1. Which of the following BEST describes the purpose or character of an audit charter?
A. An audit charter should be dynamic and change often to coincide with the changing nature of technology and the audit profession.
B. An audit charter should clearly state audit's objectives for the delegation of authority for the maintenance and review of internal controls.
C. An audit charter should document the audit procedures designed to achieve the planned audit objectives.
D. An audit charter should outline the overall authority, scope and responsibilities of the audit function.

2. Which of the following would NOT be a reason why an IS auditor would prepare a formal audit program?
A. To structure the IS auditor's own planning
B. To guide assistants in performing planned procedures
C. To provide audit documentation for review reference
D. To assess the overall risk of operations within the organization

3. In a risk-based audit approach, an IS auditor is not only influenced by risk but also by:
A. the availability of CAATs.
B. management's representations.
C. organizational structure and job responsibilities.
D. the existence of internal and operational controls.

4. The MAJOR advantage of the risk assessment approach over the baseline approach to information security management is that it ensures that:
A. information assets are overprotected.
B. a basic level of protection is applied regardless of asset value.
C. appropriate levels of protection are applied to information assets.
D. an equal proportion of resources is devoted to protecting all information assets.

5. Which of the following procedures would an IS auditor NOT perform during pre-audit planning to gain an understanding of the overall environment under review?
A. Tour key organization activities
B. Interview key members of management to understand business risks
C. Perform compliance tests to determine if regulatory requirements are met
D. Review prior audit reports

6. The use of risk assessment techniques will NOT help to determine the:
A. areas or business functions to be audited.
B. nature, extent and timing of audit procedures.
C. likely audit findings, conclusions and recommendations.
D. amount of time and resources to be allocated to an audit.

7. The primary purpose and existence of an audit charter is to:
A. document the audit process used by the enterprise.
B. formally document the audit department's plan of action.
C. document a code of professional conduct for the auditor.
D. describe the authority and responsibilities of the audit department.

8. Which of the following forms of evidence would be considered to be the MOST reliable when assisting an IS auditor in developing audit conclusions?
A. A confirmation letter received from a third party for the verification of an account balance
B. Assurance via a control self-assessment received from line management that an application is working as designed
C. Trend data obtained from World Wide Web (Internet) sources
D. Ratio analysis developed by the IS auditor from reports supplied by line management

9. Which of the following forms of evidence would be considered to be the MOST reliable?
A. An oral statement from the auditee
B. The results of a test performed by an IS auditor
C. An internally generated computer accounting report
D. A confirmation letter received from an outside source

10. Which of the following is the MOST likely reason why e-mail systems have become a useful source of evidence for litigation?
A. Poor housekeeping leads to excessive cycles of backup files remaining available.
B. Strong access controls establish accountability for activity on the e-mail system.
C. Data classification is often used to regulate what information should be communicated via e-mail.
D. Clear policy for using e-mail within the enterprise ensures that the right evidence is available.

11. Which of the following computer-based tools would assist an IS auditor when performing a statistical sampling of financial transactions maintained in a financial management information system?
A. Spreadsheet auditor
B. Parallel simulation
C. Generalized audit software
D. Regression testing

12. Which of the following would NOT be a use of generalized audit software programs?
A. Verifying calculations and totals
B. Performing intricate calculations
C. Selecting data that an auditor defines as unusual
D. Producing multiple reports and machine-readable output files

13. Which of the following BEST describes an integrated test facility?
A. A technique that enables the IS auditor to enter test data into a live computer run for the purpose of verifying correct processing
B. The utilization of hardware and/or software to review and test the functioning of a computer system
C. A method of using special programming options to permit printout of the path through a computer program taken to process a specific transaction
D. A procedure for tagging and extending transactions and master records that are used by an IS auditor for tests

14. Which of the following statements regarding test data techniques is TRUE?
A. It tests only preconceived situations.
B. It requires the use of a test data generator.
C. It requires a high degree of technical IS knowledge.
D. It requires limited computer time and clerical effort.

15. Which of the following statements regarding sampling is TRUE?
A. Sampling is generally applicable when the population relates to an intangible or undocumented control.
B. If an auditor knows internal controls are strong, the confidence coefficient may be lowered.
C. An example of attribute sampling would be to estimate the number of obsolete object code modules based upon a sample evaluation from the population of the object code library.
D. Variable sampling is a technique to estimate the rate of occurrence of a given control or set of related controls.

16. Which of the following is NOT an advantage of using CAATs?
A. Reduces the level of audit risk
B. Provides broader and more consistent audit coverage
C. Saves time for source data input
D. Improves exception identification

17. An important distinction an IS auditor should make when evaluating and classifying controls as preventive, detective or corrective is:
A. the point when controls are exercised as data flows through the system.
B. only preventive and detective controls are relevant.
C. corrective controls can only be regarded as compensating.
D. classification allows an IS auditor to determine which controls are missing.

18. Which of the following statements regarding an IS auditor's use of a continuous audit approach is TRUE?
A. A continuous audit approach is desirable because it does not require an IS auditor to collect evidence on system reliability while processing is taking place, thus allowing more flexibility in approach.
B. When employing a continuous audit approach it is important that the IS auditor review and follow up immediately on all information collected.
C. The use of continuous auditing techniques can actually improve system security when used in time-sharing environments that process a large amount of transactions.
D. Since continuous audit techniques do not depend on the complexity of an organization's computer systems, they are often used to detect control problems in very complex systems.

19. An IS auditor's substantive test reveals evidence of fraud perpetrated from within a manager's account. The manager had written his password, allocated by the system administrator, inside his drawer, which was normally kept locked. The IS auditor concludes that the:
A. manager's assistant perpetrated the fraud.
B. perpetrator cannot be established beyond doubt.
C. fraud must have been perpetrated by the manager.
D. system administrator could have perpetrated the fraud.

20. Which of the following statements pertaining to the determination of sample size is TRUE?
A. The larger the confidence level, the smaller the sample size
B. The larger the standard deviation, the larger the sample size
C. The smaller the precision amount, the smaller the sample size
D. Sample size is not affected by the expected error rate in the population

21. Which of the following would NOT normally be performed using CAATs?
A. Footing totals
B. Selecting testing samples
C. Reconciling account posting
D. Testing aging of receivables

22. To gain a full understanding of a LAN environment, an IS auditor should document all of the following functions EXCEPT:
A. LAN topology and network design.
B. technical support/help desk functions.
C. duties and responsibilities of the LAN administrator.
D. the various computer applications used on the LAN.

23. During a review of a customer master file an IS auditor discovered numerous customer name duplications arising from variations in customer first names. In order to determine the extent of the duplication the IS auditor would use:
A. test data to validate data input.
B. test data to determine system sort capabilities.
C. generalized audit software to search for address field duplications.
D. generalized audit software to search for account field duplications.

24. A manufacturing company has implemented a new client/server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following controls would BEST ensure that the orders are accurately entered and the corresponding products produced?
A. Verifying production to customer orders
B. Logging all customer orders in the ERP system
C. Using hash totals in the order transmitting process
D. Approving (production supervisor) orders prior to production

25. Which of the following would an IS auditor consider to be the BEST population to take a sample from when testing program changes?
A. Test library listings
B. Source program listings
C. Program change requests
D. Production library listings

26. Which of the following tests is an IS auditor performing when a sample of programs is selected to determine if the source and object versions are the same?
A. A substantive test of program library controls
B. A compliance test of program library controls
C. A compliance test of the program compiler controls
D. A substantive test of the program compiler controls

27. An integrated test facility is considered a useful audit tool because it:
A. is a cost-efficient approach to auditing application controls.
B. enables the financial and IS auditors to integrate their audit tests.
C. compares processing output with independently calculated data.
D. provides the IS auditor with a tool to analyze a large range of information.

28. The primary reason for enabling software audit trails is to:
A. improve response time for users.
B. establish accountability and responsibility for processed transactions.
C. improve system efficiency since audit trails do not occupy disk space.
D. provide useful information to auditors who may wish to track transactions.

29. When performing a procedure to identify the value of inventory that has been kept for more than eight weeks, an IS auditor would MOST likely use:
A. test data.
B. statistical sampling.
C. an integrated test facility.
D. generalized audit software.
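Questions 21, 23, 24 and 29 all turn on what generalized audit software actually does to a data file: foot a column, find duplicates on a field the user did not vary (the address rather than the name), check a transmitted batch with a hash total, and age records against a cutoff date. The script below is an added example, not code from this question bank or from any GAS product; the customer, inventory and order records are constructed for illustration and the function names are my own.

```python
"""Added example (not part of the question bank): generalized audit software
(GAS) style procedures over constructed sample data. Every record below is
made up for illustration."""
import re
from collections import defaultdict
from datetime import date, timedelta

# Constructed customer master file: the name varies, the address is the stable key (Q23).
CUSTOMERS = [
    {"account": "C001", "name": "Robert Smith", "address": "12 High St, Leeds"},
    {"account": "C002", "name": "Bob Smith", "address": "12 High Street, Leeds"},
    {"account": "C003", "name": "Alice Jones", "address": "4 Mill Lane, York"},
    {"account": "C004", "name": "Rob Smith", "address": "12 HIGH ST., LEEDS"},
]

# Constructed inventory file with receipt dates, aged as of a fixed date (Q29).
AS_OF = date(2024, 3, 1)
INVENTORY = [
    {"sku": "A1", "qty": 10, "unit_cost": 5.00, "received": AS_OF - timedelta(weeks=2)},
    {"sku": "B2", "qty": 4, "unit_cost": 12.50, "received": AS_OF - timedelta(weeks=9)},
    {"sku": "C3", "qty": 1, "unit_cost": 100.00, "received": AS_OF - timedelta(weeks=20)},
]

# Constructed order batch as sent by a branch and as received centrally (Q24):
# the receiver's copy has one order number corrupted in transit (1002 -> 1020).
ORDERS_SENT = [{"order_no": 1001, "qty": 5}, {"order_no": 1002, "qty": 3}, {"order_no": 1003, "qty": 8}]
ORDERS_RECEIVED = [{"order_no": 1001, "qty": 5}, {"order_no": 1020, "qty": 3}, {"order_no": 1003, "qty": 8}]


def normalize_address(addr):
    """Collapse case, punctuation and common abbreviations so near-duplicates compare equal."""
    a = re.sub(r"[.,]", " ", addr.lower())
    a = re.sub(r"\bstreet\b", "st", a)
    a = re.sub(r"\broad\b", "rd", a)
    a = re.sub(r"\blane\b", "ln", a)
    return " ".join(a.split())


def duplicates_by_address(records):
    """Q23: group accounts that share a normalized address; the name field is ignored."""
    groups = defaultdict(list)
    for r in records:
        groups[normalize_address(r["address"])].append(r["account"])
    return {addr: accts for addr, accts in groups.items() if len(accts) > 1}


def foot_total(records, field):
    """Q21: independently re-add (foot) a numeric column rather than trusting the system report."""
    return round(sum(r[field] for r in records), 2)


def inventory_value_older_than(records, weeks, as_of):
    """Q29: value (qty * unit cost) of stock received more than `weeks` ago."""
    cutoff = as_of - timedelta(weeks=weeks)
    return round(sum(r["qty"] * r["unit_cost"] for r in records if r["received"] < cutoff), 2)


def hash_total(orders):
    """Q24: sum of a non-financial field (order numbers). Meaningless as an amount,
    useful only as a batch check between sender and receiver."""
    return sum(o["order_no"] for o in orders)


def batch_intact(sent, received):
    """Compare record counts and hash totals of the sent and received batches."""
    return len(sent) == len(received) and hash_total(sent) == hash_total(received)


if __name__ == "__main__":
    print(duplicates_by_address(CUSTOMERS))
    print(foot_total(INVENTORY, "qty"))
    print(inventory_value_older_than(INVENTORY, 8, AS_OF))
    print(batch_intact(ORDERS_SENT, ORDERS_RECEIVED))
```

Run as a script it prints the duplicate group (three accounts at one normalized address), the footed quantity, the value of stock older than eight weeks, and whether the order batch arrived intact. A hash total is a batch-level check only: two compensating errors in one batch cancel out, which is why the record count is compared alongside it.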

30. Data flow diagrams are used by IS auditors to:
A. order data hierarchically.
B. highlight high-level data definitions.
C. graphically summarize data paths and storage.
D. portray step-by-step details of data generation.

31. A distinction that can be made between compliance testing and substantive testing is:
A. compliance testing tests details, while substantive testing tests procedures.
B. compliance testing tests controls, while substantive testing tests details.
C. compliance testing tests plans, while substantive testing tests procedures.
D. compliance testing tests for regulatory requirements, while substantive testing tests validations.

32. An IS auditor is expected to use due professional care when performing audits, which requires that the individual exercise skill or judgment:
A. commonly possessed by practitioners of that specialty.
B. which includes programming skills in the software under review.
C. relating to the selection of audit tests and evaluation of test results.
D. where an incorrect conclusion based on available facts will not be drawn.

33. An internal audit department that organizationally reports exclusively to the chief financial officer (CFO) rather than to an audit committee is MOST likely to:
A. have its audit independence questioned.
B. report more business-oriented and relevant findings.
C. enhance the implementation of the auditor's recommendations.
D. result in more effective action being taken on the auditor's recommendations.

34. An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor perform FIRST?
A. Personally delete all copies of the unauthorized software.
B. Inform the auditee of the unauthorized software and follow up to confirm deletion.
C. Report the use of the unauthorized software to auditee management and the need to prevent recurrence.
D. Take no action, as it is a commonly accepted practice and operations management is responsible for monitoring such use.

35. The risk that an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when, in fact, they do, is an example of:
A. inherent risk.
B. control risk.
C. detection risk.
D. audit risk.

36. A primary benefit derived from an organization employing control self-assessment (CSA) techniques is that it:
A. can identify high-risk areas that might need a detailed review later.
B. allows IS auditors to independently assess risk.
C. can be used as a replacement for traditional audits.
D. allows management to relinquish responsibility for control.

37. An IS auditor's first step when implementing continuous monitoring systems is to identify:
A. reasonable target thresholds.
B. high-risk areas within the organization.
C. the location and format of output files.
D. applications that provide the highest potential payback.

38. Which of the following is an anti-virus detective control?
A. Route all links to external systems via a firewall.
B. Scan all diskettes and CDs brought in from outside the company before use.
C. Scan all files on all file server hard disks daily, moving suspect files to a safe area.
D. Use anti-virus software to update users' anti-virus configuration files every time they log in.

39. Which of the following represents the MOST significant exposure for an organization that leases personal computers?
A. Accounting for shared peripherals
B. Frequent reassignment of hardware
C. Obsolescence prior to lease termination
D. Software licensing issues on leased machines

40. When reviewing a system development project at the project initiation stage, an IS auditor finds that the project team is not proposing to strictly follow the organization's quality manual. To meet critical deadlines the project team proposes to fast track the validation and verification processes, commencing some elements before the previous deliverable is signed off. Under these circumstances the IS auditor would MOST likely:
A. report this as a critical finding to senior management.
B. accept that different quality processes can be adopted for each project.
C. report to IS management the team's failure to follow appropriate procedures.
D. report the risks associated with fast tracking to the project steering committee.

41. During a review of the controls over the process of defining IT service levels an IS auditor would MOST likely interview the:
A. systems programmer.
B. legal staff.
C. business unit manager.
D. programmer.

42. Which of the following sampling methods is MOST useful when testing for compliance?
A. Attribute sampling
B. Variable sampling
C. Stratified mean per unit
D. Difference estimation

43. While performing an audit, an IS auditor used an application software mapping technique and discovered an error in system processing. In preparing the audit report the IS auditor should include:
A. a detailed (step-by-step) description of the mapping technique.
B. the detailed steps performed during the audit.
C. a listing of relevant parameters or source code of the system.
D. an overview of the application software mapping technique used.

44. Which of the following is a detective control?
A. Physical access controls
B. Segregation of duties
C. Back-up procedures
D. Audit trails

45. An IS auditor is assigned to perform a post-implementation review of an application system. Which of the following situations may have impaired the independence of the IS auditor? The IS auditor:
A. implemented a specific control during the development of the application system.
B. designed an embedded audit module exclusively for auditing the application system.
C. participated as a member of the application system project team, but did not have operational responsibilities.
D. provided consulting advice concerning application system best practices.

46. Detection risk refers to a:
A. conclusion that material errors do not exist, due to an inadequate test procedure.
B. control that fails to detect an error.
C. control that detects a high-risk error.
D. control that detects an error but fails to report the same.

47. Information requirement definitions, feasibility studies, and user requirements are significant considerations when:
A. defining and managing service levels.
B. identifying IT solutions.
C. managing changes.
D. assessing internal IT control.

48. Which of the following steps would an IS auditor normally perform FIRST in a security review?
A. Evaluate physical access test results
B. Determine the risks/threats to the data center site
C. Review business continuity procedures
D. Test for evidence of physical access at suspect locations

49. Which of the following is the LEAST reliable audit evidence?
A. Results of data extractions
B. Results of test cases
C. Oral representations
D. Record of transactions

50. Which of the following types of information would an IS auditor find LEAST valuable when gaining an understanding of the IT process?
A. IT planning and deployment documents with deliverables and performance results
B. Organization's policies and procedures relating to planning, managing, monitoring and reporting on performances
C. Prior audit reports
D. Reports of IT functional activities

51. When an IS auditor obtains a listing of current users with access to the
selected WAN/LAN and verifies that those listed are active associates, the IS
auditor is performing a:

A. compliance test.
B. substantive test.
C. statistical sample.
D. risk assessment.

52. Ensuring regular password change, assigning a new one-time password when
a user forgets his/hers, and requiring users not to write down their passwords
are all examples of:

A. audit objectives.
B. audit procedures.
C. controls objectives.
D. control procedures.

53. The FIRST task an IS auditor should complete when performing a new audit in
an unfamiliar area is to:

A. design the audit programs for each system or function involved.
B. develop a set of compliance tests and substantive tests.
C. gather background information pertinent to the new audit.
D. assign human and economical resources.

54. Risk assessments performed by IS auditors are a critical factor for audit planning. An assessment of risk should be made to provide:

A. reasonable assurance that material items will be covered during the audit
work.
B. sufficient assurance that material items will be covered during the audit work.
C. reasonable assurance that all items will be covered during the audit work.
D. sufficient assurance that all items will be covered during the audit work.

55. IS auditors must have a thorough understanding of the risk assessment
process. Risk assessment is a(n):

A. subjective process.
B. objective process.
C. mathematical process.
D. statistical process.

56. The BEST time to perform a control self-assessment involving line management, line staff and the audit department would be during the:

A. compliance tests.
B. preliminary survey.
C. substantive tests.
D. preparation of the audit report.

57. While conducting a control self-assessment (CSA) program, an IS auditor facilitated workshops involving management and staff in judging and monitoring the effectiveness of existing controls. Which of the following is an objective of a CSA program?

A. To enhance audit responsibilities.
B. To identify problems.
C. To brainstorm solutions.
D. To complete the entire audit.

58. The responsibility, authority and accountability of the information systems audit function is appropriately documented in an audit charter and MUST be:

A. approved by the highest level of management.
B. approved by audit department management.
C. approved by user department management.
D. changed every year before commencement of IS audits.

59. The IS auditor should be able to identify and evaluate various types of risks
and their potential effects. Accordingly, which of the following risks is
associated with trap doors?

A. Inherent risk.
B. Detection risk.
C. Audit risk.
D. Error risk.

60. IS auditors are MOST likely to perform tests of internal controls if, after their evaluation of such controls, they conclude that:

A. a substantive approach to the audit is more cost-effective.
B. the control environment is poor.
C. inherent risk is low.
D. control risks are within the acceptable limits.

61. An IS auditor performing an audit of the company's information system (IS) strategy would be LEAST likely to:

A. assess IS security procedures.
B. review both short and long-term IS strategies.
C. interview appropriate corporate management personnel.
D. ensure that the external environment has been considered.

62. Which of the following organizational goals would normally be mentioned in an organization's strategic plan?

A. Test a new accounting package.
B. Perform an evaluation of information technology needs.
C. Implement a new project planning system within the next 12 months.
D. Become the supplier of choice within a given time period for the product offered.

63. Which of the following conditions should exist in order for the local selection and purchase of IS products to be acceptable?

A. Local offices are independent and exchange data on an occasional basis.
B. Managers undertake a full cost-benefit analysis before deciding what to purchase.
C. The same type of database management system is used throughout the organization.
D. Acquisitions are consistent with the organization's short- and long-term IS technology plans.

64. The initial step in establishing an information security program is the:

A. development and implementation of an information security standards manual.
B. performance of a comprehensive security control review by the IS auditor.
C. adoption of a corporate information security policy statement.
D. purchase of security access control software.

65. Which of the following documentation would an IS auditor place LEAST reliance on when determining management's effectiveness in communicating information systems policies to appropriate personnel?

A. Interviews with user and IS personnel
B. Minutes of the IS Steering Committee meetings
C. User department systems and procedures manuals
D. Information processing facilities operations and procedures manuals

66. An IS auditor who is reviewing application run manuals would expect them to contain:

A. details of source documents.
B. error codes and their recovery actions.
C. program logic flowcharts and file definitions.
D. change records for the application source code.

67. Which of the following statements pertaining to ISO 9000 is FALSE?

A. The standard covers all aspects of an organization that may affect customer
satisfaction.
B. The standard covers both internal and external business processes.
C. The standard defines a set of quality compliance requirements.
D. The standard focuses heavily on documentation of activities.

68. Which of the following procedures would normally be performed last by an IS auditor who is auditing the outsourcing process?

A. Assess the business needs of the organization.
B. Perform a cost/benefit analysis including the assumptions behind it.
C. Perform a control risk assessment.
D. Review contracts with legal counsel.

69. A written security policy serves to heighten security awareness and should include all of the following key components EXCEPT:

A. an index of computer hardware and software.
B. management's approved support of the policy.
C. authorization process for gaining access to computerized information.
D. awareness philosophy to security procedures on a need-to-know basis.

70. The general ledger setup function in an enterprise resource planning (ERP) package allows for the setting of accounting periods in the package. Access to this function has been permitted to users in finance, warehouse and order entry. The MOST likely reason for granting such broad access is the:

A. need to change accounting periods on a regular basis.
B. requirement to post entries for a closed accounting period.
C. lack of proper policies and procedures for the segregation of duties.
D. need to create/modify the chart of accounts and its allocations.

71. Which of the following procedures would MOST effectively detect employee loading of illegal software packages onto a network?

A. The use of diskless workstations
B. Periodic checking of hard drives
C. The use of current anti-virus software
D. Policies that result in instant dismissal if violated

72. Which of the following is LEAST likely to be associated with an incident response capability?

A. Developing a database repository of past incidents and actions to facilitate future corrective actions.
B. Declaring the incident, which not only helps to carry out corrective measures, but also to improve the awareness level.
C. Developing a detailed operations plan that outlines specific actions to be taken to recover from an incident.
D. Establishing multi-disciplinary teams consisting of executive management, security staff, information systems staff, legal counsel, public relations, etc. to carry out the response.

73. Which of the following should NOT be included in an organization's IS security policy?

A. Access philosophy
B. Access authorization
C. Importance of security awareness
D. Identity of sensitive security features

74. Which of the following should NOT be a role of the security administrator?

A. Authorizing access rights
B. Implementing security rules
C. Allocating access rights
D. Ensuring that security policies have been authorized by management

75. Which of the following is a role of an information systems steering committee?

A. Initiate computer applications.
B. Ensure efficient use of data processing resources.
C. Prepare and monitor system implementation plans.
D. Review the performance of the systems department.

76. Accountability for the maintenance of appropriate security measures over information assets resides with the:

A. security administrator.
B. systems administrator.
C. data and systems owners.
D. systems delivery/operations group.

77. An IS auditor performing a review of the MIS department discovers that formal project approval procedures do not exist. In the absence of these procedures the MIS manager has been arbitrarily approving projects that can be completed in a short duration and referring other more complicated projects to higher levels of management for approval. The IS auditor should recommend FIRST that:

A. users participate in the review and approval process.
B. formal approval procedures be adopted and documented.
C. all projects are referred to appropriate levels of management for approval.
D. the MIS manager job description be changed to include approval authority.

78. Responsibility and reporting lines cannot always be established when auditing automated systems since:

A. diversified control makes ownership irrelevant.
B. staff traditionally change jobs with greater frequency.
C. ownership is difficult to establish where resources are shared.
D. duties change frequently in the rapid development of technology.

79. Which of the following criteria would an IS auditor consider to be the MOST important when evaluating the organization's IS strategy?

A. That it has been approved by line management
B. That it does not vary from the IS Department preliminary budget
C. That it complies with procurement procedures
D. That it supports the business objectives of the organization

80. Which of the following statements relating to separation of duties is TRUE?

A. Employee competence does not need to be considered when evaluating an organization's policy on separation of duties.
B. An organization chart provides an accurate definition of separation of employee duties.
C. A restrictive separation of duties policy can help improve an organization's efficiency and communication.
D. Policies on separation of duties in information systems must recognize the difference between logical and physical access to assets.

81. Which of the following tasks is normally performed by a clerk in the control group?

A. Maintenance of an error log
B. Authorization of transactions
C. Control of non-information systems assets
D. Origination of changes to master files

82. Which of the following is NOT a responsibility of a database administrator?

A. Designing database applications
B. Changing physical data definition to improve performance
C. Specifying physical data definition
D. Monitoring database usage

83. Which of the following is NOT a responsibility of computer operations?

A. Analyzing system schedules
B. Analyzing user specifications
C. Analyzing system degradation
D. Trouble-shooting teleprocessing problems

84. Which of the following functions should NOT be performed by scheduling and operations personnel in order to maintain proper segregation of duties?

A. Job submission
B. Resource management
C. Code correction
D. Output distribution

85. Which of the following functions is NOT performed by the IS control group?

A. Supervision of the distribution of output
B. Logging of input data
C. Scrutiny of error listings
D. Correction of errors

86. Which of the following exposures may result if an adequate separation of duties between computer operators and application programmers is NOT maintained?

A. Inadequate volume testing
B. Unauthorized program changes
C. Unintentional omissions of data
D. Data loss during program execution

87. Which of the following tasks would NOT normally be performed by a data security officer?

A. Developing the data classification methodology
B. Implementing security measures (e.g., password change procedures)
C. Monitoring the effectiveness of security over data
D. Monitoring the completeness and accuracy of the data

88. An IS auditor has recently discovered that because of a shortage of skilled operations personnel, the security administrator has agreed to work one late-night shift a month as the senior computer operator. The MOST appropriate course of action that the IS auditor should take is to:

A. advise senior management of the risk involved.
B. agree to work with the security officer on these shifts as a form of preventive control.
C. develop a computer-assisted audit technique to detect instances of abuses of this arrangement.
D. review the system log for each of the late-night shifts to determine whether any irregular actions occurred.

89. Many organizations require an employee to take a mandatory vacation of a week or more in order to:

A. ensure the employee maintains a quality of life, which will lead to greater productivity.
B. reduce the opportunity for an employee to commit an improper or illegal act.
C. provide proper cross training for another employee.
D. eliminate the potential disruption caused when an employee takes vacation one day at a time.

90. The quality assurance group is typically responsible for:

A. ensuring that the output received from system processing is complete.
B. monitoring the execution of computer processing tasks.
C. ensuring that programs and program changes and documentation adhere to established standards.
D. designing standards and procedures to protect data against accidental disclosure, modification, or destruction.

91. Which of the following would NOT be associated with well-written and concise job descriptions?

A. They are an important means of discouraging fraudulent acts.
B. They are often used as tools in performance evaluation.
C. They provide little indication of the degree of separation of duties.
D. They assist in defining the relationship between various job functions.

92. Which of the following BEST describes the role and responsibilities of a systems analyst?

A. Defines corporate databases
B. Determines user needs for application programming
C. Schedules computer resources
D. Tests and evaluates programmer and optimization tools

93. Which of the following functions, if combined, would present the GREATEST risk to an organization?

A. Systems analyst and database administrator
B. Quality assurance and computer operator
C. Tape librarian and data entry clerk
D. Application programmer and tape librarian

94. Which of the following statements relating to application programmers is FALSE?

A. They are responsible for maintaining systems in production.
B. They should not move test versions into the production environment.
C. They are responsible for defining backup procedures.
D. They should not have access to system program libraries.

95. Which of the following is NOT an advantage of cross-training employees?

A. It provides for succession planning.
B. It decreases dependence on one employee.
C. It provides backup personnel in the event of absence.
D. It allows individuals to understand all parts of a system.

96. Responsibility for the programmers and analysts who implement new systems and maintain existing systems is typically the role of the:

A. operations manager.
B. database administrator.
C. quality assurance manager.
D. systems development manager.

97. Which of the following is NOT an activity associated with information processing?

A. Systems analysis
B. Telecommunications
C. Computer operations
D. Systems programming

98. A local area network (LAN) administrator is restricted from:

A. having end-user responsibilities.
B. reporting to the end-user manager.
C. having programming responsibilities.
D. being responsible for LAN security administration.

99. Which of the following pairs of functions should NOT be combined, in order to provide proper segregation of duties?

A. Tape librarian and computer operator
B. Application programming and data entry
C. Systems analyst and database administrator
D. Security administrator and quality assurance

100. An IS auditor is reviewing the database administration function to ascertain whether adequate provision has been made for controlling data. The IS auditor should determine that the:

A. function reports to data processing operations.
B. responsibilities of the function are well defined.
C. database administrator is a competent systems programmer.
D. audit software has the capability of efficiently accessing the database.

101. A long-term IS employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for the position should be based on the individual's vast experience and:

A. length of service, since this will help ensure technical competence.
B. age, as training in audit techniques may be impractical.
C. IS knowledge, since this will bring enhanced credibility to the audit function.
D. existing IS relationships, where the ability to retain audit independence may be difficult.

102. An IS auditor reviewing the key roles and responsibilities of the database administrator (DBA) is LEAST likely to expect the job description of the DBA to include:

A. defining the conceptual schema.
B. defining security and integrity checks.
C. liaising with users in developing the data model.
D. mapping the data model to the internal schema.

103. Which of the following provisions in a contract for external information systems services would an IS auditor consider to be LEAST significant?

A. Ownership of programs and files
B. Statement of due care and confidentiality
C. Continued service of the outsourcer in the event of a disaster
D. Detailed description of the computer hardware used by the vendor

104. Is it appropriate for an IS auditor from a company that is considering outsourcing its IS processing to request and review a copy of each vendor's business continuity plan?

A. Yes, because the IS auditor will evaluate the adequacy of the service bureau's plan and assist his/her company in implementing a complementary plan.
B. Yes, because, based on the plan, the IS auditor will evaluate the financial stability of the service bureau and its ability to fulfill the contract.
C. No, because the backup to be provided should be adequately specified in the contract.
D. No, because the service bureau's business continuity plan is proprietary information to which users' IS auditors are not usually allowed access.

105. Which of the following indicators would be LEAST likely to suggest that complete or selective outsourcing of computer operations should be considered?

A. The applications development backlog is greater than three years.
B. It takes one year to develop and implement a high-priority system.
C. More than 60 per cent of programming costs are spent on systems maintenance.
D. Duplicate information systems functions exist at two sites.

106. A probable advantage to an organization that has outsourced its data processing services is that:

A. greater IS expertise can be obtained from the outside.
B. more direct control can be exercised over computer operations.
C. processing priorities can be established and enforced internally.
D. greater user involvement is required to communicate user needs.

107. Service level agreements establish:

A. minimum service levels to be rendered by IS management.
B. minimum service levels to be achieved in the event of a disaster.
C. maximum service levels to be rendered by IS support services.
D. minimum levels of processing capabilities that can be affected by a disaster.

108. An organization has outsourced network and desktop support. Although the relationship has been reasonably successful, risks remain due to connectivity issues. Which of the following controls should FIRST be performed to assure that the organization reasonably mitigates these possible risks?

A. Network defense program
B. Encryption/authentication
C. Adequate reporting between organizations
D. Adequate definition in the contractual relationship

109. An IS auditor reviewing an outsourcing contract for IT facilities would expect it to define:

A. hardware configuration.
B. access control software.
C. ownership of intellectual property.
D. application development methodology.

110. While conducting an audit of management's planning of IS, what would an IS auditor consider the MOST relevant to short-term planning for the IS department?

A. Allocating resources
B. Keeping current with technology advances
C. Conducting control self-assessment
D. Evaluating hardware needs

111. The data control department responsible for data entry should:

A. maintain access rules to data and other IT resources.
B. periodically review and evaluate the data security policy.
C. ensure proper safekeeping of source documents until processing is complete.
D. monitor security violations and take corrective action.

112. Which of the following IS functions may be performed by the same individual without compromising control or violating segregation of duties?

A. Job control analyst and applications programmer
B. Mainframe operator and system programmer
C. Change/problem administrator and quality control administrator
D. Applications programmer and system programmer

113. Which of the following is the MOST important function to be performed by IT management within an outsourced environment?

A. Ensuring that invoices are paid to the provider
B. Participating in systems design with the provider
C. Renegotiating the provider's fees
D. Monitoring the outsourcing provider's performance

114. Which of the following key performance indicators would an IS manager be LEAST likely to systematically report to the board of directors?

A. Average response time to user requirements
B. Cost per transaction
C. IS costs per area
D. Free disk storage space

115. Employee termination practices should address all of the following EXCEPT:

A. arrangement for the final pay and removal of the employee from active payroll files.
B. notification to other staff and facilities security to increase awareness of the terminated employee's status.
C. employee bonding to protect against losses due to theft.
D. deletion of assigned logon IDs and passwords to prohibit system access.

116. Various standards have emerged to assist IS organizations in achieving an operational environment that is predictable, measurable and repeatable. The standard that provides the definition of the characteristics and the associated quality evaluation process to be used when specifying the requirements for, and evaluating the quality of, software products throughout their life cycle is:

A. ISO 9001.
B. ISO 9002.
C. ISO 9126.
D. ISO 9003.

117. Which of the following would provide the LEAST justification for an organization's investment in a security infrastructure?

A. Risk analysis of internal/external threats
B. A white paper report on Internet attacks, companies attacked and damage inflicted
C. A penetration test of the organization's network demonstrating that the threat from intruders is high
D. Reports generated internally from the use of high-profile network tools

118. An IS auditor reviewing the organization's IT strategic plan should FIRST review:

A. the existing information technology environment.
B. the business plan.
C. the present IT budget.
D. current technology trends.

119. Which of the following issues would be of LEAST concern when reviewing an outsourcing agreement in which the outsourcing vendor assumes responsibility for the information processing function?

A. The organization's right to audit vendor operations
B. The loyalty of the third-party personnel
C. The access control system that protects the outsourcing vendor's data
D. The outsourcing vendor's software acquisition procedures

120. A database administrator is responsible for:

A. maintaining the access security of data residing on the computers.
B. implementing database definition controls.
C. granting access rights to users.
D. defining the system's data structure.

121. The security administrator is responsible for providing reasonable assurance over the confidentiality, integrity and availability of information system controls. Another duty that could be considered compatible, without causing a conflict of interest, would be:

A. quality assurance.
B. application programming.
C. systems programming.
D. data entry.

122. The development of an IS security policy is the responsibility of the:

A. IS department.
B. security committee.
C. security administrator.
D. board of directors.

123. A sound information security policy will MOST likely include a:

A. response program to handle suspected intrusions.
B. correction program to handle suspected intrusions.
C. detection program to handle suspected intrusions.
D. monitoring program to handle suspected intrusions.

124. Which of the following is responsible for network security operations?

A. Users, who periodically change their passwords
B. Security administrators, who control services and computers
C. Line managers, who are responsible for policies and procedures
D. Security officers, who administer the security policy

125. Which of the following would provide a mechanism whereby IS management can determine when, and if, the activities of the enterprise have deviated from planned or expected levels?

A. Quality management
B. IS assessment methods
C. Management principles
D. Industry standards/benchmarking

126. Which of the following independent duties is performed by the data control group?

A. Access to data
B. Authorization tables
C. Custody of assets
D. Reconciliation

127. Which of the following situations would increase the likelihood of fraud?

A. Application programmers are implementing changes to production programs
B. Application programmers are implementing changes to test programs
C. Operations support staff are implementing changes to batch schedules
D. Database administrators are implementing changes to data structures

128. Which of the following is the BEST way to handle obsolete magnetic tapes before disposing of them?

A. Overwriting the tapes
B. Initializing the tape labels
C. Degaussing the tapes
D. Erasing the tapes

129. An IS steering committee should:

A. include a mix of members from different departments and management levels.
B. ensure that IS security policies and procedures have been properly executed.
C. have formal terms of reference and maintain minutes of its meetings.
D. be briefed about new trends and products at each meeting by a vendor.

130. Which of the following functions would represent a risk if combined with that of a systems analyst, due to the lack of compensating controls?

A. Application programming
B. Data entry
C. Quality assurance
D. Database administrator

131. Which of the following data entry controls provides the GREATEST assurance that data entered does not contain errors?

A. Key verification
B. Segregation of the data entry function from data entry verification
C. Maintaining a log/record detailing the time, date, employee's initials/user ID and progress of the various data preparation and verification tasks
D. Check digits
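
The check-digit control in option D is worth seeing in action. The block below is an added example and is not part of the question bank: it implements a mod-10 (Luhn) check digit on a constructed account number, then enumerates which keying errors the digit catches. The Luhn scheme is used as a representative check-digit algorithm; the account number `7992739871` and the `10900` example are assumptions made for the demonstration.

```python
# Added example (not from the question bank): a mod-10 (Luhn) check digit and
# a test of which keying errors it catches. The account number is constructed.
from typing import List, Tuple


def luhn_check_digit(payload: str) -> str:
    """Digit appended to `payload` so that the whole number passes the mod-10 test."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:               # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2   # 10..18 -> 1..9 (digit sum)
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct check digit for the preceding ones."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


def undetected_single_substitutions(number: str) -> List[Tuple[int, str]]:
    """(position, wrong digit) pairs that would still pass the check.

    The doubling map is a bijection on single digits, so every single-digit
    keying error changes the total mod 10 and the result is an empty list.
    """
    misses = []
    for pos in range(len(number)):
        for wrong in "0123456789":
            if wrong != number[pos] and luhn_valid(number[:pos] + wrong + number[pos + 1:]):
                misses.append((pos, wrong))
    return misses


def undetected_adjacent_transpositions(number: str) -> List[int]:
    """Positions where swapping two neighbouring, different digits goes unnoticed.

    Luhn catches every adjacent transposition except 09 <-> 90, so this only
    returns positions where a 0 sits next to a 9.
    """
    misses = []
    for pos in range(len(number) - 1):
        a, b = number[pos], number[pos + 1]
        if a != b and luhn_valid(number[:pos] + b + a + number[pos + 2:]):
            misses.append(pos)
    return misses


ACCOUNT_PAYLOAD = "7992739871"   # constructed; its Luhn check digit is 3


if __name__ == "__main__":
    full = ACCOUNT_PAYLOAD + luhn_check_digit(ACCOUNT_PAYLOAD)
    print(full, luhn_valid(full))
    print("single-digit errors missed:", undetected_single_substitutions(full))
    print("transpositions missed:", undetected_adjacent_transpositions(full))
    print("transpositions missed in 10900:", undetected_adjacent_transpositions("10900"))
```

The point for an auditor is the second and third functions: a check digit is a strong control against single-digit errors and most transpositions, but it has known blind spots (here the 09/90 swap), which is why the exam contrasts it with key verification by a second operator.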

132. Which of the following would an IS auditor be MOST concerned with when evaluating the effectiveness and adequacy of a computer preventive maintenance program?

A. System downtime log
B. Vendors' reliability figures
C. A log of regularly scheduled maintenance
D. A written preventive maintenance schedule

133. Which of the following provides the MOST effective means of determining which controls are functioning properly in an operating system?

A. Consulting with the vendor
B. Reviewing the vendor installation guide
C. Consulting with the system programmer
D. Reviewing the system generation parameters

134. Which of the following is NOT a common database structure?

A. Network
B. Sequential
C. Hierarchical
D. Relational

135. Which of the following computer system risks would be increased by the installation of a database system?

A. Programming errors
B. Data entry errors
C. Improper file access
D. Loss of parity

136. The input/output control function is responsible for:

A. pulling and returning all tape files.
B. entering and key-verifying data.
C. logging batches and reconciling hash totals.
D. executing both production and test jobs.

137. Utility programs that assemble the software modules needed to execute a machine-instruction application program version are:

A. text editors.
B. program library managers.
C. linkage editors and loaders.
D. debuggers and development aids.

138. Which of the following statements pertaining to a data communication system is FALSE?

A. It has multiple layers.
B. It interfaces with the operating system.
C. It operates on the content of the information.
D. It is concerned with correct transmission between two points.

139. Which of the following is NOT an advantage of an object-oriented approach to data management systems?

A. A means to model complex relationships
B. The ability to restrict the variety of data types
C. The capacity to meet the demands of a changing environment
D. The ability to access only the information that is needed

140. Which of the following allow programmers to code and compile programs interactively with the computer from a terminal?

A. Firmware
B. Utility programs
C. Online programming facilities
D. Network management software

141. A data dictionary is an example of software that is used to:

A. describe application systems.
B. assist in fast program development.
C. improve operational efficiency.
D. test data quality.

142. Which of the following is NOT an advantage of image processing?

A. Verifies signatures
B. Improves service
C. Relatively inexpensive to use
D. Reduces deterioration due to handling

143. In a review of the operating system software selection and acquisition process, an IS auditor would place more importance on finding evidence of:

A. competitive bids.
B. user-department approval.
C. hardware-configuration analysis.
D. purchasing department approval.

144. Which of the following line media would be MOST secure in a telecommunications network?

A. Broadband network digital transmission
B. Baseband network
C. Dial-up
D. Dedicated lines

145. What type of transmission requires modems in a network to be connected to terminals from the computer?

A. Encrypted
B. Digital
C. Analog
D. Modulated

146. Which of the following is NOT a telecommunications control?

A. Trailer record
B. Common carrier
C. Diagnostic routine
D. Echo check

147. An IS auditor needs to link his/her microcomputer to a mainframe system that uses binary synchronous data communications with block data transmission. However, the IS auditor's microcomputer, as presently configured, is capable of only asynchronous ASCII character data communications. Which of the following must be added to the IS auditor's computer to enable it to communicate with the mainframe system?

A. Protocol conversion and buffer capacity
B. Network controller and buffer capacity
C. Buffer capacity and parallel port
D. Parallel port and protocol conversion

148. Which of the following is a telecommunication device that translates data from digital form to analog form and back to digital?

A. Multiplexer
B. Modem
C. Protocol converter
D. Concentrator

149. Which of the following is a network architecture configuration that links each station directly to a main hub?

A. Bus
B. Ring
C. Star
D. Completely connected

150. Which of the following transmission media would NOT be affected by crosstalk or interference?

A. Fiber optic systems
B. Twisted pair circuits
C. Microwave radio systems
D. Satellite radio link systems

151. In wide area networks (WANs):

A. data flow can be half duplex or full duplex.
B. communication lines must be dedicated.
C. the circuit structure can be operated only over a fixed distance.
D. the selection of communication lines will affect reliability.

152. Which of the following local area network (LAN) physical layouts is vulnerable to failure if one device fails?

A. Star
B. Bus
C. Ring
D. Completely connected

153. Neural networks are effective in detecting fraud because they can:

A. discover new trends, since they are inherently linear.
B. solve problems where large and general sets of training data are not obtainable.
C. attack problems that require consideration of a large number of input variables.
D. make assumptions about the shape of any curve relating variables to the output.

154. E-cash is a form of electronic money that:

A. can be used over any computer network.
B. utilizes reusable e-cash coins to make payments.
C. does not require the use of an Internet digital bank.
D. contains unique serial numbering to track the identity of the buyer.

155. An organization is about to implement a computer network in a new office building. The company has 200 users located in the same physical area. No external network connections will be required. Which of the following network configurations would be the MOST expensive to install?

A. Bus
B. Ring
C. Star
D. Mesh

156. An organization is about to implement a computer network in a new office building. The company has 200 users located in the same physical area. No external network connections will be required. Which of the following network configurations would be the easiest for problem resolution?

A. Bus
B. Ring
C. Star
D. Mesh

157. The following question refers to the diagram below.

Assuming this diagram represents an internal facility and the organization is implementing a firewall protection program, where should firewalls be installed?

A. No firewalls are needed
B. op-3 location only
C. MIS (Global) and NAT2
D. SMTP Gateway and op-3

158. Congestion control is BEST handled by which OSI layer?

A. Data link layer
B. Session layer
C. Transport layer
D. Network layer

159. Which of the following is NOT an element of a LAN environment?

A. Packet switching technology
B. Baseband (digital signaling)
C. Ring or short bus topology
D. Private circuit switching technology

160. Which of the following would an IS auditor NOT review when performing a general operational control review?

A. User manuals
B. Re-run reports
C. Maintenance logs
D. Backup procedures

161. Which of the following is NOT a function of an online tape management system?

A. Indicating which tapes should be cleaned
B. Maintaining an inventory listing of tapes
C. Allowing external tape labels to contain a serial number only
D. Controlling physical access to the tape library area

162. Which of the following is NOT related to file identification?

A. Periodic file inventory
B. External label standards
C. Retention period standards
D. High-level qualifier restrictions

163. An IS auditor has discovered that the organization's existing computer system is no longer adequate for the demands being placed on it by data processing, is not compatible with new models and cannot be expanded. As a result, a recommendation is made to use emulation. Emulation involves:

A. hardware that converts a new computer into an image of the old computer.
B. writing the programs in modules that simplify the transition to a new computer.
C. software that translates the old program into one readable by a new computer.
D. simulating a new computer on the old computer to produce machine-independent code.

164. All of the following are properties of a relational database EXCEPT:

A. relational database technology separates data from applications.
B. operational efficiencies are significantly increased with relational models.
C. a relational database models information in the structure of a table with columns and rows.
D. in a relational model there is always a primary key for a tuple and there are no duplicate tuples.

165. Which of the following is the operating system mode in which all instructions can be executed?

A. Problem
B. Interrupt
C. Supervisor
D. Standard processing

166. During a review of a large data center, an IS auditor observed computer operators acting as backup tape librarians and security administrators. Which of these situations would be MOST critical to report to senior management?

A. Computer operators acting as tape librarians
B. Computer operators acting as security administrators
C. Computer operators acting as both tape librarian and security administrator
D. It is not necessary to report any of these situations to senior management

167. Which of the following functions would be acceptable for the security administrator to perform in addition to his or her normal function?

A. Systems analyst
B. Quality assurance
C. Computer operator
D. Systems programmer

168. Which of the following is a hardware device that relieves the central computer from performing network control, format conversion and message handling tasks?

A. Spool
B. Cluster controller
C. Protocol converter
D. Front-end processor

169. Which of the following tools for controlling input/output of data is used to verify output results and control totals by matching them against the input data and control totals?

A. Batch header forms
B. Batch balancing
C. Data conversion error corrections
D. Access controls over print spools
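
Batch balancing (option B here) and the hash-total reconciliation mentioned in question 136 are the same mechanism: totals computed on the input batch are recomputed on the processed output and any disagreement is investigated. The block below is an added example, not part of the question bank, using a constructed three-transaction batch; the field names and the choice of account number as the hashed field are assumptions for the demonstration.

```python
# Added example (not from the question bank): batch balancing with a record
# count, an amount control total and a hash total of account numbers. The
# transactions are constructed sample data.
from typing import Dict, List, NamedTuple


class Txn(NamedTuple):
    account: str        # account number as keyed
    amount_cents: int


def control_totals(batch: List[Txn]) -> Dict[str, int]:
    """Totals written on the batch header before entry and recomputed afterwards.

    The hash total is an arithmetic sum over a field with no monetary meaning
    (here the account number); it exists only so that a mis-keyed or swapped
    field shows up even when record count and amount total still agree.
    """
    return {
        "count": len(batch),
        "amount": sum(t.amount_cents for t in batch),
        "hash": sum(int(t.account) for t in batch),
    }


def balance_batch(header: Dict[str, int], processed: List[Txn]) -> List[str]:
    """Names of the control totals that do not reconcile (empty list = batch balances)."""
    actual = control_totals(processed)
    return sorted(name for name, expected in header.items() if actual[name] != expected)


SOURCE_BATCH = [Txn("100234", 1500), Txn("100235", 2750), Txn("200987", 980)]
HEADER = control_totals(SOURCE_BATCH)   # {'count': 3, 'amount': 5230, 'hash': 401456}


def scenario_clean() -> List[str]:
    """Output identical to input: everything balances."""
    return balance_batch(HEADER, list(SOURCE_BATCH))


def scenario_dropped_record() -> List[str]:
    """Last record lost in processing: count, amount and hash all disagree."""
    return balance_batch(HEADER, SOURCE_BATCH[:2])


def scenario_transposed_account() -> List[str]:
    """100234 keyed as 100243: count and amount are unchanged, only the hash total moves."""
    keyed = [Txn("100243", 1500)] + SOURCE_BATCH[1:]
    return balance_batch(HEADER, keyed)


if __name__ == "__main__":
    print("clean:", scenario_clean())
    print("dropped record:", scenario_dropped_record())
    print("transposed account:", scenario_transposed_account())
```

The third scenario is the one that justifies keeping a hash total alongside the financial totals: a transposed account number posts the right amount to the wrong account, and neither the record count nor the amount total would ever reveal it.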

170. Which of the following tools is NOT used to monitor the efficiency and effectiveness of services provided by IS personnel?

A. Online monitors
B. Operator problem reports
C. Output distribution reports
D. Console logs

171. Which of the following would an IS auditor expect to find in a console log?

A. Names of system users
B. Shift supervisor identification
C. System errors
D. Data edit errors

172. Which of the following systems-based approaches would a financial processing company employ to monitor spending patterns in order to identify abnormal expenditures?

A. A neural network
B. Database management software
C. Management information systems
D. Computer-assisted audit techniques

173. Which of the following is the BEST form of transaction validation?

A. Use of key field verification techniques in data entry
B. Use of programs to check the transaction against criteria set by management
C. Authorization of the transaction by supervisory personnel in an adjacent department
D. Authorization of the transaction by a department supervisor prior to the batch process

174. An IS auditor needs to link his/her microcomputer to a mainframe system that uses binary synchronous data communications with block data transmission. However, the IS auditor's microcomputer, as presently configured, is capable of only asynchronous ASCII character data communications. Which of the following must be added to the IS auditor's computer to enable it to communicate with the mainframe system?

A. Buffer capacity and parallel port
B. Network controller and buffer capacity
C. Parallel port and protocol conversion
D. Protocol conversion and buffer capability

175. Which of the following audit techniques would an IS auditor place the MOST reliance on when determining whether an employee practices good preventive and detective security measures?

A. Observation
B. Detail testing
C. Compliance testing
D. Risk assessment

176. Which of the following is NOT a way in which executive information systems (EIS) are distinguished from other information systems?

A. EIS are much easier to use than other systems.
B. EIS normally include user-friendly features.
C. EIS normally include other features such as e-mail and word processing abilities.
D. EIS focus on broad problems to a specific view.

177. An organization is considering installing a local area network (LAN) in a site under construction. If system availability is the main concern, which of the following topologies is MOST appropriate?

A. Ring
B. Line
C. Star
D. Bus

178. Capacity monitoring software is used to ensure:

A. maximum use of available capacity.
B. future acquisitions meet user functionality demands.
C. concurrent use by a large number of users.
D. continuity of efficient operation.

179. Receiving an electronic data interchange (EDI) transaction and passing it through the communications interface stage usually requires:

A. translating and unbundling transactions.
B. routing verification procedures.
C. passing data to the appropriate application system.
D. creating a point-of-receipt audit log.

180. Which one of the following types of firewalls would BEST protect a network from an Internet attack?

A. Screened subnet firewall
B. Application filtering gateway
C. Packet filtering router
D. Circuit level gateway

181. A large manufacturing firm wants to automate its invoice and payment processing system with its suppliers. Requirements state that the system, of high integrity, will require considerably less time for review and authorization. The system should still be capable of quickly identifying errors that need follow-up. Which approach below is BEST suited to meeting these requirements?

A. Establishing an inter-networked system of client servers with suppliers for increased efficiencies.
B. Outsourcing the function to a firm specializing in automated payments and accounts receivable/invoice processing.
C. Establishing an electronic data interchange (EDI) system of electronic business documents and transactions with key suppliers, computer to computer, in a standard format.
D. Reengineering existing processing and redesigning the existing system.

182. Which of the following is widely accepted as one of the critical components of network management?

A. Configuration management
B. Topological mappings
C. Application of monitoring tools
D. Proxy server troubleshooting

183. An IS auditor consulting on a project to develop a network management system would consider all of the following essential features EXCEPT:

A. the capacity to interact with the Internet for problem solving.
B. a graphical interface to map the topology.
C. a relational database to store the readings.
D. the ability to gather information from various network devices.

184. In protocols like HTTP, FTP and SMTP, the implementation of the TCP/IP suite is arranged in the following manner:

A. TCP works at the transport layer and handles packets, while IP works at the network layer and handles addresses.
B. TCP works at the transport layer and handles addresses, while IP works at the network layer and handles packets.
C. TCP works at the presentation layer and handles proxies, while IP works at the data link layer and handles applets.
D. TCP works at any of the OSI layers and handles circuits, while IP also works at any of the OSI layers but handles messages.

185. Public-key infrastructure (PKI) integrates all of the following into an enterprise-wide network security architecture EXCEPT:

A. public-key cryptosystems.
B. digital certificates.
C. certificate authorities.
D. password key management.

186. All of the following are common problems with firewall implementations EXCEPT:

A. inadequately protecting the network and servers from virus attacks.
B. incorrectly configuring access lists.
C. logging of connections that is either insufficient or not reviewed on a regular basis.
D. network services destined for internal hosts being passed through the firewall unscreened.
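
Options B and D describe the same failure seen from two sides: an access list that is ordered or scoped carelessly lets traffic reach internal hosts that no rule was meant to admit. The block below is an added example, not part of the question bank or of any firewall product: it models first-match evaluation of a stateless access list with the implicit deny that real filters apply at the end, and flags rules an earlier rule has already decided (shadowed rules). The rule sets, hosts and addresses are constructed for the demonstration (public addresses from the RFC 5737 documentation range, internal addresses from 10.0.0.0/8); state tracking and fragmentation handling are deliberately out of scope.

```python
# Added example (not from the question bank): first-match evaluation of a
# firewall access list with an implicit deny, plus a check for rules that an
# earlier, broader rule has already decided ("shadowed" rules). Addresses and
# rules are constructed for the demonstration.
import ipaddress
from typing import List, NamedTuple, Tuple


class Packet(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: int


class Rule(NamedTuple):
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "any"
    src: str                 # CIDR
    dst: str                 # CIDR
    dports: Tuple[int, int]  # inclusive range; (0, 65535) means any port

    def matches(self, pkt: Packet) -> bool:
        return (
            self.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and self.dports[0] <= pkt.dport <= self.dports[1]
        )

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match is already matched by this rule."""
        return (
            self.proto in ("any", other.proto)
            and ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
            and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
            and self.dports[0] <= other.dports[0]
            and other.dports[1] <= self.dports[1]
        )


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; nothing matching falls to the implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j in range(len(rules)) if any(rules[i].covers(rules[j]) for i in range(j))]


INTERNAL = "10.0.0.0/8"

# Misconfigured list: rule 0 was meant to admit the published services but was
# written as "anything to the internal network", so the telnet deny below it is
# shadowed and inbound telnet reaches internal hosts unscreened.
WEAK_RULES = [
    Rule("permit", "any", "0.0.0.0/0", INTERNAL, (0, 65535)),
    Rule("deny", "tcp", "0.0.0.0/0", INTERNAL, (23, 23)),
]

# Corrected list: permit only the published services, only to the hosts that
# offer them; everything else is caught by the implicit deny.
HARDENED_RULES = [
    Rule("permit", "tcp", "0.0.0.0/0", "10.0.5.10/32", (443, 443)),   # web server
    Rule("permit", "tcp", "0.0.0.0/0", "10.0.5.20/32", (25, 25)),     # SMTP gateway
]

INBOUND_TELNET = Packet("tcp", "203.0.113.7", "10.0.5.10", 23)
INBOUND_HTTPS = Packet("tcp", "203.0.113.7", "10.0.5.10", 443)
INBOUND_SNMP = Packet("udp", "203.0.113.7", "10.0.5.20", 161)


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, "shadowed rules:", shadowed_rules(rules))
        for pkt in (INBOUND_TELNET, INBOUND_HTTPS, INBOUND_SNMP):
            print("  ", pkt.proto, pkt.dst, pkt.dport, "->", evaluate(rules, pkt))
```

`shadowed_rules` is the check an auditor can run mechanically over an exported rule base: a deny that sits below a broader permit is a documented intention that the device will never enforce.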

187. When auditing operating software development, acquisition or maintenance, the IS auditor would review system software maintenance activities to determine that:

A. fallback or restoration procedures are in place in case of production failure.
B. the impact of the product on processing reliability is assessed.
C. system software changes are scheduled when they least impact IS processing.
D. current versions of the software are supported by the vendor.

188. While evaluating a file/table design, an IS auditor should understand that a referential integrity constraint consists of:

A. ensuring the integrity of transaction processing.
B. ensuring that data are updated through triggers.
C. ensuring controlled user updates to the database.
D. rules for designing tables and queries.
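
A referential integrity constraint is a rule declared in the table design: a foreign key in a child table must always point at an existing row in the parent table, and the DBMS decides what happens to children when the parent is deleted or renumbered. The block below is an added example, not part of the question bank, that exercises such a constraint in SQLite from Python. The customer/invoice schema and rows are constructed for the demonstration; note the SQLite-specific caveat that foreign keys are enforced only when `PRAGMA foreign_keys` is switched on for the connection, which is exactly the kind of setting an auditor evaluating the design should check.

```python
# Added example (not from the question bank): a referential integrity
# constraint declared on a file/table design, exercised with SQLite. The
# schema and rows are constructed for the demonstration.
import sqlite3
from typing import List, Tuple

SCHEMA = """
CREATE TABLE customer (
    customer_id INTEGER PRIMARY KEY,
    name        TEXT NOT NULL
);
CREATE TABLE invoice (
    invoice_id  INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL
                REFERENCES customer(customer_id)
                ON DELETE RESTRICT ON UPDATE CASCADE,
    amount      INTEGER NOT NULL
);
INSERT INTO customer VALUES (1, 'Acme');
"""


def open_db(enforce: bool) -> sqlite3.Connection:
    """In-memory database; SQLite only honours REFERENCES when the pragma is ON."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce else "OFF"))
    conn.executescript(SCHEMA)
    return conn


def insert_orphan_rejected(enforce: bool) -> bool:
    """Try to file an invoice for customer 999, who does not exist."""
    conn = open_db(enforce)
    try:
        conn.execute("INSERT INTO invoice VALUES (100, 999, 5000)")
        return False
    except sqlite3.IntegrityError:
        return True
    finally:
        conn.close()


def delete_parent_rejected(enforce: bool) -> bool:
    """Try to delete a customer who still has an invoice (ON DELETE RESTRICT)."""
    conn = open_db(enforce)
    conn.execute("INSERT INTO invoice VALUES (100, 1, 5000)")
    try:
        conn.execute("DELETE FROM customer WHERE customer_id = 1")
        return False
    except sqlite3.IntegrityError:
        return True
    finally:
        conn.close()


def cascaded_customer_id() -> int:
    """Renumber the parent key; ON UPDATE CASCADE moves the child row with it."""
    conn = open_db(True)
    conn.execute("INSERT INTO invoice VALUES (100, 1, 5000)")
    conn.execute("UPDATE customer SET customer_id = 2 WHERE customer_id = 1")
    (cid,) = conn.execute("SELECT customer_id FROM invoice WHERE invoice_id = 100").fetchone()
    conn.close()
    return cid


def orphan_invoices(conn: sqlite3.Connection) -> List[Tuple[int, int]]:
    """Detective query an auditor runs when the constraint is not being enforced."""
    return conn.execute(
        "SELECT i.invoice_id, i.customer_id FROM invoice i "
        "LEFT JOIN customer c ON c.customer_id = i.customer_id "
        "WHERE c.customer_id IS NULL"
    ).fetchall()


def orphans_when_unenforced() -> List[Tuple[int, int]]:
    conn = open_db(False)
    conn.execute("INSERT INTO invoice VALUES (100, 999, 5000)")   # silently accepted
    rows = orphan_invoices(conn)
    conn.close()
    return rows


if __name__ == "__main__":
    print("orphan insert rejected (enforced):", insert_orphan_rejected(True))
    print("orphan insert rejected (unenforced):", insert_orphan_rejected(False))
    print("parent delete rejected (enforced):", delete_parent_rejected(True))
    print("invoice follows renumbered customer:", cascaded_customer_id())
    print("orphans found by query when unenforced:", orphans_when_unenforced())
```

The contrast between `insert_orphan_rejected(True)` and `insert_orphan_rejected(False)` is the audit finding: the constraint can be present in the DDL and still not be a control if the engine is configured not to enforce it, in which case the `orphan_invoices` query is the compensating detective check.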

189. One of the responsibilities of the technical support function is:

A. ensuring job preparation, scheduling and operating instructions.
B. establishing, enhancing and maintaining a stable, controlled environment for the implementation of changes within the production software environment.
C. defining, establishing and maintaining a standard, consistent and well-defined testing methodology for computer systems.
D. obtaining detailed knowledge of the operating system and other systems software.

190. A universal serial bus (USB) port:

A. connects to the network without a network card.
B. connects to the network with an Ethernet adapter.
C. replaces all existing connections.
D. connects the monitor.

191. How can an enterprise provide access to its intranet (i.e., an extranet) across the Internet to its business partners?

A. Virtual private network
B. Client/server
C. Dial-in access
D. Network service provider

192. A hub is a device that connects:

A. two LANs using different protocols.
B. a LAN with a WAN.
C. a LAN with a MAN.
D. two segments of a single LAN.

193. Which of the following network configuration options contains a direct link between any two host machines?

A. Bus
B. Ring
C. Star
D. Completely connected (mesh)

194. Which of the following can a local area network (LAN) administrator use to protect against exposure to illegal or unlicensed software usage by network users?

A. Software metering
B. Virus detection software
C. Software encryption
D. Software inventory programs

195.Which of the following controls will MOST effectively detect the presence
of bursts of errors in network transmissions?

A. Parity check
B. Echo check
C. Block sum check
D. Cyclic redundancy check
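Added example (not part of the question bank) showing why the answer to the previous question is the CRC rather than the parity or block-sum check. The block implements a whole-block parity bit, an 8-bit block sum and CRC-16/CCITT-FALSE, then passes a constructed 13-byte frame through three constructed error patterns: a single flipped bit, a 2-bit burst, and a 9-bit-wide burst built so the byte sum does not change. Parity misses every even-count error, the block sum misses the compensating burst, and the CRC, whose generator polynomial has degree 16, catches every burst shorter than 17 bits.

```python
"""Added example (not from the question bank): how a single parity bit, an 8-bit
block sum and a 16-bit CRC respond to burst errors. The frame and the error
patterns are constructed for this illustration."""


def parity_bit(data: bytes) -> int:
    """Parity over the whole block: 1 if the number of set bits is odd."""
    return sum(bin(b).count("1") for b in data) & 1


def block_sum(data: bytes) -> int:
    """Arithmetic sum of all bytes modulo 256."""
    return sum(data) & 0xFF


def crc16_ccitt(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """Bitwise CRC-16/CCITT-FALSE: polynomial x^16 + x^12 + x^5 + 1, initial value 0xFFFF."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ poly) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def corrupt(data: bytes, error_mask: bytes) -> bytes:
    """Transmit `data` over a channel that flips exactly the bits set in `error_mask`."""
    assert len(data) == len(error_mask)
    return bytes(d ^ m for d, m in zip(data, error_mask))


def detected(data: bytes, error_mask: bytes) -> dict:
    """Which checks notice that the received block differs from the block that was sent."""
    received = corrupt(data, error_mask)
    return {
        "parity": parity_bit(received) != parity_bit(data),
        "block_sum": block_sum(received) != block_sum(data),
        "crc16": crc16_ccitt(received) != crc16_ccitt(data),
    }


# Constructed 13-byte frame. Bytes 2 and 3 (0x7F, 0x80) are chosen so that one burst
# can raise byte 2 by 128 and lower byte 3 by 128, leaving the block sum unchanged.
FRAME = bytes.fromhex("01 02 7f 80 10 20 30 40 41 55 44 49 54")


def error_mask(bit_positions, length=len(FRAME)) -> bytes:
    """Build an XOR mask flipping the given bit positions (0 = most significant bit of byte 0)."""
    mask = bytearray(length)
    for pos in bit_positions:
        mask[pos // 8] |= 0x80 >> (pos % 8)
    return bytes(mask)


ERRORS = {
    # one flipped bit (bit 4 of byte 4): every check catches it
    "single bit": error_mask([36]),
    # two adjacent bits flipped (bits 4 and 5 of byte 4): even count, parity is blind
    "2-bit burst": error_mask([36, 37]),
    # burst spanning 9 bit positions: MSB of byte 2 and MSB of byte 3, +128 and -128 cancel
    "9-bit burst": error_mask([16, 24]),
}


def run() -> dict:
    """Detection outcome of each check for each constructed error pattern."""
    return {name: detected(FRAME, mask) for name, mask in ERRORS.items()}


if __name__ == "__main__":
    for name, result in run().items():
        print(f"{name:12s} {result}")
```

The CRC guarantee is algebraic: an error burst confined to at most 16 bit positions is a polynomial of degree below 16 times a power of x, which a degree-16 generator with a non-zero constant term can never divide, so the remainder always changes. Note that a CRC is an error-detection control only; it offers no protection against deliberate modification, which is the domain of a message authentication code or digital signature.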

196.Which of the following types of firewalls provide the GREATEST degree
and granularity of control?

A. Screening router
B. Packet-filter
C. Application-gateway
D. Circuit-gateway

197.Which of the ISO/OSI model layers provides service for how to route
packets between nodes?

A. Data link
B. Network
C. Transport
D. Session

198.In a TCP/IP based network, an IP address specifies a:

A. network connection.
B. router/gateway.
C. computer in the network.
D. device on the network such as a gateway/router, host, server, etc.

199.Connection-oriented protocols in the TCP/IP suite are implemented in the:

A. transport layer.
B. application layer.
C. physical layer.
D. network layer.

200.The device to extend the network that must have storage capacity to
store frames and act as a storage and forward device is a:

A. router.
B. bridge.
C. repeater.
D. gateway.

201.In a client/server architecture, a domain name service (DNS) is MOST
important because it provides the:

A. address of the domain server.
B. resolution service for the name/address.
C. resolution on the Internet for the name/address.
D. domain name system.

202.In a web server, a common gateway interface (CGI) is MOST often used as
a(n):

A. consistent way for data transfer to the application program and back to the
user.
B. computer graphics imaging method for movie and TV.
C. graphic user interface for web design.
D. interface to access the private gateway domain.

203.Which of the following exposures associated with the spooling of
sensitive reports for off-line printing would an IS auditor consider to be the
MOST serious?

A. Sensitive data may be read by operators.
B. Data can be amended without authorization.
C. Unauthorized report copies might be printed.
D. Output would be lost in the event of system failure.

204.Applying a retention date on a file will ensure that:

A. data cannot be read until the date is set.
B. data will not be deleted before the date is set.
C. backup copies are not retained after that date.
D. datasets having the same name are differentiated.

205.Which of the following would NOT be considered a security threat to
Internet web sites?

A. Hackers
B. Crackers
C. Virus writers
D. Asynchronous attacks

206.An IS auditor is assigned to help design the data security, data integrity
and business continuity aspects of an application under development. Which of
the following provides the MOST reasonable assurance that corporate assets
are protected when the application is certified for production?

A. A certification review conducted by the internal auditor.
B. A certification review conducted by the assigned IS auditor.
C. Specifications by the user on the depth and content of the certification review.
D. An independent review conducted by another equally experienced IS auditor.

207.The MOST effective method of preventing unauthorized use of data files is:

A. automated file entry.
B. tape librarian.
C. access control software.
D. locked library.

208.Which of the following would NOT be considered a terminal access control?

A. Use of dial-up lines only in the event of an emergency
B. Disconnection of a terminal after it has been inactive for a period of time
C. Validation of passwords and transaction codes by the access control software
D. Logging of authorized and unauthorized attempts to access the computer
systems

209.Which of the following factors is LEAST likely to allow a perpetrator
to discover a valid password?

A. The number of characters in the password
B. The power of the computer used to break the password code
C. The number of incorrect access attempts allowed before disconnect
D. The content of the character set from which the password is composed

210.Which of the following would be MOST effective in establishing access
control through the use of sign-on procedures?

A. Authorization and authentication of the user
B. Authentication and identification of the user
C. Authorization, authentication and location of the user
D. Authorization, authentication, identification and location of the user

211.Which of the following would BEST ensure the proper updating of critical
fields in a master record?

A. Field checks
B. Control totals
C. Reasonableness checks
D. Before and after maintenance report

212.Which of the following controls is LEAST likely to discover changes made
online to important master records?

A. Update access to master file is restricted to supervisor independent of data
entry.
B. Clerks enter updates online, but these must be finalized by independent
supervisor.
C. Edit listing of all updates are produced daily and reviewed by independent
supervisor.
D. Update authorization form must be approved by independent supervisor
before clerks enter updates.

213.Which of the following is the MOST effective control procedure for security
of a stand-alone small business computer environment?

A. Supervision of computer usage
B. Daily management review of the trouble log
C. Storage of computer media in a locked cabinet
D. Independent review of an application system design

214.Which of the following logical access exposures involves changing data
before, or as it is entered into the computer?

A. Data diddling
B. Trojan horse
C. Worm
D. Salami technique

215.When investigating a serious security access violation, the IS auditor
should NOT:

A. refer the violation to the security administrator since he/she may be a party to
the violation.
B. contact law enforcement to determine if violations have occurred elsewhere.
C. recommend corrective measures since this is the role of the Security
Administrator.
D. perform a security access follow-up to determine if other violations have
occurred.

216.Which of the following would be considered the BEST example of a
proper password for use in system access?

A. XWA3
B. LARRY2
C. TWC2H
D. YRC45OPB

217.Data classification is important when identifying who should have access to:

A. test data and programs.
B. production data and programs.
C. production and test programs.
D. test and production data and programs.

218.Naming conventions for access controls are NOT:

A. setup by the owners of the data or application.
B. dependent on the importance and level of security that is needed.
C. established to promote the implementation of efficient access rules.
D. defined with the assistance of the database administrator.

219.Digital signatures provide data integrity since they require the:

A. signer to have a public key, and the receiver to have a private key.
B. signer to have a private key, and the receiver to have a public key.
C. signer and receiver to have a public key.
D. signer and receiver to have a private key.

220.Automated teller machines (ATMs) are a specialized form of a point of
sale terminal which:

A. allow for cash withdrawal and financial deposits only.
B. are usually located in populous areas to deter theft or vandalism.
C. utilize protected telecommunication lines for data transmissions.
D. must provide high levels of logical and physical security.

221.Which of the following processes would be performed FIRST by the system
when logging-on to an online system?

A. Initiation
B. Verification
C. Authorization
D. Authentication

222.Which of the following is a benefit of using callback devices?

A. Provide an audit trail
B. Can be used in a switchboard environment
C. Permit unlimited user mobility
D. Allow call forwarding

223.Having established an application's access control process, an IS
auditor's next step is to ensure:

A. passwords are not shared.
B. password files are encrypted.
C. redundant logon-IDs are deleted.
D. allocation of logon-IDs is controlled.

224.The following question refers to the diagram below.

For the locations 3a, 1d, and 3d, the diagram indicates hubs with lines that
appear to be open and active. Assuming that is true, what control(s), if any,
should be recommended to mitigate this weakness?

A. Intelligent hub
B. Physical security over the hubs
C. Physical security and an intelligent hub
D. No controls are necessary since this is nota weakness

225.The following question refers to the diagram below.

In the 2c area on the diagram, there are 3 hubs connected to each other.
What potential risk might this indicate?

A. Virus attack
B. Performance degradation
C. Poor management controls
D. Vulnerability to external hackers

226.In the ISO/OSI model, which of the following protocols is the FIRST to
perform security over the user application?

A. Session layer
B. Transport layer
C. Network layer
D. Presentation layer

227.A feature of a digital signature that ensures that the claimed sender
cannot later deny generating and sending the message is:

A. data integrity.
B. authentication.
C. non-repudiation.
D. replay protection.

228.An IS auditor who intends to use penetration testing during an audit
of Internet connections would:

A. evaluate configurations.
B. examine security settings.
C. ensure virus-scanning software is in use.
D. use tools and techniques that are available to a hacker.

229.Which of the following is NOT an employee security responsibility?

A. Keeping Logon-IDs and passwords secret
B. Helping other employees create passwords
C. Reading and understanding the security policy
D. Questioning unfamiliar people who enter a secured area

230.Naming conventions for system resources are an important prerequisite
for access control because they ensure that:

A. resource names are not ambiguous.
B. users' access to resources is clearly and uniquely identified.
C. internationally recognized names are used to protect resources.
D. the number of rules required to adequately protect resources is reduced.

231.Passwords should be:

A. assigned by the security administrator.
B. changed every 30 days at the discretion of the user.
C. reused often to ensure the user does not forget the password.
D. displayed on the screen so that the user can ensure that it has been properly
entered.

232.Logical access controls are used to protect:

A. operator consoles.
B. computer storage facilities.
C. data classification and ownership.
D. disks and tapes in the back-up library.

233.Which of the following is NOT a valid reason for using digital signatures
to secure e-mail transmissions?

A. The signature is unforgeable.
B. Keys can be used indefinitely.
C. Signatures cannot be reused.
D. A signed document cannot be altered.

234.When performing an audit of access rights, an IS auditor should be
suspicious of which of the following if allocated to a computer operator?

A. READ access to data
B. DELETE access to transaction data files
C. Logged READ/EXECUTE access to programs
D. UPDATE access to job control language/----- files

235.An IS auditor who wishes to prevent unauthorized entry to the data
maintained in a dial-up fast response system would recommend?

A. Online terminals be placed in restricted areas.
B. Online terminals be equipped with key locks.
C. ID cards be required to gain access to online terminals.
D. Online access be terminated after three unsuccessful attempts.

236.Which of the following controls would BEST serve to effectively
detect intrusion?

A. User creation and user privileges are granted through authorized procedures.
B. Automatic logoff when a workstation is inactive for a particular period of time.
C. Automatic logoff of the system after a specified number of unsuccessful
attempts.
D. Unsuccessful logon attempts are actively monitored by the security
administrator.

237.Which of the following control weaknesses would an IS auditor performing
an access controls review be LEAST concerned with?

A. Audit trails are not enabled.
B. Programmers have access to the live environment.
C. Group logons are being used for critical functions.
D. The same user can initiate transactions and also change related parameters.

238.Which of the following audit procedures would an IS auditor be LEAST likely
to include in a security audit?

A. Review the effectiveness and utilization of assets.
B. Test to determine that access to assets is adequate.
C. Validate physical, environmental and logical access policies per job profiles.
D. Evaluate asset safeguards and procedures that prevent unauthorized access
to the assets.

239.A firewall access control list may filter access based on each of the
following parameters EXCEPT:

A. port.
B. service type.
C. network interface card (NIC).
D. internet protocol (IP) address.

240.Which of the following applet intrusion issues poses the GREATEST risk
of disruption to an organization?

A. A program that deposits a virus on a client machine.
B. Applets recording keystrokes and, therefore, passwords.
C. Downloaded code that reads files on a client's hard drive.
D. Applets damaging machines on the network by opening connections from the
client machine.

241.Which of the following BEST describes the impact that effective firewall
design and implementation strategies have as an enabler for improved
information security?

A. A source of detailed information about network security.
B. A focal point for security auditing, both internal and external.
C. A chance to significantly reduce the threat of internal hacking.
D. A chance to root out undocumented connections and bring all remote access
into line with written policy.

242.Which of the following information is LEAST likely to be contained in a
digital certificate for the purposes of verification by a Trusted Third
Party (TTP)/Certification Authority (CA)?

A. Name of the TTP/CA
B. Public key of the sender
C. Name of the public key holder
D. Time period for which the key is valid

243.Which of the following access control functions is LEAST likely to be
performed by a database management system (DBMS) software package?

A. User access to field data
B. User sign-on at the network level
C. User authentication at the program level
D. User authentication at the transaction level

244.An IS auditor reviewing operating system access discovers that the system
is not properly secured. In this situation the IS auditor is LEAST likely to
be concerned that the user might:

A. create new users.
B. delete database and log files.
C. access the system utility tools.
D. access the system writeable directories.

245.An IS auditor conducting an access controls review in a
client/server environment discovers that all printing options are accessible by
all users. In this situation the IS auditor is MOST likely to conclude that:

A. exposure is greater since information is available to unauthorized users.
B. operating efficiency is enhanced since anyone can print any report, any time.
C. operating procedures are more effective since information is easily available.
D. user friendliness and flexibility is facilitated since there is a smooth flow of
information among users.

246.An IS auditor discovers that programmers have update access to the
live environment. In this situation the IS auditor is LEAST likely to be
concerned that programmers can:

A. authorize transactions.
B. add transactions directly to the database.
C. make modifications to programs directly.
D. access data from live environment and provide faster maintenance.

247.An IS auditor performing a telecommunication access control review would
focus the MOST attention on the:

A. maintenance of access logs of usage of various system resources.
B. authorization and authentication of the user prior to granting access to system
resources.
C. adequate protection of stored data on servers by encryption or other means.
D. accountability system and the ability to properly identify any terminal
accessing system resources.

248.An organization wants to introduce a new system to allow single-sign-on.
Currently, there are five main application systems, and users must sign on
to each one separately. It is proposed that under the single-sign-on system,
users will only be required to enter one user-ID and password for access to
all application systems. Under this type of single-sign-on system the risk
of unauthorized access:

A. is less likely.
B. is more likely.
C. will have a greater impact.
D. will have a smaller impact.

249.Sign-on procedures include the creation of a unique user-ID and
password. However, an IS auditor discovers that in many cases the user name
and password are the same. The BEST control to mitigate this risk is to:

A. change the company's security policy.
B. educate users about the risk of weak passwords.
C. build in validations to prevent this during user creation and password change.
D. require a periodic review of matching of user-ID and passwords for detection
and correction.
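Added example (not part of the question bank) of the preventive control named in the previous question, applied to the candidate passwords from question 216: a validation routine that runs at user creation and at every password change, so a user ID can never be accepted as its own password. The minimum length, the two-character-class rule and the user IDs in the usage block are assumptions made for the illustration, not values the questions prescribe.

```python
"""Added example (not from the question bank): a password acceptance check to run
at user creation and at password change, so that a user ID can never be used as
its own password. Policy thresholds are illustrative assumptions."""
import re

MIN_LENGTH = 8              # assumption: policy minimum length
MIN_CHARACTER_CLASSES = 2   # assumption: at least two of lower/upper/digit/symbol

_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_problems(user_id: str, candidate: str) -> list:
    """Return the rules a candidate password breaks; an empty list means accept it."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)

    uid = user_id.strip().lower()
    pw = candidate.lower()
    # The finding in question 249: user name and password are the same. Compare
    # case-insensitively and also refuse the user ID embedded in, or reversed
    # inside, the password, so 'larry2' or 'yrral' is no escape from the rule.
    if uid:
        if pw == uid:
            problems.append("identical to the user ID")
        elif uid in pw:
            problems.append("contains the user ID")
        elif uid[::-1] in pw:
            problems.append("contains the reversed user ID")

    classes = sum(1 for pattern in _CLASSES if re.search(pattern, candidate))
    if classes < MIN_CHARACTER_CLASSES:
        problems.append("uses fewer than %d character classes" % MIN_CHARACTER_CLASSES)

    return problems


def is_acceptable(user_id: str, candidate: str) -> bool:
    """Single yes/no answer for the user-creation and password-change code paths."""
    return not password_problems(user_id, candidate)


if __name__ == "__main__":
    # the four candidates from question 216, plus the question 249 finding itself
    for uid, pw in [("larry", "larry"), ("larry", "LARRY2"), ("auditor1", "XWA3"),
                    ("auditor1", "TWC2H"), ("auditor1", "YRC45OPB")]:
        print(f"{uid:10s} {pw:10s} {password_problems(uid, pw) or 'accepted'}")
```

Running the block shows only YRC45OPB accepted, which matches question 216. Returning the list of broken rules rather than a bare boolean lets the user-creation screen tell the user what to fix, and the same function is the one to call from the password-change path; a detective review of matching IDs and passwords (option D) would only find the problem after the accounts were already live. A production version would add a check against a list of breached or common passwords.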

250.The PRIMARY objective of a logical access controls review assignment is to:

A. review access controls provided through software.
B. ensure access is granted per the organization's authorities.
C. walkthrough and assess access provided in the IT environment.
D. provide assurance that computer hardware is adequately protected against
abuse.

251.The scope of a logical access controls review would include the evaluation
of:

A. effectiveness and efficiency of IT security and related controls.
B. confidentiality, integrity and availability of information to authorized users.
C. access to systems software and application software to ensure compliance
with the access policy.
D. access to user authorization levels, parameters and operational functions
through application software.

252.Naming conventions for system resources are an important prerequisite
for access control because they:

A. ensure that resource names are not ambiguous.
B. reduce the number of rules required to adequately protect resources.
C. ensure that user access to resources is clearly and uniquely identified.
D. ensure that internationally recognized names are used to protect resources.

253.When a PC that has been used for the storage of confidential data is sold
on the open market, the:

A. hard disk should be demagnetized.
B. hard disk should be mid-level formatted.
C. data on the hard disk should be deleted.
D. data on the hard disk should be defragmented.

254.Which of the following exposures could be caused by a line-grabbing
technique?

A. Unauthorized data access
B. Excessive CPU cycle usage
C. Lockout of terminal polling
D. Multiplexor control dysfunction

255.Which of the following is an advantage of using a local area network (LAN)?

A. LANs protect against virus infection.
B. LANs protect against improper disclosure of data.
C. LANs provide program integrity from unauthorized changes.
D. LANs provide central storage for a group of users.

256.Creation of an electronic signature:

A. encrypts the message.
B. verifies where the message came from.
C. cannot be compromised when using a private key.
D. cannot be used with e-mail systems.

257.Which of the following is a strength of a client/server security system?

A. Change control and change management procedures are inherently strong.
B. User can manipulate data without controlling resources on the mainframe.
C. Network components seldom become obsolete.
D. Access to confidential data or data manipulation is strongly controlled.

258.Which of the following automated reports measures telecommunication
transmissions and determines whether transmissions are accurately
completed?

A. Online monitors
B. Down time reports
C. Help desk reports
D. Response time reports

259.Which of the following statements pertaining to Internet security is TRUE?

A. Firewalls cannot stop hackers from gaining access to the corporate network.
B. Firewalls should sit in the most commonly used access point between a
corporate network and the Internet.
C. Encrypted corporate data is secure as it transports across the Internet.
D. Not all corporate networks connected to the Internet are subject to attack.

260.An Internet secured gateway's domain name service:

A. prevents users outside a secure network from seeing addresses of secure
hosts.
B. asks a user for the name of the host, and authenticates it before making
contact.
C. offers a way to limit user access into or out of a secure network.
D. provides the ability to administer user names on a network.

261.Which of the following statements is TRUE relating to the use of public
key encryption to secure data while it is being transmitted across a network?

A. Under public key encryption both the key used to encrypt and decrypt the
data are made public.
B. Under public key encryption the key used to encrypt is kept private but the
key used to decrypt the data is made public.
C. Under public key encryption the key used to encrypt is made public but the
key used to decrypt the data is kept private.
D. Under public key encryption both the key used to encrypt and decrypt the
data are kept private.

262.Which of the following would NOT protect a system from computer viruses?

A. Write-protect all diskettes, once they have been virus-checked.
B. Scan any new software before it is installed.
C. Boot only from diskettes that were initially checked for viruses.
D. Do not allow vendors to run demonstrations on company owned machines.

263.During the audit of a telecommunications system the IS auditor finds that
the risk of data interception for communications with remote sites is very
high. The MOST effective control that would reduce this exposure is:

A. encryption.
B. call-back modems.
C. message authentication.
D. dedicated leased lines.

264.An Internet-based attack on commercial systems using password sniffing
can:

A. enable one party to act as if they are another party.
B. cause modification to the contents of certain transactions.
C. be used to gain access to systems containing proprietary information.
D. result in major problems with billing systems and transaction processing
agreements.

265.Which of the following controls would be MOST comprehensive in a remote
access network with multiple and diverse sub-systems?

A. Proxy server
B. Firewall installation
C. Network administrator
D. Password implementation and administration

266.Which of the following is NOT a principle applied in deriving the OSI layers?

A. Each layer should provide a well-defined function.
B. The integrity of data at each layer should be assured.
C. A layer should be created only when a different level of abstraction is needed.
D. The layer boundaries should be chosen to minimize the information flow
across layer interfaces.

267.Which of the following is NOT a common function of application layer
services?

A. Host to host data integrity
B. Application programming interfaces (APIs)
C. Global directory services to locate resources on a network
D. A uniform way of handling a variety of system monitors and devices

268.A decrease in amplitude as a signal propagates along a transmission
medium is known as:

A. noise.
B. crosstalk.
C. attenuation.
D. delay distortion.

269.Use of data encryption is applicable to all of the following OSI layers EXCEPT:

A. physical layer.
B. data link layer.
C. application layer.
D. network and transport layer.

270.Which of the following is MOST affected by network performance
monitoring tools?

A. Integrity
B. Availability
C. Completeness
D. Confidentiality

271.Java applets and ActiveX controls are distributed executable programs
that execute in background of a web browser client. This is a reasonably
controlled practice when:

A. a firewall exists.
B. a secure web connection is used.
C. the source of the executable is certain.
D. the host website is part of your organization.

272.Your organization has been an active Internet user for several years and
your business plan now calls for initiating e-commerce via web-based
transactions. You have decided to accept payment transactions by
implementing agreements with the major credit card companies. They have
suggested certain parameters for your firewall installation. Which of the
following parameters will LEAST impact transactions in e-commerce?

A. Encryption is required
B. Timed authentication is required
C. Firewall architecture hides the internal network
D. Traffic is exchanged through the firewall at the application layer only

273.Which of the following encrypt/decrypt steps provides the GREATEST
assurance in achieving confidentiality, message integrity and non-repudiation
by either sender or recipient?

A. The recipient uses his/her private key to decrypt the secret key.
B. The encrypted pre-hash code and the message are encrypted using a secret
key.
C. The encrypted pre-hash code is derived mathematically from the message to
be sent.
D. The recipient uses the sender's public key, verified with a certificate authority,
to decrypt the pre-hash code.

274.Which of the following controls would provide the GREATEST assurance
over database integrity?

A. Audit log procedures
B. Table link/reference checks
C. Query/table access time checks
D. Roll-back and roll-forward database features

275.Use of asymmetric encryption over an Internet e-commerce site, where
there is one private key for the hosting server and the public key is widely
distributed to the customers, is MOST likely to provide comfort to the:

A. customer over the authenticity of the hosting organization.
B. hosting organization over the authenticity of the customer.
C. customer over the confidentiality of messages from the hosting organization.
D. hosting organization over the confidentiality of messages passed to the
customer.

276.The database administrator (DBA) has recently informed you of his decision
to disable certain normalization controls in the database management system
(DBMS) software in order to provide users with increased query performance.
This will MOST likely increase the risk of:

A. loss of audit trails.
B. redundancy of data.
C. loss of data integrity.
D. unauthorized access to data.

277.Which of the following techniques provides the BEST protection of e-mail
message authenticity and confidentiality?

A. Signing the message using the sender's private key and encrypting the
message using the receiver's public key.
B. Signing the message using the sender's public key and encrypting the
message using the receiver's private key.
C. Signing the message using the receiver's private key and encrypting the
message using the sender's public key.
D. Signing the message using the receiver's public key and encrypting the
message using the sender's private key.

278.Which of the following is the MOST fundamental step in effectively
preventing a virus attack?

A. Executing the updated anti-virus software in the background on a periodic
basis.
B. Buying an effective standard anti-virus software, which is installed on all
servers and workstations with hard disks.
C. Ensuring that all new software through all media is first checked for a virus in
a separate PC before being loaded into the production environment.
D. Adopting a comprehensive anti-virus policy to protect the organization's
computing facilities from virus attacks and communicating it to all users.

279.Confidential PC data is BEST protected by:

A. a password.
B. file encryption.
C. removable diskettes.
D. a key operated power source.

280.When auditing the security of a data center, an IS auditor would look for
the presence of a voltage regulator to:

A. protect hardware against power surges.
B. maintain integrity if the main power is interrupted.
C. maintain immediate power if the main power is lost.
D. protect hardware against long-term power fluctuation.

281.Electromagnetic emissions from a terminal represent an exposure because
they:

A. affect noise pollution.
B. disrupt processor functions.
C. produce dangerous levels of electric current.
D. can be detected and displayed.

282.Which of the following statements relating to power-off switches is FALSE?

A. They may need to immediately shut off power to the computer and peripheral
devices.
B. Two emergency power switches should be installed inside the computer room
adjacent to exits.
C. Emergency power-off switches should be clearly labeled.
D. Emergency power-off switches should be shielded against accidental
activation.

283.Which of the following methods of suppressing a fire in a data center is
the MOST effective and environmentally friendly?

A. Halon gas
B. Wet-pipe sprinklers
C. Dry-pipe sprinklers
D. Carbon dioxide gas

284.Which of the following environmental controls is appropriate to
protect computer equipment against short-term reductions in electrical power?

A. Power line conditioners
B. A surge protective device
C. An alternative power supply
D. An interruptible power supply

285.Which of the following would be the LEAST important item in a
business continuity plan?

A. Redundant facilities
B. Relocation procedures
C. Adequate insurance coverage
D. Current and available business continuity manual

286.Which of the following physical access controls would provide the
highest degree of security over unauthorized access?

A. Bolting door lock
B. Cipher lock
C. Electronic door lock
D. Fingerprint scanner

287.Which of the following is LEAST likely to be classified as a physical
access control?

A. Access to the work area is restricted through a swipe card.
B. All physical assets have an identification tag and are properly recorded.
C. Access to the premises is restricted and all visitors authorized for entry.
D. Visitors are issued a pass and escorted in and out by a concerned employee.

288.During the course of a physical verification of assets an IS auditor
discovered discrepancies in properly identifying and recording assets which
could be attributed to a lack of related procedures and policies. Which of the
following would NOT be a resultant exposure caused by this situation?

A. Assets do not have an adequate identification tag.
B. Incorrect identification may affect warranty claims.
C. Incorrect identification may affect insurance claims.
D. Assets wrongly recorded may lead to misappropriation.

289.Which of the following procedures can a biometric system perform?

A. Measure airborne contamination.
B. Provide security over physical access.
C. Monitor temperature and humidity levels.
D. Detect hazardous electromagnetic fields in an area.

290.Which of the following concerns associated with the World Wide Web would
be addressed by a firewall?

A. Unauthorized access from outside the organization
B. Unauthorized access from within the organization
C. Delay in Internet connectivity
D. Delay in downloading using file transfer protocol

291.A digital signature contains a message digest to:

A. show if the message has been altered after transmission.
B. define the encryption algorithm.
C. confirm the identity of the originator.
D. enable message transmission in a digital format.
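Added example (not part of the question bank) walking through the mechanics behind questions 219, 227, 261, 273, 277 and 291 in one piece of code: the signer hashes the message and signs the digest with a private key, anyone holding the matching public key verifies it, an altered message or a different key fails verification, and confidentiality comes from encrypting a session key under the receiver's public key so that only the receiver's private key recovers it. The code is textbook RSA written here for illustration: the keys are generated with a fixed seed, the message and session key are constructed, and no padding scheme is applied, so it is for reading the mechanics and not a substitute for RSA-PSS/OAEP or ECDSA from a vetted library.

```python
"""Added example (not from the question bank): textbook-RSA walk-through of the
digital-signature questions. Keys are generated with a fixed seed, the message is
constructed, and no padding is applied: illustrative only, never production code."""
import hashlib
import random

RNG = random.Random(2024)  # fixed seed so the example is reproducible


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test, after trial division by the first few primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = RNG.getrandbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 1024):
    """Return ((e, n), (d, n)): the public key is published, the private key never leaves its owner."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)


def digest(message: bytes) -> int:
    """Message digest: a fixed-size fingerprint that changes if any bit of the message changes."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    d, n = private_key
    return pow(digest(message), d, n)           # only the private-key holder can produce this


def verify(message: bytes, signature: int, public_key) -> bool:
    e, n = public_key
    return pow(signature, e, n) == digest(message)   # anyone with the public key can check it


def encrypt_int(m: int, public_key) -> int:
    e, n = public_key
    return pow(m, e, n)


def decrypt_int(c: int, private_key) -> int:
    d, n = private_key
    return pow(c, d, n)


def demo() -> dict:
    alice_pub, alice_priv = generate_keypair()
    bob_pub, bob_priv = generate_keypair()
    message = b"Pay 1,000.00 to account 4711"          # constructed sample message
    signature = sign(message, alice_priv)
    results = {
        "bob_verifies_alice": verify(message, signature, alice_pub),
        # question 291: an altered message no longer matches the digest bound into the signature
        "altered_message_verifies": verify(b"Pay 9,000.00 to account 4711", signature, alice_pub),
        # question 227: the signature is bound to Alice's key pair, so it fails under Bob's
        "verifies_under_wrong_key": verify(message, signature, bob_pub),
    }
    # questions 273/277: confidentiality comes from wrapping a session key with the
    # RECEIVER's public key; only the receiver's private key unwraps it
    session_key = RNG.getrandbits(128)
    wrapped = encrypt_int(session_key, bob_pub)
    results["receiver_unwraps_session_key"] = decrypt_int(wrapped, bob_priv) == session_key
    results["sender_key_unwraps_session_key"] = decrypt_int(wrapped, alice_priv) == session_key
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:32s} {value}")
```

Two things the exam answers compress are visible here. Non-repudiation holds only while the private key stays with its owner: the verifier learns that the signature was made with Alice's key, not that Alice pressed the button, which is why key protection and revocation (question 242's validity period) matter. And the signature gives integrity and origin but no confidentiality at all: the message travels in clear unless, as in option A of question 277, it is additionally encrypted for the receiver.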

292.Which of the following fire suppressant systems would an IS auditor expect
to find when conducting an audit of an unmanned computer center?

A. Carbon dioxide
B. Halon
C. Dry-pipe sprinkler
D. Wet-pipe sprinkler

293.The use of web site certificates achieves all of the following
objectives EXCEPT:

A. authenticate the user.
B. authenticate the web site.
C. warranty that the terms for transactions are properly revealed to the users.
D. ensure that the web site has effective controls to protect private users'
information from entities that are not related to the business.

294.Which of the following types of transmission media provide the BEST
security against unauthorized access?

A. Copper wire
B. Twisted pair
C. Fiber optic cables
D. Coaxial cables

295.Controls designed to ensure that unauthorized changes cannot be made
to information once it resides in a file are known as:

A. data security controls.
B. implementation controls.
C. program security controls.
D. computer operations controls.

296.Which of the following is the MOST effective technique for providing
security during data transmission?

A. Communication log
B. Systems software log
C. Encryption
D. Standard protocol

297. Which of the following is the MOST effective control over visitor access to a data center?

A. Visitors are escorted
B. Visitor badges are required
C. Visitors sign in
D. Visitors are spot-checked by operators

298. Which of the following is a technique that could illegally capture network user passwords?

A. Encryption
B. Sniffing
C. Spoofing
D. Data destruction

299. All of the following are elements of a security infrastructure EXCEPT:

A. management commitment and support.
B. defined and documented security awareness training programs.
C. legal notice banners displayed on terminals with Internet connectivity.
D. defined and documented security policies and procedures.

300. Which of the following is the BEST audit procedure when examining if a firewall is configured in compliance with the organization's security policy?

A. Review the parameter settings
B. Interview the firewall administrator
C. Review the actual procedures
D. Review the device's log file for recent attacks

301. All of the following are significant Internet exposures EXCEPT:

A. loss of integrity.
B. denial of service.
C. insufficient resources to improve and maintain integrity.
D. unauthorized access.

302. When an organization's network is connected with an external network in an Internet client/server model not under that organization's control, security becomes a concern. In providing adequate security in this environment, which of the following assurance levels is LEAST important?

A. Server and client authentication
B. Data integrity
C. Data recovery
D. Data confidentiality

303. Programs that can run independently and travel from machine to machine across network connections, which may destroy data or utilize tremendous computer and communication resources, are referred to as:

A. trojan horses.
B. viruses.
C. worms.
D. logic bombs.

304. Which of the following would LEAST likely prevent an information security failure in a wide area network?

A. Conducting user training and awareness programs
B. Avoiding a single point of failure
C. Developing systems that are free from vulnerabilities
D. Regular and rigorous monitoring of the system logs

305. All of the following are common forms of Internet attacks EXCEPT:

A. exploitation of vulnerabilities in vendor programs.
B. denial of service attacks.
C. sending hostile code and attack programs as mail attachments.
D. systematic hacker foot-printing of an organization.

306. The management of an organization has encountered several security incidents recently and has decided to establish a security awareness program. Which of the following would be the LEAST effective in establishing a successful security awareness program?

A. Reward employees who report suspicious events
B. Provide training on a regular basis to new employees, support staff, users, and managers
C. Stage mock incidents to see how well users and support staff respond
D. Utilize an intrusion detection system to report on incidents that occur

307. Password syntax rules should include all of the following EXCEPT:

A. be five to eight characters in length.
B. shadowed so they are not displayed.
C. allow for a combination of alphanumeric characters.
D. not be particularly identifiable with any user.

308. Information for detecting unauthorized input from a terminal would be BEST provided by the:

A. console log printout.
B. transaction journal.
C. automated suspense file listing.
D. user error report.

309. An IS auditor attempting to determine whether access to program documentation is restricted to authorized persons would MOST likely:

A. evaluate the record retention plans for off-premises storage.
B. interview programmers about the procedures currently being followed.
C. compare utilization records to operations schedules.
D. review data file access records to test the librarian function.

310.A systems analyst should have access to all of the following EXCEPT:

A. source code.
B. password identification tables.
C. user procedures.
D. edit criteria.

311. Authentication is the process by which the:

A. system verifies that the user is entitled to input the transaction requested.
B. system verifies the identity of the user.
C. user identifies himself to the system.
D. user indicates to the system that the transaction was processed correctly.

312. The IS auditor has determined that protection of computer files is inadequate. Which of the following is LEAST likely to have caused this problem?

A. Arrangements for compatible backup computer facilities
B. Procedures for release of files
C. Offsite storage procedures
D. Environmental controls

313. If inadequate, which of the following would MOST likely contribute to a denial of service attack?

A. Router configuration and rules
B. Design of the internal network
C. Updates to the router system software
D. Audit testing and review techniques

314. Which of the following is the MOST effective type of anti-virus software?

A. Scanners
B. Active monitors
C. Integrity checkers
D. Vaccines

315.The technique used to ensure security in virtual private networks (VPNs) is:

A. encapsulation.
B. wrapping.
C. transform.
D. encryption.

316. A critical function of a firewall is to act as a:

A. special router that connects the Internet to a LAN.
B. device for preventing authorized users from accessing the LAN.
C. server used to connect authorized users to private trusted network resources.
D. proxy server to increase the speed of access to authorized users.

317. During an audit of an enterprise that is dedicated to e-commerce in the modality of business-to-customer, the IS manager states that digital signatures are used in the establishment of its commercial relations. The auditor must prove that which of the following is used?

A. A biometric, digitalized and encrypted parameter with the customer's public key
B. A hash of the data that is transmitted and encrypted with the customer's private key
C. A hash of the data that is transmitted and encrypted with the customer's public key
D. The customer's scanned signature, encrypted with the customer's public key

318. Risk of hash compromise is BEST mitigated using:

A. digital signatures.
B. message encryption.
C. message authentication code.
D. cryptanalysis.

319. Secure socket layer (SSL) protocol addresses the confidentiality of a message through:

A. symmetric encryption.
B. message authentication code.
C. hash function.
D. digital signature certificates.

320. An organization is considering connecting a critical PC-based system to the Internet. Which of the following would provide the BEST protection against hacking?

A. Application level gateway
B. Remote access server
C. Proxy server
D. Port scanning

321. A "dry-pipe" fire extinguisher system is a system that uses:

A. water, but in which water does not enter the pipes until a fire has been detected.
B. water, but in which the pipes are coated with special watertight sealants.
C. carbon dioxide instead of water.
D. halon instead of water.

322. An enterprise is implementing a business-to-business (B-to-B) network infrastructure to ensure efficient and effective communication and supply chain management with all international customers and suppliers. The enterprise would like to utilize the network infrastructure for secure communication, paperless negotiations and agreements and to ensure appropriate evidence for all transactions. The MOST appropriate solution is:

A. asymmetric encryption and digital signatures.
B. symmetric encryption and digital signatures.
C. public key infrastructure (PKI).
D. message authentication code and digital signatures.

323.Electronic signatures can prevent messages from being:

A. suppressed.
B. repudiated.
C. disclosed.
D. copied.

324. Confidential data stored on a laptop is BEST protected by:

A. storage on optical disks.
B. log-on ID and password.
C. data encryption.
D. physical locks.

325. Security administration procedures require read-only access to:

A. access control tables.
B. security log files.
C. logging options.
D. user profiles.

326. Which of the following would an IS auditor consider a MAJOR risk of using single sign-on?

A. It enables access to single multiple applications
B. It represents a single point of failure
C. It causes an administrative bottleneck
D. It leads to a lockout of valid users

327. Naming conventions for access controls are usually set by:

A. data owners with the help of the security officer.
B. programmers with the help of the security officer.
C. system analysts with the help of the security officer.
D. the librarian with the help of the security officer.

328. Which of the following is the MOST secure way to connect a private network over the Internet in a small- to medium-sized organization?

A. Virtual private network
B. Dedicated line
C. Leased line
D. Integrated services digital network

329. The potential for unauthorized system access, by way of terminals or workstations within the organization's facility, is increased when:

A. connecting points are available in the facility to connect laptops to the network.
B. users do not write their system passwords on, or near, their work areas.
C. terminals with password protection are located in unsecured locations.
D. terminals are located within the facility in small clusters of a few terminals, each under direct charge and supervision of an administrator.

330. The BEST defense against eavesdropping into computer networks is:

A. encryption.
B. moving the defense perimeter outward.
C. reducing the amplitude of the communication signal.
D. masking the signal with noise.

331. A virtual private network (VPN) performs which of the following functions?

A. Hides information from sniffers on the net
B. Enforces security policies
C. Detects misuse or mistakes
D. Regulates access

332. Within an e-Commerce transaction through the Internet, the process of applying a digital signature to the data that travels in the network provides which of the following?

A. Confidentiality and integrity
B. Security and nonrepudiation
C. Integrity and nonrepudiation
D. Confidentiality and nonrepudiation

333. Which of the following would an IS auditor consider a weakness when performing an audit of an organization that uses a public key infrastructure with digital certificates for its business-to-consumer transactions via the Internet?

A. Customers are widely dispersed geographically, but not the certificate authorities (CA).
B. Customers can make their transactions from any computer or mobile device.
C. The certificate authority has several data processing subcenters to administrate certificates.
D. The organization is the owner of the CA.

334. Which of the following implementation modes would provide the GREATEST amount of security to outbound data connecting to the Internet?

A. Transport mode with authentication header (AH) plus encapsulating security payload (ESP)
B. SSL mode
C. Tunnel mode with AH plus ESP
D. Triple-DES encryption mode

335.Which of the following is the MOST reliable sender authentication method?

A. Digital signatures
B. Asymmetric cryptography
C. Digital certificates
D. Message authentication code

336. In the Internet encryption process, which of the following steps provides the GREATEST assurance in achieving authenticity of a message?

A. The pre-hash code is derived mathematically from the message being sent.
B. The pre-hash code is encrypted using the sender's private key.
C. Encryption of the pre-hash code and the message using the secret key.
D. Sender attains the recipient's public key and verifies the authenticity of its digital certificate with a certificate authority.

337. An Internet security threat that could compromise integrity is:

A. theft of data from the client.
B. exposure of network configuration information.
C. a trojan horse browser.
D. eavesdropping on the net.

338. An IS auditor performing a review of the implemented security infrastructure of an organization that provides business-to-business activities observes that PKI services are being used. The auditor's conclusion would be that they use:

A. personal key information.
B. private key infrastructure.
C. public key infrastructure.
D. practical Kerberos implementation.

339. In a public key infrastructure (PKI), the authority which is responsible for the identification and authentication of an applicant for a digital certificate (i.e., certificate subjects) is the:

A. registration authority (RA).
B. issuing certification authority.
C. subject certification authority.
D. policy management authority.

340. In which of the following situations would a checkpoint/restart procedure NOT enable recovery?

A. Experiencing temporary failure of the hardware
B. Loading tapes out of sequence in a multi-volume file
C. Completing the run of an incorrect version of the program
D. Suffering temporary power loss to the Data Center during the run

341. If a database is restored using before image dumps, where should the process be restarted following an interruption?

A. Before the last transaction
B. After the last transaction
C. The first transaction after the latest checkpoint
D. The last transaction before the latest checkpoint

342. Which of the following is an important consideration in providing backup for online systems?

A. Maintaining system software parameters
B. Ensuring periodic dumps of transaction logs
C. Ensuring grandfather-father-son file backups
D. Maintaining important data at an off-site location

343. As updates to an online order entry system are processed, the updates are recorded on a transaction tape and a hard copy transaction log. At the end of the day, the order entry files are backed up onto tape. During the backup procedure, the disk drive malfunctions and the order entry files are lost. Which of the following are necessary to restore these files?

A. The previous day's backup file and the current transaction tape
B. The previous day's transaction file and the current transaction tape
C. The current transaction tape and the current hardcopy transaction log
D. The current hardcopy transaction log and the previous day's transaction file

344. Which of the following business recovery strategies would require the least expenditure of funds?

A. Warm site facility
B. Empty shell facility
C. Hot site subscription
D. Reciprocal agreement

345. Which of the following alternative business recovery strategies would be LEAST appropriate in a large database and online communications network environment where the critical business continuity period is 10 days?

A. Hot site
B. Cold site
C. Reciprocal agreement
D. Dual information processing facilities

346. For which of the following applications would rapid recovery be MOST crucial?

A. Point-of-sale
B. Corporate planning
C. Regulatory reporting
D. Departmental chargeback

347. An organization's disaster recovery plan should address early recovery of:

A. all information systems processes.
B. all financial processing applications.
C. only those applications designated by the IS Manager.
D. processing in priority order, as defined by business management.

348. An off-site information processing facility:

A. should have the same amount of physical access restrictions as the primary processing site.
B. should be easily identified from the outside so that in the event of an emergency it can be easily found.
C. should be located in proximity to the originating site so that it can quickly be made operational.
D. need not have the same level of environmental monitoring as the originating site since this would be cost prohibitive.

349. An advantage of the use of hot sites as a backup alternative is:

A. the costs associated with hot sites are low.
B. that hot sites can be used for an extended amount of time.
C. that hot sites can be made ready for operation within a short period of time.
D. that hot sites do not require that equipment and systems software be compatible with the primary installation being backed up.

350. An IS auditor reviewing back-up procedures for software need only determine that:

A. object code libraries are backed up.
B. source code libraries are backed up.
C. both object and source code libraries are backed up.
D. program patches are maintained at the originating site.

351. Which of the following control concepts should be included in a comprehensive test of disaster recovery procedures?

A. Invite client participation.
B. Involve all technical staff.
C. Rotate recovery managers.
D. Install locally stored backup.

352. Which of the following tests would NOT apply to a review of the data center disaster recovery plan?

A. Setting up alternative processing facilities
B. Testing full functionality of restored applications
C. Installing key files from those stored in the Media Library
D. Executing application programs from offsite backup copies

353. Which of the following is the business continuity planning and reconstruction team that is responsible for updating the applications database working from terminals at the user recovery site during a reconstruction?

A. Applications team
B. Network recovery team
C. Emergency operations team
D. Data preparation and records team

354. Which of the following procedures would an IS auditor perform to BEST determine whether adequate recovery/restart procedures exist?

A. Reviewing program code
B. Reviewing operations documentation
C. Turning off the UPS, then the power
D. Reviewing program documentation

355. A company performs full back-up of data and programs on a regular basis. The primary purpose of this practice is to:

A. maintain data integrity in the applications.
B. restore application processing after a disruption.
C. prevent unauthorized changes to programs and data.
D. ensure recovery of data processing in case of a disaster.

356. An IS auditor conducting a review of disaster recovery planning at a financial processing organization has discovered the following:

The existing disaster recovery plan was compiled two years ago by a systems analyst in the organization's IT department using transaction flow projections from the operations department.
The plan was presented to the deputy CEO for approval and formal issue, but it is still awaiting his attention.
The plan has never been updated, tested or circulated to key management and staff, though interviews show that each would know what action to take for their area in the event of a disruptive incident.

The IS auditor's report should recommend that:

A. the deputy CEO be censured for his failure to approve the plan.
B. a board of senior managers be set up to review the existing plan.
C. the existing plan be approved and circulated to all key management and staff.
D. an experienced manager coordinate the creation of a new plan or revised plan within a defined time limit.

357. An IS auditor conducting a review of disaster recovery planning at a financial processing organization has discovered the following:

The existing disaster recovery plan was compiled two years ago by a systems analyst in the organization's IT department using transaction flow projections from the operations department.
The plan was presented to the deputy CEO for approval and formal issue, but it is still awaiting his attention.
The plan has never been updated, tested or circulated to key management and staff, though interviews show that each would know what action to take for their area in the event of a disruptive incident.

The basis of the organization's disaster recovery plan is to re-establish live processing at an alternative site where a similar, but not identical, hardware configuration is already established. The IS auditor should:

A. take no action as the lack of a current plan is the only significant finding.
B. recommend that the hardware configuration at each site should be identical.
C. perform a review to verify that the second configuration can support live processing.
D. report that the financial expenditure on the alternative site is wasted without an effective plan.

358. Disaster recovery planning for a company's computer system usually focuses on:

A. operations turnover procedures.
B. strategic long-range planning.
C. the probability that a disaster will occur.
D. alternative procedures to process transactions.

359. The MAIN purpose for periodically testing off-site hardware back-up facilities is to:

A. ensure the integrity of the data in the database.
B. eliminate the need to develop detailed contingency plans.
C. ensure the continued compatibility of the contingency facilities.
D. ensure that program and system documentation remains current.

360. During a business continuity planning review, the IS auditor discovered that software back-up is being kept only by the IT department and that senior management is not aware of where back-ups are being kept. Which of the following recommendations is an IS auditor LEAST likely to make?

A. Validations in the application software should be made to prevent unauthorized access to data.
B. Off-site security and environmental protection systems should be similar to the production environment.
C. There should be off-site storage of software company data, work product or deliverables in a protected vault for such period as specified.
D. A comprehensive business continuity plan should be formulated to meet the business needs and provide required capabilities in the event of any failure of IT systems.

361. A large chain of shops with electronic funds transfer (EFT) at point-of-sale devices has a central communications processor for connecting with the banking network. Which of the following is the BEST disaster recovery plan for the communications processor?

A. Off-site storage of daily back-ups
B. Alternative standby processor onsite
C. Installation of duplex communication links
D. Alternative standby processor at another network node

362. The following table lists the estimate of the probability of a computer system being destroyed in a natural disaster and the corresponding overall business loss. Which system has the greatest exposure to loss?

    Likelihood    Losses (in $)
A.  10%           6 million
B.  15%           5 million
C.  20%           2.5 million
D.  25%           4 million

363. Which of the following would an IS auditor consider to be the MOST important to review when conducting a business continuity audit?

A. A hot site is contracted for and available as needed.
B. A business continuity manual is available and current.
C. Insurance coverage is adequate and premiums are current.
D. Media backups are performed on a timely basis and stored off-site.

364. Which of the following methods of providing telecommunication continuity involves routing traffic through split or duplicate cable facilities?

A. Diverse routing
B. Alternative routing
C. Redundancy
D. Long haul network diversity

365. Which of the following is NOT a feature of an uninterruptible power supply (UPS)?

A. A UPS provides electrical power to a computer in the event of a power failure.
B. A UPS system is an external piece of equipment or can be built into the computer itself.
C. A UPS should function to permit an orderly computer shutdown.
D. A UPS uses a greater wattage into the computer to ensure enough power is available.

366. Most business continuity tests should:

A. be conducted at the same time as normal business operations.
B. address all system components.
C. evaluate the performance of personnel.
D. be monitored by the IS auditor.

367. Which of the following would BEST ensure continuity of a wide area network (WAN) across the organization?

A. Built-in alternative routing
B. Full system back-up taken daily
C. A repair contract with a service provider
D. A duplicate machine alongside each server

368. The MOST significant level of business continuity planning program development effort is generally required during the:

A. testing stage.
B. evaluation stage.
C. maintenance stage.
D. early stages of planning.

369. An IS auditor reviewing an organization's information systems disaster recovery plan should verify that it is:

A. tested every 6 months.
B. regularly reviewed and updated.
C. approved by the chief executive officer (CEO).
D. communicated to every departmental head in the organization.

370. Which of the following implementations of the data encryption standard (DES) is the simplest implementation?

A. Electronic codebook (ECB)
B. Cipher block chaining (CBC)
C. Cipher feedback (CFB)
D. Output feedback (OFB)

371. Which of the following manages the certificate life cycle of public key pairs to ensure adequate security and controls exist in e-commerce applications?

A. Registration authority
B. Certificate authority
C. Certification relocation list
D. Certification practice statement

372. An IS auditor performing a review of the back-up processing facilities would be MOST concerned that:

A. adequate fire insurance exists.
B. regular hardware maintenance is performed.
C. offsite storage of transaction and master files exists.
D. backup processing facilities are fully tested.

373. Which of the following findings would an IS auditor be MOST concerned about when performing an audit of backup and recovery and the offsite storage vault?

A. There are three individuals with a key to enter the area
B. Paper documents are also stored in the offsite vault
C. Data files, which are stored in the vault, are synchronized
D. The offsite vault is located in a separate facility

374. Which of the following represents the GREATEST risk created by a reciprocal agreement for disaster recovery made between two companies?

A. Developments may result in hardware and software incompatibility
B. Resources may not be available when needed
C. The recovery plan cannot be tested
D. The security infrastructures in each company may be different

375. All of the following are security and control concerns associated with disaster recovery procedures EXCEPT:

A. loss of audit trail.
B. insufficient documentation of procedures.
C. inability to restart under control.
D. inability to resolve system deadlock.

376. Losses can be minimized MOST effectively by using outside storage facilities to do which of the following?

A. Include current, critical information in backup files
B. Ensure that current documentation is maintained at the backup facility
C. Test backup hardware
D. Train personnel in backup procedures

377. Which of the following BEST describes the difference between a disaster recovery plan and a business continuity plan?

A. The disaster recovery plan works for natural disasters whereas the business continuity plan works for non-planned operating incidents such as technical failures.
B. The disaster recovery plan works for business process recovery and information systems whereas the business continuity plan works only for information systems.
C. The disaster recovery plan defines all needed actions to restore to normal operation after an unplanned incident whereas the business continuity plan only deals with critical operations needed to continue working after an unplanned incident.
D. The disaster recovery plan is the awareness process for employees whereas the business continuity plan contains the procedures themselves to recover the operation.

378. Which of the following would ensure a quick continuity of operations when the recovery time window is short?

A. A duplicated back-up in an alternate site
B. Duplicated data in a remote site
C. Transfer of data the moment a contingency occurs
D. A manual contingency procedure

379. Which of the following is MOST important to have in a disaster recovery plan?

A. Backup of compiled object programs
B. Reciprocal processing agreement
C. Phone contact list
D. Supply of special forms

380. At the end of a simulation of an operational contingency test, the IS auditor performed a review of the recovery process. The IS auditor concluded that the recovery took more than the critical time frame that was necessary. Which of the following actions would the auditor recommend?

A. Widen the physical capacity to accomplish better mobility in a shorter time.
B. Shorten the distance to reach the hot site.
C. Perform an integral review of the recovery tasks.
D. Increase the number of human resources involved in the recovery process.

381. An IS auditor inspects an organization's offsite storage and plans to sample the system and program documentation. The IS auditor is MOST likely interested in reviewing:

A. error conditions and user manuals.
B. application run books.
C. job stream control instructions.
D. exception processing instructions.

382. While reviewing the business continuity plan of an organization, the IS auditor observed that the organization's data and software files are backed up on a periodic basis. Which characteristic of an effective plan does this demonstrate?

A. Deterrence
B. Mitigation
C. Recovery
D. Response

383. Which of the following disaster recovery/continuity plan components provides the GREATEST assurance for recovery after a disaster?

A. The requirement that the alternate facility be available until the original information processing facility is restored.
B. User management involvement in the identification of critical systems and their associated critical recovery times and the specification of needed procedures.
C. Copies of the plan kept at the homes of key decision making personnel.
D. Adequate feedback to management to assure that the business continuity plans are indeed workable and that the procedures are current.

384. Which of the following principles must exist to ensure the viability of a duplicate information processing facility?

A. The site is near the primary site to ensure quick and efficient recovery is achieved.
B. The site contains the most advanced hardware available from the chosen vendor.
C. The workload of the primary site is monitored to ensure adequate backup is complete.
D. The hardware is tested when it is established to ensure it is working properly.

385. There are several methods of providing telecommunications continuity. The method of routing traffic through split cable or duplicate cable facilities is:

A. alternative routing.
B. diverse routing.
C. long haul network diversity.
D. last mile circuit protection.

386. Which of the following offsite information processing facility conditions would cause an IS auditor the GREATEST concern?

A. The facility is clearly identified on the outside with the company name.
B. The facility is located more than an hour driving distance from the originating site.
C. The facility does not have any windows to let in natural sunlight.
D. The facility entrance is located in the back of the building rather than the front.

387. Which of the following is a continuity plan test that uses actual resources to simulate a system crash to cost-effectively obtain evidence about the plan's effectiveness?

A. Paper test
B. Post test
C. Preparedness test
D. Walkthrough

388. An offsite backup facility having electrical wiring, air conditioning, flooring, etc., but no computer or communications equipment, intended to operate an information processing facility is better known as a:

A. cold site.
B. warm site.
C. dial up site.
D. duplicate processing facility.

389. Which of the following methods of results analysis, during the testing of the business continuity plan (BCP), provides the BEST assurance that the plan is workable?

A. Quantitatively measuring the results of the test
B. Measurement of accuracy
C. Elapsed time for completion of prescribed tasks
D. Evaluation of the observed test results

390.A large organization with numerous applications running on its mainframe


systemis experiencing a growing backlog of undeveloped applications. As part
of amaster plan to eliminate this backlog, end-user computing with
prototyping isbeing introduced, supported by the acquisition of an interactive
applicationgenerator system. Which of the following areas is MOST critical to
the ultimatesuccess of this venture?

A. Data control
B. Systems analysis
C. Systems programming
D. Application programming

391.Which of the following general control items would NOT normally be found in
an audit of user programming procedures in an end-user computing
environment?

A. Console log procedures
B. Change control procedures
C. Back-up and recovery procedures
D. Documentation standards and procedures

392.Which of the following represents a typical prototype of an
interactive application?

A. Screens and process programs
B. Screens, interactive edits and sample reports
C. Interactive edits, process programs and sample reports
D. Screens, interactive edits, process programs and sample reports

393.Which of the following statements relating to the use of spreadsheets is
FALSE?

A. An essential control feature is the performance of adequate testing.
B. It is important to develop complete and appropriate documentation.
C. In the designing process, it is important that data be limited to one
spreadsheet.
D. The reference area should include the file name, the version number, and the
creation date and time.

394.Which of the following tasks would NOT be performed by an IS auditor
when reviewing systems development controls in a specific application?

A. Attend project progress meetings.
B. Review milestone documents for appropriate sign-off.
C. Compare development budgets with actual time and dollars spent.
D. Design and execute testing procedures for use during acceptance testing.

395.Which of the following represents the MOST pervasive control over
application development?

A. IS auditors
B. Standard development methodologies
C. Extensive acceptance testing
D. Quality assurance groups

396.A computerized information system frequently fails to meet the needs of
users because:

A. user needs are constantly changing.
B. the growth of user requirements was inaccurately forecast.
C. the hardware system limits the number of concurrent users.
D. user participation in defining the system's requirements is inadequate.

397.Which of the following are objectives of using a system development life
cycle methodology?

A. Ensuring that appropriate staffing is complete and providing a method of
controlling costs and schedules.
B. Providing a method of controlling costs and schedules and ensuring
communication among users, IS auditors, management and IS personnel.
C. Providing a method of controlling costs and schedules and an effective means
of auditing project development.
D. Ensuring communication among users, IS auditors, management and
personnel and ensuring that appropriate staffing is complete.

398.A primary reason for an IS auditor's involvement in the development of a
new application system is to determine that:

A. adequate controls are built into the system.
B. user requirements are satisfied by the system.
C. sufficient hardware is available to process the system.
D. data are being developed for pre-implementation testing of the system.

399.In which of the following phases of the system development life cycle of a
new application system is it the MOST important for the IS auditor to
participate?

A. Design
B. Testing
C. Programming
D. Implementation

400.During a detailed system design, the IS auditor would be LEAST concerned
with:

A. adequacy of audit trails.
B. handling of rejected transactions.
C. adequacy of hardware to handle the system.
D. procedures to ensure that all transactions are received.

401.Which of the following groups/individuals assume ownership of
systems development life cycle projects and the resulting system?

A. User management
B. Senior management
C. Project steering committee
D. Systems development management

402.Which of the following statements regarding the function of a
systems development life cycle steering committee is FALSE?

A. Review project progress regularly.
B. Report only to senior management on project status.
C. Serve as a coordinator and advisor to answer questions about system and
program design.
D. Take corrective action regarding personnel changes on the project team.

403.The responsibility of assuring that the systems development life cycle
design adheres to corporate security policies and tests system security prior
to implementation is that of the:

A. security officer.
B. project manager.
C. quality assurance.
D. project steering committee.

404.An IS auditor who is participating in a systems development life cycle
project should:

A. recommend appropriate control mechanisms regardless of cost.
B. obtain and read project team meeting minutes to determine the status of the
project.
C. ensure that adequate and complete documentation exists for all project
phases.
D. not worry about his/her own ability to produce key deliverables by the
promised dates since work will progress regardless.

405.The phases and deliverables of a systems development life cycle project
should be determined:

A. during the early planning stages of the project.
B. after early planning has been completed, but before work has begun.
C. during the work stages as deliverables are determined based on risks and
exposures.
D. only after all risks and exposures have been identified and the IS auditor has
recommended appropriate controls.

406.Where a systems development life cycle methodology is inadequate, the
MOST serious immediate risk is that the new system will:

A. be completed late.
B. exceed the cost estimates.
C. not meet business and user needs.
D. be incompatible with existing systems.

407.Which of the following is a management technique that enables
organizations to develop strategically important systems faster while reducing
development costs and maintaining quality?

A. Function point analysis
B. Critical path methodology
C. Rapid application development
D. Program evaluation review technique

408.Which of the following is NOT an advantage of using structured analysis
(SA)?

A. SA supports CASE tools.
B. SA addresses users' concerns quickly.
C. SA is more applicable to problem-oriented analysis than design.
D. SA addresses the issue of structuring systems into concurrent tasks.

409.Which of the following is an advantage of prototyping?

A. The finished system normally has strong internal controls.
B. Prototype systems can provide significant time and cost savings.
C. Change control is often less complicated with prototype systems.
D. It ensures that functions or extras are not added to the intended system.

410.The use of fourth generation languages (4GLs) should be weighed
carefully against using traditional languages because 4GLs:

A. can lack lower level detail commands necessary to perform data intensive
operations.
B. cannot be implemented on both the mainframe processors and
microcomputers.
C. generally contain complex language subsets which must be used by skilled
users.
D. cannot access database records and produce complex online outputs.

411.Which of the following is NOT a feature of structured programming for
defining applications?

A. Programs are written using a bottom-up approach.
B. Programs are easy to develop and maintain.
C. Design modules are independent of each other.
D. Design is accomplished through a series of diagrams, showing relationships.

412.Which of the following computer aided software engineering (CASE) products
is used for developing detailed designs, such as screen and report layouts?

A. Super CASE
B. Upper CASE
C. Middle CASE
D. Lower CASE

413.Which of the following is a characteristic of a decision support system (DSS)?

A. DSS is aimed at solving highly structured problems.
B. DSS combines the use of models with non-traditional data access and retrieval
functions.
C. DSS emphasizes flexibility in the decision making approach of users.
D. DSS supports only structured decision-making tasks.

414.Which of the following statements pertaining to data warehouses is FALSE?

A. A data warehouse is designed specifically for decision support.
B. The quality of the data in a data warehouse must be very high.
C. Data warehouses are made up of existing databases, files and external
information.
D. A data warehouse is used by senior management only because of the
sensitivity of the data.

415.The primary role of an IS auditor in the system design phase of an
application development project is to:

A. advise on specific and detailed control procedures.
B. ensure the design accurately reflects the requirement.
C. ensure all necessary controls are included in the initial design.
D. advise the development manager on adherence to the schedule.

416.Which of the following would be considered to be the MOST serious
disadvantage of prototyping systems development?

A. The prototyping software is expensive.
B. Prototyping demands excessive computer usage.
C. Users may perceive that the development is complete.
D. The users' needs may not have been correctly assessed.

417.An advantage of using sanitized live transactions in test data is that:

A. all transaction types will be included.
B. every error condition is likely to be tested.
C. no special routines are required to assess the results.
D. test transactions are representative of live processing.

418.An IS auditor's primary concern when application developers wish to use a
copy of yesterday's transaction file from the production process to show that
the development can cope accurately with the required volume is that:

A. users may prefer to use contrived data for testing.
B. unauthorized access to sensitive data may result.
C. error handling and credibility checks may not be fully proven.
D. full functionality of the new process is not necessarily tested.

419.Many IT projects experience problems because the development time
and/or resource requirements are underestimated. Which of the following
techniques would improve the estimation of the resources required in system
construction after the development of the requirements specification?

A. PERT chart
B. Recalibration
C. Cost-benefit analysis
D. Function point estimation

420.Which of the following is the MOST important reason for the IS auditor to
be involved in the system development life cycle process?

A. Evaluate the efficiency of resource utilization.
B. Develop audit programs for subsequent audits of the system.
C. Evaluate the selection of hardware to be used by the system.
D. Ensure that adequate controls are built into the system during development.

421.Which of the following is a primary purpose for conducting parallel testing?

A. To determine if the system is more cost-effective.
B. To enable comprehensive unit and system testing.
C. To highlight errors in the program interfaces with files.
D. To ensure the new system meets all user requirements.

422.Unit testing is different from system testing because:

A. unit testing is more comprehensive.
B. programmers are not involved in system testing.
C. system testing relates to interfaces between programs.
D. system testing proves user requirements are adequate.

423.Which of the following audit procedures would an IS auditor normally
perform FIRST when auditing the current documented systems development
life cycle?

A. Determine procedural adequacy.
B. Analyze procedural effectiveness.
C. Evaluate level of compliance with procedures.
D. Compare established standards to observed procedures.

424.An IS auditor who has participated in the development of an application
system might have their independence impaired if they:

A. perform an application development review.
B. recommend control and other system enhancements.
C. perform an independent evaluation of the application after its implementation.
D. are actively involved in the design and implementation of the application
system.

425.Which of the following tools would NOT be used in program debugging
during system development?

A. Compiler
B. Memory dump
C. Output analyzer
D. Logic path monitor

426.Which of the following statements relating to structured query language
(SQL) is TRUE?

A. SQL is harder to use than a programming language.
B. A user must know where the information is located to gain access.
C. A user must know how the information is structured to gain access.
D. SQL serves as an interface between the client, computer, and server.

427.A significant problem in planning and controlling a software
development project is determining:

A. project slack times.
B. a project's critical path.
C. time and resource requirements for individual tasks.
D. precedent relationships which preclude the start of certain activities until
others are complete.

428.Which of the following is NOT a role of a project sponsor who is involved in
a systems development project?

A. Provides funding for the project
B. Responsible for data and application ownership
C. Monitors and controls costs and project timetable
D. Works with the project manager to define success parameters

429.Large scale systems development life cycle (SDLC) efforts:

A. are not affected by the use of prototyping tools.
B. can be carried out independent of other organizational practices.
C. require that business requirements be defined before the project begins.
D. require that project phases and deliverables be defined during the duration of
the project.

430.Which of the following is a reason to involve an IS auditor in systems
design activities?

A. Post-application reviews do not need to be performed.
B. Total budgeted system development costs can be reduced.
C. It is extremely costly to institute controls after a system becomes operational.
D. The extent of user involvement in design activities is significantly reduced.

431.Which of the following would NOT normally be part of a feasibility study?

A. Identifying the cost savings of a new system.
B. Defining the major requirements of the new system.
C. Determining the productivity gains of implementing a new system.
D. Estimating a pay-back schedule for cost incurred in implementing the system.

432.Detailed systems specifications do NOT normally include:

A. overviews of each program in the system.
B. program, operations and user documentation.
C. a systems flowchart showing the system logic, data files and reports of the
system.
D. a systems narrative depicting the systems objectives, the major functions to
be performed and the relationships of the major functions.

433.The purpose of the system development life cycle program and
procedure development phase is to:

A. prepare, test and document all computer programs and manual procedures.
B. document a business or system problem to a level at which management can
select a system solution.
C. prepare a high-level design of a proposed system solution and present reasons
for adopting a solution.
D. expand the general design of an approved system solution so that
programming and procedure writing can begin.

434.The knowledge base of an expert system that uses questionnaires to lead
the user through a series of choices before a conclusion is reached is known as:

A. rules.
B. decision trees.
C. semantic nets.
D. data flow diagrams.

435.Structured programming is BEST described as a technique that:

A. provides knowledge of program functions to other programmers via peer
reviews.
B. reduces the maintenance time of programs by the use of small-scale program
modules.
C. makes the readable coding reflect as closely as possible the dynamic
execution of the program.
D. controls the coding and testing of the high-level functions of the program in
the development process.

436.Peer reviews that detect software errors during each program development
cycle resulting in faster implementation, better documentation, easier
maintenance and higher programmer morale are called:

A. emulation techniques.
B. structured walkthroughs.
C. modular program techniques.
D. top-down program construction.

437.An IS auditor who plans on testing the connection of two or more
system components that pass information from one area to another would use:

A. pilot testing.
B. parallel testing.
C. interface testing.
D. regression testing.

438.An advantage in using a bottom-up versus a top-down approach to
software testing is that:

A. interface errors are detected earlier.
B. confidence in the system is achieved earlier.
C. errors in critical modules are detected earlier.
D. major functions and processing are tested earlier.

439.During which phase of a system development process would an IS auditor
first consider application controls?

A. Construction
B. System design
C. Acceptance testing
D. Functional specification

440.Which of the following quality mechanisms is MOST likely to occur when a
system development project is in the middle of the construction stage?

A. Unit tests
B. Stress tests
C. Regression testing
D. Acceptance testing

441.An IS auditor reviewing a system development project would be MOST
concerned whether:

A. business objectives are achieved.
B. security and control procedures are adequate.
C. the system utilized the strategic technical infrastructure.
D. development will comply with the approved quality management processes.

442.A large number of system failures are occurring when corrections to
previously detected faults are resubmitted for acceptance testing. This would
indicate that the development team is probably not adequately performing
which of the following types of testing?

A. Unit testing
B. Integration testing
C. Design walkthroughs
D. Configuration management

443.An organization is developing a new business system. Which of the
following will provide the MOST assurance that the system provides the
required functionality?

A. Unit testing
B. Regression testing
C. Acceptance testing
D. Integration testing

444.Which of the following techniques would provide the BEST assurance that
the estimate of program development effort is reliable?

A. Function point analysis
B. Estimates by business area
C. Computer based project schedule
D. Estimate by experienced programmer

445.An IS auditor reviewing an organization's test strategy discovers that it
is proposed that the test database be refreshed weekly from a section of
the production database. Which of the following would MOST likely be affected
by this approach?

A. Completeness of testing
B. Test processing efficiency
C. Documentation of test results
D. Integrity of the production data

446.Which of the following would be a major DISADVANTAGE of using prototyping
as a systems development methodology?

A. User expectations of project timescales may be over-optimistic.
B. Effective change control and management is impossible to implement.
C. User participation in day-to-day project management may be too extensive.
D. Users are not usually sufficiently knowledgeable to assist in system
development.

447.An IS auditor involved as a team member in the detailed system design
phase of a system under development would be MOST concerned with:

A. internal control procedures.
B. user acceptance test schedules.
C. adequacy of the user training program.
D. clerical processes for resubmission of rejected items.

448.The PRIMARY reason for separating the test and development environments
would be to:

A. restrict access to systems under test.
B. segregate user and development staff.
C. control the stability of the test environment.
D. secure access to systems under development.

449.The use of coding standards is encouraged by IS auditors because they:

A. define access control tables.
B. detail program documentation.
C. standardize dataflow diagram methodology.
D. ensure compliance with field naming conventions.

450.During which of the following phases in systems development would
user acceptance test plans normally be prepared?

A. Feasibility study
B. Requirements definition
C. Implementation planning
D. Post-implementation review

451.In the development of an important application affecting the entire
organization, which of the following would be the MOST appropriate project
sponsor?

A. The information systems manager
B. A member of executive management
C. An independent management consultant
D. The manager of the key user department

452.Which of the following is LEAST likely to be included in the feasibility study?

A. Statutory requirements
B. Operating system implications
C. Control and audit specifications
D. Hardware capacity considerations

453.Which of the following development methods uses a prototype that
can continually be updated to meet changing user or business requirements?

A. Data oriented development (DOD)
B. Object oriented development (OOD)
C. Business process reengineering (BPR)
D. Rapid application development (RAD)

454.Which of the following should be included in a feasibility study for a project to
install electronic data interchange (EDI)?

A. The encryption algorithm format
B. The detailed internal control procedures
C. The necessary communication protocols
D. The proposed trusted third-party agreement

455.When reviewing the quality of an IS department's development process, the
IS auditor finds that they do not use any formal, documented methodology
and standards. The IS auditor's MOST appropriate action would be to:

A. complete the audit and report the finding.
B. investigate and recommend appropriate formal standards.
C. document the informal standards and test for compliance.
D. withdraw and recommend a further audit when standards are implemented.

456.Which of the following testing methods is MOST effective during the
initial phases of prototyping?

A. System testing
B. Parallel testing
C. Volume testing
D. Top-down testing

457.IS management has decided to rewrite a legacy customer relations system
using fourth generation languages (4GLs). Which of the following risks is MOST
often associated with system development using 4GLs?

A. Inadequate screen/report design facilities
B. Complex programming language subsets
C. Lack of portability across operating systems
D. Inability to perform data intensive operations

458.Which of the following audit procedures would MOST likely be used in an
audit of a systems development project?

A. Develop test transactions
B. Use code comparison utilities
C. Develop audit software programs
D. Review functional requirements documentation

459.When a new system is to be implemented within a short timeframe, it is
MOST important to:

A. finish writing user manuals.
B. perform user acceptance testing.
C. add last-minute enhancements to functionalities.
D. ensure that code has been documented and reviewed.

460.The PERT diagram below should be used to answer the following question.
The arrows and letters A through H in the diagram represent:

A. events.
B. activities.
C. successor points.
D. predecessor points.

461.The PERT diagram below should be used to answer the following question.
Which of the following project completion paths represents the critical path?

A. AEH
B. AFGH
C. CGH
D. BDGH

462.The PERT diagram below should be used to answer the following question.
Which of the following activities must be completed on time to ensure that
the project is not delayed?

A. Activity B
B. Activity C
C. Activity E
D. Activity F

463.Which of the following should NOT be criteria related to the decision
to acquire system software?

A. Hard and soft costs
B. Integration with the existing environment
C. Similarity of the acquired system software to that currently in use
D. Appropriateness of the proposed software to the desired computer
environment

464.Which of the following is NOT considered an advantage of packaged
software?

A. Reduced development cost
B. Reduced risk of logic error
C. Increased processing efficiencies
D. Increased flexibility due to optional features

465.Which of the following would NOT be a reason for IS Audit involvement
in information systems contractual negotiations?

A. Often hardware does not interface in an acceptable manner.
B. Many information systems projects incur additional costs over the contract
cost.
C. Vendors may go out of business and discontinue service support on their
products.
D. Only the IS auditor can determine whether the controls in the system are
adequate.

466.If the decision has been made to acquire software rather than develop
it internally, this decision is normally made during the:

A. requirements definition phase of the project.
B. feasibility study phase of the project.
C. detailed design phase of the project.
D. programming phase of the project.

467.Which of the following is NOT an advantage of concurrent software
licensing?

A. The license is based on the number of users that can access the software at
one time.
B. Network administrators can identify the need to purchase software based on
need and use.
C. It is a method that can be used to prevent illegal duplication of software.
D. Users must wait for access, if all concurrent access sessions are in use.

468.Which of the following BEST describes the necessary documentation of
an enterprise product reengineering (EPR) software installation?

A. Specific developments only
B. Business requirements only
C. All phases of the installation must be documented
D. No need to develop a customer specific documentation

469.When auditing the requirements phase of a software acquisition, an IS
auditor would:

A. assess the adequacy of audit trails.
B. identify and determine the criticality of the need.
C. verify cost justifications and anticipated benefits.
D. ensure that control specifications have been defined.

470.A company has contracted an external consulting firm to implement a
commercial financial system to replace its existing in-house developed system.
In reviewing the proposed development approach, which of the following would
be of GREATEST concern?

A. Acceptance testing is to be managed by users.
B. A quality plan is not part of the contracted deliverables.
C. Not all business functions will be available on initial implementation.
D. Prototyping is being used to confirm that the system meets business
requirements.

471.Which of the following should be in place to protect the purchaser of
an application package in the event that the vendor ceases to trade?

A. Source code held in escrow.
B. Object code held by a trusted third party.
C. Contractual obligation for software maintenance.
D. Adequate training for internal programming staff.

472.Change management procedures are established by IS management to:

A. control the movement of applications from the test environment to the
production environment.
B. control the interruption of business operations from lack of attention to
unresolved problems.
C. ensure the uninterrupted operation of the business in the event of a disaster.
D. verify that system changes are properly documented.

473.Which of the following system software elements enables complex
system maintenance?

A. System exits
B. Special system logon-IDs
C. Network change controls
D. Bypass label processing

474.Which of the following program change controls is NOT the responsibility of
the user department?

A. Updating documentation to reflect all changes
B. Initiating requests within its scope of authority
C. Approving changes before implementation, based on the results of testing
D. Approving changes before implementation, based on review of changes to
manual procedures

475.Which of the following is MOST effective in controlling
application maintenance?

A. Informing users of the status of changes
B. Establishing priorities on program changes
C. Obtaining user approval of program changes
D. Requiring documented user specifications for changes

476.Which of the following should be tested if an application program is
modified in an authorized maintenance procedure?

A. The integrity of the database
B. The segment of the program which has been amended
C. The access controls for the applications programmer
D. The complete program, including any interface systems

477.A post-implementation review of a new or extensively modified system is
usually performed by:

A. end-users and IS auditor.
B. IS auditor and project development team.
C. project steering committee and project development team.
D. project development team and end-users.

478.In regard to moving an application program from the test environment to
the production environment, the BEST control would be provided by having the:

A. application programmer copy the source program and compiled object module
to the production libraries.
B. application programmer copy the source program to the production libraries
and then have the production control group compile the program.
C. production control group copy the source program and compile the object
module to the production libraries.
D. production control group copy the source program to the production libraries
and then compile the program.

479.Utilizing audit software to provide code comparisons of production programs
is an audit technique used to test program:

A. logic.
B. changes.
C. efficiency.
D. computations.

480.Which of the following BEST describes the process used to solve a year or
date problem in a current operating system?

A. Development of a requirements definition document and performance of a
feasibility study for all critical business functions
B. Definition of detailed design specifications for applications based on the
general design and user specifications
C. Testing, verification, and validation of converted or replaced platforms,
applications, databases, and utilities
D. Authoring of user procedure manuals and training developed during the time
that coding begins

481.Which of the following would NOT represent a strong test approach for
an organization attempting to solve a year or date problem in a current
operating system?

A. A phased approach for testing and validation that includes unit, integration,
systems, and acceptance testing.
B. Use of a program logic analyzer to assess and identify key data paths of
critical applications in prioritizing conversion and testing efforts.
C. A robust test facility separate from the production environment to avoid
contamination or interference with the operation of the production systems.
D. Use of integrated power tools that support testing of critical application
prototypes and establishment of a central repository for requirements coming
out of this process.

482.An advantage to setting a stop or freezing point on the design of a new
project is to:

A. prevent further changes to a project in process.
B. indicate the point when the design is to be completed.
C. require changes after that point be reviewed and evaluated for cost-
effectiveness.
D. provide the project management team with more control over the project
design.

483.All of the following system maintenance controls are the responsibility of
the user department EXCEPT:

A. initiating requests within its scope of authority.
B. updating systems documentation to reflect all changes.
C. approving changes before implementation, based on the results of testing.
D. approving changes before implementation, based on review of changes to
manual procedures.

484.If an application program is modified and proper system maintenance
procedures are in place, which of the following should be tested?

A. The integrity of the database.
B. The access controls for the applications programmer.
C. The complete program, including any interface systems.
D. The segment of the program containing the revised code.

485.An IS auditor performing an application maintenance audit would review
a manually prepared log of program changes to determine the:

A. number of authorized program changes.
B. creation date of a current object module.
C. number of program changes actually made.
D. creation date of a current source program.

486.Ideally, stress testing should only be carried out in a:

A. test environment using test data.
B. production environment using live workloads.
C. test environment using live workloads.
D. production environment using test data.

487.When auditing the proposed acquisition of a new computer system, the IS
auditor should FIRST establish that:

A. a clear business case has been approved by management.
B. corporate security standards will be met.
C. users will be involved in the implementation plan.
D. the new system will meet all required user functionality.

488. Which of the following is an object-oriented technology characteristic
that permits an enhanced degree of security over data?

A. Inheritance
B. Dynamic warehousing
C. Encapsulation
D. Polymorphism

489. The objective of software test designs is to provide the highest likelihood
of finding most errors with a minimum of time and effort. Which of the
following methods is LEAST likely to meet the design objective?

A. Black box tests which are used to determine that software functions are
operational.
B. White box testing predicated on a close examination of procedural detail of all
software logical paths.
C. Regression testing in conducting previous tests to ensure that new errors have
not been introduced.
D. Software test design that provides for unit, integration, systems, and
acceptance testing.

490. All of the following are used as cost estimating techniques during the
project planning stage EXCEPT:

A. PERT charts.
B. function points.
C. Delphi technique.
D. expert judgment.

491. Which of the following is a dynamic analysis tool for the purpose of testing
of software modules?

A. Black box test
B. Desk checking
C. Structured walk-through
D. Design and code

492. The primary purpose of a system test is to:

A. test the generation of the designed control totals.
B. determine that the documentation of the system is accurate.
C. evaluate the system functionally.
D. ensure that the system operators get familiar with the new system.

493. When implementing an application software package, which of the
following presents the GREATEST risk?

A. Multiple software versions are not controlled
B. Source programs are not synchronized with object code
C. Parameters are not set correctly
D. Programming errors

494. For the design and programming of an information system, which is the
typical sequence in which participation of these individuals should occur?

A. Technical analyst, functional analyst, programmer
B. Technical analyst, programmer, computer operator
C. Functional analyst, technical analyst, programmer
D. Technical analyst, technical support, programmer

495. In the design of an application system, the IS auditor:

A. should participate to ensure appropriate controls are included in the system.
B. should not get involved because it would affect his/her objectivity.
C. should be able to code some of the control routines that should be included in
the programs.
D. defines all the controls that need to be included in the system.

496. Which of the following controls would be MOST effective in ensuring
that production source code and object code are synchronized?

A. Release-to-release source and object comparison reports
B. Library control software restricting changes to source code
C. Restricted access to source code and object code
D. Date and time-stamp reviews of source and object code

497. Following the development of an application system, it is determined
that several design objectives have not been achieved. This is MOST likely to
have been caused by:

A. insufficient user involvement.
B. early dismissal of the project manager.
C. inadequate quality assurance (QA) tools.
D. non-compliance with defined approval points.

498. During a post-implementation review of an enterprise resource management
system an IS auditor would MOST likely:

A. review access control configuration.
B. evaluate interface testing.
C. review detailed design documentation.
D. evaluate system testing.

499. An executable module is about to be migrated from the test environment to
the production environment. Which of the following controls would MOST
likely detect an unauthorized modification to the module?

A. Object code comparison
B. Source code comparison
C. Timestamps
D. Manual inspection

500. The use of object-oriented design and development techniques would MOST
likely:

A. facilitate the ability to reuse modules.
B. improve system performance.
C. enhance control effectiveness.
D. speed up the system development life cycle.

1. Which of the following BEST describes the purpose or character of an audit
charter?
The correct answer is:
D. An audit charter should outline the overall authority, scope and responsibilities
of the audit function.

Explanation:
An audit charter should clearly state management's objectives for, and delegation
of authority to IS Audit. This charter should not change much over time and
should be approved at the highest level of management. The audit charter is not
so detailed as to include specific audit objectives.

Area: 1
2. Which of the following would NOT be a reason why an IS auditor would prepare
a formal audit program?
The correct answer is:
D. To assess the overall risk of operations within the organization

Explanation:
The IS Auditor must first assess the overall risk of operations within an
organization before an audit program consisting of control objectives and audit
procedures can be developed. Thus D is not a reason for developing an audit
program. Answers A, B, and C are all reasons, or components of a formal audit
program.

Area: 1
3. In a risk-based audit approach, an IS auditor is not only influenced by risk but
also by:
The correct answer is:
D. the existence of internal and operational controls.

Explanation:
The existence of internal and operational controls will have a bearing on the IS
auditor's approach to the audit. In a risk-based approach the IS auditor is not just
relying on risk, but also on internal and operational controls as well as knowledge
of the company and the business. This type of risk assessment decision can help
relate the cost/benefit analysis of the control to the known risk, allowing
practical choices. The nature of audit testing techniques available and
management's representations have little impact on the risk based audit
approach. Although organizational structure and job responsibilities need to be
considered in a risk-based approach, they are not directly considered unless they
impact internal and operational controls.

Area: 1
4. The MAJOR advantage of the risk assessment approach over the baseline
approach to information security management is that it ensures that:
The correct answer is:
C. appropriate levels of protection are applied to information assets.

Explanation:
Full risk assessment determines the level of protection most appropriate given
the level of risk, while the baseline approach merely applies a standard set of
protection regardless of risk. There is a cost advantage in not over protecting
information. However, an even bigger advantage is making sure that no
information assets are over or under protected. The risk assessment approach will
ensure that an appropriate level of protection is applied commensurate with the
level of risk and asset value and therefore considers asset value. The baseline
approach allows more resources to be directed towards the assets at greater risk
rather than equally directing resources to all assets.

Area: 1
5. Which of the following procedures would an IS auditor NOT perform during
pre-audit planning to gain an understanding of the overall environment under
review?
The correct answer is:
C. Perform compliance tests to determine if regulatory requirements are met

Explanation:
Answers A, B and D are all pre-audit planning steps. Compliance tests would not
be performed until after all pre-audit planning is completed.

Area: 1
6. The use of risk assessment techniques will NOT help to determine the:
The correct answer is:
C. likely audit findings, conclusions and recommendations.

Explanation:
The IS Auditor should use risk assessment techniques in developing the overall
audit plan and in planning specific audits. Risk assessment facilitates planning
decisions such as: the nature, extent and timing of audit procedures, the areas or
business functions to be audited and the amount of time and resources to be
allocated to an audit. Risk assessment techniques will assist in identifying
significant exposures and the corresponding risks, but will not in itself lead to a
prediction of likely audit findings, conclusions and recommendations.

Area: 1
7. The primary purpose and existence of an audit charter is to:
The correct answer is:
D. describe the authority and responsibilities of the audit department.

Explanation:
The audit charter typically sets out the role and responsibility of the internal audit
department. It should clearly state management's objectives for and delegation
of authority to the audit department. It is rarely changed and does not contain
the audit plan or audit process which is usually part of annual audit planning, nor
does it describe a code of professional conduct since such conduct is set by
the profession and not by management.

Area: 1
8. Which of the following forms of evidence would be considered to be the MOST
reliable when assisting an IS Auditor develop audit conclusions?
The correct answer is:
A. A confirmation letter received from a third party for the verification of an
account balance

Explanation:
Evidence obtained from independent, third parties is almost always considered to
be the most reliable. Answers B, C and D would not be considered as reliable.

Area: 1
9. Which of the following forms of evidence would be considered to be the MOST
reliable?
The correct answer is:
D. A confirmation letter received from an outside source

Explanation:
Evidence obtained from outside sources is usually more reliable than that
obtained from within the organization. Confirmation letters received from outside
parties, such as to verify accounts receivable balances, are usually highly reliable.
Testing performed by an auditor may not be reliable if the auditor did not have a
good understanding of the technical area under review. That is, the testing is
only reliable if the auditor fully understood the test performed.

Area: 1
10. Which of the following is the MOST likely reason why e-mail systems have
become a useful source of evidence for litigation?
The correct answer is:
A. Poor housekeeping leads to excessive cycles of backup files remaining
available.

Explanation:
Poor housekeeping leads to excessive cycles of backup files remaining available
and is by far the most frequent problem as copies of documents which have
supposedly been deleted are recovered from previous copies of the backup files.
Access controls may help with establishing accountability for the issuance of a
particular document but this is not the main reason. Data classification standards
may be in place with regards to what should be communicated via e-mail, but this
is only the creation of the policy and not the creation of the information required
for litigation purposes.

Area: 1
11. Which of the following computer-based tools would assist an IS auditor when
performing a statistical sampling of financial transactions maintained in a
financial management information system?
The correct answer is:
C. Generalized audit software

Explanation:
All generalized audit software has facilities for statistical analysis. Spreadsheets
don't lend themselves to the extraction and analysis of transaction data. Parallel
simulation is a process of replicating computer-based processes. Regression
testing is a technique to retest changes after amendments are made during
system testing.

Area: 1
12. Which of the following would NOT be a use of generalized audit software
programs?
The correct answer is:
B. Performing intricate calculations

Explanation:
Generalized audit software is used to verify the integrity of data carried on
computer files. It is used to perform routine or general audit tasks such as
verifying calculations and totals, selecting data and producing reports and files.
Answer B is correct since specialized audit software would be used to perform
intricate calculations.

Area: 1
13. Which of the following BEST describes an integrated test facility?
The correct answer is:
A. A technique that enables the IS auditor to enter test data into a live computer
run for the purpose of verifying correct processing

Explanation:
Answer A best describes an integrated test facility, which is a specialized
computer-assisted audit process that allows an IS Auditor to test an application
on a continuous basis. Answer B is an example of a systems control audit review
file; Answers C and D are examples of snapshots.

Area: 1
14. Which of the following statements regarding test data techniques is TRUE?
The correct answer is:
A. It tests only preconceived situations.

Explanation:
Test data are prepared based on the IS Auditor's understanding of how a system
functions. This understanding may be based on out-dated documentation, or
end-user perception, both of which are subject to preconceived situations and errors.

Area: 1
15. Which of the following statements regarding sampling is TRUE?
The correct answer is:
B. If an auditor knows internal controls are strong, the confidence coefficient may
be lowered.

Explanation:
Statistical sampling quantifies how closely the sample should represent the
population, usually as a percentage. If the auditor knows internal controls are
strong, the confidence coefficient may be lowered. Sampling is generally
applicable when the population relates to a tangible or documented control.
Answer C is an example of variable sampling that is used to estimate a unit of
measure. Answer D is a definition of attribute sampling.

Area: 1
16. Which of the following is NOT an advantage of using CAATs?
The correct answer is:
C. Saves time for source data input

Explanation:
Answers A, B and D are all advantages of using CAATs. Answer C, source data
input, is not related to auditing or the use of CAATs.

Area: 1
17. An important distinction an IS auditor should make when evaluating and
classifying controls as preventive, detective or corrective is:
The correct answer is:
A. the point when controls are exercised as data flows through the system.

Explanation:
An IS Auditor should focus on when controls are exercised as data flows through a
computer system. Answer B is incorrect since corrective controls may also be
relevant. Answer C is incorrect since corrective controls remove or reduce the
effects of errors or irregularities and are exclusively regarded as compensating
controls. Answer D is incorrect and irrelevant since the existence and function of
controls is important, not the classification.

Area: 1
18. Which of the following statements regarding an IS auditor's use of a
continuous audit approach is TRUE?
The correct answer is:
C. The use of continuous auditing techniques can actually improve system
security when used in time-sharing environments that process a large amount of
transactions.

Explanation:
The use of continuous auditing techniques can actually improve system security
when used in time-sharing environments that process a large amount of
transactions, but leave a scarce paper trail. Answer A is incorrect since the
continuous audit approach often does require an IS Auditor to collect evidence on
system reliability while processing is taking place. Answer B is incorrect since an
IS Auditor would normally only review and follow up on material deficiencies or
errors detected. Answer D is incorrect since the use of continuous audit
techniques does depend on the complexity of an organization's computer
systems.

Area: 1
19. An IS auditor's substantive test reveals evidence of fraud perpetrated from
within a manager's account. The manager had written his password, allocated by
the system administrator, inside his drawer, which was normally kept locked. The
IS auditor concludes that the:
The correct answer is:
B. perpetrator cannot be established beyond doubt.

Explanation:
The password control weaknesses mean that any of the other three options
could be true. Password security would normally identify the perpetrator. In this
case, it does not establish guilt beyond doubt.

Area: 1
20. Which of the following statements pertaining to the determination of sample
size is TRUE?
The correct answer is:
B. The larger the standard deviation, the larger the sample size

Explanation:
The larger the standard deviation in a population the larger the required sample
size. Standard deviation measures the relationship to the normal distribution. A
direct relationship also exists for the confidence level and expected error rate as
they pertain to sample size. The greater the confidence level or expected error
rate, the greater the sample size. Conversely, an inverse relationship exists
between precision and sample size. The smaller the precision amount, the larger
the required sample size.

Area: 1
21. Which of the following would NOT normally be performed using CAATs?
The correct answer is:
C. Reconciling account posting

Explanation:
Computer-assisted audit techniques are usually used by auditors to automate the
testing and verification of data elements within a computer report or file. CAATs
can verify footed amounts, re-extend totals, compare data among files, and
select samples. However, manual procedures are usually used to test file
completeness and test whether totals were correctly posted to the general ledger.

Area: 1
22. To gain a full understanding of a LAN environment, an IS auditor should
document all of the following functions EXCEPT:
The correct answer is:
B. technical support/help desk functions.

Explanation:
Technical support/help desk functions are a data center production support
function that does not support LAN functions. This activity provides technical
oversight and support for data center production systems and to identify and
assist in system problem resolution. A, C and D are all relevant and necessary to
an IS Auditor's understanding of a LAN environment.

Area: 1
23. During a review of a customer master file an IS auditor discovered numerous
customer name duplications arising from variations in customer first names. In
order to determine the extent of the duplication the IS auditor would use:
The correct answer is:
C. generalized audit software to search for address field duplications.

Explanation:
Since the name is not the same (due to name variations), one method to detect
duplications would be to compare other common fields, such as addresses.
Subsequent review to determine common customer names at these addresses
could then be conducted. Searching for duplicate account numbers would not
likely find duplications since customers would most likely have different account
numbers for each variation. Test data would not be useful to detect the extent of
any data characteristic, but simply to determine how the data were processed.

Area: 1
24. A manufacturing company has implemented a new client/server enterprise
resource planning (ERP) system. Local branches transmit customer
orders to a central manufacturing facility. Which of the following controls would
BEST ensure that the orders are accurately entered and the corresponding
products produced?
The correct answer is:
A. Verifying production to customer orders

Explanation:
Verification will ensure that production orders match customer orders. Logging
can be used to detect inaccuracies, but does not in itself guarantee accurate
processing. Hash totals will ensure accurate order transmission, but not accurate
processing centrally. Production supervisory approval is a time consuming manual
process that does not guarantee proper control.

Area: 1
25. Which of the following would an IS auditor consider to be the BEST population
to take a sample from when testing program changes?
The correct answer is:
D. Production library listings

Explanation:
The best source from which to draw any sample or test of system information is
the automated system. The production libraries represent executables that are
approved and authorized to manipulate organizational data. Source program
listings would be too time intensive to use for this type of test. Program change
requests are the documents used to initiate change. There is no guarantee that
the request has been completed for all changes. Test library listings do not
represent the approved and authorized executables.

Area: 1
26. Which of the following tests is an IS auditor performing when a sample of
programs is selected to determine if the source and object versions are the
same?
The correct answer is:
B. A compliance test of program library controls

Explanation:
A compliance test determines if controls are operating as designed and are being
applied in a manner that complies with management policies and procedures. For
example, if the IS Auditor is concerned whether program library controls are
working properly, the IS Auditor might select a sample of programs to determine
if the source and object versions are the same. In other words, the broad
objective of any compliance test is to provide auditors with reasonable assurance
that a particular control on which the auditor plans to rely is operating as
the auditor perceived it in the preliminary evaluation.

It is important that the IS Auditor understand the specific objective of a
compliance test and the control being tested. Most of the time compliance tests
will be used when there is a trail of documentary evidence, such as written
authorization to implement a modified program. A substantive test substantiates
the integrity of actual processing. It provides evidence of the validity and
propriety of the balances in the financial statements and the transactions that
support these balances. Auditors would use substantive tests to test for monetary
errors directly affecting financial statement balances.

Area: 1
27. An integrated test facility is considered a useful audit tool because it:
The correct answer is:
C. compares processing output with independently calculated data.

Explanation:
An integrated test facility is considered a useful audit tool because it uses the
same programs to compare processing output with independently calculated
data. This involves setting up dummy entities on an application system and
processing test or production data against the entity as a means of verifying
processing accuracy.

Area: 1
28. The primary reason for enabling software audit trails is to:
The correct answer is:
B. establish accountability and responsibility for processed transactions.

Explanation:
Enabling audit trails helps in establishing the accountability and responsibility of
processed transactions by tracing transactions through the system. The objective
of enabling software to provide audit trails is not to improve system efficiency,
since it often involves additional processing which may in fact reduce response
time for users. Enabling audit trails does involve storage and thus occupies disk
space. Choice D is also a valid reason; however it is not the primary reason.

Area: 1
29. When performing a procedure to identify the value of inventory that has been
kept for more than eight weeks, an IS auditor would MOST likely use:
The correct answer is:
D. generalized audit software.

Explanation:
Generalized audit software will facilitate reviewing the entire inventory file to look
for those items that meet the selection criteria. Generalized audit software
provides direct access to data and provides for features of computation,
stratification, etc. Test data are used to verify programs, but will not confirm
anything about the transactions in question. The use of statistical sampling
methods is not intended to select specific conditions, but to select on a
random basis through the file. In this case the IS Auditor would want to check all
of the items that meet the criteria and not just a sample of them. An integrated
test facility allows the IS Auditor to test transactions through the
production system.

Area: 1
30. Data flow diagrams are used by IS auditors to:
The correct answer is:
C. graphically summarize data paths and storage.

Explanation:
Data flow diagrams are used as graphical aids to data flow and storage. They
trace the data from its origination to destination, highlighting the paths and
storage of data. They do not order data in any hierarchy. The flow of the data will
not necessarily match any hierarchy or data generation order.

Area: 1
31. A distinction that can be made between compliance testing and substantive
testing is:
The correct answer is:
B. compliance testing tests controls, while substantive testing tests details.

Explanation:
Compliance testing involves determining whether controls exist as envisaged
whereas substantive testing relates to detailed testing of
transactions/procedures. Compliance testing does not involve testing of plans.
Regulatory requirements are not by themselves tested directly in compliance
testing, but controls in place to ensure regulatory compliance are checked.

Area: 1
32. An IS auditor is expected to use due professional care when performing
audits, which requires that the individual exercise skill or judgment:
The correct answer is:
A. commonly possessed by practitioners of that specialty.

Explanation:
Due professional care requires an individual to exercise that skill to a level
commonly possessed by practitioners of that specialty. Due professional care
does not imply that the professional is infallible. Situations may arise where an
incorrect conclusion may be drawn from a diligent review of the available facts
and circumstances; and therefore, the subsequent incorrect conclusion. Due
professional care does not require ultimate expertise or programming capabilities,
but does extend to every aspect of the audit, including the evaluation of audit
risk, the formulation of audit objectives, the establishment of the audit scope,
the selection of audit tests and the evaluation of test results.

Area: 1
33. An internal audit department that organizationally reports exclusively to the
chief financial officer (CFO) rather than to an audit committee is MOST likely to:
The correct answer is:
A. have its audit independence questioned.

Explanation:
According to a recent ISACA benchmarking survey most internal audit
departments report directly to an audit committee. However, many organizations
also choose to have the internal audit department either jointly or solely report to
the chief financial officer (CFO). In this same survey, the IS audit function almost
exclusively reports directly to the director of internal audit. The IS Auditor or the
internal auditor who reports to the head of an operational department would have
the appearance of a compromised independence of the auditor. Generally, an
auditor or IS Auditor should report one level above the reporting level of the
auditee. Reporting to the CFO may not have an impact on the content of audit
findings, which should normally be business-oriented and relevant as an auditor
is expected to understand the business that is being audited. Taking
effective action on an auditor's recommendation should be the responsibility of
senior management and will not be enhanced by the fact that the audit
department reports to the CFO. Follow up of the implementation of audit
recommendations is always conducted by the auditor and/or by the
administration department and will not be enhanced by reporting to the CFO.

Area: 1
34. An IS auditor conducting a review of software usage and licensing discovers
that numerous PCs contain unauthorized software. Which of the following actions
should the IS auditor perform FIRST?
The correct answer is:
C. Report the use of the unauthorized software to auditee management and the
need to prevent recurrence.

Explanation:
The use of unauthorized or illegal software should be prohibited by an
organization. Software piracy results in inherent exposure and can result in
severe fines. The IS Auditor must convince the user and user management of the
risk and the need to eliminate the risk. An IS Auditor should not assume the role
of the enforcing officer and take on any personal involvement in removing or
deleting the unauthorized software.

Area: 1
35. The risk that an IS auditor uses an inadequate test procedure and concludes
that material errors do not exist when, in fact, they do, is an example of:
The correct answer is:
C. detection risk.

Explanation:
This is an example of detection risk.

Area: 1
36. A primary benefit derived from an organization employing control self
assessment (CSA) techniques is that it:
The correct answer is:
A. can identify high-risk areas that might need a detailed review later.

Explanation:
CSA is predicated on the review of high-risk areas that either need immediate
attention, or a more thorough review at a later date. Answer B is incorrect
because CSA requires the involvement of both auditors and line management.
What occurs is that the internal audit function shifts some of the control
monitoring responsibilities to the functional areas. Answer C is incorrect because
CSA is not a replacement for traditional audits. CSA is not intended to replace
audit's responsibilities, but to enhance them. Answer D is incorrect because CSA
does not allow management to relinquish its responsibility for control.

Area: 1
37. An IS auditor's first step when implementing continuous monitoring systems
is to identify:
The correct answer is:
B. high-risk areas within the organization.

Explanation:
The first and most critical step in the process is to identify high-risk areas within
the organization. Business department managers and senior executives are in the
best positions to offer insight as to these areas. Once potential areas of
implementation have been identified, an assessment of potential impact should
be completed to identify applications that provide the highest potential payback
to the organization. At this point tests and reasonable target thresholds should be
determined prior to programming. During systems development the location and
format of the output files generated by the monitoring programs should be
defined.

Area: 1
38. Which of the following is an anti-virus detective control?
The correct answer is:
C. Scan all files on all file server hard disks daily, moving suspect files to a safe
area.

Explanation:
Detective controls are controls that detect that an error, omission or malicious act
has occurred and report the occurrence. Choice B could also be correct.
Scanning diskettes and CDs brought in from outside the company before use may
also be considered an anti-virus detective control as well as a preventive control.
As such, scanning all files on all file server hard disks daily and moving suspect
files to a safe area is an anti-virus detective control. Routing all links to
external systems via a firewall and scanning all diskettes and CDs brought in
from outside the company before use are anti-virus preventive controls. The use
of anti-virus software to update users' anti-virus configuration files every time they
log in is also a preventive check to ensure controls are working.

Area: 1
39. Which of the following represents the MOST significant exposure for an
organization that leases personal computers?
The correct answer is:
B. Frequent reassignment of hardware

Explanation:
The frequent reassignment of hardware may lead to an inability to track and
locate hardware, which could in turn lead to the loss of equipment and the
resulting economic consequences. The other choices, although critical to the
proper accounting for leased equipment, can be controlled by assigning one
person or area to be the responsible party. The accounting for shared peripherals
is not normally a problem since this can be done on a usage or some other
equitable basis. Obsolescence of equipment and the replacement thereof is often
built into the contract with the lessor. Choice D could also be correct. However
under current circumstances the loss of hardware may have less of an impact
than software piracy. Software metering does not prevent people from copying
software from the leased machine onto a private machine.

Area: 1
40. When reviewing a system development project at the project initiation stage,
an IS auditor finds that the project team is not proposing to strictly follow the
organization's quality manual. To meet critical deadlines the project team
proposes to fast track the validation and verification processes, commencing
some elements before the previous deliverable is signed-off. Under these
circumstances the IS auditor would MOST likely:
The correct answer is:
D. report the risks associated with fast tracking to the project steering committee

Explanation:
It is important that quality processes are appropriate to individual projects.
Attempts to apply inappropriate processes will often find their abandonment
under pressure. A fast-tracking process is an acceptable option under certain
circumstances. However, it is important that the project steering committee is
informed of the risks associated with this (i.e. possibility of rework if changes
are required).

Area: 1
41. During a review of the controls over the process of defining IT service levels,
an IS auditor would MOST likely interview the:
The correct answer is:
C. business unit manager.

Explanation:
Understanding the business requirements is key in defining the service levels.
While each of the other entities listed may provide some definition, the best
choice here is the business unit manager, because of the broad knowledge that
this person has over the related requirements of the organization.

Area: 1
42. Which of the following sampling methods is MOST useful when testing for
compliance?
The correct answer is:
A. Attribute sampling

Explanation:
Attribute sampling is the primary sampling method used for compliance testing.
Attribute sampling is a sampling model that is used to estimate the rate of
occurrence of a specific quality (attribute) in a population and is used in
compliance testing to confirm whether this quality exists or not. The other
choices are used in substantive testing, which involves testing of details or
quantity.
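
The following is an added worked example, not part of the original question bank, showing how an attribute sample is actually evaluated. It derives the one-sided upper bound on the population deviation rate from the binomial distribution (the standard attribute-sampling evaluation) and uses it to decide whether a control can be relied upon. The scenario (60 change tickets sampled, a 5% tolerable deviation rate, 95% confidence) is a constructed illustration; the functions and their names are assumptions of this example.

```python
import math
from typing import Tuple


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p), computed exactly with math.comb."""
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_rate(n: int, deviations: int, confidence: float = 0.95) -> float:
    """One-sided upper confidence bound on the population deviation rate.

    Returns the smallest rate p at which observing `deviations` or fewer
    exceptions in a sample of n is no more likely than (1 - confidence).
    Solved by bisection on the binomial CDF, which is monotone in p.
    """
    if deviations >= n:
        return 1.0
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):  # 2**-60 resolution, far below what an auditor needs
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > alpha:
            lo = mid  # exceptions still too likely: true rate could be higher
        else:
            hi = mid
    return hi


def min_sample_size(tolerable_rate: float, confidence: float = 0.95,
                    expected_deviations: int = 0) -> int:
    """Smallest sample whose upper bound stays within the tolerable rate,
    assuming exactly `expected_deviations` exceptions are found."""
    n = expected_deviations + 1
    while upper_deviation_rate(n, expected_deviations, confidence) > tolerable_rate:
        n += 1
    return n


def evaluate_compliance_sample(n: int, deviations: int, tolerable_rate: float,
                               confidence: float = 0.95) -> Tuple[float, bool]:
    """Return (upper bound, can the control be relied upon?)."""
    bound = upper_deviation_rate(n, deviations, confidence)
    return bound, bound <= tolerable_rate


if __name__ == "__main__":
    # Constructed scenario: 60 change tickets sampled, tolerable rate 5%.
    print("sample size needed for 0 expected deviations:", min_sample_size(0.05))
    for found in (0, 1):
        bound, ok = evaluate_compliance_sample(60, found, 0.05)
        print(f"{found} deviation(s) in 60 -> upper bound {bound:.1%}, rely: {ok}")
```

With no exceptions in 60 tickets the 95% upper bound is about 4.9%, inside the 5% tolerable rate, so the control can be relied upon and substantive testing can be reduced; a single exception pushes the bound to about 7.7% and the control fails the test even though the sample rate (1.7%) looks low. That gap is why the bound, not the raw sample rate, is what an attribute sample is evaluated against.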

Area: 1
43. While performing an audit, an IS auditor used an application software
mapping technique and discovered an error in system processing. In preparing
the audit report the IS auditor should include:
The correct answer is:
D. an overview of the application software mapping technique used.

Explanation:
The description of the computer-assisted audit technique used should be included
in the report where the specific finding discovered is discussed. The other choices
are all documentation required for the audit workpapers, but are not normally
included in the audit report.

Area: 1
44. Which of the following is a detective control?
The correct answer is:
D. Audit trails

Explanation:
Audit trails capture information which can be used for detecting errors.
Therefore, they are considered to be detective controls. Physical access controls
and segregation of duties are examples of preventive controls, whereas back-up
procedures are corrective controls.

Area: 1
45. An IS auditor is assigned to perform a post-implementation review of an
application system. Which of the following situations may have impaired the
independence of the IS auditor? The IS auditor:
The correct answer is:
A. implemented a specific control during the development of the application
system.

Explanation:
Independence may be impaired if the IS auditor is, or has been, actively involved
in the development, acquisition and implementation of the application system.
Choices B and C are situations that do not impair the IS auditor's independence.
Choice D is incorrect because the IS auditor's independence is not impaired by
providing advice on known best practices.

Area: 1
46. Detection risk refers to a:
The correct answer is:
A. conclusion that material errors do not exist, due to an inadequate test
procedure.

Explanation:
Detection risk refers to the risk that an IS auditor may use an inadequate test
procedure and conclude that no material error exists when in fact errors do exist.

Area: 1
47. Information requirement definitions, feasibility studies, and user requirements
are significant considerations when:
The correct answer is:
B. identifying IT solutions.

Explanation:
Each of the items listed is a research step in identifying potential processes to
supply information. Feasibility studies are not typically used to define service
levels, manage changes to current systems or assess IT controls. The
combination should point directly to satisfying a problem.

Area: 1
48. Which of the following steps would an IS auditor normally perform FIRST in a
security review?
The correct answer is:
B. Determine the risks/threats to the data center site

Explanation:
During planning, the IS auditor should get an overview of the functions being
audited and evaluate the audit and business risks. Choices A and D are part of
the audit fieldwork process that occurs subsequent to this planning and
preparation. Choice C is not part of a security review.

Area: 1
49. Which of the following is the LEAST reliable audit evidence?
The correct answer is:
C. Oral representations

Explanation:
Evidence has to be relevant, reliable, sufficient and useful. However, some
evidence is more reliable than other evidence. In this case, oral representations would be
the least reliable evidence unless they are documented and can be substantiated.
The reliability of this type of evidence often depends on the independence of the provider of the
evidence, his/her expertise and his/her objectivity. The other evidence choices
listed are documentary in nature and therefore considered more reliable.

Area: 1
50. Which of the following types of information would an IS auditor find LEAST
valuable when gaining an understanding of the IT process?
The correct answer is:
C. Prior audit reports

Explanation:
Prior audit reports would be of least value because they provide historical
information about the areas of the control weaknesses. Each of the other choices
represents current activity and provides information for understanding the process.

Area: 1
51. When an IS auditor obtains a listing of current users with access to the
selected WAN/LAN and verifies that those listed are active associates, the IS
auditor is performing a:
The correct answer is:
A. compliance test.

Explanation:
Compliance tests determine if controls are being applied in accordance with
management policies and procedures. In this case, verifying that only active
associates are present provides reasonable assurance that a control is in place
and can be relied upon. Choice B, substantive tests, relates to quantitative
reviews, such as balances and transactions and their accuracy. Choice C does not
apply, since all current user records were verified, while choice D is part of a risk-
based audit approach.
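
The following is an added example (not from the original question bank) of the compliance test described above, carried out as a script: the network user listing is reconciled against the HR roster, and each account that is enabled but belongs to no active associate is reported as an exception. The account and roster data, the 90-day dormancy threshold and the `as_of` date are constructed for illustration; the function and class names are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NetworkAccount:
    username: str
    enabled: bool
    last_logon: Optional[date]  # None when the account has never logged on


@dataclass(frozen=True)
class HrRecord:
    username: str
    status: str  # "active", "leave" or "terminated"


def review_user_listing(accounts: List[NetworkAccount], roster: List[HrRecord],
                        as_of: date, max_idle_days: int = 90) -> List[Tuple[str, str]]:
    """Reconcile a WAN/LAN user listing with HR's roster of associates.

    Returns (username, reason) pairs for every enabled account that is not
    backed by an active associate or has gone dormant; an empty list means
    the control (timely removal of access) can be relied upon.
    """
    by_name: Dict[str, HrRecord] = {r.username: r for r in roster}
    exceptions: List[Tuple[str, str]] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts carry no access; not an exception
        rec = by_name.get(acct.username)
        if rec is None:
            exceptions.append((acct.username, "orphan: no matching HR record"))
        elif rec.status == "terminated":
            exceptions.append((acct.username, "enabled account for terminated associate"))
        elif acct.last_logon is None:
            exceptions.append((acct.username, "never used: provisioning without need"))
        elif (as_of - acct.last_logon).days > max_idle_days:
            exceptions.append((acct.username, f"dormant for more than {max_idle_days} days"))
    return exceptions


def deviation_rate(accounts: List[NetworkAccount], exceptions: List[Tuple[str, str]]) -> float:
    """Share of the listing that failed the test (feeds the attribute-sampling decision)."""
    return len(exceptions) / len(accounts) if accounts else 0.0


# Constructed sample data: a small user listing and the HR roster it is tested against.
SAMPLE_ACCOUNTS = [
    NetworkAccount("alice", True, date(2024, 5, 30)),   # active, recently used
    NetworkAccount("bob", True, date(2024, 1, 10)),     # active but dormant
    NetworkAccount("carol", True, date(2024, 5, 20)),   # HR says terminated
    NetworkAccount("dave", True, date(2024, 5, 1)),     # unknown to HR
    NetworkAccount("erin", False, date(2023, 12, 1)),   # terminated and disabled: fine
    NetworkAccount("frank", True, None),                # active but never logged on
]
SAMPLE_ROSTER = [
    HrRecord("alice", "active"),
    HrRecord("bob", "active"),
    HrRecord("carol", "terminated"),
    HrRecord("erin", "terminated"),
    HrRecord("frank", "active"),
]


def run_demo(as_of: date = date(2024, 6, 1)) -> List[Tuple[str, str]]:
    return review_user_listing(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, as_of)


if __name__ == "__main__":
    for user, reason in run_demo():
        print(f"{user:8} {reason}")
```

The test is a compliance test because each account is judged against the policy ("only active associates hold access"), not against the correctness of any balance or transaction; the resulting deviation rate is what an attribute sample would be evaluated against. Disabled accounts are deliberately skipped, since the control being tested is removal of access, and a disabled account for a leaver is the control working.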

Area: 1
52. Ensuring regular password change, assigning a new one-time password when
a user forgets his/hers, and requiring users not to write down their passwords are
all examples of:
The correct answer is:
D. control procedures.

Explanation:
Control procedures are practices established by management to achieve specific
objectives (control objectives, choice C). The above examples are all control
procedures intended to achieve the control objective of ensuring compliance with
policies, procedures and standards. Choices A and B refer to the audit process
that is used to verify the effectiveness and adequacy of the control procedures.

Area: 1
53. The FIRST task an IS auditor should complete when performing a new audit in
an unfamiliar area is to:
The correct answer is:
C. gather background information pertinent to the new audit.

Explanation:
Proper planning is the necessary first step in performing effective audits. The IS
auditor's first task should be to gather background information, such as business
sector, applied benchmarks, specific trends and regulatory and legal
requirements. This will allow the auditor to better understand what to audit. After
gathering initial information, the auditor would then identify the audit subject and
audit objective, define the scope, establish the information systems and
functions involved and define the resources that are needed.

Area: 1
54. Risk assessments performed by IS auditors are a critical factor for audit
planning. An assessment of risk should be made to provide:
The correct answer is:
A. reasonable assurance that material items will be covered during the audit
work.

Explanation:
The IS auditing guideline on planning the IS audit states: "An assessment of risk
should be made to provide reasonable assurance that material items will be
adequately covered during the audit work. This assessment should identify areas
with relatively high risk of existence of material problems." Sufficient assurance
that material items will be covered during the audit work is an
impractical proposition. Reasonable assurance that all items will be covered
during the audit work is not the correct answer, as material items need to be
covered, not all items.

Area: 1
55. IS auditors must have a thorough understanding of the risk assessment
process. Risk assessment is a(n):
The correct answer is:
A. subjective process.

Explanation:
The IS auditing guideline on the use of a risk assessment in audit planning states:
"All risk assessment methodologies rely on subjective judgments at some point in
the process (e.g., for assigning weightings to the various parameters). The IS
auditor should identify the subjective decisions required in order to use a
particular methodology and consider whether these judgments can be made and
validated to an appropriate level of accuracy."

Area: 1
56. The BEST time to perform a control self-assessment involving line
management, line staff and the audit department would be during the:
The correct answer is:
B. preliminary survey.

Explanation:
Control self-assessment is a process in which the auditor can get the auditees
together, understand the business process, define where the controls are and
generate an assessment of how well the controls are working. This ideally is
accomplished during the preliminary data gathering phase. Choices A, C and D are
audit steps that are performed after the control self-assessment has been
performed.

Area: 1
57. While conducting a control self-assessment (CSA) program, an IS auditor
facilitated workshops involving management and staff in judging and monitoring
the effectiveness of existing controls. Which of the following is an objective of a
CSA program?
The correct answer is:
A. to enhance audit responsibilities.

Explanation:
An objective associated with a CSA program is the enhancement of audit
responsibilities (not a replacement). Choices B and C are advantages that accrue
from a CSA program, but are not objectives. A CSA program is helpful in
determining audit steps by gaining an overall understanding of the audit subject
and audit objective. Performance of a CSA will not replace audit steps such as
testing, verification and validation (choice D).

Area: 1
58. The responsibility, authority and accountability of the information systems
audit function are appropriately documented in an audit charter and MUST be:
The correct answer is:
A. approved by the highest level of management.

Explanation:
The standard on responsibility, authority and accountability states: "The
responsibility, authority and accountability of the information systems audit
function are to be appropriately documented in an audit charter or engagement
letter." Choices B and C are incorrect because the audit charter should be
approved by the highest level of management, not merely by the information
systems audit department or the user department. The resulting planning
methodologies should be reviewed and approved by senior management and by
the audit committee. Choice D is incorrect because the audit charter, once
established, is not routinely revised and should be changed only if the change can be,
and is, thoroughly justified.

Area: 1
59. The IS auditor should be able to identify and evaluate various types of risks
and their potential effects. Accordingly, which of the following risks is associated
with trap doors?
The correct answer is:
A. Inherent risk.

Explanation:
Inherent risk is the susceptibility of an audit area to an error that could be
material, individually or in combination with other errors, assuming that there
were no related internal controls. Trap doors are such risks: they exit out of
an authorized program and allow insertion of specific logic, such as
program interrupts, to permit a review of data during processing. These doors
also permit insertion of unauthorized logic. Detection risk (choice B) is the
risk that the IS auditor's substantive procedures will not detect an error which could
be material, individually or in combination with other errors. Audit risk (choice C) is
the risk of giving an incorrect audit opinion, while choice D, error risk, is the risk
of errors occurring in the area being audited.

Area: 1
60. IS auditors are MOST likely to perform tests of internal controls if, after their
evaluation of such controls, they conclude that:
The correct answer is:
D. control risks are within the acceptable limits.

Explanation:
IS auditors perform tests of controls (compliance testing) to assess whether the
control risks are within the acceptable limits. The results of the compliance
testing would influence the IS auditor's decisions as to the extent of tests of
balances (substantive testing). If compliance testing confirms that the control risks
are within the acceptable level, then the extent of substantive testing would be
reduced. The objective of compliance testing is to reduce more costly substantive
testing. During the testing phase of an audit, an IS auditor does not know
whether the controls identified operate effectively. Tests of controls, therefore,
evaluate whether specific, material controls are, in fact, reliable. Performing tests
of controls may lead to the conclusion that the control environment is poor, but that is not
the objective with which these tests are performed. Inherent risks cannot
be determined by performing tests of controls.

Area: 1
61. An IS auditor performing an audit of the company's information system (IS)
strategy would be LEAST likely to:
The correct answer is:
A. assess IS security procedures.

Explanation:
When performing an audit of IS strategic planning it is unlikely that the IS auditor
would assess specific security procedures. During an IS strategy review, overall
goals and business plans would be reviewed to determine that the organization's
plans are consistent with the organization's goals.

Area: 2
62. Which of the following organizational goals would normally be mentioned in
an organization's strategic plan?
The correct answer is:
D. Become the supplier of choice within a given time period for the product
offered.

Explanation:
Strategic planning sets corporate or departmental objectives into motion.
Comprehensive planning helps ensure an effective and efficient organization.
Strategic planning is time and project oriented, but must also address and help
determine priorities to meet business needs. In order to assure its contribution to
the organization's successful realization of overall goals, an organization should
have long-range (i.e., greater than one year or business cycle, typically 3-5 years)
and short-range (i.e., one year or business cycle) plans. These plans should be
consistent with the organization's broader plans for attaining the organization's
goals. Choice D represents a business objective that is intended to focus the
overall direction of the business and would thus be a part of the
organization's strategic plan. The other choices do not address business
objectives and are project oriented.

Area: 2
63. Which of the following conditions should exist in order for the local selection
and purchase of IS products to be acceptable?
The correct answer is:
D. Acquisitions are consistent with the organization's short- and long-term IS
technology plans.

Explanation:
Investment in IS products should be oriented towards achieving business
objectives, which are set up through a strategic plan, long-term and short-range,
with the specifics of hardware and software being documented in a technology
plan. Choice B could also be argued. Managers must undertake a full cost-benefit
analysis before deciding what to purchase. This is an accepted condition that
should exist. Allowing various offices to be independent and exchange data on an
occasional basis is acceptable if it complies with overall organizational policy and
procedures, but is not advisable from a cost perspective. The use of the same
type of database management system throughout the organization is not related
to local selection and the purchase of IS products.

Area: 2
64. The initial step in establishing an information security program is the:
The correct answer is:
C. adoption of a corporate information security policy statement.

Explanation:
A policy statement reflects the intent and support provided by executive
management for proper security, and establishes a starting point for developing
the security program.

Area: 2
65. Which of the following documentation would an IS auditor place LEAST
reliance on when determining management's effectiveness in communicating
information systems policies to appropriate personnel?
The correct answer is:
B. Minutes of the IS Steering Committee meetings

Explanation:
Minutes of the IS Steering Committee meetings are not objective measures of the
effectiveness of management. They generally represent the views of
management, not staff, and thus may not indicate how effectively policies have
been communicated to appropriate personnel.

Area: 2
66. An IS auditor who is reviewing application run manuals would expect them to
contain:
The correct answer is:
B. error codes and their recovery actions.

Explanation:
Application run manuals should include the actions to be taken on reported errors, which are
essential for the operator to function properly. Source documents and source code
are irrelevant to the operator. Although dataflow diagrams may be useful,
detailed program diagrams and file definitions are not.

Area: 2
67. Which of the following statements pertaining to ISO 9000 is FALSE?
The correct answer is:
B. The standard covers both internal and external business processes.

Explanation:
The standard does not cover those business processes that are purely internal to
an organization. All other answers are true as they pertain to ISO 9000.

Area: 2
68. Which of the following procedures would normally be performed last by an IS
auditor who is auditing the outsourcing process?
The correct answer is:
C. Perform a control risk assessment.

Explanation:
Once the outsourcer has been chosen, the IS auditor should perform ongoing
application audits and control risk assessments. All of the other answers refer to
procedures that an IS auditor can perform prior to this selection.

Area: 2
69. A written security policy serves to heighten security awareness and should
include all of the following key components EXCEPT:
The correct answer is:
A. an index of computer hardware and software.

Explanation:
Policy is independent of the hardware and software used in general, but policy
must define the awareness planning and philosophy, although it would normally
be fairly high level, such as "awareness will be done every three months and
failure to attend sessions without justification would be a reason for dismissal."
Management must demonstrate a commitment to the policy by approving
security awareness and training. The data owner or manager who is responsible
for the accurate use and reporting of information should provide written
authorization for users to gain access to computerized information.

Area: 2
70. The function of general ledger setup in an enterprise resource package (ERP)
allows for the setting of accounting periods in the package. Access to this
function has been permitted to users in finance, warehouse and order entry. The
MOST likely reason for granting such broad access is the:
The correct answer is:
C. lack of proper policies and procedures for the segregation of duties.

Explanation:
Setting of accounting periods is one of the critical activities of the finance
function. Granting access to this function to the personnel in warehouse and
order entry could be because of a lack of proper policies and procedures for the
segregation of duties. Accounting periods should not be changed at regular
intervals, but established permanently. The requirement to post entries for a
closed accounting period is a risk. If necessary, this would normally be done by
someone in the finance or accounting area. The need to create/modify the chart
of accounts and its allocations is the responsibility of the finance department and
is not a function that should be performed by warehouse or order entry
personnel.

Area: 2
71. Which of the following procedures would MOST effectively detect employee
loading of illegal software packages onto a network?
The correct answer is:
B. Periodic checking of hard drives

Explanation:
The periodic checking of hard drives would be the most effective method of
identifying illegal software packages loaded onto the network. Anti-virus software
will not necessarily identify illegal software unless the software contains a virus.
Diskless workstations act as a preventive control and are not effective, since
users could still download software from other than diskless workstations.
Policies lay out the rules about loading the software, but will not identify the
actual occurrence.
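
An added example (not from the original question bank) of what "periodic checking of hard drives" looks like as a detective control in practice: executables under a share are hashed and any binary whose hash is not in the catalog of licensed, approved software is reported. Hashing the content rather than matching file names means a renamed or relocated copy of a licensed product is still recognised, while an unlicensed tool is flagged wherever it sits. The directory layout, file contents and extension list are constructed fixtures; the function names are assumptions of this example.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Set

# Constructed list of suffixes treated as executables on the scanned volume.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".msi", ".sys"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_unapproved_executables(root: Path, approved_hashes: Set[str],
                                suffixes: Set[str] = EXECUTABLE_SUFFIXES) -> Dict[str, str]:
    """Return {relative path: sha256} for executables absent from the approved catalog."""
    findings: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        digest = sha256_of(path)
        if digest not in approved_hashes:
            findings[path.relative_to(root).as_posix()] = digest
    return findings


def build_sample_volume(root: Path) -> Set[str]:
    """Constructed fixture: writes fake files and returns the approved-hash catalog."""
    apps = root / "apps"
    (apps / "tools").mkdir(parents=True)
    licensed = apps / "ledger.exe"
    licensed.write_bytes(b"LICENSED-APP-BUILD-1")
    (apps / "readme.txt").write_text("not an executable, never hashed")
    # Same licensed binary copied elsewhere under a new name: still approved by hash.
    (apps / "tools" / "ldg_backup.exe").write_bytes(b"LICENSED-APP-BUILD-1")
    # Unlicensed package dropped by a user: not in the catalog.
    (apps / "tools" / "keygen.exe").write_bytes(b"UNLICENSED-COPY")
    return {sha256_of(licensed)}


def run_demo() -> List[str]:
    """Scan a throwaway volume and return the paths of unapproved executables."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        approved = build_sample_volume(root)
        return sorted(find_unapproved_executables(root, approved))


if __name__ == "__main__":
    for rel_path in run_demo():
        print("unapproved executable:", rel_path)
```

Run on a schedule against each workstation or file server, the scan is the detective control the question asks for: it reports an occurrence after the fact, which a policy cannot do, and it does not depend on the unlicensed package carrying a virus signature. The weakness to note is the opposite case, a trojanised build of an approved product: its hash differs from the catalog entry, so it is flagged too, but only if the catalog is kept current for every legitimate build.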

Area: 2
72. Which of the following is LEAST likely to be associated with an incident
response capability?
The correct answer is:
A. Developing a database repository of past incidents and actions to facilitate
future corrective actions.

Explanation:
Developing a database repository of past incidents and actions to facilitate future
corrective actions, as a post-mortem process, would be of least value in
restoring service from an incident currently underway. The creation of a detailed
operations plan, a multi-disciplinary team and the declaration of incidents are all
necessary parts of having an incident response capability which must be carried
out immediately before, or during, the incident in order to handle it properly.

Area: 2
73. Which of the following should NOT be included in an organization's IS security
policy?
The correct answer is:
D. Identity of sensitive security features

Explanation:
The security policies provided to all employees should not identify sensitive
security features such as password file names, technical security configurations,
methods to bypass electronic security or system software files. They should
include all of the other components listed in this question.

Area: 2
74. Which of the following should NOT be a role of the security administrator?
The correct answer is:
A. Authorizing access rights

Explanation:
For proper segregation of duties, the security administrator should not be
responsible for authorizing access rights, nor be an end user. Authorizing access
rights is usually the responsibility of user management, while allocating them would be
done by the security administrator.

Area: 2
75. Which of the following is a role of an information systems steering
committee?
The correct answer is:
B. Ensure efficient use of data processing resources.

Explanation:
Ideally an IS steering committee should consist of members from all significant
business areas in an organization. Their goal is to review and act upon all
requests for new system needs in accordance with the corporate mission and
objectives. To this end it is the responsibility of the committee to ensure the
efficient use of data processing resources and set the priorities, examine costs
and provide support for various projects.

Area: 2
76. Accountability for the maintenance of appropriate security measures over
information assets resides with the:
The correct answer is:
C. data and systems owners.

Explanation:
Management should ensure that all information assets (data and systems) have
an appointed owner who makes decisions about classification and access rights.
System owners typically delegate day-to-day custodianship to the systems
delivery/operations group and delegate security responsibilities to a security
administrator. Owners, however, remain accountable for the maintenance of
appropriate security measures.

Area: 2
77. An IS auditor performing a review of the MIS department discovers that formal
project approval procedures do not exist. In the absence of these procedures the
MIS manager has been arbitrarily approving projects that can be completed in a
short duration and referring other more complicated projects to higher levels of
management for approval. The IS auditor should recommend FIRST that:
The correct answer is:
B. formal approval procedures be adopted and documented.

Explanation:
It is imperative that formal written approval procedures be established to set
accountability. This is true of both the MIS manager and higher levels of
management. Choices A, C and D would be subsequent recommendations once
authority has been established.

Area: 2
78. Responsibility and reporting lines cannot always be established when auditing
automated systems since:
The correct answer is:
C. ownership is difficult to establish where resources are shared.

Explanation:
Because of the diversified nature of both data and application systems, the actual
owner of data and applications may be hard to establish. Answers A and D are
incorrect since it is essential that ownership has been established. Answer B is an
irrelevant distracter.

Area: 2
79. Which of the following criteria would an IS auditor consider to be the MOST
important when evaluating the organization's IS strategy?
The correct answer is:
D. That it supports the business objectives of the organization

Explanation:
Strategic planning sets corporate or department objectives into motion. Both
long-term and short-term strategic plans should be consistent with the
organization's broader plans and business objectives for attaining these goals.
Answer A is incorrect since line management prepared the plans.

Area: 2
80. Which of the following statements relating to separation of duties is TRUE?
The correct answer is:
D. Policies on separation of duties in information systems must recognize the
difference between logical and physical access to assets.

Explanation:
Policies should be clearly defined and recognize the difference between logical
and physical access to assets. This is necessary to ensure compliance. Employee
competence would be considered when evaluating an organization's policy on
separation of duties.

Area: 2
81. Which of the following tasks is normally performed by a clerk in the control
group?
The correct answer is:
A. Maintenance of an error log

Explanation:
Maintaining an error log is the only task identified in this question that a clerk in
the control group would normally perform.

Area: 2
82. Which of the following is NOT a responsibility of a database administrator?
The correct answer is:
A. Designing database applications

Explanation:
The database administrator is not responsible for the design and development of
the applications. This is the function of the programming staff and provides for
adequate separation of duties between the two groups.

Area: 2
83. Which of the following is NOT a responsibility of computer operations?
The correct answer is:
B. Analyzing user specifications

Explanation:
Analyzing user specifications is the responsibility of the systems programming
group, who are involved in new systems development.

Area: 2
84. Which of the following functions should NOT be performed by scheduling and
operations personnel in order to maintain proper segregation of duties?
The correct answer is:
C. Code correction

Explanation:
Code correction is a responsibility of the programming staff, not the scheduling
and operations personnel.

Area: 2
85. Which of the following functions is NOT performed by the IS control group?
The correct answer is:
D. Correction of errors

Explanation:
These are all functions of the control group, with the exception of correction of
errors. It is the responsibility of the control group to log errors, call them to the
attention of the originating department for correction, and monitor their
timely resubmission.

Area: 2
86. Which of the following exposures may result if an adequate separation of
duties between computer operators and application programmers is NOT
maintained?
The correct answer is:
B. Unauthorized program changes

Explanation:
In this situation, the application programmer has been authorized to make
program changes. This function should not be a computer operator task, as this
individual already has access to the entire system and all its resources. The
computer operator function should be restricted and monitored.

Area: 2
87. Which of the following tasks would NOT normally be performed by a data
security officer?
The correct answer is:
D. Monitoring the completeness and accuracy of the data

Explanation:
The data security officer (or security administrator) should have no responsibility
for authorizing, inputting, or reviewing application data. Such activities would
inhibit his/her independence and not provide an adequate segregation of duties.

Area: 2
88. An IS auditor has recently discovered that because of a shortage of skilled
operations personnel, the security administrator has agreed to work one late
night shift a month as the senior computer operator. The MOST appropriate
course of action that the IS auditor should take is to:
The correct answer is:
A. advise senior management of the risk involved.

Explanation:
The IS auditor's first and foremost responsibility is to advise senior management
of the risk involved in having the security administrator perform an operations
function. This is a violation of separation of duties. The IS auditor should not get
involved in processing, but may wish to employ some type of monitoring system
to review the integrity of transactions.

Area: 2
89. Many organizations require an employee to take a mandatory vacation of a
week or more in order to:
The correct answer is:
B. reduce the opportunity for an employee to commit an improper or illegal act.

Explanation:
Required vacations of a week or more, during which someone other than the
regular employee performs the job function, are often mandatory for sensitive
positions. This reduces the opportunity to commit improper or illegal acts, and
during this time it may be possible to discover any fraudulent activity that was
taking place. Answers A, C and D all could be organizational benefits from a
mandatory vacation policy, but are not the reason why it is established.

Area: 2
90. The quality assurance group is typically responsible for:
The correct answer is:
C. ensuring that programs and program changes and documentation adhere to
established standards.

Explanation:
The quality assurance group is typically responsible for ensuring that programs
and program changes and documentation adhere to established standards.
Answer A is the responsibility of the data control group; answer B is the
responsibility of computer operations; and answer D is the responsibility of data
security.

Area: 2
91. Which of the following would NOT be associated with well-written and concise
job descriptions?
The correct answer is:
C. They provide little indication of the degree of separation of duties.

Explanation:
Well-written and concise job descriptions should provide an indication of the degree
of separation of duties within the organization and, in fact, may assist in
identifying possible conflicting duties. All other answers are aspects of well-
written job descriptions.

Area: 2
92. Which of the following BEST describes the role and responsibilities of a
systems analyst?
The correct answer is:
B. Determines user needs for application programming

Explanation:
The systems analyst designs systems based on the needs of the user. This
individual interprets the needs and determines the programs and the
programmers necessary to create the particular application. Answers A and D are
roles of a database administrator, while answer C is a role of production control.

Area: 2
93. Which of the following functions, if combined, would provide the GREATEST
risk to an organization?
The correct answer is:
D. Application programmer and tape librarian

Explanation:
Application programmers should not have access to system program libraries. All
other combinations, although not preferred, would normally include some type of
compensating control to mitigate the lack of separation of duties.

Area: 2
94. Which of the following statements relating to application programmers is
FALSE?
The correct answer is:
C. They are responsible for defining backup procedures.

Explanation:
Defining and initiating backup and recovery procedures is the responsibility of the
database administrator. All other statements are true as they relate to application
programmers.

Area: 2
95. Which of the following is NOT an advantage of cross training employees?
The correct answer is:
D. It allows individuals to understand all parts of a system.

Explanation:
Cross training decreases dependence on one employee, can be part of succession
planning and provides backup for personnel in the event of their absence.
However, cross training may also be risky if it provides an employee with
knowledge of all parts of a system that can later be used to circumvent
controls.

Area: 2
96. Responsibility for programmers and analysts who implement new systems
and maintain existing systems is typically the role of the:
The correct answer is:
D. systems development manager.

Explanation:
The systems development manager is responsible for programmers and analysts
who implement new systems and maintain existing systems. An operations
manager is responsible for computer operations personnel, the data
administrator is responsible for managing data as a corporate asset, and the
quality assurance manager is responsible for information technology quality
initiatives.

Area: 2
97. Which of the following is NOT an activity associated with information
processing?
The correct answer is:
A. Systems analysis

Explanation:
The structure of an IT department varies but is normally divided into two main
areas of activity: information processing and systems development. Information
processing is mostly concerned with the operational aspects of the information
processing environment and often includes computer operations, systems
programming, telecommunications and librarian functions. Systems development
is concerned with the development, acquisition and maintenance of computer
application systems and performs systems analysis and programming functions.

Area: 2
98. A local area network (LAN) administrator is restricted from:
The correct answer is:
C. having programming responsibilities.

Explanation:
A local area network (LAN) administrator is restricted from having programming
responsibilities, but may have end-user responsibilities. The LAN administrator
may report to the director of the information processing facility (IPF) or, in a
decentralized operation, to the end-user manager. In small organizations, the
LAN administrator may also be responsible for security administration over the
LAN.

Area: 2
99. Which of the following pairs of functions should not be combined to provide
proper segregation of duties?
The correct answer is:
B. Application programming and data entry

Explanation:
The roles of application programming and data entry should not be combined
since no compensating controls exist that can mitigate the segregation of duties
risk. All other combined pairs of functions are acceptable.

Area: 2
100. An IS auditor is reviewing the database administration function to ascertain
whether adequate provision has been made for controlling data. The IS auditor
should determine that the:
The correct answer is:
B. responsibilities of the function are well defined.

Explanation:
The IS auditor should not only determine that the responsibilities of the database
administration function are well defined but also ensure that the database
administrator (DBA) reports directly to the data processing manager or executive
to provide independence, authority and responsibility. The DBA should not report
to either data processing operations or systems development management. The
DBA need not be a competent systems programmer, and the remaining choices
are less important than a clear definition of the function's responsibilities.

Area: 2
101. A long-term IS employee with a strong technical background and broad
managerial experience has applied for a vacant position in the IS audit
department. Determining whether to hire this individual for this position should
be based on the individual's vast experience and:
The correct answer is:
D. existing IS relationships where the ability to retain audit independence may be
difficult.

Explanation:
Independence should be continually assessed by the auditor and management.
This assessment should consider such factors as changes in personal
relationships, financial interests and prior job assignments and responsibilities.
The fact that the employee has worked in IS for many years may not in itself
ensure credibility. The audit department's needs should be defined and any
candidate should be evaluated against those requirements. In addition, length
of service will not ensure technical competency, and evaluating an individual's
qualifications based on the age of the individual is not a good criterion and is
illegal in many parts of the world.

Area: 2
102. An IS auditor reviewing the key roles and responsibilities of the database
administrator (DBA) is LEAST likely to expect the job description of the DBA to
include:
The correct answer is:
D. mapping the data model to the internal schema.

Explanation:
A DBA should only in rare instances be mapping data elements from the data model
to the internal schema (physical data storage definitions). To do so would
eliminate data independence for application systems. Mapping of the data model
occurs with the conceptual schema, since the conceptual schema represents the
enterprise-wide view of data within an organization and is the basis for deriving
an end-user department data model.

Area: 2
103. Which of the following provisions in a contract for external information
systems services would an IS auditor consider to be LEAST significant?
The correct answer is:
D. Detailed description of computer hardware used by the vendor

Explanation:
The least significant answer would be the description of computer hardware. The
organization would need to have compatible and sufficient hardware to be
considered as an external site well before contract provisions are reviewed.

Area: 2
104. Is it appropriate for an IS auditor from a company which is considering
outsourcing its IS processing to request and review a copy of each vendor's
business continuity plan?
The correct answer is:
A. Yes, because the IS auditor will evaluate the adequacy of the service bureau's
plan and assist his/her company in implementing a complementary plan.

Explanation:
The primary responsibility of the IS auditor is to assure that the company's assets
are being safeguarded. This is true even if the assets do not reside on the
immediate premises. Reputable service bureaus will have a well-designed and
tested business continuity plan. The contract for services should provide for third
party audit rights over the information processing facility and business continuity
plan.

Area: 2
105. Which of the following indicators would LEAST likely indicate that complete
or selected outsourcing of computer operations should be considered?
The correct answer is:
B. It takes one year to develop and implement a high-priority system.

Explanation:
The development and implementation of a high-priority system typically would
take from one year to 18 months. Having it take one year would not be an
indicator that outsourcing would improve the development time. Answers A, C
and D would all be indicators that outsourcing computer operations might be
warranted.

Area: 2
106. A probable advantage to an organization that has outsourced its data
processing services is that:
The correct answer is:
A. greater IS expertise can be obtained from the outside.

Explanation:
Outsourcing is a contractual arrangement whereby the organization relinquishes
control over part or all of the information processing to an external party. This is
usually done to acquire additional resources or expertise that is not obtainable
from inside the organization.

Area: 2
107. Service level agreements establish:
The correct answer is:
B. minimum service levels to be achieved in the event of a disaster.

Explanation:
Service level agreements are established between the user department and IS
management to assure minimum levels of processing capability in the event
of a disaster. Minimum service levels to be rendered by IS management would
normally be contained in a charter. The other choices are not relevant.

Area: 2
108. An organization has outsourced network and desktop support. Although the
relationship has been reasonably successful, risks remain due to connectivity
issues. Which of the following controls should FIRST be performed to assure the
organization reasonably mitigates these possible risks?
The correct answer is:
D. Adequate definition in the contractual relationship

Explanation:
The most effective and necessary control, and the one that has to be in place
first when a partnering arrangement is used, is the contract. The other answers
are all good techniques for mitigating the risks, but they may not be
enforceable unless they are detailed in the contractual arrangement.

Area: 2
109. An IS auditor reviewing an outsourcing contract of IT facilities would expect
it to define:
The correct answer is:
C. ownership of intellectual property.

Explanation:
The primary reason for outsourcing is usually to reduce costs while maintaining
system availability, confidentiality, functionality etc. Of the choices, the hardware
and access control software are generally irrelevant as long as functionality,
availability and security are not adversely affected, which would itself be a
specific contractual obligation. Similarly, the development methodology should be
of no real concern. The contract must, however, specify who owns the
intellectual property (i.e., information being processed, application programs
etc.). Ownership of intellectual property will have a significant cost and is a
key aspect to be defined in an outsourcing contract.

Area: 2
110. While conducting an audit of management's planning of IS, what would an IS
auditor consider the MOST relevant to short-term planning for the IS department?
The correct answer is:
A. Allocating resources

Explanation:
The planning stage of the IS department should specifically consider the manner
in which resources are allocated in the short term. Investments in IT need to be
aligned with top management strategies, rather than focusing on technology for
technology's sake. Conducting control self-assessments and evaluating hardware
needs are not as critical as allocating resources during short-term planning for the
IS department.

Area: 2
111. The data control department responsible for data entry should:
The correct answer is:
C. ensure proper safekeeping of source documents until processing is complete.

Explanation:
The data control department performing data entry is responsible for receiving
source documents from various departments and ensuring proper safekeeping of
them until processing is complete and source documents and output are returned.
Choices A, B and D are the responsibility of the security administration
department.

Area: 2
112. Which of the following IS functions may be performed by the same
individual, without compromising on control or violating segregation of duties?
The correct answer is:
C. Change/problem and quality control administrator

Explanation:
Change/problem administration and quality control administration are two compatible
functions that would not compromise control or violate segregation of duties. The
other functions listed, if combined, would result in compromising control.

Area: 2
113. Which of the following is the MOST important function to be performed by IT
management within an outsourced environment?
The correct answer is:
D. Monitoring the outsourcing provider's performance

Explanation:
In an outsourcing environment, the company is dependent on the performance of
the service provider. Therefore it is critical to monitor the outsourcing provider's
performance to ensure that it delivers services to the company as required.
Payment of invoices is a finance function which would be done per contractual
requirements. Participating in systems design is a by-product of monitoring the
outsourcing provider's performance, while renegotiating fees is usually a one-time
activity.

Area: 2
114. Which of the following key performance indicators would an IS manager be
LEAST likely to systematically report to the board of directors?
The correct answer is:
D. Disk storage space free

Explanation:
The board of directors is interested in key performance indicators that are
associated with the operation, and that are significant to the business. These are
important to the board when deciding how to maximize the benefits of
investments in IS. Functional details such as CPU, memory, disk and line speed
would not be of significant interest to the board.

Area: 2
115. Employee termination practices should address all of the following EXCEPT:
The correct answer is:
C. employee bonding to protect against losses due to theft.

Explanation:
Employee bonding to protect against losses due to theft is an important hiring
practice to ensure that the most effective and efficient staff is chosen and that
the company is in compliance with legal recruitment requirements, but not a
termination practice. Choices A, B and D are all adequate termination practices.

Area: 2
116. Various standards have emerged to assist IS organizations in achieving an
operational environment that is predictable, measurable and repeatable. The
standard that provides the definition of the characteristics and associated quality
evaluation process to be used when specifying the requirements for and
evaluating the quality of software products throughout their life cycle is:
The correct answer is:
C. ISO 9126.

Explanation:
ISO 9126 is the standard that focuses on the end result of good software
processes, i.e., the quality of the actual software product. (ISO/IEC 9126 has
since been superseded by ISO/IEC 25010, which carries the same product quality
model forward.) ISO 9001 contains guidelines about design, development,
production, installation or servicing. ISO 9002 contains guidelines about
production, installation or servicing, and ISO 9003 contains guidelines on final
inspection and testing.

Area: 2
117. Which of the following would provide the LEAST justification for an
organization's investment in a security infrastructure?
The correct answer is:
B. A white paper report on Internet attacks, companies attacked, and damage
inflicted

Explanation:
Occurrences of security attacks on other organizations would have the least
impact on a decision made by management to establish a security infrastructure
(versus analysis and/or demonstrated threats directly affecting the organization).
A risk analysis would enable an organization to assess the severity of risks posed to
information assets by both internal and external perpetrators. A penetration test
showing the ability to compromise the organization's network, and reports
generated internally from the use of high-profile network tools, would also
sufficiently justify investment in a network security infrastructure.

Area: 2
118. An IS auditor reviewing the organization's IT strategic plan should FIRST
review:
The correct answer is:
B. the business plan.

Explanation:
The IT strategic plan exists to support the organization's business plan. In order to
evaluate the IT strategic plan the IS auditor would first need to familiarize himself
or herself with the business plan.

Area: 2
119. Which of the following issues would be of LEAST concern when reviewing an
outsourcing agreement in which the outsourcing vendor assumes responsibility for
the information processing function?
The correct answer is:
D. The outsourcing vendor's software acquisition procedures.

Explanation:
The outsourcing vendor's software acquisition procedures would be of least
concern. Choices A, B and C are important concerns for any organization after
signing an outsourcing contract.

Area: 2
120. A database administrator is responsible for:
The correct answer is:
B. implementing database definition controls.

Explanation:
Implementing database definition controls is one of the critical functions of the
database administrator. Maintaining access security of data and granting access
rights to users as defined by management is the responsibility of the security
administrator. Defining the system's data structure is the responsibility of the
systems analyst.

Area: 2
121. The security administrator is responsible for providing reasonable assurance
over the confidentiality, integrity and availability of information system controls.
Another duty that could be considered compatible, without causing a conflict of
interest, would be:
The correct answer is:
A. quality assurance.

Explanation:
Quality assurance can also be an additional responsibility of the security
administrator. A security administrator who is also responsible for application
programming, systems programming or data entry does not provide for proper
segregation of duties, since he/she would be in a position to openly introduce
fraudulent or malicious code or data causing damage to the organization.

Area: 2
122. The development of an IS security policy is the responsibility of the:
The correct answer is:
D. board of directors.

Explanation:
Unlike other corporate policies, framing the information systems security policy is
the responsibility of top management, the board of directors. The IS department is
responsible for the execution of the policy, having no authority in framing the
policy. The security committee also functions within the broad security policy
framed by the board of directors. The security administrator is responsible
for implementing, monitoring and enforcing the security rules that management
has established and authorized.

Area: 2
123. A sound information security policy will MOST likely include a:
The correct answer is:
A. response program to handle suspected intrusions.

Explanation:
A sound IS security policy will most likely outline a response program to handle
suspected intrusions. Correction, detection and monitoring programs are all
aspects of information security, but will not likely be included in an IS security
policy statement.

Area: 2
124. Which of the following is responsible for network security operations?
The correct answer is:
B. Security administrators, who control services and computers.

Explanation:
Security administrators are generally held responsible for day-to-day network
security operations, while also balancing security operations with overall network
performance. This may include managing user accounts, implementing security
patches and other related system software upgrades, writing scripts for routinely
archiving log files to a centralized secured server set up for this purpose, and
managing the systems workload to maintain performance within acceptable
thresholds. Security administrators are responsible for assuring that management
policies and procedures are implemented on all systems, participating with senior
system administrators in the development of standard system "builds",
and monitoring on a periodic basis the effectiveness of the controls established.

Area: 2
125. Which of the following would provide a mechanism whereby IS management
can determine when, and if, the activities of the enterprise have deviated from
planned, or expected levels?
The correct answer is:
B. IS assessment methods

Explanation:
Assessment methods provide a mechanism whereby IS management can
determine when and if the activities of the organization have deviated from
planned or expected levels. These methods include IS budgets, capacity and
growth planning, industry standards/benchmarking, financial management
practices and goal accomplishment. Quality management is the means by which
IS department-based processes are controlled, measured and improved.
Management principles differ depending upon the nature of the IS department.
They focus on areas such as people, change, processes, security, etc. Industry
standards/benchmarking provide a means of determining the level of
performance provided by similar information processing facility environments.
These standards, or benchmarking statistics, can be obtained from vendor user
groups, industry publications and professional associations.

Area: 2
126. Which of the following independent duties is performed by the data control
group?
The correct answer is:
D. Reconciliation

Explanation:
Reconciliation is a responsibility of the user, performed by the data control group
with the use of control totals and balancing sheets. This type of independent
verification increases the level of confidence that the application ran successfully
and that the data are in proper balance. Access to data is controlled by a
combination of physical, system and application security in both the user
area and the information processing facility. Authorization tables are built by the IS
department, based on the authorization forms provided by the user. These
define who is authorized to update, modify, delete and/or view data.
These privileges are provided at the system, transaction or field level. Custody
of assets must be determined and assigned appropriately. The data owner is
usually assigned to a particular user department and duties should be specific
and written. The owner of the data has responsibility for determining the
authorization levels required to provide adequate security, while the data
security administration group is often responsible for implementing and enforcing
the security system.

Area: 2
127. Which of the following situations would increase the likelihood of fraud?
The correct answer is:
A. Application programmers are implementing changes to production programs

Explanation:
Production programs are used for processing the actual and current data of the
enterprise. It is imperative to ensure that controls on changes to production
programs are as stringent as for original programs. Lack of control in this area
could result in application programs being modified so as to manipulate the data.
Application programmers are required to implement changes to test programs.
These are only used in development, and do not directly impact the live
processing of data. Operations support staff implementing changes to batch
schedules will only affect the scheduling of the batches. This does not impact the
live data. Database administrators are required to implement changes to data
structures. This is required for reorganization of the database to allow for
additions, modifications or deletion of fields or tables in the database. The
likelihood of fraud because of such changes is remote, as these changes impact
future data and affect all the related fields for all the records in the database.
Therefore, it is not feasible to commit fraud through changes to the data structures.
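As an added example (not part of the original question bank), the following Python script shows one detective control of the kind the explanation calls for over production programs: a manifest of file hashes is recorded for each approved release and kept where application programmers cannot alter it, and the production library is periodically compared against it so that any program modified, added or removed outside change control is reported. The program names, their contents and the manifest layout are constructed for illustration.

```python
import hashlib
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    """Hash program contents with SHA-256 so a colliding replacement cannot be crafted."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Build the approved baseline: program name -> hash of its released contents.

    In practice this is produced at release time by change control, not by the
    programmers, and stored where application programmers have no write access.
    """
    return {name: sha256_hex(data) for name, data in files.items()}


def load_directory(path: Path) -> dict[str, bytes]:
    """Read every regular file under a production library into name -> bytes."""
    return {str(p.relative_to(path)): p.read_bytes()
            for p in sorted(path.rglob("*")) if p.is_file()}


def compare_to_manifest(manifest: dict[str, str],
                        current: dict[str, bytes]) -> dict[str, list[str]]:
    """Report programs whose production copy differs from the approved baseline.

    Returns three sorted lists: modified (hash differs from the release), added
    (present in production but never approved) and removed (approved but missing).
    """
    current_hashes = {name: sha256_hex(data) for name, data in current.items()}
    modified = [n for n in manifest
                if n in current_hashes and current_hashes[n] != manifest[n]]
    added = [n for n in current_hashes if n not in manifest]
    removed = [n for n in manifest if n not in current_hashes]
    return {"modified": sorted(modified), "added": sorted(added),
            "removed": sorted(removed)}


# Constructed sample: the approved release, and the production library as found
# during the review. PAYROLL.CBL was altered outside change control and an
# unapproved FIXUP.CBL has appeared; the other approved programs are intact.
APPROVED_RELEASE = {
    "PAYROLL.CBL": b"COMPUTE NET-PAY = GROSS-PAY - TAX.\n",
    "LEDGER.CBL":  b"ADD AMOUNT TO ACCOUNT-BALANCE.\n",
    "REPORT.CBL":  b"WRITE PRINT-LINE.\n",
}
PRODUCTION_NOW = {
    "PAYROLL.CBL": b"COMPUTE NET-PAY = GROSS-PAY - TAX + 100.\n",
    "LEDGER.CBL":  b"ADD AMOUNT TO ACCOUNT-BALANCE.\n",
    "REPORT.CBL":  b"WRITE PRINT-LINE.\n",
    "FIXUP.CBL":   b"MOVE 0 TO AUDIT-FLAG.\n",
}


def review_sample() -> dict[str, list[str]]:
    """Run the comparison on the constructed sample."""
    return compare_to_manifest(build_manifest(APPROVED_RELEASE), PRODUCTION_NOW)


if __name__ == "__main__":
    for category, names in review_sample().items():
        print(f"{category}: {', '.join(names) or '-'}")
```

For a real library, replace the constructed dictionaries with `load_directory(Path("/path/to/production"))`; the manifest itself must be protected as carefully as the programs, since a programmer who can rewrite the baseline can hide any change.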

Area: 2
128. Which of the following is the BEST way to handle obsolete magnetic tapes
before disposing of them?
The correct answer is:
C. Degaussing the tapes

Explanation:
The best way to handle obsolete magnetic tapes is to degauss them, because this
prevents the unauthorized or accidental divulgation of information, and it
also prevents reuse of the obsolete tapes. Overwriting or erasing
the tapes may cause magnetic errors (considering they are obsolete), thus
inhibiting data integrity. Initializing the tape labels could mean potential
reuse in some cases.

Area: 2
129. An IS steering committee should:
The correct answer is:
C. have formal terms of reference and maintain minutes of its meetings.

Explanation:
It is important to keep detailed steering committee minutes to document the
decisions and activities of the IS steering committee, and the board of directors
should be informed on a timely basis. Choice A is incorrect because only senior
management, or high staff levels, should be members of this committee because
of its strategic mission. Choice B is not a responsibility of this committee but the
responsibility of the security administrator. Choice D is incorrect because in order
to approve an acquisition of hardware or software, a vendor should be invited to
meetings, but not on a regular basis.

Area: 2
130. Which of the following functions would represent a risk if combined with that
of a systems analyst, due to the lack of compensating controls?
The correct answer is:
C. Quality assurance

Explanation:
A systems analyst should not perform quality assurance (QA) duties, as
independence would be impaired since the systems analyst is part of the team
developing/designing the software. A systems analyst can perform the other
functions. The best example is a 'citizen programmer' (so named because such a
person has the right to do all or anything): a programmer who has access to
powerful development tools can perform all aspects of developing software
(design, development, testing, implementation). Only good compensating
controls can monitor and control these activities, and they will ensure these
additional functions have been effectively performed. Even if an analyst
compromises on certain functions in these roles, it can be detected immediately
with the help of compensating controls. However, a systems analyst should be
strongly discouraged from performing the role of QA, since quality assurance
levels could be compromised if the work does not meet the standards agreed upon.
QA levels should never be compromised.

Area: 2
131. Which of the following data entry controls provides the GREATEST assurance
that data entered does not contain errors?
The correct answer is:
A. Key verification

Explanation:
Key verification, or one-to-one verification, will yield the highest degree of
confidence that data entered is error free. However, this could be impractical for
large amounts of data. Segregation of data entry functions from data entry
verification is an additional data entry control. Maintaining a log/record detailing
the time, date, employee's initials/user ID and progress of various data
preparation and verification tasks provides an audit trail. A check digit is added
to data to detect keying errors that alter it. It is not a complete control: a
mis-keyed check digit causes a correct record to be rejected, and a keying error
that happens to leave the computed check digit unchanged is accepted as valid.
One-to-one verification would also detect this category of error, which is why
it provides the highest degree of assurance.

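The difference between the two controls, as an added example that is not part of the original question bank: key verification compares two independent keyings of the same field position by position, while a check digit is computed from the data itself and only rejects entries that change the computed value. The Luhn (modulus 10) algorithm is used below as a representative check-digit scheme, and the account numbers are constructed.

```python
from itertools import zip_longest


def luhn_check_digit(payload: str) -> str:
    """Return the Luhn (mod 10) check digit to append to a string of digits."""
    total = 0
    # Walk from the rightmost payload digit: it sits immediately left of the
    # check digit, so it is doubled, as is every second digit after it.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True when the last digit is the correct check digit for the rest."""
    if len(number) < 2 or not number.isdigit():
        return False
    return number[-1] == luhn_check_digit(number[:-1])


def key_verify(first_keying: str, second_keying: str) -> list[int]:
    """One-to-one verification: positions where two independent keyings differ.

    An empty list means the keyings agree. The control is defeated only when
    both operators make the identical error, which is why it gives the highest
    assurance of the data entry controls (and costs the most operator time).
    """
    return [i for i, (a, b) in enumerate(zip_longest(first_keying, second_keying))
            if a != b]


# Constructed sample: account number 4509 with its check digit appended.
ACCOUNT = "4509" + luhn_check_digit("4509")   # "45096"
SINGLE_DIGIT_ERROR = "45196"                   # 0 keyed as 1
TRANSPOSITION_ERROR = "45906"                  # adjacent 09 keyed as 90
WRONG_CHECK_DIGIT = "45095"                    # data right, check digit mis-keyed


def demo() -> dict[str, object]:
    """Show what each control catches on the constructed sample."""
    return {
        "single digit error caught by check digit": not luhn_valid(SINGLE_DIGIT_ERROR),
        # Luhn does not detect the 09 <-> 90 transposition: both strings pass.
        "transposition caught by check digit": not luhn_valid(TRANSPOSITION_ERROR),
        # A mis-keyed check digit is rejected, not accepted: a false rejection.
        "wrong check digit rejected": not luhn_valid(WRONG_CHECK_DIGIT),
        # Key verification flags every position where the two keyings disagree.
        "transposition positions flagged by key verification":
            key_verify(ACCOUNT, TRANSPOSITION_ERROR),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Run as a script it prints one line per check; the transposition line is `False` for the check digit and `[2, 3]` for key verification, which is the gap in assurance the question is asking about.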
Area: 2
132. Which of the following wouldan IS auditor be MOST concerned with when
evaluating the effectiveness andadequacy of a computer preventive
maintenance program?
The correct answer is:
A. System downtime log

Explanation:
A system downtime log providesinformation regarding the effectiveness and
adequacy of computer preventivemaintenance programs.

Area: 3
133. Which of the following provides the MOST effective means of determining
which controls are functioning properly in an operating system?
The correct answer is:
D. Reviewing the system generation parameters

Explanation:
System generation parameters determine how a system runs, its physical
configuration and its interaction with the workload.

Area: 3
134. Which of the following is NOT a common database structure?
The correct answer is:
B. Sequential

Explanation:
Database structures can be either network, hierarchical or relational.

Area: 3
135. Which of the following computer system risks would be increased by the
installation of a database system?
The correct answer is:
C. Improper file access

Explanation:
Because of the sharing of data within a database, improper file access is of the
greatest concern. Programming and data entry errors should not increase with the
installation of a database. Loss of parity can affect data transmission whether a
database is used or not.

Area: 3
136. The input/output control function is responsible for:
The correct answer is:
C. logging batches and reconciling hash totals.

Explanation:
The logging of batches provides input control, while the reconciling of hash totals
provides output control.
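An added example, not part of the original question bank, of the input/output control just described: a batch of constructed invoice records is logged with its record count, financial total and hash total (the arithmetically meaningless sum of the account numbers), and the totals recomputed from the keyed records are reconciled against the control slip prepared when the batch was received. The record layout and batch contents are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    document: str   # source document reference
    account: int    # account number: no arithmetic meaning, so its sum is a hash total
    amount: int     # amount in cents: its sum is a financial (control) total


def batch_totals(records: list[Record]) -> dict[str, int]:
    """Compute the three batch control totals for a list of records."""
    return {
        "record_count": len(records),
        "financial_total": sum(r.amount for r in records),
        "hash_total": sum(r.account for r in records),
    }


def reconcile(control_slip: dict[str, int],
              records: list[Record]) -> dict[str, tuple[int, int]]:
    """Compare totals of the keyed records with the control slip logged on receipt.

    Returns {total_name: (expected, actual)} for every total that disagrees; an
    empty dict means the batch balances and may be released for processing.
    """
    actual = batch_totals(records)
    return {name: (expected, actual[name])
            for name, expected in control_slip.items()
            if actual[name] != expected}


# Constructed sample: the batch as logged by data control when it arrived...
SOURCE_BATCH = [
    Record("INV-1001", 10452, 12050),
    Record("INV-1002", 20871, 3000),
    Record("INV-1003", 33019, 7525),
]
CONTROL_SLIP = batch_totals(SOURCE_BATCH)   # recorded on the batch header

# ...and the same batch as keyed: the account on INV-1002 was transposed
# (20871 -> 28071). The record count and the financial total still balance;
# only the hash total exposes the error, which is why it is kept at all.
KEYED_BATCH = [
    Record("INV-1001", 10452, 12050),
    Record("INV-1002", 28071, 3000),
    Record("INV-1003", 33019, 7525),
]


if __name__ == "__main__":
    print("control slip:", CONTROL_SLIP)
    print("discrepancies:", reconcile(CONTROL_SLIP, KEYED_BATCH) or "none")
```

A dropped or duplicated record shows up in the record count and usually the financial total; a keying error in a non-monetary field shows up only in the hash total, so all three are reconciled before a batch is released.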

Area: 3
137. Utility programs that assemble software modules needed to execute a
machine instruction application program version are:
The correct answer is:
C. linkage editors and loaders.

Explanation:
Utility programs that assemble software modules needed to execute a machine
instruction application program version are linkage editors and loaders.

Area: 3
138. Which of the following statements pertaining to a data communication
system is FALSE?
The correct answer is:
C. It operates on the content of the information.

Explanation:
Data communication systems do not operate on the content of the information.
All other statements are true.

Area: 3
139. Which of the following is NOT an advantage of an object-oriented approach
to data management systems?
The correct answer is:
B. The ability to restrict the variety of data types

Explanation:
All of the above are advantages of an object-oriented approach to data
management systems except that it provides the ability to manage an
unrestricted variety of data types.

Area: 3
140. Which of the following allow programmers to code and compile programs
interactively with the computer from a terminal?
The correct answer is:
C. Online programming facilities

Explanation:
An online programming facility allows programmers to code and compile
programs interactively with the computer from a terminal. Firmware is operating
system program code that can be stored in read-only memories; utility programs
are systems software that performs systems maintenance; and network
management software controls and maintains the network.

Area: 3
141. A data dictionary is an example of software that is used to:
The correct answer is:
A. describe application systems.

Explanation:
A data dictionary is an example of utility program software that is used to
understand application systems. Other examples are flowcharters, transaction
profile analyzers and execution path analyzers.

Area: 3
142. Which of the following is NOT an advantage of image processing?
The correct answer is:
C. Relatively inexpensive to use

Explanation:
All of the above are advantages of image processing systems except that image
processing systems are very expensive and companies do not invest in them
lightly.

Area: 3
143. In a review of the operating system software selection and the acquisition
process, an IS auditor would place more importance on finding evidence of:
The correct answer is:
C. hardware-configuration analysis.

Explanation:
The purchase of operating system software is dependent on the software being
compatible with existing hardware. Choices A and D, although important, are
not as important as answer C. Users do not normally approve the acquisition of
operating system software.

Area: 3
144. Which of the following line media would be MOST secure in a
telecommunication network?
The correct answer is:
D. Dedicated lines

Explanation:
Dedicated lines are set apart for a particular user or organization. Since there is
no sharing of lines or intermediate entry points, the risk of interception or
disruption of telecommunications messages is lower.

Area: 3
145. What type of transmission requires modems in a network to be connected to
terminals from the computer?
The correct answer is:
C. Analog

Explanation:
Modems convert data from digital to analog because most of the communications
switches are analog.

Area: 3
146. Which of the following is NOT a telecommunications control?
The correct answer is:
B. Common carrier

Explanation:
Common carrier refers to the carrier or telephone company that provides the
circuits and switches to facilitate data transmission.

Area: 3
147. An IS auditor needs to link his/her microcomputer to a mainframe system
that uses binary synchronous data communications with block data transmission.
However, the IS auditor's microcomputer, as presently configured, is capable of
only asynchronous ASCII character data communications. Which of the following
must be added to the IS auditor's computer to enable it to communicate with the
mainframe system?
The correct answer is:
A. Protocol conversion and buffer capacity

Explanation:
In order for the IS auditor's microcomputer to communicate with the mainframe,
the IS auditor must use a protocol converter to convert between asynchronous and
synchronous transmission. Additionally, the message must be spooled to a
buffer to compensate for the different rates of data flow.

Area: 3
148. Which of the following is a telecommunication device that translates data
from digital form to analog form and back to digital?
The correct answer is:
B. Modem

Explanation:
A modem is a device that translates data from digital to analog and back to
digital.

Area: 3
149. Which of the following is a network architecture configuration that links each
station directly to a main hub?
The correct answer is:
C. Star

Explanation:
A star network architecture configuration links each station directly to a main
hub. Bus configurations link all stations along one transmission medium; ring
configurations attach all stations to a point on a circle; and completely connected
(mesh) configurations provide a direct link between every pair of host machines.

Area: 3
150. Which of the following transmission media would NOT be affected by cross
talk or interference?
The correct answer is:
A. Fiber optic systems
Explanation:
Of the media listed, only fiber optic systems would not be subject to crosstalk or
interference: they carry light rather than electrical signals, so they neither
radiate nor pick up electromagnetic noise.

Area: 3
151. In Wide Area Networks (WANs):
The correct answer is:
D. the selection of communication lines will affect reliability.

Explanation:
The selection of communication lines, modems, software, etc. has a great
effect on network reliability. Choice A is partly correct but incomplete: in wide
area networks, data flow can be half duplex or full duplex.

Area: 3
152. Which of the following Local Area Network (LAN) physical layouts are subject
to vulnerability to failure if one device fails?
The correct answer is:
C. Ring

Explanation:
The ring network is vulnerable to failure if one device fails, because each station
passes the signal on to the next; unless the ring provides station bypass or a
second, counter-rotating ring, a single failed station or link breaks the path.

Area: 3
153. Neural networks are effective in detecting fraud because they can:
The correct answer is:
C. attack problems that require consideration of a large number of input
variables.

Explanation:
Neural networks can be used to attack problems that require consideration of
numerous input variables. They are capable of capturing relationships and
patterns often missed by other statistical methods. Neural networks will not
discover new trends. They are inherently non-linear and make no assumption
about the shape of any curve relating variables to the output. Neural networks
will not work well at solving problems for which sufficiently large and general sets
of training data are not obtainable.

Area: 3
154. E-cash is a form of electronic money that:
The correct answer is:
A. can be used over any computer network.

Explanation:
E-cash is a form of electronic money that can be sent from any computer to any
other computer using any network, including the Internet. E-cash uses coins that
can be used only once, after which they are taken out of circulation. These coins
are anonymous and carry no traceable information. Each transaction in which e-
cash is used requires the participation of an Internet-connected digital bank.

Area: 3
155. An organization is about to implement a computer network in a new office
building. The company has 200 users located in the same physical area. No
external network connections will be required. Which of the following network
configurations would be the MOST expensive to install?
The correct answer is:
D. Mesh

Explanation:
Under these circumstances the completely connected (mesh) configuration would
be the most expensive of the solutions to implement. It would require every
machine on the network to be connected to every other machine on the network
(for 200 machines, 200 x 199 / 2 = 19,900 links), which requires more cable than
any other configuration. The bus configuration requires the least amount of cable
to connect the computers together, the ring configuration is next, and the star
configuration may require about the same cabling as the ring, since newer ring
devices are physically wired as a star and are identical in shape and installation
to star Ethernet switches or hubs.

Area: 3
156. An organization is about to implement a computer network in a new office
building. The company has 200 users located in the same physical area. No
external network connections will be required. Which of the following network
configurations would be the easiest for problem resolution?
The correct answer is:
C. Star

Explanation:
The star configuration would be the easiest network for problem resolution. In a
star configuration all lines are connected to the central hub, so a fault can be
isolated to one line or to the hub itself. A problem can occur if the central hub
fails. A bus configuration can be difficult to troubleshoot since a cable break can
be difficult to find. Ring configurations are also difficult to troubleshoot.
Problems in a mesh configuration are also relatively easy to diagnose, but not as
easy as in a star configuration.
Area: 3
157. The following question refers to the diagram below.

(Diagram not reproduced in this copy.)

Assuming this diagram represents an internal facility and the organization is
implementing a firewall protection program, where should firewalls be installed?
The correct answer is:
D. SMTP Gateway and op-3

Explanation:
The objective of a firewall is to protect a trusted network from an untrusted
network. Given that assumption, the only locations needing a firewall are the
points where external connections exist. All other answers are incomplete or
represent internal connections.

Area: 3
158. Congestion control is BEST handled by which OSI layer?
The correct answer is:
C. Transport layer

Explanation:
The transport layer is responsible for reliable end-to-end data delivery. It
implements flow and congestion control mechanisms that detect congestion and
reduce the transmission rate, then increase the rate again when the network no
longer appears to be congested (e.g., TCP's congestion window). The network
layer is not the best answer: what it offers is limited to hop-by-hop measures
implemented in routers, such as the ICMP source quench message sent when a
router's buffers fill, which tells the sender nothing about when to resume and
itself adds traffic during congestion (source quench has since been deprecated).
The session and data link layers do not provide end-to-end congestion control.
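As an added example (not code from the question bank), the following Python model shows the transport-layer behaviour the explanation describes: a sender grows its congestion window exponentially (slow start), then linearly (congestion avoidance), and halves it when the path drops segments. The path capacity, the segment-counted window and the loss rule are constructed assumptions; real TCP counts bytes, is clocked by acknowledgements and has several recovery variants.

```python
"""Toy model of TCP-style congestion control (added example, not from the page).

Assumptions (constructed): the window is counted in segments, one loop
iteration is one round-trip time, and the path silently drops segments as
soon as the window exceeds `capacity`.
"""


def simulate_cwnd(rounds, capacity, initial_ssthresh=64):
    """Return the congestion window (cwnd) the sender used in each round."""
    cwnd, ssthresh, trace = 1, initial_ssthresh, []
    for _ in range(rounds):
        trace.append(cwnd)
        if cwnd > capacity:
            # Loss is the congestion signal: multiplicative decrease.
            # ssthresh remembers half the window that overran the path.
            ssthresh = max(cwnd // 2, 2)
            cwnd = ssthresh
        elif cwnd < ssthresh:
            cwnd *= 2          # slow start: double every RTT until ssthresh
        else:
            cwnd += 1          # congestion avoidance: additive increase
    return trace


def loss_events(trace, capacity):
    """Rounds in which the sender offered more than the path could carry."""
    return [i for i, w in enumerate(trace) if w > capacity]


def offered_load(trace, segment_bytes=1460):
    """Bytes the sender put on the wire over the whole simulation."""
    return sum(trace) * segment_bytes


if __name__ == "__main__":
    t = simulate_cwnd(rounds=14, capacity=20)
    print("cwnd per RTT:", t)            # sawtooth: 1,2,4,8,16,32,16,17,...,21,10,11
    print("loss rounds:", loss_events(t, 20))
```

The trace is the familiar sawtooth: the window overshoots the path once during slow start, is halved, then creeps up one segment per round until it overshoots again. A sender that ignored the loss signal would keep the path permanently overloaded, which is the congestion collapse the transport layer exists to avoid.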

Area: 3
159. Which of the following is NOT an element of a LAN environment?
The correct answer is:
D. Private circuit switching technology

Explanation:
Private circuit switching technology is associated with WAN usage, not LANs.
Typically, such a network is set up by a corporation or other large organization to
interconnect its various sites. Such a network usually consists of PBX systems at
each site interconnected by dedicated leased lines obtained from a carrier.
Packet switching technology is the means for transmitting data between devices
on a LAN. Baseband is a commonly used LAN data transmission signaling
technique (digital signaling). Ring or short bus topologies are methods
for interconnecting devices on a LAN.

Area: 3
160. Which of the following would an IS auditor NOT review when performing a
general operational control review?
The correct answer is:
A. User manuals

Explanation:
A review of the general operational controls does not include evaluation of user
manuals. Re-run reports, maintenance logs and backup procedures should be
examined during an operational review.

Area: 3
161. Which of the following is NOT a function of an online tape management
system?
The correct answer is:
D. Controlling physical access to the tape library area

Explanation:
An online tape management system is an automated tool that tracks the tapes
and their contents; it cannot control physical access to the tape library area,
which requires physical controls such as locks and badge readers.

Area: 3
162. Which of the following is NOT related to file identification?
The correct answer is:
C. Retention period standards

Explanation:
File identification controls include periodic file inventory, external label standards
and high-level qualifier restrictions. Retention period standards are not part of
file identification.

Area: 3
163. An IS auditor has discovered that the organization's existing computer
system is no longer adequate for the demands being placed on it by data
processing, is not compatible with new models and cannot be expanded. As a
result, a recommendation is made to use emulation. Emulation involves:
The correct answer is:
C. software which translates the old program into one readable by a new
computer.

Explanation:
This question requires knowledge of the emulation technique, which is
performed by an emulator. It imitates one system with another, such that the
imitating system accepts the same data, executes the same programs and
achieves the same results as the imitated system. The other choices are not
relevant to the emulation technique.

Area: 3
164. All of the following are properties of a relational database EXCEPT:
The correct answer is:
B. operational efficiencies are significantly increased with relational models

Explanation:
Operational inefficiencies (not efficiencies) tend to increase with a relational
model, because of the overhead of normalization and joins. This choice therefore
describes a disadvantage of the relational approach, not a property of a relational
database. The other choices are properties of a relational database.

Area: 3
165. Which of the following is the operating system mode in which all
instructions can be executed?
The correct answer is:
C. Supervisor

Explanation:
In supervisor (kernel) mode the processor will execute every instruction,
including the privileged ones that control memory protection, I/O and the
interrupt state. In problem (user) mode, privileged instructions cannot be
executed; attempting one traps to the operating system. The other choices are
not relevant.

Area: 3
166. During a review of a large data center an IS auditor observed computer
operators acting as backup tape librarians and security administrators. Which of
these situations would be MOST critical to report to senior management?
The correct answer is:
B. Computer operators acting as security administrators

Explanation:
Computer operators should not be given security administrator access. Computer
operators acting as security administrators can manipulate the security system to
give themselves excessive powers. These powers can be used not only to set up
fictitious accounts, but also to eliminate any record of it from the log. Computer
operators in large data centers are often called upon to back up the tape librarian
in case of need. As long as the operator cannot manipulate the system logging,
this is acceptable, because the log still tracks what has taken place.

Area: 3
167. Which of the following functions would be acceptable for the security
administrator to perform in addition to his or her normal function?
The correct answer is:
B. Quality assurance

Explanation:
The quality assurance duties could be performed by the security administrator
without causing a conflict with respect to segregation of duties, because the two
roles deal with totally different aspects of the system with little overlap. The
systems analyst function could potentially give the security administrator
valuable knowledge, which in turn could be used to bypass security procedures.
The computer operations function could allow the security administrator to
bypass or deactivate security procedures. The systems programmer function
could potentially allow the security administrator to bypass or deactivate
security procedures for their own benefit.

Area: 3
168. Which of the following is a hardware device that relieves the central
computer from performing network control, format conversion and message
handling tasks?
The correct answer is:
D. Front end processor

Explanation:
A front end processor is a hardware device that connects all communication lines
to a central computer, relieving the central computer of network control, format
conversion and message handling tasks.

Area: 3
169. Which of the following tools for controlling input/output of data are used to
verify output results and control totals by matching them against the input data
and control totals?
The correct answer is:
B. Batch balancing
Explanation:
Batch balancing is used to verify output results and control totals by matching
them against the input data and control totals. This can be performed by the
computer program where the control totals were input into the computer with the
batch input. Batch header forms control data preparation; data conversion error
corrections correct errors that occur due to duplication of transactions and
inaccurate data entry; and access controls over print spools prevent reports from
being accidentally deleted from print spools or directed to a different printer.
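Added example (not from the question bank): the batch-balancing comparison in Python. The batch, the account numbers and the amounts are constructed; the hash total is the sum of the account numbers, which has no business meaning but catches a transposed or substituted key that the record count and financial total both miss.

```python
from decimal import Decimal

# Constructed input batch (record id, account number, amount); not real data.
INPUT_BATCH = [
    (1, "4711", Decimal("100.00")),
    (2, "4712", Decimal("250.50")),
    (3, "4713", Decimal("75.25")),
    (4, "4714", Decimal("300.00")),
]


def control_totals(records):
    """Totals written to the batch header before processing: record count,
    financial total, and a hash total over the (non-financial) account numbers."""
    return {
        "count": len(records),
        "amount": sum((amount for _, _, amount in records), Decimal("0")),
        "hash": sum(int(account) for _, account, _ in records),
    }


def balance_batch(header, output_records):
    """Recompute the totals from the processed output and return every total
    that disagrees with the header as {name: (expected, actual)}."""
    actual = control_totals(output_records)
    return {k: (header[k], actual[k]) for k in header if header[k] != actual[k]}


def balancing_report(header, output_records):
    """One line per discrepancy, as an operator would see it on the balancing report."""
    diffs = balance_batch(header, output_records)
    if not diffs:
        return "batch in balance"
    return "; ".join(f"{k}: expected {e}, got {a}" for k, (e, a) in diffs.items())


if __name__ == "__main__":
    header = control_totals(INPUT_BATCH)
    print(balancing_report(header, INPUT_BATCH))            # batch in balance
    dropped = INPUT_BATCH[:-1]                              # a record lost in processing
    print(balancing_report(header, dropped))                # count, amount and hash all differ
    transposed = [(i, "4721" if a == "4712" else a, m) for i, a, m in INPUT_BATCH]
    print(balancing_report(header, transposed))             # only the hash total catches this
```

The dropped record is caught by every total; the transposed account number (4712 keyed as 4721) leaves the count and the financial total intact and is caught only by the hash total, which is why a batch header carries all three.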

Area: 3
170. Which of the following tools is NOT used to monitor the efficiency and
effectiveness of services provided by IS personnel?
The correct answer is:
A. Online monitors

Explanation:
All of the answers are examples of tools used to monitor the efficiency and
effectiveness of services provided by IS personnel, except online monitors. These
monitor telecommunication transmissions and determine whether transmissions
are accurately completed.

Area: 3
171. Which of the following would an IS auditor expect to find in a console log?
The correct answer is:
C. System errors

Explanation:
System errors are the only ones that you would expect to find in the console log.

Area: 3
172. Which of the following systems-based approaches would a financial
processing company employ to monitor spending patterns in order to identify
abnormal expenditures?
The correct answer is:
A. A neural network

Explanation:
A neural network will monitor and learn patterns, reporting exceptions for
investigation. Database management software is a method of storing and
retrieving data. MIS provides management statistics but does not normally have a
monitoring and detection function. Computer assisted audit techniques detect
specific situations, but are not intended to learn patterns and detect
abnormalities.

Area: 3
173. Which of the following is the BEST form of transaction validation?
The correct answer is:
B. Use of programs to check the transaction against criteria set by management

Explanation:
Use of programs to check the transaction against criteria set by management is
the best answer because validation involves comparison of the transaction
against predefined criteria.

Area: 3
174. An IS auditor needs to link his/her microcomputer to a mainframe system
that uses binary synchronous data communications with block data transmission.
However, the IS auditor's microcomputer, as presently configured, is capable of
only asynchronous ASCII character data communications. Which of the following
must be added to the IS auditor's computer to enable it to communicate with the
mainframe system?
The correct answer is:
D. Protocol conversion and buffer capability

Explanation:
In order for the IS auditor's microcomputer to communicate with the mainframe,
the IS auditor must use a protocol converter to translate between the
microcomputer's asynchronous transmission and the mainframe's synchronous
transmission. Additionally, the message must be spooled to a buffer to
compensate for the different rates of data flow.

Area: 3
175. Which of the following audit techniques would an IS auditor place the MOST
reliance on when determining whether an employee practices good preventive
and detective security measures?
The correct answer is:
A. Observation

Explanation:
Observation is considered to be the best test to ensure that an employee
understands and practices good preventive and detective security.

Area: 3
176. Which of the following is NOT a way that executive information systems (EIS)
are distinguished from other information systems?
The correct answer is:
D. EIS focus on broad problems to a specific view.

Explanation:
EIS systems include all of the above with the exception of answer D. An important
characteristic of EIS is that they move from detailed data to a broad view: the
information is presented at a summary level, built from the detailed underlying
data.

Area: 3
177. An organization is considering installing a local area network (LAN) in a site
under construction. If system availability is the main concern, which of the
following topologies is MOST appropriate?
The correct answer is:
A. Ring

Explanation:
A ring or loop topology would enable messages to be re-routed should the
network cabling be severed at any point or a hardware element fail. With the
correct settings in the network hardware, the loss of any link could be invisible to
the users. This assumes a dual (counter-rotating) ring such as FDDI, which wraps
around a failure; a simple single ring breaks when one station or link fails (see
question 152). In line and bus networks, which are essentially the same thing,
terminals are connected to a single cable. If this cable is severed, all terminals
beyond the point of severance will be unavailable. A star network clusters
terminals around hubs, connected to the server by separate lines in the form of a
star. If any line is severed, all terminals in the cluster at the end of that line
would be disconnected.

Area: 3
178. Capacity monitoring software is used to ensure:
The correct answer is:
D. continuity of efficient operation.

Explanation:
Capacity monitoring software shows, usually in the form of red, amber and green
lights or graphs, the actual usage of online systems versus their maximum
capacity. The aim is to enable software support staff to take action should use
begin to exceed the percentage of available capacity, to ensure that efficient
operation, in the form of response times, is maintained. Systems should never be
allowed to operate at maximum capacity, and monitoring software is intended to
prevent this. Although the software may well be used to support a business case
for future acquisitions in terms of capacity requirements, it would not provide
information on the effect of user functionality demands, and it does not ensure
concurrent usage of the system by users, other than to highlight levels of user
access.

Area: 3
179. Receiving an electronic data interchange (EDI) transaction and passing it
through the communications interface stage usually requires:
The correct answer is:
B. routing verification procedures.

Explanation:
The communications interface stage requires routing verification procedures. EDI,
for example ANSI X12, is a standard that must be interpreted by an application for
transactions to be processed and then invoiced, paid and sent, whether they are
for merchandise or services. SWIFT is an example of how EDI has been
implemented and adopted. There is no point in sending and receiving EDI
transactions if they cannot be processed by an internal system. Unpacking
transactions and recording audit logs are both important elements that help
follow business rules and establish controls, but are not part of the
communications interface stage.

Area: 3
180. Which one of the following types of firewalls would BEST protect a network
from an Internet attack?
The correct answer is:
A. Screened sub-net firewall

Explanation:
A screened sub-net firewall would provide the best protection. The screening
router can be a commercial router or a node with routing capabilities that can
filter packets, permitting or blocking traffic between networks or nodes based on
addresses, ports, protocols, interfaces, etc. Application level gateways are
mediators between two entities that want to communicate, also known as proxy
gateways. The application level (proxy) works at the application level, not only
at the packet level. Screening only controls at the packet level (addresses,
ports, etc.) and does not see the contents of the packet. A packet filtering router
examines the header of every packet travelling between the Internet and the
corporate network.

Area: 3
181. A large manufacturing firm wants to automate its invoice and payment
processing system with its suppliers. Requirements state that the system of high
integrity will require considerably less time for review and authorization. The
system should still be capable of quickly identifying errors that need follow up.
Which approach below is BEST suited in meeting these requirements?
The correct answer is:
C. Establishing an electronic data interchange (EDI) system of electronic business
documents and transactions with key suppliers, computer to computer, in a
standard format.

Explanation:
EDI is the best answer. Properly implemented (e.g., agreements with trading
partners on transaction standards, controls over network security mechanisms in
conjunction with application controls), EDI is best suited to identify and follow up
on errors more quickly given the reduced opportunities for review and authorization.

Area: 3
182. Which of the following is widely accepted as one of the critical components
in networking management?
The correct answer is:
A. Configuration management

Explanation:
Configuration management is widely accepted as one of the key components of
any network since it establishes how the network will function both internally and
externally. It also deals with management of configuration and monitoring
performance. Topological mappings provide an outline of the components of the
network and its connectivity, which is important for managing and monitoring the
network. It is not essential that monitoring tools be used. Proxy server
troubleshooting is a troubleshooting activity, not a management component.

Area: 3
183. An IS auditor consulting on a project to develop a network management
system would consider all of the following essential features EXCEPT:
The correct answer is:
A. the capacity to interact with the Internet for problem solving.

Explanation:
The capability to interact with the Internet for problem solving is not an essential
aspect of a network management system, while choices B, C and D are all
essential features of an effective network management system.

Area: 3
184. In protocols like HTTP, FTP and SMTP, the implementation of the TCP/IP suite
is arranged in the following manner:
The correct answer is:
A. TCP works at the transport layer and handles packets, while IP works at the
network layer and handles addresses.

Explanation:
TCP works at the transport layer and handles the reliable, ordered delivery of the
data (segmenting, sequencing, acknowledging and retransmitting it), while IP
works at the network layer and handles the addressing and routing of packets
between hosts.

Area: 3
185. Public-key infrastructure (PKI) integrates all of the following into an
enterprise-wide network security architecture EXCEPT:
The correct answer is:
D. password key management.

Explanation:
PKI is the combination of software, encryption technologies and services that
enables enterprises to protect the security of their communications and business
transactions on the Internet. A typical enterprise's PKI encompasses the issuance
of digital certificates (which bind a public key to an identity) to individuals,
integration with corporate certificate directories and use of public key
cryptography systems in establishing trust relationships with customers.
Password key management is not a technique used in PKI to distribute keys to
individuals. Instead, certificate authorities digitally sign certificates using their
own private key, thereby protecting the certificate (and the public key it contains)
against tampering and vouching for the holder's identity.

Area: 3
186. All of the following are common problems with firewall implementations
EXCEPT:
The correct answer is:
A. inadequately protecting the network and servers from virus attacks.

Explanation:
Packet-level firewalls offer no protection against viruses, since virus code is
embedded in user data that the firewall does not inspect (firewalls control access
by examining the network header data in packets, preventing or detecting
unauthorized access). Common methods used to protect against viruses include
regularly running antivirus software: integrity checkers, scanners that look for
sequences of bits (signatures) characteristic of virus programs, and active
monitors that interpret operating system and ROM basic input-output system
(BIOS) calls, looking for virus-like actions. The other choices are common
problems with firewall implementations that, when left uncorrected, may result in
unauthorized access to an organization's network systems.

Area: 3
187. When auditing operating software development, acquisition or maintenance,
the IS auditor would review system software maintenance activities to determine:
The correct answer is:
D. current versions of the software are supported by the vendor.

Explanation:
The IS auditor would review system software maintenance activities to determine
that current versions of the software are supported by the vendor and that
changes made to the system software are documented. Choice A would be
determined if an IS auditor was performing a review of controls over the
installation of changed system software. The impact of the product on processing
reliability would be determined when a review of the cost/benefit analysis of
system software procedures is performed. Choice C would be determined when a
review of controls over the installation of changed system software takes place.

Area: 3
188. While evaluating a file/table design, an IS auditor should understand that a
referential integrity constraint consists of:
The correct answer is:
B. ensuring that data are updated through triggers.

Explanation:
Referential integrity constraints ensure that a change to a primary key of one
table is automatically reflected in the matching foreign keys of other tables, and
that no foreign key is left pointing at a row that does not exist. In the exam's
terms this is done using triggers; in practice most DBMSs enforce it through a
declared FOREIGN KEY constraint, with cascading behaviour (ON UPDATE
CASCADE, ON DELETE RESTRICT) declared on the constraint rather than
hand-written as triggers.
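Added example (not from the question bank): the behaviour an auditor should expect from a referential integrity constraint, demonstrated with Python's standard-library sqlite3 module and a constructed two-table schema. Rejecting an orphan row, cascading a parent key change to the child rows, and refusing to delete a referenced parent are all produced by the declared constraint, with no trigger written by hand. The schema, the names and the PRAGMA are assumptions of this example; note that SQLite enforces foreign keys only when that PRAGMA is on, which is itself a finding worth checking in a SQLite-backed system.

```python
import sqlite3


def build_db():
    """In-memory database with the constraint declared on the child table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    # SQLite ships with foreign key enforcement OFF; without this line every
    # check below silently passes and the orphan row is accepted.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript("""
        CREATE TABLE dept (
            dept_id INTEGER PRIMARY KEY,
            name    TEXT NOT NULL
        );
        CREATE TABLE emp (
            emp_id  INTEGER PRIMARY KEY,
            name    TEXT NOT NULL,
            dept_id INTEGER NOT NULL
                REFERENCES dept(dept_id)
                ON UPDATE CASCADE      -- parent key change propagates to child rows
                ON DELETE RESTRICT     -- parent cannot vanish while referenced
        );
        INSERT INTO dept VALUES (10, 'Audit'), (20, 'Operations');
        INSERT INTO emp  VALUES (1, 'Ana', 10), (2, 'Bo', 20);
    """)
    return conn


def insert_orphan(conn):
    """Try to add an employee in a department that does not exist.
    Returns True when the constraint rejected the row."""
    try:
        conn.execute("INSERT INTO emp VALUES (3, 'Cy', 99)")
        return False
    except sqlite3.IntegrityError:
        return True


def change_parent_key(conn, old, new):
    """Renumber a department; returns (name, dept_id) of every employee afterwards."""
    conn.execute("UPDATE dept SET dept_id = ? WHERE dept_id = ?", (new, old))
    return conn.execute("SELECT name, dept_id FROM emp ORDER BY emp_id").fetchall()


def delete_referenced_parent(conn, dept_id):
    """Try to delete a department that still has employees.
    Returns True when the constraint rejected the delete."""
    try:
        conn.execute("DELETE FROM dept WHERE dept_id = ?", (dept_id,))
        return False
    except sqlite3.IntegrityError:
        return True


def orphan_rows(conn):
    """Employees whose dept_id has no parent; must be empty if the constraint holds."""
    return conn.execute(
        "SELECT e.emp_id FROM emp e LEFT JOIN dept d ON d.dept_id = e.dept_id "
        "WHERE d.dept_id IS NULL").fetchall()


if __name__ == "__main__":
    db = build_db()
    print("orphan rejected:", insert_orphan(db))               # True
    print("after renumbering 10 -> 11:", change_parent_key(db, 10, 11))
    print("delete of referenced dept rejected:", delete_referenced_parent(db, 20))
    print("orphans:", orphan_rows(db))                         # []
```

The last function is the test an auditor can run against any database regardless of how integrity is enforced: a child row whose foreign key matches no parent means the constraint is missing, disabled, or was bypassed by a bulk load.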

Area: 3
189. One of the responsibilities of the technical support function is:
The correct answer is:
D. obtaining detailed knowledge of the operating system and other systems
software.

Explanation:
The responsibility of the technical support function is to provide specialist
knowledge of production systems to identify and assist in system
change/development and problem resolution. The support functions include
obtaining detailed knowledge of the operating system and other systems
software. Program change control is responsible for ensuring that job preparation,
scheduling and operating instructions have been established. Specific objectives
of the quality assurance function include establishing, enhancing and maintaining
a stable, controlled environment for the implementation of changes within the
production software environment. They are also responsible for defining,
establishing and maintaining a standard, consistent and well-defined testing
methodology for computer systems.

Area: 3
190. A universal serial bus (USB) port:
The correct answer is:
B. connects the network with an Ethernet adapter

Explanation:
A USB port can connect a computer to the network without a separate network
interface card being installed inside the computer, by using a USB Ethernet
adapter.

Area: 3
191. How can an enterprise provide access to its intranet (i.e., extranet) across
the Internet to its business partners?
The correct answer is:
A. Virtual private network

Explanation:
A virtual private network (VPN) allows external partners to securely participate in
the extranet using public networks as a transport or shared private networks.
Because of its low cost, using public networks (Internet) as a transport is the
principal method. VPNs rely on tunneling/encapsulation techniques, which allow
the Internet protocol (IP) to carry a variety of different protocols (e.g., SNA, IPX,
NETBEUI). Client/server (choice B) does not address extending the network to
business partners (i.e., client/server refers to a group of computers within an
organization connected by a communications network where the client is the
requesting machine and the server is the supplying machine). Choice C refers to
remote users accessing a secured environment; it is the means, not the method,
of providing access to a network. A network service provider (choice D) may
provide services to a shared private network in providing Internet services, but
these are not extended to an organization's intranet.

Area: 3
192. A hub is a device that connects:
The correct answer is:
D. two segments of a single LAN.
Explanation:
A hub is a device that connects two segments of a single LAN. A hub is a repeater:
it provides transparent connectivity to users on all segments of the same LAN and
is a layer 1 device. A bridge operates at layer 2 of the OSI model and is used to
connect two LANs, which may use different media access protocols (e.g., joining
an Ethernet and a token ring network), to form a single logical network. A
gateway, which is a layer 7 device, is used to connect a LAN to a WAN. A LAN is
connected with a MAN using a router, which operates at the network layer.

Area: 3
193. Which of the following network configuration options contains a direct link
between any two host machines?
The correct answer is:
D. Completely connected (mesh)

Explanation:
The network configuration where there is a direct link between any two host
machines is the completely connected (mesh) configuration. In a bus configuration
all stations are linked along one transmission line. In a ring configuration the
transmission medium forms a circle, and all stations are attached to a point on
the circle. In a star configuration each station is linked directly to a main hub.

Area: 3
194. Which of the following can a local area network (LAN) administrator use to
protect against exposure to illegal or unlicensed software usage by the network
user?
The correct answer is:
D. Software inventory programs

Explanation:
The control that a LAN administrator can use to protect against the use of illegal
or unlicensed software is a software inventory program. Software inventory
programs ensure that only the authorized number of licenses is in use. Software
metering would only count the number of licenses in use, whereas virus detection
software protects against virus infection but does not pertain to licenses. Software
encryption is not useful because its function is to encipher messages.

Area: 3
195. Which of the following controls will MOST effectively detect the presence of
bursts of errors in network transmissions?
The correct answer is:
D. Cyclic redundancy check
Explanation:
The cyclic redundancy check (CRC) can check a whole block of transmitted data.
The sending workstation generates the CRC and transmits it with the data. The
receiving workstation computes its own CRC and compares it with the one
received; if both are equal, the block is assumed error free. Unlike a parity check
or echo check, a CRC can detect multiple errors in the same block. There are
several standards: CRC-16, CRC-32, CRC-CCITT, etc. In general a CRC can detect
all single-bit and double-bit errors, all errors involving an odd number of bits
(when the generator polynomial includes an x + 1 factor, as CRC-16 and
CRC-CCITT do), all burst errors of 16 bits or fewer (32 bits or fewer in the case of
CRC-32) and over 99.99 percent of bursts longer than 16 bits (32 bits for
CRC-32). A parity check (also known as a vertical redundancy check) involves
adding a bit, known as the parity bit, to each character during transmission.
Where there are bursts of errors (i.e., impulse noise during high transmission
rates) it has a reliability of only about 50 percent, since any even number of bit
errors within a character goes undetected, and at higher transmission rates this
limitation is significant. Echo checks detect line errors by retransmitting data
back to the sending device for comparison with the original transmission.
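Added example (not from the question bank): a per-character parity check and a bitwise CRC-32 run side by side over a constructed data block, with controlled bit errors injected, to show why the CRC wins on bursts. The sample block and the error positions are constructed; the CRC is the standard IEEE 802.3 polynomial and is cross-checked against Python's zlib.crc32.

```python
import zlib

# Constructed sample block (not from the page): a short transaction record.
SAMPLE = b"ACCT 4711 PAY 250.50 TO 4712"


def vrc_parity(data):
    """Vertical redundancy check: one even-parity bit per character (byte)."""
    return [bin(b).count("1") & 1 for b in data]


def crc32(data):
    """Bitwise CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320)."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0xEDB88320 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def matches_zlib(data):
    """Cross-check the hand-rolled CRC against the standard library's."""
    return crc32(data) == zlib.crc32(data)


def flip_bits(data, bit_positions):
    """Corrupt a copy of `data` by inverting the given bit positions (0 = MSB of byte 0)."""
    out = bytearray(data)
    for p in bit_positions:
        out[p // 8] ^= 1 << (7 - p % 8)
    return bytes(out)


def check_detection(data, bit_positions):
    """Does each check notice the corruption?  True means the error was detected."""
    corrupted = flip_bits(data, bit_positions)
    return {
        "parity": vrc_parity(corrupted) != vrc_parity(data),
        "crc32": crc32(corrupted) != crc32(data),
    }


if __name__ == "__main__":
    print("single bit         ", check_detection(SAMPLE, [5]))            # both detect
    print("2 bits in one byte ", check_detection(SAMPLE, [2, 5]))         # parity misses
    print("20-bit burst       ", check_detection(SAMPLE, range(8, 28)))   # parity misses
```

The two-bit error inside one character and the 20-bit burst both leave every character's parity unchanged (an even number of bits flipped per byte), so the parity check passes corrupted data; the CRC, which treats the whole block as one polynomial, catches any burst up to 32 bits.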

Area: 3
196. Which of the following types of firewalls provide the GREATEST degree and
granularity of control?
The correct answer is:
C. Application-gateway

Explanation:
The application gateway is similar to a circuit gateway, but it has specific proxies
for each service. To be able to handle web services it has an HTTP proxy, which
acts as an intermediary between external and internal parties, specifically for
HTTP. This means that it not only checks the packet IP addresses (layer 3) and the
ports it is directed to (in this case port 80, layer 4), it also checks every HTTP
command (layers 5 to 7). Therefore, it works in a more detailed way than the
others (granularity). Screening routers and packet filters (choices A and B)
basically work at the protocol, service and/or port level, meaning that they
analyze packets at layers 3 and 4 only (not at higher levels). A circuit-level
gateway (choice D) is based on a proxy or program that acts as an intermediary
between external and internal accesses: during an external access, instead of
opening a single connection to the internal server, two connections are
established, one from the external party to the proxy (which forms the circuit
gateway) and one from the proxy to the internal server. Layers 3 and 4 (IP and
TCP) and some general features from higher protocols are used to perform these
tasks, but the application commands themselves are not inspected, so it is less
granular than an application gateway.

Area: 3
197. Which of the ISO/OSI model layers provides service for how to route packets
between nodes?
The correct answer is:
B. Network

Explanation:
The network layer switches and routes information (using the network layer
header). Node-to-node data link services are extended across a network by this
layer. The network layer also provides the service of routing packets (the units of
information at the network layer) between nodes connected through an arbitrary
network. The data link layer transmits information as groups of bits (logical units
called frames) to adjacent computer systems (node-to-node). The bits in a frame
are divided into an address field (the 48-bit media access control, or MAC,
hardware address), a control field, a data field and an error control field. The
transport layer provides end-to-end data integrity. To ensure reliable delivery,
the transport layer builds on the error control mechanisms provided by lower
layers; if the lower layers do not do an adequate job, the transport layer is the
last chance for error recovery. The session layer provides the control structure
for communications between applications. It establishes, manages and terminates
connections (sessions) between cooperating applications and performs access
security checking.

Area: 3
198. In a TCP/IP based network, an IP address specifies a:
The correct answer is:
A. network connection.

Explanation:
An IP address specifies a network connection. Since an IP address encodes both a network and a host on that network, it does not specify an individual computer, but a connection to a network. A router/gateway connects two networks and will have two IP addresses. Hence, an IP address cannot specify a router. A computer in the network can be connected to other networks as well. It will then use many IP addresses. Such computers are called multi-homed hosts. Here again an IP address cannot refer to the computer. As already explained, IP addresses do not refer to individual devices on the network, but refer to the connections by which they are connected to the network.

Area: 3
199. Connection-oriented protocols in the TCP/IP suite are implemented in the:
The correct answer is:
A. transport layer.

Explanation:
Connection-oriented protocols provide reliability of the service provided to the higher layer. It is the responsibility of such protocols in the transport layer to enhance the quality of service provided by the network layer. The application layer is concerned with applications that are closer to the user. Reliable transport of packets by connection-oriented protocols is transparent to this layer. The physical layer is concerned with transmitting only raw bits of data. The network layer is concerned with routing of packets based on routing information provided by the transport layer protocol.

Area: 3
200. The device to extend the network that must have storage capacity to store frames and act as a store-and-forward device is a:
The correct answer is:
B. bridge.

Explanation:
Bridges connect two separate networks to form a logical network (e.g., joining an ethernet and token network). This hardware device must have storage capacity to store frames and act as a store-and-forward device. Bridges operate at the OSI data link layer by examining the media access control header of a data packet. Routers are switching devices that operate at the OSI network layer by examining network addresses (i.e., routing information encoded in an IP packet). The router, by examining the IP address, can make intelligent decisions in directing the packet to its destination. Repeaters amplify transmission signals to reach remote devices by taking a signal from a LAN, reconditioning and retiming it, and sending it to another. This functionality is hardware encoded and occurs at the OSI physical layer. Gateways provide access paths to foreign networks.

Area: 3
201. In a client/server architecture, a domain name service (DNS) is MOST important because it provides the:
The correct answer is:
C. resolution on the Internet for the name/address.

Explanation:
DNS is primarily utilized on the Internet for resolution of the name/address of the web site. It is an Internet service that translates domain names into IP addresses. As names are alphabetic, they are easier to remember. However, the Internet is based on IP addresses. Every time a domain name is used, a DNS service must translate the name into the corresponding IP address. The DNS system has its own network. If one DNS server does not know how to translate a particular domain name, it asks another one, and so on, until the correct IP address is returned.

Area: 3
202. In a web server, a common gateway interface (CGI) is MOST often used as a(n):
The correct answer is:
A. consistent way for data transfer to the application program and back to the user.

Explanation:
The common gateway interface (CGI) is a standard way for a web server to pass a web user's request to an application program and to receive data back and forth to the user. When the user requests a web page (for example, by clicking on a highlighted word or entering a web site address), the server sends back the requested page. However, when a user fills out a form on a web page and sends it in, it usually needs to be processed by an application program. The web server typically passes the form information to a small application program that processes the data and may send back a confirmation message. This method, or convention, for passing data back and forth between the server and the application is called the common gateway interface (CGI). It is part of the web's HTTP protocol.

Area: 3
203. Which of the following exposures associated with the spooling of sensitive reports for off-line printing would an IS auditor consider to be the MOST serious?
The correct answer is:
C. Unauthorized report copies might be printed.

Explanation:
Spooling for off-line printing may enable additional copies to be printed unless controlled. Print files are unlikely to be available for online reading by operators. Data on spool files are no easier to amend without authority than any other file. There is usually a lesser threat of unauthorized access to sensitive reports in the event of a system failure.

Area: 4
204. Applying a retention date on a file will ensure that:
The correct answer is:
B. data will not be deleted before the date is set.

Explanation:
A retention date will ensure that a file cannot be purged or overwritten before that date has passed. The retention date will not affect the ability for the file to be read. Backup copies may well be retained after the file has been purged or overwritten. The creation date will differentiate files with the same name.

Area: 4
205. Which of the following would NOT be considered a security threat to Internet web sites?
The correct answer is:
D. Asynchronous attacks

Explanation:
Data in a multiprocessing environment is subject to an asynchronous attack via hardware. This is not associated with web site exposures. Conversely, hackers will try to break into the computer for their own entertainment, crackers will try to break into the computer with malicious intent, and virus writers are a constant concern to all Internet connections.

Area: 4
206. An IS auditor is assigned to help design the data security, data integrity and business continuity aspects of an application under development. Which of the following provides the MOST reasonable assurance that corporate assets are protected when the application is certified for production?
The correct answer is:
D. An independent review conducted by another equally experienced IS auditor.

Explanation:
If the IS auditor assigned to the SDLC process actually contributes to the design of the system, then independence has been compromised. Therefore, to ensure an adequate independent review of the system, a different IS auditor should review the system prior to production or within a reasonable time frame after implementation.

Area: 4
207. The MOST effective method of preventing unauthorized use of data files is:
The correct answer is:
C. access control software.

Explanation:
Access control software has the following automated features:
1. Access rules based on individual identification (logon-ID)
2. Individual authentication (logon-ID and passwords)
3. Logging and reporting of unauthorized access attempts
Also, because access control software is an automated feature, it is an active control that should always be present.

Area: 4
208. Which of the following would NOT be considered a terminal access control?
The correct answer is:
A. Use of dial-up lines only in the event of an emergency

Explanation:
Dial-up lines control telecommunications links, not terminal access.

Area: 4
209. Which of the following factors is LEAST likely to allow a perpetrator to discover a valid password?
The correct answer is:
B. The power of the computer used to break the password code

Explanation:
A, C and D all contribute to the complexity and difficulty of guessing a password.

Area: 4
210. Which of the following would be MOST effective in establishing access control through the use of sign-on procedures?
The correct answer is:
D. Authorization, authentication, identification and location of the user

Explanation:
Sign-on procedures typically include a person entering a logon-ID and password. In addition, the sign-on process can include identifying the terminal being used. These measures permit the computer to determine if the user is authorized to gain access.

Area: 4
211. Which of the following would BEST ensure the proper updating of critical fields in a master record?
The correct answer is:
D. Before and after maintenance report

Explanation:
"Before and after maintenance report" is the best answer because a visual review would provide the most positive verification that updating was proper.

Area: 4
212. Which of the following controls is LEAST likely to discover changes made online to important master records?
The correct answer is:
D. Update authorization form must be approved by independent supervisor before clerks enter updates.

Explanation:
Approval by an independent supervisor prior to entry cannot control changes made online. All other responses prevent or detect the circumvention of controls.

Area: 4
213. Which of the following is the MOST effective control procedure for security of a stand-alone small business computer environment?
The correct answer is:
A. Supervision of computer usage

Explanation:
Since small stand-alone business computer environments lack such basic controls as a trained IS staff, segregation of duties, and access control software, strong disciplinary controls should be applied. In this situation, supervision of computer usage must be relied upon. This takes the form of monitoring office activity, reviewing key accounting and control reports, and sampling employee work to ensure it is appropriate and authorized.

Area: 4
214. Which of the following logical access exposures involves changing data before, or as it is entered into the computer?
The correct answer is:
A. Data diddling

Explanation:
Data diddling involves changing data before, or as it is entered into the computer. A trojan horse involves unauthorized changes to a computer program. A worm is also a destructive program that destroys data; and the salami technique is a program modification that slices off small amounts of money from a computerized transaction.

Area: 4
215. When investigating a serious security access violation, the IS auditor should NOT:
The correct answer is:
B. contact law enforcement to determine if violations have occurred elsewhere.

Explanation:
The IS auditor should perform all of the steps indicated in this question except that he/she should not contact law enforcement officials. Executive management is responsible for such notification.

Area: 4
216. Which of the following would be considered the BEST example of a proper password for use in system access?
The correct answer is:
C. TWC2H

Explanation:
Passwords should be anywhere from five to eight characters in length and not be easy to guess. They should contain both alpha and numeric characters.

Area: 4
217. Data classification is important when identifying who should have access to:
The correct answer is:
D. test and production data and programs.

Explanation:
Data classification is extremely important when identifying who should have access to production versus test data and programs. Production data is the business owner's or the business' live or historical data used to run the business. It is important that all computer files be classified according to their sensitivity.

Area: 4
218. Naming conventions for access controls are NOT:
The correct answer is:
D. defined with the assistance of the database administrator.

Explanation:
All of the choices refer to aspects of naming conventions for access controls except that they are often defined and established with the assistance of the security officer, not the database administrator.

Area: 4
219. Digital signatures provide data integrity since they require the:
The correct answer is:
B. signer to have a private key, and the receiver to have a public key.

Explanation:
Digital signatures are encryption methods that provide data integrity. The digital signature standard is public key based. This requires the signer to have a private key, and the receiver to have a public key.

Area: 4
220. Automated teller machines (ATMs) are a specialized form of a point of sale terminal which:
The correct answer is:
D. must provide high levels of logical and physical security.

Explanation:
Automated teller machines (ATMs) are a specialized form of a point of sale terminal and their system must provide high levels of logical and physical security for both the customer and the machinery. ATMs allow for a variety of transactions including cash withdrawal and financial deposits, are usually located in unattended areas and utilize unprotected telecommunication lines for data transmissions.

Area: 4
221. Which of the following processes would be performed FIRST by the system when logging-on to an online system?
The correct answer is:
D. Authentication

Explanation:
The user's identity is confirmed before any of the other processes. Initiation is technically an answer distracter as the system must already have been initiated for the user to log-on. Verification is normally performed after an event. Authorization will normally follow confirmation of the user's identity.

Area: 4
222. Which of the following is a benefit of using callback devices?
The correct answer is:
A. Provide an audit trail

Explanation:
A callback feature hooks into the access control software and logs all authorized and unauthorized access attempts, permitting follow-up and further review of potential violations. Please note that call forwarding (Answer D) is a means of potentially bypassing callback control. By dialing through an authorized phone number from an unauthorized phone number, a perpetrator can gain computer access. This vulnerability can now be controlled through more sophisticated callback systems that have recently become available.

Area: 4
223. Having established an application's access control process, an IS auditor's next step is to ensure:
The correct answer is:
B. password files are encrypted.

Explanation:
While evaluating the technical aspects of password control, unencrypted files represent the greatest risk. The sharing of passwords is a compliance test and performed later. Checking for the redundancy of logon-IDs is a technical test, and is less important. Proper logon-ID procedures are essential, but this is reviewed later as a procedural compliance test.

Area: 4
224. The following question refers to the diagram below.

For the locations 3a, 1d, and 3d, the diagram indicates hubs with lines that appear to be open and active. Assuming that is true, what control(s), if any, should be recommended to mitigate this weakness?
The correct answer is:
C. Physical security and an intelligent hub

Explanation:
Open hubs represent a significant control weakness because of the potential to access a network connection easily. An intelligent hub would allow the deactivation of a single port while leaving the remaining ports active. Additionally, physical security would also provide reasonable protection over hubs with active ports.

Area: 4
225. The following question refers to the diagram below.

In the 2c area on the diagram, there are 3 hubs connected to each other. What potential risk might this indicate?
The correct answer is:
B. Performance degradation

Explanation:
Hubs are internal devices that usually have no direct external connectivity and thus are not prone to hackers. There are no known viruses that are specific to hub attacks. While this situation may be an indicator of poor management controls, answer B is more likely when the practice of stacking hubs and creating more terminal connections is done.

Area: 4
226. In the ISO/OSI model, which of the following protocols is the FIRST to perform security over the user application?
The correct answer is:
A. Session layer.

Explanation:
At the higher layers, software control becomes more pervasive. The session layer is very important for microcomputer applications since it provides functions that allow two applications to communicate across the network. The functions include security, recognition of names, logons and so on. The session layer is the first layer where security is established for user applications. The transport layer provides transparent transfer of data between end points. The network layer controls the packet routing and switching within the network, as well as to any other network. The presentation layer provides common communication services such as encryption, text compression, and reformatting.

Area: 4
227. A feature of a digital signature that ensures that the claimed sender cannot later deny generating and sending the message is:
The correct answer is:
C. non-repudiation.

Explanation:
All of the above are features of a digital signature. Non-repudiation ensures that the claimed sender cannot later deny generating and sending the message. Data integrity refers to changes in the plaintext message that would result in the recipient failing to compute the same message hash. Authentication ensures that the message has been sent by the claimed sender since only the claimed sender has the key. Replay protection is a method that a recipient can use to check that the message was not intercepted and replayed.

Area: 4
228. An IS auditor who intends to use penetration testing during an audit of Internet connections would:
The correct answer is:
D. use tools and techniques that are available to a hacker.

Explanation:
Penetration testing is a technique used to mimic an experienced hacker attacking a live site by using tools and techniques available to a hacker. The other choices are procedures that an IS auditor would consider undertaking during an audit of Internet connections, but are not aspects of penetration testing techniques.

Area: 4
229. Which of the following is NOT an employee security responsibility?
The correct answer is:
B. Helping other employees create passwords

Explanation:
Helping other employees create their passwords may materially affect the integrity of the password. That is, the employee giving the advice may later be able to guess the password and gain access to the system. All the other options are employee security responsibilities.

Area: 4
230. Naming conventions for system resources are an important prerequisite for access control because they ensure that:
The correct answer is:
D. the number of rules required to adequately protect resources is reduced.

Explanation:
Access control is implemented through rules, which are more easily implemented when resources are named and grouped in an appropriate manner. The other choices are not related to access control or provide no access control advantage.

Area: 4
231. Passwords should be:
The correct answer is:
A. assigned by the security administrator.

Explanation:
Initial password assignment should be done discretely by the security administrator. Passwords should be changed often (e.g., every 30 days). However, changing is not voluntary and should be forced by the system. Systems should not permit previous password(s) to be used again after they are changed. Old passwords may have been compromised and would thus permit unauthorized access. Passwords should not be displayed in any form.

Area: 4
232. Logical access controls are used to protect:
The correct answer is:
C. data classification and ownership.

Explanation:
Data classification and ownership is a procedure established to ensure adequate segregation of duties. Logical access controls ensure that such segregation is maintained. The other choices are all protected by physical controls.

Area: 4
233. Which of the following is NOT a valid reason for using digital signatures to secure e-mail transmissions?
The correct answer is:
B. Keys can be used indefinitely.

Explanation:
The use of a digital signature for e-mail transmission may present problems since signatures used for an indefinite period of time may become compromised. This could later lead to the acceptance of messages from old, and possibly broken, keys.

Area: 4
234. When performing an audit of access rights, an IS auditor should be suspicious of which of the following if allocated to a computer operator?
The correct answer is:
B. DELETE access to transaction data files

Explanation:
Deletion of transaction data files should be a function of the application support team, not operations staff. Read access to production data is a normal requirement of a computer operator, as well as logged access to programs and access to JCL in order to control job execution.

Area: 4
235. An IS auditor who wishes to prevent unauthorized entry to the data maintained in a dial-up fast response system would recommend:
The correct answer is:
D. Online access be terminated after three unsuccessful attempts.

Explanation:
The most appropriate control to prevent unauthorized entry is to terminate the connection after a specified number of attempts. This will deter access through guessing at the ID and password. The other choices are physical controls which are not effective in deterring unauthorized accesses via the telephone lines.

Area: 4
236. Which of the following controls would BEST serve to effectively detect intrusion?
The correct answer is:
D. Unsuccessful logon attempts are actively monitored by the security administrator.

Explanation:
Intrusion is detected by the active monitoring and review of unsuccessful logons. User creation and granting of user privileges defines a policy, not a control. Automatic logoff is a method of preventing access on inactive terminals and is not a detective control. Restricting unsuccessful attempts to logon is a method for preventing intrusion, not detecting it.

Area: 4
237. Which of the following control weaknesses would an IS auditor performing an access controls review be LEAST concerned with?
The correct answer is:
A. Audit trails are not enabled.

Explanation:
Audit trails not being enabled is of least concern, as it will not result in an exposure as compared to the other control weaknesses. Programmers having access to the live environment could result in unauthorized transactions. Group logons used for critical functions are also a major concern. The same user who has access to and can initiate transactions, as well as change the related parameters, is also an area of high concern.

Area: 4
238. Which of the following audit procedures would an IS auditor be LEAST likely to include in a security audit?
The correct answer is:
A. Review the effectiveness and utilization of assets.

Explanation:
Reviewing the effectiveness and utilization of assets is not within the purview of a security audit. Security audits primarily focus on the evaluation of the policies and procedures that ensure the confidentiality, integrity and availability of data. During an audit of security the IS auditor would normally review access to assets, and validate the physical and environmental controls to the extent necessary to satisfy the audit requirements. The IS auditor would also review logical access policies and compare them to job profiles to ensure that excessive access has not been granted. The review would also include an evaluation of asset safeguards and procedures which are intended to prevent unauthorized access to assets.

Area: 4
239. A firewall access control list may filter access based on each of the following parameters EXCEPT:
The correct answer is:
C. network interface card (NIC).

Explanation:
The NIC is a device in each workstation which identifies a workstation to an internal network, and that information is not typically in an externally transmitted message. Port numbers represent activities or services such as web services, telnet and file transfer protocol. Service type is basically the same as the port. The IP address is the required routing information to move traffic.

Area: 4
240. Which of the following applet intrusion issues poses the GREATEST risk of disruption to an organization?
The correct answer is:
D. Applets damaging machines on the network by opening connections from the client machine.

Explanation:
An applet is a program downloaded from a web server to the client, usually through a web browser, that provides functionality for database access, interactive web pages and communications with other users. Applets opening connections from the client machine to other machines on the network and damaging those machines as a denial of service attack pose the greatest threat to an organization and could disrupt business continuity. A program that deposits a virus on a client machine is referred to as a malicious attack (specifically meant to cause harm to a client machine), but may not necessarily result in a disruption of service. Applets recording keystrokes and, therefore, passwords, and downloaded code that reads files on a client's hard drive relate more to organizational privacy issues, and although significant, are less likely to cause a significant disruption of service.

Area: 4
241. Which of the following BEST describes the impact that effective firewall design and implementation strategies have as an enabler for improved information security?
The correct answer is:
C. A chance to significantly reduce the threat of internal hacking.

Explanation:
Designing and implementing a firewall provides an opportunity to greatly improve an organization's information security policy. Effective firewall design and implementation strategies can notably reduce the threat of external as well as internal hacking and unauthorized access by authorized users, a problem which consistently outranks external hacking in all information security surveys.

Area: 4
242. Which of the following information is LEAST likely to be contained in a digital certificate for the purposes of verification by a Trusted Third Party (TTP)/Certification Authority (CA)?
The correct answer is:
C. Name of the public key holder

Explanation:
The public key is stored in the key servers and can be accessed by anyone, and therefore the holders of the public key are unlikely to be included in the certificate. In addition, the public key holder is not needed for validation of the certificate. The name of the CA is needed for validation of the certificate since the public key of the CA is needed to verify the public key of the message sender, before it, in turn, can be used to verify the message. The public key of the sender is needed to verify the message hash, while the time period for which the key is valid is needed to ensure the key is still valid.

Area: 4
243. Which of the following access control functions is LEAST likely to be performed by a database management system (DBMS) software package?
The correct answer is:
B. User sign-on at the network level

Explanation:
User sign-on is carried out by the access control software, not by DBMS software. The other choices are all primary tasks of DBMS software.

Area: 4
244. An IS auditor reviewing operating system access discovers that the system is not properly secured. In this situation the IS auditor is LEAST likely to be concerned that the user might:
The correct answer is:
A. create new users.

Explanation:
Access to the operating system does not necessarily result in granting access to creating new users. Hence, it is not a likely concern. The other choices are likely concerns if the operating system is not properly defined. In this case users can access the system writeable directories, delete database and log files, and access system utility tools.

Area: 4
245. An IS auditor conducting an access controls review in a client/server environment discovers that all printing options are accessible by all users. In this situation the IS auditor is MOST likely to conclude that:
The correct answer is:
A. exposure is greater since information is available to unauthorized users.

Explanation:
Information in all its forms needs to be protected from unauthorized access. Unrestricted access to the report option results in an exposure. Efficiency and effectiveness are not relevant factors in this situation. Greater control over reports will not be accomplished since reports need not be in a printed form only. Information could be transmitted outside as electronic files without printing, as print options allow for printing in an electronic form as well.

Area: 4
246. An IS auditor discovers that programmers have update access to the live environment. In this situation the IS auditor is LEAST likely to be concerned that programmers can:
The correct answer is:
A. authorize transactions.

Explanation:
Authorizing transactions would imply that transactions have been initiated by another person and hence would provide the least risk. The other situations, where programmers on their own can access data and make modifications or add transactions to the database, all present a greater risk that would be of concern to the IS auditor.

Area: 4
247. An IS auditor performing a telecommunication access control review would focus the MOST attention on the:
The correct answer is:
B. authorization and authentication of the user prior to granting access to system resources.

Explanation:
The means of authorization and authentication of users is the most significant aspect in a telecommunications access control review as it is a preventive control of granting access. Weak controls at this level can affect all other aspects. The maintenance of access logs of usage of various system resources deals with detective controls. The adequate protection of data being transmitted to and from servers by encryption or otherwise is a secondary means of protecting information during transmission. The accountability system and the ability to properly identify any terminal accessing system resources deal with controlling access through identification of access through a terminal.

Area: 4
248. An organization wants to introduce a new system to allow single-sign-on. Currently, there are five main application systems, and users must sign on to each one separately. It is proposed that under the single-sign-on system, users will only be required to enter one user-ID and password for access to all application systems. Under this type of single-sign-on system the risk of unauthorized access:
The correct answer is:
C. will have a greater impact.

Explanation:
The impact will be greater since the hacker only needs to know one password to gain access to five systems, and can therefore cause greater mischief than if only the password to one of the five systems is known. Less likely would be the correct answer if the single-sign-on system were to be introduced with a stronger form of authentication, such as a smart card/challenge response system. There is no indication that the probability of someone attempting to gain access to systems after introduction of single-sign-on is greater than before. The impact can only be greater, not smaller, since the access gained is wider than before (five systems rather than one).

Area: 4
249. Sign-on procedures include the creation of a unique user-ID and password. However, an IS auditor discovers that in many cases the user name and password are the same. The BEST control to mitigate this risk is to:
The correct answer is:
C. build in validations to prevent this during user creation and password change.

Explanation:
The compromise of the password is the highest risk. The best control is a preventive control through validation at the time of user creation and at the time of password change, so that the risk is eliminated. Changing the company's security policy and educating users about the risk of weak passwords only provides information to users, but does little to enforce this control. Requiring a periodic review of matching of user-ID and passwords for detection and ensuring correction is a detective control.

Area: 4
250. The PRIMARY objective of a logical access controls review assignment is to:
The correct answer is:
B. ensure access is granted per the organization's authorities.

Explanation:
The scope of a logical access controls review is primarily to review whether access
is granted as per the organization's authorizations. Choices A and C relate to
procedures of a logical access controls review, rather than objectives. Choice D is
relevant to a physical access control review.

Area: 4
251. The scope of a logical access controls review would include the evaluation
of:
The correct answer is:
C. access to systems software and application software to ensure compliance with
the access policy.

Explanation:
The scope of a logical access controls review would be to review and evaluate the
logical access controls at the various layers of software for access, which includes
system and application software. Access controls facilitated through this software,
for individuals within and from outside the organization, will have to be reviewed
from the perspective of security. Effectiveness and efficiency are not the key
criteria evaluated in a logical access controls review. IT security and related
controls also include physical and environmental access, which are not reviewed
in a logical access controls review. Access to user authorization levels,
parameters and operational functions through application software is restricted
to application software, whereas logical access control reviews extend to
access through all the layers of software in an IT environment.

Area: 4
252. Naming conventions for system resources are an important prerequisite for
access control because they:
The correct answer is:
B. reduce the number of rules required to adequately protect resources.

Explanation:
Naming conventions for system resources are an important prerequisite for
efficient administration of security controls. Naming conventions can be
structured so that resources beginning with the same high-level qualifier can be
governed by one or more generic rules. This reduces the number of rules required
to adequately protect resources, which in turn facilitates security administration
and maintenance efforts. Reducing the number of rules required to adequately
protect resources allows for the grouping of resources and files by application,
which makes it easier to provide access. Ensuring that resource names are not
ambiguous is not done by naming conventions. Ensuring that user access to
resources is clearly and uniquely identified is handled by access control rules, not
naming conventions. Internationally recognized names are not required to
control access to resources. It tends to be based on how each organization wants
to identify its resources.
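
The generic-rule idea behind this answer, as an added example that is not part of the question bank: dotted resource names share a high-level qualifier, one pattern rule covers all of them, a narrower pattern overrides a broader one, and anything outside the convention falls to default deny. The resource names, group names and access levels are constructed for the demonstration.

```python
"""Generic access rules over a resource-naming convention (added example).

Resource names are dotted qualifiers such as PAYROLL.MASTER.SALARY; a rule
pattern such as PAYROLL.* governs every resource whose high-level qualifier
is PAYROLL. All names, groups and levels below are constructed samples.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    pattern: str            # literal name or generic pattern containing '*'
    grants: Dict[str, str]  # group -> access level (READ / UPDATE / ALTER)


def most_specific_rule(resource: str, rules: List[Rule]) -> Optional[Rule]:
    """Among matching rules the longest literal prefix wins, so a narrower
    pattern (PAYROLL.MASTER.*) overrides a broader one (PAYROLL.*)."""
    matches = [r for r in rules if fnmatchcase(resource, r.pattern)]
    if not matches:
        return None
    return max(matches, key=lambda r: len(r.pattern.split("*", 1)[0]))


def access_for(resource: str, group: str, rules: List[Rule]) -> str:
    """Default deny: no matching rule, or no grant for the group, means NONE."""
    rule = most_specific_rule(resource, rules)
    return rule.grants.get(group, "NONE") if rule else "NONE"


def rules_needed_without_convention(resources: List[str]) -> int:
    """Without generic matching, every distinct resource needs its own rule."""
    return len(set(resources))


def coverage_report(resources: List[str], rules: List[Rule]) -> Dict[str, Optional[str]]:
    """Which rule governs each resource; None flags a name outside the convention."""
    report: Dict[str, Optional[str]] = {}
    for res in resources:
        match = most_specific_rule(res, rules)
        report[res] = match.pattern if match else None
    return report


# Constructed rule set: three generic rules protect an open-ended set of names.
RULES = [
    Rule("PAYROLL.*", {"HRCLERK": "READ", "HRADM": "UPDATE"}),
    Rule("PAYROLL.MASTER.*", {"HRADM": "UPDATE"}),   # master files: clerks excluded
    Rule("SYS1.*", {"SYSPROG": "ALTER", "AUDIT": "READ"}),
]

RESOURCES = [  # constructed sample inventory
    "PAYROLL.TIMESHEET.2024Q1", "PAYROLL.TIMESHEET.2024Q2",
    "PAYROLL.MASTER.SALARY", "PAYROLL.MASTER.BANK",
    "SYS1.PARMLIB", "SYS1.PROCLIB", "FINANCE.LEDGER",
]

if __name__ == "__main__":
    for res, pattern in coverage_report(RESOURCES, RULES).items():
        print(f"{res:28} -> {pattern}")
    print(access_for("PAYROLL.MASTER.SALARY", "HRCLERK", RULES))  # NONE
    print(len(RULES), "generic rules vs",
          rules_needed_without_convention(RESOURCES), "discrete rules")
```

FINANCE.LEDGER shows up as ungoverned in the report: a resource created outside the convention is exactly the kind of gap a logical access review should look for.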

Area: 4
253. When a PC that has been used for the storage of confidential data is sold on
the open market, the:
The correct answer is:
A. hard disk should be demagnetized.

Explanation:
The hard disk should be demagnetized since this will cause all of the bits to be
set to 0, thus eliminating any chance of information, which was previously stored
on the disk, being retrieved. A mid-level format does not delete information from
the hard disk. It only resets the directory pointers. The deletion of data from the
disk removes the pointer to the file, but in actual fact leaves the data in place so,
with the proper tools, the information can be retrieved. The defragmentation of
the disk does not cause information to be deleted, but simply moves it around to
make it more efficient to access.

Area: 4
254. Which of the following exposures could be caused by a line-grabbing
technique?
The correct answer is:
A. Unauthorized data access

Explanation:
Line grabbing will enable eavesdropping, thus allowing unauthorized data access.
It will not necessarily cause multiplexor dysfunction, excessive CPU usage or
lockout of terminal polling.

Area: 4
255. Which of the following is an advantage of using a local area network (LAN)?
The correct answer is:
D. LANs provide central storage for a group of users.

Explanation:
LANs facilitate the storage and retrieval of programs and data used by a group of
people. They do not facilitate or provide protection against the other items listed
in this question.

Area: 4
256. Creation of an electronic signature:
The correct answer is:
B. verifies where the message came from.

Explanation:
Creation of an electronic signature does not in itself encrypt the message or
secure it from compromise. It only verifies where the message came from.

Area: 4
257. Which of the following is a strength of a client/server security system?
The correct answer is:
B. User can manipulate data without controlling resources on the mainframe.

Explanation:
The only strength associated with a client/server system listed in this question is
that the user can manipulate and change data without controlling resources on
the mainframe. All other answers are false and are disadvantages of a
client/server system.

Area: 4
258. Which of the following automated reports measures telecommunication
transmissions and determines whether transmissions are accurately completed?
The correct answer is:
A. Online monitors

Explanation:
Online monitors measure telecommunication transmissions and determine
whether transmissions are accurately completed. Down time reports track the
availability of telecommunication lines and circuits; help desk reports handle
problems occurring in the normal course of operations; and response time
reports identify the time it takes for a command entered at a terminal to be
answered by the computer.

Area: 4
259. Which of the following statements pertaining to Internet security is TRUE?
The correct answer is:
C. Encrypted corporate data is secure as it transports across the Internet.

Explanation:
Encrypted corporate data is secure as it transports across the Internet. Firewalls
are built to stop hackers from gaining access to the corporate network; they
should sit at the most vulnerable point between a corporate network and the
Internet, and all corporate networks connected to the Internet are subject to
attack.

Area: 4
260. An Internet secured gateway's domain name service:
The correct answer is:
A. prevents users outside a secure network from seeing addresses of secure
hosts.

Explanation:
A domain name service controls access to addresses. All other answers are
incorrect. Choice C could also be correct. With the current changes in technology,
an Internet secured gateway's domain name service offers a way to limit user
access into or out of a secure network.

Area: 4
261. Which of the following statements is TRUE relating to the use of public key
encryption to secure data while it is being transmitted across a network?
The correct answer is:
C. Under public key encryption the key used to encrypt is made public but the key
used to decrypt the data is kept private.

Explanation:
Public key encryption, also known as asymmetric key cryptography, uses a public
key to encrypt the message and a private key to decrypt it.

Area: 4
262. Which of the following would NOT protect a system from computer viruses?
The correct answer is:
C. Boot only from diskettes that were initially checked for viruses.

Explanation:
All of the above would control or eliminate the potential for a computer virus,
except booting from diskettes that were initially checked for viruses. Answer C
would be true if the diskette is always checked for viruses using virus detection
software. It should not be assumed that a diskette that was once checked for
viruses cannot contract a virus at a later date.

Area: 4
263. During the audit of a telecommunications system the IS auditor finds that
the risk of data interception for communications with remote sites is very high.
The MOST effective control that would reduce this exposure is:
The correct answer is:
A. encryption.

Explanation:
Encryption of data is the most secure method. The other methods are less secure,
with leased lines being possibly the least secure method.

Area: 4
264. An Internet-based attack on commercial systems using password sniffing
can:
The correct answer is:
C. be used to gain access to systems containing proprietary information.

Explanation:
Password-sniffing attacks can be used to gain access to systems on which
proprietary information is stored. Spoofing attacks can be used to enable one
party to act as if they are another party. Data modification attacks can be used to
modify the contents of certain transactions. Repudiation of transactions can
cause major problems with billing systems and transaction processing
agreements.

Area: 4
265. Which of the following controls would be MOST comprehensive in a remote
access network with multiple and diverse sub-systems?
The correct answer is:
D. Password implementation and administration

Explanation:
The most comprehensive control in this situation is password implementation and
administration. While firewall installations are the primary line of defense, they
cannot protect all access and therefore an element of risk remains. A proxy server
is a type of firewall installation and thus the same rules apply. The network
administrator may serve as a control, but typically would not be comprehensive
enough to serve on multiple and diverse systems.

Area: 4
266. Which of the following is NOT a principle applied in deriving the OSI layers?
The correct answer is:
B. The integrity of data at each layer should be assured.

Explanation:
The integrity of data at each layer is not a principle applied in deriving OSI layers.
The other choices are principles applied to layers. Other principles include: the
function of each layer should be chosen so that it defines internationally
standardized protocols, and distinct functions should be defined in separate
layers, but the number of layers should be small enough that the architecture
does not become unwieldy.

Area: 4
267. Which of the following is NOT a common function of application layer
services?
The correct answer is:
A. Host to host data integrity

Explanation:
Host to host data integrity is the primary function of the transport layer. Global
directory services to locate resources on a network and a uniform way of handling
a variety of system monitors and devices are common application layer services.
APIs are what many application services' functions are called. Other services are
protocols for providing remote file services and shared access to files, file
transfer services and remote database access, message handling for email
applications, and remote job execution.

Area: 4
268. A decrease in amplitude as a signal propagates along a transmission
medium is known as:
The correct answer is:
C. attenuation.

Explanation:
Attenuation is a signal degradation (decrease in amplitude) that occurs as a
signal propagates along a transmission medium. This is particularly seen when
the medium is copper wire. Noise is also a signal degradation that refers to a
large amount of electrical fluctuation that can interfere with the interpretation of
the signal by the receiver. Crosstalk is one example of noise where unwanted
electrical coupling between adjacent lines causes the signal in one wire to be
picked up by the signal in an adjacent wire. Delay distortion can result in a
misinterpretation of a signal that results from transmitting a digital signal with
varying frequency components. The various components arrive at the receiver
with varying delays.

Area: 4
269. Use of data encryption is applicable to all of the following OSI layers EXCEPT:
The correct answer is:
A. physical layer.

Explanation:
The physical layer is responsible for transmitting data bits over physical media
(twisted pair, coaxial, fiber optics) using an appropriate signaling
technique that is agreed upon by the devices that communicate over that
physical media. Because of this limited functionality, the physical layer has no
knowledge of the structure of the data that it is required to transmit or receive
and therefore can provide no functional use of data encryption. Data link
encryption is the method of choice for protecting strictly local traffic (i.e., on one
shared cable) or for protecting a small number of highly vulnerable lines (e.g.,
satellite circuits, transoceanic cable circuits). Network and transport layer
encryption is the most useful way to protect conversations, allowing systems to
converse over existing insecure Internet lines, and is transparent to most
applications. Application layer encryption is the most intrusive option from a user
level and the most flexible because the scope and strength of the protection can
be tailored to meet the specific needs of the application.

Area: 4
270. Which of the following is MOST affected by network performance monitoring
tools?
The correct answer is:
B. Availability

Explanation:
One of the key functions of network performance monitoring tools, in case of a
disruption in service due to any reason (including external intrusion), is to ensure
that the information has remained unaltered. Additionally, it is a function of the
security monitoring to assure confidentiality by using such tools as encryption.
However, the most important aspect of network performance is assuring the
ongoing dependence on connectivity to run the business. Therefore, the
characteristic that benefits the most from network monitoring is availability.

Area: 4
271. Java applets and ActiveX controls are distributed executable programs that
execute in the background of a web browser client. This is a reasonably controlled
practice when:
The correct answer is:
C. the source of the executable is certain.

Explanation:
Acceptance of these mechanisms should be based on established trust. Only
knowing the source, and allowing the acceptance of the applets, are controlled.
Hostile applets can be received from anywhere. It is virtually impossible to filter
at this level at this time. A secure web connection or firewall are considered
external defenses. A firewall will find it more difficult to filter a specific file from a
trusted source. A secure web connection provides confidentiality. Neither can
identify an executable as "friendly". Hosting the website as part of
your organization is impractical. Enabling the acceptance of Java and/or ActiveX
is an all or nothing proposition. The client will accept the program if
the parameters are established to do so.

Area: 4
272. Your organization has been an active Internet user for several years and your
business plan now calls for initiating e-commerce via web-based transactions. You
have decided to accept payment transactions by implementing agreements with
the major credit card companies. They have suggested certain parameters for
your firewall installation. Which of the following parameters will LEAST impact
transactions in e-commerce?
The correct answer is:
C. Firewall architecture hides the internal network

Explanation:
The only control that does not directly impact the e-commerce transactions is the
actual architecture of the firewall and whether or not it hides the internal
network. All other options are key requirements for ensuring secure transactions
in e-commerce. The use of encryption will have an impact on the system
performance as transactions go through the encryption/decryption process.
Timed authentication requires that a response is received within a specific
amount of time, which will have an effect on system performance. The exchange
of traffic will have an effect on system performance.

Area: 4
273. Which of the following encrypt/decrypt steps provides the GREATEST
assurance in achieving confidentiality, message integrity and non-repudiation by
either sender or recipient?
The correct answer is:
D. The recipient uses the sender's public key, verified with a certificate authority,
to decrypt the pre-hash code.

Explanation:
Most encrypted transactions today use a combination of private keys, public keys,
secret keys, hash functions and digital certificates to achieve confidentiality,
message integrity and non-repudiation by either sender or recipient. The recipient
uses the sender's public key to decrypt the pre-hash code into a post-hash code
which, when equaling the pre-hash code, verifies the identity of the sender and
that the message has not been changed in route, and would provide the greatest
assurance. Each sender and recipient has a private key, known only to him/her,
and a public key, which can be known by anyone. Each encryption/decryption
process requires at least one public key and one private key and both must be
from the same party. A single secret key is used to encrypt the message, because
secret key encryption requires less processing power than using public and
private keys. A digital certificate, signed by a certificate authority, validates
senders' and recipients' public keys.

Area: 4
274. Which of the following controls would provide the GREATEST assurance over
database integrity?
The correct answer is:
B. Table link/reference checks

Explanation:
Performing table link/reference checks serves to detect table linking errors
(completeness and accuracy of the contents of the database) and thus provides
the greatest assurance on database integrity. Audit log procedures enable
recording of all events which have been identified and help in tracing the events.
However, they only point to the event and do not ensure completeness or
accuracy of the contents of the database. Querying/monitoring table access time
checks help designers improve database performance, but not integrity. Roll-back
and roll-forward database features ensure recovery from an abnormal disruption.
However, they assure the integrity of the transaction which was being processed at
the time of disruption but do not provide assurance on the integrity of the
contents of the database.

Area: 4
275. Use of asymmetric encryption over an Internet e-commerce site, where
there is one private key for the hosting server and the public key is widely
distributed to the customers, is MOST likely to provide comfort to the:
The correct answer is:
A. customer over the authenticity of the hosting organization.

Explanation:
Any false site will not be able to encrypt using the private key of the real site, so
the customer would not be able to decrypt the message using the public key.
Many customers have access to the same public key so the host cannot use this
mechanism to ensure the authenticity of the customer. The customer cannot be
assured of confidentiality of messages from the host as many people have access
to the public key so can decrypt the messages from the host. The host cannot be
assured of the confidentiality of messages sent out, as many people have access
to the public key and can decrypt them.

Area: 4
276. The database administrator (DBA) has recently informed you of his decision
to disable certain normalization controls in the database management system
(DBMS) software in order to provide users with increased query performance. This
will MOST likely increase the risk of:
The correct answer is:
B. redundancy of data.

Explanation:
Normalization is the removal of redundant data elements from the data base
structure. Disabling features of normalization in relational databases will increase
the likelihood of data redundancy. Audit trails are a feature of DBMS software,
which can be lost by not enabling them. These are not connected to
normalization controls. The integrity of data is not directly affected by disabling
normalization controls. Access to data is set through defining of user rights and
control access to information. These are not affected by normalization controls.

Area: 4
277. Which of the following techniques provides the BEST protection of e-mail
message authenticity and confidentiality?
The correct answer is:
A. Signing the message using the sender's private key and encrypting the
message using the receiver's public key.

Explanation:
By signing the message with the sender's private key, the receiver can verify its
authenticity using the sender's public key. By encrypting the message with the
receiver's public key, only the receiver can decrypt the message using his/her
own private key. The receiver's private key is confidential, and therefore unknown
to the sender. Messages encrypted using the sender's private key can be read by
anyone (with the sender's public key).
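
The key usage described in questions 273 and 277, as an added example that is not part of the question bank: the sender hashes the message and signs the digest with its private key, encrypts the message with the receiver's public key, and the receiver decrypts with its own private key and checks the digest with the sender's public key. It also shows why the distractor, encrypting with the sender's private key, gives no confidentiality. The code is textbook RSA on small fixed primes from the standard library only; the key sizes, block padding and sample message are constructed for illustration and are not secure.

```python
"""Toy sign-then-encrypt envelope (added example, not from the question bank).

Textbook RSA on fixed Mersenne-prime keys using only the standard library. The
key sizes and the 0x01 block prefix are constructed for illustration only.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class KeyPair:
    """(n, e) is shared openly; d is the private exponent and stays with its owner."""
    n: int
    e: int
    d: int


def make_keypair(p: int, q: int, e: int = 65537) -> KeyPair:
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return KeyPair(n, e, d)


# Constructed demo keys from known Mersenne primes (far too small for real use).
SENDER = make_keypair(2**61 - 1, 2**89 - 1)      # 150-bit modulus
RECEIVER = make_keypair(2**107 - 1, 2**127 - 1)  # 234-bit modulus


def digest(message: bytes, n: int) -> int:
    """SHA-256 of the message, reduced so it fits under the signing modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, priv: KeyPair) -> int:
    """The sender signs the digest with its PRIVATE exponent (authenticity)."""
    return pow(digest(message, priv.n), priv.d, priv.n)


def verify(message: bytes, signature: int, pub: KeyPair) -> bool:
    """Anyone with the sender's PUBLIC exponent recovers the digest and compares."""
    return pow(signature, pub.e, pub.n) == digest(message, pub.n)


def _encrypt_blocks(data: bytes, n: int, exp: int) -> List[int]:
    """Split data into blocks guaranteed smaller than n; a 0x01 prefix keeps any
    leading zero bytes of a block intact across the int round-trip."""
    size = (n.bit_length() - 1) // 8  # a block of this many bytes is always < n
    return [pow(int.from_bytes(b"\x01" + data[i:i + size - 1], "big"), exp, n)
            for i in range(0, len(data), size - 1)]


def _decrypt_blocks(blocks: List[int], n: int, exp: int) -> bytes:
    width = (n.bit_length() + 7) // 8
    return b"".join(pow(c, exp, n).to_bytes(width, "big").lstrip(b"\x00")[1:]
                    for c in blocks)


def rsa_encrypt(data: bytes, pub: KeyPair) -> List[int]:
    """Encrypt with the receiver's PUBLIC key; only the receiver's d undoes it."""
    return _encrypt_blocks(data, pub.n, pub.e)


def rsa_decrypt(blocks: List[int], priv: KeyPair) -> bytes:
    return _decrypt_blocks(blocks, priv.n, priv.d)


def seal(message: bytes, sender: KeyPair, receiver_pub: KeyPair) -> Tuple[List[int], int]:
    """Sign with the sender's private key, encrypt with the receiver's public key."""
    return rsa_encrypt(message, receiver_pub), sign(message, sender)


def open_sealed(blocks: List[int], signature: int, receiver: KeyPair,
                sender_pub: KeyPair) -> Tuple[bytes, bool]:
    """The receiver decrypts with its own private key, then checks the signature."""
    message = rsa_decrypt(blocks, receiver)
    return message, verify(message, signature, sender_pub)


# The distractor from the question: applying the sender's PRIVATE key to the
# message gives no confidentiality, because the matching public key undoes it.
def encrypt_with_private_key(data: bytes, priv: KeyPair) -> List[int]:
    return _encrypt_blocks(data, priv.n, priv.d)


def read_with_public_key(blocks: List[int], pub: KeyPair) -> bytes:
    return _decrypt_blocks(blocks, pub.n, pub.e)


if __name__ == "__main__":
    msg = b"Transfer 100 to account 42"  # constructed sample message
    ct, sig = seal(msg, SENDER, RECEIVER)
    plain, ok = open_sealed(ct, sig, RECEIVER, SENDER)
    print(plain, ok)  # b'Transfer 100 to account 42' True
    print(verify(b"Transfer 900 to account 42", sig, SENDER))  # False: digest differs
    print(read_with_public_key(encrypt_with_private_key(msg, SENDER), SENDER))
```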

Area: 4
278. Which of the following is the MOST fundamental step in effectively
preventing a virus attack?
The correct answer is:
D. Adopting a comprehensive anti-virus policy to protect the organization's
computing facilities from virus attacks and communicating it to all users.

Explanation:
The formulation of a comprehensive anti-virus policy and education of the users
are the most fundamental steps in preventing virus attacks. These provide the
broad framework and policy from which relevant operating procedures and
practices will be developed. If no policy exists, or the policy is not
communicated, ineffective ad-hoc procedures may be practiced. The other
choices are procedures within the overall policy which direct measures to be
adopted to prevent, detect and recover from virus attacks.

Area: 4
279. Confidential PC data is BEST protected by:
The correct answer is:
B. file encryption.

Explanation:
The best means of protecting confidential data in a PC is through file encryption,
since this results in an unreadable file to unauthorized users. A key operated power
source, a password, or removable diskettes will only restrict access. Yet, the data
can still be viewed using sophisticated electronic eavesdropping techniques. Only
encryption provides confidentiality. A password may also not be the best method
of protection since passwords can be compromised. Removable diskettes do
provide some security for information if they are locked away so that only
authorized individuals can gain access. However, if obtained by unauthorized
individuals, information can be easily accessed. A key operated power source can
be bypassed by obtaining power from another source.

Area: 4
280. When auditing the security of a data center, an IS auditor would look for the
presence of a voltage regulator to:
The correct answer is:
A. protect hardware against power surges.

Explanation:
A voltage regulator protects against short term power fluctuations. It does not
normally protect against long-term surges, nor does it maintain the integrity if
power is interrupted or lost.

Area: 4
281. Electromagnetic emissions from a terminal represent an exposure because
they:
The correct answer is:
D. can be detected and displayed.

Explanation:
Emissions can be detected by sophisticated equipment and displayed, thus giving
access to data to unauthorized persons. They should not cause disruption of CPUs
or affect noise pollution.

Area: 4
282. Which of the following statements relating to power-off switches is FALSE?
The correct answer is:
B. Two emergency power switches should be installed inside the computer room
adjacent to exits.

Explanation:
All of the answers refer to true statements relating to power-off switches, except
that at least one switch should be located just outside the computer room in the
event the computer room cannot be accessed.

Area: 4
283. Which of the following methods of suppressing a fire in a data center is the
MOST effective and environmentally friendly?
The correct answer is:
C. Dry-pipe sprinklers

Explanation:
Water sprinklers, with an automatic power shut-off system, are accepted as
efficient because they can be set to automatic release without threat to life and
water is environmentally friendly. Sprinklers must be dry-pipe to prevent the risk
of leakage. Halon is efficient and effective as it does not threaten human life, and
therefore can be set to automatic release, but it is environmentally damaging and
very expensive. Water is an acceptable medium but the pipes should be empty to
avoid leakage, so a full system is not a viable option. Carbon dioxide is accepted
as an environmentally acceptable gas, but it is less efficient as it cannot be set to
automatic release in a manned site because it threatens life.

Area: 4
284. Which of the following environmental controls is appropriate to protect
computer equipment against short-term reductions in electrical power?
The correct answer is:
A. Power line conditioners

Explanation:
Power line conditioners are used to compensate for peaks and valleys in the
power supply and reduce peaks in the power flow to what is needed by the
machine. Any valleys are removed by power stored in the equipment. Surge
protection devices protect against high voltage bursts. Alternative power supplies
are intended for computer equipment running for longer periods and are normally
coupled with other devices such as an Uninterruptible Power Supply (UPS) to
compensate for the power loss until the alternate power supply becomes
available. An interruptible power supply would cause the equipment to come
down whenever there was a power failure.

Area: 4
285. Which of the following would be the LEAST important item in a business
continuity plan?
The correct answer is:
C. Adequate insurance coverage

Explanation:
Although maintaining adequate insurance coverage is important to the overall
recovery of the organization, it represents the last resort for financial recovery.
The underlying purpose of business continuity planning is the resumption of
business operations. As such, business recovery plans include procedures
developed to accommodate systems, user and network recovery strategies.

Area: 4
286. Which of the following physical access controls would provide the highest
degree of security over unauthorized access?
The correct answer is:
D. Fingerprint scanner

Explanation:
All are physical access controls designed to protect the organization from
unauthorized access. However, electronic door locks and biometric door locks,
such as a fingerprint scanner, provide advantages over bolting or combination
locks since they are harder to duplicate, easier to deactivate and individually
identified. Biometric door locks are used when extremely sensitive facilities must
be protected since individuals' unique body features are used for access.

Area: 4
287. Which of the following is LEAST likely to be classified as a physical access
control?
The correct answer is:
B. All physical assets have an identification tag and are properly recorded.

Explanation:
The requirement that all physical assets have an identification tag and are
properly recorded is an effective procedure of recording and monitoring assets.
This is not directly related to physical access control, although they do facilitate
implementing physical access controls. The other choices are access controls
which control and monitor physical access.

Area: 4
288. During the course of a physical verification of assets an IS auditor discovered
discrepancies in properly identifying and recording assets which could be
attributed to a lack of related procedures and policies. Which of the following
would NOT be a resultant exposure caused by this situation?
The correct answer is:
A. Assets do not have an adequate identification tag.

Explanation:
Assets not having an identification tag is an audit finding, but not an exposure.
Exposure is a potential loss on account of the risk prevalent in the existing
environment. The other choices are probably exposures on account of an
inaccurate recording of assets, which may include some of the assets not having
identification tags.

Area: 4
289. Which of the following procedures can a biometric system perform?
The correct answer is:
B. Provide security over physical access.

Explanation:
Biometric devices are used to maintain physical security. Some examples are
finger print scanners and retina scanners. Airborne contamination is measured
using air quality monitors. Temperature and humidity levels are measured by
environmental control monitoring devices. Electromagnetic fields are measured
by environmental control devices.

Area: 4
290. Which of the following concerns associated with the World Wide Web would
be addressed by a firewall?
The correct answer is:
A. Unauthorized access from outside the organization

Explanation:
Firewalls are meant to prevent outsiders from gaining access to an organization's
computer systems through the Internet gateway. They form a barrier with the
outside world, but are not intended to address access by internal users and are
more likely to cause delays than address such concerns.

Area: 4
291. A digital signature contains a message digest to:
The correct answer is:
A. show if the message has been altered after transmission.

Explanation:
The message digest is calculated and included in a digital signature to prove that
the message has not been altered, as it should be the same value as a
recalculation performed upon receipt. It does not define the algorithm or enable
the transmission in digital format and has no effect on the identity of the user,
being there to ensure integrity rather than identity.

Area: 4
292. Which of the following fire suppressant systems would an IS auditor expect
to find when conducting an audit of an unmanned computer center?
The correct answer is:
A. Carbon dioxide

Explanation:
Since fire cannot burn in carbon dioxide, it is an effective suppressant. However,
in a manned operation, the release of this gas is likely to result in fatalities, so
automatic release is inadvisable, if not illegal, and manual release delays the
suppression of the fire. Where an installation is unmanned, carbon dioxide can be
released automatically should a fire be detected. Halon gas may be released
automatically as it is breathable by humans while suppressing a fire. However, it
is very expensive and, since it has an adverse effect on the earth's ozone layer,
its use is discouraged and, in many countries, banned. Dry-pipe sprinklers,
which fill with water only when the fire is detected, are considered an
appropriate option in manned installations but are not necessary when people are
not present. Wet-pipe sprinklers, which are filled with water at all times, are not a
viable option for a computer installation due to the risk of leaks.

Area: 4
293. The use of web site certificates achieves all of the following objectives
EXCEPT:
The correct answer is:
A. authenticate the user.

Explanation:
The web site certificates are not designed to authenticate the user. The web site
has its own mechanisms to identify and authenticate the user. These mechanisms
might be evaluated by the certificate, but the certificate itself does not
authenticate users.

Area: 4
294. Which of the following types of transmission media provide the BEST
security against unauthorized access?
The correct answer is:
C. Fiber optic cables

Explanation:
Fiber optic cables have proven to be more secure than the other media. Satellite
transmission and copper wire can be violated with inexpensive equipment.
Coaxial cable can also be more easily violated than other transmission media.

Area: 4
295. Controls designed to ensure that unauthorized changes cannot be made to
information once it resides in a file are known as:
The correct answer is:
A. data security controls.

Explanation:
Data security controls are the controls that ensure data integrity, not accuracy.
None of the other controls listed ensure data integrity.

Area: 4
296. Which of the following is the MOST effective technique for providing security
during data transmission?
The correct answer is:
C. Encryption

Explanation:
Encryption provides security for data during transmission. The other choices do
not provide protection during data transmission.

Area: 4
297. Which of the following is the MOST effective control over visitor access to a
data center?
The correct answer is:
A. Visitors are escorted

Explanation:
Escorting visitors will ensure that both staff and visitors have permission to
access the data processing facility. Choices B and C are not reliable controls.
Choice D is incorrect because visitors should be accompanied at all times while
they are on the premises, not only when they are in the data processing facility.

Area: 4
298. Which of the following is a technique that could illegally capture network
user passwords?
The correct answer is:
B. Sniffing

Explanation:
Sniffing is an attack that can be illegally used to capture sensitive pieces of
information (passwords) passing through the network. Encryption is a method of
scrambling information to prevent unauthorized individuals from understanding
the transmission. Spoofing is forging an address and inserting it into a packet to
disguise the origin of the communication. Data destruction is erasing information
or removing it from its original location.

Area: 4
299. All of the following are elements of a security infrastructure EXCEPT:
The correct answer is:
C. legal notice banners displayed on terminals with Internet connectivity.

Explanation:
The implementation of organization policy through legal notice is not an element
of a security infrastructure. The elements of a security infrastructure begin with
management commitment and support, followed by a user training program on
security, and are complemented by establishing defined and documented security
policies and procedures.

Area: 4
300. Which of the following is the BEST audit procedure when examining if a
firewall is configured in compliance with the organization's security policy?
The correct answer is:
A. Review the parameter settings

Explanation:
A review of the parameter settings will provide a good basis for comparison of the
actual configuration to the security policy and, as such, test documentation
provides strong audit evidence. The other choices do not provide strong audit
evidence as test documentation.

Area: 4
301. All of the following are significant Internet exposures EXCEPT:
The correct answer is:
C. insufficient resources to improve and maintain integrity.

Explanation:
Having insufficient resources to improve and maintain integrity is not an
exposure, but a reason why exposures occur. The other choices are significant
exposures. For example, loss of integrity (i.e., exploitation of vulnerabilities in
vendor programs) can lead to unauthorized access, a loss of data integrity or
denial of service.

Area: 4
302. When an organization's network is connected with an external network in an
Internet client/server model not under that organization's control, security
becomes a concern. In providing adequate security in this environment, which of
the following assurance levels is LEAST important?
The correct answer is:
C. Data recovery

Explanation:
Data recovery, as a corrective action, occurs after total network failure (denial of
service), and therefore provides the least important assurance in maintaining
adequate security in a networked environment. The other choices are proactive in
nature and directly impact network security on a daily level. Server and client
authentication is where the client needs to have some way of verifying that the
server it is communicating with is a valid server, and where the server needs
to know that the clients are in fact valid client machines. Data integrity is
required for verifying that the data received over the network has not been
modified during its transmission. Data confidentiality is required for protecting
information sent over the network from eavesdropping.

Area: 4
303. Programs that can run independently and travel from machine to machine
across network connections, which may destroy data or utilize tremendous
computer and communication resources, are referred to as:
The correct answer is:
C. worms.

Explanation:
Worms are non-replicating programs that can run independently and travel from
machine to machine. A trojan horse resembles a commonly used authorized
program that does something else unrelated to its stated or intended purpose,
causing a malicious or fraudulent action or event to occur. Viruses are malicious
program code inserted into other executable code that can self-replicate and
spread from computer to computer. Logic bombs are programmed threats that lie
dormant in commonly used software for an extended period of time until they are
triggered.

Area: 4
304. Which of the following would LEAST likely prevent an information security
failure in a wide area network?
The correct answer is:
C. Developing systems that are free from vulnerabilities

Explanation:
Developing systems that are free from vulnerabilities would be considered an
improbability, as there is nothing considered absolutely secure or free from
vulnerabilities. What can be done is to take adequate and appropriate steps to
ensure that security breaches are prevented or detected and corrected. Choices
A, B and D reflect the steps which would be taken as security measures and
compensate for most security failures.

Area: 4
305. All of the following are common forms of Internet attacks EXCEPT:
The correct answer is:
D. systematic hacker foot-printing of an organization.

Explanation:
Systematic foot-printing (gathering target information) of an organization allows
hackers to create a complete profile of an organization's security posture that
leads to an attack. By using a combination of tools and techniques, attackers with
no insider knowledge of an organization's network except for its domain name
can obtain the requisite information in devising a means for launching an attack
(e.g., range of domain names, network blocks, and individual IP addresses of a
target organization's systems directly connected to the Internet). The other
choices are instances of actual attacks that can occur, leading either to
an unauthorized user gaining control of a machine or access that causes damage
or denial of service to a host system or network.

Area: 4
306. The management of an organization has encountered several security
incidents recently and has decided to establish a security awareness program.
Which of the following would be the LEAST effective in establishing a successful
security awareness program?
The correct answer is:
D. Utilize an intrusion detection system to report on incidents that occur

Explanation:
Utilizing an intrusion detection system to report on incidents that occur is an
implementation of a security program and is not effective in establishing a
security awareness program. The other choices are all elements of a security
awareness program.

Area: 4
307. Password syntax rules should include all of the following EXCEPT:
The correct answer is:
B. shadowed so they are not displayed.

Explanation:
Passwords are not shadowed to prevent their display. Shadowing passwords refers
to pulling the password field out of the public password file and putting it into a
file that is accessible only to those individuals (security or system administrators)
with privileged access authority.

Area: 4
308. Information for detecting unauthorized input from a terminal would be BEST
provided by the:
The correct answer is:
B. transaction journal.

Explanation:
The transaction journal would record all transaction activity, which then could be
compared to the authorized source documents to identify any unauthorized input.
A console log printout is not the best because it would not record activity from a
specific terminal. An automated suspense file listing would only list transaction
activity where an edit error occurred, and the user error report would only list
input that resulted in an edit error.

Area: 4
309. An IS auditor attempting to determine whether access to program
documentation is restricted to authorized persons would MOST likely:
The correct answer is:
B. interview programmers about the procedures currently being followed.

Explanation:
Asking programmers about the procedures currently being followed is useful in
determining whether access to program documentation is restricted to authorized
persons. Evaluating the record retention plans for off-premises storage tests
recovery procedures, not access control over program documentation. Testing
utilization records will not address access security over program documentation.
Testing data file access security does not address security over program
documentation.

Area: 4
310. A systems analyst should have access to all of the following EXCEPT:
The correct answer is:
B. password identification tables.

Explanation:
The systems analyst does not need to know who has access to particular data
files or programs, but only that appropriate identification tables exist. The analyst
needs access to source code to obtain assurance that the system design criteria
and objectives are incorporated into developing applications, to user procedures
to determine how input is entered and output is used, and access to edit criteria
to obtain assurance that the system design criteria and objectives are
incorporated into developing applications.

Area: 4
311. Authentication is the process by which the:
The correct answer is:
B. system verifies the identity of the user.

Explanation:
Authentication is the process by which the system verifies the identity of the user.
Choice A is not the best answer because authentication refers to verifying who
the user is against a security table of users authorized to access the system, not
necessarily the functions which the user can perform. Choice C is incorrect
because this does not imply that the system has verified the identity of the user.
Choice D is not correct because this is an application control for accuracy.

Area: 4
312. The IS auditor has determined that protection of computer files is
inadequate. Which of the following is LEAST likely to have caused this problem?
The correct answer is:
A. Arrangements for compatible backup computer facilities

Explanation:
Arrangements for compatible backup computer facilities is the best answer since
it does not relate to the security of files, but only to the availability of backup
computer facilities. Procedures at the backup computer center would not affect
file protection unless there was a need to use the backup facility. Inadequate
procedures for releasing files would relate to inadequate protection, inadequate
offsite storage procedures would relate to inadequate protection over files,
and inadequate environmental controls would relate to inadequate protection
over files.

Area: 4
313. If inadequate, which of the following would MOST likely contribute to a denial
of service attack?
The correct answer is:
A. Router configuration and rules

Explanation:
Inadequate router configuration and rules would lead to an open exposure to
denial of service attacks. Choices B and C would contribute less to
vulnerabilities in case of attacks, and choice D is incorrect because audit testing
and review techniques are applied after the fact.

Area: 4
314. Which of the following is the MOST effective type of anti-virus software?
The correct answer is:
C. Integrity checkers

Explanation:
Integrity checkers compute a binary number on a known virus-free program that
is then stored in a database file. The number is called a cyclical redundancy
check or CRC. When that program is called to execute, the checker computes the
CRC on the program about to be executed and compares it to the number in the
database. A match means no infection; a mismatch means that a change in the
program has occurred. A change in the program could mean a virus within it.
Integrity checkers take advantage of the fact that executable programs and boot
sectors do not change very often, if at all. Scanners look for sequences of bits
called signatures that are typical of virus programs. They examine memory, disk
boot sectors, executables and command files for bit patterns that match a known
virus. Scanners therefore need to be updated periodically to remain effective.
Active monitors interpret DOS and ROM basic input-output system (BIOS) calls,
looking for virus-like actions. Active monitors can be annoying because they
cannot distinguish between a user request and a program or virus request. As a
result, users are asked to confirm actions like formatting a disk or deleting a file
or set of files. Vaccines are known to be good anti-virus software; however, they
also need to be updated periodically to remain effective, and not all software
providers guarantee detecting and/or eliminating all the kinds of viruses
that circulate in the web environment.

Area: 4
315. The technique used to ensure security in virtual private networks (VPNs) is:
The correct answer is:
A. encapsulation.

Explanation:
Encapsulation or tunneling is a technique used to carry traffic of one protocol
over a network that does not support that protocol directly. The original packet is
wrapped in another packet. The other choices are not security techniques specific
to VPNs.

Area: 4
316. A critical function of a firewall is to act as a:
The correct answer is:
C. server used to connect authorized users to private trusted network resources.

Explanation:
A firewall is a set of related programs, located at a network gateway server, that
protects the resources of a private network from users of other networks. An
enterprise with an intranet that allows its workers access to the wider Internet
installs a firewall to prevent outsiders from accessing its own private data
resources and for controlling the outside resources to which its own users have
access. Basically, a firewall, working closely with a router program, filters
all network packets to determine whether to forward them toward their
destination. A firewall also includes or works with a proxy server that makes
network requests on behalf of workstation users. A firewall is often installed in
a specially designated computer separate from the rest of the network so that
no incoming request can get directed at private network resources.

Area: 4
317. During an audit of an enterprise that is dedicated to e-commerce in the
modality of business-to-customer, the IS manager states that digital signatures
are used in the establishment of its commercial relations. The auditor must prove
that which of the following is used?
The correct answer is:
C. A hash of the data that is transmitted and encrypted with the customer's
public key

Explanation:
The process to calculate a hash or digest of the data that is transmitted and then
encrypting this result with the public key of the client (receiver) is called a
signature of the message, or digital signature. The receiver performs the same
process and then compares the received hash, once it has been decrypted with
his private key, with the hash that he/she calculates with the received data. If it
happens that they are the same, the auditor would conclude that there is
integrity in the data that has arrived and authenticates the origin.

Area: 4
318. Risk of hash compromise is BEST mitigated using:
The correct answer is:
A. digital signatures.

Explanation:
A digital signature is generated by encrypting a message digest with a private key. A
digital signature provides assurance of origin authentication and nonrepudiation.
Message encryption can only ensure the confidentiality of data. It cannot provide
origin authentication and nonrepudiation. A message authentication code cannot
provide origin authentication and nonrepudiation. It can only indicate that the
claimed and actual sender are identical. Cryptanalysis is the science of finding
a technique to break encryption algorithms.

Area: 4
319. Secure socket layer (SSL) protocol addresses the confidentiality of a
message through:
The correct answer is:
A. symmetric encryption.

Explanation:
SSL uses a symmetric key for message encryption. A message authentication
code is used for ensuring data integrity. A hash function is used for generating a
message digest. It does not use public key encryption for message encryption.
Digital signature certificates are used by SSL for server authentication.

Area: 4
320. An organization is considering connecting a critical PC-based system to the
Internet. Which of the following would provide the BEST protection against
hacking?
The correct answer is:
A. Application level gateway

Explanation:
An application level gateway is the best way to protect against hacking because it
is the type of firewall that can reach with detail the rules that define the type of
user or connection that is, or is not, permitted. This way, it analyzes in detail each
packet, not only in layers one through four in the OSI model (port numbers,
service used), but also layers five through seven, which means that it reviews the
commands of each higher-level protocol (HTTP, FTP, SNMP, etc.). For a remote
access server there is a device (server) asking for username and password
before entering the network. This is good when accessing private networks, but it
can be easily mapped or scanned from the Internet, giving a security hole for
a company network. Proxy servers can provide protection based on the IP
address and ports. However, an individual is needed who really knows how to do
this, and second, applications can use different ports for the different sections
of their program. Port scanning works when there is a very specific task to do, but
not when trying to control what comes from the Internet (or when all the ports
available need to be controlled somehow). For example, the port for 'ping' (echo-
request) could be blocked and the IP addresses would be available for the
application and browsing, but would not respond to ping.

Area: 4
321. A "dry-pipe" fire extinguisher system is a system that uses:
The correct answer is:
A. water, but in which water does not enter the pipes until a fire has been
detected.

Explanation:
The dry-pipe sprinkler is an effective and environmentally friendly method of
suppressing fire. Water sprinklers, with an automatic power shut-off system, can
be set to automatic release without threat to life. Sprinklers must be dry-pipe to
prevent the risk of leakage. Halon or carbon dioxide are also used to extinguish
fire, but are not used through a dry pipe.

Area: 4
322. An enterprise is implementing a business-to-business (B-to-B) network
infrastructure to ensure efficient and effective communication and supply chain
management with all international customers and suppliers. The enterprise would
like to utilize the network infrastructure for secure communication, paperless
negotiations and agreements and to ensure appropriate evidence for all
transactions. The MOST appropriate solution is:
The correct answer is:
A. asymmetric encryption and digital signatures.

Explanation:
The basic objectives are authentication, confidentiality, data integrity and
nonrepudiation. These objectives can be achieved using choices A, B or C.
However, choices B and C will have political and mutual consensus issues relating
to control and access to the security infrastructure. The shared secret concept of
symmetric encryption is not suitable for this environment. PKI may not be
acceptable to the business partners. However, mutually agreed cryptographic
algorithms that will be used for public key encryption and trusted certificate
authorities should be decided. Shared key encryption is not practically suitable for
the B-to-B environment. A single partner controlled security infrastructure raises
trust issues in business propositions. A message authentication code does not
ensure confidentiality.

Area: 4
323. Electronic signatures can prevent messages from being:
The correct answer is:
B. repudiated.

Explanation:
Electronic signatures provide a receipt of the transaction in order to ensure that
the entities that participated in that transaction cannot repudiate their
commitments. An electronic signature does not prevent messages from being
suppressed, disclosed or copied.

Area: 4
324. Confidential data stored on a laptop is BEST protected by:
The correct answer is:
C. data encryption.

Explanation:
The best protection for confidential data stored on a laptop is data encryption,
because this mechanism ensures that the only individual who can access the data
is the authorized user. Data on optical disks, if not encrypted, would be accessible
to anyone who has access to the disks. Log-on ID and password is not the best
protection because a stand-alone laptop, depending on the operating system,
does not need an ID and password to begin a session and because there are easy
ways to bypass security controls on laptops to gain access to the operating
system. Physical locks prevent physical theft only.

Area: 4
325. Security administration procedures require read-only access to:
The correct answer is:
B. security log files.

Explanation:
Security administration procedures require read-only access to security log files
to ensure that, once generated, the logs are not modified, not even by the
administrator. Logs are critical in the audit process to evidence and trail
suspicious transactions and user activities. Security administration procedures
require write access to access control tables to manage and update the privileges
according to business authorized requirements. Logging options require write
access to allow the administrator to update the way the transactions and user
activities are monitored, captured, stored, processed and reported.

Area: 4
326. Which of the following would an IS auditor consider a MAJOR risk of using
single sign-on?
The correct answer is:
A. It enables access to single multiple applications

Explanation:
A primary audit concern of, or risk associated with, single sign-on is the single
authentication point. If a password is compromised, unauthorized access to many
applications can be obtained without further verification. A single point of failure
provides a similar redundancy to the single authentication point. However, it can
be made through data, process or network. Where there is an administrative
bottleneck, the administration is centralized in an entry system of one single
step. This is therefore an advantage. User lockout can occur with any
password authentication system and is normally swiftly remedied by the
security administrator resetting the account.

Area: 4
327. Naming conventions for access controls are usually set by:
The correct answer is:
A. data owners with the help of the security officer.

Explanation:
Data owners are responsible for the accurate use of the information. Data owners
provide written authorization for users to gain access to computerized
information. Security administration sets up access rules that stipulate which
users, or group of users, are authorized to access data or files and the level of
authorized access (read or update) and provides written authorization for users to
gain access to computerized information. The access control mechanism applies
these rules whenever a user, who has been granted access on a need-to-know or
need-to-do basis, attempts to use a protected resource. Programmers and
systems analysts may be required to adjust to the setup of naming conventions for
access controls, but not to the setup of naming conventions. A librarian is
not involved in naming conventions for access controls.

Area: 4
328. Which of the following is the MOST secure way to connect a private network
over the Internet in a small-to medium-sized organization?
The correct answer is:
A. Virtual private network

Explanation:
The most secure way would be a virtual private network (VPN) using encryption,
authentication and tunneling to allow data to travel securely from a private
network to the Internet. Choices B, C and D are network connectivity options too
expensive to be practical for small-to medium-sized organizations.

Area: 4
329. The potential for unauthorized system access, by way of terminals or
workstations within the organization's facility, is increased when:
The correct answer is:
A. connecting points are available in the facility to connect laptops to the
network.

Explanation:
Any person with wrongful intentions can connect a laptop to the network. In this
case, because the facility has unsecured connecting points, unauthorized access
may be possible. However, if the laptop is connected to a network, access could
not be gained without a user-ID or password. The other choices are controls for
preventing unauthorized network access. If system passwords are not readily
available for intruders to use, they must guess, which introduces an additional
work factor and also involves time. System passwords provide protection
against unauthorized use of terminals located in unsecured locations. Physical
access to computer hardware is controlled, making unauthorized system access
not possible. Supervision is also one form of control. It is very effective when used
to exercise control over a small and manageable unit of the operating
or production resources. Hence, terminals in such clusters cannot be accessed
by unauthorized users.

Area: 4
330. The BEST defense against eavesdropping into computer networks is:
The correct answer is:
A. encryption.

Explanation:
Encryption is the best choice in this situation and generally does protect
information from eavesdroppers. However, encrypted strings with a discernible
pattern can be captured by a sniffer (for example L0PHCRACK, which captures
encrypted passwords). This means that due care should be taken even with
encryption. Information, when encrypted, is useless for the
eavesdropper. The intended recipient gets the information intact without it being
affected by attenuation or distortion by noise, and without incurring any significant cost
overheads. Moving the defense perimeter outward would entail additional cost as
the security coverage would enlarge. Reducing the amplitude of the
communication signal would result in attenuation of the signal and the
information would not be properly received by the recipient. Masking it with noise
would cause signal distortion and therefore distortion in the information received,
which is not desirable.

Area: 4
331. A virtual private network (VPN) performs which of the following functions?
The correct answer is:
A. Hides information from sniffers on the net

Explanation:
A VPN hides information from sniffers on the net. A VPN hides information using
encryption, which does not make any sense to sniffers on the network. It works
based on tunneling. A VPN does not analyze information packets and therefore
cannot enforce security policies. It does not check the content of packets and so
cannot detect misuse or mistakes, and it does not perform an authentication
function and hence cannot regulate access.

Area: 4
332. Within an e-Commerce transaction through the Internet, the process of
applying a digital signature to the data that travels in the network provides
which of the following?
The correct answer is:
C. Integrity and nonrepudiation

Explanation:
The process of applying a mathematical algorithm to the data that travels in the
network and placing the results of this operation with the hash data is used for
controlling data integrity, since with any unauthorized modification to this data
the hash would be different. The application of a digital signature would
accomplish the nonrepudiation of the delivery of the message. The term security
is a broad concept and not a specific one. Confidentiality is applied when, in
addition to a hash and a digital signature, an encryption process exists.

Area: 4
333. Which of the following would an IS auditor consider a weakness when
performing an audit of an organization that uses a public key infrastructure with
digital certificates for its business-to-consumer transactions via the Internet?
The correct answer is:
D. The organization is the owner of the CA.

Explanation:
If the certificate authority belongs to the same organization, this would generate
a conflict of interest. If a customer wanted to repudiate a transaction, he/she
could allege that there exists an unlawful agreement between the parties
generating the certificates, because of the shared interests. If a customer wanted
to repudiate a transaction, he/she could believe that there exists a bribery
between the parties to generate the certificates, as there exist shared interests.
The other options are not weaknesses.

Area: 4
334. Which of the following implementation modes would provide the GREATEST
amount of security to outbound data connecting to the Internet?
The correct answer is:
C. Tunnel mode with AH plus ESP

Explanation:
Tunnel mode provides protection to the entire IP packet. To accomplish this, AH
and ESP services can be nested. The transport mode provides primary protection
for the protocols' higher layers. That is, protection extends to the data field
(payload) of an IP packet. The SSL (secure socket layer) mode provides security
to the higher communication layers (transport layer). The triple DES encryption
mode is an algorithm that provides confidentiality.

Area: 4
335. Which of the following is the MOST reliable sender authentication method?
The correct answer is:
C. Digital certificates

Explanation:
Digital certificates are issued by the trusted third party. The message sender
attaches the certificate rather than the public key and can verify authenticity with
the certificate repository. Asymmetric cryptography is vulnerable to a man-in-the-
middle attack. Digital certificates are used for confidentiality.
A message authentication code is used for message integrity verification.

Area: 4
336. In the Internet encryption process, which of the following steps provides the
GREATEST assurance in achieving authenticity of a message?
The correct answer is:
B. The pre-hash code is encrypted using the sender's private key.

Explanation:
The step where the pre-hash code is encrypted using the sender's private key
provides assurance of the authenticity of the message. Mathematically deriving
the pre-hash code provides integrity to the message. Encrypting the pre-hash
code and the message using the secret key provides confidentiality.

Area: 4
337. An Internet security threat that could compromise integrity is:
The correct answer is:
C. a trojan horse browser.

Explanation:
Internet security threats/vulnerabilities to integrity include a trojan horse found
on client browser software, modification of user data, modification of memory
and modification of message traffic in transit. The other options
compromise confidentiality.

Area: 4
338. An IS auditor performing a review of the implemented security infrastructure
of an organization that provides business-to-business activities observes that PKI
services are being used. The auditor's conclusion would be that they use:
The correct answer is:
C. public key infrastructure.

Explanation:
PKI is an acronym for public key infrastructure. This is the denomination that is
provided to the entire implemented scheme for asymmetric encryption, digital
signatures and digital certificates administration.

Area: 4
339. In a public key infrastructure (PKI), the authority which is responsible for the
identification and authentication of an applicant for a digital certificate (i.e.,
certificate subjects) is the:
The correct answer is:
A. registration authority (RA).

Explanation:
An RA is an entity that is responsible for identification and authentication of
certificate subjects, but that does not sign or issue certificates. The certificate
subject usually interacts with the RA for completing the process of subscribing to
the services of the certification authority in terms of getting identity validated
with the means of standard identification documents, as detailed in the
certificate policies of the CA. In the context of a particular certificate, the issuing
CA is the CA that issued the certificate. In the context of a particular
CA certificate, the subject CA is the CA whose public key is certified in
the certificate. Certain very large PKI communities of trust create a
dedicated authority to approve certificate related policy for the entire PKI.

Area: 4
340. In which of the following situations would a checkpoint/restart procedure
NOT enable recovery?
The correct answer is:
C. Completing the run of an incorrect version of the program

Explanation:
If the wrong version of the program is initiated, it must be re-run from the start.
Once the failure is repaired, the run can be restarted from the last checkpoint. If a
tape is loaded out of sequence, the job can be restarted from an earlier
checkpoint. Following a power loss, the run can be restarted from the last
checkpoint.

Area: 5
341. If a database is restored using before image dumps, where should the process be restarted following an interruption?
The correct answer is:
A. Before the last transaction

Explanation:
If before images are used, the last transaction in the dump will not have updated the database prior to the dump being taken. Because that transaction has not updated the database, it must be re-processed. Program checkpoints are irrelevant in this situation.

Area: 5
342. Which of the following is an important consideration in providing backup for online systems?
The correct answer is:
B. Ensuring periodic dumps of transaction logs

Explanation:
Ensuring periodic dumps of transaction logs is the only safe way of preserving timely historical data. The volume of activity usually associated with an online system makes other, more traditional methods of backup impractical.

Area: 5
343. As updates to an online order entry system are processed, the updates are recorded on a transaction tape and a hard copy transaction log. At the end of the day, the order entry files are backed up onto tape. During the backup procedure, the disk drive malfunctions and the order entry files are lost. Which of the following are necessary to restore these files?
The correct answer is:
A. The previous day's backup file and the current transaction tape

Explanation:
The previous day's backup will be the most current historical backup of activity in the system. The current day's transaction file will contain all of the day's activity. Therefore, the combination of these two files will enable full recovery up to the point of interruption.
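The two recovery mechanisms in questions 341 and 343 (backing out an interrupted transaction from its before images, and rebuilding lost files from the previous backup plus the current transaction log) are easy to confuse on paper. The following is an added example, not part of the original question bank: a toy order-entry store with a before-image journal and an append-only transaction log, written in Python. The store, the order identifiers and the transaction sequence are constructed for illustration.

```python
"""Added example: before-image rollback (Q341) and backup-plus-log roll-forward (Q343)
on a toy order-entry store. All data and names are constructed for illustration."""
import copy


class OrderStore:
    def __init__(self):
        self.files = {}          # order_id -> quantity (the "order entry files")
        self.txn_log = []        # current day's transaction tape: (op, order_id, qty)
        self.before_images = []  # before-image journal for the in-flight transaction

    def begin(self):
        self.before_images = []

    def apply(self, op, order_id, qty):
        # Write the before image first, then update, then record the transaction.
        self.before_images.append((order_id, self.files.get(order_id)))
        if op == "add":
            self.files[order_id] = self.files.get(order_id, 0) + qty
        elif op == "delete":
            self.files.pop(order_id, None)
        else:
            raise ValueError("unknown op %r" % op)
        self.txn_log.append((op, order_id, qty))

    def commit(self):
        self.before_images = []

    def rollback(self):
        # Q341: undo the interrupted transaction by restoring before images in
        # reverse order; it must then be re-processed from the start.
        for order_id, prev in reversed(self.before_images):
            if prev is None:
                self.files.pop(order_id, None)
            else:
                self.files[order_id] = prev
        # One log entry was written per before image; drop those entries too.
        self.txn_log = self.txn_log[:len(self.txn_log) - len(self.before_images)]
        self.before_images = []

    def full_backup(self):
        return copy.deepcopy(self.files)


def roll_forward(backup, txn_log):
    """Q343: rebuild the files from the previous day's backup and today's transaction tape."""
    files = copy.deepcopy(backup)
    for op, order_id, qty in txn_log:
        if op == "add":
            files[order_id] = files.get(order_id, 0) + qty
        elif op == "delete":
            files.pop(order_id, None)
    return files


def demo():
    store = OrderStore()
    store.begin(); store.apply("add", "A100", 5); store.commit()
    backup = store.full_backup()   # previous day's backup: {"A100": 5}
    store.txn_log = []             # start today's transaction tape

    store.begin(); store.apply("add", "A100", 2); store.apply("add", "B200", 1); store.commit()
    # An interrupted transaction: its before images say exactly what to undo.
    store.begin(); store.apply("add", "C300", 9); store.rollback()

    # Disk lost during the end-of-day backup: backup + today's tape recovers the files.
    recovered = roll_forward(backup, store.txn_log)
    return recovered, store.files
```

Run `demo()`: the roll-forward result equals the live files, and the rolled-back order `C300` appears in neither, because its log entries were discarded together with its before images.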

Area: 5
344. Which of the following business recovery strategies would require the least expenditure of funds?
The correct answer is:
D. Reciprocal agreement

Explanation:
Reciprocal agreements are the least expensive because they usually rely on a gentlemen's agreement between two firms. However, while they are the least expensive, they are also the least reliable and often unenforceable at the time of need.

Area: 5
345. Which of the following alternative business recovery strategies would be LEAST appropriate in a large database and online communications network environment where the critical business continuity period is 10 days?
The correct answer is:
C. Reciprocal agreement

Explanation:
It is unlikely that reciprocal agreements could be made to accommodate sophisticated environments, i.e., databases with large communications networks. Even if a compatible alternate facility could be located, it would be unlikely that sufficient capacity would be available to accommodate foreign systems and provide the necessary security and integrity. By contrast, a cold site arrangement could be appropriate if plans to convert the cold site to a hot site could be executed rapidly enough to accommodate critical processing.

Area: 5
346. For which of the following applications would rapid recovery be MOST crucial?
The correct answer is:
A. Point-of-sale

Explanation:
A point-of-sale system is a critical online system that, when inoperable, will jeopardize the ability of a company to generate revenue and properly track inventory.

Area: 5
347. An organization's disaster recovery plan should address early recovery of:
The correct answer is:
D. processing in priority order, as defined by business management.

Explanation:
Business management should know what systems are critical and when they need to be processed, well in advance of a disaster. It is their responsibility to develop and maintain the plan. Adequate time will not be available for this determination once the disaster occurs. IS and the information processing facility are service organizations that exist for the purpose of assisting general user management in successfully performing their jobs.

Area: 5
348. An off-site information processing facility:
The correct answer is:
A. should have the same amount of physical access restrictions as the primary processing site.

Explanation:
An off-site information processing facility should have the same amount of physical control as the originating site. It should not be easily identified from the outside, to prevent intentional sabotage. The off-site facility should not be subject to the same natural disaster that could affect the originating site and thus should not be located in proximity to it, and it should possess the same level of environmental monitoring and control as the originating site.

Area: 5
349. An advantage of the use of hot sites as a backup alternative is:
The correct answer is:
C. that hot sites can be made ready for operation within a short period of time.

Explanation:
Hot sites can normally be made ready for operation within hours. However, the use of hot sites is expensive, should not be considered a long-term solution, and requires that equipment and systems software be compatible with the primary installation being backed up.

Area: 5
350. An IS auditor reviewing back-up procedures for software need only determine that:
The correct answer is:
C. both object and source code libraries are backed up.

Explanation:
Backup for software must include both object and source code libraries, and must include a provision for maintaining program patches on a current basis at all back-up locations.

Area: 5
351. Which of the following control concepts should be included in a comprehensive test of disaster recovery procedures?
The correct answer is:
C. Rotate recovery managers.

Explanation:
Recovery managers should be rotated to ensure that experience with the recovery plan is spread. Clients may be involved, but not necessarily in every case. Not all technical staff should be involved in each test. Remote or off-site backup should always be used.

Area: 5
352. Which of the following tests would NOT apply to a review of the data center disaster recovery plan?
The correct answer is:
C. Installing key files from those stored in the Media Library

Explanation:
Off-site backup should be used, not that from the media library. If alternative processing facilities are not used, then only the restore-from-backup process is tested. Restored functions must be fully tested to ensure restoration is complete and accurate. Applications must also be restored from backup held off-site.
Area: 5
353. Which of the following is the business continuity planning and reconstruction team that is responsible for updating the applications database, working from terminals at the user recovery site during a reconstruction?
The correct answer is:
D. Data preparation and records team

Explanation:
The data preparation and records team is responsible for updating the applications database, working from terminals at the user recovery site during a reconstruction. They also oversee contract data-entry personnel and assist in record salvage efforts. The applications team travels to the recovery site and is responsible for restoring user packs and application programs on the backup system. The network recovery team is responsible for rerouting wide area voice and data communications traffic and reestablishing host network control and access at the system recovery site. The emergency operations team resides at the systems recovery site and manages system operations during the entirety of the reconstruction.

Area: 5
354. Which of the following procedures would an IS auditor perform to BEST determine whether adequate recovery/restart procedures exist?
The correct answer is:
B. Reviewing operations documentation

Explanation:
Operations documentation should contain recovery/restart procedures so that operations can return to normal processing in a timely manner. Turning off the UPS and then turning off the power might create a situation for recovery and restart, but the negative effect on operations would prove this method to be undesirable. The review of program code and documentation generally does not provide evidence regarding recovery/restart procedures.

Area: 5
355. A company performs full back-up of data and programs on a regular basis. The primary purpose of this practice is to:
The correct answer is:
B. restore application processing after a disruption.

Explanation:
Back-up procedures are designed to restore programs and data to a previous state following a computer or system disruption. These backup procedures merely copy data and do not test or validate its integrity. Back-up procedures will also not prevent changes to programs and data; on the contrary, changes will simply be copied along with everything else. Although backup procedures can ease the recovery process following a disaster, they are not sufficient in themselves.

Area: 5
356. An IS auditor conducting a review of disaster recovery planning at a financial processing organization has discovered the following:
* The existing disaster recovery plan was compiled two years ago by a systems analyst in the organization's IT department using transaction flow projections from the operations department.
* The plan was presented to the deputy CEO for approval and formal issue, but it is still awaiting his attention.
* The plan has never been updated, tested or circulated to key management and staff, though interviews show that each would know what action to take for their area in the event of a disruptive incident.
The IS auditor's report should recommend that:
The correct answer is:
D. an experienced manager coordinate the creation of a new plan or revised plan within a defined time limit.

Explanation:
The primary concern is to establish a workable disaster recovery plan which reflects current processing volumes, to protect the organization from any disruptive incident. Censuring the deputy CEO will not achieve this, and is generally not within the scope of an IS auditor to recommend anyway. Setting up a board to review the plan, which is two years out of date, may achieve an updated plan but is not likely to be a speedy operation, and issuing the existing plan would be folly without first ensuring that it is workable. The best way to achieve a disaster recovery plan in a short timescale is to make an experienced manager responsible for coordinating the knowledge of other managers, as established by the audit interviews, into a single, formal document within a defined time limit.

Area: 5
357. An IS auditor conducting a review of disaster recovery planning at a financial processing organization has discovered the following:
* The existing disaster recovery plan was compiled two years ago by a systems analyst in the organization's IT department using transaction flow projections from the operations department.
* The plan was presented to the deputy CEO for approval and formal issue, but it is still awaiting his attention.
* The plan has never been updated, tested or circulated to key management and staff, though interviews show that each would know what action to take for their area in the event of a disruptive incident.
The basis of the organization's disaster recovery plan is to re-establish live processing at an alternative site where a similar, but not identical, hardware configuration is already established. The IS auditor should:
The correct answer is:
C. perform a review to verify that the second configuration can support live processing.

Explanation:
The IS auditor does not have a finding unless it can be shown that the alternative hardware cannot support the live processing system. Even though the primary finding is the lack of a proven and communicated disaster recovery plan, it is essential that this aspect of recovery is included in the audit, since if it is found to be inadequate the finding will materially support the overall audit opinion. It is certainly not appropriate to take no action at all, leaving this important factor untested, and unless it is shown that the alternative site is inadequate there can be no comment on the expenditure (even if this is considered a proper comment for the IS auditor to make). Similarly, there is no need for the configurations to be identical. The alternative site could actually exceed the recovery requirements if it is also used for other work, such as other processing or systems development and testing. The only proper course of action at this point would be to find out whether the recovery site can actually cope with a recovery.

Area: 5
358. Disaster recovery planning for a company's computer system usually focuses on:
The correct answer is:
D. alternative procedures to process transactions.

Explanation:
It is important that disaster recovery identify alternative processes that can be put in place while the system is not available.

Area: 5
359. The MAIN purpose for periodically testing off-site hardware back-up facilities is to:
The correct answer is:
C. ensure the continued compatibility of the contingency facilities.

Explanation:
The main purpose of off-site hardware testing is to ensure the continued compatibility of the contingency facilities. Specific software tools are available to ensure the ongoing integrity of the database. Contingency plans should not be eliminated, and program and system documentation should be continuously reviewed for currency.

Area: 5
360. During a business continuity planning review, the IS auditor discovered that software back-up is being kept only by the IT department and that senior management is not aware of where back-ups are being kept. Which of the following recommendations is an IS auditor LEAST likely to make?
The correct answer is:
A. Validations in the application software should be made to prevent unauthorized access to data.

Explanation:
Validations are a security measure and are not directly related to business continuity planning in the above case. The other recommendations are important steps to be taken by the company in order to have an effective business continuity plan.

Area: 5
361. A large chain of shops with electronic funds transfer (EFT) at point-of-sale devices has a central communications processor for connecting with the banking network. Which of the following is the BEST disaster recovery plan for the communications processor?
The correct answer is:
D. Alternative standby processor at another network node

Explanation:
Having an alternative standby processor at another network node would be the best option. The unavailability of the central communications processor would disrupt all access to the banking network, resulting in the disruption of operations for all of the shops. This could be caused by failure of equipment, power or communications. Off-site storage of back-ups would not help, since EFT tends to be an online process and off-site storage will not replace the dysfunctional processor. The provision of an alternate processor on-site would be fine if it were an equipment problem, but would not help if the outage were caused by power, etc. Installation of duplex communication links would be most appropriate if it were only the communication link that failed.

Area: 5
362. The following table lists the estimate of the probability of a computer system being destroyed in a natural disaster and the corresponding overall business loss. Which system has the greatest exposure to loss?
Likelihood Losses (in $)
A. 10% 6 million
B. 15% 5 million
C. 20% 2.5 million
D. 25% 4 million
The correct answer is:
D. 25% 4 million

Explanation:
Exposure is likelihood multiplied by loss:
A = .10 x 6m = $600,000
B = .15 x 5m = $750,000
C = .20 x 2.5m = $500,000
D = .25 x 4m = $1,000,000

Area: 5
363. Which of the following would an IS auditor consider to be the MOST important to review when conducting a business continuity audit?
The correct answer is:
D. Media backups are performed on a timely basis and stored off-site.

Explanation:
Without data to process, all other components of the recovery effort are in vain. Even in the absence of a plan, recovery efforts of any type would not be practical without data to process.

Area: 5
364. Which of the following methods of providing telecommunication continuity involves routing traffic through split or duplicate cable facilities?
The correct answer is:
A. Diverse routing

Explanation:
Diverse routing is a method of providing telecommunication continuity that involves routing traffic through split or duplicate cable facilities. Alternative routing is accomplished via alternative media such as copper cable or fiber optics, redundancy involves the use of excess capacity, and long haul network diversity is a service provided by vendors to allow access to diverse long distance networks.

Area: 5
365. Which of the following is NOT a feature of an uninterruptible power supply (UPS)?
The correct answer is:
D. A UPS uses a greater wattage into the computer to ensure enough power is available.

Explanation:
A UPS typically conditions the power to ensure that the wattage delivered to the computer remains consistent and does not damage the computer; it does not increase it. All other answers are features of a UPS.

Area: 5
366. Most business continuity tests should:
The correct answer is:
C. evaluate the performance of personnel.

Explanation:
Business continuity tests should be scheduled during a time that minimizes disruptions to normal operations. They should test all critical components of the system. They should be monitored by management as a means of determining the efficiency and effectiveness of the plan and the performance of personnel.

Area: 5
367. Which of the following would BEST ensure continuity of a wide area network (WAN) across the organization?
The correct answer is:
A. Built-in alternative routing

Explanation:
Alternative routing would mean the network continues if a server is lost or if a link is severed, as message re-routing can be automatic. System back-up will not afford immediate protection. A repair contract is not as effective as permanent alternative routing. Standby servers would appear to be the best approach, but will not provide continuity if a link is severed.

Area: 5
368. The MOST significant level of business continuity planning program development effort is generally required during the:
The correct answer is:
D. early stages of planning.

Explanation:
A company in the early stages of business continuity planning (BCP) will incur the most significant level of program development effort, which will level out as the BCP program moves into the maintenance, testing and evaluation stages. It is during the planning stage that an IS auditor will play an important role in obtaining senior management's commitment to resources and assignment of BCP responsibilities.

Area: 5
369. An IS auditor reviewing an organization's information systems disaster recovery plan should verify that it is:
The correct answer is:
B. regularly reviewed and updated.

Explanation:
The plan must be reviewed at appropriate intervals, depending upon the nature of the business and the rate of change of systems and personnel; otherwise it may quickly become out of date and may no longer be effective (for example, hardware or software changes in the live processing environment are not reflected in the plan). Of course, the plan must be subjected to regular testing, but the period between tests will again depend on the nature of the organization and the relative importance of IS. Three months or even annually may be appropriate in different circumstances. Although the disaster recovery plan should receive the approval of senior management, it need not be the CEO if another executive officer is equally or more appropriate. For a purely IS-related plan, the executive responsible for technology may have approved the plan. Similarly, although a business continuity plan (BCP) is likely to be circulated throughout an organization, the IS disaster recovery plan will usually be a technical document relevant to IS and communications staff only.

Area: 5
370. Which of the following implementations of the Data Encryption Standard (DES) is the simplest implementation?
The correct answer is:
A. Electronic codebook (ECB)

Explanation:
ECB is the simplest mode of operation. The text of the message to be encrypted is divided into blocks and each block is encrypted with the same key, independently of the other blocks. Each encrypted block derives only from its own block of original text, so identical blocks in the original text are also identical in the encrypted text; that pattern leakage is the reason ECB is avoided for anything but single-block data. Modes B, C and D each make one block depend on (or carry a chained value from) the preceding block, so they are more complicated than the electronic codebook.
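The pattern leakage that makes ECB the simplest but weakest mode is easier to see than to describe. The following is an added example, not part of the original question bank, in Python using only the standard library: ECB and cipher block chaining (CBC) are implemented over a small Feistel block cipher whose round function is HMAC-SHA256. That toy cipher is an assumption standing in for DES (it is not DES); what the example demonstrates is the property of the modes, which does not depend on the block cipher underneath. The key, IV and message are constructed for the demonstration.

```python
"""Added example: ECB versus CBC over a toy Feistel block cipher (stand-in for DES).
Key, IV and message are constructed; the cipher is for illustration only."""
import hmac
import hashlib

BLOCK = 16          # block size in bytes; halves are 8 bytes
ROUNDS = 4
KEY = b"constructed-demo-key"          # constructed, not a real key
IV = bytes(range(BLOCK))               # constructed IV for CBC
MSG = b"ATTACK AT DAWN!!" * 3          # three identical 16-byte plaintext blocks


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, rnd, half):
    # Keyed round function: HMAC over (round number || half block), truncated to a half block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round_fn(key, i, r))   # Feistel round: (L, R) -> (R, L ^ F(R))
    return l + r


def block_decrypt(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round_fn(key, i, l)), l   # inverse round
    return l + r


def _pad(data):                       # PKCS#7 padding to a whole number of blocks
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data):
    return data[:-data[-1]]


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plaintext):
    # Every block is encrypted independently with the same key.
    return b"".join(block_encrypt(key, b) for b in blocks(_pad(plaintext)))


def ecb_decrypt(key, ciphertext):
    return _unpad(b"".join(block_decrypt(key, b) for b in blocks(ciphertext)))


def cbc_encrypt(key, iv, plaintext):
    # Each plaintext block is XORed with the previous ciphertext block before encryption.
    out, prev = [], iv
    for b in blocks(_pad(plaintext)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for c in blocks(ciphertext):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return _unpad(b"".join(out))


def repeated_block_count(ciphertext):
    """Number of ciphertext blocks that duplicate an earlier block: the ECB leak."""
    bs = blocks(ciphertext)
    return len(bs) - len(set(bs))


def demo():
    ecb = ecb_encrypt(KEY, MSG)
    cbc = cbc_encrypt(KEY, IV, MSG)
    return repeated_block_count(ecb), repeated_block_count(cbc)
```

`demo()` returns `(2, 0)`: under ECB the three identical plaintext blocks produce three identical ciphertext blocks (two repeats), while under CBC all four ciphertext blocks differ because each one is chained to the block before it.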
Area: 5
371. Which of the following manages the certificate life cycle of public key pairs to ensure adequate security and controls exist in e-commerce applications?
The correct answer is:
A. Registration authority

Explanation:
In this item the registration authority is described as maintaining a directory of certificates for the reference of those receiving them and managing the certificate life cycle, including certificate directory maintenance and certificate revocation list (CRL) maintenance and publication. Note that in current PKI practice, and as stated in question 339, the RA verifies the identity of applicants while the CA issues, renews and revokes certificates and publishes the CRL; answer this item as keyed. Choice B is not correct because a certificate authority is a trusted third party that verifies the identity of a party to a transaction. Choice C is incorrect since a CRL is an instrument for checking the continued validity of the certificates, not the entity that manages them. Choice D is incorrect because a certification practice statement is a detailed set of rules governing the certificate authority's operations.

Area: 5
372. An IS auditor performing a review of the back-up processing facilities would be MOST concerned that:
The correct answer is:
C. offsite storage of transaction and master files exists.

Explanation:
Adequate fire insurance and fully tested backup processing facilities are important elements for recovery, but without the offsite storage of transaction and master files it is generally impossible to recover. Regular hardware maintenance does not relate to recovery.

Area: 5
373. Which of the following findings would an IS auditor be MOST concerned about when performing an audit of backup and recovery and the offsite storage vault?
The correct answer is:
C. Data files, which are stored in the vault, are synchronized

Explanation:
Whether the data files in the vault are kept synchronized with one another is the finding that matters most, because unsynchronized transaction and master files cannot be restored to a consistent state. More than one person would need to have a key to the vault, and the location of the vault is important, but neither is as important as the synchronization of the files. Choice A is incorrect because more than one person would typically need to have a key to the vault to ensure that individuals responsible for the offsite vault can take vacations and rotate duties. Choice B is not correct because the IS auditor would not be concerned whether paper documents are stored in the offsite vault. In fact, paper documents such as procedural documents and a copy of the contingency plan would most likely be stored in the offsite vault.

Area: 5
374. Which of the following represents the GREATEST risk created by a reciprocal agreement for disaster recovery made between two companies?
The correct answer is:
A. Developments may result in hardware and software incompatibility

Explanation:
If one organization updates its hardware and software configuration, it may no longer be compatible with the systems of the other party in the agreement. This may mean that each company is unable to use the facilities at the other company to recover its processing following a disaster. Resources being unavailable when needed is an intrinsic risk in any reciprocal agreement, but this is a contractual matter and is not the greatest risk. The plan can be tested by paper-based walkthroughs and possibly, by agreement between the companies, in practice; and the difference in security infrastructures, while a risk, is not insurmountable for recovery of processing following a disaster.

Area: 5
375. All of the following are security and control concerns associated with disaster recovery procedures EXCEPT:
The correct answer is:
D. inability to resolve system deadlock.

Explanation:
The inability to resolve system deadlock is a control concern in the design of database management systems, not disaster recovery procedures. All of the other choices are control concerns associated with disaster recovery procedures.

Area: 5
376. Losses can be minimized MOST effectively by using outside storage facilities to do which of the following?
The correct answer is:
A. Include current, critical information in backup files

Explanation:
Without having current, critical information in offsite backup files, recovery is generally impossible. Having current backup documentation offsite, tested backup hardware and personnel trained in backup procedures facilitates the recovery process, but they are not as important as having the current, critical information available in offsite backup files.

Area: 5
377. Which of the following BEST describes the difference between a disaster recovery plan and a business continuity plan?
The correct answer is:
C. The disaster recovery plan defines all needed actions to restore to normal operation after an unplanned incident, whereas the business continuity plan only deals with critical operations needed to continue working after an unplanned incident.

Explanation:
The difference pertains to the scope of each plan. A disaster recovery plan recovers all operations, whereas a business continuity plan restores business continuity (the minimum requirements to provide services to customers or clients). Choices A, B and D are incorrect because the type of plan (recovery or continuity) is independent of the sort of disaster or process, and each plan includes both awareness campaigns and procedures.

Area: 5
378. Which of the following would guarantee a quick continuity of operations when the recovery time window is short?
The correct answer is:
D. A manual contingency procedure

Explanation:
A quick continuity of operations can be accomplished when manual procedures for a contingency exist, because they do not wait on the restoration of systems. Choices A, B and C are options for recovery.

Area: 5
379. Which of the following is MOST important to have in a disaster recovery plan?
The correct answer is:
A. Backup of compiled object programs

Explanation:
Of the choices, a backup of compiled object programs is the most important for a successful recovery. A reciprocal processing agreement is not as important, because alternative equipment can be found after a disaster occurs. A phone contact list may aid in the immediate aftermath, as would an accessible supply of special forms, but neither is as important as having access to the required programs.
Area: 5
380. At the end of a simulation of an operational contingency test, the IS auditor performed a review of the recovery process. The IS auditor concluded that the recovery took more than the critical time frame that was necessary. Which of the following actions would the auditor recommend?
The correct answer is:
C. Perform an integral review of the recovery tasks.

Explanation:
The performance of an exhaustive review of the recovery tasks would be appropriate to determine the time invested in each task and the way each was conducted. This would allow the individual responsible for the test to adjust the time assigned to the recovery tasks. The other choices could be conclusions once this first analysis has been made.

Area: 5
381. An IS auditor inspects an organization's offsite storage and plans to sample the system and program documentation. The IS auditor is MOST likely interested in reviewing:
The correct answer is:
A. error conditions and user manuals.

Explanation:
Error conditions and user manuals are considered system and program documentation. Choices B and C are operating procedures, while choice D is special procedures documentation.

Area: 5
382. While reviewing the business continuity plan of an organization, the IS auditor observed that the organization's data and software files are backed up on a periodic basis. Which characteristic of an effective plan does this demonstrate?
The correct answer is:
B. Mitigation

Explanation:
An effective business continuity plan includes steps to mitigate the effects of a disaster. To have an appropriate backup plan, an organization should have a process capability established to restore data and files on a timely basis, mitigating the consequences of a disaster. An example of deterrence is when a plan includes installation of firewalls for information systems. An example of recovery is when a plan includes an organization's hot site to restore normal business operations.

Area: 5
383. Which of the following disaster recovery/continuity plan components provides the GREATEST assurance for recovery after a disaster?
The correct answer is:
A. The requirement that the alternate facility be available until the original information processing facility is restored.

Explanation:
The alternate facility should be made available until the original site is restored, to provide the greatest assurance of recovery after a disaster. Without this assurance the plan will not be successful. All other choices ensure prioritization or the execution of the plan.

Area: 5
384. Which of the following principles must exist to ensure the viability of a duplicate information processing facility?
The correct answer is:
C. The workload of the primary site is monitored to ensure adequate backup is complete.

Explanation:
Resource availability must be assured. The workload of the site must be monitored to ensure that availability for emergency backup use is not impaired. The site chosen should not be subject to the same natural disaster as the primary site. In addition, reasonable compatibility of hardware/software must exist to serve as a basis for backup; the latest or newest hardware may not adequately serve this need. Testing the site when established is essential, but regular testing of the actual backup data is necessary to ensure the operation will continue to perform as planned.

Area: 5
385. There are several methods of providing telecommunications continuity. The method of routing traffic through split cable or duplicate cable facilities is:
The correct answer is:
B. diverse routing.

Explanation:
Diverse routing routes traffic through split cable facilities or duplicate cable facilities. This can be accomplished with different and/or duplicate cable sheaths. If different cable sheaths are used, the cable may be in the same conduit and therefore subject to the same interruptions as the cable it is backing up. The communication service subscriber can duplicate the facilities by having alternate routes, although the entrance to and from the customer premises may be in the same conduit. The subscriber can obtain diverse routing and alternate routing from the local carrier, including dual entrance facilities. This type of access is time-consuming and costly. Alternative routing is a method of routing information via an alternate medium such as copper cable or fiber optics. This involves the use of different networks, circuits or end points should the normal network be unavailable. Long haul network diversity is a diverse long-distance network utilizing T1 circuits among the major long-distance carriers. It ensures long-distance access should any one carrier experience a network failure. Last mile circuit protection is a redundant combination of local carrier T1s, microwave and/or coaxial cable access to the local communications loop. This enables the facility to have access during a local carrier communication disaster. Alternate local carrier routing is also utilized.

Area: 5
386. Which of the following offsite information processing facility conditions would cause an IS auditor the GREATEST concern?
The correct answer is:
A. The facility is clearly identified on the outside with the company name.

Explanation:
The offsite facility should not be easily identified from the outside. Signs identifying the company and the contents of the facility should not be present. This is to prevent intentional sabotage of the offsite facility should the destruction of the originating site be from a malicious attack. The offsite facility should not be subject to the same natural disaster that affected the originating site. The offsite facility must also be secured and controlled just as the originating site is. This includes adequate physical access controls such as locked doors, no windows and human surveillance.

Area: 5
387. Which of the following is a continuity plan test that uses actual resources to simulate a system crash to cost-effectively obtain evidence about the plan's effectiveness?
The correct answer is:
C. Preparedness test

Explanation:
A preparedness test is usually a localized version of a full test, wherein actual resources are expended in the simulation of a system crash. This test is performed regularly on different aspects of the plan and can be a cost-effective way to gradually obtain evidence about the plan's effectiveness. It also provides a means to improve the plan in increments. A paper test is a paper walkthrough of the plan, involving the major players in the plan's execution, who attempt to determine what might happen in a particular type of service disruption. The paper test usually precedes the preparedness test. A post-test is actually a test phase and comprises a group of activities, such as returning all resources to their proper place, disconnecting equipment, returning personnel and deleting all company data from third-party systems. A walkthrough is a test involving a simulated disaster situation that tests the preparedness and understanding of management and staff, rather than the actual resources.

Area: 5
388. An offsite backup facility having electrical wiring, air conditioning, flooring,
etc., but no computer or communications equipment, intended to operate an
information processing facility is better known as a:
The correct answer is:
A. cold site.

Explanation:
A cold site is ready to receive equipment, but does not offer any components at
the site in advance of the need. A warm site is an offsite backup facility that is
partially configured with network connections and selected peripheral equipment
such as disk drives, tape drives, controllers, and CPUs to operate an information
processing facility. A duplicate information processing facility is a dedicated, self-
developed recovery site that can back up critical applications.

Area: 5
389. Which of the following methods of results analysis, during the testing of the
business continuity plan (BCP), provides the BEST assurance that the plan is
workable?
The correct answer is:
A. Quantitatively measuring the results of the test

Explanation:
Quantitatively measuring the results of the test involves a generic statement
measuring all the activities performed during the BCP test, which gives the best
assurance of an effective plan. Although choices B and C are also quantitative,
they relate to specific areas, or an analysis of results from one viewpoint, namely
the accuracy of the results and the elapsed time.

Area: 5
390. A large organization with numerous applications running on its mainframe
system is experiencing a growing backlog of undeveloped applications. As part of
a master plan to eliminate this backlog, end-user computing with prototyping is
being introduced, supported by the acquisition of an interactive application
generator system. Which of the following areas is MOST critical to the ultimate
success of this venture?
The correct answer is:
B. Systems analysis

Explanation:
End-user computing tools such as prototyping systems and interactive application
generator systems already handle many of the technical aspects of the system
design process. However, end users are still required to have the adequate skills
to design a system efficiently. These skills are often attributable to systems
analysts that understand efficient methods of data flow. Therefore, the end user
should be familiar with systems analysis in order to make this venture successful.

Area: 6
391. Which of the following general control items would NOT normally be found in
an audit of user programming procedures in an end-user computing
environment?
The correct answer is:
A. Console log procedures

Explanation:
Most end-user computing devices do not record all system activities, nor is it
reasonable to do so because of the extensive storage resources required to hold
the logs.

Area: 6
392. Which of the following represents a typical prototype of an interactive
application?
The correct answer is:
B. Screens, interactive edits and sample reports

Explanation:
Process programs are not produced by a prototyping tool. This often leads to
confusion for the end user who expects quick implementation of programs that
accomplish the results that these tools produce.

Area: 6
393. Which of the following statements relating to the use of spreadsheets is
FALSE?
The correct answer is:
C. In the designing process, it is important that data be limited to one
spreadsheet.

Explanation:
Large spreadsheets are very cumbersome to maintain and are often subject to
errors when changes are required. Therefore, it is better to limit the size of any
one spreadsheet to make it more manageable. This is best accomplished by
creating a shell for basic spreadsheet functions and storing the actual data in a
separate spreadsheet that can be retrieved by the shell.

Area: 6
394. Which of the following tasks would NOT be performed by an IS auditor when
reviewing systems development controls in a specific application?
The correct answer is:
D. Design and execute testing procedures for use during acceptance testing.

Explanation:
An IS auditor must maintain their independence during the development of a
system; therefore, the IS auditor should not perform functions outside the scope
of their responsibilities. It is the responsibility of the users and technical staff to
test the system. The IS auditor is responsible for reviewing the test plan and
results.

Area: 6
395. Which of the following represents the MOST pervasive control over
application development?
The correct answer is:
B. Standard development methodologies

Explanation:
Standard development methodologies will provide consistency for all systems
utilized in the company. They also assist the IS auditor by providing a standard
with which to measure the adequacy of a system.

Area: 6
396. A computerized information system frequently fails to meet the needs of
users because:
The correct answer is:
D. user participation in defining the system's requirements is inadequate.

Explanation:
Lack of adequate user involvement, especially in the systems requirements
phase, will usually result in a system that doesn't fully or adequately address the
needs of the user. Only users can define what their needs are and, therefore,
what the system should accomplish.

Area: 6
397. Which of the following are objectives of using a system development life
cycle methodology?
The correct answer is:
B. Providing a method of controlling costs and schedules and ensuring
communication among users, IS auditors, management and IS personnel.

Explanation:
A well-defined systems development methodology will facilitate effective
management of the project since costs and schedules will be consistently
monitored. Also, design methodologies require various approvals and sign-offs
from different functional groups. This facilitates adequate communication
between these groups.

Area: 6
398. A primary reason for an IS auditor's involvement in the development of a
new application system is to determine that:
The correct answer is:
A. adequate controls are built into the system.

Explanation:
The provision of controls is the primary reason for audit involvement.

Area: 6
399. In which of the following phases of the system development life cycle of a
new application system is it the MOST important for the IS auditor to participate?
The correct answer is:
A. Design

Explanation:
The design phase is where controls should be considered and included in the
system. The greatest cost benefit for implementing controls is to include them in
the design phase.

Area: 6
400. During a detailed system design, the IS auditor would be LEAST concerned
with:
The correct answer is:
C. adequacy of hardware to handle the system.

Explanation:
The processing of data or information is of primary importance to the IS auditor.
Hardware considerations are a secondary concern that need to be addressed at
some point in the SDLC process.

Area: 6
401. Which of the following groups/individuals assume ownership of systems
development life cycle projects and the resulting system?
The correct answer is:
A. User management

Explanation:
User management assumes ownership of the project and resulting system. They
should review and approve deliverables as they are defined and accomplished.
Senior management approves the project and the resources needed to complete
it. The project steering committee provides overall direction and is responsible for
all costs and timetables. Systems development management provides technical
support.

Area: 6
402. Which of the following statements regarding the function of a systems
development life cycle steering committee is FALSE?
The correct answer is:
B. Report only to senior management on project status.

Explanation:
The steering committee should not only report to senior management, but also to
users. Users at all levels should be kept informed of project status. All other
answers are true regarding the function of a steering committee.

Area: 6
403. The responsibility of assuring that the systems development life cycle design
adheres to corporate security policies and tests system security prior to
implementation is that of the:
The correct answer is:
A. security officer.

Explanation:
The security officer is responsible for assuring that the systems development life
cycle design adheres to corporate security policies and tests system security prior
to implementation. Quality assurance reviews project results and
deliverables, while the project manager and project steering committee provide
overall project direction.

Area: 6
404. An IS auditor who is participating in a systems development life cycle project
should:
The correct answer is:
C. ensure that adequate and complete documentation exists for all project
phases.

Explanation:
An IS auditor who is participating in a systems development life cycle project
should ensure that adequate and complete documentation exists for all project
phases. Recommendations for controls to minimize risks and exposures should
consider the relative costs involved. The IS auditor should attend project team
meetings and offer advice throughout, and the IS auditor should be held to the
same qualitative project completion measures as the rest of the team.

Area: 6
405. The phases and deliverables of a systems development life cycle project
should be determined:
The correct answer is:
A. during the early planning stages of the project.

Explanation:
It is extremely important that the project be properly planned and that the
specific phases and deliverables be identified during the early stages of the
project.

Area: 6
406. Where a systems development life cycle methodology is inadequate, the
MOST serious immediate risk is that the new system will:
The correct answer is:
C. not meet business and user needs.

Explanation:
Although all of the answers are risks of an inadequate SDLC methodology, the
first and most devastating is that the new system will not meet business and user
needs and requirements.

Area: 6
407. Which of the following is a management technique that enables
organizations to develop strategically important systems faster while reducing
development costs and maintaining quality?
The correct answer is:
C. Rapid application development

Explanation:
Rapid application development is a management technique that enables
organizations to develop strategically important systems faster while reducing
development costs and maintaining quality. PERT and critical path methodology
are both planning and control techniques, while function point analysis is used for
estimating the complexity of developing business applications.

Area: 6
408. Which of the following is NOT an advantage of using structured analysis
(SA)?
The correct answer is:
D. SA addresses the issue of structuring systems into concurrent tasks.

Explanation:
SA does not address the issue of structuring systems into concurrent tasks. All of
the other answers are advantages of SA.

Area: 6
409. Which of the following is anadvantage of prototyping?
The correct answer is:
B. Prototype systems can providesignificant time and cost savings.

Explanation:
Prototype systems can providesignificant time and cost savings, however they
also have severaldisadvantages. They often have poor internal controls, change
control becomesmuch more complicated and it often leads to functions or extras
being added tothe system that were not originally intended.

Area: 6
410. The use of fourth generation languages (4GLs) should be weighed carefully
against using traditional languages because 4GLs:
The correct answer is:
A. can lack lower level detail commands necessary to perform data intensive
operations.

Explanation:
All of the answers are advantages of using 4GLs except that they can lack lower
level detail commands necessary to perform data intensive operations. These
operations are usually required when developing major applications.

Area: 6
411. Which of the following is NOT a feature of structured programming for
defining applications?
The correct answer is:
A. Programs are written using a bottom-up approach.

Explanation:
All of the answers are features of structured programming except that programs
are written from the top level down to the detail.

Area: 6
412. Which of the following computer aided software engineering (CASE) products
is used for developing detailed designs, such as screen and report layouts?
The correct answer is:
C. Middle CASE

Explanation:
Middle CASE products are used for developing detailed designs, such as screen and
report layouts. Super CASE is not a defined CASE product, upper CASE is used to
describe and document business and application requirements and lower CASE
deals with the generation of program code and database definitions.

Area: 6
413. Which of the following is a characteristic of a decision support system (DSS)?
The correct answer is:
C. DSS emphasizes flexibility in the decision making approach of users.

Explanation:
DSS emphasizes flexibility in the decision-making approach of users. It is aimed
at solving less structured problems, combines the use of models and analytic
techniques with traditional data access and retrieval functions and supports semi-
structured decision-making tasks.

Area: 6
414. Which of the following statements pertaining to data warehouses is FALSE?
The correct answer is:
D. A data warehouse is used by senior management only because of the
sensitivity of the data.

Explanation:
All of the answers are true as they pertain to data warehouses, except that a data
warehouse can be used for decision support in any position of an organization.

Area: 6
415. The primary role of an IS auditor in the system design phase of an
application development project is to:
The correct answer is:
C. ensure all necessary controls are included in the initial design.

Explanation:
The duty of the IS auditor is to ensure that required controls are included. Unless
specifically present as a consultant, the IS auditor should not be involved in
detailed designs. During the design phase, the IS auditor's primary role is to
ensure controls are included. Unless there is any potential slippage to report, the
IS auditor is not concerned with project control at this stage.

Area: 6
416. Which of the following would be considered to be the MOST serious
disadvantage of prototyping systems development?
The correct answer is:
C. Users may perceive that the development is complete.

Explanation:
Prototyping involves demonstrating an apparently complete system to users,
without the required processing. This may give them a false impression that the
project is more advanced. The point of prototyping is to ensure that analysts do
have an understanding of users' needs.

Area: 6
417. An advantage of using sanitized live transactions in test data is that:
The correct answer is:
D. test transactions are representative of live processing.

Explanation:
Test transactions are representative of live processing, though this is only of value
when testing the development's ability to handle volumes, as all transaction types
or error conditions are unlikely to be tested in this way.

Area: 6
418. An IS auditor's primary concern when application developers wish to use a
copy of yesterday's transaction file from the production process to show that the
development can cope accurately with the required volume is that:
The correct answer is:
B. unauthorized access to sensitive data may result.

Explanation:
Unless the data is sanitized by amending sensitive elements to garbage, there is
increased risk of unauthorized use.
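
Added illustration, not part of the original question bank: what "amending sensitive elements" in a copy of yesterday's transaction file can look like when the copy must stay representative enough for volume testing (question 417) yet not expose customer data to developers (question 418). The record layout, field names, sample rows and masking key below are all constructed for this example.

```python
import hashlib
import hmac

# Secret used only by the sanitization job. Constructed for this example; the
# assumption is that the job runs in a production-side staging step and the
# key is never handed over together with the sanitized file.
MASK_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed pipe-delimited transaction layout.
FIELDS = ["txn_id", "account", "customer_name", "amount", "currency", "txn_date"]

# Constructed sample of "yesterday's transaction file".
SAMPLE_LINES = [
    "1001|4111222233334444|Alice Example|125.40|USD|2024-03-01",
    "1002|4111222233334444|Alice Example|19.99|USD|2024-03-01",
    "1003|5500998877665544|Bob Sample|2500.00|EUR|2024-03-02",
]


def _keyed_bytes(field: str, value: str, n: int, key: bytes) -> bytes:
    """Derive n pseudo-random bytes from (field, value) under the masking key.
    HMAC-SHA256 with a counter covers values longer than one digest and makes
    the mapping deterministic: the same real value always yields the same token."""
    out = b""
    counter = 0
    while len(out) < n:
        msg = f"{field}:{counter}:{value}".encode()
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:n]


def mask_account(account: str, key: bytes = MASK_KEY) -> str:
    """Replace an account number with a digits-only token of the same length, so
    the application's format edits still pass and equal real accounts map to
    equal fake accounts (joins and duplicate checks behave as on live data)."""
    raw = _keyed_bytes("account", account, len(account), key)
    return "".join(str(b % 10) for b in raw)


def mask_name(name: str, key: bytes = MASK_KEY) -> str:
    """Replace a customer name with an obviously synthetic but stable label."""
    token = hmac.new(key, f"name:{name}".encode(), hashlib.sha256).hexdigest()
    return "CUSTOMER " + token[:8].upper()


def sanitize_record(line: str) -> str:
    """Mask the sensitive fields of one record. Amount, currency and date are
    left untouched so the volume and value distribution stay representative."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    rec["account"] = mask_account(rec["account"])
    rec["customer_name"] = mask_name(rec["customer_name"])
    return "|".join(rec[f] for f in FIELDS)


def sanitize_file(lines):
    """Sanitize every record of the copied transaction file."""
    return [sanitize_record(line) for line in lines]


def leaks_original(sanitized_lines, sensitive_values):
    """Release gate: return every original sensitive value that still appears
    verbatim in the sanitized output. An empty list means the copy may be
    handed to the development environment."""
    blob = "\n".join(sanitized_lines)
    return [v for v in sensitive_values if v in blob]


if __name__ == "__main__":
    for row in sanitize_file(SAMPLE_LINES):
        print(row)
```

The keyed HMAC is what keeps the file useful: the two Alice rows still share one (fake) account number, so the system under test exercises the same grouping and matching paths it would on live data, while someone holding only the sanitized file cannot reverse the tokens without the key. The leaks_original gate is the check an auditor would expect to see before the copy leaves the production side.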

Area: 6
419. Many IT projects experience problems because the development time and/or
resource requirements are underestimated. Which of the following techniques
would improve the estimation of the resources required in system construction
after the development of the requirements specification?
The correct answer is:
D. Function point estimation

Explanation:
Function point analysis is a technique to determine the size of a development
task, based on the number of function points. Function points are factors such as
inputs, outputs, inquiries, logical internal files, etc. A PERT chart will help determine
project duration once all the activities and the work involved in the activities are
known.
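
Worked illustration, added here and not part of the original question bank, of how a function point estimate is built from the counts the explanation names; it also serves question 444, which asks for the technique that gives the most reliable effort estimate. The weights are the IFPUG average-complexity values and the value adjustment factor formula is the standard one; the counts, the 14 characteristic ratings and the historical productivity figure (hours per function point) are constructed assumptions.

```python
# IFPUG average-complexity weights for the five function types: external inputs,
# external outputs, external inquiries, internal logical files, external
# interface files.
WEIGHTS = {"EI": 4, "EO": 5, "EQ": 4, "ILF": 10, "EIF": 7}


def unadjusted_function_points(counts: dict) -> int:
    """Size of the task from the counted function types (unadjusted FP)."""
    unknown = set(counts) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unknown function type(s): {sorted(unknown)}")
    return sum(WEIGHTS[kind] * n for kind, n in counts.items())


def value_adjustment_factor(gsc_ratings) -> float:
    """VAF = 0.65 + 0.01 * (sum of the 14 general system characteristics),
    each characteristic rated 0 (no influence) to 5 (strong influence)."""
    ratings = list(gsc_ratings)
    if len(ratings) != 14 or any(not 0 <= r <= 5 for r in ratings):
        raise ValueError("need exactly 14 ratings in the range 0..5")
    return 0.65 + 0.01 * sum(ratings)


def adjusted_function_points(counts: dict, gsc_ratings) -> float:
    """Adjusted FP = unadjusted FP scaled by the value adjustment factor."""
    return unadjusted_function_points(counts) * value_adjustment_factor(gsc_ratings)


def estimate_effort_hours(afp: float, hours_per_fp: float) -> float:
    """Turn size into effort using the organization's historical productivity.
    hours_per_fp must come from measured past projects; the figure used below
    is an assumption for the example."""
    if hours_per_fp <= 0:
        raise ValueError("productivity must be positive")
    return afp * hours_per_fp


# Constructed example: counts taken from a finished requirements specification.
EXAMPLE_COUNTS = {"EI": 12, "EO": 8, "EQ": 6, "ILF": 4, "EIF": 2}
EXAMPLE_GSC = [3] * 14          # every characteristic rated "average"
EXAMPLE_HOURS_PER_FP = 8.0      # assumed historical productivity

if __name__ == "__main__":
    ufp = unadjusted_function_points(EXAMPLE_COUNTS)
    afp = adjusted_function_points(EXAMPLE_COUNTS, EXAMPLE_GSC)
    print(f"UFP={ufp}  VAF={value_adjustment_factor(EXAMPLE_GSC):.2f}  AFP={afp:.2f}")
    print(f"effort about {estimate_effort_hours(afp, EXAMPLE_HOURS_PER_FP):.0f} hours")
```

The size figure is what makes the estimate reliable: it is derived from the requirements specification alone, before any code exists, and the conversion to hours uses the organization's own past productivity rather than a guess. A PERT chart then takes the resulting activity durations as input to work out the critical path and overall project duration, which is why the explanation treats it as a complement rather than an alternative.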

Area: 6
420. Which of the following is the MOST important reason for the IS auditor to be
involved in the system development life cycle process?
The correct answer is:
D. Ensure that adequate controls are built into the system during development.

Explanation:
All of the answers in this question are reasons why an IS auditor should be
involved in the SDLC process. However, the most important reason is to ensure
that adequate controls are built into the system during development.

Area: 6
421. Which of the following is a primary purpose for conducting parallel testing?
The correct answer is:
D. To ensure the new system meets all user requirements.

Explanation:
The purpose of parallel testing is to ensure the implementation of a new system
will meet all user requirements. Parallel testing may show that the old system is,
in fact, better than the new, but this is not the primary reason. Unit and system
testing will be completed before parallel testing. Errors in program interfaces with
files will be tested during system testing.

Area: 6
422. Unit testing is different from system testing because:
The correct answer is:
C. system testing relates to interfaces between programs.

Explanation:
Unit testing is different from system testing because system testing relates to
interfaces between programs. System testing takes place before users are invited
to test against their requirements. System testing will normally be carried out by
the programming team. Unit testing is usually less comprehensive.

Area: 6
423. Which of the following audit procedures would an IS auditor normally
perform FIRST when auditing the current documented systems development life
cycle?
The correct answer is:
D. Compare established standards to observed procedures.

Explanation:
The first step should be to establish that the entity being audited meets best
practice. The adequacy of the procedures observed should follow confirmation
that they meet best practice. Effectiveness analysis will follow establishment of
standards. Compliance tests will follow establishment of standards.

Area: 6
424. An IS auditor who has participated in the development of an application
system might have their independence impaired if they:
The correct answer is:
D. are actively involved in the design and implementation of the application
system.

Explanation:
Independence may be impaired if the auditor becomes actively involved in the
design and implementation of the application system. For example, if the auditor
becomes a decision-making member of the project team, the auditor's ability to
perform an independent application development review of the application
system is impaired. The auditor may recommend control and other system
enhancements, perform an application development review and perform an
independent evaluation of the application after its implementation without
impairing independence.

Area: 6
425. Which of the following tools would NOT be used in program debugging
during system development?
The correct answer is:
A. Compiler

Explanation:
Debugging tools are programs that assist a programmer to fine-tune or debug the
program under development. Compilers have some potential to provide feedback
to a programmer but are not considered debugging tools. Debugging tools fall
into three main categories: logic path monitors, memory dumps, and output
analyzers.

Area: 6
426. Which of the following statements relating to structured query language
(SQL) is TRUE?
The correct answer is:
D. SQL serves as an interface between the client, computer, and server.

Explanation:
SQL allows a user to access information without knowing where it is located or
how it is structured. It is easier to use than a programming language and can
generate a set of requests for information stored on different computers in
different locations. SQL is the interface between the front end (client), computer
and the engine acting as the back end (server).

Area: 6
427. A significant problem in planning and controlling a software development
project is determining:
The correct answer is:
C. time and resource requirements for individual tasks.

Explanation:
The most difficult and fundamental problem in software development is deriving
software measures for individual tasks or development activities (analysis,
design, code, and test) in effectively estimating a project's time and/or resource
requirements. This is commonly done through direct software measures (size-
oriented: SLOC, source lines of code; KLOC, thousand lines of code) or indirect
software measures (function points: values for number of user inputs, outputs,
inquiries; number of files and interfaces). For planning and estimating, these
measures are historical (effectiveness on past projects). The other choices are
project management methods and techniques employed that are dependent on
the effectiveness of methods used in deriving accurate and reliable
software development productivity and performance measures.

Area: 6
428. Which of the following is NOT a role of a project sponsor who is involved in a
systems development project?
The correct answer is:
C. Monitors and controls costs and project timetable

Explanation:
The project sponsor provides funding for the project and works closely with the
project manager to define success measurement for the project. Data and
application ownership are also assigned to a project sponsor. However,
responsibility for monitoring and controlling costs and the project timetable is
typically assigned to the project manager.

Area: 6
429. Large scale systems development life cycle (SDLC) efforts:
The correct answer is:
C. require that business requirements be defined before the project begins.

Explanation:
The methodology used should provide for business requirements to be clearly
defined before approval of any development, implementation or modification
project. The phases and deliverables should be decided during the early planning
stages of the project and not throughout its duration. The phases necessary to
complete the project depend on its size and the type of tools being used by the
project team (e.g. prototyping tools or CASE technology). In addition, the selected
methodology must fit a particular organization's practices and size.

Area: 6
430. Which of the following is a reason to involve an IS auditor in systems design
activities?
The correct answer is:
C. It is extremely costly to institute controls after a system becomes operational.

Explanation:
The assurance of adequate controls is the primary reason for an IS auditor's
involvement in the system review process. The fact that these controls can be
designed into the system as opposed to being retrofitted brings tremendous cost
savings to the overall cost of the system. Therefore, this is a basic justification for
involving the IS auditor in the SDLC process.

Area: 6
431. Which of the following would NOT normally be part of a feasibility study?
The correct answer is:
B. Defining the major requirements of the new system.

Explanation:
Defining the problem or need that requires resolution and defining broad or major
requirements of the new system are a part of the requirements definition phase.
All of the other procedures would be completed during the feasibility study phase
of an IS development and acquisition process.

Area: 6
432. Detailed systems specifications do NOT normally include:
The correct answer is:
B. program, operations and user documentation.

Explanation:
Program documentation provides a detailed explanation of how a specific
program is designed and operates. It is often used in the maintenance of the
program and is generally prepared during the development of the program.
Program documentation would, therefore, not be found in the detailed
specifications, which should be prepared prior to coding. Similarly, operations and
user documentation would not be included, since these relate to the operation of
the system and not directly to the details of design. This documentation would
not be prepared until after the detailed system specification phase of systems
development. Choices A, C, and D all represent information necessary for the
completion of the detailed system specification phase of systems development.

Area: 6
433. The purpose of the system development life cycle program and procedure
development phase is to:
The correct answer is:
A. prepare, test and document all computer programs and manual procedures.

Explanation:
The preparation, testing, and documentation of all computer programs and
manual procedures best relate to the program and procedure development
phase. Choices B, C and D relate to earlier phases of the system development life
cycle.

Area: 6
434. The knowledge base of an expert system that uses questionnaires to lead
the user through a series of choices before a conclusion is reached is known as:
The correct answer is:
B. decision trees.

Explanation:
Decision trees use questionnaires to lead a user through a series of choices until
a conclusion is reached. Flexibility is compromised, because the user must
answer the questions in the exact sequence. Rules refer to the expression of
declarative knowledge through the use of IF-THEN relationships. Semantic nets
consist of a graph in which nodes represent physical or conceptual objects and
the arcs describe the relationship between the nodes. Semantic nets resemble a
data flow diagram and make use of an inheritance mechanism to prevent
duplication of data.

Area: 6
435. Structured programming is BEST described as a technique that:
The correct answer is:
B. reduces the maintenance time of programs by the use of small-scale program
modules.

Explanation:
A characteristic of structured programming is smaller, workable units. Structured
programming has evolved because smaller, workable units are easier to maintain.
Structured programming is a style of programming which restricts the kinds of
control structures. This limitation is not crippling; any program can be written
with the allowed control structures. Structured programming is sometimes referred to
as go-to-less programming, since a go to statement is not allowed. This is
perhaps the most well known restriction of the style, since go to statements were
common at the time structured programming was becoming more popular.
Statement labels also become unnecessary, except in languages where
subroutines are identified by labels.

Area: 6
436. Peer reviews that detect software errors during each program development
cycle resulting in faster implementation, better documentation, easier
maintenance and higher programmer morale are called:
The correct answer is:
B. structured walkthroughs.

Explanation:
A structured walkthrough is a management tool for improving programmers'
productivity because programmers will be more careful when they know that their
work will be reviewed by others. This psychological pressure increases
productivity. Also, structured walkthroughs detect incorrect or improper
interpretation of decisions or program specifications. This, in turn, improves the
quality of system testing and acceptance of it. The other choices are used as
methods or tools in the overall systems development process.

Area: 6
437. An IS auditor who plans on testing the connection of two or more system
components that pass information from one area to another would use:
The correct answer is:
C. interface testing.

Explanation:
Interface testing is a hardware or software test that evaluates the connection of
two or more components that pass information from one area to another. Pilot
testing is a preliminary test that focuses on specific and predetermined aspects of
a system and is not meant to replace other methods. Parallel testing is the
process of feeding test data into two systems, the modified system and an
alternative system, and comparing the results. Regression testing is the process of
rerunning a portion of a test scenario or test plan to ensure that changes or
corrections have not introduced new errors. The data used in regression testing is
the same as the data used in the original test.

Area: 6
438. An advantage in using a bottom-up versus a top-down approach to software
testing is that:
The correct answer is:
C. errors in critical modules are detected earlier.

Explanation:
The bottom-up approach to software testing begins with the testing of atomic
units, such as programs and modules, and works upwards until a complete system
test has taken place. The advantages of using a bottom-up approach to
software testing are that there is no need for stubs (simple test drivers that
call the units under test are still required) and that errors in critical modules
are found earlier. The other choices in this question all refer to advantages of a
top-down approach, which follows the opposite path, either in depth-first or
breadth-first search order.

Area: 6
439. During which phase of a system development process would an IS auditor
first consider application controls?
The correct answer is:
D. Functional specification

Explanation:
It is important that IS auditors raise control concerns as early as possible. One
risk during the functional specification is that the requirement for controls is not
clearly specified. The IS auditor should ensure that the business areas specify
their requirement for control at that stage. The construction phase of the project
is often too late for the identification of the controls, since this may require
that changes be made in the design. Controls should be designed in at the
system design stage, but the types of controls should have been identified as part
of the functional specification. The acceptance testing stage is also too late
to identify controls, since this can require major changes to the system.

Area: 6
440. Which of the following quality mechanisms is MOST likely to occur when a
system development project is in the middle of the construction stage?
The correct answer is:
A. Unit tests

Explanation:
During the construction phase, the development team should have mechanisms
in place to ensure that coding is being developed to standard and is working
correctly. Unit tests are key elements of that process in that they ensure that
individual programs are working correctly. They would normally be supported by
code reviews. Stress tests, regression tests and acceptance testing would
normally occur later in the development and testing phases. As part of the
process of assessing compliance with quality processes, IS auditors should verify
that such reviews are undertaken.

Area: 6
441. An IS auditor reviewing a system development project would be MOST
concerned whether:
The correct answer is:
A. business objectives are achieved.

Explanation:
The most important issue in reviewing system development processes, including
the quality assurance process, is to ensure that business objectives are achieved.
A software development project should meet its objectives. Security and control
procedures are to be considered as a subset of business objectives, because
a well-controlled system that does not meet business needs is of little benefit to
the organization.

Area: 6
442. A large number of system failures are occurring when corrections to
previously detected faults are resubmitted for acceptance testing. This would
indicate that the development team is probably not adequately performing which
of the following types of testing?
The correct answer is:
B. Integration testing

Explanation:
A common system development project problem is that faults are often corrected
quickly (especially when deadlines are tight), subject to unit testing by the
programmer, and then transferred to the acceptance test area. This often results
in major system problems, which should have been detected during integration
or system testing, going undetected. Integration testing aims at ensuring that
major components of the system interface correctly.

Area: 6
443. An organization is developing a new business system. Which of the following
will provide the MOST assurance that the system provides the required
functionality?
The correct answer is:
C. Acceptance testing

Explanation:
Acceptance testing is primarily conducted by the users before sign-off. It is
performed by the users from their perspective to confirm whether all the required
functionalities are facilitated by the software. Unit testing is used for testing the
basic functionality of a program. Regression testing is used to compare changes
to an application to ensure that the programs are working the same after a
change as they were working before. Integration testing is used to ensure that all
of the programs in an application are working correctly and that information is
flowing correctly.

Area: 6
444. Which of the following techniques would provide the BEST assurance that
the estimate of program development effort is reliable?
The correct answer is:
A. Function point analysis

Explanation:
The use of estimation techniques, such as function point analysis or lines of code
estimation, provides a firm basis for estimation, particularly if supported by
historic records of past activities. Estimates by an experienced programmer
would be the next best option. However, these may be individualistic and unless
there is a standard approach adopted by the programmer, the estimate can vary
considerably from one programmer to another. Standard project scheduling tools
assist in working out the overall project schedule, but are reliant on the quality of
estimation of individual tasks. They don't give an estimate of actual development
cost.

Area: 6
445. An IS auditor reviewing an organization's test strategy discovers that it is
proposed that the test database be refreshed weekly from a section of the
production database. Which of the following would MOST likely be affected by this
approach?
The correct answer is:
B. Test processing efficiency

Explanation:
A section of the production database may not have all the cases that require
testing. In general it should be supplemented with simulated master records that
include conditions not found in the copied records. Completeness of the testing
would be of concern, but it is not the biggest concern. The documentation of the
test results would be a problem, since the test data would be changing on a
weekly basis, and as a result it would be difficult to keep track of what has been
tested and what has not. Because a copy of the production data is placed in the
test area, the integrity of the information should not be affected.

Area: 6
446. Which of the following would be a major DISADVANTAGE of using prototyping
as a systems development methodology?
The correct answer is:
A. User expectations of project timescales may be over-optimistic.

Explanation:
The fact that prototyping involves demonstrating various external elements of a
completed project to users, such as screen layouts and printed reports, may
cause a user to believe that the project is further advanced than it actually is
(that underlying programmed processes are also completed). This may result in
users having unrealistic expectations of project delivery and lead to friction and
conflict with user departments. Change control may be more difficult, but is
certainly not impossible. Users are unlikely to be involved in day-to-day project
management, and the whole point of prototyping is that users do usually have
sufficient knowledge to assist in system development.

Area: 6
447. An IS auditor involved as a team member in the detailed system design
phase of a system under development would be MOST concerned with:
The correct answer is:
A. internal control procedures.

Explanation:
As a member of the project team, the IS Auditor's primary role is to ensure that
adequate and appropriate control procedures are designed and programmed into
the system. At this stage, user acceptance schedules are not the concern of the
IS Auditor who is specifically involved as a member of the project team. It is also
too early for concern about training programs. Similarly, user procedures are not
the concern of the project team at this stage.

Area: 6
448. The PRIMARY reason for separating the test and development environments
would be to:
The correct answer is:
C. control the stability of the test environment.

Explanation:
The test environment must be controlled and stable in order to ensure that
development projects are tested in a realistic environment which, as far as
possible, mirrors the live environment. Restricting access to test and
development systems can easily be achieved by normal access control methods,
and the mere separation of the environments will not provide adequate
segregation of duties. The IS Auditor must be aware of the benefits of separating
these environments wherever possible.

Area: 6
449. The use of coding standards is encouraged by IS auditors because they:
The correct answer is:
D. ensure compliance with field naming conventions.

Explanation:
Ensuring field-naming conventions is important to ensure that on-going program
maintenance can easily be carried out by different programmers, and that quality
controls are facilitated. Access control tables, program documentation and
dataflow diagram techniques would not normally be included in coding standards.
An IS Auditor has to be aware of such standards and their components so that
they know where to look for information and why such standards are important.

Area: 6
450. During which of the following phases in systems development would user
acceptance test plans normally be prepared?
The correct answer is:
B. Requirements definition

Explanation:
During requirements definition, the project team will be working with the users to
define their precise objectives and functional needs. At this time, the users should
be working with the team to consider and document how the system functionality
can be tested to ensure it meets their stated needs. The feasibility study is far too
early for such detailed user involvement and the implementation planning
and post-implementation review phases are far too late. The IS Auditor should
know at what point user testing should be planned in order to ensure it is
most effective and efficient.

Area: 6
451. In the development of an important application affecting the entire
organization, which of the following would be the MOST appropriate project
sponsor?
The correct answer is:
B. A member of executive management

Explanation:
The project sponsor puts his/her name on a project to emphasize its importance
to the organization, and more easily ensure the commitment and cooperation of
management. Where the development is both important and affects the entire
organization, the sponsor must be of sufficient corporate standing to require such
cooperation. Therefore, a member of the executive team is most appropriate. The
manager of a department may not command automatic support from peers, and
the IS manager and an independent consultant are inappropriate to sponsor such
a development.

Area: 6
452. Which of the following is LEAST likely to be included in the feasibility study?
The correct answer is:
C. Control and audit specifications

Explanation:
The feasibility study enables management to make an executive decision on
whether or not to proceed with a development. To do this, they must be fully
aware of all financial implications, as well as threats to be addressed. Statutory
requirements may represent a threat, and the possibility that new hardware or an
upgraded operating system may be needed are potential costs. Although audit
and control implications may also represent a cost, they would not be specified at
this stage.

Area: 6
453. Which of the following development methods uses a prototype that can
continually be updated to meet changing user or business requirements?
The correct answer is:
D. Rapid application development (RAD)

Explanation:
Only RAD uses prototyping as its core development tool. OOD and DOD use
continuously developing models and BPR attempts to convert an existing
business process rather than make dynamic changes.

Area: 6
454. Which of the following should be included in a feasibility study for a project
to install electronic data interchange (EDI)?
The correct answer is:
C. The necessary communication protocols

Explanation:
Encryption algorithms, detailed agreements and internal control procedures are
too detailed for this phase, where they would only be outlined and any cost or
performance implications shown. The communications protocols must be
included, as there may be cost implications if new hardware and software are
involved, and risk implications if the technology is new to the organization.

Area: 6
455. When reviewing the quality of an IS department's development process, the
IS auditor finds that they do not use any formal, documented methodology and
standards. The IS auditor's MOST appropriate action would be to:
The correct answer is:
C. document the informal standards and test for compliance.

Explanation:
The IS Auditor's first concern would be to ensure that projects are consistently
managed to a standard, so where the standard is claimed to exist, it is most
important to ensure that it is correctly operated, even where this means
documenting the claimed standards first. Merely reporting the issue as a
weakness and closing the audit without findings would not help the organization
in any way, and investigating formal methodologies may be unnecessary if the
existing, informal standards prove to be adequate and effective.

Area: 6
456. Which of the following testing methods is MOST effective during the initial
phases of prototyping?
The correct answer is:
D. Top-down testing

Explanation:
Top-down testing starts with the system's major functions, and works downwards.
The initial emphasis when using prototyping is to create screens and reports, thus
shaping most of the proposed system's features in a short period. Volume and
system testing is performed during final system testing phases. Parallel testing is
not necessarily needed, especially if there's no old system to compare with.

Area: 6
457. IS management has decided to rewrite a legacy customer relations system
using fourth generation languages (4GLs). Which of the following risks is MOST
often associated with system development using 4GLs?
The correct answer is:
D. Inability to perform data intensive operations

Explanation:
4GLs are usually not suitable for data intensive operations. Instead, they are
mainly used for graphic user interface (GUI) design or as simple query/report
generators. Screen/report design facilities are one of the main advantages of
4GLs, and 4GLs have simple programming language subsets. Portability is also
one of the main advantages of 4GLs.

Area: 6
458. Which of the following audit procedures would MOST likely be used in an
audit of a systems development project?
The correct answer is:
D. Review functional requirements documentation

Explanation:
The most likely audit procedure in systems development is the review of the
functional requirements, since this will indicate what the new system is supposed
to provide and how. Based on this documentation other testing may be performed
in order to confirm that the necessary controls and functionality are in place. The
development of test transactions may also be performed if necessary. However,
this would be to assist functional requirements testing. The use of code
comparison utilities compares two copies of the source code to identify
differences and would normally be used for system maintenance. Audit software
programs may be developed if necessary, but this is not performed by an IS Auditor.

Area: 6
459. When a new system is to be implemented within a short timeframe, it is
MOST important to:
The correct answer is:
B. perform user acceptance testing.

Explanation:
It would be most important to complete the user acceptance testing so as to
ensure that the system which is to be implemented is working correctly. The
completion of the user manuals is similar to the performance of code reviews. If
time is tight, the last thing one would want to do is add another enhancement. It
would be necessary to freeze the code and complete the testing, then make any
other changes as future enhancements. It would be appropriate to have the code
documented and reviewed, but unless the acceptance testing is completed, there
is no guarantee that the system will work correctly and meet user requirements.

Area: 6
460. The PERT diagram below should be used to answer the following question.

The arrows and letters A through H in the diagram represent:

The correct answer is:
B. activities.

Explanation:
The arrows and associated letters represent activities. The circled numbers (1-6)
represent specific events (for example, the start or end of a specific activity).
Predecessor and successor points are events that simply precede or succeed
another event. For example, event 1 precedes events 2 through 4, while event 6
succeeds event 5.

Area: 6
461. The PERT diagram below should be used to answer the following question.

Which of the following project completion paths represents the critical path?

The correct answer is:
B. AFGH

Explanation:
The critical path is the path that takes the longest. In this example the critical
path is AFGH, which will take 14 weeks to complete. Path CGH will take 13 weeks,
path AEH 12 weeks and path BDGH 11 weeks.

Area: 6
462. The PERT diagram below should be used to answer the following question.

Which of the following activities must be completed on time to ensure that the
project is not delayed?
The correct answer is:
D. Activity F

Explanation:
Since activity F lies on the critical path, any delay in this activity will delay the
project. Delays in other activities may or may not delay the completion of the
project.
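
As an added worked example (not from the question bank), the critical-path computation that the three PERT questions above rely on, in Python. The diagram itself is not reproduced on the page, so the activity durations below are assumptions chosen only so that the four paths total the weeks quoted in the explanation of question 461 (AFGH 14, CGH 13, AEH 12, BDGH 11); the event numbering (1 to 6, arrows A to H) follows the explanation of question 460. The forward pass gives each event's earliest time, the backward pass its latest time, and an activity with zero float between them is on the critical path.

```python
from collections import defaultdict, deque

# Constructed PERT network. The durations (weeks) are assumptions chosen so
# that the four paths total the values quoted in question 461; the real
# diagram is not reproduced on the page.
ACTIVITIES = {
    # name: (from_event, to_event, duration_weeks)
    "A": (1, 2, 3),
    "B": (1, 3, 2),
    "C": (1, 4, 6),
    "D": (3, 4, 2),
    "E": (2, 5, 6),
    "F": (2, 4, 4),
    "G": (4, 5, 4),
    "H": (5, 6, 3),
}


def topological_order(activities):
    """Kahn's algorithm over the event nodes. A PERT network must be acyclic,
    so a leftover node means the input is malformed."""
    indegree = defaultdict(int)
    succ = defaultdict(list)
    nodes = set()
    for name, (u, v, _) in activities.items():
        nodes.update((u, v))
        indegree[v] += 1
        succ[u].append((v, name))
    queue = deque(sorted(n for n in nodes if indegree[n] == 0))
    order = []
    while queue:
        n = queue.popleft()
        order.append(n)
        for v, _ in succ[n]:
            indegree[v] -= 1
            if indegree[v] == 0:
                queue.append(v)
    if len(order) != len(nodes):
        raise ValueError("network contains a cycle")
    return order, succ


def critical_path(activities):
    """Forward pass (earliest event times), backward pass (latest event times),
    then follow the zero-float activities from the start event to the single
    end event. Returns (path_names, project_duration, float_by_activity)."""
    order, succ = topological_order(activities)
    pred = defaultdict(list)
    for name, (u, v, d) in activities.items():
        pred[v].append((u, name, d))

    early = {n: 0 for n in order}
    for n in order:
        for u, _, d in pred[n]:
            early[n] = max(early[n], early[u] + d)
    finish = order[-1]            # assumes one end event, as in a PERT chart
    duration = early[finish]

    late = {n: duration for n in order}
    for n in reversed(order):
        for v, name in succ[n]:
            late[n] = min(late[n], late[v] - activities[name][2])

    # float = how long an activity can slip without delaying the project
    floats = {name: late[v] - early[u] - d
              for name, (u, v, d) in activities.items()}

    path, node = [], order[0]
    while node != finish:
        for v, name in succ[node]:
            if floats[name] == 0:
                path.append(name)
                node = v
                break
        else:
            raise ValueError("no zero-float successor; inconsistent network")
    return path, duration, floats


def path_duration(activities, names):
    """Total duration of an arbitrary path given as a sequence of activity names."""
    return sum(activities[n][2] for n in names)


if __name__ == "__main__":
    path, weeks, floats = critical_path(ACTIVITIES)
    print("critical path:", "".join(path), "=", weeks, "weeks")
    for name, slack in sorted(floats.items()):
        print(f"activity {name}: float {slack} week(s)")
```

Running it reports AFGH as the 14-week critical path with A, F, G and H at zero float, which is exactly why question 462 singles out activity F: the other activities on offer (B, D and E here) carry float and can slip by that amount without moving the end date.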

Area: 6
463. Which of the following should NOT be criteria related to the decision to
acquire system software?
The correct answer is:
C. Similarity of the acquired system software to that currently in use

Explanation:
The process should be proactive and reach out for new solutions and approaches,
not reactive and preserving the status quo. All other answers are part of the
decision making process.

Area: 6
464. Which of the following is NOT considered an advantage of packaged
software?
The correct answer is:
C. Increased processing efficiencies

Explanation:
Increased processing efficiencies may not be realized with a packaged software
system. Usually in-house developed systems are more efficient because they are
developed for a specific resource environment.

Area: 6
465. Which of the following would NOT be a reason for IS Audit involvement in
information systems contractual negotiations?
The correct answer is:
D. Only the IS auditor can determine whether the controls in the system are
adequate.

Explanation:
Users, quality assurance personnel, security personnel, systems analysts and
other personnel also could assess controls. However, the IS Auditor usually has
more experience and expertise in assessing controls. Also, control assessment is
not a factor of contract negotiations. The assessment of adequate controls should
have been completed before making the decision to acquire the system.

Area: 6
466. If the decision has been made to acquire software rather than develop it
internally, this decision is normally made during the:
The correct answer is:
B. feasibility study phase of the project.

Explanation:
Software acquisition is not a phase in what is regarded as the standard system
development life cycle. However, if a decision is made to acquire rather than
develop software, this process should occur after the requirements definition
phase, and the decision is normally made in the feasibility study phase.

Area: 6
467. Which of the following is NOT an advantage of concurrent software
licensing?
The correct answer is:
D. Users must wait for access, if all concurrent access sessions are in use.

Explanation:
Users must wait in line if all concurrent access sessions are in use. All other
answers are advantages of using concurrent software licensing.

Area: 6
468. Which of the following BEST describes the necessary documentation of an
enterprise product reengineering (EPR) software installation?
The correct answer is:
C. All phases of the installation must be documented

Explanation:
Following, or within, a BPR action, a global enterprise product reengineering (EPR)
software package can be applied to the business with the relevant parameters to
replace, simplify and improve the quality of IT processing. Documentation is
intended to help understand how, why and which solutions have been
selected and implemented, and therefore must be specific to the project.
Documentation is also intended to support quality assurance and must be
comprehensive.

Area: 6
469. When auditing the requirements phase of a software acquisition, an IS
auditor would:
The correct answer is:
D. ensure that control specifications have been defined.

Explanation:
During the requirements phase of a software acquisition the IS Auditor should
verify the detailed requirements definition document, including reviewing
conceptual design specifications. The IS Auditor would identify and determine the
criticality of the need and verify all cost justifications/benefits and present how
anticipated benefits will be realized during the feasibility phase. The assessment
of the adequacy of audit trails would take place during the detailed design and
programming phase.

Area: 6
470. A company has contracted an external consulting firm to implement a
commercial financial system to replace its existing in-house developed system. In
reviewing the proposed development approach, which of the following would be
of GREATEST concern?
The correct answer is:
B. A quality plan is not part of the contracted deliverables.

Explanation:
A quality plan is an essential element of all projects. It is critical that the
contracted supplier is required to produce such a plan. The quality plan for the
proposed development contract should be comprehensive and encompass all
phases of the development and include what business functions will be catered to
and when. Acceptance is normally managed by the user area, since they must be
satisfied that the new system will meet their requirements. If the system is large,
a phased-in approach to implementing the application is a reasonable approach.
Prototyping is a valid method of ensuring that the system will meet business
requirements.

Area: 6
471. Which of the following should be in place to protect the purchaser of an
application package in the event that the vendor ceases to trade?
The correct answer is:
A. Source code held in escrow.

Explanation:
Contractual obligations may not be enforceable if the vendor ceases to trade, and
training is irrelevant, as programmers cannot maintain an application unless
source code is available. Thus, having object code available is also not an
adequate solution. Only ensuring that the source code can be obtained in the
event that the vendor cannot provide support will protect the purchaser.

Area: 6
472. Change management procedures are established by IS management to:
The correct answer is:
A. control the movement of applications from the test environment to the
production environment.

Explanation:
Change management procedures are established by IS management to control
the movement of applications from the test environment to the production
environment. Problem escalation procedures control the interruption of business
operations from lack of attention to unresolved problems, and quality assurance
procedures verify that system changes are authorized and tested.

Area: 6
473. Which of the following system software elements enables complex system
maintenance?
The correct answer is:
A. System exits

Explanation:
System exits are special system software facilities that permit the user to perform
complex system maintenance. They often exist outside of the computer security
system and thus are not restricted or reported in their use. Special system logon-
IDs are logons provided by a vendor; network change controls consist of
terminals, communication lines, modems, switches and the CPU; and bypass label
processing bypasses computer reading of the file label.

Area: 6
474. Which of the following program change controls is NOT the responsibility of
the user department?
The correct answer is:
A. Updating documentation to reflect all changes

Explanation:
System documentation is the responsibility of the information systems
department as it is considered a function of maintenance.

Area: 6
475. Which of the following is MOST effective in controlling application
maintenance?
The correct answer is:
C. Obtaining user approval of program changes

Explanation:
User approvals of program changes will ensure that changes are correct as
specified by the user and that they are authorized. Therefore, erroneous or
unauthorized changes are less likely to occur, minimizing system downtime and
errors.

Area: 6
476. Which of the following should be tested if an application program is modified
in an authorized maintenance procedure?
The correct answer is:
D. The complete program, including any interface systems

Explanation:
The complete program with all interfaces needs to be tested to determine the full
impact of a change to program code. Usually the more complex the program, the
more testing that is required.

Area: 6
477. A post-implementation review of a new or extensively modified system is
usually performed by:
The correct answer is:
D. project development team and end-users.

Explanation:
A post-implementation review is usually performed jointly by the project
development team and the appropriate end-users. Typically, the focus of this type
of internal review is to assess and critique the project process.

Area: 6
478. In regard to moving an application program from the test environment to the
production environment, the BEST control would be provided by having the:
The correct answer is:
D. production control group copy the source program to the production libraries
and then compile the program.

Explanation:
Best control would be provided by having the Production Control Group copy the
source program to the production libraries and then compile the program.

Area: 6
479. Utilizing audit software to provide code comparisons of production programs
is an audit technique used to test program:
The correct answer is:
B. changes.

Explanation:
The use of audit software to compare production programs is an audit technique
used to test change control.

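
An added example (not part of the question bank) of the code comparison technique referred to in questions 458 and 479, in Python: an approved baseline copy of each production program is compared with the copy found in the production library, and every difference found is then reconciled against the change-request log, so that a changed or newly appeared program without an approved change is reported as a change control exception. The program sources, program names and the approved-change set are constructed sample data.

```python
import difflib
import hashlib

# Constructed sample data: the approved baseline held by the auditor and the
# copies found in the production library. Not taken from the page.
BASELINE = {
    "PAYCALC": (
        "def gross_pay(hours, rate):\n"
        "    overtime = max(0, hours - 40)\n"
        "    return hours * rate + overtime * rate * 0.5\n"
    ),
    "TAXCALC": (
        "def tax(gross):\n"
        "    return round(gross * 0.2, 2)\n"
    ),
}

PRODUCTION = {
    "PAYCALC": (
        "def gross_pay(hours, rate):\n"
        "    overtime = max(0, hours - 35)\n"      # overtime threshold altered
        "    return hours * rate + overtime * rate * 0.5\n"
    ),
    "TAXCALC": BASELINE["TAXCALC"],                 # identical to baseline
    "BONUS": "def bonus(gross):\n    return gross * 0.1\n",  # not in baseline
}

# Constructed change-request log: only TAXCALC had an approved change.
APPROVED_CHANGES = {"TAXCALC"}


def digest(text):
    """Content hash used for a quick equal/not-equal test before diffing."""
    return hashlib.sha256(text.encode()).hexdigest()


def compare_programs(baseline, production):
    """Classify every program present in either library.

    Returns (statuses, details): statuses maps program -> one of
    'unchanged', 'changed', 'missing_in_production',
    'unauthorized_in_production'; details holds a unified diff for each
    changed program so the auditor can see exactly what moved."""
    statuses, details = {}, {}
    for name in sorted(set(baseline) | set(production)):
        if name not in production:
            statuses[name] = "missing_in_production"
        elif name not in baseline:
            statuses[name] = "unauthorized_in_production"
        elif digest(baseline[name]) == digest(production[name]):
            statuses[name] = "unchanged"
        else:
            statuses[name] = "changed"
            details[name] = "".join(difflib.unified_diff(
                baseline[name].splitlines(keepends=True),
                production[name].splitlines(keepends=True),
                fromfile=f"baseline/{name}", tofile=f"production/{name}"))
    return statuses, details


def changed_lines(diff_text):
    """Count (added, removed) lines in a unified diff, ignoring file headers."""
    lines = diff_text.splitlines()
    added = sum(1 for l in lines if l.startswith("+") and not l.startswith("+++"))
    removed = sum(1 for l in lines if l.startswith("-") and not l.startswith("---"))
    return added, removed


def unapproved_changes(statuses, approved):
    """Programs that differ from baseline (or are new) with no approved change."""
    return sorted(n for n, s in statuses.items()
                  if s in ("changed", "unauthorized_in_production")
                  and n not in approved)


if __name__ == "__main__":
    statuses, details = compare_programs(BASELINE, PRODUCTION)
    for name, status in statuses.items():
        print(f"{name}: {status}")
    for name, diff in details.items():
        print(diff)
    print("change control exceptions:", unapproved_changes(statuses, APPROVED_CHANGES))
```

The hash comparison only says whether two copies are identical; the unified diff is what lets the reviewer judge whether the PAYCALC change (the overtime threshold) matches any approved request, and the reconciliation step is the actual test of change control: here both PAYCALC and BONUS surface as exceptions because neither appears in the approved-change log.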
Area: 6
480. Which of the following BEST describes the process used to solve a year or
date problem in a current operating system?
The correct answer is:
C. Testing, verification, and validation of converted or replaced platforms,
applications, databases, and utilities

Explanation:
Testing, verification, and validation of converted or replaced platforms,
applications, databases, and utilities are processes performed for converted or
replaced platforms, applications, databases, and utilities. Choices A, B and D are
representative of processes for the design of a new application system.

Area: 6
481. Which of the following would NOT represent a strong test approach for an
organization attempting to solve a year or date problem in a current operating
system?
The correct answer is:
D. Use of integrated power tools that support testing of critical application
prototypes and establishment of a central repository for requirements coming out
of this process.

Explanation:
Use of integrated power tools is a feature of rapid application development
methods for testing new prototype systems, not existing systems. Any
applicability to year or date conversion efforts would be an indirect benefit of its
primary function. Choices A, B and C are part of a strong test approach for an
organization attempting to solve a year or date problem in a current operating
system.

Area: 6
482. An advantage to setting a stop or freezing point on the design of a new
project is to:
The correct answer is:
C. require changes after that point be reviewed and evaluated for cost-
effectiveness.

Explanation:
Projects often have a tendency to expand, especially during the requirements
definition phase. This expansion often grows to a point where the originally
anticipated cost benefits are diminished because the cost of the project has
increased. When this occurs it is recommended that the project be stopped or
frozen to allow a re-review of all of the remaining cost benefits and the payback
period.

Area: 6
483. All of the following system maintenance controls are the responsibility of the
user department EXCEPT:
The correct answer is:
B. updating systems documentation to reflect all changes.

Explanation:
System documentation is the responsibility of the information systems
department as it is considered a function of maintenance. Choices A, C and D are
the responsibility of the user department.

Area: 6
484. If an application program is modified and proper system maintenance
procedures are in place, which of the following should be tested?
The correct answer is:
C. The complete program, including any interface systems

Explanation:
The complete program with all interfaces needs to be tested to determine the full
impact of a change to program code. Usually the more complex the program, the
more testing that is required.

Area: 6
485. An IS auditor performing an application maintenance audit would review a
manually prepared log of program changes to determine the:
The correct answer is:
A. number of authorized program changes.

Explanation:
The manual log will most likely contain only information on authorized changes to
a program. Deliberate, unauthorized changes will not be documented by the
responsible party. An automated log, found usually in library management
products, will most likely contain date information for the source and executable
modules.

Area: 6
486. Ideally, stress testing should only be carried out in a:
The correct answer is:
C. test environment using live workloads.

Explanation:
Stress testing is carried out to ensure a system can cope with production
workloads, but as it may be tested to destruction, a test environment should
always be used to avoid damaging the production environment. Hence, testing
should never take place in a production environment (B and D) and if only test
data is used, there is no certainty that the system was adequately stress tested.

Area: 6
487. When auditing the proposed acquisition of a new computer system, the IS
auditor should FIRST establish that:
The correct answer is:
A. a clear business case has been approved by management.

Explanation:
The first concern of the IS auditor should be to establish that the proposal meets
the needs of the business, and this should be established by a clear business
case. Although compliance with security standards is essential, as are meeting
the needs of the users and having users involved in the implementation process,
it is too early in the procurement process for these to be the IS auditor's
first concern.

Area: 6
488. Which of the following is an object-oriented technology characteristic that
permits an enhanced degree of security over data?
The correct answer is:
C. Encapsulation

Explanation:
Encapsulation is a property of objects because of which it is not possible to
access either properties or methods that have not been previously defined as
public. This means that any implementation of the behavior of an object is not
accessible. An object defines a communication interface with the exterior and
only whatever belongs to that interface can be accessed.

Area: 6
489. The objective of software test designs is to provide the highest likelihood of
finding most errors with a minimum of time and effort. Which of the following
methods is LEAST likely to meet the design objective?
The correct answer is:
B. White box testing predicated on a close examination of procedural detail of all
software logical paths.

Explanation:
White box testing is predicated on a close examination of procedural detail where
logical paths through the software are tested by providing test cases that exercise
specific sets of conditions and/or loops. However, such exhaustive testing is
impossible for large software systems with thousands of logical paths to review.
Instead a tester would limit his/her review to a select few critical paths for
review. Choices A, C, and D are applicable in finding most errors with a minimum
of time and effort. Black box testing during integration testing examines
some aspect of the system (usually at an interface) with little regard for
the internal logical structure of the software. Regression testing is used to assure
that no new errors have been introduced, and a software test design incorporates
a bottom-up strategy in assuring adequate levels of testing occur.

Area: 6
490. All of the following are used as cost estimating techniques during the project
planning stage EXCEPT:
The correct answer is:
A. PERT charts.

Explanation:
A PERT chart is not a cost estimation technique but rather assists in identifying the
critical path. It ensures that proper planning and tracking is done. However, it will
not help in cost estimation. The other options are techniques that could be used
for estimating costs in a planning stage for a project. Function points are used
to estimate the workload and contents of the proposed system and hence
indirectly for the resource requirements as well. The Delphi technique is used to
resolve the difference of opinions between various individuals who estimate the
resource need. This is done by arriving at a consensus by mutual discussions
and refinement adjustment to the estimates in successive rounds. Expert
judgment is the most widely used technique, where based on his/her prior
experience, the person plots an estimate for the given project.

Area: 6
491. Which of the following is a dynamic analysis tool for the purpose of testing of
software modules?
The correct answer is:
A. Black box test

Explanation:
A black box test is a technique considered a dynamic analysis tool for testing
software modules. During the testing of software modules a black box test works
first in a cohesive manner as one single unit/entity, consisting of numerous
modules and second, together with the user data that flows across software
modules. In some cases this even drives the software behavior. In choices B, C
and D, the software (design or code) remains static and somebody simply closely
examines it by applying his/her mind, without actually activating the software.
Hence, these cannot be referred to as dynamic analysis tools.

Area: 6
492. The primary purpose of a system test is to:
The correct answer is:
C. evaluate the system functionally.

Explanation:
The primary reason why a system is tested is to evaluate the entire system
functionality. The other choices are incorrect.

Area: 6
493. When implementing an application software package, which of the following
presents the GREATEST risk?
The correct answer is:
C. Parameters are not set correctly

Explanation:
Parameters that are not set correctly would be of greatest concern when
implementing an application software package. The other choices, though
important, are a concern of the provider, not the organization that is
implementing the software itself.

Area: 6
494. For the design and programming of an information system, which is the
typical sequence in which participation of these individuals should occur?
The correct answer is:
C. Functional analyst, technical analyst, programmer

Explanation:
Functional analyst, technical analyst, programmer is the typical sequence since
the functional analyst needs to identify the right functionality of a system before
the technical analyst can decide which tools would be best to structure the
system. The programmer is the last individual to participate in the process of
designing and programming any system.

Area: 6
495. In the design of an application system, the IS auditor:
The correct answer is:
A. should participate to ensure appropriate controls are included in the system.

Explanation:
The IS auditor should participate in the design of an application system to provide
his/her opinion regarding the controls that need to be included in the system. By
no means should the auditor code or define all the controls within the system
because this would affect his/her independence.

Area: 6
496. Which of the following controls would be MOST effective in ensuring that
production source code and object code are synchronized?
The correct answer is:
D. Date and time-stamp reviews of source and object code

Explanation:
Date and time-stamp reviews of source and object code would ensure that source
code which has been compiled has been used. This is the most effective way to
ensure that the approved production source code is compiled and used.

Area: 6
497. Following the development of an application system, it is determined that
several design objectives have not been achieved. This is MOST likely to have
been caused by:
The correct answer is:
A. insufficient user involvement.

Explanation:
Insufficient user involvement is the most common reason for the failure of an
application system development.

Area: 6
498. During a post-implementation review of an enterprise resource management
system an IS auditor would MOST likely:
The correct answer is:
A. review access control configuration.

Explanation:
Reviewing access control configuration would be the first task performed to
determine whether security has been mapped appropriately in the system. Since
it concerns a post-implementation review that is usually done after user
acceptance testing and actual implementation, one would not engage in interface
testing or detailed design documentation, which will probably be out of date.
Evaluating interface testing would be part of the implementation process. The
issue of reviewing detailed design documentation is not generally relevant to
an enterprise resource management system since these are usually vendor
packages with user manuals. System testing is also normally performed before
final user sign off.

Area: 6
499. An executable module is about to be migrated from the test environment to
the production environment. Which of the following controls would MOST likely
detect an unauthorized modification to the module?
The correct answer is:
A. Object code comparison

Explanation:
The IS auditor would probably want to review access control to ensure that users
have been properly set up with the appropriate level of authorization while
ensuring that IS staff are removed or limited in their access. Since the module is
in executable form, only object code comparison would detect the change, not a
source code comparison. Timestamps and manual inspection are far less
effective.

Area: 6
500. The use of object-oriented design and development techniques would MOST
likely:
The correct answer is:
A. facilitate the ability to reuse modules.

Explanation:
One of the major benefits of object-oriented design and development is the ability
to reuse modules. The other options do not necessarily require such a technique.

Area: 6
