined, 4 Quantitatively Managed and 5 Optimizing.

86. Which of the following does the Sarbanes–Oxley Act require the Public Company Accounting
Oversight Board (PCAOB) to do?
A. Register public accounting firms
B. Establish or adopt, by rule, auditing, quality control, ethics, independence, and other
standards related to preparation of the audit reports for issuers
C. Conduct inspections of accounting firms
D. All of the above

ANSWER: D

Explanation: The Sarbanes-Oxley Act of 2002, sponsored by Paul Sarbanes and Michael Oxley,
significantly changed federal securities law. Title I created the PCAOB and charged it with
registering public accounting firms, establishing auditing, quality control, ethics and
independence standards for audit reports of issuers, and inspecting registered firms. Section 404
also requires each annual report to include an internal control report in which management
assesses the effectiveness of internal control over financial reporting, attested by the external
auditor.

87. Identify an accurate statement about the Cyber Security Enhancement Act as
incorporated into the Homeland Security Act of 2002.
A. It demands life sentences for those hackers who recklessly endanger lives.
B. It requires ISPs to hand over records.
C. It does not outlaw publications such as details of PGP.
D. None of the above is correct.

ANSWER: B

Explanation: The Act amended the USA PATRIOT Act to further loosen restrictions on Internet
service providers (ISPs) as to when, and to whom, they can voluntarily release information
about subscribers.

88. Which of the following statements is true about the National Strategy to Secure
Cyberspace?

A. It applies only to the defense area.
B. It applies only to medical records.
C. Its objective is to reduce national vulnerability to cyber-attacks.
D. None of the above

ANSWER: C

Explanation: The National Strategy to Secure Cyberspace was drafted by the Department of
Homeland Security in reaction to the September 11, 2001 terrorist attacks. Released on
February 14, 2003, it offers suggestions to business, academic, and individual users of
cyberspace on securing computer systems and networks, and identifies three strategic objectives:
(1) Prevent cyber-attacks against America's critical infrastructures; (2) Reduce national
vulnerability to cyber-attacks; and (3) Minimize damage and recovery time from cyber-
attacks that do occur.

89. This Act is the first-ever federal privacy standard to protect patients' medical records.
A. Encrypted Communications Privacy Act of 1996
B. Privacy Act of 1974
C. HIPAA of 1996
D. All of the above

ANSWER: C

Explanation: HIPAA is the federal law that establishes standards for the privacy and security of health
information, as well as standards for electronic data interchange (EDI) of health information.
90. During a compliance audit of a small bank, the IS auditor notes that both the IT and accounting
functions are being performed by the same user of the financial system. Which of the following
reviews conducted by a supervisor would represent the BEST compensating control?
A. Audit trails that show the date and time of the transaction
B. A summary daily report with the total numbers and dollar amounts of each transaction
C. User account administration
D. Computer log files that show individual transactions in the financial system

ANSWER: D

Explanation: Computer logs will record the activities of individuals during their access to a computer
system or data file and will record any abnormal activities, such as the modification or deletion of
financial data.

91. An IS auditor suspects an incident is occurring while an audit is being performed on a financial
system. What should the IS auditor do FIRST?
A. Request the system be shut down to preserve evidence
B. Report the incident to management
C. Ask for immediate suspension of the suspect accounts
D. Immediately investigate the source and nature of the incident

ANSWER: B

Explanation: Reporting the suspected incident to management will help initiate the incident response
process, which is the most appropriate action. Management is responsible for making decisions
regarding the appropriate response. It is not the IS auditor's role to respond to incidents during an audit.

92. Which of the following responsibilities would MOST likely compromise the independence of an
IS auditor when reviewing the risk management process?
A. Participating in the design of the risk management framework
B. Advising on different implementation techniques
C. Facilitating risk awareness training
D. Performing a due diligence review of the risk management processes

ANSWER: A

Explanation: Participating in the design of the risk management framework involves designing controls,
which will compromise the independence of the IS auditor to audit the risk management process.
93. An enterprise is developing a strategy to upgrade to a newer version of its database software.
Which of the following tasks can an IS auditor perform without compromising the objectivity of
the IS audit function?
A. Advise on the adoption of application controls to the new database software
B. Provide future estimates of the licensing expenses to the project team
C. Recommend at the project planning meeting how to improve the efficiency of the migration
D. Review the acceptance test case documentation before the tests are carried out

ANSWER: D

Explanation: The review of the test cases will facilitate the objective of a successful migration and ensure
proper testing is conducted. An IS auditor can advise as to the completeness of the test cases.

94. Which of the following requirements has the lowest priority level in information security?
A. Technical
B. Regulatory
C. Privacy
D. Business

ANSWER: A

Explanation: Information security priorities may, at times, override technical specifications, which then
must be rewritten to conform to minimum security standards. Regulatory and privacy requirements are
government-mandated and, therefore, not subject to override. The needs of the business should always
take precedence in deciding the information security priorities.

95. Which of the following choices is the MOST likely cause of significant inconsistencies in system
configurations?
A. Lack of procedures
B. Inadequate governance
C. Poor standards
D. Insufficient training

ANSWER: B

Explanation: Governance is the rules the organization operates by and the oversight to ensure
compliance as well as feedback mechanisms that provide assurance that the rules are followed. A failure
of one or more of those processes is likely to be the reason that system configurations are inconsistent.
96. Which of the following choices is the MOST important consideration when developing the
security strategy of a company operating in different countries?
A. Diverse attitudes toward security by employees and management
B. Time differences and the ability to reach security officers
C. A coherent implementation of security policies and procedures in all countries
D. Compliance with diverse laws and governmental regulations

ANSWER: D

Explanation: In addition to laws varying from one country to another, they can also conflict, making it
difficult for an organization to create an overarching enterprise security policy that adequately
addresses the requirements in each nation. The repercussions of failing to adhere to multiple legal
frameworks at the same time go well beyond the impacts of the other considerations listed.

97. What is the MOST important element to consider when developing a business case for a
project?
A. Feasibility and value proposition
B. Resource and time requirements
C. Financial analysis of benefits
D. Alignment with organizational objectives

ANSWER: A

Explanation: Feasibility and the value proposition are the primary considerations in deciding whether a project should proceed at all; the other items support or refine that assessment.

98. The enactment of policies and procedures to prevent hacker intrusions is an example of an
activity that belongs to _____.
A. Risk management
B. Compliance
C. IT management
D. Governance

ANSWER: D

Explanation: Governance is concerned with implementing adequate mechanisms for ensuring that
organizational goals and objectives can be achieved. Policies and procedures are common governance
mechanisms.

99. Which of the following choices is a necessary attribute of an effective information security
governance framework?
A. An organizational structure with minimal conflicts of interest, sufficient resources, and defined
responsibilities
B. Organizational policies and guidelines in line with predefined procedures
C. Business objectives aligned with a predefined security strategy
D. Security guidelines that address multiple facets of security such as strategy, regulatory
compliance, and controls

ANSWER: A

Explanation: An information security framework will help ensure the protection of information assets
from confidentiality, integrity and availability perspectives. Organizational structures that minimize
conflicts of interest are important for this to work effectively.

100. Business goals define the strategic direction of the organization. Functional goals define
the tactical direction of a business function. Security goals define the security direction of the
organization. What is the MOST important relationship between these concepts?
A. Functional goals should be derived from security goals.
B. Business goals should be derived from security goals.
C. Security goals should be derived from business goals.
D. Security and business goals should be defined independently.

ANSWER: C

Explanation: Security goals should be developed based on the overall business strategy. The business
strategy is the most important steering mechanism for directing the business and is defined by the
highest management level.

101. Maturity levels are an approach to determine the extent that sound practices have been
implemented in an organization based on outcomes. Another approach developed to essentially
achieve the same result is _____.
A. Controls applicability statements
B. Process performance and capabilities
C. Probabilistic Risk Assessment
D. Factor Analysis of Information Risk

ANSWER: B

Explanation: Process performance and capabilities provides a more detailed perspective of maturity
levels and serves essentially the same purpose.
102. Information security governance must be integrated into all business functions and
activities PRIMARILY to:
A. maximize security efficiency.
B. standardize operational activities.
C. achieve strategic alignment.
D. address operational risk.

ANSWER: D

Explanation: All aspects of organizational activities pose risk that is mitigated through effective
information security governance and the development and implementation of policies, standards, and
procedures.

103. An IS auditor discovers some users have installed personal software on their PCs. This is
not explicitly forbidden by the security policy. The BEST approach for an IS auditor should be to
recommend the:
A. IS department implement control mechanisms to prevent unauthorized software installations.
B. security policy be updated to include specific language regarding unauthorized software.
C. IS department prohibit the download of unauthorized software.
D. users to obtain approval from an IS manager before installing nonstandard software.

ANSWER: A

Explanation: An IS auditor's obligation is to report on observations noted and make the best
recommendation, which is implementing preventive controls to prohibit unauthorized software
installation. Lack of specific language addressing unauthorized software in the acceptable use policy is a
weakness in administrative controls. Strengthening administrative controls is useful, but not as effective
as implementing preventive control mechanisms. Preventing downloads of unauthorized software is not
the complete solution. Unauthorized software can be also introduced through CDs and USB drives.
Requiring approval from the IS manager before installation of the nonstandard software is an exception
handling control. It would not be effective unless a preventive control to prohibit user installation of
unauthorized software is established first.

104. Which of the following represents an example of a preventive control with respect to IT
personnel?
A. Review of visitor logs for the data center
B. A log server that tracks logon IP addresses of users
C. Implementation of a badge entry system for the IT facility
D. An accounting system that tracks employee telephone calls

ANSWER: C
Explanation: Preventive controls are used to reduce the probability of an adverse event occurring. A
badge entry system would prevent unauthorized entry to the facility. Review of visitor logs, log servers,
or telephone call accounting systems are detective controls in most circumstances.

105. Which of the following choices is MOST likely to ensure that responsibilities are carried
out?
A. Signed contracts
B. Severe penalties
C. Assigned accountability
D. Clear policies

ANSWER: C

Explanation: Assigning accountability to individuals is most likely to ensure that duties are properly
carried out.

106. Identify the MOST important requirement when developing information security
governance.
A. Complying with applicable corporate standards
B. Achieving cost-effectiveness of risk mitigation
C. Obtaining consensus of business units
D. Aligning with organizational goals

ANSWER: D

Explanation: Information security governance is the set of responsibilities and practices exercised by the
board and executive management with the goal of providing strategic direction, ensuring that objectives
are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise’s
resources are used responsibly. It should support and reflect the goals of the organization.

107. What is the most important consideration when developing a business case for an
information security investment?
A. The impact on the risk profile of the organization
B. The acceptability to the board of directors
C. The implementation benefits
D. The affordability to the organization

ANSWER: C
Explanation: A business case is defined as documentation of the rationale for making a business
investment, used both to support a business decision on whether to proceed with the investment and as
an operational tool to support management of the investment through its full economic life cycle. A
business case covers not only long-term benefits, but short-term ones and the costs.

108. The acceptable limits of organizational standards are PRIMARILY determined by _____.
A. likelihood and impact
B. risk appetite
C. relevant policies
D. a defined strategy

ANSWER: B

Explanation: Risk appetite is the amount of risk, on a broad level, that an entity is willing to accept in
pursuit of its mission. This would set the acceptable limits for organizational standards.

109. Which of the following should be an IS auditor's PRIMARY concern after discovering that
the scope of an IS project has changed and an impact study has not been performed?
A. The time and cost implications caused by the change
B. The risk that regression tests will fail
C. Users not agreeing with the change
D. The project team not possessing the skills to make the necessary change

ANSWER: A

Explanation: Any scope change might have an impact on the duration and cost of the project; that is the
reason why an impact study is conducted and the client is informed of the potential impact on the
schedule and cost. A change in scope does not necessarily impact the risk that regression tests will fail,
that users will reject the change or that the project team will lack the skills to make the change.

110. What is the MOST likely reason that an organizational policy can be eliminated?
A. There is no credible threat.
B. The policy is ignored by staff.
C. Underlying standards are obsolete.
D. The policy is not required by regulatory requirements.

ANSWER: A
Explanation: If it is certain that there is no threat, then there is no risk, and a policy is not needed to
address it.

111. Which of the following is the objective of an IS auditor discussing the audit findings with
the auditee?
A. Communicate results of the audit to senior management
B. Develop timelines for the implementation of suggested recommendations
C. Confirm the findings and develop a course of corrective action
D. Identify compensating controls to the identified risks

ANSWER: C

Explanation: Before communicating the results of an audit to senior management, the IS auditor will
review the findings with the auditee to confirm the accuracy of the findings and to develop a course of
corrective action. The IS auditor then finalizes and presents the report to the relevant levels of senior
management. Based on discussions with senior management/the audit committee, the IS auditor may
agree to develop an implementation plan for the suggested recommendations, along with the
timelines.

112. In addition to threat and vulnerability, which of the following choices is the MOST
important consideration to ensure the effectiveness of a continuous risk monitoring approach?
A. Impact
B. Risk
C. Frequency
D. Exposure

ANSWER: D

Explanation: Threat, vulnerability, and exposure constitute the essential elements to determine risk.
Exposure is the potential loss to an area due to the occurrence of an adverse event.

113. Which of the following items is the BEST basis for determining the value of intangible
assets?
A. Contribution to revenue generation
B. Business impact analysis
C. Threat assessment and analysis
D. Replacement costs

ANSWER: A
Explanation: The value of any business asset is generally based on its contribution to generating
revenues for the organization, both now and in the future.

114. Which of the following is the BEST way to establish a basis on which to build an
information security governance program?
A. Align the business with an information security framework
B. Understand the objectives of the various business units
C. Direct compliance with regulatory and legal requirements
D. Meet with representatives of the various security functions

ANSWER: B

Explanation: The governance program needs to be a comprehensive security strategy intrinsically linked
with business objectives. It is impossible to build an effective program for governance without
understanding the objectives of the business units, and the objectives of the business units can best be
understood by examining their processes and functions.

115. The CISA is reviewing a Stores Purchase application. How are the purchase orders
validated?
A. Reviewing if unauthorized personnel are changing application parameters
B. Checking the list of purchase orders
C. Comparing receipts of purchase against purchase orders
D. Checking the application logs

ANSWER: A

Explanation: Testing access controls will help determine the purchase order validity.

116. What is the purpose of an information security policy?
A. Express clearly and concisely the goals of an information security protection program
B. Outline the intended configuration of information system security controls
C. Mandate the behavior and acceptable actions of all information system users
D. Authorize the steps and procedures necessary to protect critical information systems

ANSWER: A

Explanation: The purpose of the policy is to set out the goals of the information security program. The
information security program will address all elements of system protection, including configuration,
behavior, and procedures.

117. What should be the PRIMARY basis of a road map for implementing information security
governance?
A. Policies
B. Architecture
C. Legal requirements
D. Strategy

ANSWER: D

Explanation: The road map detailing the steps, resources, and time lines for development of the strategy
is developed after the strategy is determined.

118. New regulatory and legal compliance requirements that will have an effect on the
information security will MOST likely come from the _____.
A. corporate legal officer
B. internal audit department
C. affected departments
D. compliance officer

ANSWER: C

Explanation: The departments affected by legal and regulatory requirements (such as the human
resources [HR] department) are typically advised by their respective associations of new or changing
regulations and the probable impacts on various organizations.

119. Which of the following metrics will provide the BEST indication of organizational risk?
A. Annual loss expectancy (ALE)
B. The number of information security incidents
C. The extent of unplanned business interruptions
D. The number of high-impact vulnerabilities

ANSWER: C

Explanation: An unplanned business interruption is a standard measure because it provides a
quantifiable measure of how much business may be lost due to the inability to acquire, process, and
produce results that affect the customer.

120. Senior management is reluctant to budget for the acquisition of an intrusion prevention
system (IPS). Which of the following activities should the chief information security officer
(CISO) perform?
A. Develop and present a business case for the project
B. Seek the support of the users and information asset custodians
C. Invite the vendor for a proof of concept demonstration
D. Organize security awareness training for management

ANSWER: A

Explanation: Senior management needs to understand the link between the acquisition of an intrusion
prevention system (IPS) and the organization's business objectives. A business case is the best way to
present this information.

121. Which of the following should be the FIRST action of an IS auditor during a dispute with
a department manager over audit findings?
A. Retest the control to validate the findings
B. Engage a third party to validate the findings
C. Include the findings in the report with the department manager's comments
D. Revalidate the supporting evidence for the findings

ANSWER: D

Explanation: Conclusions drawn by an IS auditor should be adequately supported by evidence, and any
compensating controls or corrections pointed out by a department manager should be taken into
consideration. Therefore, the first step would be to revalidate the evidence for the findings. Retesting
the control would normally occur after the evidence has been revalidated. While there are cases where
a third party may be needed to perform specialized audit procedures, an IS auditor should first
revalidate the supporting evidence to determine whether there is a need to engage a third party. If after
revalidating and retesting, there are unsettled disagreements, those issues should be included in the
report.

122. Which of the following choices is the BEST attribute of key risk indicators (KRIs)?
A. High flexibility and adaptability
B. Consistent methodologies and practices
C. Robustness and resilience
D. The ratio of cost to benefit

ANSWER: B

Explanation: Effective key risk indicators (KRIs) measure deviation from baselines, and consistent
methodologies and practices are what establish those baselines.

123. Which of the following recommendations is the BEST one to promote a positive
information security governance culture within an organization?
A. Strong oversight by the audit committee
B. Organizational governance transparency
C. Collaboration across business lines
D. Positive governance ratings by stock analysts

ANSWER: C

Explanation: To promote a positive governance culture, it is essential to establish collaboration across
business lines. In this way, line management will speak a common language and share the same goals.

124. An IS audit department is planning to minimize its dependency on key individuals.
Activities that contribute to this objective are documented procedures, knowledge sharing,
cross-training, and _____.
A. succession planning
B. staff job evaluation
C. responsibilities definition
D. employee award programs

ANSWER: A

Explanation: Succession planning ensures that internal personnel with the potential to fill key positions
in the company are identified and developed. Job evaluation is the process of determining the worth of
one job in relation to that of the other jobs in a company so that a fair and equitable wage and salary
system can be established. Staff responsibilities definition provides for well-defined roles and
responsibilities, and employee award programs provide motivation; however, they do not minimize
dependency on key individuals.

125. Which of the following would be evaluated as a preventive control by an IS auditor?
A. Transaction logs
B. Before and after image reporting
C. Table lookups
D. Tracing and tagging

ANSWER: C

Explanation: Table lookups are preventive controls; data is checked against predefined tables, which
prevents any undefined data from being entered. Transaction logs are a detective control and provide
audit trails. Before and after image reporting makes it possible to trace the impact that transactions have
on computer records; this is a detective control. Tracing and tagging is used to test application systems
and controls, but is not a preventive control in itself.

126. Which of the following vulnerabilities allowing attackers access to the application
database is the MOST serious?
A. Validation checks missing on data input pages
B. Password rules not allowing sufficient complexity
C. Weak application transaction log management
D. Application and database sharing a single access ID

ANSWER: A

Explanation: Attackers can exploit the weaknesses that exist in the application layer. For example, they
can submit a part of an SQL statement (SQL injection attack) to illegally retrieve application data.
Validation control is an effective countermeasure.

127. An organization is MOST likely to include an indemnity clause in a service level
agreement (SLA) because it:
A. reduces the likelihood of an incident.
B. limits impact to the organization.
C. is a regulatory requirement.
D. ensures performance.

ANSWER: B

Explanation: An indemnity clause is a compensatory control that serves to reduce impact if the provider
causes financial loss.

128. What is the MOST essential attribute of an effective key risk indicator (KRI)?
A. It is accurate and reliable.
B. It provides quantitative metrics.
C. It indicates required action.
D. It is predictive of a risk event.

ANSWER: D

Explanation: A key risk indicator (KRI) should indicate that a risk is developing or changing to show an
investigation is needed to determine the nature and extent of that risk.

129. Which of the following actions should the information security manager take first on
finding that the current controls are not sufficient to prevent a serious compromise?
A. Strengthen existing controls
B. Reassess the risk
C. Set new control objectives
D. Modify security baselines

ANSWER: B

Explanation: Control decisions are driven by risk. Risk should be carefully reassessed and analyzed to
correct potential misjudgment in the original assessment.

130. What is the most important reason to periodically test controls?
A. To meet regulatory requirements
B. To meet due care requirements
C. To ensure the objectives are met
D. To achieve compliance with the standard policy

ANSWER: C

Explanation: Periodic testing of controls ensures that the controls continue to meet their objectives.

131. What is a PRIMARY advantage of performing a risk assessment on a consistent basis?
A. It lowers the costs of assessing risks.
B. It provides evidence of attestation.
C. It is a necessary part of third-party audits.
D. It provides trends in the evolving risk profile.

ANSWER: D

Explanation: Tracking trends in evolving risk is of significant benefit to managing risk and ensuring that
appropriate controls are in place.

132. A company has installed biometric fingerprint scanners at all entrances in response to a
management requirement for better access control. Due to the large number of employees
coupled with a slow system response, it takes a substantial amount of time for all workers to
gain access to the building and workers are increasingly piggybacking. What is the BEST course
of action for the information security manager to address this issue?
A. Replace the system for better response time
B. Escalate the issue to management
C. Revert to manual entry control procedures
D. Increase compliance enforcement

ANSWER: B

Explanation: How to deal with the problem is a business decision for management and not directly a
security issue. Conflicts of this nature are best addressed by management.

133. Which of the following is the best basis to determine appropriate levels of information
resource protection?
A. A business case
B. A vulnerability assessment
C. Asset classification
D. Asset valuation

ANSWER: C

Explanation: Asset classification based on criticality and sensitivity provides the best basis for assigning
levels of information resource protection.

134. Risk is a combination of probability and business impact. A competitor has produced the
same software product and brought it to market quickly. The competitor in this situation
would be seen as a(n) _____.
A. vulnerability
B. asset
C. risk
D. threat agent

ANSWER: D

Explanation: The competitors are the entities that exploited a vulnerability; thus, they are the threat
agents.

135. The issue of “reasonable expectation of privacy” (REP) has to be the reference when it
comes to employee monitoring. In the U.S. legal system, the expectation of privacy is used when
defining the scope of the privacy protections provided by the ___________.
A. Federal Privacy Act
B. PATRIOT Act
C. Fourth Amendment of the Constitution
D. Bill of Rights

ANSWER: C

Explanation: In the U.S. legal system, the expectation of privacy is used when defining the scope of the
privacy protections provided by the Fourth Amendment of the Constitution. If it is not specifically
explained to an employee that monitoring is possible and/or probable, then when the monitoring takes
place, the employee could claim that his or her privacy rights have been violated and launch a civil suit
against the company.

136. The IS auditor is suspicious that an employee is sending sensitive data to one of the
company’s competitors. The employee has to use this data for daily activities, hence it is difficult
to restrict the employee’s access rights. Which of these best describes the company’s
vulnerability, threat, risk, and necessary control?
A. Vulnerability is employee access rights, threat is internal entities misusing privileged access,
risk is the business impact of data loss, and the necessary control is detailed network traffic
monitoring.
B. Vulnerability is lenient access rights, threat is internal entities misusing privileged access,
risk is the business impact of data loss, and the necessary control is detailed user
monitoring.
C. Vulnerability is employee access rights, threat is internal employees misusing privileged
access, risk is the business impact of confidentiality, and the necessary control is multifactor
authentication.
D. Vulnerability is employee access rights, threat is internal users misusing privileged access,
risk is the business impact of confidentiality, and the necessary control is CCTV.

ANSWER: B

Explanation: A vulnerability is a lack of control. In this situation the access control may be weak in
nature, thus exploitable. The vulnerability is that the user, who must be given access to the sensitive
data, is not properly monitored to deter and detect a willful breach of security. The threat is that any
internal entity might misuse given access. The risk is the business impact of losing sensitive data. One
control that could be put into place is monitoring so that access activities can be closely watched.

137. The IT governance board in an organization wants to ensure that the physical security
program developed for the organization increases performance, decreases risk in a cost-
effective manner, and allows management to make informed decisions, and has asked the
audit department for suggestions. Which of these is the best possible choice?
A. Performance-based program
B. Defense-in-depth program
C. Layered program
D. Security through obscurity

ANSWER: A
Explanation: It is possible to determine how beneficial and effective the physical security program is only
if it is monitored through a performance-based approach with measurements and metrics to gauge the
effectiveness of countermeasures. This would increase the performance of the physical security
program and decrease the risk to the company in a cost-effective manner.

138. Companies should follow certain steps in selecting and implementing a new computer
product. Which of the following sequences is ordered correctly?
A. Evaluation, accreditation, certification
B. Evaluation, certification, accreditation
C. Certification, evaluation, accreditation
D. Certification, accreditation, evaluation

ANSWER: B

Explanation: The first step is evaluation. Evaluation involves reviewing the product’s protection
functionality and assurance ratings. The next phase is certification. Certification involves testing the
newly purchased product within the company’s environment. The final stage is accreditation, which is
the management’s formal approval.

139. Cable telecommunication networks used to pose a security risk: neighbors could commonly
access each other’s Internet-based traffic because the traffic was not encrypted. Which of the
following is an international telecommunications standard that now addresses these issues?
A. Safe Harbor Encryption Requirements
B. Data-Over-Cable Service Interface Specifications
C. Privacy Service Requirements
D. Telecommunication Privacy Protection Standard

ANSWER: B

Explanation: Most cable providers comply with Data-Over-Cable Service Interface Specifications
(DOCSIS), which is an international telecommunications standard that allows for the addition of high-
speed data transfer to an existing cable TV (CATV) system. DOCSIS includes MAC-layer security services
in its Baseline Privacy Interface/Security (BPI/SEC) specifications. This protects individual user traffic by
encrypting the data as it travels over the provider’s infrastructure. Sharing the same medium brings up
a slew of security concerns, because users with network sniffers can easily view their neighbors’ traffic
and data as both travel to and from the Internet. Many cable companies are now encrypting the data
that goes back and forth over shared lines through a type of data link encryption.

140. There are different categories of evidence depending on what form they are in and how
they were collected. Which of the following is considered supporting evidence?
A. Best evidence
B. Corroborative evidence
C. Conclusive evidence
D. Direct evidence

ANSWER: B

Explanation: Corroborative evidence cannot stand alone; instead, it is used as supporting information in
a trial. It is often testimony indirectly related to the case that offers enough correlation to supplement
the lawyer’s argument. The other choices are all types of evidence that can stand alone.

141. A risk management program must be developed properly and in the right sequence.
Which of the following options provides the correct sequence for the given steps?
1. Develop a risk management team
2. Calculate the value of each asset
3. Identify the vulnerabilities and threats that can affect the identified assets
4. Identify company assets to be assessed

A. 1, 3, 2, 4
B. 2, 1, 4, 3
C. 3, 1, 4, 2
D. 1, 4, 2, 3

ANSWER: D

Explanation: The correct sequence of steps for setting up a risk management program is as follows:

1. Develop a risk management team
2. Identify company assets to be assessed
3. Calculate the value of each asset
4. Identify the vulnerabilities and threats that can affect the identified assets

142. An IS auditor has been asked to advise the team developing a security program for a
medical organization. The auditor has been instructed by the security steering committee to
follow the ISO/IEC international standards when constructing and implementing this program so
that certification can be accomplished. Which of the following best describes the phases that
should be advised?
A. “Plan” by defining scope and policy. “Do” by managing identified risks. “Check” by carrying out
monitoring procedures and audits. “Act” by implementing corrective actions.
B. “Plan” by defining scope and policy. “Do” by creating an implementation risk mitigation plan and
implementing controls. “Check” by carrying out monitoring procedures and audits. “Act” by
implementing corrective actions.
C. “Plan” by identifying controls. “Do” by creating an implementation risk mitigation plan. “Check”
by carrying out monitoring procedures and audits. “Act” by implementing corrective actions.
D. “Plan” by defining scope and policy. “Do” by creating an implementation risk mitigation plan and
implementing controls. “Check” by carrying out monitoring procedures and audits. “Act” by
implementing risk management.

ANSWER: B

Explanation: When building an information security management system (ISMS) based upon the ISO/IEC
standard, it is best to follow the Plan-Do-Check-Act approach. ISO/IEC 27001 defines the components of
this approach as the following:

1. Plan: Establish ISMS policy, objectives, processes, and procedures relevant to managing risk and
improving information security to deliver results in accordance with an organization’s overall
policies and objectives.
2. Do: Implement and operate the ISMS policy, controls, processes, and procedures.
3. Check: Assess and, where applicable, measure process performance against ISMS policy,
objectives, and practical experience and report the results to management for review.
4. Act: Take corrective and preventive actions, based on the results of the internal ISMS audit and
management review or other relevant information, to achieve continual improvement of the
ISMS.

143. Which of the following best describes the core reasons the Department of Defense
Architecture Framework and the British Ministry of Defense Architecture Framework were
developed?
A. Data needs to be captured and properly presented so that decision makers understand complex
issues quickly, which allows for fast and accurate decisions.
B. Modern warfare is complex and insecure; data needs to be properly secured against enemy
efforts to ensure decision makers can have access to it.
C. Critical infrastructures are constantly under attack in warfare situations; these frameworks are
used to secure these types of environments.
D. Weapon systems are computerized and must be hardened and secured in a standardized
manner.

ANSWER: A

Explanation: Modern warfare is complex, and activities happen fast, which requires personnel and
systems to be more adaptable than ever before. Data needs to be captured and properly presented so
that decision makers understand complex issues quickly, which allows for fast and accurate decisions.

144. The security manager of a large bank that provides online banking and other online
services recently found out that some of the customers complained about changes to their bank
accounts they did not make. He worked with the security team and discovered all changes took
place after proper authentication was done. Which of the following describes what most likely
had taken place in this situation?
A. Web servers were compromised through cross-site scripting attacks.
B. SSL connections were decrypted through a man-in-the-middle attack.
C. Personal computers were compromised with Trojan horses that installed keyloggers.
D. Web servers were compromised, and masquerading attacks were carried out.

ANSWER: C

Explanation: While all of these situations could have taken place, the most likely attack type in this
scenario is the use of a keylogger. Attackers commonly compromise personal computers by tricking the
users into installing Trojan horses that have the capability to install keystroke loggers. The keystroke
logger can capture authentication data that the attacker can use to authenticate as a legitimate user and
carry out malicious activities.

145. A large bank needs to engage a new software development company to create an
internal banking software program. It has to be created specifically for the bank’s environment,
so it must be proprietary in nature. Which of the following would be useful as a gauge to
determine how advanced and mature the software development companies are in their
processes?
A. SAS 70
B. Capability Maturity Model Integration
C. Auditing results
D. Key performance metrics

ANSWER: B

Explanation: The Capability Maturity Model Integration (CMMI) model outlines the necessary
characteristics of an organization’s security engineering process. It addresses the different phases of a
secure software development life cycle, including concept definition, requirements analysis, design,
development, integration, installation, operations, and maintenance, and what should happen in each
phase. It can be used to evaluate security engineering practices and identify ways to improve them. It
can also be used by customers in the evaluation process of a software vendor.

146. In the context of types of intellectual property, the Anti-cybersquatting Consumer
Protection Act (ACPA) was enacted to protect _____.
A. trade secrets
B. copyrights
C. trademarks
D. patents

ANSWER: C

Explanation: The ACPA was enacted to give trademark owners legal recourse against the illegal
registration of their trademarks as domain names. It is only relevant under the following categories: the
domain name registrant has the intent to profit from registering the trademark domain name; the
registrant registers or uses a domain name that at the time of registration is identical or confusingly
similar to an existing distinctive mark, or is identical or confusingly similar to a famous mark; or the
domain name is a trademark, word, or name protected by certain sections of the U.S. Code.

147. The International Organization on Computer Evidence (IOCE) was appointed to draw up
international principles for procedures relating to _____.
A. information evidence
B. digital evidence
C. conclusive evidence
D. real evidence

ANSWER: B

Explanation: In March 1998, the IOCE was appointed to draw up international principles for the
procedures relating to digital evidence to ensure the harmonization of methods and practices among
nations, and to guarantee the ability to use digital evidence collected by one national state in the courts
of another state.

148. A CISA asked to detect fraud in a national insurance company decided to use a database
tool to help identify violations and to identify relationships between the captured data through
the use of rule discovery. The tool should help identify relationships among a wide variety of
information types. What kind of knowledge discovery in databases can be considered?
A. Probability
B. Statistical
C. Classification
D. Behavioral

ANSWER: B

Explanation: Data mining, also known as knowledge discovery in databases, is a technique used to
identify valid and useful patterns. Different types of data can have various interrelationships, and the
method used depends on the type of data and the patterns that are sought. The probabilistic approach
is based on data interdependencies, whereas the statistical approach identifies relationships between
data elements and uses rule discovery, which is what the tool described here does.

149. Which of the following best describes the difference between the role of the ISO/IEC
27000 series and COBIT?
A. The COBIT provides a high-level overview of security program requirements, while the ISO/IEC
27000 series provides the objectives of the individual security controls.
B. The ISO/IEC 27000 series provides a high-level overview of security program requirements,
while COBIT provides the objectives of the individual security controls.
C. COBIT is process oriented, and the ISO/IEC standard is solution oriented.
D. The ISO/IEC standard is process oriented, and COBIT is solution oriented.

ANSWER: B

Explanation: The ISO/IEC 27000 series provides a high-level overview of security program requirements,
while COBIT provides the objectives of the individual security controls. COBIT provides the objectives
that the real-world implementations (controls) you choose to put into place need to meet.

150. Which of the following provides a true characteristic of a fault tree analysis?
A. Fault trees are assigned qualitative values to faults that can take place over a series of business
processes.
B. Fault trees are assigned failure mode values.
C. Fault trees are labeled with actual numbers pertaining to failure probabilities.
D. Fault trees are used in a stepwise approach to software debugging.

ANSWER: C

Explanation: Fault tree analysis follows this general process. First, an undesired effect is taken as the
root, or top, event of a tree of logic. Then, each situation that has the potential to cause that effect is
added to the tree as a series of logic expressions. Fault trees are then labeled with actual numbers
pertaining to failure probabilities.

-------------------------------------------------------------------------------------------------------------------------------------
CISA DOMAIN 2
1. Which type of risk is represented by preventing or detecting a material error?
A. Audit risk
B. Detection risk
C. Governance risk
D. Control risk

ANSWER: B

Explanation: Detection risk is the risk that the audit procedures fail to detect a material error.

2. What is the difference between an audit sample and the total population?
A. Precision
B. Error limits
C. Level of risk
D. Sigma limits

ANSWER: A

Explanation: Precision describes the expected error rate of the sample compared to the total
population. Error rates above 5% may require a larger sample and the testing of more evidence.

3. Which of these is not the primary reason for risk analysis?
A. Assist decisions
B. Avoid disaster
C. Assist in identifying risks and threats
D. Ensure absolute safety during an audit

ANSWER: D

Explanation: Risk analysis does not ensure absolute safety. The purpose of using a risk-based
audit strategy is to ensure the audit adds value with meaningful information.

4. Which of these is not a quantitative sampling model?
A. Stratified mean per unit
B. Unstratified mean per unit
C. Qualitative estimation
D. Difference estimation

ANSWER: C
Explanation: Difference estimation, stratified mean, and unstratified mean are sample types for
substantive testing.

5. Which of the following is not true regarding a control self-assessment (CSA)?
A. User is empowered to take ownership and accountability
B. Removes the need for a traditional audit
C. Used to identify high-risk areas for later review
D. Does not have the same level of independence as an external auditor

ANSWER: B

Explanation: All the statements are true except B. A CSA is not a substitute for a traditional
audit.

6. Which control classification type can be used to repair the impact of a threat?
A. Forensic
B. Detective
C. Corrective
D. Preventive

ANSWER: C

Explanation: Corrective controls are used to fix the damage caused by a threat’s impact.

7. Which of these would be the concern in an audit report and findings?
A. Auditee locations
B. Lack of infrastructure for audit team seating
C. Communication with auditees
D. Barriers placed on the evidence use or audit procedures

ANSWER: D

Explanation: Undue restrictions on the scope would be a major concern, as they result in insufficient
or unreliable evidence.

8. Due care can be defined as:
A. Proportionate to possible risk or loss
B. Minimum care during audit
C. Average care during audit
D. Extraordinary care during audit

ANSWER: A

Explanation: Due care is proportionate to the probable risk or loss.

9. Why is an audit committee set up?
A. To augment the auditing skills
B. To coordinate, govern, and manage the audit
C. To review and ensure proper assurance
D. To review the audit activities on a regular basis

ANSWER: C

Explanation: An audit committee is set up to review and challenge the assurances made, and to
maintain a working relationship with management and auditors.

10. An auditor has a significant team of 13 members. Which of these data collection
methods is the best to use?
A. Broad-based sample through questionnaire
B. Detailed documentation review
C. Departmental and auditee observation
D. Interviews

ANSWER: D

Explanation: Interviewing selected personnel is a good technique with a large audit team.

11. What would be undertaken in the initial stages of an IS audit?
A. Reviewing prior audit findings
B. Reviewing documentation
C. Reviewing access controls
D. Commencing the planning process

ANSWER: D

Explanation: An audit planning process that identifies the objectives, the resources, and a
risk-based approach is kicked off in the initial stages.

12. What is the relationship between compliance testing and substantive testing?
A. Compliance testing checks for the presence of controls; substantive testing checks
the substance of internal contents
B. Substantive testing tests for controls; compliance testing tests the objectives
C. Compliance tests are run by the internal QA teams, and substantive tests by external
auditors
D. There is no difference

ANSWER: A

Explanation: Substantive testing checks the substance or integrity of a transaction, whereas
compliance testing looks for the presence of controls.

13. The IT Governance team is not very happy with the auditor’s suggestion of using CAAT.
What could be their objection?
A. External and unknown software
B. Cost and complexity of operation
C. Evidence shared through automated tool
D. Documented evidence can be reviewed for corrective action

ANSWER: B

Explanation: CAATs produce more accurate data, but the operational costs and the complex
training required for this automated tool lead to objections.

14. The Audit Committee believes the auditor has deviated from the professional audit
standards. Under which of these circumstances has this possibly occurred?
A. Standards have been interpreted at the auditor’s discretion
B. The auditor did not get permission from the committee to review some evidence
C. The audit charter’s scope of authority was followed
D. Auditor flexibility in appointment was provided to auditees who did not report as
per the schedule

ANSWER: A

Explanation: Standards are mandatory, and no discretion to deviate from them is acceptable.

15. What are the types of risk responses in a Risk Plan?
A. Avoid, accept, transfer, and mitigate
B. Minimize, legislate, transfer, and reduce
C. Avoid, ignore, litigate, and insure
D. Transfer, mitigate, litigate, and assure

ANSWER: A

Explanation: The risk responses are to avoid, accept, transfer to another party, and mitigate to
reduce exposure.

16. Audits are treated with respect and deference by organizations. What ideal principles
are essential for proper conduct of an audit?
A. Getting instructions from management concerning evidence and procedure
B. Ensuring buy-in from top management
C. Review of organizational security controls
D. Adhering to standards, guidelines, and best practices

ANSWER: D

Explanation: Audits should adhere to standards, guidelines, and best practices.

17. Which of these defines the external auditor's standing and also documents the agreed terms
and conditions?
A. Audit Charter
B. Audit Calendar
C. Audit Engagement
D. Audit Plan

ANSWER: C

Explanation: An audit engagement letter is used to define the relationship with independent
auditors; it documents the agreement between the audit committee and the independent
auditor, providing responsibility, accountability, and authority for the audit.

18. Which of the below entities sets the scope of an audit?
A. Top Management
B. Audit Committee
C. Auditor
D. Organizational Customer

ANSWER: D

Explanation: The organizational customer sets the scope, grants authority, and provides needed
access to the auditor.

19. Which of these methods is used by the audit team to plan an audit when the
requirements and the process to audit are unclear?
A. Simulation method
B. Process method
C. Observation method
D. Interview method

ANSWER: B

Explanation: Process methods such as Plan-Do-Check-Act can be used to gather requirements.
The cycle is iterative until there is adequate information to conduct the audit.

20. Which of the below audits are also used for regulatory licensing or external reporting?
A. Qualified audit
B. Third-party audit
C. Independent audit
D. Control self-assessment

ANSWER: C

Explanation: Independent audits are conducted formally adhering to standards that map to the
desired regulatory licensing and external reporting needs.

21. An IT Governance Board is seeking to transfer the risk to an outsourced contractor.
Which of these would be of great concern?
A. Costs and budget would be significantly higher
B. Contractor may not be able to bear the loss consequences
C. Liability still rests with the parent company
D. There is a risk that highly skilled manpower in the parent organization is lost

ANSWER: C

Explanation: Even though the IS component has been outsourced, the liability for failure
remains with the parent organization.

22. Several documents are produced as part of an audit plan. Which among these identifies
an individual’s responsibility for specific audit jobs to ensure quality?
A. Skills matrix
B. Duties matrix
C. Auditor assignment matrix
D. Activities matrix

ANSWER: A

Explanation: A skills matrix is used to identify audit skills required to ensure the right person is
performing the task.

23. Which of these is NOT true regarding the usage of work produced by other individuals in
an audit?
A. Fair and impartial work
B. Scope as per the audit plan
C. Review and supervision
D. Accept the work based on the designated role and responsibility

ANSWER: C

Explanation: The auditor should never accept another individual's work merely because that
person's job role and responsibility deem him/her to have the right skills and competence.

24. The Head of Quality has been promoted to head the independent audit team in an
organization reporting only to the Chairperson. What among these could qualify
him/her for this position?
A. Quality personnel are used in organizational resistance
B. Quality practices such as reviews would help during the audit
C. Quality conduct is similar to audit conduct
D. Quality is measured by the cost of nonconformance

ANSWER: D

Explanation: Quality is measured by the added costs for failure or nonconformance. Planning,
prevention, and conformance to specifications in terms of audit standards will create a high
degree of quality in audit conduct.

25. ISACA refers to testing for strong controls. What is a strong control?
A. Prevents the issue from reoccurring
B. Using all types of preventative, detective, and corrective controls
C. Effective implementation of multiple controls targeting the same objective
D. Implementation of inherent controls across the organization

ANSWER: C

Explanation: Implementation of various types of preventative, detective, and corrective
controls using a combined approach of administrative methods, physical methods, and
technical methods would lead to a depth of controls, or strong controls.

26. Which of these would be the best type of controls to focus on managing and monitoring
inside a specific unit of the organization?
A. Deterrent controls
B. Pervasive controls
C. Departmental controls
D. System controls

ANSWER: B

Explanation: The direction and behavior of a unit are defined by pervasive controls that cut
across all of its activities to create a cooperative environment.

27. What does the term unqualified opinion imply?
A. No restrictions on audit report usage
B. Audit team is not skilled or qualified on audit scope
C. Auditor provides opinion without being asked
D. Restrictions on audit report usage

ANSWER: A

Explanation: When an auditor has reservations about audit results, and the report is valid under
certain conditions, it is known as a qualified opinion. An unqualified opinion has no restrictions
on the usage.

28. An enterprise hosts its data center onsite and has outsourced the management of its
key financial applications. Which of the following controls BEST ensures the outsourced
company's employees adhere to the security policies?
A. Sign-off is required on the enterprise's security policies for all users
B. An indemnity clause is included in the contract with the service provider
C. Mandatory security awareness training is implemented for all users
D. Security policies should be modified to address compliance by third-party users

ANSWER: B

Explanation: Having the service provider sign an indemnity clause will ensure compliance with the
enterprise's security policies because any violations discovered would lead to a financial liability
for the service provider. This will also prompt the enterprise to monitor security violations
closely.

29. Before implementing an IT balanced scorecard (BSC) for projects, an enterprise must:
A. update the IT resource inventory
B. define key performance indicators (KPIs) for each project
C. group all strategic projects into a project portfolio
D. have IT service management practices in place

ANSWER: B

Explanation: By defining key performance indicators (KPIs) for each strategic project, the
enterprise will be in a position to measure the actual success of the project in terms of
meeting business needs expressed in performance parameters or numbers.

30. Which of the following has a great impact on the design of the IT governance
framework?
A. Information security risk and the security organization
B. Organizational structure and leadership
C. Organizational budgets and investment plans
D. The number of business units and employees

ANSWER: B

Explanation: IT governance leverages enablers, such as organizational structure and
leadership, to ensure that stakeholder needs, conditions and options are evaluated to
determine balanced, agreed-on enterprise objectives to be achieved. Leadership is
commonly expressed through the organizational principles, policies and frameworks.

31. Which of the following best provides an internal control environment?
A. Processes that ensure specific outcomes
B. Procedures that prescribe specific tasks
C. Automated processes that avoid human error
D. Roles and responsibilities that establish accountability

ANSWER: A

Explanation: Processes that ensure specific outcomes constitute a strong internal control
environment.

32. Which of the following should make the final data access decisions for a critical project?
A. Data owners
B. Project managers
C. Senior management
D. Database administrators (DBAs)

ANSWER: A

Explanation: Data owners are in the best position to decide about access, based on the
person's role and responsibilities.

33. Which of the following analyses best describes the intent of security metrics from a
governance standpoint?
A. Security management performance compared to business objectives
B. The overall security posture of an enterprise at any given time period
C. The risk present in the enterprise
D. Security incidents with which the enterprise has dealt

ANSWER: A

Explanation: The purpose of security metrics is to measure security performance against
business objectives; therefore, this option best describes the intent.

34. Which of the following enhances the oversight of the board of directors over the
effectiveness of IS internal controls?
A. Continuous auditing
B. An audit committee
C. Independent annual IS audits
D. Periodic reports from the chief information officer (CIO)

ANSWER: B

Explanation: To perform an effective oversight role on management, it is essential the
board of directors receives independent and reliable feedback and evidence. This is possible
through an audit committee.

35. Effective governance of enterprise IT requires that:
A. the IT strategy be an extension of the enterprise strategy
B. the enterprise strategy be an extension of the IT strategy
C. IT governance be independent of enterprise governance
D. investments in IT be made to obtain competitive advantage

ANSWER: A

Explanation: Effective IT governance requires that IT and business move in the same
direction; the IT strategy is required to be aligned with the enterprise's overall business
strategy. Each IT goal must clearly align with an enterprise goal.

36. What should a chief information officer (CIO) do FIRST to establish IT governance in an
enterprise?
A. Implement the best IT practices available in the industry
B. Implement the governance practices from the CIO's previous enterprise
C. Involve only internal stakeholders
D. Review the current enterprise practices and process

ANSWER: D

Explanation: The first step in establishing IT governance is to define the requirements and
objectives based on a review of current practices and process. This review should include
the mission, objectives, vision, values, culture, management style and relevant regulation.

37. Which of the following most accurately reflects the key areas in governance of an
enterprise IT?
A. Evaluate, direct, monitor (EDM)
B. Initiate, plan, execute, monitor, control
C. Requirement analysis, design, development, implementation, support
D. Plan, do, check, act (PDCA)

ANSWER: A

Explanation: Evaluate, direct, monitor (EDM) reflects the key areas involved in governing an
enterprise IT.

38. Which of the following most likely makes the decision on a request by a business unit to
implement an application that is not on the enterprise's list of approved technology
standards?
A. The IS audit committee
B. The enterprise investment committee
C. The IT steering committee
D. The IT architecture review board

ANSWER: D

Explanation: The IT architecture review board is the correct answer. One of the roles of the
IT architecture review board is to enforce architecture compliance and to consider
exception or dispensation requests.

39. Which of the following should be achieved first to enable implementation of an IT
governance framework?
A. Establishing the desire to change
B. Forming an implementation team
C. Empowering role players
D. Embedding new approaches

ANSWER: A

Explanation: Any plan to significantly modify existing processes and behaviors should start
with establishing a common desire to change or a "call to action," which can often be linked
to the current pain points or trigger events.

40. Which of the following factors is the most important to consider when establishing
governance of enterprise IT?
A. The enterprise's risk appetite
B. The IT strategic plan
C. The enterprise's organizational structure
D. The current IT process capability maturity

ANSWER: C

Explanation: The enterprise's organizational structure is the key factor to be considered in
defining requirements and objectives, and in driving the establishment of IT governance.
Factors such as centralization versus decentralization or enterprises with shared services
play a significant role.

41. For governance of enterprise IT to be successful, management and control of IT must be
the responsibility of:
A. the executive management
B. both the business and IT functions
C. the IT function only
D. the business function only

ANSWER: B

Explanation: The responsibility for management and control of enterprise IT should be
shared between the business and the IT function. For example, the business must fulfill its
data ownership responsibilities, while IT must fulfill its custodianship responsibilities.

42. With whom does the ownership for application controls reside?
A. The chief information officer (CIO)
B. The business
C. The IT steering committee
D. The architecture review board

ANSWER: B

Explanation: The business is responsible for defining and managing the application controls
as part of its data ownership responsibilities.

43. Which of the following best enables a successful implementation of IT governance?
A. IT steering committee involvement
B. Chief information officer (CIO) sponsorship
C. Board direction and mandate
D. Quarterly IT management meetings

ANSWER: C

Explanation: The direction for IT governance implementation must come from the highest
level of the enterprise, that is, from the board.

44. An enterprise is planning to implement a framework for IT governance to align IT and
business strategy. To which dimension of the IT balanced scorecard (BSC) will this
strategic initiative be primarily linked?
A. Financial
B. Internal
C. Customer
D. Learning and growth

ANSWER: B

Explanation: The internal processes dimension of the IT BSC is aimed at effectiveness
through a structured approach and IT governance standards such as ISO 38500 (the
international standard for corporate governance of information technology) and
frameworks such as COBIT. When implemented as a strategic project, it will be linked to
the internal process dimension of the IT BSC.

45. The benefit of strong IT Governance processes is:
A. improved productivity and a greater ability to respond to business needs
B. increased accountability and a greater ability to respond to compliance requirements
C. more effective incident and problem management
D. better IT investments and a greater agility to changing technology sophistication

ANSWER: A

Explanation: When business strategy is properly aligned with IT services as a part of IT
governance, the result is higher productivity and a greater ability to respond to business
requests. Alternatively, productivity and the ability to respond to business needs are drivers
to the establishment of strong IT governance processes.

46. Which of the following is the main objective of governance of enterprise IT?
A. Obtain funding for current and future IT projects
B. Take advantage of the latest technology
C. Optimize the use of available IT resources
D. Use technology to support business needs

ANSWER: D

Explanation: The main focus of the IT governance process is to ensure that current and
future business goals/needs are supported at all times.

47. Which of the following is the primary role of the IT steering committee?
A. Design the IT architecture
B. Process performance monitoring
C. Prioritize strategic IT projects
D. Define and justify IT-enabled projects

ANSWER: C

Explanation: The IT steering committee is an executive-management-level committee that
assists in the delivery of the IT strategy, oversees day-to-day management of IT service
delivery and IT projects, and focuses on implementation aspects. The status of strategic IT
projects should be reviewed because they are most important to the success of the
business.

48. Which of the following provides the best assurance that IS controls and practices are
performed effectively and as designed?
A. External audit
B. Chief information officer (CIO) attestation
C. Control self-assessment (CSA)
D. Internal audit

ANSWER: A

Explanation: External audit provides independent assurance that internal controls are
performing effectively and as designed to meet the business objectives; the report can be
sent to the board of directors for review.

49. An enterprise faced a major loss due to a weakness in a general IS control. The end-to-
end IT process was designed by the IT manager and approved by the chief information
officer (CIO). Who is ultimately accountable for ensuring that corrective measures are
completed?
A. CIO
B. IT manager
C. Audit committee
D. Board of directors

ANSWER: D

Explanation: The board of directors is ultimately accountable for the success and failure of
IT governance. The accountability extends to ensuring that corrective measures are
performing as expected.

50. In implementing an IT balanced scorecard (BSC) for the governance of enterprise IT, it is
most important that:
A. enterprise architecture (EA) is aligned with business objectives
B. key performance indicators (KPIs) are defined
C. a focus on internal processes exists
D. employee compensation is linked to BSC performance

ANSWER: B

Explanation: An IT balanced scorecard (BSC) is useless without the measurable KPIs.

51. The effectiveness of IT governance is best determined by:
A. evaluating activities of the board's IT oversight committee
B. determining the percentage of projects delivered on time and within budget
C. evaluating stakeholder satisfaction
D. complying with international standards

ANSWER: C

Explanation: IT governance is the responsibility of executives and the board of directors and
consists of the leadership, organizational structures and processes that ensure the
enterprise's IT sustains and extends the enterprise's strategies and objectives.

52. Who is ultimately responsible for establishing accountability for information systems
controls?
A. Executive management
B. The data owner
C. The business process owner
D. The system custodian

ANSWER: A

Explanation: Executive management is ultimately responsible for establishing accountability
of information systems controls. Accountability establishes the ability to map a given
activity or event back to the responsible party.

53. An IT governance framework is most useful when it:
A. conforms to industry standards and is acceptable by IT management
B. enables a holistic approach
C. covers the enterprise end to end
D. is aligned with the enterprise culture and environment

ANSWER: D

Explanation: Every enterprise has to adapt and evolve its own IT governance framework.
Each enterprise has to have the framework tailored according to a number of factors such
as size, industry (type, growth status, practices and competitive landscape), and the
enterprise's organizational culture and needs. Doing so will contextualize the IT governance
framework to the enterprise's priorities and support the achievement of business objectives
unique to that enterprise.

54. Which of the following is most suitable for reporting issues related to the governance of
enterprise IT to senior management?
A. Audit reports
B. Vulnerability reports
C. IT steering committee minutes
D. Dashboards

ANSWER: D

Explanation: Dashboards are ideal tools for reporting to senior management about IT
governance issues because they aggregate many data points to a high-level report that
provides visual flags for those items requiring attention. Dashboards are usually supported
by more granular data so the recipient can drill down where more information is needed.

55. A company is experiencing a drastic reduction in failed projects. This could be due to:
A. employing a strict chief information officer (CIO)
B. good governance practices
C. increasing use of talented people
D. qualified project professionals

ANSWER: B

Explanation: The risk of IT projects failing to meet objectives occurs mainly because of the
lack of accountability and commitment in the enterprise. Governance practices help
enterprises evaluate the business value of each IT project (as a part of the portfolio
management approach) and ensure roles and accountabilities for each project. Good
governance practices help management ensure the success of more and more projects.

56. Which of the following best describes the benefit of IT governance?
A. Benefits realization
B. Resource optimization
C. Educated decision-making
D. Risk optimization

ANSWER: C

Explanation: Educated decision making in the context of good IT governance evaluates the
business value of different IT investments. Establishment of IT governance practices helps
enterprises implement the practices that improve the communication and decision making
processes across the enterprise. Educated decision making also establishes the clear
understanding of roles, responsibilities and accountabilities. All these will impact the
process of decision making at all levels of enterprises for deriving business values effectively
and efficiently.

57. What is a big challenge in the process of implementing governance of enterprise IT?
A. Understanding the unique nature and culture of the enterprise
B. Analyzing various frameworks and selecting the best one
C. Taking stock of the technology deployed by the enterprise
D. Selecting the performance measurement tools for various IT processes

ANSWER: A

Explanation: IT governance frameworks, standards, or practices can be applied to address
an enterprise's needs and culture. IT plays various roles in any enterprise: automation of
work, management of information, and transformation of business. This varies according to
a number of factors such as size, industry (type, growth status, practices, and competitive
landscape), and the enterprise's organizational culture. Analysis of the enterprise's needs
and culture should be done prior to consideration of appropriate IT governance frameworks,
standards, or practices, and the analyses of the two areas (needs and culture) should be
treated separately to ensure the process integrity. The culture of an enterprise is basically
its personality. It comprises the assumptions, norms, and behaviors of its members.

58. Which of the following pain points will most likely be solved by implementing
governance of enterprise IT?
A. Failure to meet regulatory requirements
B. Failure to meet enterprise objectives
C. Financial reporting inconsistencies
D. Frequent management turnover

ANSWER: B

Explanation: Implementation of governance of enterprise IT helps enterprises create
optimal value from IT by maintaining a balance between realizing benefits and optimizing
risk levels and resource use.

59. Which of the following responsibilities should primarily be assigned to the IT strategy
committee?
A. Implementing the IT strategy, plan and policies
B. Advising the board on major IT-related matters
C. Approving significant IT projects and investments
D. Developing business cases for strategic IT projects

ANSWER: B

Explanation: The IT strategy committee is a board-of-director-level committee, tasked with
ensuring the board is involved in major IT matters and decisions.

60. Which of the following steps is the first one when establishing governance for enterprise
IT?
A. Creating the appropriate environment
B. Identifying the technology direction
C. Performing an enterprise risk assessment
D. Implementing a balanced scorecard (BSC)

ANSWER: A

Explanation: Creating the appropriate environment is essential in setting the pace for
governance initiatives. Executive management should specify and design the guiding
principles, decision rights and accountability framework for governance of enterprise IT.
Process improvements are unlikely to become normal practices without a management
structure that assigns roles and responsibilities, commits to their continued operation, and
monitors conformance.

61. The parameters used to determine whether a system development project can be
outsourced should primarily be documented in the:
A. IT investment plan
B. resource availability plan
C. IT strategic plan
D. enterprise IT policy

ANSWER: C

Explanation: The IT strategic plan is a long-term plan (i.e., three- to five-year horizon) in
which the business and IT management cooperatively define how IT will contribute to the
enterprise's strategic objectives (goals). The IT strategy should include parameters for
outsourcing for the enterprise.

62. Which of the following choices best describes the purpose of adopting and
implementing enterprise architecture (EA)?
A. EA facilitates communication
B. EA facilitates decision making
C. EA facilitates business agility
D. EA facilitates mergers and acquisitions

ANSWER: B

Explanation: Enterprise architecture (EA) is a description of the fundamental underlying
design of the IT components of the business, the relationships among them and the manner
in which they support the enterprise's objectives. EA facilitates the decision-making process
by providing a road map that can guide future technology investments to ensure IT
alignment with the business and value delivery. It provides structure for facilitating change
management, informed decision making and communications.

63. Which of the following choices is the main reason implementing governance of an
enterprise IT is gaining importance?
A. Increased demand from the business for IT resources
B. Increased IT audit findings and deficiencies
C. Increased number of regulations
D. Increased awareness of IT-related risk and opportunities

ANSWER: D

Explanation: As more critical business processes are automated, management's reliance on
information provided by IT systems has been increasing. Implementing governance of
enterprise IT helps to manage increasing risk and avoid IT failures and poor performance.
Governance of enterprise IT also helps senior management take advantage of opportunities
created by newer technology with well-informed risk management processes.

64. What is the primary purpose of assessing process capability when planning the
implementation of governance of enterprise IT?
A. To assess technological capabilities
B. To plan for required resources
C. To understand current capabilities
D. To conduct a gap analysis

ANSWER: C

Explanation: In planning for the implementation of IT governance, senior management
needs to know "where are we now?" Assessment of process capability helps management
to know the enterprise's current capability.

65. Governance of enterprise IT is most effective when:
A. risk is optimized
B. stakeholder needs are met
C. resources are optimized
D. benefits are realized

ANSWER: B

Explanation: Enterprises are most effective when they meet stakeholder needs. Enterprises
exist to create value for their stakeholders.

66. Which one of the following tools is the most effective to communicate with the board of
directors about the business value of IT?
A. Internal rate of return (IRR)
B. IT balanced scorecard (BSC)
C. Return on investment (ROI)
D. Process capability assessment

ANSWER: B

Explanation: The balanced scorecard (BSC) gives the balanced view of the total value
delivery of IT to the business by incorporating both tangible and intangible values the
business wants to know. BSCs translate strategy into action to achieve goals with a
performance measurement system that goes beyond conventional accounting, measuring
those relationships and knowledge-based assets necessary to compete in the information
age: customer focus, process efficiency and the ability to learn and grow.

67. The subsidiary of a large multinational company has submitted an investment proposal
for an IT asset management software solution that does not comply with corporate IT
standards. Which of the following committees will make the decision on whether to
allow this exception?
A. The enterprise investment committee
B. The IT risk management committee
C. The IT steering committee
D. The IT architecture review board

ANSWER: D

Explanation: The IT architecture review board typically considers requests for architecture
exceptions as part of its mandate and will either deny the request, approve it or allow an
architecture dispensation.

68. Which of the following choices drives IT governance?
A. Value creation
B. Benefits realization
C. Risk optimization
D. Resource optimization

ANSWER: A

Explanation: Value creation is the main governance objective of an enterprise, achieved
when the three underlying objectives (benefits realization, risk optimization, and resource
optimization) are balanced. Governance enables IT, for example, to align with business
objectives and maximize value from investments.

69. Which of the following roles is responsible for designing an accountability framework for
IT governance?
A. IT strategy committee
B. Board of directors
C. Executive management
D. IT steering committee

ANSWER: C

Explanation: Executive management is responsible for executing the strategy, including
designing the accountability framework.

70. Which of the following benefits is the most important reason for using an IT balanced
scorecard (BSC)?
A. Strategic alignment with the business
B. Quantification of costs and benefits
C. Identification of tangible and intangible benefits
D. Performance measurement

ANSWER: A

Explanation: The balanced scorecard (BSC) was initially developed as a performance
management system that helps enterprises to drive their strategies and measurement.
More recently, the BSC has been applied to IT and has brought about the IT BSC that can be
linked to the business BSC, and in this way it can support IT/business governance and the
alignment process.

71. Which one of the following choices is the best indicator of good governance practice?
A. The IT risk register is well maintained
B. The IT policies and procedures are well maintained
C. The IT strategic plan is developed with the business
D. The board is regularly briefed on IT

ANSWER: D

Explanation: For effective monitoring by the board, it is important the board be briefed
regularly on IT functions. This will give the board the opportunity to evaluate and direct.

72. Which of the following choices best reduces resistance to organizational change?
A. Continued stakeholder involvement
B. Proactive communication
C. A clear definition of the desired state
D. Customized employee training

ANSWER: A

Explanation: It should not be assumed the various stakeholders involved in, or impacted by,
new or revised enablers will readily accept and adopt the change. The possibility of
ignorance and/or resistance to change needs to be addressed through continued
stakeholder involvement, which helps in the governance transparency process.

73. Which of the following choices is the biggest trigger for a chief executive officer (CEO) to
consider a high-level review of IT governance practices?
A. Absence of documented policies
B. Lack of IT standardization
C. Failed IT initiatives
D. Lack of a formal system development life cycle (SDLC) methodology

ANSWER: C

Explanation: Failed IT initiatives are cost drivers to the enterprise as a whole, and impact
the business processes as well as their automation. When an IT initiative fails, it can have a
major impact on the entire business and its profitability.

74. Which of the following choices is the main advantage of implementing a governance of
enterprise IT framework?
A. Establishing and monitoring accountability for IT-related initiatives
B. Reducing IT-related risk by increasing IT investment
C. Reducing IT-related costs by achieving IT process improvements
D. Centralizing IT control through an IT steering committee

ANSWER: A

Explanation: After the business strategy is defined and the business direction is clear,
establishing and monitoring accountabilities for various IT-related initiatives is critical. This
can be achieved by having in place a governance of enterprise IT framework.

75. When a new IT governance policy has been approved, it is best to:
A. have an independent party sign off
B. conduct a walk-through exercise
C. prepare a communication plan
D. update the IT strategy accordingly

ANSWER: C

Explanation: When a document, such as a policy, has been updated, it is good practice to
communicate those changes throughout the organization.

76. Which of the following choices is the primary reason for defining and managing the
enterprise IT strategy?
A. It has become an industry standard
B. It directs short-term IT goals
C. It improves the efficiency of IT services
D. It contributes to business value

ANSWER: D

Explanation: The enterprise IT strategy must be aligned with business objectives, which
focus on value delivery to stakeholders.

77. Information security governance awareness is best established when:
A. senior management is supportive
B. data ownership is identified
C. assets to be protected are identified
D. security certifications are issued

ANSWER: A

Explanation: The best way to increase awareness in the enterprise is through guaranteed
senior management championship.

78. A consulting firm re-engineered a customer trading system of an investment bank. Then
the investment bank requested a security review of this system from the same
consulting firm. From an IT governance perspective, which of the following choices is
the best to consider?
A. Ensure that sensitive customer data are securely kept inside the consulting firm
B. Ensure that a security assurance review plan is in line with regulatory requirements
C. Ensure that segregation of duties (SoD) is in place within the consulting firm
D. Ensure the service level meets the criteria in the vendor due diligence policy

ANSWER: C

Explanation: Careful consideration is required when a single vendor performs both
implementation and its review. Independence needs to be secured when a review is made.
When the same consulting firm conducts both implementation and its review, SoD may
need to be checked in order to maintain the validity of review results.

79. Which of the following benefits is the most important for senior management to
understand the value of governance of enterprise IT? It allows senior management to:
A. understand how the IT department works
B. make key IT-related decisions
C. optimize IT resource utilization
D. evaluate business continuity provisions

ANSWER: B

Explanation: When senior management understands the benefits of governance of
enterprise IT as well as new technologies and challenges, they act as informed decision
makers and take ownership of IT-related decisions.

80. Which of the following activities is the most essential for ensuring resource optimization
within governance of enterprise IT?
A. Providing direction for strategic resources
B. Defining guidelines for performance indicators
C. Evaluating resource strategy against enterprise requirements
D. Establishing principles for management of resources

ANSWER: D

Explanation: Establishing principles for management of resources creates the framework for
enabling allocation of optimized resources. ISACA's COBIT 5 framework states, "Define the
principles for guiding the allocation of management of resources and capabilities so that IT
can meet the needs of the enterprise, with the required capability and capacity according to
the agreed-on priorities and budgetary constraints."

81. Which of the following choices has the greatest impact on the selection of an IT
governance framework?
A. Corporate culture
B. Data regulatory requirements
C. Skills and competencies
D. Current process maturity level

ANSWER: A

Explanation: Corporate culture is the way that enterprises make decisions. Enterprises
consider human factors, decision-making style, risk appetite, etc., and this has the greatest
impact on the selection of an IT governance framework.

82. When implementing governance of enterprise IT, which of the following factors is the
most critical for the success of the implementation?
A. Improving IT knowledge of the board of directors
B. Decision making on IT investments by the board of directors
C. Documenting the IT strategy
D. Identifying the enablers and establishing performance measures

ANSWER: D

Explanation: Implementation of governance of enterprise IT includes identification of the
enablers and the measurement of the goals.

83. While implementing IT governance within an enterprise, the primary focus must be on
the objectives of:
A. an enterprise
B. stakeholders
C. the business function
D. IT management

ANSWER: B

Explanation: Enterprises exist to create value for their stakeholders.

84. The PRIMARY focus in effective organizational change enablement of a governance of
enterprise IT implementation should be on:
A. documenting the what and how of change
B. clarifying the reason to change
C. communication of the vision
D. demonstrating achieved results

ANSWER: B

Explanation: The first action should be to work on the motivation of people by explaining the
reasons why the change is necessary.

85. Which of the following choices is the MOST relevant in the enterprise culture change of
an IT governance implementation?
A. Having employees who have values and beliefs
B. Having corporate values aligned with leaders in the industry
C. Having leaders who inspire new values
D. Having clearly communicated values and beliefs

ANSWER: C

Explanation: The culture of an enterprise is a reflection of leadership consciousness, that is,
a reflection of the values, beliefs and behaviors of the leaders and the legacy of past
leaders. Enabling enterprise culture change will be more effective because inspiring leaders
can make the organization align with their values.

86. Which of the following choices BEST describes the role of the board of directors in IT risk
governance?
A. Ensure the planning, budgeting, and performance of IT risk controls are appropriate.
B. Assess and incorporate the results of IT risk management activity into the decision-
making process.
C. Ensure the enterprise risk appetite and tolerance are understood and communicated.
D. Identify, evaluate, and minimize risk to IT systems that support the enterprise mission.

ANSWER: C

Explanation: The board of directors is responsible for setting the direction and boundaries
pertaining to the risk taken by an enterprise. Therefore, the board needs to understand and
communicate the level of risk appetite and tolerance it is ready to accept in order to
effectively manage the business.

87. Which of the following choices demonstrates the GREATEST influence of an IT
governance framework for IT-related issues?
A. To settle differences of opinion among board of directors members
B. To resolve cross-departmental conflicts
C. To gain loyalty from key stakeholders
D. To investigate weaknesses within processes

ANSWER: B

Explanation: An IT governance framework can exert its greatest influence in resolving cross-
departmental conflicts for IT-related issues. When a governance framework is in place, business
units are aligned to strategies and resource prioritization is made accordingly.

88. Which of the following choices would PRIMARILY create transparency in the IT decision-
making process as part of governance of enterprise IT?
A. Stakeholder-approved roles, responsibilities, goals and metrics are communicated
B. The progress reporting process of service delivery is clearly established
C. Communication of decisions to IT employees is clear
D. Balanced scorecard (BSC) results are promptly communicated to the enterprise

ANSWER: A

Explanation: Transparency would be created by communicating stakeholder-approved roles,
responsibilities, goals and metrics to the enterprise. This allows everyone to understand the
basis for the decisions made.

89. Which of the following is not true concerning the process of terminating personnel?
A. The company must follow HR termination procedures
B. Any company property in possession of the employee must be returned
C. The employee must be allowed to copy any personal files from their computer
D. The employee’s recent history of login account activity should be reviewed in the
audit log

ANSWER: C

Explanation: Employee access should be disabled upon termination from the organization. All of
the other statements are true.

90. Which of the following is not true regarding mandatory access controls?
A. Someone in authority determines what is acceptable
B. The controls are implemented by using technical methods
C. They are administrative controls
D. They are administered from a central authority

ANSWER: A

Explanation: Mandatory controls are the strongest type of controls. They can be implemented
by using both administrative and technical methods. Mandatory controls are centrally
managed. There is no way to increase access except by formal promotion of access by the
central authority. With discretionary controls, we allow someone to decide.

91. Which of the following is not considered a control failure?
A. Using a policy which lacks a detective mechanism to identify violations
B. Modifying an ineffective procedure outside of change control
C. Testing to discover how many policy violations have occurred
D. Implementing a policy or standard without consequences of failure

ANSWER: C

Explanation: All of the available options except testing indicate that a control failure was
present. The minimum effective control must include a preventative, detective, and corrective
action.

92. Which of the following is the best definition of user identity?
A. Match
B. Claim
C. Authority
D. Job role

ANSWER: B

Explanation: The user identity is a claim made by the user. This claim of identity must be
verified against a known record by using the authentication process. Authentication is a one-
time match attempt to determine whether access should be granted. A mismatch would result
in denied access.

93. Which type of risk exemplifies the possibility of a material error that could not be
prevented or detected?
A. Overall audit risk
B. Detection risk
C. Inherent risk
D. Control risk

ANSWER: D

Explanation: A control risk is the risk that a material error exists or could be introduced that
the auditor would be unable to detect. A control risk represents a loss of control.

94. What is the reason to create a skills matrix?
A. To identify the different skills and their individual billing rate
B. To designate who will perform each specific task
C. To identify skills needed and justify training to fill the gaps
D. To comply with the minimum standards of project management

ANSWER: C

Explanation: The primary goal is to identify all the skills needed and to justify additional training
before conducting the audit. Adding new personnel may be an acceptable option if training
would not cure the problem in time. Using a skills matrix is one of the best practices in project
management; however, that was not the best available choice.

95. Management should implement internal controls for the organization. Which of the
following represents a systematic process required to accomplish this objective?
A. Policies
B. Guidelines
C. Procedures
D. Baselines

ANSWER: A

Explanation: Policies provide a cookbook recipe of steps necessary to ensure compliance in
support of management’s objective. The hierarchy is management’s high-level policy,
supported by a mid-level standard, which is supported by a lower-level procedure. It is
mandatory to comply with the procedures.

96. Steering committees perform all of the following functions except _____________.
A. Working in routine operations
B. Making decisions regarding centralization versus decentralization
C. Reporting to the board of directors on IS activities
D. Reviewing allocation of resources

ANSWER: A

Explanation: The steering committee is composed of executives from other areas of the
business who never participate in the work directed. The function of the steering committee is
to determine how to fulfill business objectives and priorities.

97. Who is responsible for implementing IT governance?
A. Chief information officer (CIO)
B. Chief executive officer (CEO)
C. Chief financial officer (CFO)
D. Board of directors

ANSWER: D

Explanation: IT governance is the responsibility of the most senior executives and shareholders,
who are all members of the board of directors. The board members set the strategic direction
of the organization and provide advisory services to help their executives implement the
strategy. C-level executives (CEO, CFO, and CIO) are expected to follow the directives issued by
the board of directors. The board of directors is the highest authority in the organization.

98. Which of the following is an approach that is not acceptable to gather information for a
risk analysis?
A. Bringing relevant people into a meeting to discuss their concerns
B. Sending an email to all employees explaining the basics of risk analysis and asking for
their cooperation and suggestions
C. Interviewing key people in IT and the user community
D. Sending a questionnaire to key personnel

ANSWER: B

Explanation: Sending an email to all employees is not an acceptable method. All the other answers
are appropriate methods for gathering information. The most effective methods are personal
interviews and workshops. The interviewer or facilitator can guide the live responses while
ensuring consistency of measurement and answers. Less effective is a survey, which tends to
generate inconsistent answers that may not be completely truthful.

99. When auditing to determine the IT operational capability, which of the following is the
best evidence to determine if adequate recovery and restart procedures exist?
A. Reviewing program documentation
B. Interviewing support personnel
C. Reviewing operations documentation
D. Checking the system configuration

ANSWER: C

Explanation: The presence of up-to-date recovery and restart procedures is an excellent source
of evidence. If the opportunity is available, it would be a good idea to observe the support
personnel using the procedure effectively. The auditor may inquire when the procedure was
last tested or used. The lack of documentation is a control failure.

100. User involvement is the most critical requirement during which phase of the
business continuity planning?
A. Strategy selection
B. Risk analysis
C. Plan development
D. Business impact analysis

ANSWER: D

Explanation: Detailed information is collected during the business impact analysis (BIA) and
used to define the available time windows, the most critical resources, and alternatives. This
information provides an invaluable set of specifications the strategy must fit. It would be
impossible to calculate an effective strategy without the in-depth data provided by a current
business impact analysis. Without the BIA, the best you can hope for is a disaster rebuilding
plan for the servers or the building. Without a BIA, the IT recovery plan will ultimately fail to
meet the organization’s needs.

101. Who is ultimately responsible for the development of an effective IT security
policy?
A. Chief information officer (CIO)
B. IT security manager
C. IT steering committee
D. Board of directors

ANSWER: D

Explanation: The board of directors represents the highest authority of the organization and has
ultimate responsibility for all internal controls. All individuals working inside the organization
are under the jurisdiction of the board of directors. It is the responsibility of the board to set
strategy, to provide emphasis and resources for work to be performed, and to verify the results.
Verification of results for internal controls can occur through the audit committee and
independent audit.

102. Which of these choices best represents the purpose of system accreditation?
A. Assign accountability to management
B. Ensure thoroughness of test results
C. Verify internal application controls
D. Make the developer responsible for the system’s intended use

ANSWER: A

Explanation: Management is responsible for the system and receives credit for success or owns
the liability of failure. It’s the responsibility of management to ensure the system is fit for its
intended use. Management is also responsible for funding adequate support.

103. Which of the following shows the five maturity levels of the software CMM in
order, from low (level 1) to high (level 5)?
A. Initialization, Repeatable, Defined, Managed, Optimizing
B. Initial, Repeatable, Defined, Managed, Optimized
C. Initial, Repeatable, Defined, Controlled, Optimized
D. Initialization, Defined, Repeatable, Managed, Optimizing

ANSWER: B

Explanation: Level 1 is the initial effort by heroes, level 2 represents repeatable procedures,
level 3 is a defined process, level 4 is managing the process and integrating with other systems,
and level 5 is improving the quality of the result.

104. What is the best choice to explain the purpose of the Capability Maturity Model
(CMM)?
A. Assess fitness of use
B. Estimate turnaround time
C. Measure dependability
D. Current measure of integration

ANSWER: D

Explanation: The Capability Maturity Model (CMM) is used to measure the maturity of a
process by tracking attributes which reflect the current level of integration. Processes of higher
maturity are more dependable, with qualitative and quantitative measurement of their results.

105. What is the intended purpose of separation of duties?
A. Justify requirements for a larger IT staff
B. Involve multiple people in the change process
C. Separate internal and external functions
D. Eliminate the waste of valuable resources on low-priority work

ANSWER: B

Explanation: Separation of duties is intended to ensure that no individual executes a change
without the review of a second person. Separation of duties is designed to reduce errors and
intentional harm by involving additional people in the change process. Internal access controls
limit the amount of change that can be executed by one person.

106. Which of the following determines security access based on the user’s job role or
task?
A. Mandatory access control (MAC)
B. Discretionary access control (DAC)
C. Nondiscretionary access control
D. Rule-based access using security labels

ANSWER: C

Explanation: Nondiscretionary access control determines the user’s access control level
according to the job role or job task. For example, the server administrator is often granted full
access to the system in order to perform their job. This can be a security concern for particular
types of data.

107. Which of the following represents a natural risk that always exists?
A. Inherent risk
B. Control risk
C. Detective risk
D. Transfer risk

ANSWER: A

Explanation: Inherent risk is always present. Control risk represents the possibility that material
errors may be introduced. Detective risk is the risk that errors will not be discovered. Transfer
risk is merely a distracter.

108. The primary purpose of the business continuity plan is which of the below?
A. Protect upper management from possible criminal prosecution
B. Ensure that information systems data is safely stored offsite and readily accessible in
crisis situations
C. Reduce the risk from unexpected disruption of critical functions and operations
D. Provide hot sites or other reasonable locations to continue information systems
operations

ANSWER: C

Explanation: The goal of business continuity planning is to ensure that critical functions are not
interrupted or they can be resumed in the shortest possible time frame. It is not necessary for
all systems to be recovered immediately. Efforts should be focused on core systems that
generate revenue.

109. Which of the following types of access control uses rules with security labels for
processing?
A. Mandatory access control (MAC)
B. Discretionary access control (DAC)
C. Empirical access control (EAC)
D. Role-based access control (RBAC)

ANSWER: A

Explanation: Mandatory access control uses rules with security labels for processing. The user’s
security label must be an explicit match with the system security label and data security label.
Without a match, access is denied. The only way to grant access is through a formal increase in
access level.

110. Which is not a purpose of risk analysis in audit planning?
A. To define how the client organization should respond to internal control threats
B. To determine whether the audit is possible
C. To assist the auditor in identifying risks and threats
D. To help the auditor in determining audit objectives

ANSWER: A

Explanation: Risk analysis in the audit planning phase is intended to assist the auditor with
threats and risks to the audit itself. The audit planning risk analysis does not define how the
client organization should respond to internal control threats. The client is still required to
perform a full risk analysis to determine their unique threats and plan for internal controls.

111. What type of metrics or measurement for IT services would be the most ideal
type in terms of optimum management?
A. External
B. Service
C. Internal
D. Performance

ANSWER: A

Explanation: External measurements indicate how the end user would review the delivery of IT
services. Performance metrics need to place the greatest emphasis on the external view of
system availability, attitudes of IT personnel toward the users, total elapsed time to resolve
problems, and so forth. Metrics should represent how the user sees IT, not the internal details
with which only IT can relate.

112. What is the principal issue concerning transborder data flow?
A. Government taxation standards differ
B. Differences may exist in the customs or procedures
C. Encryption must be implemented
D. Legal requirements may not be the same

ANSWER: D

Explanation: The concern with transborder data flow is the difference in legal requirements
between countries. An additional concern with transborder data flow is the level of risk may be
different depending on privacy laws and laws affecting intellectual property, such as trademark
and copyright.

113. During a controls audit, which of the following would be the most important
document to the auditor?
A. General network diagram
B. Facility blueprint showing access paths
C. Vendor’s support manual
D. Inventory of computer hardware including asset tag numbers

ANSWER: B

Explanation: It is nearly impossible to protect what is not defined. The first step is to document
physical access paths, the location of each network and telephone jack (access points),
equipment rooms, and physical barriers. The second step is to identify logical access points by
using a detailed network diagram. The third step is to review policies and procedures to
determine the possible effectiveness in that specific environment.

114. Which of these is a risk related to the ability to perform an audit and gather
meaningful evidence?
A. Overall audit risk
B. Control risk
C. Detection risk
D. Inherent risk

ANSWER: C

Explanation: A detection risk is the inability or low probability of finding meaningful evidence
concerning the subject audited. It may not be possible to detect everything necessary to
absolutely, positively prove or disprove a point. This is why a 95 percent assurance is
considered a high level of confidence.

115. The potential that a vulnerability will be exploited, causing a loss, is referred to
as which of the following?
A. Danger
B. Probability
C. Risk
D. Threat

ANSWER: B

Explanation: The term vulnerability refers to a path that may be taken by a threat to cause a
loss. The potential of loss is recognized as a probability. The probability represents the potential
likelihood that an event will occur.

116. Information system control objectives include all of the following except which
of the below?
A. Developing disaster recovery plans
B. Safeguarding assets
C. Developing an incident response plan
D. Identifying individual threats to a system

ANSWER: D

Explanation: The objective of control is to protect a system from loss. Controls are developed in
response to potential threats. The act of identifying individual threats will occur in risk
management.

117. What is the primary objective of a control self-assessment (CSA)?
A. To save money by eliminating the cost of external auditors
B. To leverage the audit function by shifting duties to functional areas
C. To improve overall quality of audit results
D. To empower workers to assess the active controls

ANSWER: D

Explanation: The control self-assessment is designed to empower the workers in improving the
effectiveness of internal controls. The control self-assessment will generate a better
understanding of the audit process and should improve future audit results. The CSA is
designed to foster ownership of responsibilities by the workers.

118. What is the first step toward building a security infrastructure?
A. Completing a qualitative risk analysis
B. Performing a business impact analysis
C. Defining the security policy
D. Implementing technical controls

ANSWER: C

Explanation: The first step is to define a security policy to communicate management’s overall
desire within the organization. The security policy will reflect management’s regard for controls
and will delegate authority for the function. The next steps are to conduct a risk analysis,
estimate business impact, select a strategy of effective controls, and finally implement the
controls. After implementation, the controls should be monitored for performance and
compliance.

119. What is the first step in developing a business continuity plan?
A. Selection of an appropriate strategy
B. Quantitative risk analysis
C. Analysis of the business impact
D. Qualitative risk analysis

ANSWER: C

Explanation: ISACA wants the CISA to analyze the business impact when reviewing the
development of a business continuity plan. The ISACA view presumes that a risk assessment has
been completed in advance.

120. Which team has staff members who remain at the recovery site to control
operations for the duration of the recovery?
A. Emergency management team
B. Offsite storage team
C. Applications team
D. Emergency action team

ANSWER: A

Explanation: Recovery team leaders, shift supervisors, and operators maintain operations
during the full recovery.

121. Which type of insurance covers loss due to employees and often takes the form
of bankers’ blanket bonds?
A. Fidelity coverage
B. Media reconstruction
C. Business interruption
D. Low deductions

ANSWER: A

Explanation: Fidelity coverage protects against theft losses by an employee. The fidelity bond
often takes the form of blanket bonds. The company may need to successfully convict the
employee of theft before the bond will be paid.

122. Who is ultimately responsible for all project costs and timetables?
A. Project manager
B. Quality Assurance
C. Project steering committee
D. Project team member

ANSWER: C

Explanation: Although the project manager is responsible for day-to-day management, the
steering committee controls the scope and therefore has ultimate responsibility for the final
project costs and timetable.

123. Using separation of duties, who among these are specifically prohibited from
moving changes out of the test environment and into the production system
environment?
A. System administrators
B. Database administrators
C. Programmers
D. Project managers

ANSWER: C

Explanation: To comply with separation of duties, programmers must not have write access into
the production libraries. Programmers are prohibited from making changes in the production
environment. The system operator or system administrator would be responsible for moving
software from the test library to the production library.

124. What is the purpose of bypass label processing?
A. Defeat MAC security controls
B. Implement DAC security controls
C. Defeat RBAC security controls
D. Implement TAC security controls

ANSWER: A

Explanation: The intention of bypass label processing is to circumvent security controls in a
mandatory access control (MAC) environment. Mandatory access control systems use labels to
enforce security policies.

125. The key steps in selecting a sample for an audit test include all of these except
________.
A. evaluating the sample’s relative value
B. calculating the sample size
C. determining the objectives of the test
D. performing substantive testing

ANSWER: C

Explanation: An audit test is done after the sample is selected. Samples may be selected by
using statistical or nonstatistical methods. The sample will be tested with the compliance tests
of applicability or substantive tests of content.

126. How does the auditor develop a professional opinion?
A. Gathering of evidence and corresponding test results
B. Expert analysis of the situation
C. Past experience from performing a similar job as an IT staffer
D. Observations and discussions with personnel

ANSWER: A

Explanation: The auditor’s opinion is actually a score created by following formal audit
procedures, gathering applicable evidence via an evidence sampling plan, and obtaining the
results of formal testing. The only real point of opinion occurs when the auditor indicates any
reservations about how the audit was run or about the sufficiency of evidence. The final result
is a qualified opinion (with reservations) or unqualified opinion (no reservations).

127. When would the technique of stop-and-go sampling be used?
A. To uncover irregular or illegal activity
B. To verify cell sample in substantive tests
C. To test only the stratified mean for compliance tests
D. To halt testing at the earliest possible opportunity

ANSWER: D

Explanation: The stop-and-go sampling technique is used when the probability of errors is low.
This allows the test to be halted at the earliest possible opportunity after a reasonable quantity
and quality of samples have been tested.

128. Which of the following statements is not true concerning outsourcing?
A. Provides for efficiency in economies of scale
B. Is often difficult or expensive to reverse
C. Minimizes the loss of key personnel
D. Provides more-effective use of highly skilled personnel

ANSWER: C

Explanation: Outsourcing can cause the loss of highly skilled and experienced personnel who
will be difficult to replace. Outsourcing often provides improved efficiency with economies of
scale for functions outside the core business activities. Unfortunately, outsourced agreements
can be difficult or expensive to reverse.

129. Which of the following best explains the purpose of an audit charter?
A. Authorize work, coordinate personnel, and grant funding
B. Specify personnel, coordinate responsibilities, identify audit subject
C. Specify limitations, demonstrate understanding between the parties, identify
sponsor
D. Delegate authority, set scope, provide resources

ANSWER: D

Explanation: The audit charter provides for the delegation of responsibility, authority, and
accountability in the audit. An audit charter represents a formal acknowledgment by
management and provides authority for the audit committee to engage independent auditors.

130. What is the fundamental limitation concerning internal controls?
A. The total cost of implementation may exceed profitability.
B. Audits are not required to test management’s assertion of control.
C. Employee participation is optional.
D. Management may be exempt from the controls.

ANSWER: D

Explanation: The fundamental limitation is that management may exempt themselves from the
internal control. Strong internal control laws such as the U.S. Sarbanes-Oxley Act, U.K. Turnbull
report, and the Basel II accord were created to force compliance by executive management.

131. Which of the following statements is true concerning discovery of potentially
illegal activity?
A. The evidence surrounding the discovery should be disclosed to the next-higher level
of management.
B. The auditor must notify law enforcement immediately.
C. The audit should be halted and the evidence of illegal activity presented to
management.
D. The auditor should make a legal determination as to the best action.

ANSWER: A

Explanation: The auditor should notify a higher level of management than where the potentially
illegal activity occurred. If the illegal activity involves persons responsible for internal controls,
the discovery should be reported to the management oversight committee. The auditor should
check with their own legal counsel for advice concerning the best action to take upon discovery
of a potentially illegal activity.

132. Which of the following sample methods is used in compliance testing?
A. Attribute sampling
B. Variable sampling
C. Stratified mean estimation
D. Difference estimation

ANSWER: A

Explanation: Compliance testing utilizes attribute sampling, discovery sampling, and stop-and-go
sampling methods. The other answer choices listed are used in substantive testing
techniques.

133. What is the purpose of an assessment, and what is its corresponding
trustworthiness value?
A. Determination of value, low
B. Same as external audit, high
C. External reporting, moderate
D. Same as internal audit, low

ANSWER: A

Explanation: The purpose of an assessment is to make a determination of value based on
fitness of use. Assessments by their nature are more cooperative with the auditee (people) to
generate a sense of ownership. Therefore, the corresponding trustworthiness value is low.
Assessments can be used for only internal purposes, never for external reporting or licensing.

134. Which of the following is not an acceptable method of risk management?
A. Accepting the outcome
B. Accepting the outcome
C. Intentionally skipping the disclosure of a threat
D. Avoiding the risk by transferring the process to a third party

ANSWER: C

Explanation: It is unacceptable to ignore a risk. Management must exercise due diligence with
regard to risk management. The acceptable methods of dealing with risk are to accept, reduce
(mitigate), transfer, or avoid the risk altogether.

135. Which of the below represents the best definition of forthright and honest
conduct without impropriety, deceit, or hidden agenda?
A. IT governance
B. End state
C. Opinion
D. Ethics

ANSWER: D

Explanation: Auditors are expected to exercise ethical conduct in all their activities. This
includes using only products you’ve obtained properly and are licensed to use, without any
exception. Using borrowed or unlicensed materials is a direct violation of ethics and copyright
law. Either of these violations will disgrace you and our profession. You don’t have to be
convicted to ruin your career or lose your CISA certification.

136. Who is responsible for detecting irregular and possibly illegal activity?
A. Management
B. Employees
C. Customers
D. Auditor

ANSWER: A

Explanation: It is the responsibility of management to detect irregular and possibly illegal
activity by implementing appropriate internal controls. The auditor is not required to detect
irregular or illegal activity. The auditor may participate in an investigation at the request of
management.

137. In business continuity, the recovery time objective (RTO) is based on which of
the following?
A. Acceptable time window during which the recovery of operations must be
completed
B. Time allowed for developing the business continuity plan
C. The point in time prior to the outage at which data will be recovered
D. The minimum time required to restore operations

ANSWER: A

Explanation: The acceptable time window is referred to as the recovery time objective. The
time estimate is based on the maximum acceptable outage before the organization loses its
clients or violates a significant legal requirement. The legal requirement may be in the form of
contracts, laws, or industry regulations.

138. Which of the following is the most accurate representation of the best evidence?
A. Subjective
B. Objective
C. Indirect
D. Not related

ANSWER: B

Explanation: The best evidence is objective and directly proves a point with little explanation.
The best evidence is provided by an individual who is independent of the event and unbiased.
The best evidence will have a direct relationship to the subject.

139. Internal controls can be implemented by using one of three common methods.
Which of the following is not one of the three methods?
A. Physical control
B. Administrative control
C. Contractual control
D. Technical control

ANSWER: C

Explanation: The common implementation methods are physical, logical (technical), and
administrative. Contracts are a smaller component within the administrative category.

140. How should the auditor evaluate downtime metrics reported by IT operations?
A. The auditor should evaluate downtime metrics anytime the system is unavailable for
any reason
B. The auditor should make exceptions for maintenance time as opposed to failure
C. Only failures are reported
D. The system should be up 99.999 percent of the time

ANSWER: A

Explanation: The auditor is always concerned when misrepresentation occurs. Uptime is when
the system is available for the user. Downtime is when the system is unavailable for any reason
whatsoever. The amount of downtime may be acceptable to the organization based on their
needs and operating schedule. Maintenance windows are just another form of downtime,
hopefully representing a good reason for the outage. Failure is a bad situation. Cost of
maintaining 24/7 uptime at 99.999 percent may not be necessary for offices closed on the
weekends. The financial ROI needs of the business are what matters, not IT attitudes.

141. Which of the following concepts refers to exercising appropriate judgment to
prevent negligence?
A. Due care
B. Civil procedure
C. Confidentiality
D. Awareness

ANSWER: A

Explanation: Due care represents the concern and appropriate judgment given to protect
something from a loss. It is the minimum level of attention required to prevent mishandling or
neglect.

142. What is the term used to refer to a person’s inability to deny participation in a
transaction?
A. Denial of service
B. Nondisclosure
C. Nonrepudiation
D. False rejection rate

ANSWER: C

Explanation: Nonrepudiation refers to a situation where a person cannot deny that a
transaction was executed or the data transmitted. The purpose of biometrics and strong
authentication is to ensure that only a particular individual is able to perform a specific
transaction. The goal is to say that only one person could have possibly done something.
Unfortunately, in the real world nonrepudiation is not always perfect.

143. Which term refers to a quantifiable measurement generated as a historical
score?
A. Key performance indicator
B. Critical success factor
C. Balanced scorecard
D. Threat matrix

ANSWER: A

Explanation: The key performance indicator (KPI) represents a historical score with quantifiable
measurement techniques. The critical success factor (CSF) is a particular event and must be
executed correctly every time. The CSF is a showstopper if it fails.

144. Which of the following is representative of two-factor authentication?
A. Strong passwords
B. Unique user ID and password
C. Something you know
D. User ID and physical characteristics

ANSWER: D

Explanation: Single-factor authentication refers to a password. Two-factor authentication refers
to a password and unique characteristic of the user. The second factor may be an ATM card in
your possession or a physical characteristic measured by a biometric system. To gain access, the
user would need their password plus the ATM card or biometric measurement.

145. Management is responsible for providing internal controls. Which of the
following refers to granting formal approval for a system to be used in production or at
a specific site?
A. Accreditation
B. Certification
C. Verification
D. Reiteration

ANSWER: A

Explanation: Accreditation is the process of management giving formal approval for a system to
be used in production, based on their determination of fitness of use. Accreditation may be for
a particular purpose or site location. All systems must undergo recertification and
reaccreditation on a regular basis, usually annually.

146. Which of the following is used to verify the user’s identity?
A. Identification
B. Authorization
C. Authentication
D. Repudiation

ANSWER: C

Explanation: Authentication is used to verify the user’s identity in a single attempt by
comparing the user’s claim to a known reference. Identification is a search against all the
known information in an attempt to determine the user. Authorization is the granting of
permission to perform a particular transaction.

147. In public key infrastructure, what is the primary role of the certificate authority
(CA)?
A. Verify user transactions
B. Issue a certificate and maintain status records
C. Provide security services
D. Provide an access control mechanism

ANSWER: B

Explanation: The primary role is to issue the digital certificate credential and provide
verification services to parties concerning the validity of the digital certificate. The CA is
responsible for maintaining a record of valid certificates and revoked or expired certificates.

148. When does the auditor safely agree to deviate from the published audit
standards?
A. As necessary
B. Whenever mutually agreed on with the client
C. When the standard does not seem to apply
D. Never

ANSWER: D

Explanation: The auditor should never deviate from the published standards. Deviation makes
the auditor liable for any misrepresentations or failure. The majority of corporate scandals
involve a deviation from standards. The perceived need for deviation is that your auditee would
otherwise fail or the audit may not be possible because of insufficient evidence for testing.

149. Which of the following controls is designed primarily to minimize the impact
after an event occurs?
A. Detective
B. Preventative
C. Mitigating
D. Corrective

ANSWER: D

Explanation: Corrective controls repair or minimize the damage after the event has occurred.
Detective controls identify when some error occurs. Preventative controls are designed to stop
an event from occurring. Mitigating is a general category that applies to anything.

150. Which of the following conditions likely represents a control failure, which is a
concern to the auditor?
A. A policy without an underlying standard of monitoring and enforcement
B. A policy based on guidelines
C. A general policy intended to be a catchall for things not specifically mentioned
D. Use of guideline with monitoring and no formal policy

ANSWER: A

Explanation: A policy without standards of enforcement is practically worthless. Monitoring is
required to determine whether the standard is met or violated. The lack of monitoring and
enforcement is a serious concern to the auditor.

-----------------------------------------------------------------------------------------------------------------------------
CISA DOMAIN 3

1. An IS team has decided to code a new application in a 4GL software. What is the advantage of
this technology?
A. Spontaneously generates business logic, screens, and reports
B. Uses fuzzy logic and decision support systems
C. Permits time boxing and short development cycles
D. Cuts developmental time and effort for functions, but has no business logic rules built-in

ANSWER: D

Explanation: A 4GL’s built-in script authoring and report writing utilities automate access to the database.

2. One of the primary responsibilities of a database team is to normalize the database. What does
this imply?
A. Speed up database response by creating normal data size
B. Assimilate all the system data into one normal table
C. Decrease data duplication by sizing smaller data tables
D. Reduce database response time by faster processing

ANSWER: C

Explanation: Database normalization minimizes data duplication by standardizing the database table
layout, and minimizing individual table sizes for quicker search.

3. The IS auditor has reviewed application security and found several inadequacies. Which of
these can the IS team use to fix the inadequacies without recurring issues?
A. Review configuration builder for the latest security software before release
B. Run a regression test before putting the final version into production
C. Include stringent coding conditions
D. Include pair programming practices

ANSWER: B

Explanation: To ensure the bugs are not introduced before a system goes into production, the IS team
must run a regression test to ensure the controls are not mitigated in a development environment prior
to implementation in production.

4. An IS auditor is not competent to review a technology product, and has requested expert help.
What should the auditor keep in mind?
A. Ensure an expert’s competence and independence
B. The client budget may increase
C. Audit reports should only contain the auditors work
D. The expert must be trained in auditing

ANSWER: A

Explanation: If the auditor is not an expert, other subject matter experts are used to audit after
their competence, experience, and independence have been reviewed. However, oversight is required and a risk
assessment must be performed on this service.

5. In expert systems, which of the following reflect an inference engine?
A. Heuristics are used for decision making
B. It refines its own knowledge base
C. It is easily portable
D. It is relatively inexpensive

ANSWER: A

Explanation: The inference engine uses heuristic programming, which is self-learning by sorting through
several knowledge bases for possible answers. It’s recorded in objects or semantic networks, and gets
better with experience.

6. Data warehousing is increasingly used for churning large amounts of data. Which of the
following best defines a data mart?
A. Can purchase relevant data
B. Is a substitute for data warehousing
C. Provides data mining rules
D. Stores data mining results

ANSWER: D

Explanation: A data mart stores the results of data mining, which drills down into the data available in data
warehouses checking for associations.

7. Object-oriented database management systems normally indicate database capabilities
with object-oriented programming capabilities. For which of the following data types are they
designed?
A. Fixed length
B. Access with joins
C. Variable
D. Tabular implementation

ANSWER: C

Explanation: Object-oriented database management systems can manipulate data with variable data
formats, unlike relational databases that are tabular in implementation.

8. An IS auditor has undertaken a review of the configuration parameters in a software
development project. Why is this review done?
A. Changes must be properly studied for impact analysis
B. Change settings must set the minimum requirements for adequate and essential security
C. Change requests should be approved by the Change Control Board (CCB)
D. The configuration management system reveals different directories where controls are not well
managed

ANSWER: B

Explanation: Change security settings define the accountability and integrity of data. Beyond this,
changes should be studied for impact analysis, and properly approved by the Change Control Board.
Evidence of inadequate security is revealed through the study of folders under configuration
management.

9. During a software development project audit, the CISA finds the requirements fuzzy. What
potential impact could this primarily have on the project quality?
A. Lack of adherence to specifications
B. Rework and bugs
C. A non-working software
D. Customer dissatisfaction

ANSWER: A

Explanation: Quality is primarily the result of conformance to specifications. Requirements must reflect
the specifications intended for use. The lack of requirement controls significantly impacts the quality, and
leads to customer dissatisfaction.

10. Software systems need to be tested at various stages to ensure they are fit for use. In a target
environment, what type of testing is undertaken to ensure the system is not in conflict with
other systems?
A. Integration
B. Sociability
C. System
D. White-box

ANSWER: B

Explanation: Sociability testing tests a software system in the target environment. All other tests are run
to ensure the software system and its functions are fit for use.

11. In a software development project, which entity is accountable and responsible for the entire
project including its schedule, quality, and budget?
A. Quality team
B. Project Governance committee
C. Project Manager or Leader
D. All the project team members

ANSWER: B

Explanation: While all the project team members are responsible for project success, and the Project
Manager for operational project management, it is the Project Governance committee that controls the
requirements and overall scope and needs to bear accountability and responsibility for the project
schedule, scope, and budget.

12. Software Reverse Engineering occurs when a source code is taken apart to see how it operates
to replicate or improve. Which of the given risks are incurred when Reverse Engineering is
undertaken?
A. Confidentiality agreement
B. License agreement violation
C. Site agreement violation
D. Contradiction on the quality of substituted parts

ANSWER: B

Explanation: Reverse Engineering of the source or compiled code is legally not permissible, and would
imply a legal violation of end-user licensing agreements. Legal issues also arise due to copyright
violation, and call for legal action pertaining to theft of copyright.

13. ‘Segregation of duties’ is a cardinal security principle. Which category of employees under this
principle cannot move software system changes from the system development environment to
the production environment?
A. Configuration Administrator
B. Project Managers
C. Database Controller
D. Developers

ANSWER: D

Explanation: Under the ‘segregation of duties’ principle, developers do not have the write access into
the production system, as older versions or incorrectly compiled code might be put to live use by error.
The configuration administrator is responsible for checking the latest and correct system software into
the production environment.

14. During software development projects, estimation of size and scope are very significant factors.
Several methodologies are available to estimate the work during the initial phase. Which of
these methods use parameters such as user inputs, user outputs, reports, screens, and
interfaces to generate an estimate?
A. Story Points methodology
B. Code’s lines methodology
C. Configuration Points methodology
D. Function Point Analysis methodology

ANSWER: D

Explanation: Function Point Analysis methodology is used by several software organizations. It is
computed by taking various pertinent parameters such as the number of inputs, outputs, reports,
screens, and interfaces and their degree of complexity to arrive at a size estimate. This is further
translated into timelines based on the number of developers available and cost. The other
methodologies, Lines of Code and Story Points, are used in mainframe or legacy systems and in Agile
estimation respectively.

15. Systems and Data modeling have various diagramming methods of representation. A popular
method is the Entity-relationship diagrams (ERD). In which of the following options are these
methods used?
A. Flow diagram for data flow through the system
B. Security controls logical access diagrams
C. Schedule diagram to detail the activities sequence
D. Defining database design schema for requirements

ANSWER: D

Explanation: ERD diagrams are used to define the database structure. An entity-relationship diagram
(ERD) details how to structure the data, and the interrelationships with other data. Data flow diagrams
are then used to show the business logic and data-transformation procedures.

16. To simplify complex development systems, a variety of techniques are used. A popular
technique is the Unified Modeling Language (UML). What is it used for?
A. It is a notational language used for specifying and visualizing object-oriented software.
B. It provides an agile method model for fast track development.
C. It helps in modeling physical and logical controls.
D. It is a specialized programming language.

ANSWER: A

Explanation: Unified Modeling Language (UML) is a complex development tool for object-oriented
software development. It normally needs good domain understanding in addition to the development
techniques.

17. Software development projects with dynamic requirements, short schedules, quick wins, and
limited resources would use which of the given options?
A. Agile Software Development
B. Program Evaluation Review Technique
C. Critical Path Method
D. Gantt Charts

ANSWER: A

Explanation: Agile Software Development uses time-boxed management with fixed scope and identified
deliverables, trading off between software quality and project schedule. Each additional iteration
provides additional software modules.

18. A software development project has to be audited in its post-implementation phase by an IS
auditor. During which of the following stages should the actual software
certification testing be carried out?
A. Initiation and Requirements
B. Requirements and Design
C. Design, Development, and Implementation
D. Development, Implementation, and Post-implementation

ANSWER: D

Explanation: Software certification testing is run during development, implementation, and post-
implementation. First, certification tests are run during the development and repeated several times
during implementation before it goes live in production. The performance or requirements are
rechecked during post-implementation. After the documented improvements are implemented, the
system is recertified and must undergo at least one check annually.

19. An IS auditor is reviewing an IS operation that is substantially outsourced. Which of these is an
incorrect fact about outsourcing?
A. Creates economies of scale
B. Reversal is difficult and expensive
C. Minimizes key personnel loss
D. Provides large pool of highly skilled employees

ANSWER: C

Explanation: Highly skilled and experienced employees are down-scaled or made redundant, and hence
would be difficult to replace. Outsourcing also provides efficiencies through economies of
scale, but outsourced functions are difficult or expensive to bring back.

20. Which of these organizational structures gives the greatest power to a Project Manager?
A. Functional
B. Hybrid
C. Projectized
D. Matrix

ANSWER: C

Explanation: It is in a projectized organization that the highest power can be enjoyed by a Project manager. Then
comes the matrix. The functional structure has no involvement or power.

21. In software development, which of these is popularly used for showing a project’s critical
route?
A. Program Evaluation Review Technique
B. Activity sequence
C. Diagramming method
D. Gantt Chart

ANSWER: A

Explanation: Program Evaluation Review Technique networks show the critical path of a project.

22. Development projects can be complex, and plan their outputs and deliverables as a result of
work breakdown over several phases. What does a work breakdown structure imply?
A. Resource work plan
B. Milestones in the plan
C. Project authorities mapped to work
D. Activity decomposition into tasks for delivering an output

ANSWER: D

Explanation: A work breakdown structure decomposes the activities into tasks that are required to run
the project and produce deliverables.

23. What are the three parameters that projects need to balance to derive a successful outcome?
A. Requirements, authority, and budget
B. Quality, resources, and communication
C. Requirements, coordination, and change management
D. Time, cost, and scope

ANSWER: D

Explanation: Scope, cost, and time are the three parameters known as the Iron Triangle in all projects.
The cost comprises personnel and resources whereas the scope encompasses the authority. The
project’s scope and cost is impacted by time, wherein the scope needs to be achieved as per the decided
plan.

24. Software projects can use either Gantt Charts or Program Evaluation Review Techniques. What
is the difference between using either of these techniques in a developmental project?
A. Gantt Charts represent the flow of project activities but PERT diagrams showcase a more
comprehensive and exhaustive structure of the work breakdown. The valuable details that are
needed to make the skills matrix are depicted by PERT diagrams.
B. Program Evaluation Review Techniques create work packages sequentially derived from the
work breakdown structure to show different paths. Gantt Charts are bar charts showing
sequence of activities on a calendar using Work Breakdown structures.
C. Program Evaluation Review Techniques are detailed work breakdowns of hierarchical tasks,
whereas Gantt Charts are high-level line diagrams.
D. Projects always use Gantt Charts. Program Evaluation Review Techniques may sometimes be
used.

ANSWER: B

Explanation: A Program Evaluation Review Technique diagram represents various paths a project can
take to complete its activities including the critical route. It is the shortest way possible to accomplish
the project. Project Managers use data from the Gantt chart, which has sequenced and scheduled
activities on a calendar to build a PERT diagram.

25. Which type of audit would the auditor use to check the characteristics against design
conditions?
A. Compliance
B. Project
C. Application
D. Product

ANSWER: D

Explanation: Product audits compare design specifications against the attributes of a finished product.
Auditors use this audit during certification of customized software or before a software product
is released.

26. Which of these processes is not required by the configuration management?
A. Configure each item
B. Release schedule
C. Change control
D. Version control

ANSWER: B

Explanation: Configuration management requires three essential components: configuration of each
item, version control of every change, and reporting of the current configuration as it is built and has
been delivered to the customer. A release schedule is not required.

27. Which of these entities contains methods and programming that can be modified by the user or
operator?
A. Application interfaces
B. Open systems
C. Graphical user interfaces
D. Closed system

ANSWER: B

Explanation: An open system includes the source code that can be read as well as utilized to design
documents for the user or operator to make the required changes.

28. Which of the following business process re-engineering strategies requires large amounts of
time for reviewing the current process?
A. Step Model
B. Big Bang
C. Incremental
D. Interactive

ANSWER: C

Explanation: An incremental process requires a longer time to review the current process, and therefore
has little or no impact.

29. Which of these keys best ensures referential integrity between the data elements in different
database tables?
A. Secondary
B. Foreign
C. Hash
D. Primary

ANSWER: B

Explanation: A foreign key ensures linking of common data between different database tables, and is
used with tables to decompose information in the database.

30. Which of the following is the use of regression testing?
A. Tests individual software modules
B. Regresses the software to compensate for internal controls
C. Ensures that changes do not have undesirable effect on other components
D. Reverses the user acceptance testing to an earlier phase of development

ANSWER: C

Explanation: Regression testing checks the software for problems that would have a negative effect on
other components.

31. Which of the given tests checks the authorization and completeness of information contained in
a record?
A. Substantive
B. Regression
C. Data integrity
D. Systems

ANSWER: C

Explanation: A data integrity test checks the correctness of data traced through the processing cycle,
and reviews the input authorization and completeness of data processing. It also verifies that the results
are correct.

32. Which among these has the project ownership, and takes part in acceptance testing and user
training?
A. Quality assurance team
B. Testing team
C. Project team
D. User organization

ANSWER: D

Explanation: User organizations review software functions, and declare them fit for use at the end of the
development phase.

33. When is user acceptance testing carried out in the Waterfall software development cycle?
A. Design
B. Implementation
C. Development
D. Requirement analysis

ANSWER: B

Explanation: User acceptance tests are run during the Implementation phase of the Waterfall cycle. The
user determines whether the requirements are met and the end product is acceptable.

34. What are the primary risks in a system development project?
A. Risk of undisciplined development and poor project management practices
B. Risks of end users not accepting deliverables
C. Risk of inadequate technology skills
D. Risk of unclear requirements

ANSWER: A

Explanation: Undisciplined system development and poor project management practices are the
primary risks in a project.

35. Which of the given entities can initiate a change request in a process?
A. End users
B. Testing team
C. Development team
D. All of the above

ANSWER: D

Explanation: Any of the given entities can request changes to a development system. But change control
must be monitored and approved, and a risk assessment should be made before the change is
implemented.

36. How many phases are there in a Software Development Life Cycle?
A. Three
B. One
C. No fixed number
D. Seven

ANSWER: D

Explanation: The Software Development Life Cycle contains seven phases: Feasibility, Requirements,
Design, Development, Implementation, Post-implementation, and Disposal.

37. Which of these reflects the need for a system accreditation?
A. Management becomes accountable
B. Verification of tested systems
C. Access controls are accurate
D. Validated legally

ANSWER: A

Explanation: Management is responsible for the system being fit for use, and becomes accountable for
its success or liable for its failure.

38. How is the completed software development rendered for the end-users?
A. Through user acceptance testing
B. Through implementation
C. Through release management
D. Through configuration control

ANSWER: C

Explanation: Software development is compiled and released to the end-users through a formal release
procedure that reviews all changes and incorporates them into a final release. This is moved out of the
development environment to production, and made available to the end users.

39. What is the meaning of critical path in project scheduling?
A. Activities to complete the project in the shortest total time
B. Total time for critical activities
C. Successive activities with the longest total time
D. View the project in a critical fashion

ANSWER: C

Explanation: A critical path is the series of successive project activities that must be completed to fulfill
the minimum requirement; it is the path with the longest total time and therefore determines the
shortest possible time to completion.

40. User acceptance testing should occur in which of the following environments?
A. Stand-alone systems
B. In the configuration controlled testing or staging library
C. On development systems for program
D. Production systems

ANSWER: B

Explanation: Acceptance testing is ideally performed in a configuration-controlled environment with
versioned software modules.

41. Which of these development methodologies does not require extensive planning and
requirement analysis for a major system?
A. Rapid Application Development
B. Waterfall Lifecycle
C. Agile Development
D. Prototyping

ANSWER: A

Explanation: Rapid Application Development enables building systems rapidly at low cost using time
boxed schedules.

42. In software analysis, why are the entity-relationship diagrams used?
A. To detail data relationships
B. To detail the architecture
C. To detail user requirements
D. To detail implementation needs

ANSWER: A

Explanation: ERDs are used to detail the relationships between data records and data attributes.

43. It is imperative to follow stringent change control processes, which are most complex in
_________?
A. Prototyping
B. Rapid Application Development
C. Web Development
D. Agile Development

ANSWER: A

Explanation: Change control is most complex during prototyping, because rapid changes are often not
documented, and do not go through formal approvals.

44. Why is the Function Point Analysis (FPA) methodology used?
A. Detail the functions in an organization
B. Forecast of resources, and the complexity of requirements
C. Use parameters to determine the requirement scope and complexity
D. Diagram of the organization chart with responsibilities

ANSWER: B

Explanation: The Function Point Analysis technique uses parameters such as the number of inputs, the
number of outputs, and their complexity to estimate the size and schedule of all requirements.

45. Define atomicity.
A. Transactions completed in entirety, or backed out of the database
B. Quantum memory chip
C. Fuzzy logic
D. Special tools used in Extreme Engineering

ANSWER: A

Explanation: Database integrity is assured by completely backing out transactions that could not be
completed in their entirety.

46. Why is reverse engineering considered unsafe for an organization?
A. Banned by international law
B. Is often in violation of the user license agreement
C. The practice may be unknown
D. Could be a litigation

ANSWER: B

Explanation: Reverse engineering directly violates the user’s license agreement, which can lead to
stringent legal action.

47. Which of the following represents a search for correlations in the data?
A. Data mart
B. Data snapshot
C. Data mining
D. Data warehouse

ANSWER: C

Explanation: The process of data mining is to search the available data in the data warehouse for
correlations. Data is collected from various databases with a snapshot utility, and copied to the data
warehouse. The data is searched for correlations that may provide useful information. These
correlations are then stored in the data mart for the user to review.

48. An IS auditor evaluating some database controls finds out that the revisions made to the
database during regular working hours were managed with the help of standard procedures.
Eventually, it was discovered that the changes undertaken after the regular hours just needed
an abbreviated sequence of steps. In such a situation, which of the following would prove to be
a suitable set of compensating controls?
A. Allowing changes to the database administrator (DBA) user account only
B. Making changes to the database once an access is granted to a normal user account
C. Using the normal user account to execute changes, log them, and review them in the log on the
next day
D. Using the DBA user account to execute changes, log them, and review them in the log on the next
day

ANSWER: D

Explanation: The DBA user account is normally configured so that all changes made with it are logged.
This is the most appropriate way to monitor changes made outside regular hours; therefore, logging
combined with review is an appropriate set of compensating controls.

49. In order to maintain data integrity in an online transaction processing system, it is important to
make sure that a transaction is either completed fully or not. This principle of data integrity
refers to:
A. Atomicity
B. Consistency
C. Durability
D. Isolation

ANSWER: A

Explanation: The principle of atomicity requires that a transaction is either fully completed or not at all.
This is required because, if an error or interruption takes place, all the changes made up to that point
must be backed out. Consistency ensures that every integrity condition in the database is maintained
across each transaction. Isolation means that each transaction is isolated from other transactions, so a
transaction can only access data that is in a consistent database state. Durability ensures that once a
transaction has been reported to the user as complete, the final changes to the database are not
affected by subsequent software or hardware failures.

50. Which of the following best describes a program object in object-oriented programming?
A. It comprises methods as well as data
B. The data are separate from the methods
C. It contains all the methods required for every task
D. It does not expose any methods

ANSWER: A

Explanation: Program objects comprise methods as well as data so a desired task can be easily
performed. The object can be delegated to another object in OOP.

51. The main objective of a post-implementation review is:
A. Recognizing if forcing an installation is a success
B. Authorizing the final payment for the vendor from escrow
C. Determining if its organizational objectives are fulfilled
D. Conducting quick and effective remedial actions

ANSWER: C

Explanation: A post-implementation review determines whether the organizational objectives have been
fulfilled. The review also verifies whether the internal controls exist and are in use.

52. Which of the following does the RFP process consider a major concern?
A. The RFP planning process is not needed for organizations that have a strong internal
programming capability.
B. The proposals of the vendor go through an objective review to ensure their alignment with
the objectives of the organization.
C. The vendor has to agree to escrow the program code in order to safeguard the buyer. This is
needed in case the vendor terminates the operation process.
D. The RFP process needs a substantial commitment in opposition with a request for
information (RFI).

ANSWER: B

Explanation: Each proposal has to go through an objective review to determine whether the offer is in
proper alignment with the organizational objectives. RFP review is a formal process that should be
handled as a project.

53. Which SDLC phase makes use of Function Point Analysis (FPA)?
A. SDLC phase 3: System Design
B. SDLC phase 5: Implementation
C. SDLC phase 4: Development
D. SDLC phase 1: Feasibility Study

ANSWER: D

Explanation: Function Point Analysis (FPA) helps in estimating the effort needed to develop the
software. FPA is used during SDLC phase 1 which is the Feasibility Study phase, to formulate estimates
by calculating the multiplication of the number of inputs and outputs against a mathematical factor.

54. When is a project’s management oversight needed?
A. When the percentage of time, scope, or cost vary above 5 percent from the estimate
B. When the feasibility study is inconclusive
C. To validate whether the total benefits of the program meet the anticipated projection
D. When major changes show up in assumptions, methodology, or requirements

ANSWER: D

Explanation: Management oversight review is important where it is anticipated that the estimates are
off by more than 10 percent. It is also needed if major changes appear in the assumptions, methodology,
or requirements used.

55. What is the benefit of an integrated development environment (IDE)?
A. Eliminating the testing requirement in SDLC phase 4
B. Generating and debugging the program code
C. Eliminating the majority of processes in SDLC phase 2
D. Preventing design errors in SDLC phase 3

ANSWER: B

Explanation: The integrated development environment runs a program code generation automatically
and ensures online debugging for certain types of errors. It does not substitute the traditional planning
process. IDE does not amend the testing requirements in SDLC phase 4. Full testing needs to take place.

56. Differentiate between accreditation and certification.
A. Accreditation is technical in nature while certification is managerial
B. Both are similar since both are technical in nature
C. Accreditation describes whether, in the view of management, the system is fit for use, and
certification is a technical test
D. Accreditation is a technical process of testing while certification reflects management’s view of
its fitness for use

ANSWER: C

Explanation: Certification is a technical process of testing. Accreditation is a management process that
grants approval based on the system’s fitness for use.

57. With regard to life cycle management, which of the following is the IS auditor’s primary
purpose?
A. Verifying if the evidence favors the organizational objective and that the management has
authorized all decisions
B. Verifying if the management has ensured to sign all business contracts to execute them
C. Verifying if management doesn’t need to always sign or execute all business contracts
D. Verifying if the management allocated a sufficient budget for paying for the software
development in a decided time period

ANSWER: A

Explanation: Evidence must favor the decided organizational objectives. Software that has been newly
created or bought needs to be properly researched. This is needed to ensure it meets the organization’s
objectives. The management has to review and approve each phase of the life cycle before moving on to
the next phase.

58. Name the principle that comprises the concept of all or nothing.
A. Atomicity, consistency, isolation, and durability
B. Transaction processing monitor
C. Runtime processing
D. Referential integrity

ANSWER: A

Explanation: The ACID principle of database transaction talks about consistency, atomicity (all or
nothing), isolation (independent transactions that operate on their own), and durability (where data is
properly maintained).

59. Various types of testing are used in software development to ensure proper functionality.
Name the type of testing used to assess the functionality of commercially compiled software.
A. Code review
B. White-box
C. Crystal-box
D. Black-box

ANSWER: D

Explanation: Humans cannot read compiled software. Black-box testing runs a sample transaction
through the system; the output is then compared with the original input to verify whether it is correct.
This shows what the customer needed from the system.

60. Which of the following methods programs software modules using a time-box style of
management?
A. Spiral
B. Lower CASE
C. Agile
D. Fourth-generation (4GL)

ANSWER: C

Explanation: Agile uses time-box management for quick iterations of software prototypes, made
possible by small teams of talented programmers.

61. How long does a full system accreditation normally last?
A. One year
B. Two years
C. Nine months
D. As long as the system is used

ANSWER: A

Explanation: Full accreditation runs for one year and requires annual renewal; management must
reaccredit systems on a yearly basis. Temporary or restricted accreditation lasts only 90 or 180 days.

62. Several risks can become serious issues during the SDLC. The biggest problem for the auditor
will be:
A. User requirements and objectives were not fulfilled
B. The depth and breadth of user operation manuals is not enough
C. The project exceeded an overrun cost by 14 percent from the original budget
D. User acceptance testing existed for only 1 hour

ANSWER: A

Explanation: The biggest concern would be failure to meet the user requirements or user objectives.
Cost overruns can occur, and the auditor would want to know why the overrun took place, but that is
comparatively less important.

63. Which term describes coding a program by using a template within an integrated software
development environment?
A. Compiled coding
B. Micro-coding
C. Pseudocoding
D. Object coding

ANSWER: C

Explanation: Software developers make use of pseudocoding for writing programs into a project
template. This template lies within the integrated development environment (IDE).

64. With regard to software escrow, which of the following is the most significant issue?
A. The vendor has to use a subcontractor for safely storing the original development software
B. The software comprises intellectual value that is communicated to the client
C. The client can only use the software and not own it, unless more amount is paid
D. Escrow will take up the commercial software if the vendor sells the rights to another vendor

ANSWER: C

Explanation: The client can only use the software and does not have the right of ownership. The client
may request for software escrow to gain full rights over the software if the vendor runs out of business.

65. How can one justify the cost of designing and managing a quality program?
A. Product profit margin
B. Price of failure
C. Prevention of regulatory changes and fines
D. Usage of the 100-point rule

ANSWER: B

Explanation: Quality is conformance to specifications and is measured in the same way. The price of
nonconformance, or cost of failure, is the additional cost incurred when the specification is not met.
The cost of failure is an excellent tool for justifying the funding of preventive controls.

66. Which of the following is the best method of assessing the logic used in software of a
programming script?
A. Black-box
B. Regression
C. User acceptance
D. Crystal box

ANSWER: D

Explanation: Crystal-box testing, also called white-box testing, reviews the logic in software written as a
programming script. The script remains readable until it is compiled; compiled programs can be tested
using a black-box method.

67. In the SDLC model, the software certification testing actually occurs in:
A. Phase 3 (System Design)
B. Phase 3 (System Design) and phase 4 (Development)
C. Phase 5 (Implementation)
D. Phase 4 (Development) and phase 5 (Implementation)

ANSWER: D

Explanation: Software certification testing starts during phase 4 that is the development phase and
continues into phase 5 which is implementation testing.

68. Why should one use the international standards such as ISO 15489 and ISO 9126:2003 with
SDLC?
A. To use them as inputs for starting specifications for the requirements in phase 2
B. To consider itself as an international reference for starting a quality assurance program
C. To provide guidance for its use in phase 4 development
D. To reduce the initial cost of software development

ANSWER: A

Explanation: These standards help to plan the secondary software specifications. International standards
such as ISO 15489 (record management), ISO 15504 (CMM/SPICE), and ISO 9126:2003 (quality
management) are best used as inputs for starting specifications in phase 2 requirements. Primary
specifications are achieved by gathering information from the user for defining their main objectives for
the software, specifying the steps in its intended mission.

69. In software systems, relational databases are frequently used. What is the output of
normalizing the database?
A. Removing redundant and duplicate data
B. Making sure that tuples are correct
C. Evaluating the database for abnormal behavior against another
D. Making sure that all records are proper or normal

ANSWER: A

Explanation: In order to perform a meaningful search, database tables need to be optimized.
Normalization means removing redundant or excessive data from the database tables; the aim is to
improve speed and efficiency during a database search. Additional data is placed in other database
tables, with referencing links that allow retrieval when required.

70. In which phase of testing does user acceptance occur for new application software?
A. System
B. Unit
C. Integration
D. Acceptance

ANSWER: D

Explanation: The last stage before installing the software which is available for use is the stage of
acceptance testing.

71. In a small organization, emergency changes may be suggested by the developers for release to
production directly. How will the risk in this scenario be BEST controlled?
A. Approving the change and documenting it on the next day
B. Limiting the access of the developer to production within a particular time slot
C. Obtaining secondary approval before the production release
D. Disabling the option for compiler in the production machine

ANSWER: A

Explanation: It may be apt to let programmers make emergency changes, provided they are approved
and documented in the first place.

72. The IS auditor is performing a change control audit of a production system and finds that the
change management process has no formal documentation and that some of the migration
procedures have failed. What should the IS auditor do next?
A. Suggest redesigning the change management process.
B. Perform root cause analysis to gain more assurance on the process.
C. Recommend stopping program migrations until the change process documentation is
completed.
D. Document the finding and report it to management.

ANSWER: B

Explanation: A change management process is important for IT production systems. Before suggesting
that the organization take any other action (e.g., ceasing migrations or redesigning the change
management process), the IS auditor should gain confidence that the incidents noted are related to
gaps in the change management process and not to some other process.

73. When is the waterfall software development life cycle model most appropriately used?
A. When requirements are well known and expect to stay stable, just like the business
environment wherein the system will operate
B. When requirements are well known and the project depends upon time pressures
C. When the project aspires to utilize an object-driven design and programming approach
D. When the project makes use of newer technology

ANSWER: A

Explanation: Historically, the waterfall model is best suited to stable conditions. As the degree of
uncertainty about the system to be delivered, and about the conditions in which it will be used, rises,
the waterfall model becomes less successful. In these scenarios, the various forms of iterative
development life cycle have the advantage of segmenting the scope of the overall system to be
delivered, which makes requirements gathering and design activities more manageable.

74. While assessing an organization's data file control procedures, an IS auditor finds that
transactions are run against the most current files, while the restart procedures use previous
versions. What should the IS auditor recommend?
A. Retaining source documentation
B. Securing data file
C. Controlling version usage
D. Checking one-for-one

ANSWER: C

Explanation: For correct processing, it is important that the file is used in its proper version. Transactions
should be run for the latest database and restart procedures should use previous versions.

75. What could be solved through denormalization?
A. Parallel access
B. Unauthorized access to data
C. Deadlocks
D. Loss of data integrity

ANSWER: D

Explanation: Normalization means removing redundant data elements from the database structure.
Disabling normalization in relational databases (denormalization) results in redundancy and a risk of
not maintaining data consistency, leading to loss of data integrity.

76. What should be the log in procedure for a database administrator (DBA) who wants to make
emergency changes to a database after normal working hours?
A. Make the changes with their named account
B. Make the changes with login of the shared DBA account
C. Make the changes by logging in the server administrative account
D. Make the changes to the user's account

ANSWER: A

Explanation: The named user account must be used to log in before switching to the DBA account. This
provides accountability for whoever is making the changes.

77. Online banking transactions are added to the database when the processing suddenly stops. By
what means can one ensure the integrity of the transaction processing?
A. Database integrity checks
B. Validation
C. Input controls
D. Database commits and rollbacks

ANSWER: D

Explanation: Database commits ensure that the data of a transaction are saved to disk only once the
transaction has completed. Rollback ensures that any partially completed processing is reversed, so
that data from a failed or interrupted transaction are not written to disk.
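The commit/rollback behaviour behind questions 45, 49, 58 and 77 (atomicity: a transfer either completes in full or is backed out), shown as an added example using Python's standard sqlite3 module; it is not part of the question bank. The account table, the CHECK constraint that rejects negative balances, and the simulated mid-transaction crash are constructed for illustration.

```python
"""Atomic funds transfer with commit/rollback (constructed example)."""
import sqlite3


def setup() -> sqlite3.Connection:
    """Create an in-memory database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    # The CHECK constraint is the integrity condition that a bad transfer violates.
    conn.execute(
        "CREATE TABLE accounts ("
        " id INTEGER PRIMARY KEY,"
        " balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [(1, 100), (2, 50)])
    conn.commit()
    return conn


def transfer(conn: sqlite3.Connection, src: int, dst: int, amount: int,
             crash_after_credit: bool = False) -> bool:
    """Move `amount` from src to dst as one atomic unit.

    Returns True when both updates were committed, False when the
    transaction was rolled back (integrity failure or simulated crash).
    """
    try:
        # `with conn:` commits on normal exit and rolls back on any exception.
        with conn:
            # Credit first so that a failure on the debit leaves visible partial
            # work that must be undone by the rollback.
            conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?",
                         (amount, dst))
            if crash_after_credit:
                raise RuntimeError("simulated crash between the two updates")
            # Overdrawing violates the CHECK constraint -> IntegrityError.
            conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?",
                         (amount, src))
        return True
    except (sqlite3.IntegrityError, RuntimeError):
        return False


def balances(conn: sqlite3.Connection) -> dict:
    """Current balances keyed by account id."""
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


if __name__ == "__main__":
    db = setup()
    print("ok transfer:", transfer(db, 1, 2, 30), balances(db))
    print("overdraw   :", transfer(db, 1, 2, 500), balances(db))
    print("crash      :", transfer(db, 1, 2, 10, crash_after_credit=True), balances(db))
```

After the overdraw attempt and the simulated crash the balances are identical to those after the one successful transfer: the credit that had already been applied was rolled back together with the failed debit, which is exactly the "all or nothing" property the explanation describes.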

78. Which technique should the IS auditor use as a testing process to identify specific program logic
that has not been tested?
A. A snapshot
B. Tracing and tagging
C. Logging
D. Mapping

ANSWER: D

Explanation: Mapping identifies specific program logic that has not been tested and analyzes programs
to signify whether program statements have been implemented during the execution or not.

79. What kind of software application testing is considered the final stage of testing and typically
includes users outside the development team?
A. Alpha
B. White box
C. Regression
D. Beta

ANSWER: D

Explanation: Beta testing is the final stage of testing and typically includes users outside the
development area. Beta testing is a form of user acceptance testing (UAT), and generally involves a
limited number of users who are external to the development effort.

80. A project development team is considering using production data for their test deck. The team
scrubbed sensitive data elements from the bed before loading it into the test environment.
Which of the following additional concerns should an IS auditor have with this practice?
A. Not all functionality will be tested
B. Production data are introduced into the test environment
C. Specialized training is required
D. The project may run over budget

ANSWER: A

Explanation: A primary risk of using production data in a test deck is that not all transactions or
functionality may be tested if there are no data that meet the requirement.

81. An IS auditor is evaluating the effectiveness of the organization's change management process.
What is the MOST important control that the IS auditor should look for to ensure system
availability?
A. That changes are authorized by IT managers at all times
B. That user acceptance testing (UAT) is performed and properly documented
C. That test plans and procedures exist and are closely followed
D. That capacity planning is performed as part of each development project

ANSWER: C

Explanation: The most important control for ensuring system availability is to implement a sound testing
plan and procedures which are consistently followed.

82. An enterprise is developing a new procurement system, and things are behind schedule. As a
result, it is proposed that the time originally planned for the testing phase be shortened. The
project manager asks the IS auditor for recommendations to mitigate the risks associated with
reduced testing. Which of the following is a suitable risk mitigation strategy?
A. Test and release a pilot with reduced functionality
B. Fix and retest the highest-severity functional defects
C. Eliminate planned testing by the development team, and proceed straight to acceptance testing
D. Implement a testing tool to automate defect tracking
ANSWER: A

Explanation: Option A reduces risks in a number of ways. Reduced functionality should result in fewer
overall test cases to run and defects to fix and retest, and in less regression testing. A pilot release made
available to a select group of users will reduce the risks associated with a full implementation.

83. An IS auditor needs to review the procedures used to restore a software application to its state
prior to an upgrade. Therefore, the auditor needs to assess:
A. problem management procedures
B. software development procedures
C. fallback procedures
D. incident management procedures

ANSWER: C

Explanation: Fallback procedures are used to restore a system to a previous state and are important
elements of the change control process.

84. An enterprise uses privileged accounts to process configuration changes for mission-critical
applications. Which of the following would be the BEST and appropriate control to limit the risk
in such a situation?
A. Ensure that audit trails are accurate and specific
B. Ensure that personnel have adequate training
C. Ensure that personnel background checks are performed for critical personnel
D. Ensure that supervisory approval and review are performed for critical changes

ANSWER: D

Explanation: Supervisory approval and review of critical changes by accountable managers in the
enterprise are required to avoid any unauthorized change.

85. When selecting a supplier package, organizations should consider all of the following except:
A. Stability of the supplier company
B. Supplier’s ability to provide support
C. Required modifications to the base software
D. Sales and marketing literature

ANSWER: D

Explanation: Sales and marketing literature would not provide the objective facts required to make a
judgment when selecting a package. All other choices are pertinent.

86. Viruses pose all of the following risks except:
A. Loss of data
B. Loss of paper documents
C. Loss of hardware
D. Loss of performance

ANSWER: B

Explanation: Viruses affect only electronic systems and data, so paper documents would not be
impacted.

87. Interfaces are another form of:
A. Output
B. Report
C. Input
D. Processing

ANSWER: C

Explanation: Interfaces transmit data from one system to another and are therefore inputs.

88. An IT system that now allows the corporate office to view data from their individual sales
offices introduces the most change to:
A. Social relationships
B. Technical support
C. Inter-organizational relationships
D. Company politics

ANSWER: D

Explanation: This change would affect the dynamics of the organization giving more authority to
individual sales units leading inevitably to company politics.

89. In auditing an automated change control system, an auditor reviews all of the following except:
A. License agreements
B. Rules
C. Access lists
D. Log files

ANSWER: A

Explanation: The license agreement is not required to be reviewed by the auditor when reviewing the
change controls. All others are pertinent.

90. An IS auditor is reviewing an enterprise's system development testing policy. Which of the
following statements concerning use of production data for testing would the IS auditor
consider to be MOST appropriate?
A. Senior IS and business management must approve use before production data can be utilized for
testing
B. Production data can be used if they are copied to a secure testing environment
C. Production data can never be used. All test data must be developed and based on documented
test cases
D. Production data can be used provided that confidentiality agreements are in place

ANSWER: A

Explanation: There are risks associated with the use of production data for testing. These include
compromising customer or employee confidentiality (which may also involve breaching legislation) and
corrupting the production data. Additionally, there are certain cases in which effective testing
requires specifically designed data.

91. An enterprise is evaluating the adoption of cloud computing and web virtualization instead of
acquiring new IT infrastructure for a development environment. What is the IS auditor's
GREATEST concern?
A. Benchmarks with similar projects have not been considered
B. The security officer has not been consulted
C. The project's business case has not been established
D. The designed technical architecture does not consider hardware savings

ANSWER: C

Explanation: As with any IT investment, it is always recommended that the benefits and return on
investment (ROI) be documented with a clear business case that can be shared and approved by
management. All IT investments must support the business. Benchmarks are good indicators, but not
sufficient to demonstrate the optimal aspect of this IT investment.

92. During an application audit, an IS auditor is asked to provide assurance of the database
referential integrity. Which of the following should be reviewed?
A. Field definition
B. Master table definition
C. Composite keys
D. Foreign key structure

ANSWER: D

Explanation: Referential integrity in a relational database refers to consistency between coupled tables.
Referential integrity is usually enforced by the combination of a primary key or candidate key (alternate
key) and a foreign key.
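Questions 29 and 92 (referential integrity enforced through a foreign key) and questions 69 and 75 (normalization versus the redundancy that denormalization reintroduces) share one mechanism, shown here as an added example using Python's standard sqlite3 module; it is not part of the question bank. The customer and order tables and their rows are constructed. Note that SQLite only enforces foreign keys after `PRAGMA foreign_keys = ON`, which an auditor checking a SQLite-backed application should verify.

```python
"""Normalization and foreign-key referential integrity (constructed example)."""
import sqlite3

# Constructed denormalized data: the customer's email is repeated on every order.
DENORMALIZED_ORDERS = [
    (1, "alice", "alice@example.com", "widget"),
    (2, "alice", "alice@example.com", "gadget"),
    (3, "bob", "bob@example.com", "widget"),
]


def denormalized_update_anomaly() -> int:
    """Show the inconsistency risk of redundant data.

    Returns the number of distinct emails stored for 'alice' after an update
    that reached only one of her rows (2 means the data are now inconsistent).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (order_id INTEGER PRIMARY KEY,"
                 " customer TEXT, email TEXT, item TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", DENORMALIZED_ORDERS)
    # A partial update leaves the other copies stale: loss of data integrity.
    conn.execute("UPDATE orders SET email = 'alice@new.example' WHERE order_id = 1")
    (distinct,) = conn.execute(
        "SELECT COUNT(DISTINCT email) FROM orders WHERE customer = 'alice'").fetchone()
    return distinct


def normalized_db() -> sqlite3.Connection:
    """Same data normalized into customers + orders, linked by a foreign key."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless enabled
    conn.executescript("""
        CREATE TABLE customers (
            customer_id INTEGER PRIMARY KEY,
            name  TEXT NOT NULL,
            email TEXT NOT NULL);
        CREATE TABLE orders (
            order_id    INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES customers(customer_id),
            item        TEXT NOT NULL);
        INSERT INTO customers VALUES (1, 'alice', 'alice@example.com'),
                                     (2, 'bob',   'bob@example.com');
        INSERT INTO orders VALUES (1, 1, 'widget'), (2, 1, 'gadget'), (3, 2, 'widget');
    """)
    return conn


def insert_order(conn: sqlite3.Connection, order_id: int, customer_id: int,
                 item: str) -> bool:
    """True if accepted; False if the parent customer does not exist."""
    try:
        with conn:
            conn.execute("INSERT INTO orders VALUES (?, ?, ?)",
                         (order_id, customer_id, item))
        return True
    except sqlite3.IntegrityError:
        return False


def delete_customer(conn: sqlite3.Connection, customer_id: int) -> bool:
    """True if deleted; False if orders still reference the customer."""
    try:
        with conn:
            conn.execute("DELETE FROM customers WHERE customer_id = ?", (customer_id,))
        return True
    except sqlite3.IntegrityError:
        return False


def orphan_orders(conn: sqlite3.Connection) -> int:
    """Orders whose customer_id matches no customer row (should stay 0)."""
    (n,) = conn.execute(
        "SELECT COUNT(*) FROM orders o LEFT JOIN customers c"
        " ON o.customer_id = c.customer_id WHERE c.customer_id IS NULL").fetchone()
    return n


if __name__ == "__main__":
    print("distinct emails for alice after partial update:", denormalized_update_anomaly())
    db = normalized_db()
    print("order for unknown customer accepted:", insert_order(db, 4, 99, "widget"))
    print("delete referenced customer allowed :", delete_customer(db, 1))
    print("orphan orders:", orphan_orders(db))
```

The denormalized table ends up with two different emails for the same customer after a partial update, which is the integrity loss question 75 warns about. In the normalized schema the foreign key rejects an order for a customer that does not exist and refuses to delete a customer who still has orders, so the orphan count stays at zero; that foreign key structure is what question 92 tells the auditor to review.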

93. An IS auditor is reviewing system development for a healthcare organization with two
application environments- production and test. During an interview, the auditor notes that
production data are used in the test environment to test program changes. What is the MOST
significant potential risk from this situation?
A. The test environment may not have adequate controls to ensure data accuracy
B. The test environment may produce inaccurate results due to use of production data
C. Hardware in the test environment may not be identical to the production environment
D. The test environment may not have adequate access controls implemented to ensure data
confidentiality

ANSWER: D

Explanation: In many cases the test environment is not configured with the same access controls that
are enabled in the production environment, so production data copied into it is exposed to developers
and testers who are not authorized to see it in production.

94. An IS auditor needs to review the procedures used to restore a software application to its state
prior to an upgrade. Therefore, the auditor needs to assess:
A. problem management procedures
B. software development procedures
C. fallback procedures
D. incident management procedures

ANSWER: C

Explanation: Fallback procedures are used to restore a system to a previous state and are an important
element of the change control process. The other choices are not related to the change control
process—a process which specifies what procedures should be followed when software is being
upgraded.

95. A laptop computer belonging to a company database administrator (DBA) and containing a file
of production database passwords has been stolen. What should the organization do FIRST?
A. Send a report to the IS audit department
B. Change the name of the DBA account
C. Suspend the DBA account
D. Change the database password

ANSWER: D

Explanation: The password should be changed immediately since there is no way to know whether it has
been compromised. While the IS audit department should be notified, this should not be the first action.
Changing the DBA account name could impact production database servers and thus would not be a
good idea. Similarly, suspending the DBA account could impact the production database servers.

96. Which of the following situations is addressed by a software escrow agreement?
A. The system administrator requires access to software in order to recover from a disaster
B. A user requests to have software reloaded onto a replacement hard drive
C. The vendor of custom-written software goes out of business
D. An IT auditor requires access to software code written by the organization

ANSWER: C

Explanation: A software escrow is a legal agreement between a software vendor and a customer that
guarantees the customer access to the application source code if the vendor can no longer support it
(for example, goes out of business). The source code is held by a trusted third party under the terms of
the contract.

97. Which of the following should be an IS auditor's PRIMARY concern after discovering that the
scope of an IS project has changed and an impact study has not been performed?
A. The time and cost implications caused by the change
B. The risk that regression tests will fail
C. Users not agreeing with the change
D. The project team not having the skills to make the necessary change

ANSWER: A

Explanation: Any scope change might have an impact on duration and cost of the project; that is the
reason why an impact study is conducted and the client is informed of the potential impact on the
schedule and cost. A change in scope does not necessarily impact the risk that regression tests will fail,
that users will reject the change or that the project team will lack the skills to make the change.

98. An IS auditor noted that there was a system crash incident on the first day of fieldwork after a
security patch was installed. To provide reasonable assurance that this event would not recur,
an IS auditor should ensure that:
A. only systems administrators perform the patch process
B. the client's change management process is adequate
C. patches are validated using parallel testing in production
D. an approval process of the patch, including a risk assessment, is developed

ANSWER: B

Explanation: The change management process, which would include procedures regarding
implementing changes during production hours, helps to ensure this type of event does not recur. An IS
auditor should review the change management process, including patch management procedures, to
verify that the process has adequate controls and to make suggestions accordingly.

99. An IS auditor is to assess the suitability of a service level agreement (SLA) between the
organization and the supplier of outsourced services. To which of the following observations
should the IS auditor pay the MOST attention? The SLA does not contain a:
A. transition clause from the old supplier to a new supplier in the case of expiration or termination
B. late payment clause between the customer and the supplier
C. contractual commitment for service improvement
D. dispute resolution procedure between the contracting parties

ANSWER: A

Explanation: The delivery of IT services for a specific customer always implies a close linkage between
the client and the supplier of the service. If there are no contract terms to specify how the transition to
a new supplier may be performed, there is the risk that the old supplier may simply “pull the plug” if the
contract expires or is terminated.

100. The GREATEST advantage of rapid application development (RAD) over the traditional
system development life cycle (SDLC) is that it:
A. facilitates user involvement
B. allows early testing of technical features
C. facilitates conversion to the new system
D. shortens the development time frame

ANSWER: D

Explanation: The greatest advantage of RAD is the shorter time frame for the development of a system.
Choices A and B are true, but they are also true for the traditional systems development life cycle.
Choice C is not necessarily always true.

101. Which of the following would BEST prevent power outages?
A. A power transfer system
B. Dual power leads
C. A power generator
D. An uninterruptible power supply

ANSWER: B

Explanation: The best way to prevent power outages is to install power leads from two different power
substations. It is not uncommon for a power transfer switch to fail during a power outage; it would not
prevent a power outage, but is used to handle the impact of such outages.

102. An IS auditor needs to review the procedures used to restore a software application to
its state prior to an upgrade. Therefore, the auditor needs to assess:
A. problem management procedures
B. software development procedures
C. fallback procedures
D. incident management procedures

ANSWER: C

Explanation: Fallback procedures are used to restore a system to a previous state and are an important
element of the change control process.

103. A group of software designers are at a stage in their software development project
where they need to reduce the amount of code running, reduce entry points available to
untrusted users, reduce privilege levels as much as possible, and eliminate unnecessary
services. Which of the following best describes the first step they need to carry out to
accomplish these tasks?
A. Attack surface analysis
B. Software development life cycle
C. Risk assessment
D. Unit testing

ANSWER: A

Explanation: The aim of an attack surface analysis is to identify and reduce the amount of code
accessible to untrusted users. The basic strategies of attack surface reduction are to reduce the amount
of code running, reduce entry points available to untrusted users, reduce privilege levels as much as
possible, and eliminate unnecessary services. Attack surface analysis is generally carried out through
specialized tools to enumerate different parts of a product and aggregate their findings into a numerical
value. Attack surface analyzers scrutinize files, registry keys, memory data, session information,
processes, and services details.

104. The new director of software development in a company would like to provide a way
that allows each of the services provided by the various applications to be centrally accessed
and controlled. Several proprietary applications offer individual services to the employees, but
the employees have to log into each and every application independently to gain access to
these discrete services. Which of the following best describes the architecture that should be
deployed?
A. Service-oriented architecture
B. Web services architecture
C. Single sign-on architecture
D. Hierarchical service architecture

ANSWER: A

Explanation: Exposing the discrete services of these applications as web services allows the
organization to provide a service-oriented architecture (SOA) environment. SOA is a way to provide
independent services residing on different systems in different business domains in one consistent
manner; it is a set of principles and methodologies for designing and developing software in the form
of interoperable services.

105. In the system design phase, system requirement specifications are gathered and a
modeling language is used. Which of the following best describes what a modeling language is
and what it is used for?
A. A modeling language is commonly mathematical to allow for the verification of the system
components
B. A modeling language is commonly graphical to allow for threat modeling to be accomplished
through the understanding of system components
C. A modeling language is commonly graphical to allow for a system architecture to be built
D. A modeling language is commonly graphical to allow for visualization of the system components

ANSWER: D

Explanation: In the system design phase we gather system requirement specifications and use modeling
languages to establish how the system will accomplish design goals, such as required functionality,
compatibility, fault tolerance, extensibility, security, usability, and maintainability. The modeling
language is commonly graphical so that we can visualize the system from a static structural view and a
dynamic behavioral view.

106. The IS Head of an organization wants to deploy a server-side scripting language on his
company’s web server that will allow him to provide common code that will be used
throughout the site in a uniform manner. Which of the following best describes this type of
technology?
A. Sandbox
B. Server-side includes
C. Cross-site scripting
D. Java applets

ANSWER: B

Explanation: Server-side includes (SSI) is an interpreted server-side scripting language used mainly on
web servers. It allows web developers to reuse content by inserting the same content into multiple web
documents. This typically involves use of an include statement in the code and a file (.inc) that is to be
included.

107. An attacker can modify the client-side JavaScript that provides structured layout and
HTML representation. This commonly takes place through form fields within compromised web
servers. Which of the following best describes this type of attack?
A. Injection attack
B. DOM-based XSS
C. Persistent XSS
D. Session hijacking

ANSWER: B

Explanation: DOM-based (Document Object Model) XSS is also referred to as local cross-site scripting.
The DOM is the standard structure the browser uses to represent HTML and XML documents, and its
components such as form fields, the URL and cookies can be referenced from JavaScript. In a DOM-based
attack the page's own client-side script reads attacker-controlled data from the DOM and writes it into
the page through an unsafe sink (for example innerHTML or document.write), so the victim's browser
executes the resulting script. Unlike persistent XSS, the payload does not have to be stored by the server.

108. During an audit, the IS auditor notes that the application developer also performs
quality assurance testing on a particular application. Which of the following should the IS
auditor do?
A. Recommend compensating controls
B. Review the code created by the developer
C. Analyze the quality assurance dashboards
D. Report the identified condition

ANSWER: D

Explanation: The software quality assurance role should be independent and separate from the
development staff and development activities. The same person should not hold both roles because this
would be a segregation of duties concern. The IS auditor should report this condition when it is
identified.

109. An IS auditor is reviewing risk and controls of a bank wire transfer system. To ensure
that the bank's financial risk is properly addressed, the IS auditor will most likely review which
of the following?
A. Privileged access to the wire transfer system
B. Wire transfer procedures
C. Fraud monitoring controls
D. Employee background checks

ANSWER: B

Explanation: Wire transfer procedures include segregation of duties controls. This helps prevent internal
fraud by not allowing one person to initiate, approve and send a wire. Therefore, the IS auditor should
review the procedures as they relate to the wire system.

110. An IS auditor reviewing the process to monitor access logs wishes to evaluate the
manual log review process. Which of the following audit techniques would the auditor MOST
likely employ to fulfill this purpose?
A. Inspection
B. Inquiry
C. Walk-through
D. Re-performance

ANSWER: C

Explanation: Walk-through procedures usually include a combination of inquiry, observation, inspection
of relevant documentation and re-performance of controls. A walk-through of the manual log review
process follows the manual log review process from start to finish to gain a thorough understanding of
the overall process and identify potential control weaknesses.

111. Which of the following is the most important skill an IS auditor should develop to
understand the constraints of conducting an audit?
A. Contingency planning
B. IS management resource allocation
C. Project management
D. Knowledge of internal controls

ANSWER: C

Explanation: Audits often involve resource management, deliverables, scheduling, and deadlines similar
to project management best practices.

112. General Ledger (GL) data are required for an audit. Instead of asking IT to extract the
data, the IS auditor is granted direct access to the data. What is the main advantage of this
approach?
A. Reduction of IT person-hours to support the audit
B. Reduction of the likelihood of errors in the extraction process
C. Greater flexibility for the audit department
D. Greater assurance of data validity

ANSWER: D

Explanation: If the IS auditor executes the data extraction, there is greater assurance that the extraction
criteria will not interfere with the required completeness and therefore all required data will be
collected.

113. An IS auditor is planning to evaluate the control design effectiveness related to an
automated billing process. Which of the following is the MOST effective approach for the
auditor to adopt?
A. Process narrative
B. Inquiry
C. Re-performance
D. Walk-through

ANSWER: D

Explanation: Walk-throughs involve a combination of inquiry and inspection of evidence with respect to
business process controls. This is the most effective basis for evaluation of the design of the control as it
actually exists.

114. In evaluating programmed controls over password management, which of the following
is the IS auditor most likely to rely on?
A. A size check
B. A hash total
C. A validity check
D. A field check

ANSWER: C

Explanation: A validity check would be the most useful for the verification of passwords because it
would verify that the required format has been used—for example, not using a dictionary word,
including non-alphabetical characters, etc. An effective password must have several different types of
characters: alphabetical, numeric, and special.
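One way to implement such a validity check, as an added example that is not from the question bank: the rule thresholds, the tiny COMMON_WORDS list and the substitution table are constructed for illustration, and a real deployment would load a breached-password or dictionary file instead of five words. The check returns every rule the password breaks rather than stopping at the first, so the user (or the auditor) can see the whole picture.

```python
import re

# Constructed, deliberately tiny word list for illustration; a real check would
# load a breached-password or dictionary file instead.
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "qwerty"}

# Normalise common character substitutions so "P@ssw0rd" is still recognised
# as the dictionary word "password".
LEET = str.maketrans("@$0!31", "asoiel")


def password_validity_check(password: str, username: str = "") -> list[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    failures = []
    if len(password) < 12:
        failures.append("shorter than 12 characters")
    # each required character class
    for label, pattern in (("lowercase letter", r"[a-z]"),
                           ("uppercase letter", r"[A-Z]"),
                           ("digit", r"[0-9]"),
                           ("special character", r"[^A-Za-z0-9]")):
        if not re.search(pattern, password):
            failures.append(f"no {label}")
    # runs such as "aaa" or "111"
    if re.search(r"(.)\1\1", password):
        failures.append("three or more repeated characters in a row")
    # dictionary check on the de-substituted, letters-only form
    letters_only = re.sub(r"[^a-z]", "", password.lower().translate(LEET))
    if any(word in letters_only for word in COMMON_WORDS):
        failures.append("contains a dictionary word")
    if username and username.lower() in password.lower():
        failures.append("contains the user name")
    return failures
```

Note that "P@ssw0rd123!" satisfies every character-class rule and still fails, because the substitution-aware dictionary check is what actually catches the weak password; a validity check that only counts character classes would accept it.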

115. Which of the following will MOST successfully identify overlapping key controls in
business application systems?
A. Reviewing system functionalities that are attached to complex business processes
B. Submitting test transactions through an integrated test facility (ITF)
C. Replacing manual monitoring with an automated auditing solution
D. Testing controls to validate that they are effective

ANSWER: C

Explanation: As part of the effort to realize continuous audit management (CAM), there are cases for
introducing an automated monitoring and auditing solution. All key controls need to be clearly aligned
for systematic implementation; thus, analysts have the opportunity to come across unnecessary or
overlapping key controls in existing systems.

116. While performing an audit of an accounting application's internal data integrity controls,
an IS auditor identifies a major control deficiency in the change management software that
supports the accounting application. The most appropriate action for the IS auditor is to:
A. continue to test the accounting application controls, verbally inform the IT manager about the
change management software control deficiency and offer consultation on possible solutions
B. complete the application controls audit, but not report the control deficiency in the change
management software because it is not part of the audit scope
C. continue to test the accounting application controls and include mention of the change
management software control deficiency in the final report
D. cease all audit activity until the control deficiency in the change management software is
resolved

ANSWER: C

Explanation: It is the responsibility of the IS auditor to report on findings that could have a material
impact on the effectiveness of controls, whether or not they are within the scope of the audit.

117. An enterprise is developing a strategy to upgrade to a newer version of its database
software. Which of the following tasks can an IS auditor perform without compromising the
objectivity of the IS audit function?
A. Advise on the adoption of application controls to the new database software
B. Provide future estimates of the licensing expenses to the project team
C. Recommend at the project planning meeting how to improve the efficiency of the migration
D. Review the acceptance test case documentation before the tests are carried out

ANSWER: D

Explanation: The review of the test cases will facilitate the objective of a successful migration and ensure
that proper testing is conducted. An IS auditor can advise as to the completeness of the test cases.

118. An IS auditor suspects an incident (attack) is occurring while an audit is being performed
on a financial system. What should an IS auditor do first?
A. Request that the system be shut down to preserve evidence
B. Report the incident to management
C. Ask for immediate suspension of the suspect accounts
D. Immediately investigate the source and nature of the incident

ANSWER: B

Explanation: Reporting the suspected incident to management will help initiate the incident response
process, which is the most appropriate action. Management is responsible for making decisions
regarding the appropriate response. It is not the IS auditor's role to respond to incidents during an audit.

119. During a change control audit of a production system, the IS auditor finds that the
change management process is not formally documented and that some migration procedures
failed. What should the IS auditor do next?
A. Recommend redesigning the change management process
B. Gain more assurance on the findings through root cause analysis
C. Recommend that program migration be stopped until the change process is documented
D. Document the finding and present it to management

ANSWER: B

Explanation: A change management process is critical to IT production systems. Before recommending
that the organization take any other action (for example, stopping migrations or redesigning the change
management process), the IS auditor should gain assurance that the reported failures are related to
deficiencies in the change management process and not caused by some process other than change
management.

120. What is the BEST method to facilitate successful user testing and acceptance of a new
enterprise resource planning (ERP) payroll system that is replacing an existing legacy system?
A. System testing
B. Parallel testing
C. Integration testing
D. Prototype testing

ANSWER: B

Explanation: Parallel testing is the best method for testing data results and system behavior because it
allows users to compare the results obtained from both systems before the legacy system is
decommissioned, which also helps user adoption of the new system. System testing does not compare
results from the old and new systems. Integration testing addresses how the system interacts with other
systems, and prototype testing does not compare results between the old and new systems.

121. The manager of an IS department has discovered several application security flaws as the
result of a Root Cause Analysis review. What would be the best approach to fix this without
creating additional problems?
A. Initiate immediate installation of the latest security patches to fix the defects
B. Assess the impact by regression-testing the patch prior to production use
C. Refrain from using vendors with buggy software
D. Ask the vendor’s technical support staff for advice

Answer: B

Explanation: The primary purpose of patch management is to ensure that software updates are tested in
a separate nonproduction environment prior to implementation in production. Regression testing
verifies that the update does not introduce errors that alter or damage the existing controls.

122. The audit team is debating whether the time required for transaction processing review is
affected by a properly implemented Electronic Data Interchange (EDI) system. What is the right
view on this?
A. EDI usually increases the time necessary for review
B. Cannot be determined
C. EDI usually decreases the time necessary for review
D. EDI does not affect the time necessary for review

Answer: C

Explanation: Electronic Data Interchange (EDI) is the electronic exchange of business information in a
standardized format, allowing one company to send information to another electronically rather than on
paper. EDI supports inter-vendor communication while decreasing the time necessary for review because
it is usually configured to identify errors requiring follow-up automatically.

123. The IS auditor is reviewing the system console log. What is the review likely to
determine? Choose the BEST answer.
A. System errors
B. Evidence of data copy activities
C. Evidence of password sharing
D. Evidence of password spoofing

Answer: A

Explanation: The system console log records system-level events and messages, so the review is most
likely to reveal system errors. Evidence of data copying, password sharing or password spoofing would
have to come from application and access logs rather than from the console.

124. The CISA observes that users have direct access to a database at the system level. What
risk (if any) can be envisaged?
A. Risk of unauthorized access increases, but risk of untraceable changes to the database decreases
B. Risk of unauthorized and untraceable changes to the database increases
C. Risk of unauthorized access decreases, but risk of untraceable changes to the database increases
D. Risk of unauthorized and untraceable changes to the database decreases

Answer: B

Explanation: Direct access at the system level bypasses the application's authorization checks and its
audit trail, so both the risk of unauthorized access and the risk of changes that cannot be traced back
to a user increase.

125. An IS auditor is reviewing several completed software development projects. What
should be the primary focus?
A. Focus on system controls
B. Focus on testing controls
C. Focus on development standards
D. Focus on adequate and complete documentation

Answer: D

Explanation: When reviewing systems-development projects, an IS auditor should also strive to ensure
that adequate and complete documentation exists for the projects.

126. During the course of an audit, an IS auditor has determined that the application has been
modified several times. Which testing would the IS auditor expect to find in order to ensure that
the full impact of the changes was assessed?
A. Interface systems with other applications or systems
B. Mission-critical functions and any interface systems with other applications or systems
C. The entire program, including any interface systems with other applications or systems
D. All programs, including interface systems with other applications or systems

Answer: C

Explanation: Whenever an application is modified, the IS auditor will review whether the entire program
including its interfaces with other applications or systems have been tested to determine the full impact
of the change.

127. During the audit, the CISA has found that projects have been approved without conforming to
any approval procedures. What should the CISA do?
A. Invest in sound project-management training for the staff
B. Create project-approval procedures for future project implementations
C. Review existing procedures and strengthen them
D. Recommend to management that formal approval procedures be adopted and documented

Answer: D

Explanation: If the CISA observes that approval procedures do not exist for projects, recommendation
must be made to management that formal approval procedures be adopted and documented.

128. An IS auditor is auditing the change management process for a software system and is
reviewing both the change logs and a written impact analysis of those logs. Which would better
support the auditor as evidence?
A. The change log is best because it is subjective
B. The change log is best because it is objective and unbiased
C. The written analysis is best because it interprets the change log
D. The written analysis is best because it is objective

Answer: B

Explanation: The change log is the best evidence because it is objective and not subject to human
judgment.

129. At what stage does user acceptance occur in the Waterfall SDLC model?
A. Analysis
B. Design
C. Development
D. Implementation
Answer: D

Explanation: User acceptance occurs during the implementation phase, when the user is involved in
determining whether the system functionality is acceptable.

130. The audit team is reviewing an application software and its processing accuracy. Which
controls would the team use?
A. Range checks
B. Run-to-run totals
C. Limit checks on calculated amounts
D. Exception reports

Answer: B

Explanation: Run-to-run total verification is designed to provide the ability to verify data and record
values through the stages of application processing. It ensures that data read into the computer was
accepted and then applied to the updating process.
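An added example (not from the question bank) of run-to-run totals written as control logic in Python; the three-stage batch, the transaction amounts and the account numbers are constructed. It carries a record count, an amount total and a hash total from one processing stage to the next and shows why the hash total is kept alongside the financial total: a posting redirected to another account leaves both the count and the money unchanged.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    account: int      # account number
    amount: Decimal   # posting amount


@dataclass(frozen=True)
class ControlTotals:
    record_count: int
    amount_total: Decimal
    hash_total: int   # sum of account numbers: meaningless as a figure, useful as a check


def control_totals(batch: list[Txn]) -> ControlTotals:
    return ControlTotals(
        record_count=len(batch),
        amount_total=sum((t.amount for t in batch), Decimal("0")),
        hash_total=sum(t.account for t in batch),
    )


def run_to_run_check(stages: dict[str, list[Txn]]) -> list[str]:
    """Carry the totals from each processing stage to the next and report any break."""
    findings = []
    names = list(stages)
    previous = control_totals(stages[names[0]])
    for name in names[1:]:
        current = control_totals(stages[name])
        if current.record_count != previous.record_count:
            findings.append(f"{name}: record count {current.record_count} != {previous.record_count}")
        if current.amount_total != previous.amount_total:
            findings.append(f"{name}: amount total {current.amount_total} != {previous.amount_total}")
        if current.hash_total != previous.hash_total:
            findings.append(f"{name}: hash total {current.hash_total} != {previous.hash_total}")
        previous = current
    return findings


# Constructed sample batch (not from the question bank).
INPUT_BATCH = [
    Txn(1001, Decimal("250.00")),
    Txn(1002, Decimal("-75.50")),
    Txn(1003, Decimal("120.25")),
]


def clean_scenario() -> list[str]:
    """Every stage carries the same records: no findings."""
    return run_to_run_check({
        "input": INPUT_BATCH,
        "validated": list(INPUT_BATCH),
        "posted": list(INPUT_BATCH),
    })


def dropped_record_scenario() -> list[str]:
    """A record is lost between validation and posting: count, amount and hash all break."""
    return run_to_run_check({
        "input": INPUT_BATCH,
        "validated": list(INPUT_BATCH),
        "posted": INPUT_BATCH[:2],
    })


def substituted_account_scenario() -> list[str]:
    """Same count, same money, but one posting went to another account: only the hash total breaks."""
    redirected = [INPUT_BATCH[0], INPUT_BATCH[1], Txn(1999, Decimal("120.25"))]
    return run_to_run_check({
        "input": INPUT_BATCH,
        "validated": list(INPUT_BATCH),
        "posted": redirected,
    })
```

Amounts are held as Decimal rather than float so the totals reconcile exactly; a float total that drifts by a rounding error would produce false breaks and train operators to ignore the control.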

131. An organization that is implementing security policies has asked the IT team’s Database
Administrator to ensure the principle of Least Privilege is implemented in the RDBMS. Which of
these would be used?
A. View
B. Table
C. Record
D. Tuple

Answer: A

Explanation: In a relational database data is stored in tables; a view exposes only selected columns and
rows of one or more tables, so granting users access to the view rather than to the base table implements
least privilege. A tuple is a row in a database table.
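The view as a least-privilege mechanism, as an added Python/SQLite example that is not from the question bank; the employees table, the v_staff_directory view and the rows are constructed. SQLite has no GRANT statement, so the example uses the engine's authorizer hook (sqlite3.Connection.set_authorizer) to stand in for a DBMS privilege system: reads of the base table are permitted only when they arrive through the view, and ad-hoc writes to the base table are refused, which is also the direct system-level access risk of question 124 above.

```python
import sqlite3

VIEW_NAME = "v_staff_directory"   # constructed view name

# Constructed sample table; salary is the column application users must not see.
SETUP = """
CREATE TABLE employees (
    emp_id INTEGER PRIMARY KEY,
    name   TEXT NOT NULL,
    dept   TEXT NOT NULL,
    salary REAL NOT NULL
);
INSERT INTO employees VALUES (1, 'alice', 'finance', 91000.0);
INSERT INTO employees VALUES (2, 'bob',   'it',      78000.0);
CREATE VIEW v_staff_directory AS
    SELECT emp_id, name, dept FROM employees;
"""


def least_privilege_authorizer(action, arg1, arg2, dbname, source):
    """SQLite calls this for every table/column access while compiling a statement.

    `source` is the view (or trigger) through which the access happens, or None
    for direct top-level SQL.  Reads of employees are allowed only via the view;
    writes to employees from ad-hoc SQL are refused outright.
    """
    if arg1 == "employees":
        if action == sqlite3.SQLITE_READ:
            return sqlite3.SQLITE_OK if source == VIEW_NAME else sqlite3.SQLITE_DENY
        if action in (sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE):
            return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def open_restricted_db() -> sqlite3.Connection:
    """Build the schema first, then switch the restrictions on for everything that follows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP)
    conn.set_authorizer(least_privilege_authorizer)
    return conn


def run(conn: sqlite3.Connection, sql: str):
    """Return the result rows, or the engine's refusal message as a string."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        return str(exc)
```

In a production DBMS the same shape is expressed as GRANT SELECT ON v_staff_directory TO app_role with no privilege on employees; the auditor checks that no application account holds a direct privilege on the base table, because a direct privilege makes the view decorative rather than a control.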

132. The CISA is asked to audit a large Human Resource Management system as part of the
post-implementation review. What would be its first step?
A. review access control configuration
B. Review integration testing
C. Review requirements documentation
D. Review user acceptance testing

Answer: A

Explanation: Reviewing access control configuration would be the first step done to decide whether
security has been mapped appropriately in the system. Since a post-implementation review is
completed after user acceptance testing and actual implementation, one would not engage in reviews
of integration testing or requirements.

133. During a formal review of development of a critical software system, the review team
found the shadow organization or two groups performing similar tasks of requirements,
specification, and design under different departments. What observation and comments can
the review team attribute among the following?
A. Twice the support coverage
B. A relationship of trust and proper delegation of authority
C. Executive mistrust or failure to integrate
D. Sponsor ensuring success

Answer: C

Explanation: Shadow organizations indicate an integration failure caused by executive mistrust or
conflict. The result is duplicated effort at high cost and unclear accountability for the requirements,
specification and design of the system.

134. A CISA is reviewing a simulation software development project during the systems
testing phase. Several changes are being made constantly as a result of the tests. What would
the CISA look for in terms of test methods?
A. Interfaces with other applications
B. The entire software development system including interfaces
C. All development projects interfacing with this project
D. Critical modules only of this project

Answer: B

Explanation: Whenever a software development project is modified, the entire software system
including interfaces to other applications or systems should be tested to determine the full impact of the
change.

135. An IS auditor has been asked as a primary audit objective to review the software
development hand offs to production environment as many unauthorized development
changes of earlier versions are being put into production creating bugs and errors. Which
control would the auditor look for in preventing these unauthorized changes?
A. Comparison of released source code with production code
B. Change impact requests and logs
C. Check in and check out of source code and object code
D. Date and time-stamp review of development baseline and production code

Answer: D

Explanation: Date and time-stamp reviews of latest development baseline and production code would
ensure the latest approved source code matches the production object code. This is the most effective
way to ensure the approved production code is the one to be used.
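An added Python example (not from the question bank) of the baseline-versus-production comparison the explanation describes; the two directory trees, their file names and contents are constructed in a temporary directory. It goes one step beyond the time-stamp review: each file's modification time is compared with the approved baseline and its SHA-256 digest is compared as well, so an unapproved edit is reported even if someone has reset the timestamp to match.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path


def manifest(root: Path) -> dict[str, tuple[str, float]]:
    """Map relative path -> (sha256 hex digest, modification time) for every file under root."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = (digest, path.stat().st_mtime)
    return result


def compare_to_baseline(baseline: dict, production: dict) -> list[str]:
    """Report every production file that is not byte-for-byte the approved baseline."""
    findings = []
    for rel, (b_hash, b_mtime) in baseline.items():
        if rel not in production:
            findings.append(f"{rel}: missing from production")
            continue
        p_hash, p_mtime = production[rel]
        if p_hash != b_hash:
            findings.append(f"{rel}: content differs from approved baseline")
        elif p_mtime > b_mtime:
            # identical bytes but touched after the baseline: worth a question, not a defect
            findings.append(f"{rel}: timestamp newer than baseline")
    for rel in sorted(production.keys() - baseline.keys()):
        findings.append(f"{rel}: present in production but not in baseline")
    return sorted(findings)


def build_sample_trees() -> tuple[Path, Path]:
    """Constructed sample (not from the question bank): an approved baseline and a
    production copy carrying one unapproved edit and one file nobody released."""
    tmp = Path(tempfile.mkdtemp())
    baseline, production = tmp / "baseline", tmp / "production"
    released_at = time.time() - 3600          # both trees released an hour ago
    for tree in (baseline, production):
        (tree / "lib").mkdir(parents=True)
        (tree / "app.py").write_text("print('release 1.4')\n")
        (tree / "lib" / "util.py").write_text("def f():\n    return 1\n")
        for f in (tree / "app.py", tree / "lib" / "util.py"):
            os.utime(f, (released_at, released_at))
    # a developer patched production directly after the release
    (production / "lib" / "util.py").write_text("def f():\n    return 2\n")
    (production / "hotfix.py").write_text("pass\n")
    return baseline, production


def audit_release() -> list[str]:
    baseline, production = build_sample_trees()
    return compare_to_baseline(manifest(baseline), manifest(production))
```

The baseline manifest should be captured at release time and stored outside the production host, since a manifest that lives beside the code can be regenerated by whoever made the unauthorized change.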

136. The implementation team along with the QA team of an organization is conducting a
pre-mortem risk analysis of the software package which is a critical software system. Which of
the following could be the highest risk?
A. Multiple software versions
B. Latest version of package not available
C. Incorrect parameters
D. Software package bugs and errors

Answer: C

Explanation: Parameters that are not set properly would be the highest risk when implementing an
application software package as the system would have improper controls with incorrect parameter
settings.

137. The Architecture team has decided the development team use an object oriented
technology for software development of a new system. They believe security would also be
enhanced by the feature. Which of these is an object-oriented technology characteristic that
permits an enhanced degree of security over data?
A. Inheritance
B. Dynamic warehousing
C. Encapsulation
D. Polymorphism

Answer: C

Explanation: Encapsulation is the object-oriented programming concept that binds together the data and
the functions that manipulate the data, keeping both safe from outside interference and misuse. It
prevents access to properties or methods of an object that have not been explicitly defined as public.

138. A software development organization has been facing repeated issues with multiple
versions of code without an understanding of latest versions. After a Root Cause Analysis study,
it has been decided to implement a Library control software. How would this help?
A. Restricts source code to read-only access
B. Restricts source code to write-only access
C. Full access
D. Provides read-write access

Answer: A

Explanation: Library control software restricts source code to read-only access.

139. A software development team have made several changes to their source code through
development. In which stage would regression testing be useful to determine whether new
application changes have introduced any errors?
A. Software development and change management
B. Feasibility study
C. Software Design
D. User acceptance testing

Answer: A

Explanation: Regression testing is used during program development and change management to
determine whether new changes have introduced any errors in the remaining unchanged code.

140. A software team that began with a schedule of 6 months and 10 team members finally
completed the project with 13 members over 11 months. The post-implementation audit has
provided an audit comment recommending the use of estimating techniques before starting the next phase.
Which of these is a reliable technique for estimating the scope and cost of a software development
project?
A. Function point analysis (FPA)
B. Critical path method (CPM)
C. GANTT
D. PERT
Answer: A

Explanation: Function point analysis (FPA), as defined by the IFPUG group, is considered a reliable technique for
estimating the scope and cost of a software development project and is used across many organizations.

141. The purpose for establishing a stop or freezing point on the design of a new
system is to:

A. ensure duplication of requirements does not occur

B. ensure that project is not delayed

C. ensure that changes after that point be evaluated for cost-effectiveness.

D. provide control over the project design.

The correct answer is C.

Project scope tends to grow, especially during the requirements definition phase, so that the
originally anticipated cost-benefits are reduced. Hence, the design must be stopped or frozen
to allow for an appraisal of all of the cost-benefits and the payback period.

142. The MAJOR advantage of a component-based development approach is:

A. manage disparate data types

B. manage multi-tier architecture

C. linking disparate software

D. support of multiple development environments

The correct answer is D.

Components written in one technology interact with components written in other technologies
or systems, thereby increasing the speed of development. The other choices are not benefits of
component-based development.

143. Which of the following processes will be MOST effective in reducing the risk that
unauthorized software on a backup server is distributed to the production server?

A. Keep backups in a secure place

B. Review changes in the software version control system

C. Ensure that access to the backup server is restricted

D. Maintain access control logs

The correct answer is B.

Software changes are tracked and controlled using version control software, which the auditor can
review to identify the software that was put into production. The other choices would
not facilitate this.

144. An IS auditor finds that user acceptance testing of a new application is being
disturbed as defect fixes are implemented by the project team. Which of the following
would be the BEST recommendation for an IS auditor to make?

A. Use a different user acceptance environment

B. Ensure coders are not fixing defects during user testing

C. Implement a configuration control tool

D. Halt testing until system is fully developed

The correct answer is A.

A distinct development environment is normally required to ensure the integrity of production
code. It is important that the development and testing codes be kept distinct.

145. Which of the following should an IS auditor endorse for the defense of specific
sensitive information stored in the data warehouse?

A. Implement column-level and row-level permissions

B. Limited user access control rights to data warehouse

C. Limited systems that are integrated to the data warehouse

D. Limited reports to be generated for top management only

The correct answer is A.

Option A explicitly addresses the question of sensitive data by controlling what information
users can access through column-level security that prevents users from seeing one or more
aspects on a table and row-level security to ensure that a certain grouping of information on a
table is constrained.

146. An IS auditor needs to review the procedures used to restore a software
application to its state prior to an upgrade. Therefore, the auditor needs to assess:

A. problem management procedures

B. software development procedures

C. fallback procedures

D. incident management procedures

The correct answer is C.

Fallback procedures are used to restore a system to a previous state and are an important
element of the change control process. The other choices are not related to the change control
process—a process which specifies what procedures should be followed when software is being
upgraded.

147. When conducting a penetration test of an IT system, an organization should be
MOST concerned with:

A. the confidentiality of the report

B. finding defects in the system

C. restoring all systems to the original state

D. checking access controls and logs

The correct answer is C.

All systems must be restored to their original state, and information that is created and/or
stored on the tested systems should be removed from these systems.

148. Management observed that the initial phase of a multiphase implementation was behind
schedule and over budget. Prior to commencing with the next phase, an IS auditor's
PRIMARY suggestion for a post implementation focus should be to:

A. assess whether the planned cost benefits are being measured, analyzed and reported

B. review control balances and verify that the system is processing data accurately

C. review subsequent program change requests for the first phase

D. determine whether the system's objectives were achieved

The correct answer is C.

Since management is aware that the project had problems, reviewing the subsequent fixes will
provide insight into the types and potential causes of the project issues. This will help to
identify whether IT has adequately planned for those issues in the subsequent phases. While all
choices are valid, the post implementation focus and primary objective should be assuring that
the issues of the initial phase are addressed.

149. Which of the following is a dynamic analysis tool for the purpose of testing software
modules?

A. Black-box test

B. Load and stress testing

C. Regression testing

D. White-box testing

The correct answer is A.

A black-box test is a dynamic analysis tool for testing software modules: the application is
exercised as a single entity consisting of numerous modules, using the user data that flows
across those modules.

150. Which is the MOST significant control that the IS auditor should look for to ensure system
availability while appraising the effectiveness of the organization's change management
process?

A. That a proper configuration management control tool exists

B. That system capacity is adequate

C. That test plans and procedures exist and are closely followed

D. That systems have enough surplus capacity

The correct answer is C.

The most important control for ensuring system availability is to implement a comprehensive
set of testing plans and procedures which are regularly followed.

--------------------------------------------------------------------------------------------------------------------------
CISA DOMAIN 4
1. What type of metrics or measurement for IT services would be the most ideal type in
terms of optimum management?
A. External
B. Service
C. Internal
D. Performance

ANSWER: A

Explanation: External measurements report how the customer would review the delivery of IT
services. Performance and service metrics report on the external view of system availability,
capacity management, turnaround time to resolve problems, and so on. Metrics should reveal
the IT requirements of end users, not only internal metrics.

2. To facilitate a remote Internet user secure access into the network, which of the below
creates an encrypted communication tunnel across the Internet?

A. Dedicated line
B. Virtual private network
C. Tokens
D. Certificate authority

ANSWER: B

Explanation: The virtual private network (VPN) encrypts the user’s communication, provides
confidentiality and integrity of communications and ensures safe communication across the
Internet.

3. The IS team is building IS control objectives for an organization. Which of the below
would not be included?
A. Disaster recovery plan
B. Asset Data Owners and Register
C. Business Continuity plan
D. IS individual system threats

ANSWER: D

Explanation: IS control objectives protect the organization from loss due to IS control failures.
Individual system threats are not control objectives; they are identified and assessed as part of
risk management.

4. There are several types of intrusion detection prevention systems (IDPS). Which of the
below are the two most common?
A. VPN and Internet
B. Network and host
C. Forensic and analytical
D. Detective and predictive

ANSWER: B

Explanation: Intrusion detection systems are commonly implemented either on the network, to
observe traffic travelling over a specific communications link, or on a particular host, to
observe traffic involving that host.

5. After a disaster, it is imperative for the organizational members to not only move to the
BCP site but also stay behind at the recovery site to monitor recovery operations. Who are
these members?
A. Top management
B. BCP team
C. Administration team
D. Emergency management team members

ANSWER: D

Explanation: The employees who are designated as the recovery team, including its leaders, shift
supervisors and operators, work to continue operations until recovery is fully complete.

6. An organization with a large number of suppliers wants to have online updates of
material supply. Therefore, it wishes to provide limited network access to its suppliers.
Which of these options would be chosen?
A. Extranet
B. Dedicated line
C. Internet
D. Intranet

ANSWER: A

Explanation: When limited access to corporate systems and networks is required, an extranet
can be used, which isolates the internal systems from that access. An intranet refers to the internal
network.

7. An organization wants to connect its workstations across all departments. Which of
these choices would the IT team consider the best choice?
A. Fiber optics
B. Unshielded Twisted Pair
C. Shielded Twisted Pair
D. Coaxial cable

ANSWER: B

Explanation: The unshielded twisted-pair known as UTP would be the best choice. Shielded
twisted-pair is usually used in an area prone to electronic noise where it would be more
resistant. Coaxial cables are defunct for connecting workstations. Currently, fiber optics are
commonly used to connect servers.

8. During data backup, which of the below would require special handling?
A. System files
B. Library files
C. Application Files
D. Database files

ANSWER: D

Explanation: Special backup procedures must be followed to ensure data integrity of database
files which could be open. Typically, users must exit out of the database prior to backup.
Otherwise, files are copied to a shadow database or second system where backups are
executed without conflict.

9. Which protocol is considered the Internet backbone and is a routable protocol?

A. IP
B. NetBIOS
C. OSI model
D. TCP

ANSWER: A

Explanation: IP, or Internet Protocol, is considered the Internet backbone, being the major routable
protocol. TCP is typically layered on top of IP and results in reliable sessions. The NetBIOS
protocol from Microsoft is not suited to routing, as it is a broadcast technique based on layer
2 technology, while the OSI model is used to understand the layers in network communications.

10. Mandatory Access Controls (MAC) use labels. What happens when the label processing
is bypassed?
A. Override MAC security
B. Overcome RAS security
C. Resist RBAC security
D. Implement DAC security

ANSWER: A

Explanation: A mandatory access control (MAC) system uses labels to enforce security policies.
Bypassing label processing would imply that the security controls of mandatory access control
(MAC) are overridden.

11. Governance needs to be measurable and derive metrics to understand the degree of
success and possible improvements. Which metric below is commonly used as a
historical score?
A. RAG indicators
B. Key performance indicator
C. Balanced scorecard
D. Risk Heat Map

ANSWER: B

Explanation: The key performance indicator (KPI) is generated as a historical score
using quantifiable measurements and indicates performance over time periods, typically
every quarter in a year.

12. To ensure controls are in place and used by the designated personnel, authentication is
a must. Two-factor authentication is commonly used by organizations. Which of the
below could refer to this type of authentication?
A. SSL
B. Biometrics
C. User ID and VPN token
D. User ID and unique characteristic

ANSWER: D

Explanation: SSL or single sign in refers to a single id or password. Two-factor authentication
typically implies the user must provide both a password and a unique characteristic such as an ID
card or a physical biometric feature.

13. Management is ultimately responsible for putting in place appropriate and proper
internal controls. This includes ensuring that the right personnel gain physical and logical access.
Which of the below methods is used to ascertain the user’s identity?
A. Verification
B. Authentication
C. Scanning
D. Reference mapping

ANSWER: B

Explanation: Authentication compares the user’s claim to a known reference in a single search
and is therefore the best method to determine the user’s identity.

14. There are various forms and types of communication protocols and methods. Which of
these is charged not by the message size but by the number of data packets sent?
A. Dedicated line
B. TCP/IP
C. Packet switching
D. DSL

ANSWER: C

Explanation: The communication method that transmits data via different paths and is charged
by the number of packets sent, not by the size of the message or the distance traversed, is
called packet switching.

15. Communication lines are imperative in an IS organization and they should be available
all the time if possible. What are the issues regarding communication lines that are
permanently switched on?
A. Cost of operation probably is higher
B. There is an increased risk of system attack
C. Controls are required to prevent accidentally disabling the service
D. An investment in special communication hardware is required

ANSWER: B

Explanation: Systems that are always on will be more likely to suffer malicious attack. Standard
telephone circuits are turned off when not in use, which limits the window of opportunity for
an attacker. Communication lines that are always on provide 24-hour opportunity for the
attacker. Examples of “always on” services include DSL, T-1 leased lines, primary rate ISDN,
frame relay, and ATM.

16. Which type of network device directs data packet transmission through the Internet?
A. Hub
B. Router
C. Repeater
D. Modem

ANSWER: B

Explanation: The function of the router is to route data packets throughout the network by
using the routing path designated by the network administrator. A router may use dynamic
routing software to ease the administrator burden. Static software routes are the safest to use.
Dynamic routes may be automatically updated by other network devices. Dynamic routing can
pose a security risk if the source of the routing update is not known and trusted.

17. At which layer of the OSI model does a gateway operate?

A. Networking
B. Session
C. Presentation
D. Application

ANSWER: D

Explanation: The gateway is an application running on OSI layer 7. The function of a gateway is
to solve the problem related to the formatting of data. A computer program running on layer 7
will extract the data in its original format, and then reformat the data and transmit it to the
new system.

18. What do the initials of the older terminology IPF represent?

A. Independent provider form
B. Internal processing facility
C. Information processing facility
D. Information-only policy for distribution

ANSWER: C

Explanation: The term IPF refers to an information processing facility, which is a synonym for a
datacenter.

19. Who is formally assigned, trained, equipped with appropriate tools, and ready to
drop anything they might be doing whenever they are called?
A. Incident responder
B. IT governance manager
C. System developer
D. Decision support analyst

ANSWER: A

Explanation: An incident response team requires properly trained people to be available
24/7 to respond to any incident that may occur. A formally designated incident response team
(IRT) ensures the right people with expertise look into the problem.

20. Which is not an acceptable method of disposal for magnetic media?

A. Reformatting
B. Overwriting
C. Physical destruction
D. Electrical degaussing

ANSWER: A

Explanation: Reformatting and deleting files does not remove the contents from the drive; it
simply marks the space occupied by the files as eligible for overwriting. A disk wiping
(overwriting) utility should be used if the disk will be reused. Physical destruction and electrical
degaussing will also remove the data.

21. Which of the following is true concerning the roles of data owner, data user, and data
custodian?
A. The data user implements controls as necessary
B. The data custodian is responsible for specifying acceptable usage
C. The data owner specifies controls
D. The data custodian specifies security classification

ANSWER: C

Explanation: The data owner specifies controls, is responsible for acceptable use, and appoints
the data custodian. The data users will comply with acceptable use and report violations. The
data custodian will protect information and ensure its availability. The custodian will also
provide support to the users.

22. Which encryption key is not needed by the recipient to decrypt a message when using
public key infrastructure (PKI)?
A. Sender’s public key
B. Receiver’s public key
C. Sender’s private key
D. Receiver’s private key
ANSWER: C

Explanation: The sender’s private key is never used by the recipient. Only three of the four keys
are ever used on each end to encrypt and decrypt messages. Private keys remain absolutely
secret. The PKI algorithm is designed to allow the public key to unlock (decrypt) files that were
encrypted using the sender’s private key.

23. Which of the following is provided by digital signatures?

A. File encryption using the sender’s public key
B. Sender identity with nonrepudiation
C. File confidentiality using encryption
D. Sender identity without nonrepudiation

ANSWER: B

Explanation: Digital signatures provide an assurance of the sender’s identity with
nonrepudiation. The digital signature is created by using the sender’s private key to encrypt the
file hash value. The recipient tests the digital signature integrity by using the sender’s public key
to decrypt the hash file. The sender’s public key is freely available and mathematically related
to the private key.

24. The recovery point objective (RPO) is based on which of the following?
A. Acceptable time during which the recovery of operations must be completed
B. Time allowed for developing the business continuity plan
C. The point in time prior to the outage at which data will be recovered
D. The minimum time required to restore operations

ANSWER: C

Explanation: A typical recovery point objective (RPO) is to fall back to the last set of good
backup tapes. Unfortunately, any work since the last backup would be lost, including work in
progress. High-availability systems and remote electronic vaulting of data files can shorten the
recovery time.

25. When auditing to determine the IT operational capability, which of the following would
be the best evidence of whether adequate recovery and restart procedures exist?
A. Reviewing program documentation
B. Interviewing support personnel
C. Reviewing operations documentation
D. Checking the system configuration

ANSWER: C
Explanation: The presence of up-to-date recovery and restart procedures is an excellent source
of evidence. If the opportunity is available, it would be a good idea to observe the support
personnel using the procedure effectively. The auditor may inquire when the last time the
procedure was tested or used. The lack of documentation is a control failure.

26. Which of the following represents the weakest type of authentication?

A. User ID and password
B. Biometrics
C. Token-based access control
D. Voice-print analysis

ANSWER: A

Explanation: The user ID and password is the weakest type of authentication. The password
simply indicates that somebody typed the characters on the screen during login. It does not
provide an assurance about that individual.

27. In which of the below stages is user involvement most vital in the business continuity
planning?
A. Strategy selection
B. Risk analysis
C. Plan development
D. Business impact analysis

ANSWER: D

Explanation: Detailed information is collected during the business impact analysis (BIA) and
used to define the available time windows, the most critical resources, and alternatives. This
information provides an invaluable set of specifications for the strategy to fit. It would be
impossible to calculate an effective strategy without the in-depth data provided by a current
business impact analysis. Without the BIA, the best you can hope for is a disaster rebuilding
plan for the servers or the building. Without a BIA, the IT recovery plan will ultimately fail to
meet the organization’s needs.

28. Which of the following is a common form of data backup that uses the archive bit to
copy only the files that have changed since the last backup?
A. Multilevel
B. Incremental
C. Differential
D. RAID level 4
ANSWER: B

Explanation: The archive bit is a type of electronic flag to indicate which files have changed and
should be in the next backup. An archive bit value of 0 = no backup, and a value of 1 = backup
required. An incremental backup will read the archive bit to copy only those files that have
changed since the last backup (archive bit value = 1), regardless of whether the backup was a
full backup or an incremental backup. The incremental backup utility will reset the archive bit
(to 0) so that another incremental backup will not copy the same file. A differential backup will
copy every file that changed since the full backup was run (bit value = 1), never changing the
archive bit (bit value remains 1). This makes the backup run longer each time and provides
more copies of the data on backup tape. More is better in case a restore tape fails to work.
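The archive-bit behaviour described above, simulated as an added example (this code is not part of the question bank): an incremental backup copies flagged files and clears the bit, a differential backup copies the same files but leaves the bit set, so each strategy needs a different set of tapes at restore time. The file names and contents are constructed sample data.

```python
"""Archive-bit backup simulation (added example, not from the question bank).

A file's archive bit is 1 when it has changed since it was last backed up.
Incremental: copy files with bit = 1, then reset the bit to 0.
Differential: copy files with bit = 1, leave the bit untouched.
Full: copy everything and reset every bit.
"""
from dataclasses import dataclass, field


@dataclass
class File:
    name: str
    content: str
    archive_bit: int = 1  # a newly created or modified file is flagged for backup


@dataclass
class BackupSet:
    kind: str                                  # "full", "incremental" or "differential"
    files: dict = field(default_factory=dict)  # name -> content captured on this tape


class Volume:
    def __init__(self, files):
        self.files = {f.name: f for f in files}

    def modify(self, name, content):
        """Writing a file sets its archive bit, as the file system would."""
        f = self.files[name]
        f.content = content
        f.archive_bit = 1

    def full_backup(self):
        snap = BackupSet("full", {n: f.content for n, f in self.files.items()})
        for f in self.files.values():
            f.archive_bit = 0
        return snap

    def incremental_backup(self):
        changed = {n: f.content for n, f in self.files.items() if f.archive_bit == 1}
        for f in self.files.values():
            f.archive_bit = 0  # reset so the next incremental skips these files
        return BackupSet("incremental", changed)

    def differential_backup(self):
        changed = {n: f.content for n, f in self.files.items() if f.archive_bit == 1}
        # Archive bits are deliberately left at 1: each differential grows until the next full.
        return BackupSet("differential", changed)


def restore(full, later_sets):
    """Rebuild the volume from a full backup plus later sets, applied in order."""
    state = dict(full.files)
    for s in later_sets:
        state.update(s.files)
    return state


def run_week():
    """Full backup, then three days of changes backed up both ways side by side.

    Returns how many files each strategy copied on day 3 and what each restores,
    showing the trade-off: incrementals are small but all of them are needed,
    a differential grows but only the latest one is needed.
    """
    sample = lambda: [File("payroll.db", "v0"), File("ledger.csv", "v0"), File("notes.txt", "v0")]
    vol_inc, vol_diff = Volume(sample()), Volume(sample())  # constructed sample volumes
    full_inc, full_diff = vol_inc.full_backup(), vol_diff.full_backup()

    inc_sets, diff_sets = [], []
    changes = [("payroll.db", "v1"), ("ledger.csv", "v1"), ("payroll.db", "v2")]
    for change in changes:
        for vol in (vol_inc, vol_diff):
            vol.modify(*change)
        inc_sets.append(vol_inc.incremental_backup())
        diff_sets.append(vol_diff.differential_backup())

    return {
        "day3_incremental_files": len(inc_sets[-1].files),    # only payroll.db
        "day3_differential_files": len(diff_sets[-1].files),  # payroll.db and ledger.csv
        "restore_incremental": restore(full_inc, inc_sets),          # full + every incremental
        "restore_differential": restore(full_diff, [diff_sets[-1]]),  # full + latest differential
    }


if __name__ == "__main__":
    for key, value in run_week().items():
        print(key, value)
```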

29. What is the principal issue regarding the use of biometrics?

A. Implementation cost
B. User acceptance
C. Enrollment process
D. System accuracy

ANSWER: B

Explanation: User acceptance is the primary obstacle to the widespread use of biometrics. Some
individuals regard the use of biometrics as an invasion of privacy or express health concerns
related to using the system.

30. Which of the following best defines the failure of a biometric system to keep out
unwanted intruders?
A. Equal error rate (EER)
B. Type 2 error (FAR)
C. Type 1 error (FRR)
D. Crossover error rate (CER)

ANSWER: B

Explanation: The type 2 error refers to a false acceptance, which allows an unwanted intruder
to gain access to the system. A type 1 error rejects authorized users.
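How the type 1 and type 2 error rates of a biometric system trade off against the match threshold, as an added example (not part of the question bank): the match scores for genuine users and impostors below are constructed sample data, and the sweep shows the crossover point where FAR equals FRR.

```python
"""Biometric error rates (added example, not from the question bank).

FAR (type 2, false acceptance): impostors whose match score reaches the threshold get in.
FRR (type 1, false rejection): genuine users whose score falls below the threshold are kept out.
Raising the threshold lowers FAR and raises FRR; the crossover (CER/EER) is where they meet.
"""

# Constructed sample match scores in [0, 1]; higher means a closer match to the enrolled template.
GENUINE_SCORES = [0.92, 0.88, 0.81, 0.77, 0.70, 0.65, 0.60, 0.55]
IMPOSTOR_SCORES = [0.20, 0.30, 0.40, 0.50, 0.58, 0.63, 0.72, 0.85]


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) for a given acceptance threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)  # type 2: intruder accepted
    frr = sum(s < threshold for s in genuine) / len(genuine)     # type 1: legitimate user rejected
    return far, frr


def sweep(genuine, impostor, steps=20):
    """Evaluate FAR and FRR at each threshold i/steps, i = 0..steps."""
    return [(i / steps, *error_rates(genuine, impostor, i / steps)) for i in range(steps + 1)]


def crossover(genuine, impostor, steps=20):
    """Threshold where |FAR - FRR| is smallest: the crossover error rate (CER)."""
    best = min(sweep(genuine, impostor, steps), key=lambda row: abs(row[1] - row[2]))
    return {"threshold": best[0], "far": best[1], "frr": best[2]}


def threshold_for_max_far(genuine, impostor, max_far, steps=20):
    """Lowest threshold whose FAR does not exceed the policy limit, with the FRR cost it implies.

    Tightening FAR (keeping intruders out) is what a security reviewer asks for; the
    returned FRR shows the usability price paid by legitimate users.
    """
    for threshold, far, frr in sweep(genuine, impostor, steps):
        if far <= max_far:
            return {"threshold": threshold, "far": far, "frr": frr}
    return None


if __name__ == "__main__":
    print("crossover:", crossover(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("FAR <= 12.5%:", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.125))
```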

31. Which type of system attack is normally not visible to network monitoring systems?
A. Active
B. Brute force
C. Passive
D. Snipe
ANSWER: C

Explanation: Passive attacks are designed to collect data without being detected. Passive
attacks include eavesdropping to collect data by listening to the communication between
network devices. The results of passive attacks are used to launch an active attack.

32. This address is manufactured or burned into network equipment and is totally unique.
A. Domain name
B. IP
C. Street address
D. MAC

ANSWER: D

Explanation: The 48-bit MAC address is a serial number manufactured into network equipment.
Its purpose is to ensure the machine is unique on the network. It is possible to override the
MAC address by setting a locally defined MAC address. Locally defined addresses are used to
facilitate parts replacement in higher-security environments that use the MAC address as part
of the security settings.

33. Terminal emulation software is useful for which of the following?

A. Updating a database
B. Simulating an aircraft flight
C. Accessing a network device
D. Configuring a server or network device through a serial port

ANSWER: D

Explanation: Terminal emulation software provides a command-line screen to access a serial
port and is often used to configure network devices. The command line offers the highest level
of access when compared to menus and restricted user interfaces. The command line allows
the use of special command arguments that can change the system behavior.

34. What does the term multiprocessing refer to?

A. Multiple people
B. Multiple computers
C. Multiple CPUs
D. Multiple programs

ANSWER: C
Explanation: The computer contains multiple central processing units (CPUs) that make the
computer capable of running different jobs at the same time. Multiple people on the computer
refers to a multiuser system.

35. Which of the following choices represents the best description of a proxy firewall?
A. Packet filter
B. Intrusion detection
C. Circuit level
D. Sixth generation

ANSWER: C

Explanation: The proxy firewall is designed to execute a request on behalf of the user without
granting direct access. The proxy runs on the firewall. A proxy selectively filters and relays
service requests between the internal and external networks. There is no direct connection
between the internal and external network, other than the proxy software program.

36. Which among these is the primary purpose of a business continuity plan?
A. Protect upper management from possible criminal prosecution
B. Ensure that information systems data is safely stored offsite and readily accessible in
crisis situations
C. Reduce the risk from unexpected disruption of critical functions and operations
D. Provide hot sites or other reasonable locations to continue information systems
operations

ANSWER: C

Explanation: The goal of business continuity planning is to ensure that critical functions are not
interrupted or they can be resumed in the shortest possible time frame. It is not necessary for
all systems to be recovered immediately. Efforts should be focused on core systems that
generate revenue.

37. What is the IPsec mode that hides the network address?

A. Transport
B. Encrypted security payload
C. Tunnel
D. VPN

ANSWER: C

Explanation: The IPsec tunnel mode will hide the network address and route the packet by
using the address of the ISP.

38. Which mode of IPsec encrypts both the network IP address and the data payload?
A. Encapsulated header
B. Transport
C. Security payload
D. Tunnel

ANSWER: D

Explanation: The IPsec tunnel mode encrypts the network IP address and encrypts the data. The
sending and receiving network address is hidden inside a data packet that displays the sending
and receiving address of an ISP. For example, our corporate sender and receiver would be
hidden inside a data transmission across the AT&T network. The data transmission would show
only the AT&T network addresses of our border routers. The purpose of tunnel mode is to hide
the existence of the transmission.

39. At which layer of the OSI model does the network routing occur?
A. Layer 2
B. Layer 3
C. Layer 4
D. Layer 5

ANSWER: B

Explanation: All network routing occurs in OSI layer 3. Layer 3 provides network addressing and
uses static or dynamic routing protocols to forward packets to their intended destination.
Network firewalls are implemented at OSI layer 3.

40. Which of the following is used to create a digital signature?

A. Symmetric key
B. Public key
C. Private key
D. Digital certificate

ANSWER: C

Explanation: The sender uses their private key to encrypt a message digest (file hash). The
encrypted message digest becomes a digital signature that can be verified by decrypting it with
the sender’s public key.

41. Which of the following is not a virtual private network (VPN) technology?
A. Secure Sockets Layer
B. IPsec
C. Secure Shell
D. Remote authentication server

ANSWER: D

Explanation: The remote authentication server is used to authenticate if the user is genuine. It
does not provide the encryption necessary for a virtual private network. The other three
options are valid VPN methods.

42. Which of the following is an acceptable suppression medium for use in a fire-control
system?
A. Halon
B. FM-200
C. FR-XS-III
D. Nitrogen

ANSWER: B

Explanation: Halon gas is now banned because of its damaging effects to the earth’s ozone.
Special exceptions exist for the use of halon in aircraft to extinguish fires during flight.
Acceptable replacements for halon gas in computer rooms include FM-200 and NAF-S-3. The
other two choices are distracters that are not acceptable for fire suppression.

43. Which of the following communications methods charges only for the data transmitted,
not the distance covered?
A. Packet-switched
B. Circuit-switched
C. Session-switched
D. Data-switched

ANSWER: A

Explanation: Packet-switched data transmissions are charged only for the data transmitted, not
the distance covered. Circuit-switched transmissions are charged by the distance covered. The
other two options are simply distracters.

44. What is the principal issue regarding symmetric-key encryption?

A. Time sensitivity
B. Crypto system variable
C. Work factor
D. Key distribution
ANSWER: D

Explanation: The primary issue is the difficulty of distributing a shared secret key without
exposing it to an outsider. Symmetric-key systems use the exact same key at both ends. A
compromise of the key will compromise data in the entire encryption system.

45. Which of these best ensures permanency of a wide area network (WAN) across the
organization?
A. Built-in alternative routing
B. Ensure daily backup of the entire system
C. A service provider providing a WAN with stringent SLA
D. Have all the servers continuously mirrored

ANSWER: A

Explanation: Alternative routing ensures the network continues when a server loses connection, or if a link is
disconnected, as the message rerouting can be made automatic.

46. Which of these is caused by the line grabbing method?

A. Unauthorized data access
B. CPU memory getting overloaded
C. Memory outage
D. Systems in Wait state

ANSWER: A

Explanation: Line grabbing enables eavesdropping and allows unauthorized data access.

47. Which among these minimizes the risk of communication failures in an e-commerce
environment?
A. Encrypted and secure data
B. Successful delivery receipts
C. Firewall with packet filter
D. Leased asynchronous transfer mode lines

ANSWER: D
Explanation: Leased asynchronous transfer mode lines avoid using the public and shared infrastructures of
the carrier or the Internet service provider, which are subject to numerous communication failures.

48. An intensive simulated test of system recovery was carried out over an entire
business day and was successful, but the IS auditor is not convinced. Which of
these could be the reason?
A. system and IT operations team inability to sustain operations continuously
B. resources and systems handling transaction loads
C. system connectivity to the remote site
D. full business operations can be operated

ANSWER: A

Explanation: Since the applications were intensively operated, choices B, C and D have actually been tested,
but the capability of the IT operations team to sustain and support this environment has not been
fully tested.

49. Which of the following is a type of data transmission often used with Internet video
signals?
A. Unicasting
B. Broadcasting
C. Multicasting
D. Pinging

ANSWER: C

Explanation: Multicasting is used to transmit packets to multiple systems simultaneously and is
often used with video. Unicasting is transmitting packets to only a single destination system.

50. An IS auditor reviewing the operating system integrity of a server would PRIMARILY:
A. verify that user programs do not invoke privileged programs and services
B. determine whether administrator accounts have proper password controls
C. ensure that file permissions are correct on configuration files
D. verify that programs or services running on the server are from valid sources

Answer: A

Explanation: If user-level programs can affect privileged programs or services, then changes to system parameters and
operating system (OS) integrity issues may ensue. Privilege escalation attacks happen when an
unauthorized user is able to perform privileged actions.

51. Which of the following RAID levels does not improve fault tolerance?
A. RAID level 0
B. RAID level 1
C. RAID level 2
D. RAID level 5

ANSWER: A

Explanation: RAID level 0 stripes data across several smaller disks to form one large logical drive,
but it adds no redundancy: the loss of any one disk loses the whole volume. RAID 0 is normally used
in combination with other levels to improve performance while keeping their redundancy. RAID 1
(full duplication across two sets of disks) gives the highest margin of safety. RAID 2 uses bit-level
striping with Hamming-code error correction. RAID 5 stripes data with distributed parity, tolerating
a single disk failure while using less raw disk space than mirroring.

52. Which of these is the most effective control over a guest wireless ID given to the vendor
staff?
A. Assignment of a renewable user ID which expires daily
B. A write-once log to monitor the vendor's activities on the system
C. Utilization of a user ID format similar to that used by employees
D. Ensuring that wireless network encryption is configured properly

ANSWER: A

Explanation: A renewable user ID that expires daily is a good control because it ensures that wireless
access cannot be used beyond the period for which it was authorized. Monitoring vendor activity while
vendor staff are on the system is recommended, but a write-once log is a detective control and
therefore not as strong as a preventive one. The user ID format does not change the security of the
connection. Wireless network encryption is important; however, controlling who can access the
network at all is the more critical issue.

53. Which of these would concern an IS auditor while performing an audit of a disaster
recovery plan (DRP)?
A. The DRP has not been tested
B. New team members have not read the DRP
C. The manager responsible for the DRP has resigned
D. The DRP manual is not updated regularly
ANSWER: A

Explanation: If the DRP has not been tested, it is very likely that the plan is incomplete or
inadequate. This is the auditor's primary concern, because the organization cannot assess whether
the plan is workable. If new team members are unfamiliar with the plan, the current members can
assist them. The loss of experienced personnel creates some issues, but if the plan has been proven
adequate, less experienced personnel should be able to perform the required functions in a
disaster. A DRP manual that is not updated regularly is a secondary concern.

54. A CISA is reviewing the firewall security of an organization that provides extranet
connectivity to its supply chain partners and customers. Which of the below would be a
primary concern?
A. SSL is implemented for user authentication and remote administration of the
firewall
B. Firewall policies do not reflect this connectivity to external parties
C. Traffic type and connections are designated with permission
D. The firewall is placed on top of the commercial operating system with all installation
options

ANSWER: D

Explanation: Installing the firewall on top of a commercial operating system with all installation
options leaves it exposed to the vulnerabilities of every unneeded OS component and service, which
undermines the security of the firewall; the underlying OS should be hardened to the minimum needed.
Using SSL for user authentication and remote administration of the firewall is a sound practice,
particularly because the roles and profiles of users and supply chain partners change dynamically.
Explicitly designating the permitted traffic types and connections is what the auditor expects to find.

55. Which of these are the responsibilities of a disaster recovery relocation team?
A. Checking recovery facility appropriateness for offsite storage
B. finding a recovery site and coordinating the travel arrangements of employees to
the recovery site
C. managing relocation and assessing damage to IS facilities and equipment
D. coordinating movement from hot site to new location or restored original location

ANSWER: D

Explanation: The disaster recovery relocation team primarily coordinates the move from the hot site
to a new location or to the restored original location. Evaluating the recovery facility, arranging
staff travel and assessing damage to IS facilities and equipment fall to other recovery teams.

56. During an IS audit, the IS auditor discovers that a wireless network is used within the
enterprise's headquarters. What is the FIRST thing the auditor should check?
A. The signal strength outside of the building
B. The configuration settings
C. The number of clients connected
D. The IP address allocation mechanism

ANSWER: B

Explanation: The IS auditor should first check the configuration settings to understand the current
network layout and connectivity, and then decide on that basis whether the security requirements
are adequate. Signal strength outside the building is not a concern if proper encryption and
security settings are in effect. The number of connected clients is not usually a major concern from
a security perspective. The IP address allocation mechanism is not, by itself, a security risk.

57. A CISA is auditing a proposed software acquisition. Which of the following should the
auditor confirm?
A. The operating system in use is compatible with various hardware platforms
B. OS updates are scheduled before the software to be acquired is implemented
C. The OS has the latest versions and updates
D. The software to be acquired is compatible with the current or planned OS

ANSWER: D

Explanation: While reviewing the acquisition, the auditor should confirm that the products to be
bought are compatible with the current or planned OS. The other choices concern the state of the OS
itself rather than the software being acquired.

58. Which disaster recovery technique is the MOST efficient way to determine the
effectiveness of a plan?
A. Preparedness tests
B. Paper tests
C. Full operational tests
D. Actual service disruption
ANSWER: A

Explanation: Preparedness tests simulate the environment in stages and can be repeated regularly at
relatively low cost and disruption, which makes them the most efficient way to measure the plan's
effectiveness; they also help the team prepare for a full operational test. Paper tests only walk
through the plan, full operational tests are costly and disruptive, and an actual service disruption
is not a test technique.

59. Which of the following is the GREATEST benefit to implementing open source software
(OSS)?
A. Reduction of the total cost of ownership (TCO)
B. Ability to more easily customize program source code
C. Mitigation of the risk of being locked into a single provider
D. Reduction of the effort of performing system upgrades

ANSWER: C

Explanation: An organization that decides not to rely on a single provider for a software solution
may adopt an open source software strategy, because OSS is available from multiple providers. Many
OSS products are free of charge, although there may be costs related to converting to OSS; generally
the overall TCO is still lower than with proprietary software, but the greatest benefit is avoiding
lock-in to one provider. Being able to customize source code is a benefit of OSS. The methods of
performing system upgrades are similar, so the effort is not significantly lower with OSS; OSS may
come with frequent upgrades, and it is up to the organization to decide whether each is necessary.

60. A security manager needs to develop a solution that allows his company's mobile
devices to be authenticated in a standardized and centralized manner using digital
certificates. The applications these mobile clients use require a TCP connection. Which
of the following is the best solution to implement?
A. SESAME using PKI
B. RADIUS using EAP
C. Diameter using EAP
D. RADIUS using TTLS

ANSWER: C

Explanation: Diameter was developed to build upon the functionality of RADIUS and to overcome many
of its limitations. It is an AAA protocol that provides the same type of functionality as RADIUS and
TACACS+ with more flexibility and capabilities, including working with EAP, which carries the
certificate-based authentication. Diameter runs over TCP or SCTP, whereas RADIUS runs over UDP and
does not deal well with remote access, IP mobility and policy control.

61. A security manager for a credit card processing organization uses internal DNS servers,
which are placed within the LAN, and external DNS servers, which are placed in the
DMZ. The company also relies upon DNS servers provided by their service provider. He
has found out that attackers have been able to manipulate several DNS server caches,
which point employee traffic to malicious websites. Which of the following best
describes the solution this company should implement?
A. IPSec
B. PKI
C. DNSSEC
D. MAC-based security

ANSWER: C

Explanation: DNSSEC (DNS Security Extensions, supported by most current DNS server software) adds
public-key digital signatures to DNS data, with a chain of trust anchored at the DNS root, so that a
resolving DNS server can validate the origin and integrity of a response and ensure that it has not
been spoofed. If DNSSEC were enabled on server A, then server A would, upon receiving a response,
validate the digital signature before accepting the data into its cache. So even if an attacker sent
a forged response to the DNS server, the server would discard it because the message would not carry
a valid signature. DNSSEC thus lets DNS servers accept only authenticated data and thwarts the
attacker's goal of poisoning the DNS cache.

62. Internet Protocol Security (IPSec) is actually a suite of protocols. Each protocol within
the suite provides different functionality. Which of the following is not a function or
characteristic of IPSec?
A. Encryption
B. Link layer protection
C. Authentication
D. Protection of packet payloads and the headers

ANSWER: B

Explanation: IPSec is a suite of protocols used to build VPNs with strong encryption and
authentication. It can work in two modes: tunnel mode (the whole original packet, payload and
headers, is protected) or transport mode (only the payload is protected). IPSec works at the
network layer, not the data link layer, so link layer protection is not one of its functions.

63. A typical PKI infrastructure would have which of the following transactions, in which order?
1. Receiver decrypts and obtains session key
2. Sender requests receiver's public key
3. Public key is sent from a public directory
4. Sender sends a session key encrypted with receiver's public key

A. 4, 3, 2, 1
B. 2, 1, 3, 4
C. 2, 3, 4, 1
D. 2, 4, 3, 1

ANSWER: C

Explanation: The sender first obtains the receiver's public key, either from the receiver or from a
public directory. The sender needs to protect the symmetric session key while it is in transit, so
she encrypts it with the receiver's public key. The receiver decrypts the session key with his
private key; the session key is then used to protect the bulk data.
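The sequence 2, 3, 4, 1 is hybrid encryption: asymmetric keys only ever protect a small session key, and a symmetric cipher does the bulk work. The block below is an added example for this section, not code from the exam material. It implements the four steps with textbook RSA over small freshly generated primes so that it runs on the Python standard library alone; the 256-bit modulus, the unpadded RSA and the SHA-256 counter keystream are teaching stand-ins, not what a real deployment uses (that would be 2048-bit or larger keys with OAEP and an authenticated cipher such as AES-GCM). The "public directory" is a dictionary assumed for the example.

```python
"""Hybrid (PKI-style) session key exchange: an added example that is not part
of the exam text. It walks through steps 2, 3, 4 and 1 of question 63.

Textbook RSA with small freshly generated primes is used so that everything
runs on the standard library alone; real deployments use 2048-bit or larger
keys with OAEP padding and an authenticated cipher such as AES-GCM. The
SHA-256 counter keystream below is only a toy stand-in for that cipher.
"""
import hashlib
import secrets


def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test (probabilistic, error < 4**-rounds)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    """Random prime with the top bit set so the modulus has the intended size."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits=256):
    """Return (public, private) as (n, e) and (n, d). Toy key size."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def wrap_session_key(session_key, receiver_public):
    """Step 4: the sender encrypts the symmetric session key with the receiver's public key."""
    n, e = receiver_public
    m = int.from_bytes(session_key, "big")
    if m >= n:
        raise ValueError("session key must be smaller than the modulus")
    return pow(m, e, n)


def unwrap_session_key(wrapped, receiver_private, key_len):
    """Step 1: the receiver decrypts with the private key and obtains the session key."""
    n, d = receiver_private
    return pow(wrapped, d, n).to_bytes(key_len, "big")


def stream_xor(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream (same call decrypts)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + (off // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def sender_side(message, receiver_public):
    """Steps 2-4: with the receiver's public key in hand, wrap a fresh session key and encrypt the bulk data."""
    session_key = secrets.token_bytes(16)
    return wrap_session_key(session_key, receiver_public), stream_xor(session_key, message)


def receiver_side(wrapped, ciphertext, receiver_private):
    """Step 1: unwrap the session key with the private key, then decrypt the bulk data."""
    session_key = unwrap_session_key(wrapped, receiver_private, 16)
    return stream_xor(session_key, ciphertext)


if __name__ == "__main__":
    public, private = generate_keypair()
    directory = {"receiver@example.test": public}  # hypothetical public directory (steps 2-3)
    wrapped, ciphertext = sender_side(b"wire USD 12,000 per PO 4471 (constructed)",
                                      directory["receiver@example.test"])
    print(receiver_side(wrapped, ciphertext, private))
```

Only the wrapped key and the ciphertext cross the wire; the private key never leaves the receiver, which is the property the ordering in the question depends on.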

64. Instead of managing and maintaining different types of security products and solutions,
the IT manager wants to purchase a product that combines many technologies into one
appliance. The product must provide centralized control, streamlined maintenance and
a reduction in stovepipe security solutions. Which of the following would best fit these
needs?
A. Dedicated appliance
B. Centralized hybrid firewall applications
C. Hybrid IDS\IPS integration
D. Unified threat management

ANSWER: D

Explanation: The list of security solutions a company runs includes, but is not limited to, firewalls,
antimalware, anti-spam, IDS/IPS, content filtering, data leak prevention, VPN capabilities,
continuous monitoring and reporting. Unified threat management (UTM) appliances provide all (or
many) of these functions in a single network appliance. The goals of UTM are simplicity, streamlined
installation and maintenance, centralized control, and the ability to understand a network's security
from a holistic point of view.

65. Why is it important to have a clearly defined incident-handling process in place?
A. To avoid dealing with a computer and network threat in an ad hoc, reactive, and
confusing manner
B. In order to provide a quick reaction to a threat so that a company can return to normal
operations as soon as possible
C. In order to provide a uniform approach with certain expectations of the results
D. All of the above

ANSWER: D

Explanation: A clearly defined incident-handling process is more cost-effective, enables recovery to
happen more quickly, and provides a uniform approach with certain expectations of the results.
Incident handling should be closely related to disaster recovery planning and should be part of the
company's disaster recovery plan.

66. An employee has received several e-mail messages from unknown sources that try to
entice her to click a specific link using a "Click Here" approach. Which of the following
best describes what is most likely taking place in this situation?
A. DNS pharming attack
B. Embedded hyperlink is obfuscated
C. Malware back-door installation
D. Bi-directional injection attack

ANSWER: B

Explanation: HTML documents and e-mails allow hyperlinks to be attached to or embedded in any
given text, such as the "Click Here" links commonly seen in e-mail messages and webpages. Attackers
misuse this to deceive unsuspecting users into clicking rogue links whose true destination is hidden
behind the visible text. The most common approach is known as URL hiding.

67. The network administrator of a large retail company has Ethernet-based distributed
networks throughout the northwest region of the United States and would like to move
to an Ethernet-based multipoint communication architecture that can run over their
service provider’s IP/MPLS network. Which of the following would be the best solution
for these requirements?
A. Metro-Ethernet
B. L2TP/IPSec
C. Virtual Private LAN Services
D. SONET

ANSWER: C
Explanation: Virtual Private LAN Service (VPLS) is a multipoint layer 2 virtual private network that
connects two or more customer sites using Ethernet bridging techniques. In other words, VPLS emulates
a LAN over a managed IP/MPLS network, providing Ethernet-based multipoint-to-multipoint communication
across the service provider's IP/MPLS core.

68. Which of the following multiplexing technologies analyzes statistics related to the
typical workload of each input device and makes real-time decisions on how much time
each device should be allocated for data transmission?
A. Time-division multiplexing
B. Wave-division multiplexing
C. Frequency-division multiplexing
D. Statistical time-division multiplexing

ANSWER: D
Explanation: Statistical time-division multiplexing (STDM) transmits several types of data
simultaneously across a single transmission line. STDM technologies analyze statistics
related to the typical workload of each input device and make real-time decisions on how
much time each device should be allocated for data transmission.

69. Which of the following best describes the difference between hierarchical storage
management (HSM) and storage area network (SAN) technologies?
A. HSM uses optical or tape jukeboxes, and SAN is a network of connected storage
systems.
B. SAN uses optical or tape jukeboxes, and HSM is a network of connected storage
systems.
C. HSM and SAN are one and the same. The difference is in the implementation.
D. HSM uses optical or tape jukeboxes, and SAN is a standard of how to develop and
implement this technology.

ANSWER: A

Explanation: Hierarchical storage management (HSM) provides continuous online backup functionality by
combining hard disk technology with cheaper and slower optical or tape jukeboxes, migrating data
between the tiers according to how often it is used. A storage area network (SAN) is made up of
several storage systems connected together to form a single storage network.

70. Which of the following is an XML-based protocol that defines the schema of how web
service communication takes place over HTTP transmissions?
A. Service-Oriented Protocol
B. Active X Protocol
C. Simple Object Access Protocol
D. JVEE

ANSWER: C
Explanation: SOAP is an XML-based protocol that encodes messages in a web service environment.
SOAP defines an XML schema, that is, a structure for how the communication will take place: the
schema dictates how the message envelope, header and body are formed so that objects can communicate
directly with one another over HTTP.

71. A company relies heavily on one specific operating system, which is used in the
employee workstations and is embedded within the devices that support the automated
production line software. It is discovered that the operating system has a vulnerability
that could allow an attacker to force applications not to release memory segments after
execution. Which of the following best describes the type of threat this vulnerability
introduces?
A. Injection attacks
B. Memory corruption
C. Denial of service
D. Software locking

ANSWER: C

Explanation: Attackers have identified programming errors in operating systems that allow
them to starve the system of its own memory. This means the attackers exploit a software
vulnerability that ensures that processes do not properly release their memory resources.
Memory is continually committed and not released, and the system is depleted of this resource
until it can no longer function. This is an example of a denial-of-service attack.

72. What is the purpose of the Logical Link Control (LLC) layer in the OSI model?
A. Provides a standard interface for the network layer protocol
B. Provides the framing functionality of the data link layer
C. Provides addressing of the packet during encapsulation
D. Provides the functionality of converting bits into electrical signals

ANSWER: A

Explanation: The data link layer has two sublayers: Logical Link Control (LLC) and Media Access
Control (MAC). The LLC provides a standard interface for whatever network layer protocol is being
used. This abstraction means the network protocol does not need to be programmed to communicate
with every possible MAC-level protocol (Ethernet, Token Ring, WLAN, FDDI, and so on).

73. Which of the following best describes why classless interdomain routing (CIDR) was
created?
A. To allow IPv6 traffic to tunnel through IPv4 networks
B. To allow IPSec to be integrated into IPv4 traffic
C. To allow an address class size to meet an organization’s need
D. To allow IPv6 to tunnel IPSec traffic

ANSWER: C

Explanation: A class B address range (65,534 hosts) is usually too large for most companies, and a
class C range (254 hosts) is too small. CIDR replaces the fixed class boundaries with a
variable-length prefix (for example 192.168.0.0/22), so an allocation can be sized to the
organization's need and contiguous blocks can be aggregated into a single route.
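The two things CIDR buys, right-sized allocations and route aggregation, can both be shown with the standard library. This is an added example for this section, not code from the exam material; the address ranges are documentation prefixes chosen for illustration, and the host-count sizing assumes IPv4 with the usual two reserved addresses per subnet.

```python
"""CIDR sizing and aggregation with the standard library: an added example, not
part of the exam text. The addresses used are documentation ranges chosen for
illustration.
"""
import ipaddress
import math


def prefix_for_hosts(hosts_needed):
    """Smallest IPv4 prefix length leaving room for hosts_needed usable hosts.
    Two addresses per subnet (network and broadcast) are not usable."""
    host_bits = max(2, math.ceil(math.log2(hosts_needed + 2)))
    return 32 - host_bits


def size_block(base, hosts_needed):
    """Carve the smallest CIDR block at `base` that fits the host count."""
    return ipaddress.ip_network(f"{base}/{prefix_for_hosts(hosts_needed)}", strict=False)


def usable_hosts(network):
    """Usable host addresses in a block (total minus network and broadcast)."""
    return network.num_addresses - 2


def aggregate(cidrs):
    """Collapse adjacent, aligned blocks into the fewest routes (supernetting).
    Blocks that are adjacent but not aligned to the larger prefix stay separate."""
    networks = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(networks)]


if __name__ == "__main__":
    # 500 hosts: a class B (/16) would waste ~65,000 addresses, a class C (/24) is too small
    net = size_block("10.20.0.0", 500)
    print(net, usable_hosts(net))  # 10.20.0.0/23 510
    print(aggregate(["203.0.113.0/24", "203.0.112.0/24", "203.0.114.0/24", "203.0.115.0/24"]))
    print(aggregate(["203.0.113.0/24", "203.0.114.0/24"]))  # not aligned: two routes remain
```

The second aggregate call is the caveat practitioners hit when requesting address space: two adjacent /24s only collapse into a /23 if the lower one starts on an even third octet, so allocations should be requested on the aligned boundary of the prefix you eventually want to advertise.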

74. The equal error rate (EER) or crossover error rate (CER) refers to which of the following?
A. Firewalls
B. Biometrics
C. Encryption
D. Separation of duties

ANSWER: B

Explanation: In biometrics, the false acceptance rate (FAR, impostors wrongly accepted) and the
false rejection rate (FRR, legitimate users wrongly rejected) move in opposite directions as the
matching threshold changes. The point at which the two are equal is known as the equal error rate
(EER) or crossover error rate (CER); a lower value indicates a more accurate system.
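Computing the crossover from matcher output makes the trade-off concrete. The following is an added example for this section, not code from the exam material: the genuine and impostor score lists are constructed sample data on a 0-100 scale, the threshold sweep finds the EER, and a second function shows what a deployment pays in false rejections when it tunes for a stricter FAR than the crossover.

```python
"""Equal error rate from biometric match scores: an added example, not part of
the exam text. The score lists are constructed; higher means a closer match.

FAR(t): share of impostor attempts scoring >= t (wrongly accepted)
FRR(t): share of genuine attempts scoring <  t (wrongly rejected)
Raising the threshold lowers FAR and raises FRR; the EER/CER is where they meet.
"""

# Constructed sample matcher output on a 0-100 scale.
GENUINE = [88, 91, 76, 95, 83, 69, 90, 85, 72, 94, 79, 87]
IMPOSTOR = [40, 55, 62, 71, 48, 58, 66, 74, 52, 45, 60, 68]


def far(impostor, threshold):
    """False acceptance rate at a threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(genuine, threshold):
    """False rejection rate at a threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def equal_error_rate(genuine, impostor):
    """Sweep every observed score as a candidate threshold and return
    (threshold, eer) where |FAR - FRR| is smallest; ties go to the lower
    threshold. With discrete scores the curves may not cross exactly, so
    the EER is reported as the mean of FAR and FRR at that point."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        a, r = far(impostor, t), frr(genuine, t)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    return best[1], best[2]


def operating_point(genuine, impostor, max_far):
    """Lowest threshold whose FAR does not exceed max_far, and the FRR paid
    for it: how a high-security deployment tunes away from the crossover."""
    for t in sorted(set(genuine) | set(impostor)):
        if far(impostor, t) <= max_far:
            return t, frr(genuine, t)
    return None


if __name__ == "__main__":
    print("EER at threshold %d: %.3f" % equal_error_rate(GENUINE, IMPOSTOR))
    print("FAR<=0 needs threshold %d, costing FRR %.3f" % operating_point(GENUINE, IMPOSTOR, 0.0))
```

On the constructed data the curves cross at a threshold of 72 with an EER of one in twelve; pushing FAR to zero requires a threshold of 76 and doubles the false rejections, which is the kind of figure an auditor should expect to see justified in a biometric deployment.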

75. Which of the following is the best definition of minutiae?
A. Characteristics data
B. Detailed log data
C. High-definition scan
D. Minutes of meeting

ANSWER: A

Explanation: Minutiae are the distinguishing characteristics extracted from a biometric sample
(for fingerprints, ridge endings and bifurcations) and stored as the user's biometric template.
Enrollment reduces a high-resolution scan to this small set of unique characteristics, so the raw
image itself need not be stored.

76. Why should the transportation and tracking of backup media be given a high priority?
A. Backup media has a limited shelf life.
B. Backups should be transported in a locked storage box.
C. Backup media contains the organization’s secrets.
D. Use of encryption eliminates transportation and tracking issues.
ANSWER: C

Explanation: Backup media must be tracked because it contains the organization's most sensitive
data. Media leaving the facility must be kept in locked storage containers at all times, and tracking
during transit confirms its departure and arrival times. Some regulations require encrypted backup
tapes to protect the data at rest; encryption increases security but does not remove the need for
tracking, and it adds key management and more involved handling procedures.

77. Which of the following VPN methods will transmit data across the local network in plain
text without encryption?
A. Secure Sockets Layer (SSL)
B. IPsec
C. Transport Layer Security (TLS)
D. Layer 2 Tunneling Protocol (L2TP)

ANSWER: B

Explanation: In a gateway-to-gateway IPsec VPN, encryption is applied only on the path between the
VPN gateways. Data travelling between a gateway and the local computer on the LAN is not encrypted.

78. Which encryption system is primarily used in private industry for transportation rather
than storage?
A. Symmetric-key encryption
B. Asymmetric-key encryption
C. Secret keys
D. Public keys

ANSWER: B

Explanation: Asymmetric-key encryption, also known as public-key encryption, is typically used for
the transmission of data (electronic transportation), most often to exchange the symmetric key that
then protects the bulk data. The other options are closely related distractors.

79. What priority would the BC/DR planner at a manufacturing company place upon
warranty repair services for clients during a recovery?

A. Core process
B. Discretionary process
C. Critical function
D. Supporting process
ANSWER: B

Explanation: Providing warranty repair services is discretionary and would be discontinued during
recovery. Core processes, such as sales, generate direct revenue. Supporting processes, such as
invoicing, help the core processes bring in money. Everything else may be discontinued or shut down
during recovery.

80. When can a warm site be used for recovery?

A. When the downtime is acceptable to the business without breaching any legal
requirements
B. When it’s not profitable to operate a hot site
C. When the recovery is of high priority
D. When the actual recovery exceeds the recovery time objective

ANSWER: A

Explanation: The warm site is acceptable to the business when the downtime is acceptable
without breaching any legal requirements. Making a profit is not the reason for using a warm
site.

81. Which of the following methods of testing BC/DR plans is not acceptable?

A. Desktop
B. Modular
C. Full interruption
D. Unannounced

ANSWER: D

Explanation: Unannounced testing is not acceptable because of the potential to create additional
harm. Some people are not able to deal with the extra stress or may exercise the wrong response and
create a real emergency.

82. When, and at what frequency, should media updates and announcements be made during
an incident?
A. From the CEO when new events occur
B. From the local disaster relief official in charge
C. From the PIO at regular intervals
D. From a senior manager or company officer
ANSWER: C

Explanation: All media updates and announcements should be handled by the public
information officer (PIO) during the event. This is necessary to prevent misinformation or
confusion. Providing information at regular intervals helps promote trust and confidence.

83. What is the best method for testing the effectiveness of specific recovery procedures?
A. Ask the participants their opinion of the exercise
B. Observe the procedure as it's being executed
C. Time the procedure's execution and compare it to the RTO
D. Follow the manufacturer/vendor's recommended procedures

ANSWER: C

Explanation: The best method from the options provided is to compare the elapsed time to
execute the procedure against their stated recovery time objective (RTO). Participant opinions
are important for buy-in; however, some opinions may be too optimistic or too pessimistic.
Observing the procedure being executed will help determine its odds of being successfully
completed. What really matters is that recovery occurs within its specific time window since
other processes are depending on it.

84. Who is the incident commander?
A. First person on the scene
B. Manager or executive of the organization
C. Member of the police or fire department
D. A person with special training

ANSWER: A

Explanation: The first person on the scene is the incident commander, even if it is a child who calls
the police, ambulance or fire department. That person directs all efforts until relieved by a more
qualified person. Anyone can be the incident commander; no special training is required.

85. Which of the following is not a recommended criterion for invocation of the BC/DR
plan?
A. Financial loss
B. Duration of outage is unknown
C. Cost of activation
D. Scope of problem cannot be determined

ANSWER: C

Explanation: Cost of activating is not an acceptable criterion for invocation of the BC/DR plan.
The plan should always be activated if the conditions are met. Conditions requiring invocation
of the plan include estimated financial loss, duration of outage, and the inability to determine
the loss or scope of impact.

86. Which of these is the primary output from the business impact analysis (BIA)?
A. Identification of alternate revenue opportunities
B. Analysis of dependencies and areas of overreliance
C. High-level understanding of definitions
D. Low-level blueprint of the business process

ANSWER: D

Explanation: A low-level blueprint (or schematic) of the business process is the primary output
from the business impact analysis (BIA). If performed correctly, the BIA will provide high-quality
supporting detail for the other possible answer choices.

87. Which of the following definitions is the best example of an RTO?
A. Target point of optimum data recovery
B. Target time for the user to be processing again
C. Target service level at a particular point in time
D. Target for recovery to be completed

ANSWER: B

Explanation: The recovery time objective (RTO) is the deadline by which the user must be processing
again. By then IT is expected to have completed the necessary level of technical recovery so that the
user can resume work; if the RTO is missed, the recovery has failed its objective.

88. At a minimum, when should the BIA be updated and the BC/DR plan be exercised
(tested)?
A. Semiannually
B. Annually
C. When resources allow
D. Every two years

ANSWER: B

Explanation: Every organization should exercise the BC/DR plan at least once per year. Some
regulations, such as Gramm-Leach-Bliley, require live recovery exercises at least once every 90
days (quarterly). The BIA should be updated at least annually or whenever a change occurs to
the strategy, the organizational structure, or the business process protected by the plan.

89. Who should be the actual leader of business continuity planning?
A. Chief executive officer (CEO)
B. Chief financial officer (CFO)
C. Chief information officer (CIO)
D. Chief operating officer (COO)

ANSWER: A

Explanation: The chief executive officer (CEO) should be the actual leader of business continuity
planning. The second choice is the chief operating officer (COO) as the official delegate of the
CEO function. The CEO and COO have the agenda of generating revenue. They can force the
cooperation of all others in the organization. The CFO is the third choice. The CIO is the worst of
these choices because of the CIO’s distance from revenue activities and limited scope of
authority.

90. What is the biggest difference between disaster planning and business continuity
planning?
A. Disaster plans are usually specific to a department
B. Business continuity plans are run by IT
C. Business continuity plans span department boundaries
D. Disaster planning is an extension of facility plans

ANSWER: C
Explanation: Business continuity plans are focused on the processes for generating revenue.
This is the biggest difference when compared to rebuilding in disaster recovery. Plans of the
various departments such as IT, facilities, manufacturing, and sales may become smaller
components of the final BC plan. All decisions and activities are determined by the revenue
generated, not by the desires or goals of the department.

91. An organization needs to implement the right type of fencing in an area where there is
no foot traffic or observation capabilities and has decided to implement a Perimeter
Intrusion Detection and Assessment System. Which of the following is not a
characteristic of this type of fence?
1. It has sensors located on the wire mesh and at the base of the fence.
2. It cannot detect if someone attempts to cut or climb the fence.
3. It has a passive cable vibration sensor that sets off an alarm if an intrusion is detected.
4. It can cause many false alarms.

A. 1
B. 2
C. 3,4
D. 1,2, 4

ANSWER: B

Explanation: Perimeter Intrusion Detection and Assessment System (PIDAS) is a type of fencing
that has sensors located on the wire mesh and at the base of the fence. It is used to detect if
someone attempts to cut or climb the fence. It has a passive cable vibration sensor that sets off
an alarm if an intrusion is detected. PIDAS is very sensitive and can cause many false alarms.

92. Which of the following best fits the description that requires some assembly and can be
operational within days?

A. Redundant site
B. Warm site
C. Hot site
D. Cold site
ANSWER: B

Explanation: A warm site is a building preconfigured with utility services and may hold some
equipment. Hardware will usually need to be shipped in and assembled. Telephone circuits will
need to be switched over to the warm site and data loaded from backup tapes. Recovery time
is measured in days.

93. News media attention should be
A. Directed to a single designated spokesperson
B. Used to create awareness of the crisis and warn the public
C. Restricted to prevent any information from being released
D. Allowed full access to interview staff

ANSWER: A

Explanation: All inquiries and statements should be from the designated public information
officer (PIO), the spokesperson for the organization. The PIO uses predefined scripts to deliver
messages that have been vetted to ensure a positive image for the organization.

94. What factors signal if the business continuity plan needs to be updated?
A. Time and market conditions
B. Personnel changes
C. Significant changes in business objectives or direction
D. All of the above

ANSWER: D

Explanation: The plan should be reviewed quarterly and updated at least annually. Updates
should occur after each test, changes in personnel, or changes in business direction. Plans are
often updated for changes in key customers and products.

95. What is the best example of why plan testing is important?
A. To prove the plan worked the first time
B. To find and correct problems
C. To show the team that is not pulling their own weight
D. To verify that everyone shows up at the recovery site
ANSWER: B

Explanation: Plans are tested to train the staff in carrying out their work. The intention is to find
problems and correct any mistakes. A secondary benefit is to demonstrate improvement in the
response and recovery efforts.

96. Which of the following should be considered when setting your business continuity
strategy?
A. Recovery time objectives
B. Alternate sites available
C. Testing time available at alternate sites
D. All of the above

ANSWER: D

Explanation: The strategy will be selected based on information obtained during the risk
assessment and business impact analysis. All options should be considered when selecting the
business continuity strategy.

97. What is the process to activate the business continuity plan?
A. Members of the organization call the recovery site to activate.
B. Management designates decision criteria and appoints authorized personnel.
C. The facility manager receives a severe threat warning.
D. The senior manager on duty makes the decision.

ANSWER: B

Explanation: The purpose of planning is to establish decision criteria in advance. After the
criteria are met, the plan will be activated by the appointed personnel. The alternate site
invocation process allows a preauthorized manager to activate the alternate site. Invocation of
the alternate site will cost money and should occur only when it is required.

98. What is the fundamental difference between disaster recovery and business continuity?
A. Disaster recovery is focused on natural disasters; business continuity deals with
man-made events.
B. Business continuity is focused on ensuring that none of the services are interrupted;
disaster recovery deals with restoring services.
C. Disaster recovery is focused on rebuilding; business continuity deals with revenue to
continue in the market.
D. Business continuity is focused on protecting the IT investment; disaster recovery
applies to the entire organization.

ANSWER: C

Explanation: Business continuity is intended to ensure that critical processes are restored in a
timely manner and that revenue is not interrupted; with revenue, the organization will acquire the
money necessary to survive. Disaster recovery is focused on rebuilding what was lost.

99. What indicators are used to identify the anticipated level of recovery and loss at a given
point in time?
A. RPO and RTO
B. RTO and SDO
C. RPO and ITO
D. SDO and IRO

ANSWER: A

Explanation: The recovery point objective (RPO) indicates the fallback position, that is, the point in
time to which data will be restored and therefore how much work is lost. A typical RPO example is to
recover using last night's backup tape, meaning the transactions since that backup have been lost.
The recovery time objective (RTO) indicates the point in time by which the restored data should be
available to the user.

100. What is the principal reason to use a hot site?

A. Expensive and configured for use
B. May not be available during a crisis
C. Expensive and have to install/configure the new equipment
D. Expensive and prevents us from using other warm or cold site alternatives

ANSWER: A

Explanation: The hot site is expensive, but it offers the best chance of timely recovery because it
is already equipped and configured for use.

101. What does the term MAO stand for?

A. Minimum acceptable outage
B. Maximum acceptable outage
C. Minimum available on-hand
D. Maximum available overnight

ANSWER: B

Explanation: MAO is the maximum acceptable outage: the longest period an activity can be
unavailable before critical deadlines are missed or recovery is no longer feasible because of the
time elapsed. It may also be referred to as maximum tolerable downtime (MTD).

102. Name one of the purposes of creating the business continuity plan.

A. To maximize the number of decisions made during an incident
B. To minimize decisions needed during a crisis
C. To lower business insurance premiums
D. To provide guidance for federal regulations

ANSWER: B

Explanation: The plan minimizes decisions needed during the crisis. Possible options would
have been researched and decisions made in advance by management. The recovery staff is
expected to follow the directions contained in the plan.

103. How often should a business continuity plan be tested?

A. At least every ten years
B. Only when the infrastructure or environment changes
C. At least every two years
D. Whenever there are significant changes in the organization and annually

ANSWER: D

Explanation: The plans should be tested if there have been substantial changes to the company
or the environment. They should also be tested at least once a year.

104. During a recovery procedure test, one important step is to maintain records of
important events that happen during the test. What other step is just as important?
A. Schedule another test to address issues that were identified during that procedure.
B. Make sure someone is prepared to talk to the media with the appropriate responses.
C. Report the events to management.
D. Identify essential business functions.

ANSWER: C

Explanation: When recovery procedures are carried out, the outcome of those procedures
should be reported to the individuals who are responsible for this type of activity, which is
usually some level of management. If the procedures worked properly, management should
know it, and if problems were encountered, management should definitely be made aware of
them. Members of management are the ones who are responsible overall for fixing the
recovery system and will be the ones to delegate this work and provide the necessary funding
and resources.

105. Which of the following is the best way to ensure the company’s backup tapes
can be restored and used at a warm site?
A. Retrieve the tapes from the offsite facility, and verify the equipment at the original site
can read them.
B. Ask the offsite vendor to test them, and label the ones that were properly read.
C. Test them on the vendor’s machine, which won’t be used during an emergency.
D. Inventory each tape kept at the vendor’s site twice a month.

ANSWER: A

Explanation: A warm site is a facility that is not fully equipped with the company's main
systems. The expectation is that, if a disaster takes place, the company will bring its own
systems to the warm site or, if those are damaged, purchase new systems identical to the
originals. The backups must therefore be proven restorable on the equipment that will actually
be used, which is why the tapes are retrieved from the offsite facility and read on the company's
systems at its main site; a read test on the vendor's machine, which will not be used in an
emergency, proves nothing about that equipment.

106. An IS auditor is reviewing an MNC in a mission-critical business and finds
repeated failures in network operations. Which topology is most appropriate to
avoid this?

A. A star network topology
B. A mesh network topology with packet forwarding enabled at each host
C. A bus network topology
D. A ring network topology

ANSWER: B

Explanation: A mesh network topology provides a point-to-point link between each pair of network
hosts. If each host is configured to route and forward communication, this topology provides the
greatest redundancy in routes and the greatest network fault tolerance, at the cost of the most
links to provision and manage. Star networks are one of the most common computer networks and
consist of one central switch, hub or computer, which acts as a conduit to transmit messages; the
central device is a single point of failure. A bus network is an arrangement in which each node
is connected to a main cable or link called the bus. A ring network is a topology in which each
node connects to two other nodes, forming a single continuous pathway for signals through each
node in a ring. Data travels from node to node, with each node along the way handling every
packet.

107. During an audit, the CISA reviews the Key Wrapping policy and is also assured by
the system administrator that cryptographic key wrapping is used for operating systems,
database field-level encryption, storage device-level encryption, and so on. What factor
below contributes to make the environment secure through Key wrapping?
A. Increased strength of the key
B. Rotating the encryption key
C. Testing the encryption algorithm
D. Obscuring the encryption key

ANSWER: D

Explanation: In key wrapping, the data-encrypting key is itself encrypted under a separate
key-encryption key (KEK) before it is stored or exchanged, so that an attacker who obtains the
wrapped blob learns nothing about the actual key. Standard wrap algorithms such as AES Key Wrap
(RFC 3394) also include an integrity check, so a wrapped key that has been altered or is unwrapped
with the wrong KEK is rejected. The technique is used in key storage and during key exchange; it
is only as strong as the protection given to the KEK itself.

108. During an audit whose scope includes server environments, which of the following
would give an IS auditor assurance of the HIGHEST degree of server access
control?
A. A mantrap-monitored entryway to the server room
B. Host-based intrusion detection combined with CCTV
C. Network-based intrusion detection
D. A fingerprint scanner facilitating biometric access control
ANSWER: D

Explanation: A fingerprint scanner facilitating biometric access control can provide the highest
degree of server room access control.

109. Due to increased level of attacks on an organization’s Internet, it has asked its
audit team to recommend a detection and deterrent control against Internet attacks.
Which of the below would be the BEST option?
A. Honeypots
B. CCTV
C. VPN
D. VLAN

ANSWER: A

Explanation: Honeypots are often used as a detection and deterrent control against Internet
attacks. A honeypot is a decoy system exposed on the Internet expressly to attract and "trap"
people who attempt to penetrate other computer systems; since it offers no legitimate service,
any traffic it receives is suspect by definition, which is what makes it a useful detection source.

110. During an audit, an IS auditor is informed by the IT team that the host is
protected from outside attack by a firewall and a DMZ. On examination, the auditor
finds that the firewall allows inbound connections to services such as WWW, SMTP,
NetBIOS and SQL. What would be the primary concern of the auditor?

A. No concern as protection is adequate
B. Vulnerabilities in the firewall
C. Vulnerabilities in the DMZ
D. Deficiency in application layer security and unpatched server software

ANSWER: D

Explanation: Unpatched server software and poorly written application or script code are
vulnerabilities within the application itself. In the seven-layer model a packet-filtering
firewall works at the network and transport layers and can only decide which ports are
reachable; once a port such as HTTP or SQL is allowed, an attack carried inside that permitted
traffic takes place above the layers the firewall inspects and can only be addressed by patching
and application-layer controls. Exposing NetBIOS and SQL directly to the Internet makes the
exposure worse, since those services were never designed to face untrusted networks.

111. An IS auditor has been asked to closely review network management as primary
part of audit scope. What is the first step to be reviewed?
A. A graphical map of the network topology
B. Security administrator access to systems
C. Systems logs of all hosts providing application services
D. Administrator access to systems

ANSWER: A

Explanation: Understanding the existing network assets is the first step in planning an audit
that covers all deployed network components: detailed documentation of the network topology and
the IP addressing employed at interface level, together with information by device, location and
site. A graphical map of the network topology is therefore the starting point for the IS auditor
to obtain a clear understanding of network management.

112. The IT team has decided to implement a virtual private network. What purpose
does it serve?
A. A virtual private network (VPN) helps to secure access between the organization and its
partners when communicating over an otherwise unsecured channel such as the Internet.
B. A virtual private network (VPN) helps secure access between the organization and its
partners when communicating over a dedicated connection.
C. A virtual private network (VPN) helps secure access between the organization and its
partners when communicating over a wireless connection.
D. A virtual private network (VPN) helps secure organizational access when communicating over
a dedicated connection between network segments within the same facility.

ANSWER: A
Explanation: A virtual private network (VPN) helps to secure access between an organization
and its partners when communicating over an otherwise unsecured channel such as the
Internet and thereby reduces risk.

113. The IS team has been designated to formulate a good Firewall policy for
publication. What would be the FIRST step for its creation?
A. Identifying various network applications such as mail, web, or FTP servers
B. Using the principle of least privilege for assigning access to users
C. Reviewing appropriate firewall hardware and software
D. Configuration of firewall access rules

ANSWER: A

Explanation: The first step to creating a proper Firewall policy would be to identify network
applications such as mail, web, or FTP servers which are externally accessed.

114. The IT team has reviewed various options for confidentiality and finally agreed
the SSL network protocol would be most appropriate. Why is this true?
A. It provides symmetric encryption such as RSA
B. It provides asymmetric encryption such as Data Encryption Standard, or DES
C. It provides asymmetric encryption such as Advanced Encryption Standard, or AES
D. It provides symmetric encryption such as Data Encryption Standard, or DES

ANSWER: D

Explanation: The SSL protocol (and its successor, TLS) negotiates a symmetric cipher for the bulk
of the session data; DES and 3DES were among the ciphers SSL supported. Single DES has long been
broken by brute force and current TLS deployments use AES instead, but the principle stands:
confidentiality of the data stream comes from symmetric encryption, while asymmetric (RSA)
operations are used only to authenticate the server and establish the session key.

115. The IS team wants to rule out the weakest type of authentication for use in
the organization. Which of these is the weakest?
A. User ID and password
B. Biometrics
C. Token-based access control
D. Voice-print analysis
ANSWER: A

Explanation: A user ID and password is the weakest type of authentication: a correct password
only shows that somebody typed the right characters at login and gives no assurance of who that
individual actually is. The other choices are much stronger.

116. In a Defense development unit, the access controls need to be extremely strong.
A biometrics sensor has been proposed. Why was it proposed?
A. Creates new biometric template data each time it's used
B. Compares biometric data samples
C. Detects intrusion into the biometric template database
D. Checks for the presence of an authorized user

ANSWER: A

Explanation: Biometric sensors create a new data template every time the sensor is used.
Initially, the user's unique biometric data template is saved to the database and with every
subsequent use, the sensor creates a brand new data template, which is compared to the
database by the template matcher. If it matches, the user is correctly authenticated.

117. An IS team is debating on implementing intrusion detection and prevention
systems (IDPS), but many members believe the firewall systems are adequate. What
factors could lean towards implementing the IDPS?
A. Firewalls always report attacks to the IDPS
B. Firewall blocks attacks, but IDPS provides information if the firewall was successful
C. IDPS notifies the system administrator about all actual attacks
D. IDPS logs and notifies the system administrator of all suspected attacks

ANSWER: D

Explanation: The IDPS preserves the transaction log and alerts on any suspected attack. The
IDPS can also use statistics or signature files to determine whether an attack has occurred.

118. The IS team finds it has incurred large expenses purchasing tapes for the
daily backup of files. Which form of backup uses the archive bit to
copy only the files that have changed since the last backup?
A. Multi-level
B. Differential
C. RAID Level 4
D. Incremental

ANSWER: D

Explanation: An incremental backup will read the archive bit to copy only those files that have
changed since the last backup. The archive bit is a type of electronic flag to indicate which files
have changed and should be in the next backup. A differential backup will copy every file that
changed since the full backup was run.
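The archive-bit logic behind question 118, as an added example that is not part of the original question bank: a Go simulation of a file system whose archive bits are set on write and cleared only by full and incremental backups. The file names and the four-day edit history are constructed for the example, and `Week` and `RestoreChain` are this example's own helpers. It shows the trade-off the explanation implies: incremental backups copy the least each day but a restore must read every set since the full backup, whereas differential sets grow day by day but a restore needs only the full set plus the latest differential.

```go
package main

import (
	"fmt"
	"sort"
)

// BackupKind selects which files a backup run copies and whether it clears
// the archive bit afterwards.
type BackupKind int

const (
	Full BackupKind = iota
	Incremental
	Differential
)

// Store models a file system in which each file carries an archive bit that
// the OS sets whenever the file is written.
type Store struct {
	archive map[string]bool
}

// NewStore creates a store whose files have never been backed up, so every
// archive bit starts out set.
func NewStore(files ...string) *Store {
	s := &Store{archive: map[string]bool{}}
	for _, f := range files {
		s.archive[f] = true
	}
	return s
}

// Modify simulates a write: the OS sets the archive bit on each file.
func (s *Store) Modify(files ...string) {
	for _, f := range files {
		s.archive[f] = true
	}
}

// Backup copies files according to kind and returns their sorted names.
// Full copies everything; Incremental and Differential copy only files whose
// archive bit is set. Full and Incremental clear the bit on the copied files;
// Differential deliberately leaves it set, so each differential grows until
// the next full backup.
func (s *Store) Backup(kind BackupKind) []string {
	var copied []string
	for f, dirty := range s.archive {
		if kind == Full || dirty {
			copied = append(copied, f)
		}
	}
	sort.Strings(copied)
	if kind != Differential {
		for _, f := range copied {
			s.archive[f] = false
		}
	}
	return copied
}

// edits is a constructed four-day history: day 0 is the full backup, then
// one small edit per day.
var edits = [][]string{{}, {"ledger.db"}, {"report.doc"}, {"ledger.db"}}

// Week replays the history with the given daily strategy and returns the
// file set written on each day.
func Week(daily BackupKind) [][]string {
	s := NewStore("ledger.db", "report.doc", "app.log")
	var sets [][]string
	for day, e := range edits {
		s.Modify(e...)
		kind := daily
		if day == 0 {
			kind = Full
		}
		sets = append(sets, s.Backup(kind))
	}
	return sets
}

// RestoreChain returns the day numbers whose backup sets must be read to
// rebuild the files as of the last day: every set for incremental, only the
// full set plus the latest set for differential.
func RestoreChain(daily BackupKind, sets [][]string) []int {
	if daily == Differential {
		return []int{0, len(sets) - 1}
	}
	chain := make([]int, len(sets))
	for i := range chain {
		chain[i] = i
	}
	return chain
}

func main() {
	names := map[BackupKind]string{Incremental: "incremental", Differential: "differential"}
	for _, kind := range []BackupKind{Incremental, Differential} {
		sets := Week(kind)
		fmt.Println(names[kind])
		for day, files := range sets {
			fmt.Printf("  day %d copies %v\n", day, files)
		}
		fmt.Printf("  restore needs the sets from days %v\n", RestoreChain(kind, sets))
	}
}
```

Running it shows the incremental run copying one file per day after the full backup but needing all four sets to restore, while the differential run copies two files on days 2 and 3 and restores from two sets.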

119. What does the term minutiae mean in biometrics?

A. Characteristics data
B. Log data details
C. High resolution scan
D. Persona indicator

ANSWER: A

Explanation: Minutiae are the small distinguishing features extracted from a biometric sample
(for a fingerprint, the ridge endings and bifurcations and their positions) and stored as the
user's template. The process reduces a high-resolution scan to a compact set of unique
characteristics, and it is this set, not the raw image, that is compared at each authentication.

120. The audit team has been informed by the Operations team that encryption keys
have been provided for sensitive data. However, the auditors are still concerned about
the keys being susceptible to attack. Before recording the observation, what should the
auditors check for prevention of such attacks?
A. Key wrapping
B. Key generation
C. Symmetric-key algorithm
D. Asymmetric-key algorithm
ANSWER: A

Explanation: Key wrapping is used to protect encryption keys from disclosure. Otherwise,
encryption keys would be susceptible to the same attacks as data.
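Key wrapping as described in questions 107 and 120, shown as an added example that is not part of the original question bank: an implementation of the AES Key Wrap algorithm (RFC 3394) in Go using only the standard library. The key-encryption key (KEK), the data key and the expected output are the published RFC 3394 test vector; the helper names `WrapKey` and `UnwrapKey` are this example's own. The unwrap step checks the 64-bit integrity value, so a wrong KEK or a tampered wrapped key is rejected rather than silently yielding a bogus key.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// kwIV is the RFC 3394 default initial value; it doubles as the integrity
// check that UnwrapKey verifies after decrypting.
const kwIV uint64 = 0xA6A6A6A6A6A6A6A6

// WrapKey encrypts the key material `key` under the key-encryption key `kek`
// (AES-128/192/256) with the RFC 3394 AES Key Wrap algorithm. The key to wrap
// must be a multiple of 8 bytes and at least 16 bytes long.
func WrapKey(kek, key []byte) ([]byte, error) {
	if len(key) < 16 || len(key)%8 != 0 {
		return nil, errors.New("key to wrap must be a multiple of 8 bytes, at least 16")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(key) / 8
	a := kwIV
	r := make([]uint64, n)
	for i := range r {
		r[i] = binary.BigEndian.Uint64(key[8*i:])
	}
	var b [16]byte
	for j := 0; j < 6; j++ {
		for i := 0; i < n; i++ {
			binary.BigEndian.PutUint64(b[:8], a)
			binary.BigEndian.PutUint64(b[8:], r[i])
			block.Encrypt(b[:], b[:])
			t := uint64(n*j + i + 1) // step counter ties each block to its position
			a = binary.BigEndian.Uint64(b[:8]) ^ t
			r[i] = binary.BigEndian.Uint64(b[8:])
		}
	}
	out := make([]byte, 8*(n+1))
	binary.BigEndian.PutUint64(out, a)
	for i, v := range r {
		binary.BigEndian.PutUint64(out[8*(i+1):], v)
	}
	return out, nil
}

// UnwrapKey reverses WrapKey and returns an error if the recovered integrity
// value does not match kwIV (wrong KEK, or the wrapped key was altered).
func UnwrapKey(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("wrapped key must be a multiple of 8 bytes, at least 24")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	a := binary.BigEndian.Uint64(wrapped)
	r := make([]uint64, n)
	for i := range r {
		r[i] = binary.BigEndian.Uint64(wrapped[8*(i+1):])
	}
	var b [16]byte
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			t := uint64(n*j + i + 1)
			binary.BigEndian.PutUint64(b[:8], a^t)
			binary.BigEndian.PutUint64(b[8:], r[i])
			block.Decrypt(b[:], b[:])
			a = binary.BigEndian.Uint64(b[:8])
			r[i] = binary.BigEndian.Uint64(b[8:])
		}
	}
	if a != kwIV {
		return nil, errors.New("integrity check failed: wrong KEK or tampered wrapped key")
	}
	out := make([]byte, 8*n)
	for i, v := range r {
		binary.BigEndian.PutUint64(out[8*i:], v)
	}
	return out, nil
}

func main() {
	// RFC 3394 section 4.1 test vector: a 128-bit KEK wrapping a 128-bit key.
	kek, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	key, _ := hex.DecodeString("00112233445566778899aabbccddeeff")
	wrapped, err := WrapKey(kek, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped:   %x\n", wrapped) // 1fa68b0a8112b447aef34bd8fb5a7b829d3e862371d2cfe5
	unwrapped, err := UnwrapKey(kek, wrapped)
	fmt.Printf("unwrapped: %x err=%v\n", unwrapped, err)
	wrapped[9] ^= 0x01 // flip one bit: unwrap must now fail
	_, err = UnwrapKey(kek, wrapped)
	fmt.Println("tampered unwrap:", err)
}
```

The auditor's check in question 120 is then concrete: the wrapped key at rest is useless without the KEK, and the KEK must live somewhere the data key does not (an HSM or a separate key store), otherwise wrapping only moves the problem.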

121. The IS team is reviewing various VPN methods for data transmission across local
networks. They want to rule out any method that uses plain text without encryption.
Which method would they exclude?
A. Secure Sockets Layer (SSL)
B. Transport Layer Security (TLS)
C. Layer 2 Tunneling Protocol (L2TP)
D. IPsec

ANSWER: D

Explanation: In a gateway-to-gateway IPsec VPN the traffic is encrypted only between the two VPN
gateways; on the local network segment between the gateway and the end system it travels in
plaintext unless a separate host-to-gateway or host-to-host security association is used. (Note
that L2TP on its own provides tunnelling but no encryption, which is why it is normally run over
IPsec.)

122. During an audit, the CISA wants a fast method to discover the hosts on the
network and identify all available service ports. What method can be used?
A. Host enumeration with port scanning
B. Vulnerability scanning with port scanning
C. Penetration testing and host enumeration
D. File mount logs with vulnerability scanning

ANSWER: A

Explanation: Host enumeration (for example a ping or ARP sweep) is the fast way to discover the
live hosts on a network, and a port scan of those hosts then identifies the service ports that
are open. A vulnerability scan builds on that by probing the identified services for known
weaknesses, which is slower and not needed merely to list hosts and ports.

123. The IS team is reviewing VPN methods to transmit the payload and hide internal
network addresses with encryption. Which of the below methods would they use?
A. Secure Sockets Layer (SSL)
B. IPsec transport
C. Transport Layer Security (TLS)
D. IPsec tunnel

ANSWER: D

Explanation: IPsec tunnel mode encrypts the whole original IP packet, payload and internal
addresses included, and wraps it in a new IP header that carries only the VPN gateway addresses,
so the real sender and recipient cannot be identified while the messages cross the public
Internet. Transport mode encrypts only the payload and leaves the original IP header in the clear.

124. A new e-commerce site has been set up in an existing organization. The CEO has
asked the IS team to recommend an encryption system primarily for data transport,
which is expected to be heavy. What is their best recommendation?
A. Symmetric-key encryption
B. Asymmetric-key encryption
C. Secret keys
D. Public keys

ANSWER: B

Explanation: Asymmetric-key (public-key) encryption is what allows data to be transported
securely between parties that share no prior secret, such as an e-commerce site and its
customers. In practice it is used to authenticate the server and establish a session key, and
the bulk of the traffic is then encrypted with a symmetric cipher, which is far faster; this
hybrid design is what TLS does.

125. The IT team has detected that malicious software which presented itself as
an auto-update utility has subverted the kernel, bypassed operating system security and
installed itself. Which of these does this describe?
A. Worm
B. Root kit
C. Denial of service
D. Virus

ANSWER: B

Explanation: A rootkit is malicious software designed to subvert operating system security,
install itself at kernel or system level and completely compromise the system while hiding its
presence from normal inspection.

126. The IT team has recommended a DMZ for the organization for internet
communications. The top management wishes to understand its purpose. What would
be the best explanation?

A. Demilitarized refers to a safe zone that is protected from all Internet attacks
B. Protected subnet implemented using a fifth-generation firewall
C. Controls for communication allowing access to internal production servers
D. Subnet that is semi-protected and allows external access

ANSWER: D

Explanation: A DMZ or demilitarized zone, also called a perimeter network, is a physical or
logical sub-network that contains and exposes an organization's external-facing services to a
larger and untrusted network such as the Internet. Its purpose is to add an extra layer of
security to the organization's local area network (LAN): an attacker who compromises a DMZ host
still has no direct access to internal production systems.

127. An onsite offshore development organization requires large amounts of frequent
data communication, some of which is sensitive. Which of the following methods would
be most appropriate to ensure confidentiality in data communications?

A. Digital certificates with public-key encryption
B. Secure hash algorithm (SHA-1)
C. Virtual private network (VPN)
D. Digital signatures

ANSWER: C

Explanation: The virtual private network (VPN) would ensure data confidentiality.

128. The IS internal team is undertaking a review to decide what kind of key and
encryption method should be used. They need a cost effective method with least
overhead. Which of the given methods would they rule out?
A. Long Advanced Encryption Standard (AES) key
B. Long Data Encryption Standard (DES) key
C. Long symmetric encryption key
D. Long asymmetric encryption key

ANSWER: D
Explanation: Options A, B and C are single shared symmetric keys, which carry little processing
overhead and cost. Choice D, a long asymmetric (public-key) encryption key, would increase
encryption overhead and cost, since public-key operations are orders of magnitude slower than
symmetric ones for the same amount of data.

129. Computer worms infect computers and the payload or actual damage done can
be significant. Which of the following best characterizes "worms"?
A. Malicious programs that can run independently and can propagate without the aid of a
carrier program such as email.
B. Creates code errors that causes corrupt data
C. Attaches itself to a program and moves through the network, leaving infections as it travels.
D. Masquerades as a common application to infect systems

ANSWER: A

Explanation: Worms are malevolent programs that can run independently and can spread
without the aid of a carrier program such as email.

130. An organization that is performing extensive maintenance operations over the
internet for its partners has commissioned an audit to provide assurance about data
security. During the audit, the IS auditor requested evidence of data control and the IS
team remarked that PKI technology was being used for cryptography. Why should the
audit team feel reassured by PKI usage?
A. PKI is a combination of public-key cryptography and digital certificates and two factor
authentication
B. PKI is a combination of public-key cryptography and two-factor authentication
C. PKI is a combination of public-key cryptography and digital certificates
D. PKI is a combination of digital certificates and two-factor authentication

ANSWER: C

Explanation: PKI uses a combination of public-key cryptography and digital certificates to
provide some of the strongest overall control over data confidentiality, reliability, and integrity
for Internet transactions.

131. ABC Inc. offers a number of services through its web site. During one day, senior
executives of ABC Inc. were surprised to discover that sensitive data on their servers
were being leaked to unauthorized individuals on the Internet. Post-incident
investigations revealed that ABC Inc.'s key servers were infected with a Trojan. The
incident occurred after deployment of a newly acquired module from a software
vendor, which was tested on test servers in accordance with functional specifications.
The incident had gone unnoticed for a period of about four weeks. A potential cause of
the leak may have been malware embedded in the new module. Which of the following
operational controls should have detected the incident sooner?

A. Intrusion detection system (IDS)

B. Vulnerability scan process

C. Firewall rule set review

D. Access control monitoring

ANSWER: A

Explanation: An IDS should detect network behavior anomalies, which may have led to earlier
detection. Vulnerability scanning identifies software vulnerabilities, but it does not detect
malware. Reviewing the firewall rule-set is an important activity, but it won’t help detect a data
leak. While access control monitoring may help determine access to various information assets,
malware may bypass the established access control process and would thus not be detected.

132. An advantage of using unshielded twisted-pair (UTP) cable for data
communication over other copper-based cables is that UTP cable:

A. reduces crosstalk between pairs.

B. provides protection against wiretapping

C. can be used in long-distance networks.

D. is simple to install.

ANSWER: A
Explanation: The use of UTP in copper will reduce the likelihood of crosstalk. While the twisted
nature of the media will reduce sensitivity to electromagnetic disturbances, an unshielded
copper wire does not provide adequate protection against wiretapping. Attenuation sets in if
copper twisted-pair cable is used for longer than 100 meters, necessitating the use of a
repeater. The tools and techniques to install UTP are not simpler or easier than other copper-
based cables.

133. While copying files from a USB drive, a user introduced a virus into the network. Which of
the following would MOST effectively detect the existence of the virus?

A. Disable USB ports

B. Central virus checker on network file server

C. Scheduled scans of network drives

D. A virus monitor on the user's personal computer

ANSWER: D

Explanation: The most effective way to DETECT a virus would be through real-time antivirus
monitoring at the user's desktop which would detect the virus before it was transferred to the
system/network. All others are controls intended to prevent a computer virus from infecting
the system.

134. Which of the below is BEST suited for secure communications within a small
group?

A. VPN

B. Intranet

C. Web of trust

D. Authentication System

ANSWER: C

Explanation: A web of trust is the key distribution model used by Pretty Good Privacy (PGP):
users sign one another's public keys and distribute them within the group, which works well for
a small group whose members can vouch for each other. The other choices are suited to larger
groups.

135. A perpetrator who wants to gain access and gather information on encrypted
data transmitted over the network would use __________.

A. shoulder surfing

B. spoofing

C. traffic analysis

D. sniffing

ANSWER: C

Explanation: Traffic analysis is a passive attack when messages are encrypted whereby an
intruder determines the nature of the traffic flow between defined hosts. By analyzing session
length, frequency and message length, the intruder is able to assess the type of communication
being undertaken.
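Traffic analysis as described in question 135, and the kind of behavioural anomaly an IDS would have needed in order to catch the slow leak in question 131, as an added example that is not part of the original question bank: Go code that works only from connection metadata (timing, endpoints, sizes) and never looks at a payload, which is all an observer of encrypted traffic has. The flow records are constructed for the example using documentation address ranges, `Summarize` and `Beaconing` are this example's own helpers, and the thresholds are illustrative.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Flow is one connection record as a network tap or NetFlow export would see
// it: timing, endpoints and size stay visible when the payload is encrypted.
type Flow struct {
	Start time.Time
	Src   string
	Dst   string
	Bytes int
}

// Summary is what can be inferred about a src->dst pair from metadata alone.
type Summary struct {
	Count     int
	Bytes     int
	MeanGap   time.Duration // average interval between consecutive flows
	MaxJitter time.Duration // largest deviation of any interval from MeanGap
}

// Summarize groups flows by endpoint pair and measures volume and timing.
func Summarize(flows []Flow) map[string]Summary {
	byPair := map[string][]Flow{}
	for _, f := range flows {
		k := f.Src + "->" + f.Dst
		byPair[k] = append(byPair[k], f)
	}
	out := map[string]Summary{}
	for k, fs := range byPair {
		sort.Slice(fs, func(i, j int) bool { return fs[i].Start.Before(fs[j].Start) })
		s := Summary{Count: len(fs)}
		for _, f := range fs {
			s.Bytes += f.Bytes
		}
		if len(fs) > 1 {
			s.MeanGap = fs[len(fs)-1].Start.Sub(fs[0].Start) / time.Duration(len(fs)-1)
			for i := 1; i < len(fs); i++ {
				dev := fs[i].Start.Sub(fs[i-1].Start) - s.MeanGap
				if dev < 0 {
					dev = -dev
				}
				if dev > s.MaxJitter {
					s.MaxJitter = dev
				}
			}
		}
		out[k] = s
	}
	return out
}

// Beaconing returns the pairs that talk at least minCount times with a
// near-constant interval, the signature of a scheduled exfiltration or
// command-and-control check-in rather than of a person browsing.
func Beaconing(sums map[string]Summary, minCount int, maxJitter time.Duration) []string {
	var hits []string
	for k, s := range sums {
		if s.Count >= minCount && s.MaxJitter <= maxJitter {
			hits = append(hits, k)
		}
	}
	sort.Strings(hits)
	return hits
}

// SampleFlows is constructed data: one internal host pushing ~40 KB to the
// same external address every ten minutes, beside ordinary irregular
// browsing from a second host. Addresses are from the documentation ranges.
func SampleFlows() []Flow {
	base := time.Date(2024, 1, 15, 9, 0, 0, 0, time.UTC)
	var flows []Flow
	for _, off := range []int{0, 601, 1199, 1802, 2399, 3000} {
		flows = append(flows, Flow{base.Add(time.Duration(off) * time.Second), "10.0.0.5", "203.0.113.9", 40960})
	}
	for i, off := range []int{0, 45, 900, 950, 2400} {
		flows = append(flows, Flow{base.Add(time.Duration(off) * time.Second), "10.0.0.7", "198.51.100.20", 1500 * (i + 1)})
	}
	return flows
}

func main() {
	sums := Summarize(SampleFlows())
	for pair, s := range sums {
		fmt.Printf("%-26s flows=%d bytes=%d meanGap=%v jitter=%v\n", pair, s.Count, s.Bytes, s.MeanGap, s.MaxJitter)
	}
	fmt.Println("beaconing:", Beaconing(sums, 5, 10*time.Second))
}
```

Both hosts average one flow every ten minutes, so volume and mean interval alone do not separate them; the jitter does. The same measurement serves the attacker (inferring a scheduled job from ciphertext) and the defender (an IDS alerting on the regular outbound pattern weeks before anyone notices the leak).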

136. To arrange for protection for media backup stored at an offsite location, the
storage site should be:

A. located in a remote site

B. accessible only to top management

C. backed up daily

D. protected from unauthorized access.

ANSWER: D

Explanation: The offsite storage site should always be secure against unauthorized access and
have at the minimum, the same security requirements as the primary site.

137. The recurrent updating of which of the following is crucial to the continued
effectiveness of a disaster recovery plan (DRP)?

A. Contact information of key personnel

B. Systems and asset register

C. Business Continuity plan

D. Training employees regularly on the DRP

ANSWER: A
Explanation: In the occurrence of a disaster, it is significant to have a current and updated list of
personnel who are vital to the operation of the plan.

138. An organization has a combination of access points that cannot be upgraded to
stronger security and newer access points having advanced wireless security and has
decided to replace the non-upgradeable access points even though expensive. Which of
the below would BEST justify this choice?

A. The new access points would have current inbuilt security

B. The old access points would not match up with the new points

C. The organization's security would be as strong as its weakest vulnerabilities.

D. New access points would be robust

ANSWER: C

Explanation: The old access points should be rejected and replaced with products having strong
security; as they are prone to security weaknesses that could be taken advantage of by
attackers and make the entire network weak based on their own vulnerabilities.

139. An IS auditor performing a datacenter review for a large company discovers the
datacenter has a lead-acid battery room to provide power to its uninterruptable power
supply (UPS) during short-term outages and a diesel generator to provide long-term
power backup. Which of the following items would cause the IS auditor the GREATEST
concern?

A. The service contract on the diesel generator is not current.

B. The battery room does not contain hydrogen sensors.

C. The door to the battery room is kept locked.

D. The battery room is next to the diesel generator yard.

ANSWER: B

Explanation: Lead-acid batteries emit hydrogen, a highly explosive gas; hydrogen detectors are a
compensating control that would notify datacenter personnel of a possible gas buildup so they
could take the appropriate actions.

140. An IS auditor performing an access control review should be concerned MAINLY
with the:

A. Access logs for various systems

B. authorization and authentication of the user prior to granting access to system resources.

C. process and procedures governing data usage

D. Data owners and access rights

ANSWER: B

Explanation: The authorization and authentication of users is the most important aspect of an
access control review because it is a preventive control: weak controls at this level undermine
all the other features.

141. An IS auditor performing a telecommunications audit at a government research
facility noticed that some network connections used fiber-optic cable while others used
conventional unshielded twisted pair (UTP) copper cable. Which of the following is the
GREATEST risk of using UTP cable?

A. Performance issues may occur due to lack of bandwidth.

B. An attacker may tap into the cable to intercept data.

C. The installation may be delayed because fiber is more fragile and complex to install.

D. Information leakage may occur due to crosstalk.

ANSWER: B

Explanation: The characteristics of fiber-optic cable and the data transmission methods used
make it difficult to physically tap into the cable, which provides enhanced security. While UTP
cable can carry less bandwidth than fiber-optic cable, the concern about performance is not as
significant as the security risk due to tapping. Fiber-optic cable is more fragile than UTP cable
and is more difficult and time-consuming to install. UTP cable is more susceptible to crosstalk
than fiber-optic cable. Crosstalk causes performance degradation and potential loss of
connectivity, but is not known to cause any security issues.

142. What should the IS auditor initially identify while reviewing the configuration of network
devices?

A. type of network topology

B. Network diagram

C. the importance of the network device in the topology.

D. Firewalls and routers

ANSWER: C

Explanation: The IS auditor must understand the importance and role of the network device
within the organization's network topology and then, the best practice for using the same
should be reviewed to ensure there are no variances within the configuration.

143. An IS auditor finds that an enterprise does not restrict the use, nor have a policy
addressing the use, of universal serial bus (USB) storage devices. Which of the following
would be MOST important for the IS auditor to recommend?

A. Implementing security software to prevent the use of USB ports for data transfer

B. Introducing a policy to address the use of portable drives

C. Implementing a virtual private network (VPN) solution to ensure encrypted sessions
during transmission of data

D. Disabling USB ports on all machines

ANSWER: A

Explanation: The best method to prevent the use of portable media is through a hardware or
software solution. Since the enterprise does not have a policy to address the use of portable
drives, it is possible that management did not consider the risks associated with their use.
Because of the portable nature of these drives, they are prone to being misplaced or lost.
Option B is not correct because, while a policy would address use, it is not a strong enough
method to prevent use. If there were an indication that management accepts the risks, then
this would be the correct answer. Management should first understand the risks associated
with the drives, and a decision should be made as to how risks will be controlled. Option C is
not correct because a VPN solution does not address the use of portable media. A VPN is used
for a secure method of remote access to a private network. Option D is not correct because it is
not practical to disable all USB ports because they may be used for a mouse, local printer or
other legitimate device.

144. The IS auditor who is evaluating the user IDs for emergency access has found that fire call
accounts are granted without a predefined expiration date. What should the IS auditor
endorse?

A. Review the access control privilege authorization process

B. Implementation of identity management

C. Printing lists of user ids for emergency access

D. Granting of fire call accounts only to operating management

ANSWER: A

Explanation: The IS auditor should endorse reviewing the process of access control
management to ensure that emergency system administration-level access is given on an as-
needed basis and configured to a predefined expiration date.

145. An IS auditor reviews 24 hours of logs of a remotely managed server backup and
finds one case where logging on to a server has failed, with the result that the backup
restart cannot be established. What should the IS auditor do?

A. Issue an audit comment

B. Ignore the one off case

C. Check the restart timings

D. Expand the sample of logs reviewed.

ANSWER: D

Explanation: The IS auditor needs to gather sufficient and appropriate audit evidence for the
prospective problem and conclude whether this is an isolated incident or a systematic control
failure.

146. An organization has terminated a database administrator (DBA). The organization
immediately removes all of the DBA's access to all company systems. The DBA threatens
the database will be deleted in two months unless he/she is paid a large sum of money.
Which of the following would the former DBA MOST likely use to delete the database?

A. Virus infection

B. Worm infection

C. Denial-of-service (DoS) attack

D. Logic bomb attack

ANSWER: D

Explanation: A logic bomb is hidden code that will activate when certain conditions are met; in
this example, after a certain period of time. A virus is another type of malicious code, but it
does not typically operate on a time delay. A worm also is a type of malicious code that does
not use a time delay, but is designed to spread as quickly as possible. A DoS attack would not
delete the database, but could make the service unavailable.

147. An IS auditor is performing a review of the disaster recovery hot site used by a financial
institution. Which of the following would be the GREATEST concern?

A. System administrators use shared accounts which never expire at the hot site.

B. Disk space utilization data is not kept current.

C. Physical security controls at the hot site are less robust than at the main site.

D. Servers at the hot site do not have the same specifications as at the main site.

ANSWER: B

Explanation: Not knowing how much disk space is in use and therefore how much is needed at
the disaster recovery site could create major issues in the case of a disaster. While it is not a
best practice for system administrators to share accounts that do not expire, the greater risk in
this scenario would be running out of disk space. Physical security controls are important and
this would be a concern, but the more important concern would be running out of disk space.
The particular physical characteristics of the disaster recovery site may call for different controls
that may appear to be less robust than those at the main site; however, such a risk could be
addressed through policy and procedures or by adding personnel if needed. As long as the
servers at the hot site are capable of running the programs that are required in a disaster
recovery situation, the precise capabilities of the servers at the hot site are not a major risk. It is
necessary to ensure that software configuration and settings match the servers at the main
site, but it is not unusual for newer and more powerful servers to exist at the main site for
everyday production use while the standby servers are less powerful.

148. Event log entries related to failed local administrator logon attempts are observed by the
IS auditor. Which of the following is the MOST likely cause of multiple failed login
attempts?

A. SYN flood attacks

B. Social engineering

C. Buffer overflow attacks

D. Malicious code attacks

ANSWER: D

Explanation: Malicious code and Trojans commonly attempt to log on to administrator
accounts. A SYN attack is a denial-of-service (DoS) attack on a particular network service and
does not log on to administrator accounts. Social engineering will help in discovering
passwords, but it is separate from brute-force attacks. A buffer overflow attack will not directly
result in multiple logon failures.

149. A multi-national corporation is geographically spread across the globe. What
recommendation can the IS auditor provide to ensure that all aspects of the disaster
recovery plan are evaluated cost effectively?

A. System recovery test
B. Insurance coverage for disaster recovery
C. BCP plan review
D. Preparedness test

ANSWER: D

Explanation: A preparedness test should be executed by each local office to examine the
readiness of local operations in the event of a disaster. This test should be executed regularly
on different aspects of the plan and can be a cost-effective way to progressively obtain
evidence of the plan's capability.

150. Which of the following should an incident response team address FIRST after a
major incident in an information processing facility?

A. Restoration at the facility

B. Documentation of the facility

C. Containment at the facility

D. Monitoring of the facility

ANSWER: C

Explanation: The first priority is the containment of the incident at the facility so that spread of
the damage is minimized. The incident team must gain control of the situation. Restoration
ensures the affected systems or services are restored to a condition specified in the recovery
point objective (RPO). This action will be possible only after containment of the damage.
Documentation of the facility should be prepared to inform management of the incident;
however, damage must be contained first. Monitoring of the facility is important, although
containment must take priority to avoid spread of the damage.

---------------------------------------------------------------------------------------------------------------------
CISA DOMAIN 5
1. An IS auditor is undertaking an IS controls audit. Which of the below would be the most
significant document?
A. IT networks and firewall documents
B. Organizational blueprint showing entry and exit into the unit
C. Quality and Human Resource manual
D. IS asset inventory and register

ANSWER: B

Explanation: Change security settings define the accountability and integrity of the data. Beyond
this, changes must be studied for impact analysis and properly approved by the change
control board. Evidence of inadequate security would be revealed through study of the folders
under configuration management.

2. The IS team is building a business continuity plan. What would be the FIRST step?

A. Analysis of the business impact
B. Find the primary business continuity site
C. Study potential disaster recovery possibilities
D. Qualitative and quantitative risk analysis

ANSWER: A

Explanation: The IS team must first analyze the business impact before developing a
business continuity plan. The risk assessment is a precursor to this activity; the disaster
recovery site and recovery possibilities are studied afterwards.

3. Inherent risk is typically covered by Insurance. Bankers’ blanket bonds are used as a form of
insurance to cover losses due to employees. What does this refer to among the terms below?

A. Theft coverage
B. Business insurance
C. Fidelity coverage
D. Accident coverage

ANSWER: C

Explanation: Fidelity coverage protects an organization through insurance against theft losses
incurred through an employee. The fidelity bond is usually in the form of blanket bonds.
However, the company would have to legally convict the employee of theft before the bond
may be paid.

4. Identifying information assets and their owners is a significant control activity. Social
engineering methods can be used to compromise Information assets. Which of the below
methods represents social engineering?

A. Software hacking tool usage to circumvent security
B. Phishing of sensitive information by an employee
C. Not using software development standards
D. Deceiving a person into voluntarily cooperating with the attacker

ANSWER: D

Explanation: Social engineering refers to the use of tricks and deceit to ensure an otherwise
honest person voluntarily cooperates with the attacker. Passwords and access are often
procured by asking a user for assistance under the guise of a genuine need. But the need would
be a covert activity to circumvent security controls.

5. An IS auditor is expected to provide the best evidence. Which of the following could be
termed the best evidence?

A. Subjective
B. Internal
C. Factual
D. Objective

ANSWER: D

Explanation: Objective evidence is the best evidence, as it is unbiased and factual and proves
the point, indicating its relationship to the audit area.

6. Management must implement appropriate internal controls as they are responsible for
detection of irregular and possibly illegal activity. Which of the below is not a method of
internal control?

A. Physical control
B. Logical control
C. Contractual control
D. Administrative control

ANSWER: C
Explanation: Administrative controls are broad and cover contractual controls. Therefore,
contractual controls are not a method, unlike physical, logical and administrative controls. The
common implementation methods are physical, logical (technical), and administrative.

7. Auditors are expected to be meticulous and unbiased during evaluation of audit evidence.
They apply professional judgment with an attitude of professional skepticism to prevent
negligence. Which of the below best indicates the application of professional judgment?

A. Secrecy
B. Due care
C. Confidentiality
D. Ethics

ANSWER: A

Explanation: Due care in professional judgment means the care taken to protect against a loss.
The minimum level of attention needed to prevent fraud or neglect is known as due care.

8. A CA, or certificate authority, is used by several organizations for ensuring controls. What
is the primary role of a CA in an infrastructure using public keys?

A. Endorse user credentials
B. Provide security services
C. Review access controls
D. Certificate issue and record maintenance

ANSWER: D

Explanation: The CA is responsible for issuing digital certificate credentials and providing parties
with verification regarding digital certificate validity. The CA also maintains the records of
certificates, either valid, revoked or expired.

9. Management is ultimately responsible for putting in place appropriate and proper internal
controls. Which of the below controls minimizes the impact of an event that has already
occurred?

A. Detective
B. Corrective
C. Preventive
D. Forensics

ANSWER: B

Explanation: The category of corrective controls is primarily used to reduce or minimize damage
after an event has occurred.

10. Which of the following conditions is likely to represent a control failure and therefore be a
concern to the auditor?

A. A policy without an underlying standard of monitoring and enforcement
B. A policy based on guidelines
C. A general policy intended to be a catchall for things not specifically mentioned
D. Use of the guideline with monitoring, but no formal policy

ANSWER: A

Explanation: A policy without the standards of enforcement is practically worthless. Monitoring
is required to determine whether the standard is being met or violated. The lack of monitoring
and enforcement is a serious concern to the auditor.

11. What is the issue concerning the right to audit?

A. Every organization has a right to audit
B. Audit requests can be denied because of resources and time consumed
C. The audit charter should specify the authority to audit
D. Only certified auditors can execute an audit

ANSWER: B

Explanation: Audit requests of a vendor or contractor may be denied because of the cost of
resources required and time consumed. Every outsourced agreement should contain a specific
clause granting the right to audit. The service provider may respond with an SAS-70 report in
place of an audit, unless the right to audit clause specifically states the client may conduct their
own audit of the service provider organization.

12. Which of the following represents the biggest concern with regard to controls?
A. Identification of individuals
B. Authorization
C. Authorization
D. Independence

ANSWER: B

Explanation: Authorization must be separated from all other functions. Changes in activities
require separate authorization using the concept of separation of duties or compensating
controls. The objective is to prevent an individual from violating an internal control. All control
deviations should generate an audit trail, along with awareness of the deviation by
management.

13. What is meant by fiduciary responsibility?

A. Utilize the information that is obtained for one's own interests while taking care of client
confidentiality
B. Work for another person's benefit and keep the duties honest and fair, ahead of
personal interests
C. Follow the client's desires and keep them completely confidential even in the case of illegal
acts. The audit information should never be disclosed by the auditor, in order to protect the
client.
D. None of the above.

ANSWER: B

Explanation: Lawyers, accountants, and auditors work on behalf of the interests of their client
unless doing so would violate the law. In law, it is the highest standard of duty, that of a
guardian or trustee.

14. Name the various audit types.

A. Accounting, forensic, regulatory, verification
B. Operational, integrated, administrative, compliance
C. SAS-74, financial, administrative, compliance
D. SAS-70, information systems, procedural, regulatory

ANSWER: B

Explanation: Apart from SAS-74, procedural, regulatory, and verification, all audit types are
valid. These audit types, which are valid, include operational (SAS-70), financial, compliance,
integrated (SAS-94), forensic, administrative, and information systems. For discovering the
information of a possible crime, a forensic audit is used.

15. State the difference between the words “shall” and “should” when they are used in the
context of regulations?

A. Shall signifies requirements that are discretionary, while should gives advice to the
reader.
B. Shall gives advisory information that recommends actions whenever appropriate, while
should indicates compulsory actions.
C. These two words are comparable in meaning and are differentiated on the basis of the
individual circumstances experienced during the audit.
D. Shall implies the action is compulsory irrespective of the financial impact, while should
indicates discretionary actions as per the need.

ANSWER: D

Explanation: The key difference is that shall implies that compliance is compulsory irrespective
of loss or profit, while should represents information that is discretionary in a regulation.

16. Which among the following is not a non-audit role?

A. Operational staff member
B. Auditor
C. Organizational manager
D. System designer

ANSWER: B

Explanation: All roles apart from the auditor are non-audit roles. A person who is in a non-audit
role is not qualified to be an independent auditor.

17. Why is protecting audit work papers and documentation necessary?

A. For reasons of regulatory compliance, the evidence that is collected in an audit needs
to be disclosed.
B. To prove the auditee is wrong and the auditor is right, a paper trail is required.
C. In a court of law, the auditor needs to prove an illegal activity.
D. They can reveal information that is confidential and should not be disclosed or lost.

ANSWER: D

Explanation: The auditor may find some information that, when disclosed, may cause damage
to the client. A perpetrator could perform additional actions with the information.
Additionally, the auditor needs to implement controls to ensure the backup and security
of their work.

18. Why are the standard terms of reference used?

A. For meeting the regulatory and legal compliance requirements
B. For proving who is the person responsible
C. For ensuring unbiased and honest communication
D. For ensuring that the requirements in a regulation are known

ANSWER: C

Explanation: The purpose of using standard terms of reference is to ensure unbiased and
honest communication between the auditor and everyone else. Without this, knowing whether
the same issue is being discussed or the same outcome is being agreed would be difficult.

19. Which of the following relates to the term auditor independence?

A. For auditors working in a consulting organization, it is not an issue.
B. It is needed for an external audit.
C. To be independent, an internal auditor needs to take certification training.
D. The auditor is bestowed independence by the audit committee.

ANSWER: B

Explanation: The auditor needs to be independent. A biased opinion may result if a personal
relationship exists between the auditor and the organization being audited. If the organization
has influence over the auditor, the business relationship is also a problem. The purpose is to be
objective, fair, and not related to the audit subject.

20. In comparison to a guideline, what is the definition of a standard?

A. A standard is a discretionary control used with a guideline to help the reader's decision
process.
B. A standard is a compulsory control for supporting a policy. It is discretionary to follow
guidelines.
C. A guideline is a control that is recommended and required for supporting discretionary
standards.
D. A guideline is intended for designating a policy, while a standard is used when a policy is
absent.

ANSWER: B

Explanation: Standards are implemented for ensuring uniform compliance at the minimum
level. A guideline is advisory information that is used when a standard is absent. It is mandatory
to comply with standards, while complying with guidelines is discretionary.

21. Who should be responsible for issuing the organizational policies?

A. They should initiate from the lowest level and then move up for approval to the
department manager.
B. They should be issued by the auditor according to the standards. The highest
management level should authorize them for ensuring compliance.
C. They can be issued by any management level.
D. They should be enforced and signed by the highest management level.

ANSWER: D

Explanation: For ensuring compliance by the organization, policies should be issued, signed, and
enforced by the highest management level. Management (not the auditor) is responsible for
implementing internal controls.

22. On what basis is the final opinion of the auditor made?

A. The verbal statements and objectives that are made by the management
B. The understanding of the expected audit results of the management
C. The specifications of the audit committee
D. The testing and evidence results

ANSWER: D

Explanation: An auditor is a questioner who performs the testing of management assertions
and provides an opinion on the basis of evidence found while performing the audit.

23. The objective of the professional ethics statement of ISACA is to:

A. Give procedural advice to the new IS auditor
B. Specify acceptable and unacceptable behavior clearly
C. Give instructions on dealing with illegal and irregular acts by the client
D. Give advice on the conditions under which the auditor can deviate from the audit standards

ANSWER: B

Explanation: The professional ethics statement of ISACA states that IS auditors need to
complete their duties while taking care of highest standards of truthful and honest
representation. Violating the fiduciary relationship with the client cannot be accepted.

24. By what means does the auditor develop the final opinion?

A. By the collected evidence and the observations of the auditor
B. By the assurances and representations of management
C. By compliance testing of the language used in the policies of the organization
D. By the audit committee's advice

ANSWER: A

Explanation: The auditor derives a final opinion on the basis of collected evidence and testing.
An audit's objective is to challenge the management assertions. Evidence is collected to
disprove or support claims.

25. Which of the following statements is not correct about the audit committee?

A. The executives of the organization itself manage the audit committee. They keep the
committee busy by making them work on compliance programs.
B. The audit committee can hire and fire executives, as it oversees management.
C. The members from the board of directors are included in the audit committee. The
committee can hire external auditors, who can have a quarterly meeting with the
committee in the absence of other executives.
D. The committee gives a method to senior executives to bring problems into a
confidential discussion to explore a solution.

ANSWER: A

Explanation: Except for A, all answers are correct. The responsibility of the audit committee is to
oversee the management of the executives. This committee generally includes board members
who offer executives a forum for discussing problems in order to solve them. It has the authority
to fire or hire any person in the organization, usually concentrating on senior executives and
external auditors.

26. By which method should the auditor help solve problems found while auditing?

A. By taking responsibility for the issue and contributing to the design of the plan to fix
the problem.
B. By deciding whether the problem is minor or major, and then providing advice and a solution
to the auditee while taking the business impact into consideration
C. By helping the auditees in outlining the steps required to solve the problem.
D. By never taking ownership of issues and advising the auditee in general,
including a clarification of what is being looked at while performing the audit.

ANSWER: D

Explanation: The auditor must never take responsibility for the issues. The auditor can advise
the auditee in general and show what is being looked at while performing the audit. The
remediation plan needs to be designed by the auditee. Auditors participating in remediation
planning at the detail level are no longer independent or objective.

27. In relation to an audit, which of the below statements gives the best assessment
description?

A. As compared to assessments, audits are more formal.
B. The difference lies in wording; otherwise, they are similar in nature.
C. They both give reports that are usable for the purpose of licensing.
D. The reports from an assessment give a high assurance of the condition.

ANSWER: A

Explanation: As compared to an audit, an assessment is less formal. The assessment objective is
to find the value on the basis of relevance. The value of assessments is lower because they are
neither regimented nor independent audits.

28. The objective of the skills matrix is to:

A. Recognize the person to be interviewed during the audit
B. Explain the personnel required during the audit's performance phase
C. Recognize the skills that are needed by the auditee to complete the audit within scope
D. Demonstrate to the client the method of saving money during the audit engagement

ANSWER: B

Explanation: During preplanning, a skills matrix is made for identifying the skills essential to do a
competent audit. It justifies the personnel training or explains the skills required by the audit
team members. Additionally, it prevents the auditor from getting stuck with a "warm body"
that is unskilled.

29. For regulatory compliance, which of the below is the best description of an ongoing audit
program?

A. An audit is done once for the complete year, and is then repeated for each successive year
with the same information.
B. With the use of audit program software, an audit may be automated.
C. An audit is a sequence of exclusive projects of short duration that include all the steps
required for the annual compliance.
D. An audit is a set of assessments required by the auditee for the objective of regulatory
and licensing compliance.

ANSWER: C

Explanation: Generally, projects are of limited duration and are exclusive. They have a fixed
time period and have a fixed start and stop date. The projects can be combined into a projects
series to meet an operational need that is ongoing, such as a perpetual quality program or an
annual audit program.

30. Which of the following is the best definition of user identity?

A. Match
B. Claim
C. Authority
D. Job role

ANSWER: B

Explanation: The user identity is a claim made by the user. This claim of identity must be
verified against a known record by using the authentication process. Authentication is a one-
time match attempt to determine whether access should be granted. A mismatch would result
in denied access.

31. Which statement is true concerning digital signatures?

A. The signer uses the recipient's public key.
B. The recipient uses the signer's public key.
C. The signer uses the recipient's private key.
D. The recipient uses the signer's private key.

ANSWER: B

Explanation: The message file is hashed, and the hash is encrypted by the signer using the
signer’s private key. This creates a digital signature file that can be verified (unlocked) by the
recipient using the signer’s public key.

32. The probability of a material error that cannot be detected or prevented is an example of
which of the following risks?

A. Detection risk
B. Overall audit risk
C. Inherent risk
D. Control risk

ANSWER: D

Explanation: This is an example of control risk: a material error exists, or is introduced, and
cannot be detected. This risk indicates a loss of control.

33. What is the best reason for creating a skills matrix?

A. To identify the different skills and their individual billing rate
B. To designate who will perform each specific task
C. To identify skills needed and justify training to fill the gaps
D. To comply with the minimum standards of project management

ANSWER: C

Explanation: The primary goal is to identify all the skills needed and to justify additional training
before conducting the audit. Adding new personnel may be an acceptable option if training
would not cure the problem in time. Using a skills matrix is one of the best practices in project
management; however, that was not the best available choice.

34. Which of the following is the best demonstration of the auditor independence
requirement?

A. Provide an external audit and help the client fix the system
B. Audit and advise without fixing or designing the solution
C. Audit as an internal participant
D. Audit and advise in the detailed design of the solution

ANSWER: B

Explanation: The auditor must be careful to remain neutral and free of potential conflict during
the audit process. Providing general advice to aid clients is encouraged, but the auditor must be
careful not to participate in the detailed design or remediation of the problem. To do so would
violate the independence objective.

35. Management is required to implement internal controls for the organization. Which of the
following represents a systematic process of mandatory steps required to accomplish the
objective?

A. Policies
B. Guidelines
C. Procedures
D. Baselines

ANSWER: A

Explanation: Policies provide a cookbook recipe of steps necessary to ensure compliance in
support of management's objective. The hierarchy is management's high-level policy,
supported by a mid-level standard, which is supported by a lower-level procedure. Compliance
to procedures is mandatory.

36. Which of the following systems simulates the human brain and makes a decision on weighted
probabilities?

A. Inner reference engine
B. Knowledge base
C. Decision-support system
D. Neural network

ANSWER: D

Explanation: The neural network is patterned based on the design of the human brain, with
logic comparable to human synapses. Decisions are based on the program weight factors and
probabilities.

37. Which of the following is an approach that is not acceptable for gathering information for a
risk analysis?

A. Bringing relevant people into a meeting to discuss their concerns
B. Sending an email to all employees explaining the basics of risk analysis and asking for
their cooperation and suggestions
C. Interviewing key people in IT and the user community
D. Sending a questionnaire to key personnel

ANSWER: B

Explanation: Sending email to all employees is not an acceptable method. All the other answers
are appropriate methods for gathering information. The most effective methods are personal
interviews and workshops. The interviewer or facilitator can guide the live responses while
ensuring consistency of measurement and answers. Less effective is a survey, which tends to
generate inconsistent answers that may not be completely truthful.

38. Which of the following control classification tries to reduce the effect of a threat?

A. Corrective
B. Preventative
C. Deterrent
D. Detective

ANSWER: A

Explanation: Corrective controls solve a problem after it has occurred. A few examples are firing
a problem employee, restoring data from a tape backup, and cancelling a business contract
because of poor performance.

39. Which of the following types of downloadable programs is known to present the most
serious security risk?

A. VB script
B. ActiveX
C. Java
D. Servlet

ANSWER: B

Explanation: ActiveX is more dangerous because the Authenticode method of digitally signing a
program does not protect against malicious software nor does it protect the user from poorly
written programs. Malicious ActiveX programs can subvert security of the operating system.

40. Compensating controls are primarily intended to compensate for what issue?

A. Money
B. Separation
C. Training
D. Contractors

ANSWER: B

Explanation: Compensating controls compensate for the lack of separate authorization,
specifically separation of job duties. It may not be possible to have separation of duties because
of a small staff. Compensating controls—including audit logs, job rotation, and audit and
supervisory review—ensure that all activity is visible to another employee or manager to
prevent misuse.

41. Which of the following is a true statement concerning materiality?

A. All information related to the subject is material.
B. Materiality is a physical requirement of business records.
C. Information that would change the outcome of the audit is material.
D. Materiality refers to independence of evidence.

ANSWER: C

Explanation: Materiality refers to information that would have a direct bearing on the outcome
or final determination. It is not necessary to document all information related to the subject.

42. Following the evidence rule, what could the auditor use to best determine that a given
policy is actually being used?

A. Presence of the policy manual
B. Minutes of meetings
C. Enforcement emails
D. User awareness

ANSWER: C

Explanation: The presence of emails regarding enforcement of the policy would be the best
determination that a policy is in use. A second choice might be a random sampling of user
awareness, followed by the minutes of meetings where the policy was discussed.

43. As per ISACA, which of the following are the five of the six business process reengineering
(BPR) steps?

A. Envision, initiate, evaluate, diagnose, redesign
B. Initiate, envision, evaluate, redesign, reconstruct
C. Envision, initiate, diagnose, redesign, reconstruct
D. Initiate, envision, redesign, reconstruct, evaluate

ANSWER: C

Explanation: The six general steps are envisioning the goal, initiating a project, diagnosing the
current process, redesigning the process, reconstructing with the use of change management,
and evaluating results by checking the new process to find out if it met the original objective.

44. Which sampling method should be used when there is almost no margin of error or the risk
of failure is very high?

A. Variable
B. Random
C. Discovery
D. Difference estimation

ANSWER: C

Explanation: Discovery sampling is used when the risk of failure is very high. 100 percent of the
available evidence will be tested because there is almost no margin for error. This is the most
intensive type of testing.

45. Which is the acronym used during recovery that denotes the expected level of service?

A. RPO
B. SDO
C. RTO
D. ITO

ANSWER: B

Explanation: During recovery, SDO or service delivery objective demonstrates the expected
level of service. Several SDO targets may exist for the organization on the basis of various
recovery phases. On the other hand, RPO is the recovery point objective, RTO is the recovery
time objective, and ITO is a distracter.

46. A critical success factor is explained as:

A. An asset that needs to be planned
B. A score or measure of efficiency
C. A factor calculated for the purpose of insurance
D. Something that needs to happen perfectly each time

ANSWER: D

Explanation: Also known as a showstopper, a critical success factor needs to go right each
time for the recovery to succeed. A KPI, or key performance indicator, is a numerical score.

47. The final hurdles to business continuity are threats that may include:

A. Missed targets
B. Natural disasters
C. Profit loss
D. All of the above

ANSWER: D

Explanation: The business continuity concerns include missed targets, natural disasters, and
profit loss. The continuity objective is to make sure that revenue is not disturbed and critical
targets are not missed.

48. During the planning of team assignments, it is critical to remember that:

A. The number of people or teams is not as critical as ensuring all the duties are
performed.
B. A person should not hold more than one team assignment.
C. For each team, the number of duties is the same.
D. For consistency, only one key person can be assigned to all teams.

ANSWER: A

Explanation: When planning team assignments, the most critical point to remember is that all
duties are completed, irrespective of the number of people. The organization may need to
employ hundreds of extra personnel in a major incident to make sure that all duties are
completed.

49. Which of the following is a true statement pertaining to data encryption when it is used to
protect data?

A. It verifies the integrity and accuracy of the data.
B. It requires careful key management.
C. It does not require much system overhead in resources.
D. It requires keys to be escrowed.

ANSWER: B

Explanation: Data encryption always requires careful key management. Most algorithms today are
so strong that it is much easier to attack key management than to launch a brute-force attack.
Hashing algorithms are used for data integrity, encryption does require a good amount of
resources, and keys do not have to be escrowed for encryption.

50. What is it called when different keys generate the same ciphertext for the same message?

A. Secure hashing
B. Collision
C. Key clustering
D. MAC

ANSWER: C

Explanation: Encrypting message A with key A yields ciphertext Y. Encrypting the same message A
with key B should yield a ciphertext different from Y, because a different key was used. If the
ciphertext is nevertheless the same, the occurrence is called key clustering.

51. After a system failure, which action should take place for restoring a system and its data
files?

A. Perform a parallel test.
B. Restore from storage media backup.
C. Perform a walk-through test.
D. Implement recovery procedures.

ANSWER: D

Explanation: Recovery procedures should be implemented in such situations; in most cases these
include data recovery from the backup media. Recovery procedures may comprise steps to rebuild
a system from scratch, apply the required configurations and patches, and do whatever else is
needed to ensure that productivity is not affected. A redundant system may also need to be
considered.

52. Which is the best description of remote journaling?

A. Backing up bulk data to an offsite facility
B. Backing up transaction logs to an offsite facility
C. Capturing and saving transactions to two mirrored servers in-house
D. Capturing and saving transactions to different media types

ANSWER: B

Explanation: Remote journaling is a technology used to transmit data to an offsite facility, but
this usually only includes moving the journal or transaction logs to the offsite facility, not the
actual files.

53. What is the expansion of DES?

A. Data Encoding Standard
B. Data Encryption Standard
C. Data Encryption System
D. Data Encryption Signature

ANSWER: B

Explanation: NIST and NASA developed the Data Encryption Standard for encrypting sensitive but
unclassified government data.

54. What indicates the modification of a message?

A. The change in the public key
B. The change in the private key
C. The change in the message digest
D. The proper encryption of the message

ANSWER: C

Explanation: Hashing algorithms generate message digests to detect whether a modification has
taken place. The sender and the receiver each generate a digest, and the receiver compares the
two values. If they differ, the receiver knows that the message has been modified.

55. Which of the following is not a property of the charge-coupled devices used by most CCTV
systems?

A. Captures signals in the infrared range
B. Receives input through the lenses and converts it into an electronic signal
C. Records data on hard drives instead of tapes
D. Provides better-quality images

ANSWER: C

Explanation: A CCD is an electrical circuit that converts the light it receives from the lens
into an electronic signal, which is then displayed on the monitor. A lens is used to focus
images onto the surface of the CCD chip, which creates an electrical representation of the
optical image. With this technology, surprising detail of objects can be captured. A more
precise representation is also possible because the sensors work in the infrared range; this
extra data is picked up by the CCD and integrated into the images shown on the monitor, giving
better quality and granularity in the video. Data is not recorded by a CCD.

56. Various countries do not allow the export or use of cryptographic systems. Which of the
following is the reason to put these restrictions?

A. There would be various interoperability issues in the absence of standards when
attempting to implement various algorithms in different programs.
B. Encryption can be used by criminals for avoiding prosecution and detection.
C. Adding various encryption types would confuse the laws, as laws are way behind.
D. Some countries can use the systems against their local people.

ANSWER: B

Explanation: The U.S. government has greatly reduced its restrictions on the export of
cryptography; however, some restrictions are still in place. The U.S. has declared that selling
products that use encryption to any country is an act of supporting terrorism. The country's
enemies can use encryption to hide their communications, in which case the government would not
be able to break the encryption and monitor their data transfers.

57. A digital signature is created using:

A. The sender's public key
B. The receiver's private key
C. The receiver's public key
D. The sender's private key

ANSWER: D

Explanation: A digital signature is a message digest encrypted with the sender's private key.
No one, including the sender, should have access to the receiver's private key.

58. A digital signature is best described as a method to:

A. Encrypt confidential information
B. Transfer a handwritten signature to an electronic document
C. Provide an electronic encryption and signature
D. Allow the message receiver to prove the integrity and source of a message

ANSWER: D

Explanation: A digital signature offers integrity (because a hashing algorithm is involved),
authentication (the source of the message is known), and nonrepudiation (the sender cannot deny
the message).

59. Name the best examples of media and vital records.

A. Last year’s cancelled checks, past annual reports, HR policies, vacation forms
B. Financial records, specialized forms, backup tapes, how-to manuals
C. Office supplies, customer lists, corporate seal, maintenance manuals
D. Personal desk files, preferred vendor lists, extra blank paper for copy machine

ANSWER: B

Explanation: Backup tapes and financial records are very important. How-to manuals assist in
the recovery.

60. Which of the following properties does not apply to a one-way hash function?

A. Given the digest value, it must be infeasible to compute and find the corresponding
message.
B. It transforms a message with an arbitrary length to a fixed length value.
C. It transforms a message with a fixed length to a value of arbitrary length.
D. It should be rare or not possible to get the same digest from two different messages.

ANSWER: C

Explanation: A hashing algorithm takes a variable-length string, a message of any size, as
input and computes a fixed-length value, the message digest. The SHA family creates a
fixed-length value of 160 bits, while the MD family creates one of 128 bits.

61. What is the goal of cryptanalysis?

A. To determine the strength of an algorithm
B. To increase the substitution functions in a cryptographic algorithm
C. To decrease the transposition functions in a cryptographic algorithm
D. To determine the permutations used

ANSWER: A

Explanation: Cryptanalysis is the process of trying to reverse-engineer a cryptosystem,
possibly with the goal of uncovering the key used. Once the key is uncovered, all other messages
encrypted with it can be accessed. Cryptanalysis is carried out by white hats to test the
strength of an algorithm.

62. The effective length of the DES key is how many bits?

A. 64
B. 56
C. 16
D. 32

ANSWER: B

Explanation: The DES key is 64 bits long; however, 8 of those bits are used for parity, so the
effective key size is 56 bits. DEA is the algorithm used by the DES standard, so it has the same
true key size of 56 bits: DEA is the algorithm, while DES is actually the standard. The industry
calls it DES because that is easier.

63. Why would a certificate authority revoke a certificate?

A. The user uses the PEM model that utilizes a web of trust
B. The public key of the user has been compromised
C. The user has moved to a different location
D. The private key of the user has been compromised

ANSWER: D

Explanation: The authority revokes a certificate to warn people who use that person's public
key that they should no longer trust it, because the public key is no longer bound to the
identity of that particular individual. The reason could be that an employee has changed his or
her name or left the company and needs a new certificate. In most cases, it happens because the
person's private key has been compromised.

64. What are the five phases of business continuity planning according to ISACA?

A. Analyze business impact, develop strategy, develop plan, plan testing, implement
B. Analyze business impact, develop plan, implement, plan testing, write the plan
C. Analyze business impact, write the plan, test strategy, develop plan, implement
D. Analyze business impact, develop strategy, develop plan, implement, plan testing

ANSWER: D

Explanation: Notice that business impact is always the first step. Then criteria are selected to
guide the strategy selection. A detailed plan is written using the strategy. The written plan is
then implemented. After implementation, the plan and staff are tested for effectiveness. The
plan is revised, and then the testing and maintenance cycle begins.

65. Which identity management technology could be considered to meet some of the company's
needs?

A. Digital identity provisioning
B. Active directory
C. LDAP directories for authoritative sources
D. Federated identity

ANSWER: D

Explanation: With federated identity, the company and its partners can share customer
authentication information. When a customer authenticates to a partner website, the retail
company can receive that authentication information. Therefore, when visiting the retail
company's website, the customer needs to submit less user profile information, and the number
of steps in the purchase process is reduced. This type of functionality and structure becomes
feasible when the companies possess and share the same or similar settings of the federated
identity management software under an agreed trust model.

66. Positive pressurization pertaining to ventilation implies:

A. Air comes in when a door opens
B. The power supply is disabled when a fire takes place
C. The smoke is diverted to one room when a fire takes place
D. The air goes out when a door opens

ANSWER: D

Explanation: Positive pressurization implies that the air goes out when a door is opened; air
from outside does not enter. If the doors of a facility were opened while it was on fire,
positive pressure would cause the smoke to exit rather than be pushed back inside the building.

67. A category of controls not belonging in a physical security program is:

A. Response and detection
B. Deterrence and delaying
C. Delaying and lighting
D. Assessment and detection

ANSWER: C

Explanation: Response, detection, deterrence, delaying, and assessment should make up any
physical security program; "delaying and lighting" is not one of its categories of controls.

68. An administrative control that does not pertain to emergency procedures is:

A. Awareness and training
B. Intrusion detection systems
C. Delegation of duties
D. Drills and inspections

ANSWER: B

Explanation: Apart from intrusion detection systems, all the other controls correlate directly
with proper emergency procedures. Management needs to make sure that these controls are in
place, properly tested, and implemented. Intrusion detection systems are physical or technical
controls, not administrative ones.

69. What does it default to if an access control does not have a fail-secure property?

A. No access
B. Being unlocked
C. Being locked
D. Sounding a remote alarm and not a local alarm

ANSWER: B

Explanation: If an access control has a fail-safe setting, a power disruption that affects the
automated locking system leaves the doors unlocked by default. A fail-secure configuration, in
contrast, implies that if there were any problems with power, a door would default to being
locked.

70. A system that is not considered as a delaying mechanism is:

A. Defense-in-depth measures
B. Locks
C. Access controls
D. Warning signs

ANSWER: D

Explanation: Each physical security program needs delaying mechanisms, whose objective is to
slow down an intruder so that security personnel can be alerted and arrive at the scene.
Warning signs are not delaying controls but deterrence controls.

71. The two common types of proximity identification devices are:

A. Swipe card devices and passive devices
B. Biometric devices and access control devices
C. User-activated devices and system sensing devices
D. Preset code devices and wireless devices

ANSWER: C

Explanation: With a user-activated system, the user needs to enter a code or swipe the card
through the reader. With a system sensing device, the presence of the card is recognized and
communicated without the user having to perform any activity.

72. The goal of the strategy planning phase is to:

A. Select a response to cover every situation
B. Pick up a vendor that offers the best solution
C. Fulfill the interests of all the stakeholders to their satisfaction
D. Recognize time windows and minimum service

ANSWER: D

Explanation: The main goal of this phase is to recognize the time window that is available and
the minimum service required for recovery. A specific product or vendor should never be
involved in this discussion. The objective is to force the development of a specific
specification and then find solutions that fit it.

73. With respect to the properties of facility construction, which of these are correct?

1. For various types of attacks and explosives, the calculation of approximate penetration
time depends on the thickness of the concrete walls and the gauge of the rebar
2. Thick rebar, properly placed in the concrete, gives effective protection
3. Rebar, reinforced walls, and double walls can be utilized as delaying mechanisms
4. Rebar are steel rods encased in concrete

A. 3
B. 1, 2
C. All are correct
D. None is correct

ANSWER: C

Explanation: For various types of attacks and explosives, the calculation of approximate
penetration time depends on the thickness of the concrete walls and the gauge of the rebar
(steel rods encased in concrete are referred to as rebar). Therefore, the time to break or cut
the rebar would be long. Thick rebar, properly placed in the concrete, gives effective
protection. Rebar, reinforced walls, and double walls can be utilized as delaying mechanisms:
an intruder will take a long time to break through two reinforced walls, so the response force
gets enough time to reach the location and stop the intruder.

74. The relationship between acceptable risk level, a risk analysis, countermeasures, baselines,
and metrics can be best defined as:

A. The output of risk analysis is used to determine the required countermeasures. From
these countermeasures, baselines are derived. To track the performance of the
countermeasures and make sure that baselines are met, metrics are used.
B. The output of risk analysis is used to inform management and set an acceptable risk
level. From this level, baselines are derived. To track the performance of
countermeasures and make sure baselines are met, metrics are used.
C. The output of risk analysis is used to inform management and set baselines. From these
baselines, an acceptable risk level is derived. To track the performance of
countermeasures and make sure baselines are met, metrics are used.
D. The output of risk analysis is used to inform management and set an acceptable risk
level. From the metrics, baselines are derived. To track the performance of
countermeasures and make sure baselines are met, metrics are used.

ANSWER: B

Explanation: To perform a risk analysis, the physical security team identifies the threats,
vulnerabilities, and business impacts of the organization. The team presents these findings to
management and works with them to define an acceptable risk level for the physical security
program. Baselines and metrics are then developed for evaluating whether the countermeasures
meet the baselines. After this, the team should continually evaluate and express countermeasure
performance in the previously created metrics, and compare the performance values with the
baselines set. The security program is successful when the baselines are continually maintained,
because then the acceptable risk level of the organization is not being exceeded.

75. When installing intrusion detection and monitoring systems, which of the following is not a
drawback?

A. Expensive installation
B. No penetration
C. Human response requirement
D. Subject to false alarms

ANSWER: B

Explanation: Monitoring and intrusion detection systems are expensive, require someone to
respond when they set off an alarm, and, because of their level of sensitivity, can cause several
false alarms. Like any other type of technology or device, they have their own vulnerabilities
that can be exploited and penetrated.

76. A cipher lock is a lock that uses:

A. Cryptographic keys
B. A key that cannot be reproduced
C. A token and perimeter reader
D. A keypad

ANSWER: D

Explanation: Also known as programmable locks, cipher locks make use of keypads for
controlling access into a facility or an area. They may need a card to swipe and a combination
that is specifically entered into the keypad.

77. What does it mean if a cipher lock includes a door delay option?

A. The alarm goes off when a door remains opened for a specific period.
B. The lock can be opened only in emergency situations.
C. It supports the capability of hostage alarm.
D. It supports the capability of supervisory override.

ANSWER: A

Explanation: When a door remains open for a long period, the security guard needs to be
alerted. This may indicate that something other than a person entering or exiting through the
door is taking place. A threshold is set in the security system so that an alarm sounds if the
door remains open beyond the specified time period.

78. The difference between a tumbler and warded lock is best described as:

A. As compared to warded lock, a tumbler lock is easier to circumvent
B. A warded lock makes use of internal cylinders, while a tumbler lock makes use of an
internal bolt
C. As compared to a warded lock, a tumbler lock has more components
D. A tumbler lock is used internally, while a warded lock is primarily used externally

ANSWER: C

Explanation: As compared to a warded lock, a tumbler lock includes more parts and pieces. When
the key fits into the cylinder, the metal pieces of the lock are raised to the right height so
that the bolt can slide to the locked or unlocked position. A warded lock is simpler to
circumvent than a tumbler lock.

79. Light-frame construction material is utilized in building the internal walls of a company’s
facility. There are some concerns about this material. Why?

1. The least protection against fire is provided
2. The least protection against forcible attempts of entry is provided
3. It is of noncombustible nature
4. The least protection is provided to mount walls and windows

A. 1, 2
B. 1, 3
C. 2, 3, 4
D. 2, 3

ANSWER: A

Explanation: This material offers the least protection against forcible entry attempts and
fire. It contains untreated lumber, which would be combustible in a fire. The material is
generally used for building homes, as it is cheap and homes face fewer intrusion and fire
threats than office buildings.

80. When a post-implementation enterprise resource management system review is done, an IS
auditor generally:

A. reviews the configuration of access control
B. evaluates interface testing
C. reviews the documentation of the detailed design
D. evaluates system testing

ANSWER: A

Explanation: As the first step, the auditor reviews the access control configuration to
determine whether security has been mapped appropriately in the system. The review is performed
once user acceptance testing and actual implementation are complete; therefore, reviewing the
detailed design documentation and evaluating interface testing would no longer apply.

81. The most reliable form of single factor personal identification is:

A. Password
B. Smart card
C. Iris scan
D. Photo identification

ANSWER: C

Explanation: Identification and verification can be performed with confidence because no two
irises are the same. It cannot be guaranteed that the correct person is using a smart card,
because it can be stolen, shared, or lost and found. Passwords can be shared or, if written
down, discovered. Photo IDs can be falsified or forged.

82. When reviewing the controls of a database, an IS auditor found that a set of procedures
was used to handle changes during normal working hours, whereas after normal hours these
changes required only a reduced number of steps. Which of the following would be considered an
appropriate compensating control in this situation?

A. Make changes with the user account of the database administrator (DBA).
B. Allow database changes once access to a normal user account is granted.
C. Make database changes, log them, and the next day review the change log with
the user account of the DBA.
D. Make database changes, log them, and the next day review the change log with
the normal user account

ANSWER: C

Explanation: Generally, a DBA user account is set up to log all changes, which is most suitable
for changes made outside normal hours. The changes can then be reviewed using the change log
that records them. Without logging, the DBA user account would allow uncontrolled changes to
the databases as soon as account access is obtained, and an unrestricted normal user account
would likewise permit uncontrolled changes to all databases. The log alone only provides
information on changes; it does not restrict the authorized changes. Therefore, logging together
with review creates a suitable set of compensating controls.

83. A DSS or decision support system:

A. Aims to solve problems that are highly structured
B. Combines models with retrieval functions and nontraditional data access
C. Emphasizes flexibility in the users' approach to decision making
D. Supports decision making tasks that are structured

ANSWER: C

Explanation: A DSS emphasizes flexibility in the user's approach to decision making. Its
objective is to solve less structured problems by combining analytic models and techniques with
traditional data access and retrieval functions. It supports semi-structured decision-making
tasks.

84. To manage a cyberattack risk, the first step is to:

A. Evaluate the likelihood of threats
B. Assess the vulnerability impact
C. Estimate potential damage
D. Identify critical information assets

ANSWER: D

Explanation: To manage the risk, the first step is to identify and classify assets or critical
information resources. After this, threats and vulnerabilities are identified and potential
damages are calculated.

85. The human resources (HR) department has developed a system that lets employees enroll for
benefits through a website on the corporate intranet. Which of the following protects data
confidentiality?

A. Two-factor authentication
B. Secure Socket Layer (SSL) encryption
C. IP address verification
D. Encrypted session cookies

ANSWER: B

Explanation: The only option that can provide data confidentiality is SSL encryption. The other
options help with issues of authentication.

86. While auditing the logical access controls of an enterprise resource planning (ERP)
financial system, an IS auditor discovered that some user accounts were being shared by more
than one user. The user IDs had been created on the basis of roles rather than individual
identities. These accounts could be used to access the ERP financial transactions. In this
situation, the IS auditor should:

A. Review the logs of financial transactions
B. Find compensating controls
C. Ask to disable these accounts
D. Review the audit scope

ANSWER: B

Explanation: To establish accountability, the best access control is to create a user ID for
every user, that is, a one-to-one relationship between users and IDs. However, if the IDs have
been created on the basis of role designations, the auditor must first understand the objective
behind this before evaluating the effectiveness of the controls.

87. An IS auditor is evaluating the test results of a modification to a system that performs
payment calculations. The auditor discovers that 50% of the computations do not match the
predetermined totals. Most likely, the next audit step would be to:

A. Identify variables that may have caused the test results to be inaccurate
B. Design further tests of the calculations that are in error
C. Document the results and prepare a report of findings, conclusions and
recommendations
D. Examine some of the test cases to confirm the results

ANSWER: D

Explanation: As the next step, the auditor should examine and confirm the cases with incorrect
computations. Further tests can then be performed and reviewed. Reports, findings, and
recommendations are not prepared until all results are confirmed.

88. The process that uses test data for a comprehensive test of program controls on a
continuous online basis is:

A. Base-case system evaluation
B. Test data/deck
C. Parallel simulation
D. Integrated test facility

ANSWER: A

Explanation: In a base-case system evaluation, test data sets are developed and used for
comprehensive testing of programs. This is done before acceptance and for periodic validation
to verify correct system operation. Test data/deck, on the other hand, simulates transactions
through the real programs. Parallel simulation is a process in which production data is
processed by computer programs that simulate the application's program logic. An ITF creates
fictitious entities in the database and processes test transactions along with live input.

89. A company has recently been downsized, and an IS auditor decides to test logical access
controls. In this context, what should be the auditor's main concern?

A. Management has the required and authorized access for users who have been
newly hired
B. The entire system access is appropriate and authorized for the role and
responsibilities of an individual
C. For granting or modifying access to individuals, access authorization forms are
used
D. For granting or modifying access to individuals, only the system administrator
has the authority

ANSWER: B

Explanation: If a company has downsized, a large number of personnel actions have taken place
over a comparatively short period. Some employees may be assigned new duties while retaining
some of their former ones, and a number of employees may lose their jobs. The IS auditor's
concern should be that appropriate segregation of duties is maintained, that access is limited
to what the employee's role and responsibilities require, and that the access of employees who
are no longer in the organization is revoked.

90. The selection of a recovery strategy should MOST likely depend on the:

A. restoration cost for the infrastructure and systems
B. availability of a recovery site
C. criticality of the business process
D. incident response process

ANSWER: C

Explanation: The criticality of the business process is the most important element when
selecting a recovery strategy. The criticality and risk levels of various business processes and
supporting applications are determined during the business impact analysis (BIA). The cost to
restore infrastructure and systems is not a primary consideration used to determine the
recovery strategy. This does not imply that cost is not a concern, but rather that the strategy is
first driven by what is required to keep the business operational in the case of disaster. The
availability of a recovery site is not a factor, but a result of, developing a recovery strategy. The
incident response process is required in every organization to deal with any type of incident;
however, the selection of a recovery strategy would not depend on the process.

91. To detect duplicate invoice records in an invoice master file, an IS auditor should use:

A. Generalized audit software (GAS)
B. Attribute sampling
C. Integrated test facility (ITF)
D. Test data

ANSWER: A

Explanation: With GAS, an IS auditor can review the complete invoice file for items meeting the
selection criteria. Attribute sampling, on the other hand, helps identify records that meet
specific conditions, but not duplicates: to detect duplicate records, the auditor needs to
check all items meeting the criteria. An ITF lets an IS auditor test transactions in the
production system, and test data verifies program processing.

92. An IS auditor makes observations about weaknesses in the tape management system that
exists at a datacenter. A few parameters are set for bypassing tape header records. The most
effective compensating control to handle this weakness is:

A. Supervisory review of logs
B. Regular back-up of tapes
C. Staging and job setup
D. Offsite storage of tapes

ANSWER: C

Explanation: If the IS auditor finds that there are effective staging and job setup processes,
this can be accepted as a compensating control. Supervisory review of logs is a detective
control; the other two are corrective controls.

93. An organization is planning to deploy an outsourced cloud-based application that is used to
track job applicant data for the human resources (HR) department. Which of the following
should be the GREATEST concern to an IS auditor?

A. The service level agreement (SLA) ensures strict limits for uptime and
performance
B. The cloud provider will not agree to an unlimited right-to-audit as part of the SLA
C. The SLA is not explicit regarding the disaster recovery plan (DRP) capabilities of
the cloud provider
D. The cloud provider's datacenters are in multiple cities and countries

ANSWER: D

Explanation: Having data in multiple countries is the greatest concern because HR applicant
data could contain personally identifiable information (PII). There may be legal compliance
issues if these data are stored in a country with different laws regarding data privacy. While the
organization would be bound by the privacy laws where it is based, it may not have legal
recourse if a data breach happens in a jurisdiction where the same laws do not apply.

94. As the first step, an IS auditor who is assessing logical access controls should:

A. Test controls over access paths for determining their functionality
B. Document the controls that have been applied to the possible access paths
to the system
C. Get an understanding of the security risks to information processing
D. Evaluate the security environment with respect to written policies and
practices

ANSWER: C

Explanation: To evaluate logical access controls, the auditor must first understand the
security risks to information processing, which is done by making inquiries, reviewing the
appropriate documentation, and performing a risk assessment. The next step is to document and
evaluate the controls in order to assess their adequacy and efficiency and thereby identify
deficiencies or redundancy. Testing the access paths is the third step, which includes
determining the functionality of the controls. Finally, the security environment is evaluated
for adequacy by observing and comparing practices with appropriate security best practices and
reviewing the written policies.

95. During a review of electronic data interchange (EDI) transactions, an IS auditor finds
unauthorized transactions. Most likely, the auditor would recommend improving the:

A. Physical controls for terminals
B. EDI trading partner agreements
C. Program change control procedures
D. Authentication techniques to send and receive messages

ANSWER: D

Explanation: Option D is correct because authentication techniques for sending and receiving
messages play an important role in minimizing the exposure to unauthorized transactions. An
EDI trading partner agreement helps in minimizing exposure to legal issues.

96. Which of the following is true with respect to digital signatures?

A. Offers message encryption
B. Needs the use of a one-time password generator
C. Ensures the confidentiality of the message
D. Validates the message source

ANSWER: D

Explanation: Digital signatures help verify the sender’s identity but do not offer message
encryption and are therefore not sufficient for ensuring confidentiality. A one-time password
generator is another option; however, it is not necessary for the use of digital signatures.

97. An e-commerce application is running on a local network, processing electronic fund
transfers (EFT) and orders. To prevent loss of data integrity or confidentiality in such cases, the
best action would be to:

A. Use virtual private network (VPN) tunnels to transfer data
B. Audit the access control to the network
C. Enable data encryption within the application
D. Log all changes to access lists

ANSWER: A

Explanation: In such cases, the best method to prevent loss of data integrity or confidentiality
is to encrypt the data using VPN tunnels. Data encryption within the application is less
efficient than a VPN.

98. One can validate operating standards and procedures by:

A. Observing the operation of the datacenter
B. Reviewing operating manuals
C. Testing a sample of transactions
D. Interviewing operations management

ANSWER: A

Explanation: The most objective way to collect evidence for validating operating procedures is
to observe the operations.

99. Which among these restricts users to the functions required to perform their duties?

A. Data encryption
B. Application-level access control
C. Network monitoring device
D. Disabling floppy disk drives

ANSWER: B

Explanation: Application-level access control programs work best for management control, as
they restrict users to the functions required to perform their duties. Disabling floppy disk drives
and data encryption are not the best choices, as they can only restrict users from a specific
function. A network monitoring device is a detective control.

100. Without using computer tools or programs, a hacker can get passwords using:

A. Sniffers
B. Social engineering
C. Trojan horses
D. Back doors

ANSWER: B

Explanation: A hacker can use social engineering, which depends on users divulging private
information through interviews, dialogues, and inquiries. During this, a user may be careless
with their own personal data or with the personal data of someone else. On the other hand, a
sniffer is a program for monitoring network traffic. Trojan horses pretend to be legitimate
programs; their real functionality is not authorized and is generally malicious. Back doors are
programs left by hackers to exploit vulnerabilities.

101. In an insurance company, an IT executive approached an external auditor to evaluate the
user IDs (fire call IDs) used during emergency access. The auditor discovered that those accounts
were granted without any specific expiration date. In this case, the auditor should recommend:

A. implementing an identity management system (IMS)
B. reviewing the process of access control privilege authorization
C. granting fire call accounts to managers only
D. enhancing procedures for auditing changes made to sensitive customer data

ANSWER: B

Explanation: In such situations, the IS auditor should recommend reviewing the access control
management process. Emergency system administration-level access should be granted only as
and when required, and such accounts should be configured with a specific expiration date.
Strong controls are required for accounts with temporary privileges to limit the lifetime of the
privileges, and the use of these accounts should be monitored closely.

102. An IS auditor is performing a review of the disaster recovery hot site used by a financial
institution. Which of the following will be of GREATEST concern?

A. System administrators use shared accounts which never expire at the hot site
B. Disk space utilization data is not kept current
C. Physical security controls at the hot site are less robust than at the main site
D. Servers at the hot site do not have the same specifications as at the main site

ANSWER: B

Explanation: Not knowing how much disk space is in use and therefore how much is needed at
the disaster recovery site could create major issues in the case of a disaster. While it is not a
best practice for security administrators to share accounts that do not expire, the greater risk in
this scenario would be running out of disk space. Physical security controls are important and
this would be a concern, but the more important concern would be running out of disk space.
The particular physical characteristics of the disaster recovery site may call for different controls
that may appear to be less robust than at the main site; however, such a risk could be addressed
through policy and procedures or by adding additional personnel if needed. As long as the
servers at the hot site are capable of running the programs that are required in a disaster
recovery situation, the precise capabilities of the servers at the hot site are not a major risk.

103. The most effective and environment-friendly method to suppress a fire in a datacenter is:

A. Wet-pipe sprinklers
B. Halon gas
C. Carbon dioxide gas
D. Dry-pipe sprinklers
ANSWER: D

Explanation: With an automatic power shutoff system, water sprinklers become efficient, as they
can release automatically with no threat to life. In addition, water is environment friendly. The
dry-pipe design prevents the risk of leakage. Halon is effective because it does not threaten
human life; as a result, it can also be set for automatic release. However, it is not friendly to
the environment and is costly, so using a full Halon system is not possible. Carbon dioxide is an
acceptable gas, but it is not very efficient, as it cannot be set to automatic release because it
threatens life.

104. When reviewing access control in a client-server environment, an IS auditor finds that
users can access all printing options. In this situation, the IS auditor will most likely conclude
that:

A. All users can print any report at any time and therefore, operating efficiency is
enhanced.
B. Information is available to unauthorized users and therefore, exposure is
greater.
C. There is a smooth information flow among users and therefore, user friendliness
and flexibility is facilitated.
D. Information is easily available and therefore, operating procedures are more
effective.
ANSWER: B
Explanation: All forms of information need to be protected from all types of unauthorized users.
An exposure results when there is unrestricted access to the report option. In this situation,
effectiveness and efficiency are not important. Information can be spread outside the
organization, and greater control over reports is not achieved because the print options include
printing to an electronic file. Therefore, a data loss prevention (DLP) mechanism needs to be
used as an additional control.

105. An IS auditor is reviewing access controls for a manufacturing organization. During the
review, the IS auditor discovers that data owners have the ability to change access controls for
a low-risk application. The BEST course of action for the IS auditor is to:

A. recommend that mandatory access control (MAC) be implemented
B. report this as an issue
C. report this issue to the data owners to determine whether it is an exception
D. not report this issue since discretionary access controls (DACs) are in place

ANSWER: D

Explanation: DAC allows data owners to modify access, which is a normal procedure and is a
benefit of DAC. Recommending MAC is not correct because it is more appropriate for data
owners to have DAC in a low-risk application. The use of DAC may not be an exception and,
until confirmed, should not be reported as an issue. While an IS auditor may consult with data
owners regarding whether this access is allowed normally, the IS auditor should not rely on the
auditee to determine whether this is an issue.

106. The possible effect of social engineering attacks can be reduced by:

A. promoting ethical understanding
B. compliance with regulatory requirements
C. effective performance incentives
D. security awareness programs

ANSWER: D

Explanation: Social engineering depends on deceiving users. Therefore, the best defense is a
security awareness program. The other options are not user-focused.

107. The option that will reduce social engineering incidents most effectively is:
A. Increased physical security measures
B. Security awareness training
C. Intrusion detection systems
D. E-mail monitoring policy

ANSWER: B

Explanation: Social engineering exploits human nature and weaknesses to obtain access rights
and information. With an increase in employee awareness of security issues, the number of
social engineering incidents can be reduced. Generally, these incidents do not need the
intruder’s physical presence; as a result, increased physical security measures would not
prevent the intrusion. An e-mail monitoring policy informs users that all e-mails are subject to
monitoring, but it does not protect users from intruders and potential security incidents.
Intrusion detection systems are used for detecting abnormal or irregular traffic patterns.

108. The biometric with the lowest false-acceptance rate (FAR) and highest reliability is:

A. Face recognition
B. Palm scan
C. Hand geometry
D. Retina scan

ANSWER: C

Explanation: Retina scanning is the best and most reliable technology, as it uses optical
technology to map the capillary pattern of the retina of an eye. Palm scanning requires the user
to place a hand on a scanner, which captures the physical characteristics of the palm. Hand
geometry is one of the oldest techniques; it takes a three-dimensional perspective by measuring
the physical characteristics of the user's hands and fingers. The geometry data of the palm and
hand biometric techniques are not unique. With face biometrics, images are captured for
common facial characteristics. Although it is a friendly and natural biometric, its drawback is
that it is not unique.

109. The correct access control procedure is:

A. An IS manager and the data owner create and make updates to the user
authorization tables.
B. The user authorization tables are implemented by authorized staff members and
approved by the data owner.
C. The user authorization tables are created and updated by the data owner.
D. Access is formally authorized by the data owner, and the user authorization
tables are implemented by an administrator.

ANSWER: D

Explanation: The data owner is responsible for formally authorizing the access rights. The user
authorization tables are then implemented or updated by an IS administrator.

110. A lack of suitable security controls represents:

A. Asset
B. Threat
C. Vulnerability
D. Impact

ANSWER: C

Explanation: A lack of suitable security controls represents a vulnerability, as it exposes data
and sensitive information to the risk of attack, malicious damage, or unauthorized access. As a
result, sensitive information may be lost, which can lead to a loss of goodwill for the company.
The Guidelines for the Management of IT Security, published by the International Organization
for Standardization (ISO), provide a succinct definition of risk: the “potential that a given threat
will exploit the vulnerability of an asset or group of assets to cause loss or damage to the
assets.” Its elements are threat, vulnerability, impact, and asset. In this context, a lack of
suitable security functionality is a vulnerability.

111. An IS auditor has been assigned to conduct a test that compares job run logs to computer
job schedules. Which of the following observations would be of the GREATEST concern to the IS
auditor?

A. There are a growing number of emergency changes
B. There were instances when some jobs were not completed on time
C. There were instances when some jobs were overridden by computer operators
D. Evidence shows that only scheduled jobs were run

ANSWER: C

Explanation: The overriding of computer processing jobs by computer operators could lead to
unauthorized changes to data or programs. This is a control concern; thus, it is always critical.
The other options are not as critical because issues such as processing delays, errors or even
emergency changes are acceptable as long as they are properly documented as part of the
process.

112. The originator of a transaction is effectively verified by:

A. Encrypting the transaction using the public key of the receiver
B. Using a secret password between the originator and receiver
C. Signing the transaction digitally using the private key of the source
D. Using a portable document format (PDF) for encapsulating the content of the transaction

ANSWER: C

Explanation: A digital signature is created with a public key algorithm and represents an
electronic identification of a person. It is used to verify to a recipient the identity of the
transaction source and the integrity of the content. Passwords are a “shared secret” between the
system and the user and therefore represent a weaker means of authentication. Using the public
key of the recipient to encrypt the transaction provides data confidentiality, while a PDF
protects the integrity of the content but not necessarily its authorship.

113. In a new business intelligence project, an IS auditor finds that expanded needs and time
constraints are the root causes of violations of the corporate data definition standards. In this
case, the most suitable suggestion for the auditor would be to:

A. Delay the project until standards compliance can be achieved
B. Align the data definition standards after the project is completed
C. Adopt punitive measures against violators to enforce standards compliance
D. Align the standards by increasing the resources of the project

ANSWER: D

Explanation: Provided that the technical, data architecture, and operational needs are correctly
documented, the standards alignment can be treated as a specific work package assigned to
new project resources. Using nonstandard data definitions would decrease the efficiency of the
new development and increase the risk of errors in important business decisions.

114. The IS auditor is reviewing prior findings from an IT audit of a hospital. One finding
indicates the organization was using e-mail to communicate sensitive patient issues. The IT
manager indicates that to address this finding, the organization has implemented digital
signatures for all e-mail users. What should be the IS auditor's response?
A. Digital signatures are not adequate to protect confidentiality
B. Digital signatures are adequate to protect confidentiality
C. The auditor should gather more information about the specific implementation
D. The auditor should recommend implementation of digital watermarking for
secure e-mail

ANSWER: A

Explanation: Digital signatures are designed to provide authentication and nonrepudiation for
e-mail and other transmissions, but are not adequate for confidentiality. This implementation is
not adequate to address the prior year's finding. Digital signatures do not encrypt message
contents, which means that an attacker who intercepts a message can read the message since
the data are in plain text.

115. When responding to a crisis, the qualifications of the incident commander are:

A. First responder
B. Member of management
C. First person on scene
D. Trained crisis manager

ANSWER: C

Explanation: The incident commander is the first person on the scene, irrespective of position
or rank. Depending on the situation, the incident commander may be relieved by someone with
more or less experience. Throughout the crisis, the incident commander will change.

116. An auditor’s concern that needs to be explained in the audit report along with the findings is:

A. The current auditor's need to communicate with the prior auditor
B. A detailed list of audit objectives
C. Communicating the results directly to the audit committee chairperson
D. Undue restrictions from management on audit procedures or on the use of evidence

ANSWER: D

Explanation: Management should not place restrictions on the auditor.

117. The indicators that are used for identifying loss at a given time and the anticipated level of
recovery are:

A. RPO and ITO
B. RTO and SDO
C. SDO and IRO
D. RPO and RTO

ANSWER: D

Explanation: The recovery point objective (RPO) indicates the duration of the loss and the
fallback position. An example is recovering using the backup data from last night's backup tape,
which means that the most recent transactions are lost. The recovery time objective (RTO)
indicates the point in time at which the restored data is available for user access.

118. The biggest concern with respect to asset disposal is:

A. Employees taking disposed property home
B. Residual asset value
C. Environmental regulations
D. Standing data

ANSWER: D

Explanation: Any standing data must be eliminated from the equipment before its disposal.
Standing data is any information recoverable from a device by any means.

119. The most important issue to be considered with respect to insurance coverage is:

A. Premiums can be very costly
B. Salvage, and not replacement, may be dictated
C. Insurance can pay for all recovery costs
D. Coverage must consist of all business assets

ANSWER: B

Explanation: The insurance company may dictate salvage to save money, which increases the
delay before recovery. Any replacement purchases the company makes may not be covered
under the reimbursement.

120. Digital signatures provide additional protection for electronic messages by determining:

A. Message sender verification
B. Message deletion
C. Message read by an unauthorized party
D. Message modification

ANSWER: A

Explanation: Digital signatures offer assurance of the authenticity of the e-mail sender. They
utilize the sender’s private key for verifying identity.

121. Whether continuity planners are capable of creating plans without a business impact
analysis (BIA) is indicated by:

A. Not possible; critical processes change constantly
B. All key processes to be used are already dictated by management
C. Risk assessment is sufficient
D. A business impact analysis is not needed

ANSWER: A

Explanation: Creating business continuity plans is not possible without a current Business
Impact Analysis (BIA), which identifies the critical processes and their dependencies. These
processes change as the business takes on new customers and products.

122. In a small environment, segregation of duties may not be feasible. Only one employee
might be performing both functions of an application programmer and server operator. In such
cases, an IS auditor should recommend controls for:

A. Procedures verifying that only approved program changes are implemented
B. Automated logging of changes made to development libraries
C. Employing additional technical staff to enforce segregation of duties
D. Automated controls preventing the operator logon ID from making changes to the
program

ANSWER: A

Explanation: Procedures should be implemented to ensure that only approved program changes
are implemented. The aim of separating duties is to prevent intentional or unintentional
errors. Even if only one person performs both jobs, a logical separation of duties may still exist.
The final aim is to ensure that someone else has reviewed and approved a change before its
implementation.

123. What are the five phases of business continuity planning according to ISACA, for use on the
CISA exam? (Select the answer showing the correct phases and order)

A. Analyze business impact, develop strategy, develop plan, implement, test plan
B. Analyze business impact, develop strategy, develop plan, test plan, implement
C. Analyze business impact, develop plan, implement, test plan, write the plan
D. Analyze business impact, write the plan, test strategy, develop plan, implement

ANSWER: A

Explanation: Notice that analyzing the business impact is always the first step. Then criteria are
selected to guide the strategy selection. A detailed plan is written by using the strategy. The
written plan is then implemented. After implementation, the plan and staff are tested for
effectiveness. The plan is revised, and then the testing and maintenance cycle begins.

124. With the use of public-key infrastructure (PKI) encryption, the sender uses which key for
the receiving party authentication?

A. Recipient’s private key
B. Sender’s private key
C. Recipient’s public key
D. Sender’s public key

ANSWER: C

Explanation: The public key of the recipient is used for encrypting a file that can be read only by
the recipient. The private key of the sender gives authenticity, while the public key gives
integrity. The key’s role depends on the transaction direction. When the original recipient
replies with a different message, the roles reverse and thereby the sender’s role is assumed.

125. The audit tool that inserts dummy transactions into the normal processing of a system is:

A. Snapshot
B. Integrated test facility (ITF)
C. Continuous and intermittent simulation (CIS)
D. Program audit hooks

ANSWER: B

Explanation: Using an embedded audit module, also known as an integrated test facility, an
auditor can create a set of dummy transactions that is processed along with genuine
transactions. The auditor then compares the output data with their own calculations. This allows
substantive testing to take place without any disruption to the normal processing schedule.

126. An auditor’s greatest concern when examining the roles and responsibilities of IT personnel
is when an IT member:

A. Monitors the performance of the system, makes the required program changes and
tracks all resultant problems
B. Reviews the workload requirements of the current server and predicts the future
needs
C. Works with the user directly for improving the performance and response times
across the network
D. Assesses the current procedures effectiveness and suggests improvements

ANSWER: A

Explanation: Separation of duties prevents a person from authorizing their own changes or
monitoring their own work. Self-authorization and self-monitoring are a problem because they
violate the intention of IT governance. The auditor would need to examine whether the change
control board formally reviewed and approved the changes before implementation.

127. The primary concern of the auditor when auditing the use of encryption is:

A. Strength of the encryption algorithm
B. Management's control over the use of encryption
C. The key sizes used in the encryption and decryption process
D. The use of the correct encryption method for compliance

ANSWER: B

Explanation: How management controls the encryption use is the most important concern. It
needs to be checked if the encryption is managed under a complete life cycle governing the
creation of keys, keys storage, proper authorization of keys, the correct use of keys using the
correct algorithm, the keys usage tracking, keys reuse or archival, keys retirement, and finally
their destruction once all legal obligations are met.

128. The backup method that should be used on computer files before a forensic investigation
is:

A. Differential
B. Logical
C. Bit stream
D. Full

ANSWER: C

Explanation: Bit stream imaging, also known as physical imaging, is the only backup method
that records deleted files along with the contents of swap and slack space. The other methods
do not capture important files that may be required as evidence.

129. The hierarchy of controls from highest level to lowest level is represented as:

A. Detailed, pervasive, application, detailed
B. Pervasive, general, application, detailed
C. General, pervasive, detailed, application
D. Application, general, detailed, pervasive

ANSWER: C

Explanation: General controls are the highest class of controls, applicable to everyone within a
company. Pervasive controls signify the protection necessary whenever the technology is being
used. IS controls are pervasive in all departments that use computers. Irrespective of who is in
charge, these controls need to ensure availability and integrity. Detailed controls stipulate the
execution procedure. Application controls work at the lowest level and are built into the
software or govern its use. If the higher-level controls are absent, application controls are
compromised.

130. The key used for public key cryptography decryption for providing authentication of the
person that is transmitting the message is:

A. Recipient’s private key
B. Sender’s private key
C. Recipient’s public key
D. Sender’s public key

ANSWER: D

Explanation: The public key of the sender offers authentication from where the message has
come. A private key offers confidentiality.

131. In the third phase of incident response, the main objective is:

A. Lessons learned
B. Containment
C. Analysis
D. Eradication

ANSWER: B

Explanation: The incident handling phases are preparation; detection and analysis; containment,
eradication and recovery; and post-incident activity, including lessons learned.

132. After the report is presented at the end of the audit, the lead auditor finds that a procedure
was omitted. As the next step, the auditor should:

A. Cancel the report if audit alternatives are not able to compensate for the deficiency
B. Log on to www.naukri.com and change the employment status to available
C. Do nothing as long as the omitted procedure is included in the next audit
D. File an incident disclosure report with the audit association to minimize any
liability

ANSWER: B

Explanation: The audit alternatives need to be reviewed to determine whether they can
compensate for the omission. The auditor should cancel the report if the audit alternatives
cannot compensate for the shortfall and the omitted procedures would change the outcome.

133. The management method that provides the greatest control and not discretionary
flexibility is:

A. Centralized
B. Distributed
C. Outsourced
D. In-house

ANSWER: A

Explanation: The greatest control is always provided by centralized management. Also known
as discretionary, distributed management allows local decisions that depend on various factors.
The lowest overall control is provided by distributed methods.

134. Verification during a tape backup is an example of:

A. Administrative control
B. Corrective control
C. Detective control
D. Preventative control

ANSWER: C

Explanation: Performing a data backup to tape is a preventative control for preventing data
loss. The verification function is detective, as it detects any inconsistencies between the hard
disk and the tape; any problem found must be fixed manually. Verification and audits are
always detective controls.

135. With respect to the control objectives of IT governance, the occurrence that the auditor
would be least concerned about when executing the audit is:

A. Using proper change control
B. Practicing self-monitoring for reporting problems
C. Managing conflicts in the existing reporting relationship
D. Considering a production system without accreditation

ANSWER: A

Explanation: For the auditor, the use of proper change control is of least concern; the auditor
needs to review the change control procedures for separation of duties. The other options
signify violations that necessitate further investigation.

136. Which of the following is NOT one of the main methods used for implementing detective
controls, physical controls, and corrective controls?

A. Logical
B. Legal
C. Administrative
D. Physical

ANSWER: B

Explanation: The primary implementation method is not legal. Physical, logical (technical), and
administrative methods are used to implement controls. Administrative methods consist of
policies, laws, contracts, and procedures. A combination of logical, physical, and administrative
methods helps in getting legal compliance.

137. Which of the statements below is correct with respect to a software worm?

A. It is a synonym for a virus
B. It needs to be executed by opening a file
C. It attaches itself to data and programs when files are opened and closed
D. It travels freely across the network to infect other systems

ANSWER: C

Explanation: Contrary to a virus, a worm can travel freely to infect other systems. It has the
capability to infect files without the file being opened or closed.

139. The technique used to store and transmit a symmetric encryption key is:

A. Generating a unique encryption key
B. Key rotation
C. Generating a shared encryption key
D. Key wrapping

ANSWER: D

Explanation: Key wrapping is used to protect encryption keys while they are stored and
transmitted. Users should never be given access to encryption keys.

140. The situation that does not show a reporting conflict is:

A. Employees report a violation to their boss, who also manages compliance
B. The information security manager reports to internal auditors
C. Reporting and self-monitoring of violations happen
D. IT security reports to the chief information officer

ANSWER: B

Explanation: It is a conflict if IT security managers report their problems to internal auditors. If
an IT-related employee is required to report violations directly to their manager, it is a
conflict; some job pressures may exist to cover up problems. When your job requires reporting
violations to your superior, and that same authority is also responsible for compliance, a
built-in reporting conflict exists.

141. What is the purpose of a digital signature?

A. Electronic marker showing the recipient that a sender actually sent a document
B. Provides the recipient with a method of testing the document received from a
sender
C. Cyclic redundancy check to prove document integrity
D. Provides a copy of the sender’s public key along with the document

ANSWER: B

Explanation: An electronic signature is worthless unless the recipient actually tests the
signature by decrypting it. Electronic signatures should never be trusted by their presence.
Digital signatures must be tested by the recipient to verify their authenticity.

142. The best way of protecting encryption keys from being compromised is:

A. Utilizing a physically isolated system for generating the keys
B. Storing the keys in a key-vault-rated server
C. Limiting the use of individual keys
D. Changing the encryption keys every four months

ANSWER: C

Explanation: Limiting the use of encryption keys helps protect them from being compromised.
Separation of duties also applies to encryption keys: every encryption key should be used for a
specific purpose.

143. With respect to the management and auditor roles, which of the following statements is true?

A. Management must make their assertions before the auditor's report
B. Management makes use of the report before making assertions
C. The auditor's opinion will depend on what management desires
D. The auditor can see only evidence that management has predetermined

ANSWER: A

Explanation: Management must make their assertions before the report and independently of it.
The auditor then determines whether management's claims can be verified against the available
evidence.

144. During a business continuity audit, it is discovered that the business impact analysis (BIA)
was not performed. What would this indicate to the auditor?

A. The business continuity plan is likely to be a failure
B. The customer was able to get their plan in place without using the BIA technique
C. Risk analysis and their selection of the strategy fulfill their most important objectives
D. It is not necessary to perform a business impact analysis

ANSWER: A

Explanation: The business continuity (BC) plan is likely to fail. It would be nearly impossible for a
BC plan to work without first performing a business impact analysis (BIA). Nobody can protect
business processes they were unable to define in a formal specification (BIA report).

145. The functional difference between authentication and identification is:

A. Identification is a verified match, while authentication is only a claim
B. Identification is only a claim until it gets verified, while authorization is a match
C. Identification is only a claim, while authorization is a match
D. Identification is only a claim until verified, while authentication is a match

ANSWER: D

Explanation: Identification is only a claim that needs to be verified. Authentication occurs when
the claim matches the stored reference, which indicates that the identity is correct.

146. The best way to prove an auditor’s competence to perform an audit is:

A. Quoting each point in a regulation with a specific test and an audit aim
B. Prior experience working in information technology
C. Prior experience in financial auditing
D. Getting auditor certification with ongoing training

ANSWER: A

Explanation: Each auditor should create a list of all points contained in a regulation, citing every
point by page, paragraph, and line number. This list is used to explain how the audit process meets
its goal, and each item should have specific tests. If the audit test needs to be run again, a
subsequent auditor should find the same or similar results using your documentation.

147. The main objective of the ISACA audit standards and professional ethics publication is to:

A. Explain the professional duties you could follow when building your practice
B. Provide consistency without embarrassing you or our profession
C. Provide a sample reference the auditor may use during their audit without copyright
restrictions
D. Provide a comprehensive audit toolkit

ANSWER: B

Explanation: These publications aim to provide consistency. With the help of these standards, you
can better understand the auditor’s duties.

148. By performing which of the following actions will a Certified Information Systems Auditor
lose their certification?

A. Continuing participation in professional education
B. Educating the auditee regarding what is being looked at in the audit
C. Using or owning materials without a valid copyright license
D. Sharing blank audit checklists with the auditee

ANSWER: C

Explanation: They can lose their certification by using or owning materials without a valid
copyright license. Such a violation breaches both the law and the code of ethics.

149. The auditor provides the following function:

A. Independent assurance claiming management are correct
B. Second set of eyes, which are external with respect to the subject reviewed
C. Following standards for fitting the client needs
D. Help by fixing problems discovered during the audit

ANSWER: B

Explanation: The auditor is a paid impartial observer during an external or internal audit. The
other statements are not true: the auditor never takes ownership of the problems, and the client
may meet the standards (compliant) or may not meet them (not compliant).

150. When the system shuts down in an improper manner, a dump file is created. Generally,
what does it include that proves useful in forensic investigations?

A. History of all the processed user transactions
B. Contents from RAM memory
C. All user account information
D. System startup settings

ANSWER: B

Explanation: This file includes the contents of working memory (RAM) and the list of tasks that
were being processed. This special diagnostic file is very helpful during forensic investigations.

--------------------------------------------------------------------------------------------------------------------------
