Sheet1

Question No. column: values 1 through 3090 (this column was extracted on its own; the pairing of each number with its question text is not recoverable from this page)

Question
All of the following assumptions about legacy application systems are correct except
For a high-security installation, the most effective physical access control device is
In switching over to an Electronic Fund Transfer (EFT) environment, which of the following risks DOES NOT occur?
The most appropriate concurrent audit tool whose complexity is very high and useful when regular processing cannot be i
Which of the following applet intrusion issues poses the GREATEST risk of disruption to an organisation?
Which of the following is NOT TRUE about a database management system application environment?
Which one of the following network architectures is designed to provide data services using physical networks that are mo
Which of the following is not a function of operations management:
Which of the following tests would be used to ensure whether a software product fails or not?
Symbolic evaluation is an error detection method. Where would you handle this? 'An error detection technique "symbolic
Which of the following decisions most likely cannot be made on the basis of performance monitoring statistics that are ca
Control over data preparation is important because:
The difference between SCARF and Continuous and Intermittent Simulation (CIS) is:
Computer viruses could be detected by which one of the following actions?
Concentration technique in a communication network DOES NOT
The System Auditor primarily uses the information provided by a detailed understanding of the Information system controls an
The advantage of tagging live transactions in an Integrated Test Facility (ITF) as against designing new test data is that:
For an effective implementation of a continuous monitoring system, which of the following is identified as the FIRST and F
Before disposing of the PC used for storing confidential data, the most important precautionary measure to be taken is
The Internet was established NOT for
OSI model of ISO presents a model of seven layers through which data communication across computers passes. Encry
All of the following should be in place prior to programming except:
The biggest benefit of prototyping is:
In determining good preventive and detective security measures practised by an employee, the IS auditor places the HIG
The DISADVANTAGE in cross training employees is that:
The following is an advantage of using link encryption
An electronic device that combines data from several low-speed communication lines into a single high-speed line is a:
To determine the authorized sign on in an EDI transaction, the EDI system uses the following method
The test of access control, over a distributed database, can be carried out by
The most appropriate audit strategy for a large organisation which relies on comprehensive user controls over the micro c
In data processing, which of the following causes the maximum losses
Mr. R. sends a signed message to Mr. S. If Public Key cryptosystem is used for sending the messages, then Mr. R. encryp
Network performance monitoring tools will MOST affect which of the following?
The Digital Signature system uses the services of an Arbitrator to prevent
The initial validation control for a credit card transaction capture application would MOST likely be to:
Which of the following statements is FALSE for Equipment mean-time-between-failure (MTBF)?
The following estimates the probability of a computer system being destroyed in a natural disaster and the corresponding
The software test objective of operating in different platforms is achieved by conducting:
An apparent error in input data describing an inventory item was detected and the issue was referred back to the originatin
Networks are growing day-by-day. Which one of the following components of such growth is most difficult to predict?
After you enter a purchase order in an on-line system, you get the message, The request could not be processed due to
Which one of the following audit techniques would likely provide a Systems Auditor assurance about the effectiveness a
The risk that the conclusion based on a sample might be different from the conclusion based on examination of the entire
The communication of signals is subjected to noise MOST LIKELY because of
Which of the following activities should not be permitted when operators use a communications network control terminal:
An auditor performing a statistical sampling of the financial transactions in a financial MIS would BEST use:
The duties of a Database Administrator do NOT comprise:
The duty of the Quality Assurance Group is
Rollforward and rollback are two important techniques for backup. Which among the following should be logged for facilita
The residual dump technique in backup has the disadvantage of
Rollback is easily accomplished with differential file backup technique for which of the following reasons?
Which of the following is not true in respect of Expert systems?
What makes Rapid prototyping technique portable?
All of the following assumptions about legacy application systems are correct except
Identify the EARLIEST software development model
For consideration of outsourcing of computer operations which is the factor that would LEAST indicate the same.
The programmed check that ensures that required fields on a data entry screen are NOT left blank is
The following is an advantage of using link encryption
End-to-end encryption provides only limited protection against a subversive attack that uses:
Which of the following is not an audit objective in the review of hardware acquisition?
In Information Technology projects, which of the following factors is most crucial?
Out of the following pairs of services, which provides an access control over a network of computers
The major risk in the prototyping model is:
Prototyping approach to system design is resorted to when
There are various techniques for telecommunication controls. Confidentiality of data is BEST maintained by
When users of an information system are dispersed over a wide area and are authorized to use dial-up lines for getting ac
Which of the following is NOT TRUE about a database management system application environment?
Which of the following is not a function of operations management:
A majority of defects are attributed to a small number of causes. Which of the following basic tools would BETTER depict th
The internal auditor's first job while trying to identify the components of a telecommunication system posing the GREATE
Symbolic evaluation is an error detection method. Where would you handle this? 'An error detection technique "symbolic
Which of the following activities would not be performed by control section personnel when they collect the output of a b
Which of the following risks is not greater in an electronic funds transfer (EFT) environment than in a manual system usin
The duty of the Quality Assurance Group is
Which of the following data base environment controls enforces access rules in addition to maintaining standardized defin
An insurance company is planning to implement new standard software in all its local offices. The new software has a fas
A company has entered into a contract with a service provider to outsource network and desktop support, and the relation
Control over data preparation is important for:
The quantification of the sample size depends on which of the following criteria.
A procedure to have an overall environmental review which is NOT performed by an IS auditor during pre audit planning i
The application run manual would normally comprise:
Which of the following controls would address the concern that data uploaded from a microcomputer to the company's m
An IS Auditor, concerned that application controls are not adequate to prevent duplicate payment of invoices, decided to r
An IS auditor carrying out a review of logical access control shall have the PRIMARY OBJECTIVE of
Incorrect initialization occurs on account of which of the following faults?
The biggest benefit of prototyping is:
The comment which is NOT true regarding ISO 9000 is
Auditors of IS face an acute problem of evaluating the general authorization methods in a computerized accounting syste
Which of the following is not a function of operations management:
A detective control designed to establish the validity and appropriateness of numeric data elements, and to guard against
The complete information about all data in a database is found in:
Use of public key infrastructure by an eCommerce site, where public key is widely distributed and the private key is for the
Which of the following is NOT a proper responsibility of functional users?
Which one of the following is NOT an essential component of a distributed computing environment?
Which one of the following is NOT true relating to the use of fiber optics:
Which one of the following pairs, when performed simultaneously, would pose a major Risk?
Which of the following represents a typical prototype of an interactive application?
A large organization with numerous applications running on its mainframe system is experiencing a growing backlog of un
Which of the following is not a function of operations management:
The following message service provides the strongest protection about the occurrence of a specific action:
Which one of the following techniques is represented by structured analysis and design?
Symbolic evaluation is an error detection method. Where would you handle this? 'An error detection technique "symbolic
Which would ensure that IS organizations do not take more resources for less output?
Which of the following controls would prevent unauthorized access to specific data elements in a database management
When constructing the communications infrastructure for moving data over a local area network, the major implementatio
Which of the following activities should not be permitted when operators use a communications network control terminal:
User interface prototyping may NOT focus on:
Rollback is easily accomplished with differential file backup technique for which of the following reasons?
Personal Computers and Notebook computers have both a floppy disk drive and a hard disk drive. The major difference b
Due Professional Care requires an IS auditor to possess which of the following qualities?
A company has policy to purchase microcomputer software only from recognized vendors and prohibit employees from in
Which of the following systems are MOST important for business resumption following a disaster?
Rollback is easily accomplished with differential file backup technique for which of the following reasons?
Most important risk to be addressed in an electronic data interchange (EDI) transaction is:
Prototyping approach does not assume the existence of
The requirements specification phase needs a lot of operational viewpoint input in the early stage of a system developme
Which of the following is not a function of operations management:
Which one of the following transmission media is unsuitable for handling intrabuilding data or voice communications?
The technical support personnel should have unlimited access to all data and program files to do their job. Which of the f
The public audit trail of a Digital Signature system will not contain which of the following?
In Information Technology projects, which of the following factors is most crucial?
The class of control used to overcome problems before they acquire gigantic proportions is:
The DES is an example of a:
The initial validation control for a credit card transaction capture application would MOST likely be to:
The MOST secured access control mechanism is
The class of control used to minimise the impact of a threat is:
Which of the following is FALSE with regard to a public key cryptosystem?
Which of the following can be construed as a COMPREHENSIVE preventive method in locating a bug?
Which one of the following is not an operating control:
The duties of Computer Operations do NOT comprise:
The System Auditor primarily uses the information provided by a detailed understanding of the Information system controls a
The snapshot technique involves:
The validity of a program recalculation could be audited by the following techniques except:
In a data processing environment, where the data is centrally stored at a database and data entry is carried out from rem
Rollback is easily accomplished with differential file backup technique for which of the following reasons?
Where access control mechanism is implemented in an open environment, the users are allowed to access a resource:
During the review of logical access controls over a company's various application systems, an auditor found that access c
An IS auditor reviewing an organisation's Business Continuity Plan discovered that the software backups are not stored in
In which phase of the SDLC is desk checking practiced?
In the system development life cycle approach, which of the following is MOST likely to be constant?
In order to achieve the requirements of the user, the BEST option in acquiring an off-the-shelf applications software packa
Which of the comments about Business Process Re-engineering (BPR) is NOT false?
While valuing the assets, an information systems(IS) auditor is likely to value MOST
A company's management wants to implement a computerised system to facilitate communications among auditors, who
Personal Computers and Laptops have both a floppy disk drive and a hard disk drive. The major difference between the t
Electronic methods of data transfer are involved in all of the following except:
The database administrator is not responsible for which one of the following functions?
The major reason why quality metrics need to be chosen for a specific information systems project is:
Which of the following is most unlikely to be a reason for having QA personnel responsible for formulating, promulgating,
It would not be possible to use the Checkpoint/restart facilities when:
An IS auditor performing a telecommunication access control review would focus the MOST attention on the:
During the detailed design phase of the SDLC, which one of the following tasks is performed?
Implementing a large distributed system involves a number of unique risks arising from both technical and management is
A large organization with numerous applications running on its mainframe system is experiencing a growing backlog of un
With respect to AI, a heuristic refers to:
Which of the following is not a function of operations management:
A PIN if stored for reference purposes, must be stored in:
Which of the following tests would be used to ensure whether a software product fails or not?
In monitoring and controlling a system development life cycle project what is NOT formal and documented?
When constructing the communications infrastructure for moving data over a local area network, the major implementatio
Which of the following functions cannot be performed using a communications network control terminal:
When using message switching in a communication network, the following is not a desirable control?
Which of the following utilities can be used to directly examine the quality of data in the database:
Evaluation of which of the following functional areas CANNOT be carried out by risk assessment techniques.
A control is NOT designed and implemented to:
The work schedule of a clerk in a Control Group is of
The duties of Computer Operations do NOT comprise:
To protect computer systems from short-term power fluctuations, the best environmental control is
A main advantage of a standard access control software implemented properly is
Which of the following is not a major benefit of applications software prototyping?
In Information Technology projects, which of the following factors is most crucial?
Identify the factor that is not part of an expert system architecture.
The software test objective of operating in different platforms is achieved by conducting:
Identify the EARLIEST software development model
What is the major risk that is faced by a user organization during system integration projects?
In segregation of duties, the organisation will be exposed to a very HIGH risk if the duties of
The least commonly used medium for local area network (LAN) environment is:
In an online processing system, to reconstruct correctly the interrupted transactions on a failure, the system should have
Which of the following terms best describes the purpose of control practice over the input
Output control is best described by which of the following?
Access to a computer system is conditional upon success of the authentication process. The best methodology of authen
Electronic card access system is used to control access to a data centre. The documentation for this system should be up
Identify the non-cost factor while analysing feasible system alternatives for an organisation.
Passwords belong to the following class of authentication information:
The DES is an example of a:
Which of the following instruments is used to measure atmospheric humidity in Data Centres?
Which of the following is a responsibility of computer operations department?
Which of the following represents a typical prototype of an interactive application?
The software test objective of operating in different platforms is achieved by conducting:
The most important factor while creating test data for checking a system, is :
When a store uses a point of sale device to record the sale of an item, which of the following sequences of activities best
Which one of the following is not an operating control:
Which one of the following uses a modem technology as a common means of communicating between computers?
Analyzing data protection requirements for installing a local area network (LAN) does not include:
System Auditor primarily uses the information provided by a detailed understanding of the Information system controls a
Concentration technique in a communication network DOES NOT
PC-based analysis and design tools are used along with mainframe computer-based tools.
Which one of the following is not a substantive test?
Testing of the accuracy of the interest collected on lending by a financial institution is a/an
Which of the following controls would address the concern that data uploaded from a microcomputer to the company's m
The control procedure of installing the anti-virus software in the system is called
Interference is resisted MOST by
Ring topologies have an edge over bus topologies. Which of the following statements is FALSE?
Which one of the following is performed FIRST in a system development life cycle project?
Which one of the following graphical user interface (GUI) development approaches would create more user-friendly intera
Which of the following system life factors is most difficult to control by a user organization?
Which of the following statements about national and international information systems standard is true?
The following is not a desirable property of a cipher system:
The person responsible for providing access rights to each of the user and access profile for each data element stored in
In a manufacturing company, which of the following computer files is MOST critical?
A major design consideration for local area networks that replaces stand alone computing in an organisation include:
Confidentiality and data integrity services are provided in a network in which of the following layers of the ISO/OSI model?
Many automated tools are designed for testing and evaluating computer systems. Which one of the following such tools im
The most appropriate concurrent audit tool whose complexity is very high and useful when regular processing cannot be i
The estimate of time which has the MOST important relevance in evaluation of the activities in a Program Evaluation Revi
The work schedule of a clerk in a Control Group is of
Which one of the following statements is False?
Which of the following would not be considered a characteristic of a private key cryptosystem?
The DES is an example of a:
Improper segregation of duties amongst programmers and computer operators may lead to the threat of :
The duties of a Data Security Officer do NOT comprise:
When using message switching in a communication network, the following is not a desirable control?
An electronic device that combines data from several low speed communication lines into a single high-speed line is a :
During the audit of automated Information systems, responsibility and reporting lines CANNOT be established since :
An insurance company is planning to implement new standard software in all its local offices. The new software has a fas
Compliance auditing is used to do?
The reason for the IS auditor NOT preparing a formal audit program is :
While reviewing the telecommunication access control, the primary concern of the IS Auditor will be on the
An IS Auditor carrying out security review for verification of the implementation of certain security measures, will be LEAS
Which of the following is NOT relevant in the case of a Business Continuity Plan Testing?
Which of the following statements about digital signatures is NOT true?
Operations audit trail rather than the accounting audit trail is likely to show
In the case of a bank teller the access control policy is an example of:
While preparing a cost benefit analysis of a security objective for an electronic data interchange (EDI) transaction, which
The use of programming aids, data and instructions that are prepared for one computer and can be used on another com
Which one of the following is NOT false:
Most computer systems have hardware controls that are built in by the computer manufacturer. Common hardware contro
Which of the following principles should guide the ways in which QA personnel monitor compliance with information syste
In general, output controls over reports of batch systems would be more compared with that of online systems because:
Confidentiality of sensitive data transmitted over public communication lines could best be protected by
An apparent error in input data describing an inventory item was detected and the issue was referred back to the originatin
To determine the authorized sign on in an EDI transaction, the EDI system uses the following method
When a new system is envisaged to replace a legacy application system, the next step that requires a detailed analysis is
Which of the following is NOT an advantage of continuous auditing approach ?
Which of the following statements about automated operations facility parameters is not true?
Which one of the following maintenance aspects would greatly ensure the currency of the plan as time passes?
When a new system is envisaged to replace a legacy application system, the next step that requires a detailed analysis is
In Information Technology projects, which of the following factors is most crucial?
Which one of the following will be included in the application software testing phase for effective controls?
To which one of the following issues that an information systems (IS) auditor participating in a system development life cy
To provide the management with appropriate information about the process being used by the software development pro
Can an IS auditor of a company outsourcing its operations insist to review the vendor's Business Continuity plan docume
The duties of computer operations do NOT comprise:
In a central computer system users specify where their output is printed, but some users give the wrong destination code
Which of the following is NOT True as a mode of network reliability enhancement:
Which of the following is NOT an input control objective?
Which of the following activities needs to be undertaken first to identify those components of a telecommunications syste
Which of the following is not a desirable control feature in a modem:
When encryption is used in the communication subsystem, the primary purpose of an error propagation code is to protec
A modem is NOT intended to
A company has entered into a contract with a service provider to outsource network and desktop support, and the relation
The reason for the IS auditor NOT preparing a formal audit program is :
In a central computer system users specify where their output is printed, but some users give the wrong destination code
A main advantage of a standard access control software implemented properly is
Which of the following electronic commerce systems handle non-monetary documents?
Rollback is easily accomplished with differential file backup technique for which of the following reasons?
All of the following assumptions about legacy application systems are correct except
Which of the following is not an audit objective in the review of hardware acquisition?
Use of a local area network has its own restrictions when compared to a wide area network. Which one of the following is
After you enter a purchase order in an on-line system, you get the message, The request could not be processed due to l
Access to a computer system is conditional upon success of the authentication process. The best methodology of authen
The class of control used to overcome problems before they acquire gigantic proportions is :
Which of the following is NOT a proper responsibility of functional users.
Which of the following is NOT included in the digital certificate:
Personal Computers and Notebook computers have both a floppy disk drive and a hard disk drive. The major difference b
In Information Technology projects, which of the following factors is most crucial?
Where access control mechanism is implemented in an open environment, the users are allowed to access a resource:
Symbolic evaluation is an error detection method. Where would you handle this? An error detection technique "symbolic e
While reviewing the outsourcing agreement with an external agency, the IS auditor would be LEAST interested in verifying
A company has policy to purchase microcomputer software only from recognized vendors and prohibit employees from in
When constructing the communications infrastructure for moving data over a local area network, the major implementatio
Which of the following decisions most likely cannot be made on the basis of performance monitoring statistics that are ca
Which of the following is likely to be a benefit of electronic data interchange (EDI)
Which of the following conditions leads to an increase in white noise:
The difference between SCARF and Continuous and Intermittence Simulation (CIS) is :
Computer viruses could be detected by which one of the following actions?
Link encryption in communication of signals
Incompatible functions may be performed by the same individual either in the Information System department or in the Us
The first step the IS Internal Audit manager should take, when preparing the Annual audit plan is to:
Which of the following utilities can be used to directly examine the quality of data in the database:
The inherent risk in an applicable system is NOT likely to be influenced by
Which of the following network risks apply to EDI transactions irrespective of the type of network involved?
Identify the test-case design technique that is used in unit and integration testing of applications software.
In the case of Business Process re-engineering which of the following is NOT true ?
Which of the following areas would an IS auditor NOT do while conducting a review of an organisation's IS Strategies.
The following is an advantage of using link encryption
Which of the following is not a desirable property of a cipher system:
To determine the authorized sign on in an EDI transaction, the EDI system uses the following method
The general control that concerns the proper segregation of duties and responsibilities is called
Because of the sensitivity of its data, a database system for business forecasting was implemented with access control a
An electronic device that combines data from several low speed communication lines into a single high-speed line is a :
An upper CASE tool is used in :
Identify the cost that does NOT form part of software package installation or implementation cost?
In a situation where a public key cryptosystem is in use, the message sent by the sender is signed by the:
The following is NOT a desirable property of a cipher system:
You as an IS Auditor observed that technical support personnel have unlimited access to all data and program files in the
What makes Rapid prototyping technique portable?
Echo Check belongs to hardware controls, which usually are those built into the equipment. Echo Check is best described
Can an IS auditor of a company outsourcing its operations insist to review the vendor's Business Continuity plan documen
The IS Manager of a small company senses that unrestricted access to production library results in the risk of untested p
Improper segregation of duties amongst programmers and computer operators may lead to the threat of :
System Auditor primarily uses the information provided by a detailed understanding of the Information system controls an
When the results of production data files processing with a generalized audit software do not agree with the total balance
Link encryption in communication of signals
Which among the following hacking techniques DOES NOT facilitate impersonation?
Where access control mechanism is implemented in an open environment, the users are allowed to access a resource:
Which of the following does NOT need to be considered in determining statistical sample sizes?
International Standards Organisation (ISO) has defined risk as the potential that a given threat will exploit vulnerability of an
Introduction of computer-based information system has affected auditing. Which of the following is NOT an effect of IS on
Accuracy of data is important most likely to a
A main advantage of a standard access control software implemented properly is
Which of the following is TRUE about Electronic Data Interchange (EDI) application system?
In the case of electronic funds transfer (EFT), which one of the following is MOST vulnerable to fraud and physical attack
Which among the following is NOT true of star topologies?
Rollback is easily accomplished with differential file backup technique for which of the following reasons?
Which phase of SDLC uses "Program slicing" technique?
Information system is broken into various subsystems. Which among the following is NOT a component of the managem
Mr. R. sends a signed message to Mr. S. If Public Key cryptosystem is used for sending the messages, then Mr. R. encry
Which of the following terms best describes the purpose of control practice over the input
An online banking system permitted withdrawals from inactive customer accounts. Which of the following controls would p
An access control review conducted by an IS auditor, highlighted the following control weaknesses in the system. Which o
An Information System Auditor observed that technical support personnel have unlimited access to all data and program f
In switching over to an Electronic Fund Transfer (EFT) environment, which of the following risks DOES NOT occur?
Machine maintenance engineers pose some difficult control problems because:
When a store uses a point of sale device to record the sale of an item, which of the following sequences of activities best
Which of the following is a responsibility of computer operations department?
Personal Computers and Notebook computers have both a floppy disk drive and a hard disk drive. The major difference b
When a new system is envisaged to replace a legacy application system, the next step that requires a detailed analysis is
For assessing process variations in software development and maintenance projects which one of the following will be use
Which one of the following techniques is represented by structured analysis and design?
During the review of logical access controls over a company's various application systems, an auditor found that access c
In a central computer system users specify where their output is printed, but some users give the wrong destination code
Which of the following is not a function of the control section:
Which one of the following audit techniques would likely provide a Systems Auditor assurance about the effectiveness a
In determining the sample size for a test of control using attribute sampling, a System Auditor would be least concerned wit
Which of the following is not a substantive test:
Interference is resisted MOST by
PC-based analysis and design tools are used along with mainframe computer-based tools.
In residual dumping technique for backup, the records that are backed up are those that have not undergone any change
Which one of the following audit techniques would likely provide a Systems Auditor assurance about the effectiveness a
A decision table is used for testing the test data. The purpose of the results stub in the decision table:
The activity of detective control in detecting virus relates to
The inherent risk in an applicable system is NOT likely to be influenced by
The duties of a Database administrator do NOT comprise:
A computerized system should contain an audit trail of information to facilitate detection of certain events. In an audit trail
The duties and role of an IS Steering Committee is:
A company uses a wide area network (WAN) to allow salesmen in the field to remotely log on to the office server using
Which of the following statements regarding security concerns for lap top computers is NOT false?
Output control is best described by which of the following ?
Access to an online system running an application program, requires users to validate themselves with a user ID and pas
An access control review conducted by an IS auditor, highlighted the following control weaknesses in the system. Which o
In Information Technology projects, which of the following factors is most crucial?
The complete information about all data in a database is found in :
The following statement about controls over computer operators is true:
When sending a signed message under a public key infrastructure, the message is encrypted using the:
You as an IS Auditor observed that technical support personnel have unlimited access to all data and program files in the
Which of the following activities would NOT be performed by control section personnel when they collect the output of a b
The duties of a Database administrator do NOT comprise:
Conditioning of the transmission lines is LEAST effective against
Which of the following activities would not be performed by control section personnel when they collect the output of a ba
The DES is an example of a:
Introduction of computer-based information system has affected auditing. Which of the following is NOT an effect of IS on
The snapshot technique involves:
Packet switching is an example of:
Which of the following activities would NOT be performed by control section personnel when they collect the output of a b
Which one of the following is not a compliance test ?
The definition of expected loss from a threat is:
Computer viruses could be detected by which one of the following actions?
When the results of production data files processing with a generalized audit software do not agree with the total balance
An IS auditor reviewing an organisation's Business Continuity Plan discovered that the software backups are not stored in
Active attack on communication network DOES NOT include
Rollforward and rollback are two important techniques for backup. Which among the following should be logged for facilita
Logging of transaction is an important means of backup. Which purpose among the following is not served by logging the
Which one of the following errors will occur because of overflow conditions?
Which phase of SDLC uses Data Flow Diagram?
In the system development life cycle approach, which of the following is MOST likely to be constant?
The main focus of the graphical user interface (GUI) environments is:
Which of the following activities would not be performed by control section personnel when they collect the output of a ba
Which of the following principles should not guide the way in which QA personnel report to management?
Retention date on magnetic tape files would:
Prototyping approach to system design is resorted to when
Which of the following events is recorded on a public audit trail in a digital signature system?
Which of the following is NOT an input control objective?
The manager of the information systems QA function should report to the:
An example for a concurrent audit tool whose complexity is low is :
Which of the following activities would NOT be performed by control section personnel when they collect the output of a b
A majority of defects are attributed to a small number of causes. Which of the following basic tools would BETTER depict th
The duty of the Quality Assurance Group is
Which of the following statements is (are) correct regarding the Internet as a commercially viable network
Which one of the following audit techniques would likely provide a Systems Auditor assurance about the effectiveness a
You would NOT use stubs or drivers in which of the following testing approaches?
In determining the sample size for a test of control using attribute sampling, a System Auditor would be least concerned wit
In an accounts payable system, clerks who enter invoices for payment also maintain the file containing valid vendor code
Which of the following should find a place in a disaster recovery plan
Which of the following activities should not be permitted when operators use a communications network control terminal:
Incompatible functions may be performed by the same individual either in the Information System department or in the Us
For an effective implementation of a continuous monitoring system, which of the following is identified as the FIRST and F
The risk in auditing an information system is dependent on various other risks. Which of the following results in decrease
Testing of the accuracy of the interest collected on lending by a financial institution is a/an
The FIRST and preliminary step in the process of information security program establishment is :
Which one of the following graphical user interface (GUI) development approaches would create more user-friendly intera
With respect to expert systems, a heuristic is not a:
Identify the technique that mostly prevents a system failure from occurring or facilitates quick recovery from failures.
An IS auditor came across an instance of a security administrator working occasionally as a senior computer operator. Th
A company uses a wide area network (WAN) to allow salesmen in the field to remotely log on to the office server using
Which of the following is not a desirable control feature in a modem:
Which of the following conditions leads to an increase in white noise:
The DES is an example of a:
The following is not a desirable property of a cipher system:
In preventing unauthorised access to a computer file from a remote terminal, which of the following controls can be used
The main objective of separation of duties is to ensure that:
The purpose of electronic signature is
Which of the following is considered potential benefits of Electronic Data Interchange (EDI)?
Which one of the following local area network devices functions as a data regenerator?
During an audit of the tape management system at a data center, an IS auditor discovered that some parameters are set
Which one of the following is NOT an essential component of a distributed computing environment?
In order to achieve more perfection of an already working software system, what method will be adopted?
The internal auditor's first job while trying to identify the components of a telecommunication system posing the GREATES
An online banking system permitted withdrawals from inactive customer accounts. Which of the following controls would p
Analyzing data protection requirements for installing a local area network (LAN) does not include:
The primary consideration for a System Auditor , regarding internal control policies, procedures, and standards available
To properly control access to accounting data held in a Database Management System, the database administrator shou
When the results of production data files processing with a generalized audit software do not agree with the total balance
Control over data preparation is important for :
Identify the test-case design technique that is used in unit and integration testing of applications software.
Which of the following actions should be undertaken when plastic debit/credit cards are issued:
If fraud or errors are suspected in the population , the auditor would use:
Which among the following statements about information systems personnel is NOT true?
The MOST likely characteristic of an informational systems OPERATIONAL plan is:
The following resources are protected by Logical access controls
Which of the following electronic commerce systems handle non-monetary documents?
Which of the following approaches is ideal in order to test the electronic data interchange (EDI) system for a value added ne
Which one of the following design approaches would address data sharing and system access problems in legacy applica
In determining good preventive and detective security measures practised by an employee, the IS auditor places the HIG
The programmed check that ensures that required fields on a data entry screen are NOT left blank is
Information system is broken into various subsystems. Which among the following is NOT a component of the managem
Computer manufacturers generally install software programs permanently inside the computers as part of its main memo
Which of the following is NOT true about a database management system application environment?
Overall responsibility to protect and control the database and monitor and improve the efficiency of the database are the
The test of access control, over a distributed database, can be carried out by
In a Bank, the updating programme for bank account balances calculates check digit for account numbers. This procedur
The initial validation control for a credit card transaction capture application would MOST likely be to:
The main objective of separation of duties is to ensure that:
Which of the following controls would address the concern that data uploaded from a microcomputer to the company's ma
Which of the following is FALSE with regard to a public key cryptosystem?
Which of the following statements about computer is correct?
An MIS Manager has only enough resources to install either a new payroll system or a new data security system, but not b
Which of the following actions should be undertaken when plastic debit/credit cards are issued:
Control over data preparation is important for :
Which one of the following criteria shall NOT be considered for choosing an appropriate Computer platform to suit a give
The database administrator is not responsible for which one of the following functions?
Which of the following is not an important control step of the input/output control group?
A company's management wants to implement a computerised system to facilitate communications among auditors, who
To properly control access to accounting data held in a Database Management System, the database administrator shou
Rollforward and rollback are two important techniques for backup. Which among the following should be logged for facilit
Which of the following activities would NOT be performed by control section personnel when they collect the output of a b
Which of the following does NOT need to be considered in determining statistical sample sizes?
While preparing a cost benefit analysis of a security objective for an electronic data interchange (EDI) transaction, which
Which one of the following design approaches would address data sharing and system access problems in legacy applic
All of the following should be in place prior to programming except:
Which of the following is an upper CASE tool?
Identify the factor that is not part of an expert system architecture.
A document-driven approach is used in :
Customer details like address changes etc are being used in too many mainframe application systems calling for a great
What is the major risk that is faced by a user organization during system integration projects?
Which of the following terms is commonly used for the agreement about packaging and interpreting both data and contro
Uninterruptible power supplies are used in computer centers to reduce the likelihood of :
Which of the following decisions most likely cannot be made on the basis of performance monitoring statistics that are ca
Which of the following is NOT True as a mode of network reliability enhancement:
The following method of PIN validation seems to result in the fewest control problems?
As an IS auditor, which would you consider the MOST CRITICAL CONTROL over an employee performing a function.
An IPF (Information processing facility) is typically a large computer centre. Which of the following has the primary cons
Network downtime is very costly and should be kept to minimum as much as possible. Which one of the following networ
The class of control used to minimise the impact of a threat is :
Which of the following is not a function of the control section:
Which of the following techniques ensure an e-mail message's, authenticity, confidentiality, integrity and non-repudiation?
Which of the following usually is a purpose of a modem:
Which of the following is NOT a proper responsibility of functional users.
Identify the document which is LEAST effective during the acceptance test of applications software.
Which of the following is FALSE with regard to a public key cryptosystem?
Networks are growing day-by-day. Which one of the following component of such growth is most difficult to predict?
In order to achieve more perfection of an already working software system, what method will be adopted?
Removing sequences of extraneous zeros or spaces in a file is an application of:
A company's management wants to implement a computerised system to facilitate communications among auditors, who
You would NOT use stubs or drivers in which of the following testing approaches?
When the Auditor uses generalised audit software to access a data maintained by a database management system, whi
The snapshot technique involves:
Rollforward and rollback are two important techniques for backup. Which among the following should be logged for facilit
Which of the following statistical selection techniques is least desirable for use by the IS auditor.
Notebook computers are portable and used to access the company's database while the executives are on travel. Which
In an accounts payable system, clerks who enter invoices for payment also maintain the file containing valid vendor code
Which of the following statements is TRUE about an offsite information processing facility?
The MAIN purpose of having Compensating Controls is to
The advantage of an ISO 9001 quality system implementation is:
Auditors of IS face an acute problem of evaluating the general authorization methods in a computerized accounting syste
Which of the following is not an advantage of distributed computing vis-à-vis centralised computing?
Which of the following is not a function of operations management:
Removing sequences of extraneous zeros or spaces in a file is an application of:
Which of the following terms best describes the purpose of control practice over the input
The most appropriate audit strategy for a large organisation which relies on comprehensive user controls over the micro
Identify the one that is NOT a key concept of object-oriented technology.
The basic purpose of an IS audit is :
What would you use to enforce integration rules so as to integrate one component with another?
Which of the following is NOT a proper responsibility of functional users.
Which of the following is NOT an input control objective?
Which of the following pairs of items perform similar functions?
Which of the following is FALSE with regard to a public key cryptosystem?
The presence of an arbitrator in a digital signature system will prevent:
The work schedule of a clerk in a Control Group is of
Where would you handle finite state machines in SDLC?
Which phase of SDLC uses 'Program slicing' technique?
If fraud or errors are suspected in the population , the auditor would use:
In determining the sample size for a test of control using attribute sampling, a System Auditor would be least concerned wit
While reviewing the telecommunication access control, the primary concern of the IS Auditor will be on the
Which one of the following is a control weakness in the treatment of user messages in electronic mail system?
OSI model of ISO presents a model of seven layers through which data communication across computers passes. Encry
Which one of the following documents would be least effective in performing unit testing of an applications software?
Which one of the following statements is true?
In Information Technology projects, which of the following factors is most crucial?
Identify the test-case design technique that is used in unit and integration testing of applications software.
During the detailed design phase of SDLC, which one of the following tasks is performed?
As compared with other Information Systems, Executive Information Systems do NOT have the characteristic of
In an audit of the outsourcing process, the IS auditor would LAST perform the task of:
A normally expected outcome of a business process re-engineering is that:
Which of the following is not an advantage of distributed computing vis-à-vis centralised computing?
End-to-end encryption provides only limited protection against a subversive attack that uses:
An electronic device that combines data from several low speed communication lines into a single high-speed line is a :
Which of the following activities would not be performed by control section personnel when they collect the output of a ba
The Digital Signature system uses the services of an Arbitrator to prevent
The person responsible for providing access rights to each of the user and access profile for each data element stored in
Ability to operate on multiple computer types from different vendors is envisaged by
After the system is developed, the auditor's objective in conducting a general review is to
What is a MAJOR benefit of switching over to the electronic data interchange (EDI) system?
When a store uses a point of sale device to record the sale of an item, which of the following sequences of activities best
The science of cryptography provides all of the following safeguards except
Software quality assurance process does NOT undertake:
The duties of Computer Operations do NOT comprise:
Operations audit trail rather than the accounting audit trail is likely to show
The primary consideration for a System Auditor , regarding internal control policies, procedures, and standards available
When the Auditor uses generalised audit software to access a data maintained by a database management system, whi
Which of the following utilities can be used to directly examine the ability of the program to maintain data integrity?
A decision table is used for testing the test data. The purpose of the results stub in the decision table:
Control of employee activities in a computerized environment is, vis-à-vis manual systems,
One of the production supervisors who has got access to the corporate database sold sensitive product pricing informati
Which of the following is not part of an emergency plan?
Which of the following is NOT true about Pretty Good Privacy (PGP) and Privacy Enhanced Mail (PEM)?
Transaction logs generally consist of successful transactions. Rejected transactions are printed to a separate log. This se
While preparing a cost benefit analysis of a security objective for an electronic data interchange (EDI) transaction, which
In which phase of SDLC Desk Checking is practiced?
The main focus of the graphical user interface (GUI) environments is:
Employees are compulsorily asked to proceed on a week long vacation in many organisations to
A Systems Analyst's duties and roles comprise:
Computer manufacturers generally install software programs permanently inside the computers as part of its main memo
Which of the following is not a function of operations management:
Which of the following is NOT True as a mode of network reliability enhancement:
The database administrator is not responsible for which one of the following functions?
Which of the following statements about national and international information systems standards is true?
It would not be possible to use the Checkpoint/restart facilities when:
Because of the sensitivity of its data, a database system for business forecasting was implemented with access control a
A competitor would gain by accessing sensitive operating information stored on computer files. Which of the following con
Identify the document which is LEAST effective during the acceptance test of applications software.
In data processing, which of the following causes the maximum losses
In switching over to an Electronic Fund Transfer (EFT) environment, which of the following risks DOES NOT occur?
Passwords belong to the following class of authentication information:
The presence of an arbitrator in a digital signature system will prevent:
Which of the following would greatly affect the project estimate if any changes are made to it while developing a project?
Which of the following usually is a purpose of a modem:
Can an IS auditor of a company outsourcing its operations insist to review the vendor's Business Continuity plan docume
Notebook computers are portable and used to access the company's database while the executives are on travel. Which
An online banking system permitted withdrawals from inactive customer accounts. Which of the following controls would
Which one of the following statements is False?
Which of the following decisions most likely could not be made on the basis of reports prepared from the maintenance lo
Which of the following utilities can be used to directly examine the quality of data in the database:
Which of the following activities should not be permitted when operators use a communications network control terminal:
Which of the following is deemed as good system design practice?
To conduct a System audit the IS auditor should:
An IS auditor reviewing an organisation's Business Continuity Plan discovered that the software backups are not stored in
Which among the following is NOT a serious problem in a ring topology based LAN?
Operations audit trail rather than the accounting audit trail is likely to show
Which of the following alternate facilities has the GREATEST chance of failure due to change in systems and personnel?
Which of the following system life factors is most difficult to control by a user organization?
A lower cost software product metric that is used for data collection :
The MAIN purpose of having Compensating Controls is to
Which of the comments about Business Process Re-engineering (BPR) is NOT false?
Computer manufacturers generally install software programs permanently inside the computers as part of its main memo
Which of the following would not normally be considered a typical file structure for a database management system:
Which one of the following is NOT true relating to the use of fiber optics:
Which of the following is not a function of the control section:
The manager of the information systems QA function should report to the:
The technical support personnel should have unlimited access to all data and program files to do their job. Which of the
Customer details like address changes etc are being used in too many mainframe application systems calling for a great
Identify the EARLIEST software development model
In the system development life cycle approach, which of the following is MOST likely to be constant?
The technical support personnel should have unlimited access to all data and program files to do their job. Which of the f
Which of the following decisions most likely CANNOT BE made on the basis of performance monitoring statistics that are
Which one of the following maintenance aspects would greatly ensure the currency of the plan as time passes?
The class of control used to overcome problems before they acquire gigantic proportions is :
Which of the following represents a typical prototype of an interactive application?
Software quality assurance process does NOT undertake:
The best way to delete a highly confidential file from a microcomputer would be by using which of the following:
In general, mainframe computer production programs and data are adequately protected against unauthorized access. C
An electronic device that combines data from several low speed communication lines into a single high-speed line is a :
User interface prototyping may NOT focus on :
Computer viruses could be detected by which one of the following actions?
When an accounting application is processed by computer, an auditor cannot verify the reliable operation of programmed
Which among the following components is of PRIMARY concern for evolving a recovery plan after a communication failur
Which one of the following is not a substantive test?
Which of the below is a TRUE statement concerning Test Data Techniques?
One of the advantages of using naming convention for access control is that
Processing control procedures include
The residual dump technique in backup has the disadvantage of
Logging of transaction is an important means of backup. Which purpose among the following is not served by logging the
Identify the EARLIEST software development model
Identify the technique that mostly prevents a system failure from occurring or facilitates quick recovery from failures.
In which phase of a system development life cycle would you perform Mutation analysis?
Which one of the following is NOT true relating to the use of fiber optics:
Analyzing data protection requirements for installing a local area network (LAN) does not include:
The major reason why quality metrics need to be chosen for a specific information systems project is:
For a high security installation the most effective physical access control devices is
Output control is best described by which of the following ?
Access may be filtered by a firewall access control list based on each of the following EXCEPT:
Access to a computer system is conditional upon success of the authentication process. The best methodology of authen
Confidentiality and data integrity services are provided in a network in which of the following layers of the ISO/OSI model?
Identify the technique that mostly prevents a system failure from occurring or facilitates quick recovery from failures.
In preventing unauthorised access to a computer file from a remote terminal, which of the following controls can be used
The class of control used to minimise the impact of a threat is :
The following method of obtaining customer selected PINs does not require the cryptographic generation of a reference n
What makes Rapid prototyping technique portable?
Which of the following is NOT TRUE about a database management system application environment?
With respect to AI, a heuristic refers to :
The DES is an example of a:
In a central computer system users specify where their output is printed, but some users give the wrong destination code
As organisations move to implement EDI, more of them are turning to the use of value added networks (VANs). Which of
The following is an advantage of using link encryption
Which of the following network architecture is most reliable?
Which is the primary reason for replacing cheques with Electronic Funds Transfer (EFT) systems in the accounts payable
In determining the sample size for a test of control using attribute sampling, a System Auditor would be least concerned wi
Which of the following would not be appropriate to consider in the physical design of a data centre?
Which of the following controls would address the concern that data uploaded from a microcomputer to the company s m
Computer viruses could be detected by which one of the following actions?
The following measures will protect the computer systems from virus attack EXCEPT:
Which one of the following errors will occur because of overflow conditions?
What is the major risk that is faced by a user organization during system integration projects?
Which of the following features is least likely to be found in a real time application?
The installation of a database management system (DBMS) does not have any direct impact on :
Simple Software has just purchased a minicomputer. The make and model selected will allow the company to attach ad
Analyzing data protection requirements for installing a local area network (LAN) does not include:
Which of the following statements about personnel training in QA standards and procedures is false?
The following statement applies to a capability based approach to authorisation?
The control to provide security against accidental destruction of records and to ensure continuous operations is called
Determining what components to include in the network configuration is called a:
The following is NOT a desirable property of a cipher system:
The media that is rarely used in present day LANs is:
The most appropriate concurrent audit tool whose complexity is very high and useful when regular processing cannot be i
Which of the following functions SHOULD NOT BE combined with Systems Analyst?
Which of the following is not a function of the control section:
Which one of the following is not an operating control:
The class of control used to monitor inputs and operation is :
Which of the following represents a typical prototype of an interactive application?
Which of the following decisions most likely CANNOT BE made on the basis of performance monitoring statistics that are
Which one of the following network architectures is designed to provide data services using physical networks that are m
When the account number is entered into an online banking system, the computer responds with a message that reads:
Which of the following controls would prevent unauthorized access to specific data elements in a database management
Use of a local area network has its own restrictions when compared to a wide area network. Which one of the following is
Employees are compulsorily asked to proceed on a week long vacation in many organisations to
Which one would be a material irregularity?
In a data processing environment, where the data is centrally stored at a database and data entry is carried out from rem
A modem is NOT intended to
Which phase of SDLC uses 'Program slicing' technique?
The application run manual would normally comprise of :
In general, mainframe computer production programs and data are adequately protected against unauthorized access. C
Which of the following encryption algorithms or schemes is MOST difficult to break?
Which one of the following is a control weakness in the treatment of user messages in electronic mail system?
Which one of the following documents would be least effective in performing unit testing of an applications software?
After the system is developed, the auditor's objective in conducting a general review is to
Which of the following lines prevents tapping?
Computer manufacturers generally install software programs permanently inside the computers as part of its main memo
Electronic methods of data transfer are involved in all of the following except:
Which of the following would not be considered a characteristic of a private key cryptosystem?
A public key cryptosystem uses:
A major design consideration for local area networks that replace stand alone computing in an organisation includes:
Access may be filtered by a firewall access control list based on each of the following EXCEPT:
Identify the technique that mostly prevents a system failure from occurring or facilitates quick recovery from failures.
Implementing a large distributed system involves a number of unique risks arising from both technical and management is
The manager of the information systems QA function should report to the:
The class of control used to minimise the impact of a threat is :
An audit technique used to select items from a population for audit testing purposes based on the characteristics is terme
When a new system is envisaged to replace a legacy application system, the next step that requires a detailed analysis is
Software quality assurance process does NOT undertake:
Notebook computers are portable and used to access the company s database while the executives are on travel. Which
An online banking system permitted withdrawals from inactive customer accounts. Which of the following controls would p
Which of the following is not a function of the control section:
Where would you handle finite state machines in SDLC?
Which one of the following statements is correct with regard to reciprocal processing agreement?
The advantage of tagging live transactions in an Integrated Test Facility (ITF) as against designing new test data is that:
Evaluation of which of the following functional areas CANNOT be carried out by risk assessment techniques.
A function NOT possible of being accomplished using CAATs is :
To properly control access to accounting data held in a Database Management System, the database administrator shou
Which among the following is NOT true of star topologies?
In residual dumping technique for backup, the records that are backed up are those that have not undergone any change
Rollback is an effective means of recovering data. In which of the following situations after an error has occurred but man
Which one of the following is performed FIRST in a system development life cycle project?
A less formal review technique is:
Which of the following is deemed as good system design practice?
In order to achieve the requirements of the user, the BEST option in acquiring an off-the-shelf applications software packa
A Systems Analyst's duties and roles comprise:
Which one of the following is not an essential component of a distributed computing environment?
Network designers must be able to predict network performance if they are to optimise a network. The probability of a los
Access to an online system running an application program, requires users to validate themselves with a user ID and pas
Information system crimes and abuses in comparison to those of the general category are likely to be
A document-driven approach is used in :
Identify the contractual provision that is objective and enforceable among the parties involved in a system development lif
In a Bank, the updating programme for bank account balances calculates check digit for account numbers. This procedure
The following is NOT a desirable property of a cipher system:
The initial validation control for a credit card transaction capture application would MOST likely be to:
Which of the following statements is FALSE for Equipment mean-time-between-failure (MTBF)?
You as an IS Auditor observed that technical support personnel have unlimited access to all data and program files in the
Where access control mechanism is implemented in an open environment, the users are allowed to access a resource:
Formal change control mechanism would start after which of the following in an overall system development project?
Which one of the following techniques is represented by structured analysis and design?
Which of the following is addressed by software configuration management as part of Software quality assurance?
Which one of the following uses a modem technology as a common means of communicating between computers?
Internal controls are not designed to provide reasonable assurance that:
Which one would be a material irregularity?
The difference between SCARF and Continuous and Intermittent Simulation (CIS) is :
Where access control mechanism is implemented in an open environment, the users are allowed to access a resource:
The independence of an IS auditor who was involved in the development of an application system shall be impaired when
The auditor of an IS can exercise control over
Control of employee activities in a computerized environment is, vis-à-vis manual systems,
The basic control requirement in a real time application system is :
In an IS environment, routing all links to external systems via a firewall, scanning all diskettes and CDs brought in from o
The first step in the installation of an information security program is the
The technique employed in packet switching mode of transmission is:
Which of the following approaches is ideal in order to test the electronic data interchange (EDI) system for a value added ne
A lower cost software product metric that is used for data collection :
Replacing the manual system with a computerized system is MORE likely to result in the assets and records
Which of the following is likely to be a benefit of electronic data interchange (EDI)
An electronic device that combines data from several low speed communication lines into a single high-speed line is a :
The Digital Signature system uses the services of an Arbitrator to prevent
A competitor would gain by accessing sensitive operating information stored on computer files. Which of the following con
An apparent error in input data describing an inventory item was detected and the issue was referred back to the originatin
In a Bank, the updating programme for bank account balances calculates check digit for account numbers. This procedure
Machine maintenance engineers pose some difficult control programs because:
Prototyping approach to system design is resorted to when
To determine the authorized sign on in an EDI transaction, the EDI system uses the following method
What makes Rapid prototyping technique portable?
Which of the following software metrics would refer to function points?
Which of the following statements about automated operations facility parameters is not true?
Which one of the following pair of items is a primary cause of signal distortion in data communications?
Which one of the following maintenance aspects would greatly ensure the currency of the plan as time passes?
The auditor plans to select a sample of transactions to assess the extent that purchase cash discounts may have been lo
Which of the following decisions most likely CANNOT BE made on the basis of performance monitoring statistics that are
To provide the management with appropriate information about the process being used by the software development pro
To ensure proper separation of duties, the function NOT to be performed by the Scheduling and Operations personnel is
Which of the following is not an advantage of distributed computing vis-à-vis centralised computing?
Which of the following activities needs to be undertaken first to identify those components of a telecommunications syste
Employees are compulsorily asked to proceed on a week long vacation in many organisations to
The snapshot technique involves:
To properly control access to accounting data held in a Database Management System, the database administrator shou
Which of the following actions should be undertaken when plastic debit/credit cards are issued:
In selecting the applications to be audited, which criterion is LEAST likely to be used:
When the Auditor uses generalised audit software to access a data maintained by a database management system, whic
A decision table is used for testing the test data. The purpose of the results stub in the decision table:
Evaluation of which of the following functional areas CANNOT be carried out by risk assessment techniques.
Which of the following would be of great concern to an auditor reviewing a policy about selling a company's used microco
Which of the following statements about encryption is NOT correct?
Dual protection or mirroring of servers mitigates the exposures from
The DISADVANTAGE in cross training employees is that:
Which one of the following is not part of a computer capacity management function?
The general control that concerns the proper segregation of duties and responsibilities is called
An access control policy for a Customer Service Representative in a banking application is an example of the implementa
Identify the factor that is not part of an expert system architecture.
In the system development life cycle approach, which of the following is MOST likely to be constant?
The best control to ensure that a customer uses a debit/credit card carefully is:
The following method of obtaining customer selected PINs does not require the cryptographic generation of a reference n
The information technology pilot projects envisage which of the following concepts?
Which of the following is NOT an input control objective?
You as an IS Auditor observed that technical support personnel have unlimited access to all data and program files in the
In Information Technology projects, which of the following factors is most crucial?
The science of cryptography provides all of the following safeguards except
Which of the following usually is a purpose of a modem:
Which would ensure that IS organizations do not take more resources for less output?
The work schedule of a clerk in a Control Group is of
Which one of the following transmission media is unsuitable for handling intrabuilding data or voice communications?
As organisations move to implement EDI, more of them are turning to the use of value added networks (VANs). Which of
When encryption is used in the communication subsystem, the primary purpose of an error propagation code is to protec
In evaluating and reviewing the effectiveness of the management's communication of IS policies to concerned personnel
Which one would be a material irregularity?
Modems do enhance the quality of transmission. Which among the following is NOT a control feature that enhances the q
Identify the test-case design technique that is used in unit and integration testing of applications software.
System Auditor primarily uses the information provided by a detailed understanding of the Information system controls an
During the audit of automated Information systems, responsibility and reporting lines CANNOT be established since :
Which of the following is TRUE about Electronic Data Interchange (EDI) application system?
Ring topologies have an edge over bus topologies. Which of the following statements is FALSE?
Which one of the following methodologies requires efficient system requirements analysis?
The software test objective of operating in different platforms is achieved by conducting:
A document-driven approach is used in :
In order to trace data through several application programs, an auditor needs to know what programs use the data, which
Electronic methods of data transfer are involved in all of the following except:
The following statement applies to a capability based approach to authorisation?
Ability to operate on multiple computer types from different vendors is envisaged by
In a situation where a public key cryptosystem is in use, the message sent by the sender is signed by the:
Passwords belong to the following class of authentication information:
The requirements specification phase needs a lot of operational viewpoint input in the early stage of a system developmen
The software test objective of operating in different platforms is achieved by conducting:
When a new system is envisaged to replace a legacy application system, the next step that requires a detailed analysis is
Which of the following is considered a potential benefit of Electronic Data Interchange (EDI)?
Which of the following is not a function of operations management:
Which one of the following protocols is used by the Internet?
A large organization with numerous applications running on its mainframe system is experiencing a growing backlog of un
Wiretapping CANNOT easily be done without detection in
Which of the following activities should not be permitted when operators use a communications network control terminal:
Control over data preparation is important because:
An IS auditor came across an instance of a security administrator working occasionally as a senior computer operator. Th
Which of the following is not a desirable control feature in a modem:
The risk that the conclusion based on a sample might be different from the conclusion based on examination of the entire
Which of the following Technical specifications will NOT be included in a functional
The BEST and the most reliable form of evidence that an IS auditor would look for in audit of an IS environment is
Segregation of duties is TRUE in which of the following cases?
The IS Control Group is NOT responsible for performing
Employees are compulsorily asked to proceed on a week long vacation in many organisations to
The duties and role of an IS Steering Committee are:
Which of the following is not an advantage of distributed computing vis-à-vis centralised computing?
Computer manufacturers generally install software programs permanently inside the computers as part of its main memo
Which of the following statements about national and international information systems standards is true?
Which of the following principles should not guide the way in which QA personnel report to management?
The following statement is true about a mandatory access control policy?
The test of access control, over a distributed database, can be carried out by
The most appropriate audit strategy for a large organisation which relies on comprehensive user controls over the micro c
A Data Base Management System locks out a record used by one user, when it is simultaneously accessed by another us
Access may be filtered by a firewall access control list based on each of the following EXCEPT:
Electronic card access system is used to control access to a data centre. The documentation for this system should be up
Hardware controls are important to IS auditors for they:
The functions of operations management relating to the microcomputers in organisations where microcomputers are used
Uninterrupted Power Supply (UPS) systems are used in computers to reduce the likelihood of :
What is a MAJOR benefit of switching over to the electronic data interchange (EDI) system?
Which of the following decisions most likely CANNOT BE made on the basis of reports prepared from the maintenance lo
Which of the following pairs of items perform similar functions?
Which of the following statements is FALSE for Equipment mean-time-between-failure (MTBF)?
Passwords belong to the following class of authentication information:
The comment which is a DISADVANTAGE concerning prototyping is:
Which of the following is NOT True as a mode of network reliability enhancement:
Which of the following best describes a feature of statistical sampling?
Internal controls are not designed to provide reasonable assurance that:
The objective of using System Control Audit Review File (SCARF) within the application is for collecting following informa
The residual dump technique in backup has the disadvantage of
Which is the primary reason for replacing cheques with Electronic Funds Transfer (EFT) systems in the accounts payable
Which of the following activities is undertaken during data preparation:
Which one of the following is not a compliance test?
To properly control access to accounting data held in a Database Management System, the database administrator shou
An IS Auditor, concerned that application controls are not adequate to prevent duplicate payment of invoices, decided to r
The control procedure of installing the anti-virus software in the system is called
An IS auditor reviewing an organisation's Business Continuity Plan discovered that the software backups are not stored in
For consideration of outsourcing of computer operations, which is the factor that would LEAST indicate the same?
Which of the following is not a desirable property of a cipher system:
Which of the following principles should not guide the way in which QA personnel report to management?
Staffing the QA function is often difficult because:
The presence of a Quality Assurance (QA) function has an effect on the auditor's function. Which of the following stateme
A major advantage of associating passwords with users in the access control mechanism, over associating the password
It would not be possible to use the Checkpoint/restart facilities when:
Access may be filtered by a firewall access control list based on each of the following EXCEPT:
Confidentiality and data integrity services are provided in a network in which of the following layers of the ISO/OSI model?
Identify the wrong statement with respect to structured programming concepts and program modularity.
In a situation where a public key cryptosystem is in use, the message sent by the sender is signed by the:
Which of the following pairs of items perform similar functions?
Which one of the following maintenance aspects would greatly ensure the currency of the plan as time passes?
Which of the following functions SHOULD NOT BE combined with Control Group.
Which of the following is NOT included in the digital certificate:
Which of the following techniques ensures an e-mail message's authenticity, confidentiality, integrity and non-repudiation?
There are various techniques for telecommunication controls. Confidentiality of data is BEST maintained by
Which one of the following network types will play an important role in implementing E-commerce?
Which one of the following controls would protect the production libraries without compromising the efficiency of open acc
The primary objective of security software is to:
Which one of the following statements is correct with regard to reciprocal processing agreement?
Which of the following actions provides the IS Auditor with the greatest assurance that certain weaknesses in internal con
A function NOT possible of being accomplished using CAATs is :
The basic character / purpose of an audit charter is best described by which of the following.
Reciprocal Agreements are normally entered between two or more organisations:
While preparing a cost benefit analysis of a security objective for an electronic data interchange (EDI) transaction, which
What is the major risk that is faced by a user organization during system integration projects?
Simple Software has just purchased a minicomputer. The make and module selected will allow the company to attach ad
Most computer systems have hardware controls that are built in by the computer manufacturer. Common hardware contro
When constructing the communications infrastructure for moving data over a local area network, the major implementatio
Removing sequences of extraneous zeros or spaces in a file is an application of:
Which of the following is most unlikely to be a reason for having QA personnel responsible for formulating, promulgating,

Which type of cipher has the highest work factor?
To which of the following resource type are the most complex action privileges assigned?
IS Auditor performing a security review will perform all the following steps. However he will begin with
A major drawback of a remote dial up network communication system is
Which of the following physical access control devices would be most effective for a high security installation?
As an IS auditor, which would you consider the MOST CRITICAL CONTROL over an employee performing a function.
Identify the factor that is not part of an expert system architecture.
In the system development life cycle approach, which of the following is MOST likely to be constant?
In which phase Rapid prototyping is used in Waterfall life cycle development model?
Networks are growing day-by-day. Which one of the following component of such growth is most difficult to predict?
Software piracy is a common threat to an organization and so while choosing an application software package what shou
The media that is rarely used in present day LANs is:
What would you use to enforce integration rules so as to integrate one component with another?
When a new system is envisaged to replace a legacy application system, the next step that requires a detailed analysis is
Which of the following is not a major benefit of applications software prototyping ?
Which of the following activities would NOT be performed by control section personnel when they collect the output of a b
The following is NOT a desirable property of a cipher system:
In software maintenance, the NON technical tool is:
Removing sequences of extraneous zeros or spaces in a file is an application of:
Which one of the following transmission media is unsuitable for handling intrabuilding data or voice communications?
Wiretapping CANNOT easily be done without detection in
End-to-end encryption provides only limited protection against a subversive attack that uses:
The following is an advantage of using link encryption
Where access control mechanism is implemented in an open environment, the users are allowed to access a resource:
Which of the following statistical selection techniques is least desirable for use by the IS auditor?
The reason for the IS auditor NOT preparing a formal audit program is :
The password administration procedure should follow the following principle in implementing the access control :
In which of the following phases of a system development life cycle are decision tables used?
Identify the non-cost factor while analysing feasible system alternatives for an organisation.
For consideration of outsourcing of computer operations which is the factor that would LEAST indicate the same.
Which one of the following is not part of a computer capacity management function?
Which type of cipher has the highest work factor?
Which of the following principles should not guide the way in which QA personnel report to management?
Staffing the QA function is often difficult because:
Confidentiality of sensitive data transmitted over public communication lines could best be protected by
An on line bookseller decides to accept online payment from customers after implementing agreements with major credit
Due to an important work, the senior computer operator has gone on a leave for ten days. In his place, the security officer
In an automated processing system of records, processing control total reconciliation is a type of
In an IPF (Information processing facility) is typically a large computer centre, which of the following has the primary consi
The installation of a database management system (DBMS) does not have any direct impact on :
The most appropriate concurrent audit tool whose complexity is very high and useful when regular processing cannot be i
To effectively prevent intrusion, usually the following controls are established. Of this, which control BEST detects intrusion
Which of the following is not a database model :
Which one of the following is NOT true relating to the use of fiber optics:
When a new system is envisaged to replace a legacy application system, the next step that requires a detailed analysis is
Can an IS auditor of a company outsourcing its operations insist to review the vendor's Business Continuity plan docume
A company has policy to purchase microcomputer software only from recognized vendors and prohibit employees from in
Which of the following is not an advantage of distributed computing vis-à-vis centralised computing?
An electronic device that combines data from several low speed communication lines into a single high-speed line is a :
The following is an advantage of using link encryption
Software metric that deals with measurement of lines of code is:
Which of the following network architecture is most reliable?
Which of the following utilities can be used to directly examine the ability of the program to maintain data integrity?
Transmission of electronic signals is not free of impairments. Which of the following statements is true?
The following resources are protected by Logical access controls
A compensating control for the weakness in access controls is the daily review of log files. The IS Auditor reviewing the ad

Logging of authorised and unauthorised attempts to access the computer systems and Disconnection of a terminal after i
Which one of the following documents would be least effective in performing unit testing of an applications software?
Which of the following is a dynamic analysis to detect software errors?
With respect to expert systems, a heuristic is not a:
The comment which is NOT true regarding ISO 9000 is
The MAIN purpose of having Compensating Controls are to
Which of the following features is least likely to be found in a real time application?
Which of the following decisions most likely could not be made on the basis of reports prepared from the maintenance log
Which of the following is NOT True as a mode of network reliability enhancement:
Identify the EARLIEST software development model
The class of control used to monitor inputs and operation is :
What is a MAJOR benefit of switching over to the electronic data interchange (EDI) system?
Which of the following statements about computer is correct?
Which phase of SDLC uses Data Flow Diagram?
Identify the document which is LEAST effective during the acceptance test of applications software.
The biggest benefit of prototyping is:
The application run manual would normally comprise of :
The IS Control Group is NOT responsible for performing
Which one of the following uses a modem technology as a common means of communicating between computers?
In a central computer system users specify where their output is printed, but some users give the wrong destination code
Where would you handle finite state machines in SDLC?
The FIRST and preliminary step in the process of information security program establishment is :
The advantage tagging live transactions in an Integrated Test Facility (ITF) as against designing new test data is that:
As against link encryption, end-to-end encryption cannot protect against
Which of the following should find a place in a disaster recovery plan
A decision table is used for testing the test data. The purpose of the results stub in the decision table:
The activity of detective control in detecting virus relates to
Application's access control will be seriously jeopardised if
Business continuity plan of an organisation should address early recovery of which of the following?
Which among the following is NOT a serious problem in a ring topology based LAN?
Most important risk to be addressed in an electronic data interchange (EDI) transaction is:
Which one of the following reasons is the most important to retain a legacy application system?
Which of the following is a dynamic analysis to detect software errors?
Which of the following is deemed as good system design practice?
What makes Rapid prototyping technique portable?
A well written and concise job description is IRRELEVANT to
A brokerage firm is moving into new office premises already equipped with extensive telephone wiring. The firm is plannin
Which of the following functions cannot be performed using a communications network control terminal:
The least commonly used medium for local area network (LAN) environment is:
What is the major risk that is faced by a user organization during system integration projects?
When sending a signed message under a public key infrastructure, the message is encrypted using the:
Which of the following statements about automated operations facility parameters is not true?
Control over data preparation is important for :
Confidentiality and data integrity services are provided in a network in which of the following layers of the ISO/OSI model?
A majority of defects are attributed to a few number of causes. Which of the following basic tools would BETTER depict th
The application run manual would normally comprise of :
A competitor would gain by accessing sensitive operating information stored on computer files. Which of the following con
The IS Manager of a small company senses that unrestricted access to production library results in the risk of untested pr
Which of the following is not an important control step of the input/output control group?
Incompatible functions may be performed by the same individual either in the Information System department or in the Us
To examine the existence of the entities described by the data, which of the functional capabilities in the generalised audit
Which of the following utilities can be used to directly examine the ability of the program to maintain data integrity?
The reason for the IS auditor NOT preparing a formal audit program is :
Access to the work area restricted through a swipe card or only through otherwise authorised process and when visitors e
IS security policy of an organisation will not contain details about the following:
A newly released virus was enabled into LAN, from a floppy drive in one of the workstations connected to the LAN. The e

One of the main tasks performed by a Security Administrator is
Which of the following alternate facilities has the GREATEST chance of failure due to change in systems and personnel?
Which one of the following is performed FIRST in a system development life cycle project?
Which one of the following reasons is the most important to retain a legacy application system?
Information system is broken into various subsystems. Which among the following is NOT a component of the application
Which of the following activities needs to be undertaken first to identify those components of a telecommunications syste
The following is an advantage of using link encryption
Personal Computers and Laptops have both a floppy disk drive and a hard disk drive. The major difference between the t
Which of the following is not a function of operations management:
The least commonly used medium for local area network (LAN) environment is:
Which of the following is most unlikely to be a reason for having QA personnel responsible for formulating, promulgating,
In general, output controls over reports of batch systems would be more compared with that of online systems because:
A competitor would gain by accessing sensitive operating information stored on computer files. Which of the following con
An access control review conducted by an IS auditor, highlighted the following control weaknesses in the system. Which o
An IS auditor performing a telecommunication access control review would focus the MOST attention on the:
Identify the wrong statement with respect to structured programming concepts and program modularity.
In which phase of SDLC Desk Checking is practiced?
The main focus of the graphical user interface (GUI) environments is:
Which of the following decisions most likely CANNOT BE made on the basis of performance monitoring statistics that are
Which of the following is NOT a proper responsibility of functional users.
The following estimates the probability of a computer system being destroyed in a natural disaster and the corresponding
Machine maintenance engineers pose some difficult control programs because:
A major design consideration for local area networks that replaces stand alone computing in an organisation include:
The application run manual would normally comprise of :
A Data Base Management System locks out a record used by one user, when it is simultaneously accessed by another us
Which of the following is NOT True as a mode of network reliability enhancement:
Which of the following characteristics is not associated with a public key cryptosystem?
Which of the following statements is (are) correct regarding the Internet as a commercially viable network
The primary objective of security software is to:
The validity of a program recalculation could be audited by the following techniques except:
Which of the following data base environment controls enforces access rules in addition to maintaining standardized defin
Which among the following components is of PRIMARY concern for evolving a recovery plan after a communication failur
Which one would be a material irregularity?
The Duties of a Computer operations does NOT comprise of :
Which of the following feature may seriously affect or nullify the utility of audit trails for an application system ?
Which of the following is TRUE about Automated Teller Machines (ATMs)?
Identify the wrong statement with respect to structured programming concepts and program modularity.
The main focus of the graphical user interface (GUI) environments is:
Which of the following terms is commonly used for the agreement about packaging and interpreting both data and contro
Which of the following is likely to be a benefit of electronic data interchange (EDI)
The following is an advantage of using link encryption
The DES is an example of a:
The most appropriate audit strategy for a large organisation which relies on comprehensive user controls over the micro c
In order to achieve the requirements of the user, the BEST option in acquiring an off-the-shelf applications software packa
Out of the following pairs of services, which provides an access control over a network of computers
The functions of operations management relating to the microcomputers in organisations where microcomputers are used
Uninterrupted Power Supply (UPS) systems are used in computers to reduce the likelihood of :
Identify the cost that does NOT form part of software package installation or implementation cost?
The software test objective of operating in different platforms is achieved by conducting:
System Auditor primarily uses, the information provided by a detailed, understanding of the Information system controls an
Which of the following lines prevents tapping?
Concentration technique in a communication network DOES NOT
Link encryption in communication of signals
Operations audit trail rather than the accounting audit trail is likely to show
Identify the test-case design techniques that is used in unit and integration testing of applications software.
Which of the following is deemed as good system design practice?

To conduct a System audit the IS auditor should:
A procedure to have an overall environmental review which is NOT performed by an IS auditor during pre audit planning i
The application run manual would normally comprise of :
The best way to delete a highly confidential file from a microcomputer would be by using which of the following:
For reviewing the physical security of the IPF facility, the necessity of the following document is the LEAST
Which of the following is an advantage of the use of hot sites as a backup alternative?
The biggest benefit of prototyping is:
Ability to operate on multiple computer types from different vendors is envisaged by
A Systems Analyst's duties and roles comprise:
Which of the following is not an advantage of distributed computing vis-à-vis centralised computing?
A brokerage firm is moving into new office premises already equipped with extensive telephone wiring. The firm is plannin
Electronic methods of data transfer are involved in all of the following except:
Which of the following is not a function of operations management:
Which of the following activities would not be performed by control section personnel when they collect the output of a ba
The DES is an example of a:
Removing sequences of extraneous zeros or spaces in a file is an application of:
While classifying controls on the basis of the operations involved, input control can be classified as
Identify the wrong statement with respect to structured programming concepts and program modularity.
Machine maintenance engineers pose some difficult control programs because:
Prototyping approach to system design is resorted to when
The following is NOT a desirable property of a cipher system:
Which of the following is FALSE with regard to a public key cryptosystem?
Which of the following software metrics would refer to function points?
The class of control used to minimise the impact of a threat is :
An audit technique used to select items from a population for audit testing purposes based on the characteristics is terme
Which of the following is not a desirable property of a cipher system:
Which of the following utilities can be used to directly examine the quality of data in the database:
To properly control access to accounting data held in a Database Management System, the database administrator shou
The primary objective of security software is to:
Internet was established NOT for
An insurance company is planning to implement new standard software in all its local offices. The new software has a fas
The advantage tagging live transactions in an Integrated Test Facility (ITF) as against designing new test data is that:
Which of the following is not a substantive test:
For an effective implementation of a continuous monitoring system, which of the following is identified as the FIRST and F
A function NOT possible of being accomplished using CAATs is :
Which of the following would be of great concern to an auditor reviewing a policy about selling a company's used microco
Before disposing off the PC used for storing confidential data the most important precautionary measure to be taken is
The following measures will protect the computer systems from virus attack EXCEPT:
A compensating control for the weakness in access controls is the daily review of log files. The IS Auditor reviewing the ad
The technique employed in packet switching mode of transmission is:
Internet was established NOT for
During the detailed design phase of SDLC, which one of the following tasks performed?
In segregation of duties, the organisation will be exposed to a very HIGH risk if the duties of
Which one of the following uses a modem technology as a common means of communicating between computers?
The following is not a desirable property of a cipher system:
The following method of obtaining customer selected PINs does not require the cryptographic generation of a reference n
The IS Manager of a small company senses that unrestricted access to production library results in the risk of untested p
Which of the following is a responsibility of computer operations department?
Which of the following is not a database model :
Which one of the following maintenance aspects would greatly ensure the currency of the plan as time passes?
Which type of cipher has the highest work factor?
An audit technique used to select items from a population for audit testing purposes based on the characteristics is terme
A major design consideration for local area networks that replaces stand alone computing in an organisation include:
A PIN if stored for reference purposes, must be stored in:
Which one of the following is not an operating control:
Software quality assurance process does NOT undertake:

Accounts Receivable Section personnel for a manufacturer frequently access computer data on customer and product sa
A computerized system should contain an audit trail of information to facilitate detection of certain events. In an audit trail
Control over data preparation is important because:
Which of the following is not an advantage of distributed computing vis-à-vis centralised computing?
To properly control access to accounting data held in a Database Management System, the database administrator shou
When the results of production data files processing with a generalized audit software do not agree with the total balance
In residual dumping technique for backup, the records that are backed up are those that have not undergone any change
Transaction logs generally consist of successful transactions. Rejected transactions are printed to a separate log. This se
An insurance company is planning to implement new standard software in all its local offices. The new software has a fas
Which phase of SDLC uses 'Program slicing' technique?
Due Professional Care requires an IS auditor to possess which of the following quality
Which among the following statements about information systems personnel is NOT true?
Which of the following encryption algorithms or schemes is MOST difficult to break?
Which of the following statement is TRUE about an offsite information processing facility?
Which of the following is an upper CASE tool?
In the system development life cycle approach, which of the following is MOST likely to be constant?
In which phase of a system development life cycle would you perform Mutation analysis?
In an audit of the outsourcing process, the IS auditor would LAST perform the task of:
In order to trace data through several application programs, an auditor needs to know what programs use the data, which
Simple Software has just purchased a minicomputer. The make and module selected will allow the company to attach ad
Which of the following physical access control devices would be most effective for a high security installation?
An upper CASE tool is used in :
During a fire in a data centre, an automatic fire suppression system would first:
Identify the EARLIEST software development model
In a situation where a public key cryptosystem is in use, the message sent by the sender is signed by the:
The best control to ensure that a customer uses a debit/credit card carefully is:
The complete information about all data in a database is found in :
The primary advantage of a derived Personal Identification Number (PIN) is that :
Which of the following would not be appropriate to consider in the physical design of a data centre?
Which one of the following is not an operating control:
Prototyping approach to system design is resorted to when
Which of the following actions should be undertaken when plastic debit/credit cards are issued:
Which of the following is NOT TRUE with regard to network reliability enhancement:
The Duties of a Database administrator does NOT comprise of :
Which of the following is not a function of the control section:
As against link encryption, end-to-end encryption cannot protect against
Which one of the following audit techniques would likely provide an Systems Auditor assurance about the effectiveness a
The main difference in terms of control between a manual system and a computer system is:
Which of the following would not be appropriate to consider in the physical design of a data centre?
Which of the following controls would address the concern that data uploaded from a microcomputer to the company's m
When the results of production data files processing with a generalized audit software do not agree with the total balance
Access to the work area restricted through a swipe card or only through otherwise authorised process and when visitors e
For reviewing the physical security of the IPF facility, the necessity of the following document is the LEAST
Logging of transaction is an important means of backup. Which purpose among the following is not served by logging the
Rollback is an effective means of recovering data. In which of the following situations after an error has occurred but man
Which of the following is the most difficult to manage in a SDLC project?
Identify the non-cost factor while analysing feasible system alternatives for an organisation.
The MAIN purpose of having Compensating Controls are to
The Digital Signature system uses the services of an Arbitrator to prevent
While classifying controls on the basis of the operations involved, input control can be classified as
Which of the following physical access control devices would be most effective for a high security installation?
All of the following assumptions about legacy application systems are correct except
As an IS auditor, which would you consider the MOST CRITICAL CONTROL over an employee performing a function.
In order to achieve the requirements of the user, the BEST option in acquiring an off-the-shelf applications software packa
Out of the following pairs of services, which provides an access control over a network of computers
When a store uses a point of sale device to record the sale of an item, which of the following sequences of activities best

Which of the following statements is FALSE for Equipment mean-time-between-failure (MTBF)?
Which one of the following pairs, when performed simultaneously, would pose a major Risk?
The class of control used to monitor inputs and operation is :
Ability to operate on multiple computer types from different vendors is envisaged by
Which of the following techniques ensures an e-mail message's authenticity, confidentiality, integrity and non-repudiation?
An online banking system permitted withdrawals from inactive customer accounts. Which of the following controls would p
Which of the following decisions most likely could not be made on the basis of reports prepared from the maintenance log
Which of the following activities needs to be undertaken first to identify those components of a telecommunications syste
Software metric that deals with measurement of lines of code is:
To properly control access to accounting data held in a Database Management System, the database administrator shou
Concentration technique in a communication network DOES NOT
System Auditor primarily uses, the information provided by a detailed understanding of the Information system controls an
Which of the following does NOT need to be considered in determining statistical sample sizes?
The inherent risk in an applicable system is NOT likely to be influenced by
In evaluation of an organisation's IS strategy, which of the following would an IS auditor consider to be the MOST importa
The validity of a program recalculation could be audited by the following techniques except:
IS security policy of an organisation will not contain details about the following:
Which of the following access rights if allotted to a computer operator, will violate a standard access control rules :
The communication of signals is subjected to noise MOST LIKELY because of
Conditioning of the transmission lines is LEAST effective against
Which phase of SDLC uses Data Flow Diagram?
Identify the EARLIEST software development model
The advantage of an ISO 9001 quality system implementation is:
Which of the following is not a desirable control feature in a modem:
A Data Base Management System locks out a record used by one user, when it is simultaneously accessed by another us
Access to a computer system is conditional upon success of the authentication process. The best methodology of authen
In order to prevent the loss of data during the processing cycle, the First point at which control totals should be implemente
The class of control used to minimise the impact of a threat is :
The functions of operations management relating to the microcomputers in organisations where microcomputers are used
Which of the following instruments is used to measure atmospheric humidity in Data Centres?
Which of the following is NOT an advantage of continuous auditing approach ?
Which of the following would greatly affect the project estimate if any changes made to it while developing a project?
Which one of the following network architectures is designed to provide data services using physical networks that are mo
Personal Computers and Notebook computers have both a floppy disk drive and a hard disk drive. The major difference b
Out of the following pairs of services, which provides an access control over a network of computers
The science of cryptography provides all of the following safeguards except
Which one of the following statements is FALSE?
Which of the following usually is a purpose of a modem:
The IS Control Group is NOT responsible for performing
Which one of the following is not an essential component of a distributed computing environment?
Which one of the following is not a compliance test?
The difference between SCARF and Continuous and Intermittence Simulation (CIS) is :
MAC or message authentication code prevents
Operations audit trail rather than the accounting audit trail is likely to show
Transaction logs generally consist of successful transactions. Rejected transactions are printed to a separate log. This se
Which one would be a material irregularity?
The reason for the IS auditor NOT preparing a formal audit program is :
Which of the following security control is MOST effective to prevent fraud and abuse in the case of electronic fund transfe
Which of the following cryptographic algorithm does both encryption and digital signature?
Active attack on communication network DOES NOT include
What is the most important factor to be considered when comparing system alternatives before making the final selection
In the development life cycle model, the place to start software quality process is:
Identify the wrong statement with respect to structured programming concepts and program modularity.
All computers have a central processing unit (CPU) that works in conjunction with peripheral devices. The function of the
During a review of system access rules, an IS Auditor noted that the System Administrator has unlimited access to all dat
In order to prevent the loss of data during the processing cycle, the First point at which control totals should be implement

The following method of obtaining customer selected PINs does not require the cryptographic generation of a reference n
The most appropriate concurrent audit tool whose complexity is very high and useful when regular processing cannot be i
Uninterrupted Power Supply (UPS) systems are used in computers to reduce the likelihood of :
Which of the following controls would address the concern that data uploaded from a microcomputer to the company's ma
Which of the following statement is FALSE for Equipment mean-time-between-failure (MTBF)?
When a store uses a point of sale device to record the sale of an item, which of the following sequences of activities best
Which of the following tests would be used to ensure whether a software product fails or not?
When the account number is entered into an online banking system, the computer responds with a message that reads: A
The least commonly used medium for local area network (LAN) environment is:
Control over data preparation is important because:
Which of the following data base environment controls enforces access rules in addition to maintaining standardized defin
Computer viruses could be detected by which one of the following actions?
Rollback is an effective means of recovering data. In which of the following situations after an error has occurred but man
The primary consideration for a System Auditor , regarding internal control policies, procedures, and standards available
The Duties of a Computer operations does NOT comprise of :
Which of the following feature may seriously affect or nullify the utility of audit trails for an application system ?
Which of the following is TRUE about Automated Teller Machines (ATMs)?
Which of the following electronic commerce systems handle non-monetary documents?
Which of the following cryptographic algorithm does both encryption and digital signature?
Ring topologies have an edge over bus topologies. Which of the following statements is FALSE?
MAC or message authentication code prevents
Fuzzy logic is most effective when :
Which of the following testing approaches will test the system's ability to withstand misuse by inexperienced users?
Identify the wrong statement with respect to structured programming concepts and program modularity.
Ability to operate on multiple computer types from different vendors is envisaged by
Which one of the following statements concerning microcomputer systems NOT true?
When constructing the communications infrastructure for moving data over a local area network, the major implementatio
Network designers must be able to predict network performance if they are to optimise a network. The probability of a los
It would not be possible to use the Checkpoint/restart facilities when:
A major advantage of associating passwords with users in the access control mechanism, over associating the password
Electronic card access system is used to control access to a data centre. The documentation for this system should be up
In an automated processing system of records, processing control total reconciliation is a type of
In switching over to an Electronic Fund Transfer (EFT) environment, which of the following risks DOES NOT occur?
The internal auditor's first job while trying to identify the components of a telecommunication system posing the GREATES
Which one of the following transmission media is unsuitable for handling intra-building data or voice communications?
Machine maintenance engineers pose some difficult control programs because:
An example for a concurrent audit tool whose complexity is low is :
Passwords belong to the following class of authentication information:
What is the control that should have been in vogue so as to enable detection of a change made in a payroll program by a
Confidentiality of sensitive data transmitted over public communication lines could best be protected by
Which one of the following is not an essential component of a distributed computing environment?
Improper segregation of duties amongst programmers and computer operators may lead to the threat of :
The internet is made up of a series of networks that include
The risk that the conclusion based on a sample might be different from the conclusion based on examination of the entire
Active attack on communication network DOES NOT include
Which of the following activities should not be permitted when operators use a communications network control terminal:
Which of the following best describes feature of statistical sampling?
The Duties of a Database administrator does NOT comprise of :
A computerized system should contain an audit trail of information to facilitate detection of certain events. In an audit trai
To prevent virus attack effectively in an IS environment, the first and the foremost step to be taken is
In an IS environment, routing all links to external systems via a firewall, scanning all diskettes and CDs brought in from ou
Which of the following is not part of an emergency plan?
Rollforward and rollback are two important techniques for backup. Which among the following should be logged for facilita
Identify the item that is not a part of performance guarantees in software contract negotiations.
Identify the wrong statement with respect to structured programming concepts and program modularity.
The database administrator is not responsible for which one of the following functions?

The test of access control, over a distributed database, can be carried out by
A major drawback of a remote dial up network communication system is
Which of the following physical access control devices would be most effective for a high security installation?
Identify the factor that is not part of an expert system architecture.
Implementing a large distributed system involves a number of unique risks arising from both technical and management is
The class of control used to minimise the impact of a threat is :
Which of the following is a common security practice in a LAN.
Which of the following statement is true about a mandatory access control policy?
The objective of compliance testing is to find :
A document-driven approach is used in :
The biggest benefit of prototyping is:
The most important factor while creating test data for checking a system, is :
Which one of the following statements is FALSE?
The best way to delete a highly confidential file from a microcomputer would be by using which of the following:
Use of a local area network has its own restrictions when compared to a wide area network. Which one of the following is
Wiretapping CANNOT easily be done without detection in
In selecting the applications to be audited, which criteria is LEAST likely to be used:
The risk in auditing an information system is dependent on various other risks. Which of the following results in decrease
The Duties of a Computer operations does NOT comprise of :
A computerized system should contain an audit trail of information to facilitate detection of certain events. In an audit trail
For reviewing the physical security of the IPF facility, the necessity of the following document is the LEAST
Which of the following cryptographic algorithm does both encryption and digital signature?
Which one of the following network configurations used by electronic data interchange (EDI) trading partners does not ha
Interference is resisted MOST by
Which of the following testing approaches will test the system's ability to withstand misuse by inexperienced users?
With respect to expert systems, a heuristic is not a:
The comment which is NOT true regarding ISO 9000 is
The duties and role of an IS Steering Committee is:
A brokerage firm is moving into new office premises already equipped with extensive telephone wiring. The firm is plannin
Which of the following is NOT true about a database management system application environment?
Network designers must be able to predict network performance if they are to optimise a network. The probability of a los
For a stand alone system, the best security control is to have
A Data Base Management System locks out a record used by one user, when it is simultaneously accessed by another us
The class of control used to overcome problems before they acquire gigantic proportions is :
The functions of operations management relating to the microcomputers in organisations where microcomputers are used
The main objective of separation of duties is to ensure that:
The manager of the information systems QA function should report to the:
The requirements specification phase needs a lot of operational viewpoint input in the early stage of a system developmen
When implementing local area networks, the major implementation choices involve decisions about all of the following exc
Which of the following software metrics would refer to function points?
Which of the following statements about computer is correct?
Which one of the following testing order is correct?
Which of the following activities should not be permitted when operators use a communications network control terminal:
Where would you handle finite state machines in SDLC?
In determining good preventive and detective security measures practised by an employee, the IS auditor places the HIG
The objective of using System Control Audit Review File (SCARF) within the application is for collecting following informa
Which of the following lines prevents tapping?
Which one would be a material irregularity?
System Auditor primarily uses, the information provided by a detailed understanding of the Information system controls an
Which of the following utilities can be used to directly examine the quality of data in the database:
One of the production supervisors who has got access to the corporate database sold sensitive product pricing informati
A computerized system should contain an audit trail of information to facilitate detection of certain events. In an audit trail
An IS Auditor, concerned that application controls are not adequate to prevent duplicate payment of invoices, decided to r
The control procedure of installing the anti-virus software in the system is called
An IS auditor reviewing an organisation's Business Continuity Plan discovered that the plan provides for an alternate site
Incorrect initialization occurs on account of which of the following faults ?

The comment which is NOT true regarding ISO 9000 is


Information system is broken into various subsystems. Which among the following is NOT a component of the managem
Which of the following functions cannot be performed using a communications network control terminal:
Which one of the following uses a modem technology as a common means of communicating between computers?
Access to an online system running an application program, requires users to validate themselves with a user ID and pas
Because of the sensitivity of its data, a database system for business forecasting was implemented with access control a
Which of the following controls would prevent unauthorized access to specific data elements in a database management
Electronic card access system is used to control access to a data centre. The documentation for this system should be up
In order to achieve the requirements of the user, the BEST option in acquiring an off-the-shelf applications software packa
The following message service provides the strongest protection about the occurrence of a specific action:
There are various techniques for telecommunication controls. Confidentiality of data is BEST maintained by
When a store uses a point of sale device to record the sale of an item, which of the following sequences of activities best
When sending a signed message under a public key infrastructure, the message is encrypted using the:
Which phase of SDLC uses Data Flow Diagram?
Which of the following would NOT be a reason for IS Audit involvement in information systems contractual negotiations?
Echo Check belongs to hardware controls, which usually are those built into the equipment. Echo Check is best described
A PIN if stored for reference purposes, must be stored in:
The work schedule of a clerk in a Control Group is of
Which of the following controls would prevent unauthorized access to specific data elements in a database management
Analyzing data protection requirements for installing a local area network (LAN) does not include:
To examine the existence of the entities described by the data , which of the functional capabilities in the generalised audit
A decision table is used for testing the test data. The purpose of the results stub in the decision table:
Modems do enhance the quality of transmission. Which among the following is NOT a control feature that enhances the q
Logging of transaction is an important means of backup. Which purpose among the following is not served by logging the
An insurance company is planning to implement new standard software in all its local offices. The new software has a fas
The BEST method to verify the data values through the various stages of processing
Active attack on communication network DOES NOT include
Most important risk to be addressed in an electronic data interchange (EDI) transaction is:
In the development life cycle model, the place to start software quality process is:
Which of the following is an upper CASE tool?
Requirement specification errors lead to:
Identify the factor that is not part of an expert system architecture.
The DISADVANTAGE in cross training employees is that:
A normally expected outcome of a business process re-engineering is that:
Control over data preparation is important because:
The least commonly used medium for local area network (LAN) environment is:
The following statement is true about a mandatory access control policy?
An access control review conducted by an IS auditor, highlighted the following control weaknesses in the system. Which o
Due to an important work, the senior computer operator has gone on a leave for ten days. In his place, the security officer
Identify the factor that is not part of an expert system architecture.
Network performance monitoring tools will MOST affect which of the following?
The major risk in prototyping model is :
When a store uses a point of sale device to record the sale of an item, which of the following sequences of activities best
Which of the following statement is true about a mandatory access control policy?
Ability to operate on multiple computer types from different vendors is envisaged by
An electronic device that combines data from several low speed communication lines into a single high-speed line is a :
Which one of the following network types will play an important role in implementing E-commerce?
In unit testing, which one of the following can be mechanised?
Which one of the following is not an essential component of a distributed computing environment?
Employees are compulsorily asked to proceed on a week long vacation in many organisations to
Which of the following best describes feature of statistical sampling?
Interference is resisted MOST by
Rollforward and rollback are two important techniques for backup. Which among the following should be logged for facilita
Which one of the following is not a compliance test ?
The main difference between manual and computerized systems in so far as separation of duties is concerned is :
The Duties of a Database administrator does NOT comprise of :

The best way to delete a highly confidential file from a microcomputer would be by using which of the following:
To effectively prevent intrusion, usually the following controls are established. Of this which control BEST detects intrusion
The following measures will protect the computer systems from virus attack EXCEPT:
Password control procedures incorporate all the following features EXCEPT
Which of the following is TRUE about Electronic Data Interchange (EDI) application system?
In the case of message encryption, which of the following is more secure?
Identify the cost that does NOT form part of software package installation or implementation cost?
During the detailed design phase of SDLC, which one of the following tasks performed?
A major drawback of a remote dial up network communication system is
Which of the following physical access control devices would be most effective for a high security installation?
Confidentiality of sensitive data transmitted over public communication lines could best be protected by
The major risk in prototyping model is :
The software test objective of operating in different platforms is achieved by conducting:
When sending a signed message under a public key infrastructure, the message is encrypted using the:
Which of the following incidents can seriously damage a digital signature system?
Which of the following is NOT a proper responsibility of functional users.
Which of the following types of subversive attacks on a communication network is not an active attack:
Which one of the following poses a major threat in using remote workstations?
Which one of the following statements is FALSE?
Which of the following is NOT an input control objective?
Which of the following would not be considered a characteristic of a private key cryptosystem?
The DES is an example of a:
In determining good preventive and detective security measures practised by an employee, the IS auditor places the HIG
In evaluating and reviewing the effectiveness of the management's communication of IS policies to concerned personnel
Control over data preparation is important for :
Which one would be a material irregularity?
In selecting the applications to be audited, which criteria is LEAST likely to be used:
Which of the following does NOT need to be considered in determining statistical sample sizes?
The BEST and reliable form of evidence that assists the IS auditor to develop audit conclusions is :
Segregation of duties is TRUE in which of the following cases ?
One of the production supervisors who has got access to the corporate database sold sensitive product pricing informatio
Link encryption in communication of signals
In the case of a bank teller the access control policy is an example of:
The programmed check that ensures that required fields on a data entry screen are NOT left blank is
Information system is broken into various subsystems. Which among the following is NOT a component of the application
Uninterruptible power supplies are used in computer centers to reduce the likelihood of :
Which one of the following is not an operating control:
Which of the following is not a desirable property of a cipher system:
The primary advantage of the list-oriented approach to authorisation is:
The following method of PIN validation seems to result in the fewest control problems?
An online banking system permitted withdrawals from inactive customer accounts. Which of the following controls would p
Uninterrupted Power Supply (UPS) systems are used in computers to reduce the likelihood of :
Which of the following is FALSE with regard to a public key cryptosystem?
Which one of the following pairs ,when performed simultaneously, would pose a major Risk?
Which one of the following poses a major threat in using remote workstations?
A software metric will NOT define which one of the following?
Software quality assurance process does NOT undertake:
In evaluation of an organisation's IS strategy, which of the following would an IS auditor consider to be the MOST importa
A company has policy to purchase microcomputer software only from recognized vendors and prohibit employees from ins
The following is an advantage of using link encryption
Which of the following is not a function of operations management:
User interface prototyping may NOT focus on :
Which of the following data base environment controls enforces access rules in addition to maintaining standardized defin
When the results of production data files processing with a generalized audit software do not agree with the total balance
OSI model of ISO presents a model of seven layers through which data communication across computers passes. Encry
Which of the following activities should not be permitted when operators use a communications network control terminal:

The most important factor while creating test data for checking a system, is :
Which of the following does NOT need to be considered in determining statistical sample sizes?
Which of the following cryptographic algorithm does both encryption and digital signature?
Concentration technique in a communication network DOES NOT
While preparing a cost benefit analysis of a security objective for an electronic data interchange (EDI) transaction, which
An upper CASE tool is used in :
A document-driven approach is used in :
In the system development life cycle approach, which of the following is MOST likely to be constant?
In an audit of the outsourcing process, the IS auditor would LAST perform the task of:
Which of the following would not be considered a characteristic of a private key cryptosystem?
Control over data preparation is important because:
When a compliance failure occurs, QA personnel should:
The public audit trail of a Digital Signature system will not contain which of the following?
Within an EDI system which of the following is used to determine non-repudiation? Only Digital signatures can ensure no
In general, output controls over reports of batch systems would be more compared with that of online systems because:
In preventing unauthorised access to a computer file from a remote terminal, which of the following controls can be used w
ne main reason for using Redundant Array of Inexpensive Disks (RAID) is :
The basic purpose of an IS audit is :
When sending a signed message under a public key infrastructure, the message is encrypted using the:
Which of the following decisions most likely CANNOT BE made on the basis of performance monitoring statistics that are
Machine maintenance engineers pose some difficult control programs because:
Identify the document which is LEAST effective during the acceptance test of applications software.
When a store uses a point of sale device to record the sale of an item, which of the following sequences of activities best
Which one of the following protocols is used by the Internet?
Which one of the following techniques is represented by structured analysis and design?
Which of the following is addressed by software configuration management as part of Software quality assurance?
In general, mainframe computer production programs and data are adequately protected against unauthorized access. C
After you enter a purchase order in an on-line system, you get the message, The request could not be processed due to
Which of the following decisions most likely cannot be made on the basis of performance monitoring statistics that are ca
Which of the following functions cannot be performed using a communications network control terminal:
Which of the following is not an advantage of distributed computing vis-à-vis centralised computing?
A company uses a wide area network (WAN) to allow salesmen in the field to remotely log onto to the office server using
Which of the following is likely to be a benefit of electronic data interchange (EDI)
The duties of a Data Security Officer does NOT comprise of :
Which of the following conditions lead to increase in white noise:
Rollback is easily accomplished with differential file backup technique for which of the following reasons?
One of the production supervisors who has got access to the corporate database sold sensitive product pricing informatio
Which of the following encryption algorithms or schemes is MOST difficult to break?
Which of the following testing approaches will test the system's ability to withstand misuse by inexperienced users?
Which of the following system life factors is most difficult to control by a user organization?
The software test objective of operating in different platforms is achieved by conducting:
The requirements specification phase needs a lot of operational viewpoint input in the early stage of a system developme
Implementation and maintenance of new and existing systems with the aid of programmers and analysts is the responsib
Simple Software has just purchased a minicomputer. The make and module selected will allow the company to attach ad
A major drawback of a remote dial up network communication system is
Ability to operate on multiple computer types from different vendors is envisaged by
For electronic-Commerce deals through web-based transactions involving acceptance of payment through credit cards, in
In which phase of SDLC Desk Checking is practiced?
The functions of operations management relating to the microcomputers in organisations where microcomputers are used
Which of the following functions SHOULD NOT BE combined with Control Group.
During an audit of the tape management system at a data center, an IS auditor discovered that some parameters are set
One main reason for using Redundant Array of Inexpensive Disks (RAID) is :
When a new system is envisaged to replace a legacy application system, the next step that requires a detailed analysis is
Which of the following tests would be used to ensure whether a software product fails or not?
The duty of the Quality Assurance Group is
End-to-end encryption provides only limited protection against a subversive attack that uses:

A company's management wants to implement a computerised system to facilitate communications among auditors, who
Which among the following is NOT true of star topologies?
The primary consideration for a System Auditor , regarding internal control policies, procedures, and standards available
Substantive Testing and Compliance Testing can be best differentiated as :
An IS auditor carrying out review of logical access control, shall have the PRIMARY OBJECTIVE of
The IS security policy of a company usually incorporates all of the following features EXCEPT
Which of the following access rights if allotted to a computer operator, will violate a standard access control rules :
Which of the following should be verified by an IS auditor reviewing a Business Continuity Plan?
An IS Auditor carrying out security review for verification of the implementation of certain security measures, will be LEAS
Which of the following statement is TRUE about an offsite information processing facility?
Which among the following is NOT true of star topologies?
What makes Rapid prototyping technique portable?
Which of the following computer technologies is a major shift in the development and maintenance of application systems
The main focus of the graphical user interface (GUI) environments is:
Implementation and maintenance of new and existing systems with the aid of programmers and analysts is the responsib
Which of the following characteristics is not associated with a public key cryptosystem?
A public key cryptosystem uses:
IS Auditor performing a security review will perform all the following steps. However he will begin with
Abuse of information system (IS) is BEST described as :
Confidentiality and data integrity services are provided in a network in which of the following layers of the ISO/OSI model?
Implementing a large distributed system involves a number of unique risks arising from both technical and management is
When users of an information system are dispersed over a wide area and are authorized to use dial-up lines for getting ac
Which of the following functions SHOULD NOT BE combined with Control Group.
Which of the following is NOT TRUE about a database management system application environment?
The main objective of separation of duties is to ensure that:
The software test objective of operating in different platforms is achieved by conducting:
Ability to operate on multiple computer types from different vendors is envisaged by
The biggest benefit of prototyping is:
Echo Check belongs to hardware controls, which usually are those built into the equipment. Echo Check is best described
Which one of the following statements is FALSE?
A majority of defects are attributed to a few number of causes. Which of the following basic tools would BETTER depict t
In monitoring and controlling a system development life cycle project what is NOT formal and documented?
What is the control that should have been in vogue so as to enable detection of a change made in a payroll program by a
An online banking system permitted withdrawals from inactive customer accounts. Which of the following controls would p
As organisations move to implement EDI, more of them are turning to the use of value added networks (VANs). Which of
System Auditor primarily uses, the information provided by a detailed, understanding of the Information system controls a
In evaluating and reviewing the effectiveness of the management's communication of IS policies to concerned personnel
Software metric that deals with measurement of lines of code is:
Dual protection or mirroring of servers mitigates the exposures from
Which one of the following statements is correct with regard to reciprocal processing agreement?
Which of the following activities is undertaken during data preparation:
When the Auditor uses generalised audit software to access a data maintained by a database management system, whic
The risk in auditing an information system is dependent on various other risks. Which of the following results in decrease
Can an IS auditor of a company outsourcing its operations insist to review the vendor's Business Continuity plan docume
In an IS environment, routing all links to external systems via a firewall, scanning all diskettes and CDs brought in from ou
All of the following assumptions about legacy application systems are correct except
As organisations move to implement EDI, more of them are turning to the use of value added networks (VANs). Which of
In today s business environment one can hardly find a company without a computer. But an IPF (Information processing f
The most appropriate audit strategy for a large organisation which relies on comprehensive user controls over the micro c
During the detailed design phase of SDLC, which one of the following tasks performed?
For a high security installation the most effective physical access control devices is
Identify the cost that does NOT form part of software package installation or implementation cost?
In an automated processing system of records, processing control total reconciliation is a type of
In Information Technology projects, which of the following factors is most crucial?
In switching over to an Electronic Fund Transfer (EFT) environment, which of the following risks DOES NOT occur?
The installation of a database management system (DBMS) does not have any direct impact on :

Which of the following is NOT included in the digital certificate:


The class of control used to monitor inputs and operation is :
The main objective of separation of duties is to ensure that:
Confidentiality and data integrity services are provided in a network in which of the following layers of the ISO/OSI model?
Which would ensure that IS organizations do not take more resources for less output?
In general, mainframe computer production programs and data are adequately protected against unauthorized access. C
Control over data preparation is important because:
When using message switching in a communication network, the following is not a desirable control?
Which one would be a material irregularity?
A company has entered into a contract with a service provider to outsource network and desktop support, and the relation
Which one would be a material irregularity?
For an effective implementation of a continuous monitoring system, which of the following is identified as the FIRST and F
In general, mainframe computer production programs and data are adequately protected against unauthorized access. C
The password administration procedure should be based on the following principle in implementing access control:
A main advantage of a standard access control software implemented properly is
Which of the following is TRUE about Automated Teller Machines (ATMs)?
Which one of the following is performed FIRST in a system development life cycle project?
An upper CASE tool is used in :
The comment which is NOT true regarding ISO 9000 is
In an IS based on computerized environment, the audit trail is
A detective control designed to establish the validity and appropriateness of numeric data elements, and to guard against
In general, output controls over reports of batch systems would be more extensive than those of online systems because:
A Data Base Management System locks out a record used by one user, when it is simultaneously accessed by another us
An access control policy for a Customer Service Representative in a banking application is an example of the implementa
For electronic-Commerce deals through web-based transactions involving acceptance of payment through credit cards, in
In Information Technology projects, which of the following factors is most crucial?
Network performance monitoring tools will MOST affect which of the following?
The science of cryptography provides all of the following safeguards except
Which of the following functions SHOULD NOT BE combined with that of the Systems Analyst
Which of the following is not a major benefit of applications software prototyping?
With respect to AI, a heuristic refers to :
An MIS Manager has only enough resources to install either a new payroll system or a new data security system, but not b
Confidentiality and data integrity services are provided in a network in which of the following layers of the ISO/OSI model?
Which one of the following is the most essential activity for effective computer capacity planning:
The following is an advantage of using link encryption
If fraud or errors are suspected in the population, the auditor would use:
Which of the following lines prevents tapping?
OSI model of ISO presents a model of seven layers through which data communication across computers passes. Encry
Rollback is easily accomplished with differential file backup technique for which of the following reasons?
Control over data preparation is important for :
Which of the following statistical selection techniques is least desirable for use by the IS auditor?
When the account number is entered into an online banking system, the computer responds with a message that reads:
Which of the following factors would bring down the risks most in Joint Application Design (JAD) meetings?
Identify the test-case design technique that is used in unit and integration testing of applications software.
The advantage of an ISO 9001 quality system implementation is:
The effectiveness of an information system shall normally be measured in terms of
Replacing the manual system with a computerized system is MORE likely to result in the assets and records
A computer can call into primary storage only that portion of a program and data needed immediately while storing the rem
Removing sequences of extraneous zeros or spaces in a file is an application of:
Network designers must be able to predict network performance if they are to optimise a network. The probability of a los
Which one of the following uses modem technology as a common means of communicating between computers?
To effectively implement the principle of least privilege, it is necessary to have:
Retention date on magnetic tape files would:
In switching over to an Electronic Fund Transfer (EFT) environment, which of the following risks DOES NOT occur?
The DES is an example of a:
The Digital Signature system uses the services of an Arbitrator to prevent
Which phase of SDLC uses Data Flow Diagram?
Which type of cipher has the highest work factor?
You as an IS Auditor observed that technical support personnel have unlimited access to all data and program files in the
The main objective of separation of duties is to ensure that:
Which one of the following local area network devices functions as a data regenerator?
Passwords belong to the following class of authentication information:
Which of the following tests would be used to ensure whether a software product fails or not?
Which would ensure that IS organizations do not take more resources for less output?
Which of the following is not an important control step of the input/output control group?
The primary objective of security software is to:
Which of the following activities should not be permitted when operators use a communications network control terminal:
Which is the primary reason for replacing cheques with Electronic Funds Transfer (EFT) systems in the accounts payable
Several risks are inherent in the evaluation of evidence that has been obtained through the use of statistical sampling. A b
Which one would be a material irregularity?
Generalised Audit Software (GAS) are NOT used for:
During the review of logical access controls over a company's various application systems, an auditor found that access c
The first step in the installation of an information security program is the
Wiretapping CANNOT easily be done without detection in
In residual dumping technique for backup, the records that are backed up are those that have not undergone any change
A less formal review technique is:
"Availability of computer time" is taken care of in which part of the Project Planning and scheduling ?
Identify the cost that does NOT form part of software package installation or implementation cost?
Customer details like address changes etc are being used in too many mainframe application systems calling for a great
What is the major risk that is faced by a user organization during system integration projects?
The MAIN purpose of having Compensating Controls is to
Which of the following statements relating to packet switching networks is True?
To determine the authorized sign on in an EDI transaction, the EDI system uses the following method
An apparent error in input data describing an inventory item was detected and the issue was referred back to the originatin
During the detailed design phase of SDLC, which one of the following tasks is performed?
Machine maintenance engineers pose some difficult control problems because:
Out of the following pairs of services, which provides an access control over a network of computers
The internal auditor's first job while trying to identify the components of a telecommunication system posing the GREATES
Which of the following converts digital pulses from the computer into frequencies within the audio signals
Which of the following is not true in respect of Expert systems?
A majority of defects are attributed to a small number of causes. Which of the following basic tools would BETTER depict th
Which one of the following techniques is represented by structured analysis and design?
To which one of the following issues that an information systems (IS) auditor participating in a system development life cy
The technique employed in packet switching mode of transmission is:
Which of the following is not an important control step of the input/output control group?
Which of the following risks is not greater in an electronic funds transfer (EFT) environment than in a manual system usin
Which one of the following is not a compliance test?
Personal Computers and Notebook computers have both a floppy disk drive and a hard disk drive. The major difference b
The activity of detective control in detecting virus relates to
Testing of the accuracy of the interest collected on lending by a financial institution is a/an
To properly control access to accounting data held in a Database Management System, the database administrator shou
Where a transaction processing application is very complex, involving many sources of data capture and many routes for
The following measures will protect the computer systems from virus attack EXCEPT:
For reviewing the physical security of the IPF facility, the necessity of the following document is the LEAST
Which of the following is not part of an emergency plan?
Most important risk to be addressed in an electronic data interchange (EDI) transaction is:
An upper CASE tool is used in :
The DISADVANTAGE in cross training employees is that:
When encryption is used in the communication subsystem, the primary purpose of an error propagation code is to protec
The presence of a Quality Assurance (QA) function has an effect on the auditor's function. Which of the following stateme
To which of the following resource types are the most complex action privileges assigned?
Duplication of submitting corrections to errors could be prevented by:
Which of the following controls would prevent unauthorized access to specific data elements in a database management
A major design consideration for local area networks that replaces stand alone computing in an organisation include:
An access control policy for a Customer Service Representative in a banking application is an example of the implementa
Hardware controls are important to IS auditors for they:
Identify the technique that mostly prevents a system failure from occurring or facilitates quick recovery from failures.
Implementing a large distributed system involves a number of unique risks arising from both technical and management is
Machine maintenance engineers pose some difficult control problems because:
Of the following, the most critical component in a LAN is likely to be the:
The major risk in prototyping model is :
The principle of least privilege is an important concept in access controls of a network. Among the four enumerated here, w
The technical support personnel should have unlimited access to all data and program files to do their job. Which of the f
Which of the following converts digital pulses from the computer into frequencies within the audio signals
Availability of computer time is taken care of in which part of the Project Planning and scheduling ?
The following is NOT a desirable property of a cipher system:
Which of the following tests address the interaction and consistency issues of successfully tested parts of a system?
Transaction logs generally consist of successful transactions. Rejected transactions are printed to a separate log. This se
The snapshot technique involves:
While reviewing the outsourcing agreement with an external agency, the IS auditor would be LEAST interested in verifying
The duties of computer operations do NOT comprise:
An IS auditor carrying out review of logical access control, shall have the PRIMARY OBJECTIVE of
Which of the following statement is TRUE about an offsite information processing facility?
What is the most important factor to be considered when comparing system alternatives before making the final selection
In determining good preventive and detective security measures practised by an employee, the IS auditor places the HIG
A Systems Analyst's duties and roles comprise:
Which of the following statements regarding security concerns for lap top computers is NOT false?
Which of the following is not a function of the control section:
The least commonly used medium for local area network (LAN) environment is:
The following is not a desirable property of a cipher system:
The most appropriate audit strategy for a large organisation which relies on comprehensive user controls over the micro c
Access to an online system running an application program, requires users to validate themselves with a user ID and pas
Errors in an information system based on computers are less tolerable than in a manual system primarily because:
For a high security installation the most effective physical access control device is
In a Bank, the updating programme for bank account balances calculates check digit for account numbers. This procedure
The main objective of separation of duties is to ensure that:
What would you use to enforce integration rules so as to integrate one component with another?
Which of the following is NOT a proper responsibility of functional users.
Which of the following is NOT included in the digital certificate:
Which one of the following transmission media is unsuitable for handling intra-building data or voice communications?
Which of the following is NOT a proper responsibility of functional users.
Identify the document which is LEAST effective during the acceptance test of applications software.
Which of the following activities would NOT be performed by control section personnel when they collect the output of a b
Where access control mechanism is implemented in an open environment, the users are allowed to access a resource:
In monitoring and controlling a system development life cycle project what is NOT formal and documented?
The major difference between a client/server and a mainframe-based application may NOT be likely to occur with regard to
A company has policy to purchase microcomputer software only from recognized vendors and prohibit employees from in
Which one of the following is not a compliance test?
Testing of the accuracy of the interest collected on lending by a financial institution is a/an
Control of employee activities in a computerized environment is, vis-à-vis manual systems,
One of the production supervisors who has got access to the corporate database sold sensitive product pricing informatio
The primary objective of security software is to:
The following is NOT a pre-requisite for installing a new anti-virus software
The communication of signals is subjected to noise MOST LIKELY because of
In the case of a bank teller the access control policy is an example of:
Which one of the following errors will occur because of overflow conditions?
What makes Rapid prototyping technique portable?
Customer details like address changes etc are being used in too many mainframe application systems calling for a great
A Systems Analyst's duties and roles comprise:
As organisations move to implement EDI, more of them are turning to the use of value added networks (VANs). Which of
Which of the following statements is (are) correct regarding the Internet as a commercially viable network
While down sizing a material inventory system, data center personnel considered redundant array of inexpensive disks (R
Confidentiality of sensitive data transmitted over public communication lines could best be protected by
Identify the one that is NOT a key concept of object-oriented technology.
Prototyping approach to system design is resorted to when
The internal auditor's first job while trying to identify the components of a telecommunication system posing the GREATES
Which of the following is not a function of operations management:
An MIS Manager has only enough resources to install either a new payroll system or a new data security system, but not b
When a new system is envisaged to replace a legacy application system, the next step that requires a detailed analysis is
Which of the following would not be appropriate to consider in the physical design of a data centre?
Confidentiality of sensitive data transmitted over public communication lines could best be protected by
A company has policy to purchase microcomputer software only from recognized vendors and prohibit employees from ins
A brokerage firm is moving into new office premises already equipped with extensive telephone wiring. The firm is plannin
System Auditor primarily uses the information provided by a detailed understanding of the Information system controls a
A decision table is used for testing the test data. The purpose of the results stub in the decision table is:
Control over data preparation is important for :
The risk that the conclusion based on a sample might be different from the conclusion based on examination of the entire
In determining the sample size for a test of control using attribute sampling, a System Auditor would be least concerned wit
Evaluation of which of the following functional areas CANNOT be carried out by risk assessment techniques.
The basic character / purpose of an audit charter is best described by which of the following.
Substantive Testing and Compliance Testing can be best differentiated as :
Exposure that could have been caused by the line-grabbing technique is
In residual dumping technique for backup, the records that are backed up are those that have not undergone any change
Which one of the following documents would be least effective in performing unit testing of an applications software?
Which of the following is the most difficult to manage in a SDLC project?
In which of the following phases of a system development life cycle are decision tables used?
In which phase of a system development life cycle would you perform Mutation analysis?
Packet switching is an example of:
When using message switching in a communication network, the following is not a desirable control?
Which of the following activities would not be performed by control section personnel when they collect the output of a ba
Which of the following statements applies to a capability-based approach to authorisation?
During a review of system access rules, an IS Auditor noted that the System Administrator has unlimited access to all dat
Accounts Receivable Section personnel for a manufacturer frequently access computer data on customer and product sa
Identify the contractual provision that is objective and enforceable among the parties involved in a system development li
Which of the following is NOT included in the digital certificate:
Which one of the following is not an operating control:
Ability to operate on multiple computer types from different vendors is envisaged by
An Information System Auditor observed that technical support personnel have unlimited access to all data and program f
Which one of the following protocols is used by the Internet?
Which one of the following metrics deal with "number of entries/exits per module" ?
Can an IS auditor of a company outsourcing its operations insist to review the vendor's Business Continuity plan documen
The duties of computer operations do NOT comprise:
Which of the following activities would not be performed by control section personnel when they collect the output of a ba
Which of the following is not a function of operations management:
Several risks are inherent in the evaluation of evidence that has been obtained through the use of statistical sampling. A b
The advantage of tagging live transactions in an Integrated Test Facility (ITF) as against designing new test data is that:
Which among the following is NOT a serious problem in a ring topology based LAN?
Transaction logs generally consist of successful transactions. Rejected transactions are printed to a separate log. This se
Internal controls are not designed to provide reasonable assurance that:
When the Auditor uses generalised audit software to access a data maintained by a database management system, whic
The BEST and reliable form of evidence that assists the IS auditor to develop audit conclusions is :
The application run manual would normally comprise:
In a central computer system users specify where their output is printed, but some users give the wrong destination code
A compensating control for the weakness in access controls is the daily review of log files. The IS Auditor reviewing the ad
Which of the following system life factors is most difficult to control by a user organization?
Identify the item that is not a part of performance guarantees in software contract negotiations.
The programmed check that ensures that required fields on a data entry screen are NOT left blank is
Packet switching is an example of:
To effectively implement the principle of least privilege, it is necessary to have:
For a high security installation the most effective physical access control devices is
The public audit trail of a Digital Signature system will not contain which of the following?
In an automated processing system of records, processing control total reconciliation is a type of
Which of the following control objectives is violated when proprietary software or corporate data is stolen:
An audit technique used to select items from a population for audit testing purposes based on the characteristics is terme
The installation of a database management system (DBMS) does not have any direct impact on :
Which of the following applet intrusion issues poses the GREATEST risk of disruption to an organisation?
Which of the following steps provide the highest assurance in achieving confidentiality, message integrity and non-repudia
Which one of the following is ideally suited for multimedia applications?
Identify the document which is LEAST effective during the acceptance test of applications software.
A large organization with numerous applications running on its mainframe system is experiencing a growing backlog of un
Where access control mechanism is implemented in an open environment, the users are allowed to access a resource:
Which of the following statement is FALSE for Equipment mean-time-between-failure (MTBF)?
Which one of the following testing orders is correct?
Software quality assurance process does NOT undertake:
The work schedule of a clerk in a Control Group is of
A Data Base Management System locks out a record used by one user, when it is simultaneously accessed by another us
Which of the following controls would prevent unauthorized access to specific data elements in a database management
One of the production supervisors who has got access to the corporate database sold sensitive product pricing informatio
Which one of the following is not part of a computer capacity management function?
Which of the following lines prevents tapping?
Personal Computers and Notebook computers have both a floppy disk drive and a hard disk drive. The major difference b
Introduction of computer-based information system has affected auditing. Which of the following is NOT an effect of IS on
To properly control access to accounting data held in a Database Management System, the database administrator shou
MAC or message authentication code prevents
Identify the wrong statement with respect to structured programming concepts and program modularity.
A Systems Analyst's duties and roles comprise:
An advantage of outsourcing data processing activities in a company is obtained by:
Which of the following activities needs to be undertaken first to identify those components of a telecommunications syste
Which of the following decisions most likely cannot be made on the basis of performance monitoring statistics that are ca
Output control is best described by which of the following?
During a review of system access rules, an IS Auditor noted that the System Administrator has unlimited access to all dat
Retention date on magnetic tape files would:
Which of the following control objectives is violated when proprietary software or corporate data is stolen:
The class of control used to monitor inputs and operation is :
Which of the following events is recorded on a public audit trail in a digital signature system?
Which of the following incidents can seriously damage a digital signature system?
Which of the following is not true in respect of Expert systems?
Which one of the following techniques is represented by structured analysis and design?
A competitor would gain by accessing sensitive operating information stored on computer files. Which of the following con
How the control in a loan processing edit program which ensures a logical relationship between the amount advanced, the
In which phase of SDLC would you use software sneak circuit analysis?
In evaluating and reviewing the effectiveness of the management's communication of IS policies to concerned personnel,
The snapshot technique involves:
In an accounts payable system, clerks who enter invoices for payment also maintain the file containing valid vendor code
Link encryption in communication of signals
Internet was established NOT for
Rollforward and rollback are two important techniques for backup. Which among the following should be logged for facilita
When the Auditor uses generalised audit software to access a data maintained by a database management system, whic
The IS Control Group is NOT responsible for performing
To disable easy detection of password, it should be arranged in the following convention as shown below:
A main advantage of a standard access control software implemented properly is
Rollback is an effective means of recovering data. In which of the following situations after an error has occurred but man
The objective of software quality assurance is not:
Maintenance of adequate security measures over IS assets and accountability for the same rests with the:
A company uses a wide area network (WAN) to allow salesmen in the field to remotely log on to the office server using
A brokerage firm is moving into new office premises already equipped with extensive telephone wiring. The firm is plannin
Which of the following decisions most likely cannot be made on the basis of performance monitoring statistics that are ca
The DES is an example of a:
Which of the following is most unlikely to be a reason for having QA personnel responsible for formulating, promulgating,
The designer of a cryptosystem is called a:
The primary advantage of the list-oriented approach to authorisation is:
Access to an online system running an application program, requires users to validate themselves with a user ID and pas
Abuse of information system (IS) is BEST described as :
A sampling technique that estimates the amount of overstatement in an account balance is termed as :
An electronic device that combines data from several low speed communication lines into a single high-speed line is a :
In an automated processing system of records, processing control total reconciliation is a type of
In switching over to an Electronic Fund Transfer (EFT) environment, which of the following risks DOES NOT occur?
The software test objective of operating in different platforms is achieved by conducting:
Which of the following is NOT a desirable property of a cipher system:
Which of the following is NOT a proper responsibility of functional users.
A software metric will NOT define which one of the following?
The major difference between a client/server and a mainframe-based application may NOT be likely to occur with regard to w
Which of the following is NOT an input control objective?
In which phase of SDLC would you use software sneak circuit analysis?
User interface prototyping may NOT focus on :
The snapshot technique involves:
The difference between SCARF and Continuous and Intermittent Simulation (CIS) is:
In evaluation of an organisation's IS strategy, which of the following would an IS auditor consider to be the MOST importa
During the review of logical access controls over a company's various application systems, an auditor found that access c
Which of the following would be of great concern to an auditor reviewing a policy about selling a company's used microco
In general, mainframe computer production programs and data are adequately protected against unauthorized access. C
OSI model of ISO presents a model of seven layers through which data communication across computers passes. Encry
In the development life cycle model, the place to start software quality process is:
Which of the following is the most difficult to manage in a SDLC project?
Identify the test-case design technique that is used in unit and integration testing of applications software.
A Systems Analyst's duties and roles comprise:
Which of the comments about Business Process Re-engineering (BPR) is NOT false?
A company's management wants to implement a computerised system to facilitate communications among auditors, who
Packet switching is an example of:
While down sizing a material inventory system, data center personnel considered redundant array of inexpensive disks (R
Which of the following is not an audit objective in the review of hardware acquisition?
Which of the following is not a function of operations management:
Which of the following terms best describes the purpose of control practice over the input
A document-driven approach is used in:
In data processing, which of the following causes the maximum losses
Passwords belong to the following class of authentication information:
Information technology pilot projects envisage which of the following concepts?
Which one of the following is NOT an essential component of a distributed computing environment?
Which one of the following maintenance aspects would greatly ensure the currency of the plan as time passes?
In order to achieve more perfection of an already working software system, what method will be adopted?
Segregation of duties is TRUE in which of the following cases ?
When constructing the communications infrastructure for moving data over a local area network, the major implementation
Which of the following is NOT an input control objective?
As organisations move to implement EDI, more of them are turning to the use of value added networks (VANs). Which of
A decision table is used for testing the test data. The purpose of the results stub in the decision table is:
Which of the following is not a substantive test:
Which one of the following statements is correct with regard to a reciprocal processing agreement?
Which of the following actions provides the IS Auditor with the greatest assurance that certain weaknesses in internal con
While reviewing the outsourcing agreement with an external agency, the IS auditor would be LEAST interested in verifying
A computerized system should contain an audit trail of information to facilitate detection of certain events. In an audit trail
The logical access exposure involving data changing before and/or while being entered into the computer is called
Which of the following systems are MOST important for business resumption following a disaster?
In the case of electronic funds transfer (EFT), which one of the following is MOST vulnerable to fraud and physical attack
Which among the following is NOT a serious problem in a ring topology based LAN?
In residual dumping technique for backup, the records that are backed up are those that have not undergone any change
Rollback is an effective means of recovering data. In which of the following situations after an error has occurred but many
Which one of the following reasons is the most important to retain a legacy application system?
Which of the following testing approaches will test the system's ability to withstand misuse by inexperienced users?
Identify the wrong statement with respect to structured programming concepts and program modularity.
The biggest benefit of prototyping is:
Implementation and maintenance of new and existing systems with the aid of programmers and analysts is the responsib
Which of the following decisions most likely cannot be made on the basis of performance monitoring statistics that are ca
Staffing the QA function is often difficult because:
An example for a concurrent audit tool whose complexity is low is :
An IS auditor performing a telecommunication access control review would focus the MOST attention on the:
Identify the non-cost factor while analysing feasible system alternatives for an organisation.
In switching over to an Electronic Fund Transfer (EFT) environment, which of the following risks DOES NOT occur?
Machine maintenance engineers pose some difficult control programs because:
The following statement about controls over computer operators is true:
One of the production supervisors who has got access to the corporate database sold sensitive product pricing informatio
A computerized system should contain an audit trail of information to facilitate detection of certain events. In an audit trail
Which of the following terms is commonly used for the agreement about packaging and interpreting both data and control
Which of the following is not an advantage of distributed computing vis-à-vis centralised computing?
The FIRST and preliminary step in the process of information security program establishment is :
Modems do enhance the quality of transmission. Which among the following is NOT a control feature that enhances the q
Link encryption in communication of signals
Which one of the following audit techniques would likely provide an Systems Auditor assurance about the effectiveness a
Which of the following is not a substantive test:
Introduction of computer-based information system has affected auditing. Which of the following is NOT an effect of IS on
The duties of Computer operations do NOT comprise:
In a central computer system users specify where their output is printed, but some users give the wrong destination code
The validity of a program recalculation could be audited by the following techniques except:
Where a transaction processing application is very complex, involving many sources of data capture and many routes for
An IS Auditor carrying out security review for verification of the implementation of certain security measures, will be LEAS
Which of the following electronic commerce systems handle non-monetary documents?
Rollback is easily accomplished with differential file backup technique for which of the following reasons?
Which one of the following reasons is the most important to retain a legacy application system?
Which phase of SDLC uses Data Flow Diagram?
Information system is broken into various subsystems. Which among the following is NOT a component of the application
Which one of the following is not an essential component of a distributed computing environment?
The least commonly used medium for local area network (LAN) environment is:
For a stand alone system, the best security control is to have
Access to an online system running an application program, requires users to validate themselves with a user ID and pas
A major advantage of associating passwords with users in the access control mechanism, over associating the password
Identify the document which is LEAST effective during the acceptance test of applications software.
In a Bank, the updating programme for bank account balances calculates check digit for account numbers. This procedure
In the system development life cycle approach, which of the following is MOST likely to be constant?
Network performance monitoring tools will MOST affect which of the following?
Software piracy is a common threat to an organization and so while choosing an application software package what shoul
The main objective of separation of duties is to ensure that:
Which of the following statements about automated operations facility parameters is not true?
Which one of the following protocols is used by the Internet?
During an audit of the tape management system at a data center, an IS auditor discovered that some parameters are set
Which of the following is FALSE with regard to a public key cryptosystem?
Which of the following usually is a purpose of a modem:
Which of the following is addressed by software configuration management as part of Software quality assurance?
Which of the following lines prevents tapping?
System Auditor primarily uses, the information provided by a detailed understanding of the Information system controls an
Which of the following utilities can be used to directly examine the ability of the program to maintain data integrity?
The BEST and reliable form of evidence that assists the IS auditor to develop audit conclusions is :
An IS Auditor, concerned that application controls are not adequate to prevent duplicate payment of invoices, decided to r
The validity of a program recalculation could be audited by the following techniques except:
Before disposing of the PC used for storing confidential data the most important precautionary measure to be taken is
A main advantage of a standard access control software implemented properly is .
MAC or message authentication code prevents
Requirement specification errors lead to:
After the system is developed, the auditor's objective in conducting a general review is to
During the detailed design phase of SDLC, which one of the following tasks is performed?
As compared with other Information Systems, Executive Information Systems does NOT have the characteristic of
Which of the following is not a desirable control feature in a modem:
The DES is an example of a:
In preventing unauthorised access to a computer file from a remote terminal, which of the following controls can be used
A detective control designed to establish the validity and appropriateness of numeric data elements, and to guard against
An Information System Auditor observed that technical support personnel have unlimited access to all data and program
Identify the wrong statement with respect to structured programming concepts and program modularity.
The following message service provides the strongest protection about the occurrence of a specific action:
Which of the following applet intrusion issues poses the GREATEST risk of disruption to an organisation?
Which one of the following is NOT an essential component of a distributed computing environment?
The auditor plans to select a sample of transactions to assess the extent that purchase cash discounts may have been los
The DES is an example of a:
To ensure proper separation of duties, the function NOT to be performed by the Scheduling and Operations personnel is :
Which of the following would be of great concern to an auditor reviewing a policy about selling a company's used microco
One of the production supervisors who has got access to the corporate database sold sensitive product pricing informatio
Which one of the following statements is False?
Control over data preparation is important because:
Which of the following is not an advantage of distributed computing vis-à-vis centralised computing?
In determining good preventive and detective security measures practised by an employee, the IS auditor places the HIG
User interface prototyping may NOT focus on :
Which one would be a material irregularity?
PC-based analysis and design tools are used along with mainframe computer-based tools.
Internet was established NOT for
Control over data preparation is important for :
Which of the following utilities can be used to directly examine the ability of the program to maintain data integrity?
An access control review conducted by an IS auditor, highlighted the following control weaknesses in the system. Which o
Before disposing of the PC used for storing confidential data the most important precautionary measure to be taken is
Which among the following is NOT a serious problem in a ring topology based LAN?
Which one of the following errors will occur because of overflow conditions?
As compared with other Information Systems, Executive Information Systems does NOT have the characteristic of
Which of the following risks is not greater in an electronic funds transfer (EFT) environment than in a manual system usin
Which of the following would not normally be considered a typical file structure for a database management system:
Which of the following statements about national and international information systems standard is true?
The presence of a Quality Assurance (QA) function has an effect of the auditors function. Which of the following stateme
A major advantage of associating passwords with users in the access control mechanism, over associating the password
Software piracy is a common threat to an organization and so while choosing an application software package what shou
Select the BEST control to mitigate the risk of creation of duplicate user name and Password during sign on procedures, i
The best control to ensure that a customer uses a debit/credit card carefully is:
The following method of obtaining customer selected PINs does not require the cryptographic generation of a reference n
The MOST secured access control mechanism is

When users of an information system are dispersed over a wide area and are authorized to use dial-up lines for getting ac
Which of the following controls would address the concern that data uploaded from a microcomputer to the company's ma
Which of the following functions cannot be performed using a communications network control terminal:
An Information System Auditor observed that technical support personnel have unlimited access to all data and program f
The application run manual would normally comprise of :
A computerized system should contain an audit trail of information to facilitate detection of certain events. In an audit trail
In which phase of SDLC would you use software sneak circuit analysis?
An IS auditor came across an instance of a security administrator working occasionally as a senior computer operator. Th
In the case of Business Process re-engineering which of the following is NOT true ?
Internal controls are not designed to provide reasonable assurance that:
The difference between SCARF and Continuous and Intermittence Simulation (CIS) is :
Where access control mechanism is implemented in an open environment, the users are allowed to access a resource:
Incompatible functions may be performed by the same individual either in the Information System department or in the Us
Substantive Testing and Compliance Testing can be best differentiated as :
A control is NOT designed and implemented to:
One of the production supervisors who has got access to the corporate database sold sensitive product pricing informatio
The technique employed in packet switching mode of transmission is:
Most important risk to be addressed in an electronic data interchange (EDI) transaction is:
Identify the wrong statement with respect to structured programming concepts and program modularity.
Identify the non-cost factor while analysing feasible system alternatives for an organisation.
A company's management wants to implement a computerised system to facilitate communications among auditors, who
Hardware controls usually are those built into the equipment by the manufacturer. One such control, an echo check, is be
Which of the following decisions most likely cannot be made on the basis of performance monitoring statistics that are ca
The DES is an example of a:
In an online processing system, to reconstruct correctly the interrupted transactions on a failure, the system should have
Identify the document which is LEAST effective during the acceptance test of applications software.
Out of the following pairs of services, which provides an access control over a network of computers
The biggest benefit of prototyping is:
The class of control used to monitor inputs and operation is :
The complete information about all data in a database is found in :
The objective of compliance testing is to find :
There are various techniques for telecommunication controls. Confidentiality of data is BEST maintained by
The main objective of separation of duties is to ensure that:
Which one of the following is NOT an essential component of a distributed computing environment?
Which one of the following protocols is used by the Internet?
Which of the following usually is a purpose of a modem:
The test approach that includes ALL of the systems requirement, system design, and systems development documents i
In evaluating and reviewing the effectiveness of the management's communication of IS policies to concerned personnel
When the Auditor uses generalised audit software to access a data maintained by a database management system, whic
If fraud or errors are suspected in the population, the auditor would use:
Which among the following is NOT a serious problem in a ring topology based LAN?
Dual protection or mirroring of servers mitigates the exposures from
Which of the following activities would NOT be performed by control section personnel when they collect the output of a b
Incompatible functions may be performed by the same individual either in the Information System department or in the Us
The BEST and the most reliable form of evidence that an IS auditor would look for in audit of an IS environment is
While reviewing the outsourcing agreement with an external agency, the IS auditor would be LEAST interested in verifying
An IS Auditor, concerned that application controls are not adequate to prevent duplicate payment of invoices, decided to r
Access control list of a firewall can have the following parameters, on the basis of which it may filter access, EXCEPT one
The following is NOT a pre-requisite for installing a new anti-virus software
Maximum reliability is available in
Which one of the following errors will occur because of overflow conditions?
In an IS based on computerized environment, the audit trail is
As organisations move to implement EDI, more of them are turning to the use of value added networks (VANs). Which of
During a review of system access rules, an IS Auditor noted that the System Administrator has unlimited access to all dat
Retention date on magnetic tape files would:
Identify the cost that does NOT form part of software package installation or implementation cost?

When sending a signed message under a public key infrastructure, the message is encrypted using the:
Which one of the following local area network devices functions as a data regenerator?
Which one of the following pair of items is a primary cause of signal distortion in data communications?
Personal Computers and Notebook computers have both a floppy disk drive and a hard disk drive. The major difference b
The biggest benefit of prototyping is:
When a store uses a point of sale device to record the sale of an item, which of the following sequences of activities best
In a situation where a public key cryptosystem is in use, the message sent by the sender is signed by the:
Where access control mechanism is implemented in an open environment, the users are allowed to access a resource:
In monitoring and controlling a system development life cycle project what is NOT formal and documented?
Which of the following would not be appropriate to consider in the physical design of a data centre?
The technique employed in packet switching mode of transmission is:
Which of the following is likely to be a benefit of electronic data interchange (EDI)
Which of the following is not a function of operations management:
A decision table is used for testing the test data. The purpose of the results stub in the decision table:
Accuracy of data is important most likely to a
To ensure proper separation of duties, the function NOT to be performed by the Scheduling and Operations personnel is
Which of the following BEST describes a warm site?
Which of the following cryptographic algorithms does both encryption and digital signature?
Wiretapping CANNOT easily be done without detection in
Operations audit trail rather than the accounting audit trail is likely to show
Transaction logs generally consist of successful transactions. Rejected transactions are printed to a separate log. This se
Fuzzy logic is most effective when :
Which of the following factors would bring down the risks most in Joint Application Design (JAD) meetings?
The main focus of the graphical user interface (GUI) environments is:
The requirements specification phase needs a lot of operational viewpoint input in the early stage of a system developme
In the case of Business Process re-engineering which of the following is NOT true ?
In an audit of the outsourcing process, the IS auditor would LAST perform the task of:
Removing sequences of extraneous zeros or spaces in a file is an application of:
Which of the following is least likely to be a reason for making QA personnel responsible for identifying areas where quali
A major design consideration for local area networks that replaces stand alone computing in an organisation include:
An electronic device that combines data from several low speed communication lines into a single high-speed line is a :
Uninterrupted Power Supply (UPS) systems are used in computers to reduce the likelihood of :
When a store uses a point of sale device to record the sale of an item, which of the following sequences of activities best
The auditor plans to select a sample of transactions to assess the extent that purchase cash discounts may have been los
The software test objective of operating in different platforms is achieved by conducting:
Echo Check belongs to hardware controls, which usually are those built into the equipment. Echo Check is best described
Which one of the following will be included in the application software testing phase for effective controls?
In monitoring and controlling a system development life cycle project what is NOT formal and documented?
For effective implementation of a software quality program the MOST important prerequisite is:
In general, mainframe computer production programs and data are adequately protected against unauthorized access. C
Which one of the following is the most essential activity for effective computer capacity planning:
Which one of the following controls would protect the production libraries without compromising the efficiency of open acc
Which of the following decisions most likely cannot be made on the basis of performance monitoring statistics that are ca
Wiretapping CANNOT easily be done without detection in
A decision table is used for testing the test data. The purpose of the results stub in the decision table:
Concentration technique in a communication network DOES NOT
Which among the following is NOT a serious problem in a ring topology based LAN?
International Standards Organisation (ISO) has defined risk as the potential that a given threat will exploit vulnerability of a
The snapshot technique involves:
Substantive Testing and Compliance Testing can be best differentiated as :
Computer viruses could be detected by which one of the following actions?
The first step in the installation of an information security program is the
Which of the following cryptographic algorithms does both encryption and digital signature?
As against link encryption, end-to-end encryption cannot protect against
During the detailed design phase of SDLC, which one of the following tasks is performed?
Simple Software has just purchased a minicomputer. The make and model selected will allow the company to attach ad

Which of the following is not a function of the control section:


Which of the following decisions most likely could not be made on the basis of reports prepared from the maintenance log
The following statement applies to a capability based approach to authorisation?
An IS auditor performing a telecommunication access control review would focus the MOST attention on the:
Which of the following events is recorded on a public audit trail in a digital signature system?
Which of the following types of subversive attacks on a communication network is not an active attack:
The main objective of separation of duties is to ensure that:
An example for a concurrent audit tool whose complexity is low is :
In Information Technology projects, which of the following factors is most crucial?
Which one of the following network types will play an important role in implementing E-commerce?
After you enter a purchase order in an on-line system, you get the message, The request could not be processed due to la
A computerized system should contain an audit trail of information to facilitate detection of certain events. In an audit trail lo
Which one of the following is not part of a computer capacity management function?
The least commonly used medium for local area network (LAN) environment is:
Which of the following is not an important control step of the input/output control group?
Which of the following is likely to be a benefit of electronic data interchange (EDI)
Employees are compulsorily asked to proceed on a week long vacation in many organisations to
Introduction of computer-based information system has affected auditing. Which of the following is NOT an effect of IS on
Packet switching is an example of:
Transmission of electronic signals is not free of impairments. Which of the following statements is true?
The risk that the conclusion based on a sample might be different from the conclusion based on examination of the entire
The main difference between manual and computerized systems in so far as separation of duties is concerned is :
During the audit of automated Information systems, responsibility and reporting lines CANNOT be established since :
Improper segregation of duties amongst programmers and computer operators may lead to the threat of :
In general, mainframe computer production programs and data are adequately protected against unauthorized access. C
To disable easy detection of password, it should be arranged in the following convention as shown below:
Identify the cost that does NOT form part of software package installation or implementation cost?
The programmed check that ensures that required fields on a data entry screen are NOT left blank is
Which of the following is likely to be a benefit of electronic data interchange (EDI)
Which of the following features is least likely to be found in a real time application?
Network designers must be able to predict network performance if they are to optimise a network. The probability of a los
The following method of PIN validation seems to result in the fewest control problems?
Accounts Receivable Section personnel for a manufacturer frequently access computer data on customer and product sa
An Information System Auditor observed that technical support personnel have unlimited access to all data and program f
An on line bookseller decides to accept online payment from customers after implementing agreements with major credit c
Determining what components to include in the network configuration is called a:
The class of control used to overcome problems before they acquire gigantic proportions is :
The science of cryptography provides all of the following safeguards except
The following estimates the probability of a computer system being destroyed in a natural disaster and the corresponding
Which of the following is NOT a proper responsibility of functional users?
Identify the cost that does NOT form part of software package installation or implementation cost?
Which one of the following controls would protect the production libraries without compromising the efficiency of open acc
The least commonly used medium for local area network (LAN) environment is:
A brokerage firm is moving into new office premises already equipped with extensive telephone wiring. The firm is plannin
Which one of the following audit techniques would likely provide an Systems Auditor assurance about the effectiveness a
The main difference in terms of control between a manual system and a computer system is:
PC-based analysis and design tools are used along with mainframe computer-based tools.
Identify the test-case design techniques that is used in unit and integration testing of applications software.
Which of the following is not a substantive test:
Evaluation of which of the following functional areas CANNOT be carried out by risk assessment techniques?
The basic character / purpose of an audit charter is best described by which of the following?
Fuzzy logic is most effective when :
A less formal review technique is:
In which of the following phases of a system development life cycle are decision tables being used?
A lower cost software product metric that is used for data collection :
Prototyping approach to system design is resorted to when

Which of the following risks is not greater in an electronic funds transfer (EFT) environment than in a manual system usin
The least commonly used medium for local area network (LAN) environment is:
Use of a local area network has its own restrictions when compared to a wide area network. Which one of the following is
The following statement applies to a capability based approach to authorisation?
A detective control designed to establish the validity and appropriateness of numeric data elements, and to guard against
A major drawback of a remote dial up network communication system is
Which of the following physical access control devices would be most effective for a high security installation?
A PIN if stored for reference purposes, must be stored in:
The best control to ensure that a customer uses a debit/credit card carefully is:
Which of the following functions cannot be performed using a communications network control terminal:
Which of the following is NOT included in the digital certificate:
The manager of the information systems QA function should report to the:
When a store uses a point of sale device to record the sale of an item, which of the following sequences of activities best
Which of the following is NOT TRUE with regard to network reliability enhancement:
The presence of an arbitrator in a digital signature system will prevent:
Which one of the following is not an operating control:
Which of the following tests address the interaction and consistency issues of successfully tested parts of a system?
The estimate of time which has the MOST important relevance in evaluation of the activities in a Program Evaluation Rev
Segregation of duties is TRUE in which of the following cases ?
Which of the following activities should not be permitted when operators use a communications network control terminal:
Software metric that deals with measurement of lines of code is:
The snapshot technique involves:
Which of the following Technical specifications will NOT be included in a functional
The reason for the IS auditor NOT preparing a formal audit program is :
The definition of expected loss from a threat is:
The duty of the Quality Assurance Group is
When the account number is entered into an online banking system, the computer responds with a message that reads:
The control procedure of installing the anti-virus software in the system is called
Logging of authorised and unauthorised attempts to access the computer systems and Disconnection of a terminal after i
Which of the following is not part of an emergency plan?
Which of the following system life factors is most difficult to control by a user organization?
After the system is developed, the auditor's objective in conducting a general review is to
Identify the technique that mostly prevents a system failure from occurring or facilitates quick recovery from failures.
In segregation of duties, the organisation will be exposed to a very HIGH risk if the duties of
Which of the following terms is commonly used for the agreement about packaging and interpreting both data and contro
Which one of the following uses a modem technology as a common means of communicating between computers?
The manager of the information systems QA function should report to the:
The class of control used to monitor inputs and operation is :
The functions of operations management relating to the microcomputers in organisations where microcomputers are used
Which of the following usually is a purpose of a modem:
Which one of the following statements is FALSE?
The biggest benefit of prototyping is:
A PIN if stored for reference purposes, must be stored in:
Which one of the following criteria shall NOT be considered for choosing an appropriate Computer platform to suit a given
A majority of defects are attributed to a small number of causes. Which of the following basic tools would BETTER depict th
The test approach that includes ALL of the systems requirement, system design, and systems development documents is
Which of the following is addressed by software configuration management as part of Software quality assurance?
Which one of the following statements is False?
Which of the following decisions most likely could not be made on the basis of reports prepared from the maintenance log
The following is an advantage of using link encryption
Which among the following is NOT a serious problem in a ring topology based LAN?
Rollforward and rollback are two important techniques for backup. Which among the following should be logged for facilita
Which of the following activities is undertaken during data preparation:
Several risks are inherent in the evaluation of evidence that has been obtained through the use of statistical sampling. A b
If fraud or errors are suspected in the population, the auditor would use:
Which one would be a material irregularity?

The primary consideration for a System Auditor , regarding internal control policies, procedures, and standards available
To examine the existence of the entities described by the data, which of the functional capabilities in the generalised audit
The advantage tagging live transactions in an Integrated Test Facility (ITF) as against designing new test data is that:
The application run manual would normally comprise of :
To ensure proper separation of duties, the function NOT to be performed by the Scheduling and Operations personnel is
When the account number is entered into an online banking system, the computer responds with a message that reads:
To protect computer systems from short term power fluctuations, the best environmental control is
Which one of the following network configurations used by electronic data interchange (EDI) trading partners does not ha
Information system is broken into various subsystems. Which among the following is NOT a component of the managem
In an online processing system, to reconstruct correctly the interrupted transactions on a failure, the system should have
The IS Manager of a small company senses that unrestricted access to production library results in the risk of untested p
Access may be filtered by a firewall access control list based on each of the following EXCEPT:
In preventing unauthorised access to a computer file from a remote terminal, which of the following controls can be used w
Of the following, the most critical component in a LAN is likely to be the:
The best control to ensure that a customer uses a debit/credit card carefully is:
What is the major risk that is faced by a user organization during system integration projects?
What makes Rapid prototyping technique portable?
Which of the following decisions most likely CANNOT BE made on the basis of performance monitoring statistics that are
Which of the following software metrics would refer to function points?
Which one of the following is NOT true relating to the use of fiber optics:
Which one of the following network architectures is designed to provide data services using physical networks that are m
Which of the following is NOT a proper responsibility of functional users?
Prototyping approach to system design is resorted to when
The software test objective of operating in different platforms is achieved by conducting:
Which of the following is FALSE with regard to a public key cryptosystem?
Which of the following utilities can be used to directly examine the ability of the program to maintain data integrity?
The primary objective of security software is to:
Link encryption in communication of signals
As against link encryption, end-to-end encryption cannot protect against
Which of the following actions should be undertaken when plastic debit/credit cards are issued:
The quantification of the sample size depends on which of the following criteria.
The independence of an IS auditor who was involved in the development of an application system shall be impaired when
The duty of the Quality Assurance Group is
When the results of production data files processing with a generalized audit software do not agree with the total balance
In an IS environment, routing all links to external systems via a firewall, scanning all diskettes and CDs brought in from ou
The following resources are protected by Logical access controls
In determining good preventive and detective security measures practised by an employee, the IS auditor places the HIG
The MAIN purpose of having Compensating Controls are to
Which of the following areas would an IS auditor NOT do while conducting a review of an organisation's IS Strategies.
A ring network
The person responsible for providing access rights to each of the user and access profile for each data element stored in
A PIN if stored for reference purposes, must be stored in:
The internal auditor's first job while trying to identify the components of a telecommunication system posing the GREATES
To determine the authorized sign on in an EDI transaction, the EDI system uses the following method
Which of the following is a responsibility of computer operations department?
Which of the following is NOT included in the digital certificate:
Which of the following statement is true about a mandatory access control policy?
Which one of the following is ideally suited for multimedia applications?
Which of the following is NOT TRUE with regard to network reliability enhancement:
Which one of the following protocols is used by the Internet?
A software metric will NOT define which one of the following?
Which of the following is NOT True as a mode of network reliability enhancement:
Which of the following is not advantage of distributed computing vis-à-vis centralised computing?
Incompatible functions may be performed by the same individual either in the Information System department or in the Us
Active attack on communication network DOES NOT include
When the results of production data files processing with a generalized audit software do not agree with the total balance
Which of the following activities should not be permitted when operators use a communications network control terminal:
The most important factor while creating test data for checking a system, is :
A control is NOT designed and implemented to:
Testing of the accuracy of the interest collected on lending by a financial institution is a/an
During the review of logical access controls over a company's various application systems, an auditor found that access c
An interest calculation program of a Bank has several schemes and several interest rates. The MOST APPROPRIATE co
A compensating control for the weakness in access controls is the daily review of log files. The IS Auditor reviewing the ad
Wiretapping CANNOT easily be done without detection in
In Information Technology projects, which of the following factors is most crucial?
When a new system is envisaged to replace a legacy application system, the next step that requires a detailed analysis is
Prototyping approach to system design is resorted to when
In order to achieve the requirements of the user, the BEST option in acquiring an off-the-shelf applications software packa
Which of the following is likely to be a benefit of electronic data interchange (EDI)
Which of the following would not be considered a characteristic of a private key cryptosystem?
Which of the following is NOT True as a mode of network reliability enhancement:
Identify the cost that does NOT form part of software package installation or implementation cost?
Passwords belong to the following class of authentication information:
Prototyping approach to system design is resorted to when
The installation of a database management system (DBMS) does not have any direct impact on :
Which of the following is not a database model :
Which of the following techniques ensure an e-mail message's authenticity, confidentiality, integrity and non-repudiation?
The DES is an example of a:
The duty of the Quality Assurance Group is
Which of the following data base environment controls enforces access rules in addition to maintaining standardized defin
Computer viruses could be detected by which one of the following actions?
A modem is NOT intended to
Control over data preparation is important for :
Which of the following activities is undertaken during data preparation:
International Standards Organisation (ISO) has defined risk as the potential that a given threat will exploit vulnerability of a
Which among the following statements about information systems personnel is NOT true?
In general, mainframe computer production programs and data are adequately protected against unauthorized access. C
When the results of production data files processing with a generalized audit software do not agree with the total balance
In a data processing environment, where the data is centrally stored at a database and data entry is carried out from rem
Business continuity plan of an organisation should address early recovery of which of the following?
Rollback is easily accomplished with differential file backup technique for which of the following reasons?
Which of the following approach is ideal in order to test the electronic data interchange (EDI system for a value added ne
Which one of the following design approaches would address data sharing and system access problems in legacy applica
In determining good preventive and detective security measures practised by an employee, the IS auditor places the HIG
The Job responsibilities and rights of an application programmer does NOT include
Which of the following is not advantage of distributed computing vis-à-vis centralised computing?
Which of the following characteristics is not associated with a public key cryptosystem?
Which of the following decisions most likely could not be made on the basis of reports prepared from the maintenance log
For a high security installation the most effective physical access control devices is
The most appropriate audit strategy for a large organisation which relies on comprehensive user controls over the micro c
How the control in a loan processing edit program which ensures a logical relationship between the amount advanced, th
Mr. R. sends a signed message to Mr. S. If Public Key cryptosystem is used for sending the messages, then Mr. R. encry
The following is NOT a desirable property of a cipher system:
The principle of least privilege is an important concept in access controls of a network. Among the four enumerated here, w
The science of cryptography provides all of the following safeguards except
Which of the following software metrics would refer to function points?
Which one of the following local area network devices functions as a data regenerator?
There are various techniques for telecommunication controls. Confidentiality of data is BEST maintained by
Which of the following usually is a purpose of a modem:
Formal change control mechanism would start after which of the following in an overall system development project?
Which one of the following metrics deal with "number of entries/exits per module" ?
The longest phase in SDLC is :
The IS Control Group is NOT responsible for performing
Which of the following is not a function of operations management:
The FIRST and preliminary step in the process of information security program establishment is :
If fraud or errors are suspected in the population, the auditor would use:
Internet was established NOT for
The difference between SCARF and Continuous and Intermittence Simulation (CIS) is :
Evaluation of which of the following functional areas CANNOT be carried out by risk assessment techniques.
In an accounts payable system, clerks who enter invoices for payment also maintain the file containing valid vendor code
Which of the following data base environment controls enforces access rules in addition to maintaining standardized defin
The BEST method to verify the data values through the various stages of processing
The first step in the installation of an information security program is the
Which of the following cryptographic algorithm does both encryption and digital signature?
Conditioning of the transmission lines is LEAST effective against
Which among the following is NOT true of star topologies?
Link encryption in communication of signals
An IS auditor came across an instance of a security administrator working occasionally as a senior computer operator. Th
Which of the following terms is commonly used for the agreement about packaging and interpreting both data and contro
Which of the following is NOT True as a mode of network reliability enhancement:
A major drawback of a remote dial up network communication system is
The main focus of the graphical user interface (GUI) environments is:
The manager of the information systems QA function should report to the:
When a store uses a point of sale device to record the sale of an item, which of the following sequences of activities best
Which of the following is not a function of operations management:
Which of the following techniques ensure an e-mail message's authenticity, confidentiality, integrity and non-repudiation?
Machine maintenance engineers pose some difficult control problems because:
In order to achieve more perfection of an already working software system, what method will be adopted?
Which one of the following is not an essential component of a distributed computing environment?
The objective of using System Control Audit Review File (SCARF) within the application is for collecting following informat
In a data processing environment, where the data is centrally stored at a database and data entry is carried out from rem
Transaction logs generally consist of successful transactions. Rejected transactions are printed to a separate log. This se
Compliance auditing is used to do?
The definition of expected loss from a threat is:
The Duties of a Database administrator does NOT comprise of :
The primary objective of security software is to:
Exposure that could have been caused by the line - grabbing technique is
The logical access exposure involving data changing before and/or while being entered into the computer is called
Which of the following encryption algorithms or schemes is MOST difficult to break?
Rollforward and rollback are two important techniques for backup. Which among the following should be logged for facilita
Logging of transaction is an important means of backup. Which purpose among the following is not served by logging the
Rollback is an effective means of recovering data. In which of the following situations after an error has occurred but man
Which one of the following graphical user interface (GUI) development approaches would create more user-friendly intera
Which of the following is the most difficult to manage in a SDLC project?
A lower cost software product metric that is used for data collection :
After the system is developed, the auditor's objective in conducting a general review is to
For consideration of outsourcing of computer operations which is the factor that would LEAST indicate the same.
Packet switching is an example of:
Control over data preparation is important because:
The least commonly used medium for local area network (LAN) environment is:
Output control is best described by which of the following ?
In preventing unauthorised access to a computer file from a remote terminal, which of the following controls can be used
Networks are growing day-by-day. Which one of the following component of such growth is most difficult to predict?
Which of the following is a common security practice in a LAN.
Which of the following is not a function of operations management:
Formal change control mechanism would start after which of the following in an overall system development project?
Which of the following tests would be used to ensure whether a software product fails or not?
The estimate of time which has the MOST important relevance in evaluation of the activities in a Program Evaluation Revi
The application run manual would normally comprise of :
A competitor would gain by accessing sensitive operating information stored on computer files. Which of the following con
Which one of the following statements is False?
Which one of the following is not part of a computer capacity management function?
Which of the following best describes feature of statistical sampling?
Logging of transaction is an important means of backup. Which purpose among the following is not served by logging the
Rollback is easily accomplished with differential file backup technique for which of the following reasons?
In selecting the applications to be audited, which criteria is LEAST likely to be used:
The activity of detective control in detecting virus relates to
The IS security policy of a company usually incorporates all of the following features EXCEPT
Which of the following is NOT true about Pretty good privacy (PGP) and privacy enhanced mail (PEM)?
A modem is NOT intended to
OSI model of ISO presents a model of seven layers through which data communication across computers passes. Encry
Information system is broken into various subsystems. Which among the following is NOT a component of the managem
A ring network
A company's management wants to implement a computerised system to facilitate communications among auditors, who
Which of the following functions cannot be performed using a communications network control terminal:
Which of the following decisions most likely could not be made on the basis of reports prepared from the maintenance log
Which one of the following is not an essential component of a distributed computing environment?
The DES is an example of a:
The primary advantage of the list-oriented approach to authorisation is:
To determine the authorized sign on in an EDI transaction, the EDI system uses the following method
The control to provide security against accidental destruction of records and to ensure continuous operations is called
An upper CASE tool is used in :
In the system development life cycle approach, which of the following is MOST likely to be constant?
Machine maintenance engineers pose some difficult control problems because:
The complete information about all data in a database is found in :
The information technology pilot projects envisages which of the following concepts?
When sending a signed message under a public key infrastructure, the message is encrypted using the:
Which one of the following is not an operating control:
Which one of the following protocols is used by the Internet?
The class of control used to overcome problems before they acquire gigantic proportions is :
When constructing the communications infrastructure for moving data over a local area network, the major implementatio
Which of the following best describes feature of statistical sampling?
Which of the following utilities can be used to directly examine the ability of the program to maintain data integrity?
Concentration technique in a communication network DOES NOT
For an effective implementation of a continuous monitoring system, which of the following is identified as the FIRST and F
The quantification of the sample size depends on which of the following criteria.
The reason for the IS auditor NOT preparing a formal audit program is :
The definition of expected loss from a threat is:
Control of employee activities in a computerized environment is, vis-à-vis manual systems,
While reviewing the telecommunication access control, the primary concern of the IS Auditor will be on the
The control procedure of installing the anti-virus software in the system is called
Which of the following should be verified by an IS auditor reviewing a Business Continuity Plan?
Which of the following cryptographic algorithm does both encryption and digital signature?
Which of the following is an advantage of the use of hot sites as a backup alternative?
The most important factor while creating test data for checking a system, is :
A document-driven approach is used in :
An advantage of outsourcing data processing activities in a company is obtained by:
Which of the following statements is (are) correct regarding the Internet as a commercially viable network
Which of the following features is least likely to be found in a real time application?
In today's business environment one can hardly find a company without a computer. But an IPF (Information processing f
Which of the following physical access control devices would be most effective for a high security installation?
Most computer systems have hardware controls that are built in by the computer manufacturer. Typical hardware controls
The class of control used to minimise the impact of a threat is :
The most appropriate concurrent audit tool whose complexity is very high and useful when regular processing cannot be i
The technical support personnel should have unlimited access to all data and program files to do their job. Which of the fo
With respect to AI, a heuristic refers to :
Personal Computers and Notebook computers have both a floppy disk drive and a hard disk drive. The major difference b
In order to achieve more perfection of an already working software system, what method will be adopted?
Which one of the following is not an essential component of a distributed computing environment?
Which of the following is not an important control step of the input/output control group?
Employees are compulsorily asked to proceed on a week long vacation in many organisations to
Which of the following utilities can be used to directly examine the quality of data in the database:
The objective of using System Control Audit Review File (SCARF) within the application is for collecting following informa
Transmission of electronic signals is not free of impairments. Which of the following statements is true?
A reasonably controlled practice in the distributed executable programs that execute in background of a web browser clie
The unauthorised use of data files can be best prevented by using
IS security policy of an organisation will not contain details about the following:
Which of the following should be verified by an IS auditor reviewing a Business Continuity Plan?
Which of the following is NOT true about Pretty good privacy (PGP) and privacy enhanced mail (PEM)?
Which of the following statements about encryption is NOT correct?
Conditioning of the transmission lines is LEAST effective against
Dual protection or mirroring of servers mitigates the exposures from
Which one of the following reasons is the most important to retain a legacy application system?
What is the most important factor to be considered when comparing system alternatives before making the final selection
Which phase of SDLC uses Data Flow Diagram?
In the case of Business Process re-engineering which of the following is NOT true ?
Simple Software has just purchased a minicomputer. The make and module selected will allow the company to attach ad
Control over data preparation is important because:
While reviewing an organisation that has a mainframe and a client/server environment where all production data reside, t
The Digital Signature system uses the services of an Arbitrator to prevent
Which of the following terms best describes the purpose of control practice over the input
Software piracy is a common threat to an organization and so while choosing an application software package what shou
Which one of the following is NOT an essential component of a distributed computing environment?
Which one of the following protocols is used by the Internet?
One main reason for using Redundant Array of Inexpensive Disks (RAID) is :
Identify the document which is LEAST effective during the acceptance test of applications software.
The biggest benefit of prototyping is:
An apparent error in input data describing an inventory item was detected and the issue was referred back to the originatin
One of the production supervisors who has got access to the corporate database sold sensitive product pricing informatio
Analyzing data protection requirements for installing a local area network (LAN) does not include:
Which of the following characteristics is not associated with a public key cryptosystem?
The advantage of tagging live transactions in an Integrated Test Facility (ITF) as against designing new test data is that:
An IS Auditor, concerned that application controls are not adequate to prevent duplicate payment of invoices, decided to r
In residual dumping technique for backup, the records that are backed up are those that have not undergone any change
Which of the following computer technologies is a major shift in the development and maintenance of application systems
Which one of the following is not a substantive test?
The independence of an IS auditor who was involved in the development of an application system shall be impaired when
The auditor of an IS can exercise control over
In an IS environment, routing all links to external systems via a firewall, scanning all diskettes and CDs brought in from ou
Password control procedures incorporate all the following features EXCEPT
Reciprocal Agreements are normally entered between two or more organisations:
Active attack on communication network DOES NOT include
Which of the following is an upper CASE tool?
Which of the following features is least likely to be found in a real time application?
Which of the following is not a function of the control section:
Which one of the following is the most essential activity for effective computer capacity planning:
Which of the following is least likely to be a reason for making QA personnel responsible for identifying areas where quali
The control to provide security against accidental destruction of records and to ensure continuous operations is called
Retention date on magnetic tape files would:
Duplication of submitting corrections to errors could be prevented by:
An online banking system permitted withdrawals from inactive customer accounts. Which of the following controls would p
Identify the technique that mostly prevents a system failure from occurring or facilitates quick recovery from failures.
In the system development life cycle approach, which of the following is MOST likely to be constant?
Networks are growing day-by-day. Which one of the following component of such growth is most difficult to predict?
The complete information about all data in a database is found in :
Which of the following functions cannot be performed using a communications network control terminal:
Which of the following is FALSE with regard to a symmetric key cryptosystem?
Which of the following statement is true about a mandatory access control policy?
Which of the following types of subversive attacks on a communication network is not an active attack:
You as an IS Auditor observed that technical support personnel have unlimited access to all data and program files in the
The objective of compliance testing is to find :
Identify the cost that does NOT form part of software package installation or implementation cost?
Echo Check belongs to hardware controls, which usually are those built into the equipment. Echo Check is best described
Networks are growing day-by-day. Which one of the following component of such growth is most difficult to predict?
Which of the following is not advantage of distributed computing vis-à-vis centralised computing?
System Auditor primarily uses, the information provided by a detailed, understanding of the Information system controls a
Which of the following utilities can be used to directly examine the quality of data in the database:
When an accounting application is processed by computer, an auditor cannot verify the reliable operation of programmed
The BEST and the most reliable form of evidence that an IS auditor would look for in audit of an IS environment is
Which of the below is a TRUE statement concerning Test Data Techniques.
Accuracy of data is important most likely to a
The BEST method to verify the data values through the various stages of processing
Which of the following is the LEAST important in the case of backup and recovery plan?
As against link encryption, end-to-end encryption cannot protect against
Operations audit trail rather than the accounting audit trail is likely to show
All of the following should be in place prior to programming except:
What makes Rapid prototyping technique portable?
Customer details like address changes etc are being used in too many mainframe application systems calling for a great
During the detailed design phase of SDLC, which one of the following tasks performed?
Which of the following areas would an IS auditor NOT do while conducting a review of an organisation's IS Strategies.
When a compliance failure occurs, QA personnel should:
There are various techniques for telecommunication controls. Confidentiality of data is BEST maintained by
Whenever there is a modification made to an existing software, which of the following testing approaches should be used?
Which of the following is NOT a proper responsibility of functional users.
Which one of the following pairs ,when performed simultaneously, would pose a major Risk?
Availability of computer time is taken care of in which part of the Project Planning and scheduling ?
Which of the following decisions most likely CANNOT BE made on the basis of performance monitoring statistics that are
An apparent error in input data describing an inventory item was detected and the issue was referred back to the originatin
A PIN if stored for reference purposes, must be stored in:
The internal auditor's first job while trying to identify the components of a telecommunication system posing the GREATES
A company has policy to purchase microcomputer software only from recognized vendors and prohibit employees from in
Wiretapping CANNOT easily be done without detection in
In the case of Business Process re-engineering which of the following is NOT true ?
When using message switching in a communication network, the following is not a desirable control?
Which one of the following is not a substantive test?
An auditor performing a statistical sampling of the financial transactions in a financial MIS would BEST use :
Introduction of computer-based information system has affected auditing. Which of the following is NOT an effect of IS on
To properly control access to accounting data held in a Database Management System, the database administrator shou
Exposure that could have been caused by the line - grabbing technique is
IS security policy of an organisation will not contain details about the following:
Password control procedures incorporate all the following features EXCEPT
The technique employed in packet switching mode of transmission is:
Prototyping approach does not assume the existence of
A document-driven approach is used in :
The requirements specification phase needs a lot of operational viewpoint input in the early stage of a system developme
In determining good preventive and detective security measures practised by an employee, the IS auditor places the HIG
As compared with other Information Systems, Executive Information Systems does NOT have the characteristic of
A company uses a wide area network (WAN) to allow salesmen in the field to remotely log onto the office server using
Which of the following risks is not greater in an electronic funds transfer (EFT) environment than in a manual system usin
Which one of the following is the most essential activity for effective computer capacity planning:
Accounts Receivable Section personnel for a manufacturer frequently access computer data on customer and product sa
A PIN if stored for reference purposes, must be stored in:
The installation of a database management system (DBMS) does not have any direct impact on :
The presence of an arbitrator in a digital signature system will prevent:
Which one of the following is ideally suited for multimedia applications?
One main reason for using Redundant Array of Inexpensive Disks (RAID) is :
An example for a concurrent audit tool whose complexity is low is :
Echo Check belongs to hardware controls, which usually are those built into the equipment. Echo Check is best described
Passwords belong to the following class of authentication information:
While reviewing the outsourcing agreement with an external agency, the IS auditor would be LEAST interested in verifying
Which of the following is NOT True as a mode of network reliability enhancement:
Which of the following terms is commonly used for the agreement about packaging and interpreting both data and contro
End-to-end encryption provides only limited protection against a subversive attack that uses:
A decision table is used for testing the test data. The purpose of the results stub in the decision table:
Dual protection or mirroring of servers mitigates the exposures from
A company has entered into a contract with a service provider to outsource network and desktop support, and the relation
Which phase of SDLC uses 'Program slicing' technique?
Which of the following activities is undertaken during data preparation:
Testing of the accuracy of the interest collected on lending by a financial institution is a/an
Before disposing off the PC used for storing confidential data the most important precautionary measure to be taken is
Which of the following systems are MOST important for business resumption following a disaster?
Which one of the following network configurations used by electronic data interchange (EDI) trading partners does not ha
Active attack on communication network DOES NOT include
In residual dumping technique for backup, the records that are backed up are those that have not undergone any change
The residual dump technique in backup has the disadvantage of
Which one of the following errors cannot be detected during an inspection activity?
In determining good preventive and detective security measures practised by an employee, the IS auditor places the HIG
As compared with other Information Systems, Executive Information Systems does NOT have the characteristic of
An advantage of outsourcing data processing activities in a company is obtained by:
Which of the following activities needs to be undertaken first to identify those components of a telecommunications syste
Which of the following statements about personnel training in QA standards and procedures is false?
A major design consideration for local area networks that replaces stand alone computing in an organisation include:
Most computer systems have hardware controls that are built in by the computer manufacturer. Typical hardware controls
The following statement about controls over computer operators is true:
The manager of the information systems QA function should report to the:
The primary advantage of a derived Personal Identification Number (PIN) is that :
Which of the following is FALSE with regard to a public key cryptosystem?
Which of the following statement is true about a mandatory access control policy?
Which of the following steps provide the highest assurance in achieving confidentiality, message integrity and non-repudia
One main reason for using Redundant Array of Inexpensive Disks (RAID) is :
Which of the following functions SHOULD NOT BE combined with Control Group.
The following is NOT a desirable property of a cipher system:
Where access control mechanism is implemented in an open environment, the users are allowed to access a resource:
When the account number is entered into an online banking system, the computer responds with a message that reads:
Accounts Receivable Section personnel for a manufacturer frequently access computer data on customer and product sa
Which of the following statements is (are) correct regarding the Internet as a commercially viable network
The following is an advantage of using link encryption
Which of the following activities should not be permitted when operators use a communications network control terminal:
The snapshot technique involves:
Improper segregation of duties amongst programmers and computer operators may lead to the threat of :
To protect computer systems from short term power fluctuations, the best environmental control is
The control procedure of installing the anti-virus software in the system is called -
Which of the following electronic commerce systems handle non-monetary documents?
A modem is NOT intended to
Modems do enhance the quality of transmission. Which among the following is NOT a control feature that enhances the q
Rollback is an effective means of recovering data. In which of the following situations after an error has occurred but man
Identify the cost that does NOT form part of software package installation or implementation cost?
Which of the following characteristics is not associated with a public key cryptosystem?
The DES is an example of a:
Access to an online system running an application program, requires users to validate themselves with a user ID and pas
An online banking system permitted withdrawals from inactive customer accounts. Which of the following controls would p
An on line bookseller decides to accept online payment from customers after implementing agreements with major credit
Identify the non-cost factor while analysing feasible system alternatives for an organisation.
Identify the wrong statement with respect to structured programming concepts and program modularity.
The major risk in prototyping model is :
The class of control used to monitor inputs and operation is :
Echo Check belongs to hardware controls, which usually are those built into the equipment. Echo Check is best described
The majority of defects are attributed to a few number of causes. Which of the following basic tools would BETTER depict thi
To which one of the following issues that an information systems (IS) auditor participating in a system development life cyc
Which of the following is addressed by software configuration management as part of software quality assurance?
The System Development Tool which gives the BEST results in an application maintenance function is:
The Duties of a Computer operations does NOT comprise of :
Notebook computers are portable and used to access the company's database while the executives are on travel. Which
A competitor would gain by accessing sensitive operating information stored on computer files. Which of the following con
Which of the following decisions most likely cannot be made on the basis of performance monitoring statistics that are ca
Which of the following characteristics is not associated with a public key cryptosystem?
End-to-end encryption provides only limited protection against a subversive attack that uses:
Which of the following activities should not be permitted when operators use a communications network control terminal:
The work schedule of a clerk in a Control Group is of
The control procedure of installing the anti-virus software in the system is called
In the case of message encryption, which of the following is more secure?
Which one of the following design approaches would address data sharing and system access problems in legacy applica
In the development life cycle model, the place to start software quality process is:
Which of the following is deemed as good system design practice?
The requirements specification phase needs a lot of operational viewpoint input in the early stage of a system developme
Which one of the following statements concerning microcomputer systems NOT true?
Analyzing data protection requirements for installing a local area network (LAN) does not include:
Which of the following statements about personnel training in QA standards and procedures is false?
In preventing unauthorised access to a computer file from a remote terminal, which of the following controls can be used
The test of access control, over a distributed database, can be carried out by
The IS Manager of a small company senses that unrestricted access to production library results in the risk of untested p
In Information Technology projects, which of the following factors is most crucial?
The best control to ensure that a customer uses a debit/credit card carefully is:
Uninterrupted Power Supply (UPS) systems are used in computers to reduce the likelihood of :
Which one of the following network architectures is designed to provide data services using physical networks that are mo
The auditor plans to select a sample of transactions to assess the extent that purchase cash discounts may have been los
The class of control used to minimise the impact of a threat is :
Echo Check belongs to hardware controls, which usually are those built into the equipment. Echo Check is best described a
The following is NOT a desirable property of a cipher system:
Which one of the following testing order is correct?
The technique employed in packet switching mode of transmission is:
A company's management wants to implement a computerised system to facilitate communications among auditors, who
Which one of the following audit techniques would likely provide an Systems Auditor assurance about the effectiveness a
A modem is NOT intended to
The BEST and reliable form of evidence that assists the IS auditor to develop audit conclusions is :
Computer viruses could be detected by which one of the following actions?
The main activity of the input/output control function is
In residual dumping technique for backup, the records that are backed up are those that have not undergone any change
Which one of the following methodologies require efficient system requirements analysis?
Which of the following is the most difficult to manage in a SDLC project?
A less formal review technique is:
Which of the following computer technologies is a major shift in the development and maintenance of application systems
A brokerage firm is moving into new office premises already equipped with extensive telephone wiring. The firm is plannin
All computers have a central processing unit (CPU) that works in conjunction with peripheral devices. The function of the
Which one of the following is the most essential activity for effective computer capacity planning:
Which one of the following uses a modem technology as a common means of communicating between computers?
The manager of the information systems QA function should report to the:
Which of the following statements about personnel training in QA standards and procedures is false?
A remote dial up order entry system using portable computers for salesmen to place orders should have the following con
Access to an online system running an application program, requires users to validate themselves with a user ID and pas
Information system crimes and abuses in comparison to those of the general category are likely to be
Ability to operate on multiple computer types from different vendors is envisaged by
In data processing, which of the following causes the maximum losses
Network performance monitoring tools will MOST affect which of the following?
The installation of a database management system (DBMS) does not have any direct impact on :
Which of the following statement is FALSE for Equipment mean-time-between-failure (MTBF)?
Which of the following represents a typical prototype of an interactive application?
In order to achieve the requirements of the user, the BEST option in acquiring an off-the-shelf applications software packa
An electronic device that combines data from several low speed communication lines into a single high-speed line is a :
Echo Check belongs to hardware controls, which usually are those built into the equipment. Echo Check is best described
When a store uses a point of sale device to record the sale of an item, which of the following sequences of activities best
An apparent error in input data describing an inventory item was detected and the issue was referred back to the originati
Which one of the following local area network devices functions as a data regenerator?
Formal change control mechanism would start after which of the following in an overall system development project?
Which of the following tests address the interaction and consistency issues of successfully tested parts of a system?
Which of the following activities would not be performed by control section personnel when they collect the output of a ba
End-to-end encryption provides only limited protection against a subversive attack that uses:
The main difference between manual and computerized systems in so far as separation of duties is concerned is :
The Duties of a Computer operations does NOT comprise of :
In a central computer system users specify where their output is printed, but some users give the wrong destination code
The best way to delete a highly confidential file from a microcomputer would be by using which of the following:
Which of the following is TRUE about Electronic Data Interchange (EDI) application system?
Most important risk to be addressed in an electronic data interchange (EDI) transaction is:
Which one of the following methodologies require efficient system requirements analysis?
With respect to expert systems, a heuristic is not a:
In an IS based on computerized environment, the audit trail is
Which of the following statements regarding security concerns for lap top computers is NOT false?
A computer can call into primary storage only that portion of a program and data needed immediately while storing the rem
Which of the following is most unlikely to be a reason for having QA personnel responsible for formulating, promulgating,
Mr. R. sends a signed message to Mr. S. If Public Key cryptosystem is used for sending the messages, then Mr. R. encry
Overall responsibility to protect and control the database and monitor and improve the efficiency of the database are the
Most computer systems have hardware controls that are built in by the computer manufacturer. Typical hardware controls
The requirements specification phase needs a lot of operational viewpoint input in the early stage of a system developmen
To effectively prevent intrusion, usually the following controls are established. Of this, which control BEST detects intrusion
What would you use to enforce integration rules so as to integrate one component with another?
Which of the following instruments is used to measure atmospheric humidity in Data Centres?
Which of the following is not true in respect of Expert systems?
Which of the following would not be appropriate to consider in the physical design of a data centre?
Which one of the following pair of items is a primary cause of signal distortion in data communications?
What makes Rapid prototyping technique portable?
Which of the following is NOT TRUE with regard to network reliability enhancement:
In a central computer system users specify where their output is printed, but some users give the wrong destination code
An IS auditor came across an instance of a security administrator working occasionally as a senior computer operator. Th
Which of the following statistical selection technique is least desirable for use by the IS auditor.
Which of the following data base environment controls enforces access rules in addition to maintaining standardized defin
In a data processing environment, where the data is centrally stored at a database and data entry is carried out from rem
Which of the following statistical selection technique is least desirable for use by the IS auditor.
Each of the following is a general control concern EXCEPT:
A procedure to have an overall environmental review which is NOT performed by an IS auditor during pre audit planning i
Before disposing off the PC used for storing confidential data the most important precautionary measure to be taken is
The unauthorised use of data files can be best prevented by using
An IS auditor reviewing an organisation's Business Continuity Plan discovered that the plan provides for an alternate site
Modems do enhance the quality of transmission. Which among the following is NOT a control feature that enhances the q
Which phase of SDLC uses "Program slicing" technique?
For consideration of outsourcing of computer operations which is the factor that would LEAST indicate the same.
Which one of the following is NOT true relating to the use of fiber optics:
An electronic device that combines data from several low speed communication lines into a single high-speed line is a :
The following statement is true about a mandatory access control policy?
The most appropriate audit strategy for a large organisation which relies on comprehensive user controls over the micro c
Which of the following physical access control devices would be most effective for a high security installation?
Confidentiality of sensitive data transmitted over public communication lines could best be protected by
A major design consideration for local area networks that replaces stand alone computing in an organisation include:
The following statement about controls over computer operators is true:
Which of the following applet intrusion issues poses the GREATEST risk of disruption to an organisation?
Which of the following functions SHOULD NOT BE combined with Systems Analyst
Which of the following instruments is used to measure atmospheric humidity in Data Centres?
Which of the following is NOT TRUE with regard to network reliability enhancement:
In order to achieve the requirements of the user, the BEST option in acquiring an off-the-shelf applications software packa
In a situation where a public key cryptosystem is in use, the message sent by the sender is signed by the:
The application run manual would normally comprise of :
Analyzing data protection requirements for installing a local area network (LAN) does not include:
Which one of the following audit techniques would likely provide an Systems Auditor assurance about the effectiveness a
Which of the following best describes feature of statistical sampling?
Which of the following conditions lead to increase in white noise:
In SDLC, in which phase would you perform Boundary value analysis?
Which one would be a material irregularity?
The reason for the IS auditor NOT preparing a formal audit program is :
When the account number is entered into an online banking system, the computer responds with a message that reads:
Which of the following would be of great concern to an auditor reviewing a policy about selling a company's used microco
The best way to delete a highly confidential file from a microcomputer would be by using which of the following:
One of the advantages of using naming convention for access control is that
Rollback is easily accomplished with differential file backup technique for which of the following reasons?
What is the most important factor to be considered when comparing system alternatives before making the final selection
A less formal review technique is:
Which of the following risks is not greater in an electronic funds transfer (EFT) environment than in a manual system usin
Which one of the following is not an essential component of a distributed computing environment?
A public key cryptosystem uses:
To effectively implement the principle of least privilege, it is necessary to have:
A major drawback of a remote dial up network communication system is
Retention date on magnetic tape files would:
Information system crimes and abuses in comparison to those of the general category are likely to be
An on line bookseller decides to accept online payment from customers after implementing agreements with major credit
In which phase Rapid prototyping is used in Waterfall life cycle development model?
Networks are growing day-by-day. Which one of the following component of such growth is most difficult to predict?
The class of control used to overcome problems before they acquire gigantic proportions is :
The complete information about all data in a database is found in :
The initial validation control for a credit card transaction capture application would MOST like be to:
The internal auditor's first job while trying to identify the components of a telecommunication system posing the GREATES
When a store uses a point of sale device to record the sale of an item, which of the following sequences of activities best
Which of the following is a responsibility of computer operations department?
The objective of compliance testing is to find :
The DES is an example of a:
For effective implementation of a software quality program the MOST important prerequisite is:
Ring topologies have an edge over bus topologies. Which of the following statements is FALSE?
Improper segregation of duties amongst programmers and computer operators may lead to the threat of :
Which of the following systems are MOST important for business resumption following a disaster?
Which of the following is not part of an emergency plan?
Which among the following is NOT true of star topologies?
Logging of transaction is an important means of backup. Which purpose among the following is not served by logging the
Which of the following approach is ideal in order to test the electronic data interchange (EDI system for a value added ne
Which one of the following graphical user interface (GUI) development approaches would create more user-friendly intera
In which phase of SDLC Desk Checking is practiced?
An IS auditor came across an instance of a security administrator working occasionally as a senior computer operator. Th
Computer manufacturers generally install software programs permanently inside the computers as part of its main memo
Which of the following would not normally be considered a typical file structure for a database management system:
In today's business environment one can hardly find a company without a computer. But an IPF (Information processing f
A computer can call into primary storage only that portion of a program and data needed immediately while storing the rem
The major reason why quality metrics need to be chosen for a specific information systems project is:
Duplication of submitting corrections to errors could be prevented by:
Errors in an information system based on computers are less tolerable than in a manual system primarily because:
Because of the sensitivity of its data, a database system for business forecasting was implemented with access control a
Determining what components to include in the network configuration is called a:
The following message service provides the strongest protection about the occurrence of a specific action:
The presence of an arbitrator in a digital signature system will prevent:
Which of the following is not a major benefit of applications software prototyping ?
Which of the following is NOT an advantage of continuous auditing approach ?
Which of the following software metrics would refer to function points?
When a new system is envisaged to replace a legacy application system, the next step that requires a detailed analysis is
The following is NOT a desirable property of a cipher system:
The internal auditor's first job while trying to identify the components of a telecommunication system posing the GREATES
Confidentiality of sensitive data transmitted over public communication lines could best be protected by
Employees are compulsorily asked to proceed on a week long vacation in many organisations to
The snapshot technique involves:
Which of the following is not a substantive test:
Internet was established NOT for
In selecting the applications to be audited, which criteria is LEAST likely to be used:
Which of the following would be of great concern to an auditor reviewing a policy about selling a company's used microco
The following measures will protect the computer systems from virus attack EXCEPT:
Which one of the following network configurations used by electronic data interchange (EDI) trading partners does not ha
Maximum reliability is available in
Which of the following network risk apply to EDI transactions irrespective of the type of network involved?
What is the most important factor to be considered when comparing system alternatives before making the final selection
Which of the following is a dynamic analysis to detect software errors?
"Availability of computer time" is taken care of in which part of the Project Planning and scheduling ?
Which of the following is NOT true about a database management system application environment?
Which of the following statements regarding security concerns for lap top computers is NOT false?
The installation of a database management system (DBMS) does not have any direct impact on :
Simple Software has just purchased a minicomputer. The make and module selected will allow the company to attach ad
When a compliance failure occurs, QA personnel should:
Which of the following is least likely to be a reason for making QA personnel responsible for identifying areas where quali
Mr. R. sends a signed message to Mr. S. If Public Key cryptosystem is used for sending the messages, then Mr. R. encry
Select the BEST control to mitigate the risk of creation of duplicate user name and Password during sign on procedures,
Which of the following functions SHOULD NOT BE combined with Control Group.
Which of the following would not be appropriate to consider in the physical design of a data centre?
You as an IS Auditor observed that technical support personnel have unlimited access to all data and program files in the
Echo Check belongs to hardware controls, which usually are those built into the equipment. Echo Check is best described
There are various techniques for telecommunication controls. Confidentiality of data is BEST maintained by
A major design consideration for local area networks that replaces stand alone computing in an organisation include:
Which one of the following metrics deal with "number of entries/exits per module" ?
Conditioning of the transmission lines is LEAST effective against
Where would you handle finite state machines in SDLC?
A ring network
Computer viruses could be detected by which one of the following actions?
Which of the following Technical specifications will NOT be included in a functional
Which of the following activities should not be permitted when operators use a communications network control terminal:
Which of the following activities would NOT be performed by control section personnel when they collect the output of a b
The best way to delete a highly confidential file from a microcomputer would be by using which of the following:
When the results of production data files processing with a generalized audit software do not agree with the total balance
Wiretapping CANNOT easily be done without detection in
Operations audit trail rather than the accounting audit trail is likely to show
Which of the following threats, vulnerabilities, or risks do not arise in an in-house system development project?
Identify the item that is not a part of performance guarantees in software contract negotiations.
Identify the document which is LEAST effective during the acceptance test of applications software.
Customer details like address changes etc are being used in too many mainframe application systems calling for a great
Which of the following statements is (are) correct regarding the Internet as a commercially viable network
Which of the following statements about computer is correct?
Which of the following decisions most likely cannot be made on the basis of performance monitoring statistics that are ca
The presence of a Quality Assurance (QA) function has an effect of the auditors function. Which of the following stateme
To which of the following resource type are the most complex action privileges assigned?
To effectively implement the principle of least privilege, it is necessary to have:
Duplication of submitting corrections to errors could be prevented by:
Of the following, the most critical component in a LAN is likely to be the:
The class of control used to overcome problems before they acquire gigantic proportions is :
The main objective of separation of duties is to ensure that:
The presence of an arbitrator in a digital signature system will prevent:
What makes Rapid prototyping technique portable?
Which of the following is FALSE with regard to a symmetric key cryptosystem?
Which one of the following is NOT an essential component of a distributed computing environment?
Which one of the following statements is FALSE?
The main objective of separation of duties is to ensure that:
When a store uses a point of sale device to record the sale of an item, which of the following sequences of activities best
The DES is an example of a:
Which would ensure that IS organizations do not take more resources for less output?
Analyzing data protection requirements for installing a local area network (LAN) does not include:
Which of the following is not a function of operations management:
Incompatible functions may be performed by the same individual either in the Information System department or in the Us
MAC or message authentication code prevents
An insurance company is planning to implement new standard software in all its local offices. The new software has a fas
Which phase of SDLC uses 'Program slicing' technique?
Which among the following components is of PRIMARY concern for evolving a recovery plan after a communication failur
Which of the following actions should be undertaken when plastic debit/credit cards are issued:
Each of the following is a general control concern EXCEPT:
The main difference between manual and computerized systems in so far as separation of duties is concerned is :
The duties of a Data Security Officer does NOT comprise of :
Which of the following is not true in respect of Expert systems?
Identify the cost that does NOT form part of software package installation or implementation cost?
The requirements specification phase needs a lot of operational viewpoint input in the early stage of a system developme
When a compliance failure occurs, QA personnel should:
The following is not a desirable property of a cipher system:
The primary advantage of the list-oriented approach to authorisation is:
A detective control designed to establish the validity and appropriateness or numeric data elements, and to guard against
A PIN if stored for reference purposes, must be stored in:
Echo Check belongs to hardware controls, which usually are those built into the equipment. Echo Check is best described
Identify the factor that is not part of an expert system architecture.
What is a MAJOR benefit of switching over to the electronic data interchange (EDI) system?
When sending a signed message under a public key infrastructure, the message is encrypted using the:
Which of the following functions SHOULD NOT BE combined with Systems Analyst
Which of the following is not a function of the control section:
Which of the following statement is FALSE for Equipment mean-time-between-failure (MTBF)?
An example for a concurrent audit tool whose complexity is low is :
Which one of the following will be included in the application software testing phase for effective controls?
Use of a local area network has its own restrictions when compared to a wide area network. Which one of the following is
Which one of the following transmission media is unsuitable for handling intrabuilding data or voice communications?
Control over data preparation is important because:
A company uses a wide area network (WAN) to allow salesmen in the field to remotely log onto to the office server using
An electronic device that combines data from several low speed communication lines into a single high-speed line is a :
During the audit of automated Information systems, responsibility and reporting lines CANNOT be established since :
Which of the following utilities can be used to directly examine the ability of the program to maintain data integrity?
To properly control access to accounting data held in a Database Management System, the database administrator shou
Which one of the following audit techniques would likely provide an Systems Auditor assurance about the effectiveness a
An Integrated Test Facility (ITF) is BEST described as:
Which of the following would not be appropriate to consider in the physical design of a data centre?
Which of the following statements about digital signatures is NOT true?
While preparing a cost benefit analysis of a security objective for an electronic data interchange (EDI) transaction, which
A less formal review technique is:
Identify the item that is not a part of performance guarantees in software contract negotiations.
An upper CASE tool is used in :
In which phase of SDLC Desk Checking is practiced?
As compared with other Information Systems, Executive Information Systems does NOT have the characteristic of
The advantage of an ISO 9001 quality system implementation is:
The least commonly used medium for local area network (LAN) environment is:
Machine maintenance engineers pose some difficult control programs because:
Select the BEST control to mitigate the risk of creation of duplicate user name and Password during sign on procedures, i
The complete information about all data in a database is found in :
Whenever there is a modification made to an existing software, which of the following testing approaches should be used?
Which of the following is NOT TRUE with regard to network reliability enhancement:
Which of the following statement is true about a mandatory access control policy?
The class of control used to monitor inputs and operation is :
The DES is an example of a:
In monitoring and controlling a system development life cycle project what is NOT formal and documented?
Symbolic evaluation is an error detection method. Where would you handle this? An error detection technique "symbolic
The Duties of a Database administrator does NOT comprise of :
Because of the sensitivity of its data, a database system for business forecasting was implemented with access control a
Which of the following functions cannot be performed using a communications network control terminal:
OSI model of ISO presents a model of seven layers through which data communication across computers passes. Encry
Transaction logs generally consist of successful transactions. Rejected transactions are printed to a separate log. This se
For an effective implementation of a continuous monitoring system, which of the following is identified as the FIRST and F
The risk in auditing an information system is dependent on various other risks. Which of the following results in decrease
Which of the following would be of great concern to an auditor reviewing a policy about selling a company's used microco
When the results of production data files processing with a generalized audit software do not agree with the total balance
Before disposing off the PC used for storing confidential data the most important precautionary measure to be taken is
Exposure that could have been caused by the line - grabbing technique is
The following measures will protect the computer systems from virus attack EXCEPT:
Which of the following is the LEAST important in the case of backup and recovery plan?
With respect to expert systems, a heuristic is not a:
"Availability of computer time" is taken care of in which part of the Project Planning and scheduling ?
In order to achieve the requirements of the user, the BEST option in acquiring an off-the-shelf applications software packa
As organisations move to implement EDI, more of them are turning to the use of value added networks (VANs). Which of
The internet is made up of a series of networks that include
Which of the following would not normally be considered a typical file structure for a database management system:
Which of the following statements about national and international information systems standard is true?
Whenever there is a modification made to an existing software, which of the following testing approaches should be used
Which of the following applet intrusion issues poses the GREATEST risk of disruption to an organisation?
Which one of the following local area network devices functions as a data regenerator?
Which one of the following network architectures is designed to provide data services using physical networks that are mo
Document-driven approach is used in:
Echo Check belongs to hardware controls, which usually are those built into the equipment. Echo Check is best described
An apparent error in input data describing an inventory item was detected and the issue was referred back to the originatin
Symbolic evaluation is an error detection method. Where would you handle this? 'An error detection technique "symbolic e
The estimate of time which has the MOST important relevance in evaluation of the activities in a Program Evaluation Revie
During the review of logical access controls over a company's various application systems, an auditor found that access c
Removing sequences of extraneous zeros or spaces in a file is an application of:
Which of the following would not be considered a characteristic of a private key cryptosystem?
The duties of a Data Security Officer do NOT comprise:
Packet switching is an example of:
Which of the following utilities can be used to directly examine the quality of data in the database:
In evaluation of an organisation's IS strategy, which of the following would an IS auditor consider to be the MOST importa
To properly control access to accounting data held in a Database Management System, the database administrator shou
In an accounts payable system, clerks who enter invoices for payment also maintain the file containing valid vendor code
Rollback is an effective means of recovering data. In which of the following situations after an error has occurred but man
Rollback is easily accomplished with differential file backup technique for which of the following reasons?
Identify the item that is not a part of performance guarantees in software contract negotiations.
Identify the wrong statement with respect to structured programming concepts and program modularity.
The requirements specification phase needs a lot of operational viewpoint input in the early stage of a system developme
Uninterruptible power supplies are used in computer centers to reduce the likelihood of :
The installation of a database management system (DBMS) does not have any direct impact on :
Which of the following decisions most likely could not be made on the basis of reports prepared from the maintenance log
Which one of the following transmission media is unsuitable for handling intrabuilding data or voice communications?
For a high security installation the most effective physical access control devices is
Mr. R. sends a signed message to Mr. S. If Public Key cryptosystem is used for sending the messages, then Mr. R. encry
In a Bank, the updating programme for bank account balances calculates check digit for account numbers. This procedur
During the detailed design phase of SDLC, which one of the following tasks is performed?
In data processing, which of the following causes the maximum losses
Out of the following pairs of services, which provides an access control over a network of computers
Which of the following statements is true about a mandatory access control policy?
Which of the following statements about automated operations facility parameters is not true?
The auditor plans to select a sample of transactions to assess the extent that purchase cash discounts may have been los
The manager of the information systems QA function should report to the:
Passwords belong to the following class of authentication information:
A PIN if stored for reference purposes, must be stored in:
In software maintenance, the NON technical tool is:
To ensure proper separation of duties, the function NOT to be performed by the Scheduling and Operations personnel is
Which of the following risks is not greater in an electronic funds transfer (EFT) environment than in a manual system usin
Which of the following data base environment controls enforces access rules in addition to maintaining standardized defin
An IS Auditor, concerned that application controls are not adequate to prevent duplicate payment of invoices, decided to r
One of the production supervisors who has got access to the corporate database sold sensitive product pricing informatio
The password administration procedure should follow the following principle in implementing the access control :
A main advantage of a standard access control software implemented properly is
The residual dump technique in backup has the disadvantage of
Error seeding should be done in which of the following phases of a system development life cycle?
Which one of the following statements is true?
Which of the following factors would bring down the risks most in Joint Application Design (JAD) meetings?
What makes Rapid prototyping technique portable?
Identify the document which is LEAST effective during the acceptance test of applications software.
A normally expected outcome of a business process re-engineering is that:
Which of the following lines prevents tapping?
Which one of the following statements concerning microcomputer systems NOT true?
When constructing the communications infrastructure for moving data over a local area network, the major implementatio
To effectively implement the principle of least privilege, it is necessary to have:
For a stand-alone system, the best security control is to have
Information system crimes and abuses in comparison to those of the general category are likely to be
Identify the one that is NOT a key concept of object-oriented technology.
An IPF (Information processing facility) is typically a large computer centre. Which of the following has the primary consi
Many automated tools are designed for testing and evaluating computer systems. Which one of the following such tools im
Use of public key infrastructure by an eCommerce site, where public key is widely distributed and the private key is for the
What is a MAJOR benefit of switching over to the electronic data interchange (EDI) system?
Which one of the following pairs, when performed simultaneously, would pose a major Risk?
The auditor plans to select a sample of transactions to assess the extent that purchase cash discounts may have been los
The following message service provides the strongest protection about the occurrence of a specific action:
Which of the following is NOT TRUE with regard to network reliability enhancement:
Which one of the following network types will play an important role in implementing E-commerce?
The application run manual would normally comprise:
Which of the following controls would prevent unauthorized access to specific data elements in a database management
Which of the following statements relating to packet switching networks is True?
In evaluating and reviewing the effectiveness of the management's communication of IS policies to concerned personnel
Introduction of computer-based information system has affected auditing. Which of the following is NOT an effect of IS on
An insurance company is planning to implement new standard software in all its local offices. The new software has a fas
Which among the following hacking techniques DOES NOT facilitate impersonation?
A procedure to have an overall environmental review which is NOT performed by an IS auditor during pre audit planning i
The main difference in terms of control between a manual system and a computer system is:
To properly control access to accounting data held in a Database Management System, the database administrator shou
In an IS environment, routing all links to external systems via a firewall, scanning all diskettes and CDs brought in from ou
Which of the following is a dynamic analysis to detect software errors?
The major risk in prototyping model is :
The duties and role of an IS Steering Committee are:
Implementation and maintenance of new and existing systems with the aid of programmers and analysts is the responsib
Information system is broken into various subsystems. Which among the following is NOT a component of the application
When using message switching in a communication network, the following is not a desirable control?
End-to-end encryption provides only limited protection against a subversive attack that uses:
Which of the following characteristics is not associated with a public key cryptosystem?
Which of the following is least likely to be a reason for making QA personnel responsible for identifying areas where quali
The best control to ensure that a customer uses a debit/credit card carefully is:
The science of cryptography provides all of the following safeguards except
Which of the following functions SHOULD NOT BE combined with Control Group.
Which of the following instruments is used to measure atmospheric humidity in Data Centres?
Which of the following is NOT TRUE about a database management system application environment?
The class of control used to monitor inputs and operation is :
The following message service provides the strongest protection about the occurrence of a specific action:
Which one of the following statements is FALSE?
In general, mainframe computer production programs and data are adequately protected against unauthorized access. Ce
A computerized system should contain an audit trail of information to facilitate detection of certain events. In an audit trail
Which of the following is NOT an input control objective?
Which of the following statements is (are) correct regarding the Internet as a commercially viable network
When using message switching in a communication network, the following is not a desirable control?
The following is an advantage of using link encryption
In evaluating and reviewing the effectiveness of the management's communication of IS policies to concerned personnel
When the results of production data files processing with a generalized audit software do not agree with the total balance
In an accounts payable system, clerks who enter invoices for payment also maintain the file containing valid vendor code
Where access control mechanism is implemented in an open environment, the users are allowed to access a resource:
International Standards Organisation (ISO) has defined risk as the potential that a given threat will exploit vulnerability of a
A function NOT possible of being accomplished using CAATs is :
Which of the following should be verified by an IS auditor reviewing a Business Continuity Plan?
In the case of electronic funds transfer (EFT), which one of the following is MOST vulnerable to fraud and physical attack
Which of the following is a dynamic analysis to detect software errors?
Identify the test-case design techniques that is used in unit and integration testing of applications software.
In order to achieve the requirements of the user, the BEST option in acquiring an off-the-shelf applications software packa
Which of the following characteristics is not associated with a public key cryptosystem?
Which one of the following uses a modem technology as a common means of communicating between computers?
To which of the following resource type are the most complex action privileges assigned?
In preventing unauthorised access to a computer file from a remote terminal, which of the following controls can be used
Spooling software can be subject to one of the following control problem:
Option A
A legacy system is a mainframe computer-based application system
User ID and password
Increased access violations
SCARF/EAM
applets damaging machines on the network by opening connections from the client machine
Multiple users use data concurrently
Transmission control protocol/Internet Protocol (TCP/IP)
performance monitoring
Quality assurance test
Requirements
whether new hardware/system software resources are needed
it is often a major cost area taking about 50% of the data processing budget
CIS can not collect data for performance monitoring purposes
Maintain backups of program and data.
route the message over alternate path if the normal path fails
Substantive tests
Special audit routines do not have to be embedded
The input and output process of data entry and reports generated.
mid-level formatting of hard disk
minimizing the high risk protocol conversion functions that the gateways perform
Presentation
User manual
Better version control
Compliance Testing
Succession planning is not provided for.
it protects messages against traffic analysis
modem
User ID and Password
Reconciliation of batch control totals
Tests of user controls
poor computer centre design
Mr. R.'s private key.
accuracy
the complaint of non-receipt of message by the receiver
check that the transaction is not invalid for that card type
It is the average length of time the hardware is functional
System A - Likelihood 10%, Losses(in$) 6 million
Recovery test
Input edit checks
Modifications to physical and facilities
Detection
Interviewing the system operator
Confidence risk
Defective switching equipment
Monitoring network activity levels
Generalised Audit Software
Monitoring database usage
Ensuring completeness of the output on processing.
Afterimages
complexity of recovery more than a physical dump
Beforeimages of the modified records have been kept in the differential file
Expert system's knowledge is represented declaratively
User friendliness
A legacy system is a mainframe computer-based application system
The Waterfall model
There is a delay of more than 36 months in application development.
detective control
it protects messages against traffic analysis
message duplication
ensuring that adequate information for sound management decision making is available prior to contracting for the purch
Adhering to the project schedule
Identification and authentication
The prototype becomes the finished system
the SDLC method is chosen
parallel simulation technique
forced change of password after every day
Multiple users use data concurrently
performance monitoring
A scatter diagram
Identify the business objectives of the network
Requirements
checking basic control totals
higher cost per transaction
Ensuring completeness of the output on processing.
Active data dictionary system
Increased workloads
adequate reporting between the company and the service provider
it is often a major cost area taking about 50% of the data processing budget
The sample size decreases as the precision amount decreases.
Understanding of business risks by interviewing management's key personnel.
Change records for the application source code.
The mainframe computer should be backed-up on a regular basis.
An integrated test facility.
ensuring that access is given in accordance with the organisation's authorities
Data fault
Better version control
Documentation of activities is the main focus of the standard.
authorizations have been replaced by system software controls
performance monitoring
Sequence check
Database schema
customer over the confidentiality of messages received from the hosting site
Establishing data ownership guidelines
Distributed computing infrastructure
Data is transmitted rapidly
Systems analysis and design
Screens and process programs
Data Control
performance monitoring
delivery proof
Function-oriented techniques
Requirements
Full-scale projects
Sign-on verification security at the physical terminals.
Repeaters
Monitoring network activity levels
Screen layouts
Beforeimages of the modified records have been kept in the differential file
Has much larger storage capacity than a floppy disk and can also access information much more quickly
Good amount of programming skills in the required software.
Restore infected systems with authorized versions.
Vital systems
Beforeimages of the modified records have been kept in the differential file
Delay in transmission of the data
Reusable software
Waterfall model
performance monitoring
Unshielded Twisted pair
Such access authority is appropriate, if they are logged completely.
Public Key registrations
Adhering to the project schedule
Preventive
long-key cipher system
check that the transaction is not invalid for that card type
encryption
Preventive
the encryption key can be known to all communication users
Formal inspections
Library security and use of proper file labels
Troubleshooting teleprocessing problems.
Substantive tests
Selecting transaction that must pass through input program
Use of Generalized Audit software
Remote processing site after transmission to the central processing site.
Beforeimages of the modified records have been kept in the differential file
only if authorisation information specifies users can access the resource
Consider the use of access control software.
Software backup should be kept in an offsite location in a fireproof safe.
Requirements
Allocation of resources for purchase of software platforms and hardware
Build or buy
Lesser accountability and Weaker Organisational structures are the outcome of a BPR.
Data files and backup
electronic bulletin board system
Has much larger storage capacity than a floppy disk and can also access information much more quickly
remote batch processing
Physical design of a database
to alleviate conflict between stakeholders
QA personnel should have the most knowledge about the impact of national and international quality standards on the
A Power loss occurred
whether access logs are maintained of use of various system resources
Defining control, security, and audit requirements
Error detection and correction
Data Control
Rule of thumb
performance monitoring
plain text form in the eventuality that it has to be reissued at a later stage, if the customer forgets their PIN
Quality assurance test
Change management forms
Repeaters
resetting message queue lengths
store-and-forward capability
Pointer validation utility
Time and cost involved and resources utilised in conducting an audit.
reduce the enormity of the loss when a threat materializes
Authorising all the transactions.
Troubleshooting teleprocessing problems.
an alternative source of power
use of security guards can be dispensed with
Reduction in development costs
Adhering to the project schedule
Knowledge base
Recovery test
The Waterfall model
Isolated islands of information
Computer Operator and Quality Assurance are combined.
Fiber optics cable
Reconciliation of batch control totals
Authorisation of access to data files
the controls that are designed to provide reasonable assurance that data received for processing have been properly au
identifying who the user is
Procedures for annual review of the security reports.
Conversion
physical attributes
long-key cipher system
Hydrometer
analysing system degradation
Screens and process programs
Recovery test
Have a sufficient quantity of data for each test case
data preparation, data capture, data input
Library security and use of proper file labels
Packet-switched networks
Uninterruptible power source
Substantive tests
route the message over alternate path if the normal path fails
Diagramming tools
Determining program changes are approved
test of controls
The mainframe computer should be backed-up on a regular basis.
Preventive control
transmission by radio frequency
In ring topology, nodes are connected on a point to point basis whereas it is a multipoint connection in a bus network
Developing program flow chart
Object-oriented user interfaces
The length of time the system will satisfy the needs of the initial user
the adoption of national and international information systems standards will increase the cost of the QA function
high work factor
Data Custodian
Debtor's file
Ensuring sophisticated and state-of-the-art recovery mechanism
Physical layer
Test data generators
SCARF/EAM
Most Likely time
Authorising all the transactions.
With a concentrator, the total bandwidth entering the device is normally different from the bandwidth leaving it
the encryption key can be transmitted through the system over the normal communication path
short key cipher system
Unauthorised program changes.
Monitoring whether security of data is adequate and effective.
store-and-forward capability
modem
In sharing of resources, ownership is difficult to be established.
Increased workloads
Complete audit under accepted auditing standards
To structure the IS auditor's own planning.
access logs on usage of various system resources
the timely and efficient delivery of information by the EDP department
Involvement of key business continuity team members
It prevents non-repudiation by the receiver
message sequence number
User directed policy
Cost of preventive action
Modularity
Conversion to a database system is inexpensive
duplicate circuitry, echo checks, tape file protection and internal header labels
QA personnel should use automated tools to ensure compliance with information systems standards
Batch output is more detailed than online output.
Cable Modems
Input edit checks
User ID and Password
The Business Plan of the organization
Cumulative effects for the year is tested.
operating system will identify an inaccuracy
Incorporate into hardware upgrades
The Business Plan of the organization
Adhering to the project schedule
Test cases, test documentation
Technical issues
Software quality assurance management
No, since the BCP is a personal document of the vendor.
Troubleshooting teleprocessing problems.
Centrally monitor the print queues for correct destinations
Redundant switching equipment
Maintenance of accurate batch registers
determine the business purpose of the network
attenuation amplification
release of message contents
reduce the noise level in the transmission
adequate reporting between the company and the service provider
To structure the IS auditor's own planning.
Centrally monitor the print queues for correct destinations
use of security guards can be dispensed with
Society for Worldwide Interbank Financial Telecommunication (SWIFT)
Beforeimages of the modified records have been kept in the differential file
A legacy system is a mainframe computer-based application system
ensuring that adequate information for sound management decision making is available prior to contracting for the purch
The number of workstations that can be connected to a network
Detection
identifying who the user is
Preventive
Establishing data ownership guidelines
The private key of the sender
Has much larger storage capacity than a floppy disk and can also access information much more quickly
Adhering to the project schedule
only if authorisation information specifies users can access the resource
Requirements
Continuity of service by the agency in case of a happening of a disaster.
Restore infected systems with authorized versions.
Repeaters
whether new hardware/system software resources are needed
the transmission speed of actual documents increases
faulty switching gear
CIS can not collect data for performance monitoring purposes
Maintain backups of program and data.
controls the exposures from traffic analysis
A log
Meet the audit committee members to discuss the IS audit plan
Pointer validation utility
the criticality of the application
Failure to detect the recipient
White-box, code-based, logic-driven technique
Development of a project plan and defining the key areas to be reviewed is a key factor for the success of a BPR.
Interviewing concerned Corporate Management personnel.
it protects messages against traffic analysis
simplicity
User ID and Password
An output control
Integrated Test Facility
modem
Design
Cost of hardware
sender's private key
high work factor
appropriate, but all access should be logged
User friendliness
a component that signals the control unit that an operation has been performed
No, since the BCP is a personal document of the vendor.
Reasonableness test
Unauthorised program changes.
Substantive tests
Tell data processing that the inventory application has a bug in it.
controls the exposures from traffic analysis
Forging the signature
only if authorisation information specifies users can access the resource
Desired precision
Vulnerabilities of assets
To identify a control weakness and trace its effects has become harder
Decision Support System (DSS)
use of security guards can be dispensed with
Transmits transactions using sophisticated formats and file definitions
Point-of-sale system
Ring topologies are more reliable than star topologies
Beforeimages of the modified records have been kept in the differential file
Requirements
audit trail subsystem
Mr. R.'s private key.
Authorisation of access to data files
Check-digit verification
Audit trails are not enabled
appropriate, but all access should be logged
Increased access violations
they possess very high level of computing skills
data preparation, data capture, data input
analysing system degradation
Has much larger storage capacity than a floppy disk and can also access information much more quickly
The Business Plan of the organization
A control chart
Function-oriented techniques
Consider the use of access control software.
Centrally monitor the print queues for correct destinations
dispatching input to the computer room
Interviewing the system operator
Expected rate of occurrence
Confirmation of data with outside sources
transmission by radio frequency
Diagramming tools
the last full dump
Interviewing the system operator
Exhibits the expected and actual results
Daily scanning of the entire file server and moving to a safer area all the doubtful files
the criticality of the application
Monitoring database usage
The terminal used to make the attempt
Performance review of the system department.
end to end data encryption
Decentralised controls over the selection and acquisition of hardware and software is a major concern
the controls that are designed to provide reasonable assurance that data received for processing have been properl
context-dependent security
Audit trails are not enabled
Adhering to the project schedule
Database schema
segregation of operator duties is not a very effective control
receiver's private key
appropriate, but all access should be logged
checking basic control totals
Monitoring database usage
Attenuation
checking basic control totals
short key cipher system
To identify a control weakness and trace its effects has become harder
Selecting transaction that must pass through input program
multiplexing technique
checking basic control totals
Reconciling accounts
the anticipated loss from the failure of the system to meet its functional, efficiency and effectiveness objectives
Maintain backups of program and data.
Tell data processing that the inventory application has a bug in it.
Software backup should be kept in an offsite location in a fireproof safe.
Flooding the network with spurious messages
Afterimages
Both rollforward and rollbackward of transactions after a disaster is rendered easier
Requirement errors
Requirements
Allocation of resources for purchase of software platforms and hardware
Portability guidelines
checking basic control totals
the recommendation that QA personnel make should be backed up by concrete facts
Enable files with the same generation number to be distinguished
the SDLC method is chosen
registration of public keys
Maintenance of accurate batch registers
managing director of the organisation
SCARF/EAM
checking basic control totals
A scatter diagram
Ensuring completeness of the output on processing.
companies must apply to the Internet to gain permission to create a home page to engage in electronic commerce
Interviewing the system operator
A top-down approach
Expected rate of occurrence
The vendor table will not contain current information.
Program coding standards for the organization
Monitoring network activity levels
A log
The input and output process of data entry and reports generated.
A decrease in desired audit risk
test of controls
Acquisition of a software for the purpose of controlling the security access.
Object-oriented user interfaces
Rule of thumb
Component isolation
Continue to work along with the Security Officer on such occasions as a precautionary preventive control.
end to end data encryption
attenuation amplification
faulty switching gear
short key cipher system
high work factor
User ID and passwords
The workload in the organisation is shared
to establish the authenticity of the message
improving a vendor's response time to buyer orders
Network interface card
tape header should be manually logged and checked by the operators
Distributed computing infrastructure
Program changes due to changes in rules, laws, and regulations
Identify the business objectives of the network
Check-digit verification
Uninterruptible power source
Approved
Read-only access to the database files.
Tell data processing that the inventory application has a bug in it.
it is often a major cost area taking about 50% of the data processing budget
White-box, code-based, logic-driven technique
mail the cards in an envelope that identifies the name of the issuing institution
Attribute sampling
IS personnel have always lacked ethics
assessing the strengths and limitations of the hardware to be installed and software platform to be used
All the nodes in a LAN
Society for Worldwide Interbank Financial Telecommunication (SWIFT)
Test mailbox
Develop a shareware application
Compliance Testing
detective control
audit trail subsystem
File integrity
Multiple users use data concurrently
Security administrator
Reconciliation of batch control totals
File management control
check that the transaction is not invalid for that card type
The workload in the organisation is shared
The mainframe computer should be backed-up on a regular basis.
the encryption key can be known to all communication users
Notebook computers usually cost more than Personal Computers but less than mainframes
Giving priority to the security system
mail the cards in an envelope that identifies the name of the issuing institution
it is often a major cost area taking about 50% of the data processing budget
Database size
Physical design of a database
verifying input authorisation
electronic bulletin board system
Read-only access to the database files.
Afterimages
checking basic control totals
Desired precision
Cost of preventive action
Develop a shareware application
User manual
Debugging tool
Knowledge base
The prototyping model
Develop "seamless" processes
Isolated islands of information
Asynchronous communication
failing to control concurrent access to data
whether new hardware/system software resources are needed
Redundant switching equipment
allow the customer to make a small number of PIN entry attempts, close the account after the limit has been reached, and
Supervisory Control
minimise the distance that data control personnel must travel to deliver data and reports
Line monitor
Preventive
dispatching input to the computer room
encrypt the message with the sender's public key, and sign the message with the receiver's private key
increase line errors caused by noise
Establishing data ownership guidelines
Program source code
the encryption key can be known to all communication users
Modifications to physical and facilities
Program changes due to changes in rules, laws, and regulations
Disk striping
electronic bulletin board system
A top-down approach
A tree structure
Selecting transaction that must pass through input program
Afterimages
Systematic sampling selection technique
Encryption of data files on the notebook computer.
The vendor table will not contain current information.
Should be located near to the originating site so that it can quickly be made operational
Report the errors and omissions noticed.
All business problems are assured of quality solutions.
authorizations have been replaced by system software controls
Lower communication costs
performance monitoring
Disk striping
Authorisation of access to data files
Tests of user controls
Encapsulation
To identify control objectives
A data flow diagram
Establishing data ownership guidelines
Maintenance of accurate batch registers
The Web server and the Web browser
the encryption key can be known to all communication users
the senders from reneging on the contract by making their private key public and claiming that the message was forged
Authorising all the transactions.
Requirements
Requirements
Attribute sampling
Expected rate of occurrence
access logs on usage of various system resources
Retransmission of the corrupted messages
Presentation
Program source code
Testing follows debugging
Adhering to the project schedule
White-box, code-based, logic-driven technique
Defining control, security, and audit requirements
Ease to use compared with other systems.
Control Risk assessment.
Information technologies will remain unaltered.
Lower communication costs
message duplication
modem
checking basic control totals
the complaint of non-receipt of message by the receiver
Data Custodian
Integrity
determine whether a critical application system needs modification due to a recent change in the statute
Improving business relationships with trading partners
data preparation, data capture, data input
system availability
Reviewing library controls
Troubleshooting teleprocessing problems.
message sequence number
Approved
A tree structure
Data dictionary
Exhibits the expected and actual results
more difficult as the IS personnel resent being supervised at every step
Software configuration management is established and enforced
Disaster notification to personnel
They are both based on public-key cryptography
both rollforward and rollback to be effected in case of a disaster
Cost of preventive action
Requirements
Portability guidelines
Remove possible disruption caused when going on leave for a day at a time.
Scheduling of computer resources.
File integrity
performance monitoring
Redundant switching equipment
Physical design of a database
the adoption of national and international information systems standards will increase the cost of the QA function
A Power loss occurred
Integrated Test Facility
Controlled disposal of documents
Program source code
poor computer centre design
Increased access violations
physical attributes
the senders from reneging on the contract by making their private key public and claiming that the message was forged
Time
increase line errors caused by noise
No, since the BCP is a personal document of the vendor.
Encryption of data files on the notebook computer.
Check-digit verification
With a concentrator, the total bandwidth entering the device is normally different from the bandwidth leaving it
whether to move files from one storage medium to another to reduce read/write errors
Pointer validation utility
Monitoring network activity levels
High cohesion of modules, low coupling of modules, and high modularity of programs
Be technically at par with client's technical staff
Software backup should be kept in an offsite location in a fireproof safe.
Corruption of tokens during transmission may occur
message sequence number
Reciprocal agreement
The length of time the system will satisfy the needs of the initial user
Requirements tracing
Report the errors and omissions noticed.
Lesser accountability and Weaker Organisational structures are the outcome of a BPR.
File integrity
Hierarchical structure
Data is transmitted rapidly
dispatching input to the computer room
managing director of the organisation
Such access authority is appropriate, if they are logged completely.
Develop "seamless" processes
The Waterfall model
Allocation of resources for purchase of software platforms and hardware
Such access authority is appropriate, if they are logged completely.
whether new hardware/system software resources are needed
Incorporate into hardware upgrades
Preventive
Screens and process programs
Reviewing library controls
Security card
Preventing privileged software from being installed on the mainframe.
modem
Screen layouts
Maintain backups of program and data.
Manually comparing detail transaction files used by an edit program with the program's generated error listings to determ
Software
Determining program changes are approved
Requires the usage of a Test Data Generator.
ambiguity in the resource name is avoided
Authorisation and authentication of users
complexity of recovery more than a physical dump
Both rollforward and rollback of transactions after a disaster are rendered easier
The Waterfall model
Component isolation
Requirements
Data is transmitted rapidly
Uninterruptible power source
to alleviate conflict between stakeholders
User ID and password
the controls that are designed to provide reasonable assurance that data received for processing have been properly aut
network interface card (NIC)
identifying who the user is
Physical layer
Component isolation
User ID and passwords
Preventive
entry via phone
User friendliness
Multiple users use data concurrently
Rule of thumb
short key cipher system
Centrally monitor the print queues for correct destinations
store electronic purchase orders of one organisation to be accessed by another organisation
it protects messages against traffic analysis
star network
to ensure compliance with international EFT standard
Expected rate of occurrence
Evaluation of potential risks from air flight paths.
The mainframe computer should be backed up on a regular basis.
Maintain backups of program and data.
once the diskettes are checked for virus and cleaned, write protect them
Requirement errors
Isolated islands of information
User manuals
Data redundancy within files
Emulation
Uninterruptible power source
a personal development plan with respect to QA training should exist for each employee in the information systems functi
a list of users who can access the resource is associated with each resource together with each user's action privileges w
A processing control
Configuration control
high work factor
Fibre optics cable
SCARF/EAM
Control Group
dispatching input to the computer room
Library security and use of proper file labels
Preventive
Screens and process programs
whether new hardware/system software resources are needed
Transmission control protocol/Internet Protocol (TCP/IP)
Existence check
Sign-on verification security at the physical terminals.
The number of workstations that can be connected to a network
Remove possible disruption caused when going on leave for a day at a time.
Programmers forgot to indicate file retention periods
Remote processing site after transmission to the central processing site.
reduce the noise level in the transmission
Requirements
Change records for the application source code.
Preventing privileged software from being installed on the mainframe.
International data encryption algorithm (IDEA)
Retransmission of the corrupted messages
Program source code
determine whether a critical application system needs modification due to a recent change in the statute
an optical fiber line
File integrity
remote batch processing
the encryption key can be transmitted through the system over the normal communication path
two private keys
Ensuring sophisticated and state-of-the-art recovery mechanism
network interface card (NIC)
Component isolation
Error detection and correction
managing director of the organisation
Preventive
Continuous Sampling
The Business Plan of the organization
Reviewing library controls
Encryption of data files on the notebook computer.
Check-digit verification
dispatching input to the computer room
Requirements
It should be documented in writing and signed by both parties.
Special audit routines do not have to be embedded
Time and cost involved and resources utilised in conducting an audit.
Calculating the age-wise outstandings of Receivables and Payables.
Read-only access to the database files.
Ring topologies are more reliable than star topologies
the last full dump
Rollback may not be too useful if many users have updated the corrupt database before the discovery of the corruption
Developing program flow chart
Inspections
High cohesion of modules, low coupling of modules, and high modularity of programs
Build or buy
Scheduling of computer resources.
Unix platform
Interactivity
context-dependent security
Of less serious nature
The prototyping model
Commitment to quality
File management control
high work factor
check that the transaction is not invalid for that card type
It is the average length of time the hardware is functional
appropriate, but all access should be logged
only if authorisation information specifies users can access the resource
Completing the system planning document
Function-oriented techniques
At what point was the first baseline established?
Packet-switched networks
Irregularities will be eliminated
Programmers forgot to indicate file retention periods
CIS can not collect data for performance monitoring purposes
only if authorisation information specifies users can access the resource
Actively involves himself while designing and implementing the application system.
Desired audit risk
more difficult as the IS personnel resent being supervised at every step
Logging of all transactions
Corrective controls
Installation of a security control software
modulation technique
Test mailbox
Requirements tracing
getting concentrated more in a single location
the transmission speed of actual documents increases
modem
the complaint of non-receipt of message by the receiver
Controlled disposal of documents
Input edit checks
File management control
they possess a very high level of computing skills
the SDLC method is chosen
User ID and Password
User friendliness
Requirements metrics
operating system will identify an inaccuracy
Sudden change in weather and temperature
Incorporate into hardware upgrades
Open purchase orders
whether new hardware/system software resources are needed
Software quality assurance management
Code Correction
Lower communication costs
determine the business purpose of the network
Remove possible disruption caused when going on leave for a day at a time.
Selecting transaction that must pass through input program
Read-only access to the database files.
mail the cards in an envelope that identifies the name of the issuing institution
Technological complexity
A tree structure
Exhibits the expected and actual results
Time and cost involved and resources utilised in conducting an audit.
Whether deleted files on the hard disk have been completely erased.
Encryption protect data in transit from unauthorised interception and manipulation
a power loss
Succession planning is not provided for.
Service management
An output control
User-directed policy
Knowledge base
Allocation of resources for purchase of software platforms and hardware
to make the customer liable if the careless use of a card leads to a fraud,
entry via phone
To test a new idea
Maintenance of accurate batch registers
appropriate, but all access should be logged
Adhering to the project schedule
system availability
increase line errors caused by noise
Full-scale projects
Authorising all the transactions.
Unshielded Twisted pair
store electronic purchase orders of one organisation to be accessed by another organisation
release of message contents
Systems and procedure manuals of the user department.
Programmers forgot to indicate file retention periods
multiple transmission speeds
White-box, code-based, logic-driven technique
Substantive tests
In sharing of resources, ownership is difficult to be established.
Transmits transactions using sophisticated formats and file definitions
In ring topology, nodes are connected on a point-to-point basis whereas it is a multipoint connection in a bus network
Reverse engineering
Recovery test
The prototyping model
Database schema
remote batch processing
a list of users who can access the resource is associated with each resource together with each user's action privileges w
Integrity
sender's private key
physical attributes
Waterfall model
Recovery test
The Business Plan of the organization
improving a vendor's response time to buyer orders
performance monitoring
DNA
Data Control
optical fibre transmission
Monitoring network activity levels
it is often a major cost area taking about 50% of the data processing budget
Continue to work along with the Security Officer on such occasions as a precautionary preventive control.
attenuation amplification
Confidence risk
System design
The IS auditor's test results
Improvement of an organisation's efficiency and communication can be achieved through a restrictive separation of duties
Logging of data input
Remove possible disruption caused when going on leave for a day at a time.
Performance review of the system department.
Lower communication costs
File integrity
the adoption of national and international information systems standards will increase the cost of the QA function
the recommendation that QA personnel make should be backed up by concrete facts
it is not possible for users to change their classification level, though they can change their clearance levels
Reconciliation of batch control totals
Tests of user controls
Duplicate processing of transactions


network interface card (NIC)
Procedures for annual review of the security reports.
Ensure correct programming of operating system functions
formulated by the person who develops the application system for the microcomputers
failing to control concurrent access to data
Improving business relationships with trading partners
whether to move files from one storage medium to another to reduce read/write errors
The Web server and the Web browser
It is the average length of time the hardware is functional
physical attributes
Development through standard system development approach is faster than Prototyping.
Redundant switching equipment
It allows the auditors to have the same degree of confidence as with judgement sampling
Irregularities will be eliminated
Statistical sampling
complexity of recovery more than a physical dump
to ensure compliance with international EFT standard
errors identified during the input validation phase are corrected
Reconciling accounts
Read-only access to the database files.
An integrated test facility.
Preventive control
Software backup should be kept in an offsite location in a fireproof safe.
There is a delay of more than 36 months in application development.
simplicity
the recommendation that QA personnel make should be backed up by concrete facts
high levels of interpersonal conflict often arise among QA personnel
the extent of substantive testing to be carried out by the auditors can be decreased substantially when QA function is wor
Processing time saved is substantial.
A Power loss occurred
network interface card (NIC)
Physical layer
Modules should perform only one principal function
sender's private key
The Web server and the Web browser
Incorporate into hardware upgrades
Systems Analyst
The private key of the sender
encrypt the message with the sender's public key, and sign the message with the receiver's private key
parallel simulation technique
Local area network
Restrict updating and read access to one position
Control access to information system resources.
It should be documented in writing and signed by both parties.
Discussing with the management the corrective procedures that were implemented to strengthen the internal controls.
Calculating the age-wise outstandings of Receivables and Payables.
Outlines the overall authority scope and responsibilities of the audit function.
Within same geographical location
Cost of preventive action
Isolated islands of information
Emulation
duplicate circuitry, echo checks, tape file protection and internal header labels
Repeaters
Disk striping
QA personnel should have the most knowledge about the impact of national and international quality standards on their o
substitution cipher
hardware
Test of evidence of physical access at suspected locations
absence of logging of attempted sign-on
Proximity sensing card reader
Supervisory Control
Knowledge base
Allocation of resources for purchase of software platforms and hardware
Requirements
Modifications to physical and facilities
Product portability
Fibre optics cable
A data flow diagram
The Business Plan of the organization
Reduction in development costs
checking basic control totals
high work factor
Cross referencer
Disk striping
Unshielded Twisted pair
optical fibre transmission
message duplication
it protects messages against traffic analysis
only if authorisation information specifies users can access the resource
Systematic sampling selection technique
To structure the IS auditor's own planning.
Passwords may be changed by the user at his discretion and users at their discretion need not even change the initial pa
Requirements Definition
Conversion
There is a delay of more than 36 months in application development.
Service management
substitution cipher
the recommendation that QA personnel make should be backed up by concrete facts
high levels of interpersonal conflict often arise among QA personnel
Cable Modems
firewall architecture hides the internal network
Inform the top management of the complexities and risks in doing so.
File management control
minimise the distance that data control personnel must travel to deliver data and reports
Data redundancy within files
SCARF/EAM
only through authorized procedures, user creation and privileges are granted
Hierarchical structure
Data is transmitted rapidly
The Business Plan of the organization
No, since the BCP is a personal document of the vendor.
Restore infected systems with authorized versions.
Lower communication costs
modem
it protects messages against traffic analysis
Requirements metrics
star network
Data dictionary
Satellite signals are not easily affected by other electronic transmissions.
All the nodes in a LAN
the contents of the log file
Physical access controls
Program source code
Inspections
Rule of thumb
Documentation of activities is the main focus of the standard.
Report the errors and omissions noticed.
User manuals
whether to move files from one storage medium to another to reduce read/write errors
Redundant switching equipment
The Waterfall model
Preventive
Improving business relationships with trading partners
Notebook computers usually cost more than Personal Computers but less than mainframes
Requirements
Program source code
Better version control
Change records for the application source code.
Logging of data input
Packet-switched networks
Centrally monitor the print queues for correct destinations
Requirements
Acquisition of a software for the purpose of controlling the security access.
Special audit routines do not have to be embedded
insertion of a spurious message
Program coding standards for the organization
Exhibits the expected and actual results
Daily scanning of the entire file server and moving to a safer area all the doubtful files
Passwords are allowed to be shared
All applications designed by the IS Manager
Corruption of tokens during transmission may occur
Delay in transmission of the data
It meets the needs of the organization
Inspections
High cohesion of modules, low coupling of modules, and high modularity of programs
User friendliness
Providing a little indication of segregation of duties.
the firm would be dependent on others for system maintenance
resetting message queue lengths
Fiber optics cable
Isolated islands of information
receiver's private key
operating system will identify an inaccuracy
it is often a major cost area taking about 50% of the data processing budget
Physical layer
A scatter diagram
Change records for the application source code.
Controlled disposal of documents
Reasonableness test
verifying input authorisation
A log
File access capabilities
Data dictionary
To structure the IS auditor's own planning.
Organisational controls
the overall security philosophy of the organisation
ensuring compulsory scanning of all floppy disks before use
formulating the data classification methodology


Reciprocal agreement
Developing program flow chart
It meets the needs of the organization
hardware components
determine the business purpose of the network
it protects messages against traffic analysis
Has much larger storage capacity than a floppy disk and can also access information much more quickly
performance monitoring
Fiber optics cable
QA personnel should have the most knowledge about the impact of national and international quality standards on their o
Batch output is more detailed than online output.
Controlled disposal of documents
Audit trails are not enabled
whether access logs are maintained of use of various system resources
Modules should perform only one principal function
Requirements
Portability guidelines
whether new hardware/system software resources are needed
Establishing data ownership guidelines
System A - Likelihood 10%, Losses (in $) 6 million
they possess a very high level of computing skills
Ensuring sophisticated and state-of-the-art recovery mechanism
Change records for the application source code.
Duplicate processing of transactions
Redundant switching equipment
the encryption key can be known to all communication users
companies must apply to the Internet to gain permission to create a home page to engage in electronic commerce
Control access to information system resources.
Use of Generalized Audit software
Active data dictionary system
Software
Programmers forgot to indicate file retention periods
Troubleshooting teleprocessing problems.
User ids are not recorded in the audit trail
Uses protected telecommunication lines for data transmissions
Modules should perform only one principal function
Portability guidelines
Asynchronous communication
the transmission speed of actual documents increases
it protects messages against traffic analysis
short key cipher system
Tests of user controls
Build or buy
Identification and authentication
formulated by the person who develops the application system for the microcomputers
failing to control concurrent access to data
Cost of hardware
Recovery test
Substantive tests
an optical fiber line
route the message over alternate path if the normal path fails
controls the exposures from traffic analysis
message sequence number
White-box, code-based, logic-driven technique
High cohesion of modules, low coupling of modules, and high modularity of programs
Be technically at par with client's technical staff
Understanding of business risks by interviewing management's key personnel.
Change records for the application source code.
Security card
Complete details of the IPF floor plans
Hot sites can be used for an extended amount of time.
Better version control
Integrity
Scheduling of computer resources.
Lower communication costs
the firm would be dependent on others for system maintenance
remote batch processing
performance monitoring
checking basic control totals
short key cipher system
Disk striping
Organisation control
Modules should perform only one principal function
they possess a very high level of computing skills
the SDLC method is chosen
high work factor
the encryption key can be known to all communication users
Requirements metrics
Preventive
Continuous Sampling
simplicity
Pointer validation utility
Read-only access to the database files.
Control access to information system resources.
minimizing the high risk protocol conversion functions that the gateways perform
Increased workloads
Special audit routines do not have to be embedded
Confirmation of data with outside sources
The input and output process of data entry and reports generated.
Calculating the age-wise outstandings of Receivables and Payables.
Whether deleted files on the hard disk have been completely erased.
mid-level formatting of hard disk
once the diskettes are checked for virus and cleaned, write protect them
the contents of the log file
modulation technique
minimizing the high risk protocol conversion functions that the gateways perform
Defining control, security, and audit requirements
Computer Operator and Quality Assurance are combined.
Packet-switched networks
high work factor
entry via phone
Restrict updating and read access to one position
analysing system degradation
Hierarchical structure
Incorporate into hardware upgrades
substitution cipher
Continuous Sampling
Ensuring sophisticated and state-of-the-art recovery mechanism
plain text form in the eventuality that it has to be reissued at a later stage, if the customer forgets their PIN
Library security and use of proper file labels
Reviewing library controls
Inappropriate
The terminal used to make the attempt
it is often a major cost area taking about 50% of the data processing budget
Lower communication costs
Read-only access to the database files.
Tell data processing that the inventory application has a bug in it.
the last full dump
both rollforward and rollback to be effected in case of a disaster
Increased workloads
Requirements
Good amount of programming skills in the required software.
IS personnel have always lacked ethics
International data encryption algorithm (IDEA)
Should be located near to the originating site so that it can quickly be made operational
Debugging tool
Allocation of resources for purchase of software platforms and hardware
Requirements
Control Risk assessment.
Database schema
Emulation
Proximity sensing card reader
Design
Cut power to data processing equipment.
The Waterfall model
sender's private key
to make the customer liable if the careless use of a card leads to a fraud,
Database schema
it is easy to remember
Evaluation of potential risks from air flight paths.
Library security and use of proper file labels
the SDLC method is chosen
mail the cards in an envelope that identifies the name of the issuing institution
Redundant switching equipment
Monitoring database usage
dispatching input to the computer room
insertion of a spurious message
Interviewing the system operator
there is a difference in the internal control principles
Evaluation of potential risks from air flight paths.
The mainframe computer should be backed up on a regular basis.
Tell data processing that the inventory application has a bug in it.
Organisational controls
Complete details of the IPF floor plans
Both rollforward and rollback of transactions after a disaster are rendered easier
Rollback may not be too useful if many users have updated the corrupt database before the discovery of the corruption
Personnel turnover
Conversion
Report the errors and omissions noticed.
the complaint of non-receipt of message by the receiver
Organisation control
Proximity sensing card reader
A legacy system is a mainframe computer-based application system
Supervisory Control
Build or buy
Identification and authentication
data preparation, data capture, data input
It is the average length of time the hardware is functional
Systems analysis and design
Preventive
Integrity
encrypt the message with the sender's public key, and sign the message with the receiver's private key
Check-digit verification
whether to move files from one storage medium to another to reduce read/write errors
determine the business purpose of the network
Requirements metrics
Read-only access to the database files.
route the message over alternate path if the normal path fails
Substantive tests
Desired precision
the criticality of the application
Adequately supporting the business objectives of the organisation.
Use of Generalized Audit software
the overall security philosophy of the organisation
Right only to read data
Defective switching equipment
Attenuation
Requirements
The Waterfall model
All business problems are assured of quality solutions.
attenuation amplification
Duplicate processing of transactions
identifying who the user is
in transit to the computer
Preventive
formulated by the person who develops the application system for the microcomputers
Hydrometer
Cumulative effects for the year is tested.
Time
Transmission control protocol/Internet Protocol (TCP/IP)
Has much larger storage capacity than a floppy disk and can also access information much more quickly
Identification and authentication
system availability
With a concentrator, the total bandwidth entering the device is normally different from the bandwidth leaving it
increase line errors caused by noise
Logging of data input
Unix platform
Reconciling accounts
CIS can not collect data for performance monitoring purposes
messages getting changed by hackers
message sequence number
both rollforward and rollback to be effected in case of a disaster
Programmers forgot to indicate file retention periods
To structure the IS auditor's own planning.
Encryption
International data encryption algorithm (IDEA)
Flooding the network with spurious messages
ROI
Requirements phase
Modules should perform only one principal function
Input, Output and arithmetic-logic
Appropriate, but all access should be logged.
in transit to the computer
entry via phone


SCARF/EAM
failing to control concurrent access to data
The mainframe computer should be backed up on a regular basis.
It is the average length of time the hardware is functional
data preparation, data capture, data input
Quality assurance test
Existence check
Fiber optics cable
it is often a major cost area taking about 50% of the data processing budget
Active data dictionary system
Maintain backups of program and data.
Rollback may not be too useful if many users have updated the corrupt database before the discovery of the corruption
Approved
Troubleshooting teleprocessing problems.
User ids are not recorded in the audit trail
Uses protected telecommunication lines for data transmissions
Society for Worldwide Interbank Financial Telecommunication (SWIFT)
International data encryption algorithm (IDEA)
In ring topology, nodes are connected on a point-to-point basis whereas it is a multipoint connection in a bus network
messages getting changed by hackers
Used to develop decision support systems
Functional testing
Modules should perform only one principal function
Integrity
Database management systems are available for microcomputer systems
Repeaters
Interactivity
A Power loss occurred
Processing time saved is substantial.
Procedures for annual review of the security reports.
File management control
Increased access violations
Identify the business objectives of the network
Unshielded Twisted pair
they possess a very high level of computing skills
SCARF/EAM
physical attributes
Output of the payroll journal's audit trail.
Cable Modems
Unix platform
Unauthorised program changes.
bridges to direct messages through the optimum data path
Confidence risk
Flooding the network with spurious messages
Monitoring network activity levels
It allows the auditors to have the same degree of confidence as with judgement sampling
Monitoring database usage
The terminal used to make the attempt
formulating and adopting a detailed anti-virus policy for the organisation as a whole and appraising all users about the sa
Corrective controls
Disaster notification to personnel
Afterimages
Terms of payment
Modules should perform only one principal function
Physical design of a database
Reconciliation of batch control totals
absence of logging of attempted sign-on
Proximity sensing card reader
Knowledge base
Error detection and correction
Preventive
Matching user ID and name with password
it is not possible for users to change their classification level, though they can change their clearance levels
Whether statutory regulations are complied with.
The prototyping model
Better version control
Have a sufficient quantity of data for each test case
With a concentrator, the total bandwidth entering the device is normally different from the bandwidth leaving it
Security card
The number of workstations that can be connected to a network
optical fibre transmission
Technological complexity
A decrease in desired audit risk
Trouble shooting teleprocessing problems.
The terminal used to make the attempt
Complete details of the IPF floor plans
International data encryption algorithm (IDEA)
Use of dedicated network
transmission by radio frequency
Functional testing
Rule of thumb
Documentation of activities is the main focus of the standard.
Performance review of the system department.
the firm would be dependent on others for system maintenance
Multiple users use data concurrently
Interactivity
User ID and passwords
Duplicate processing of transactions
Preventive
formulated by the person who develops the application system for the microcomputers
The workload in the organisation is shared
managing director of the organisation
Waterfall model
Repeaters
Requirements metrics
Notebook computers usually cost more than Personal Computers but less than mainframes
Integration test, unit test, systems test, acceptance test
Monitoring network activity levels
Requirements
Compliance Testing
Statistical sampling
an optical fiber line
Programmers forgot to indicate file retention periods
Substantive tests
Pointer validation utility
Software configuration management is established and enforced
The terminal used to make the attempt
An integrated test facility.
Preventive control
Ensure that the alternate site could process all the critical applications.
Data fault
Documentation of activities is the main focus of the standard.
audit trail subsystem
resetting message queue lengths
Packet-switched networks
context-dependent security
Integrated Test Facility
Sign-on verification security at the physical terminals.
Procedures for annual review of the security reports.
Build or buy
delivery proof
parallel simulation technique
data preparation, data capture, data input
receiver's private key
Requirements
Often hardware does not interface in an acceptable manner
a component that signals the control unit that an operation has been performed
plain text form in the eventuality that it has to be reissued at a later stage, if the customer forget their PIN
Authorising all the transactions.
Sign-on verification security at the physical terminals.
Uninterruptible power source
File access capabilities
Exhibits the expected and actual results
multiple transmission speeds
Both rollforward and rollbackward of transactions after a disaster is rendered easier
Increased workloads
Check digits
Flooding the network with spurious messages
Delay in transmission of the data
Requirements phase
Debugging tool
Function-related bugs
Knowledge base
Succession planning is not provided for.
Information technologies will remain unaltered.
it is often a major cost area taking about 50% of the data processing budget
Fiber optics cable
it is not possible for users to change their classification level, though they can change their clearance levels
Audit trails are not enabled
Inform the top management of the complexities and risks in doing so.
Knowledge base
accuracy
The prototype becomes the finished system
data preparation, data capture, data input
it is not possible for users to change their classification level, though they can change their clearance levels
Integrity
modem
Local area network
Syntax checking
Unix platform
Remove possible disruption caused when going on leave for a day at a time.
It allows the auditors to have the same degree of confidence as with judgement sampling
transmission by radio frequency
Afterimages
Reconciling accounts
separation of duties is essential in manual systems whereas in-built checks and balances take care in computerized syste
Monitoring database usage
Security card
only through authorized procedures, user creation and privileges are granted
once the diskettes are checked for virus and cleaned, write protect them
Forcing frequent changes of password by the user
Transmits transactions using sophisticated formats and file definitions
Cost of hardware
Defining control, security, and audit requirements
absence of logging of attempted sign-on
Proximity sensing card reader
Cable Modems
The prototype becomes the finished system
Recovery test
receiver's private key
compromise of a key server's private key
Establishing data ownership guidelines
message modification
Standard software packages
With a concentrator, the total bandwidth entering the device is normally different from the bandwidth leaving it
Maintenance of accurate batch registers
the encryption key can be transmitted through the system over the normal communication path
short key cipher system
Compliance Testing
Systems and procedure manuals of the user department.
it is often a major cost area taking about 50% of the data processing budget
Programmers forgot to indicate file retention periods
Technological complexity
Desired precision
Control Self Assessment assurance received on the working of the application from a line management personnel.
Improvement of an organisation's efficiency and communication can be achieved through a restrictive separation of duties
Software configuration management is established and enforced
controls the exposures from traffic analysis
User directed policy
detective control
hardware components
failing to control concurrent access to data
Library security and use of proper file labels
simplicity
it introduces run-time efficiency
allow the customer to make a small number of PIN entry attempts, close the account after the limit has been reached, an
Check-digit verification
failing to control concurrent access to data
the encryption key can be known to all communication users
Systems analysis and design
Standard software packages
Number of defects per thousand lines of code
Reviewing library controls
Adequately supporting the business objectives of the organisation.
Restore infected systems with authorized versions.
it protects messages against traffic analysis
performance monitoring
Screen layouts
Active data dictionary system
Tell data processing that the inventory application has a bug in it.
Presentation
Monitoring network activity levels
Have a sufficient quantity of data for each test case
Desired precision
International data encryption algorithm (IDEA)
route the message over alternate path if the normal path fails
Cost of preventive action
Design
The prototyping model
Allocation of resources for purchase of software platforms and hardware
Control Risk assessment.
the encryption key can be transmitted through the system over the normal communication path
it is often a major cost area taking about 50% of the data processing budget
notify external auditors because it may affect the audit plan
Public Key registrations
Private key cryptosystem.
Batch output is more detailed than online output.
User ID and passwords
all data can still be reconstructed even if one drive fails
To identify control objectives
receiver's private key
whether new hardware/system software resources are needed
they possess very high level of computing skills
Program source code
data preparation, data capture, data input
DNA
Function-oriented techniques
At what point was the first baseline established?
Preventing privileged software from being installed on the mainframe.
Detection
whether new hardware/system software resources are needed
resetting message queue lengths
Lower communication costs
end to end data encryption
the transmission speed of actual documents increases
Monitoring whether security of data is adequate and effective.
faulty switching gear
Beforeimages of the modified records have been kept in the differential file
Software configuration management is established and enforced
International data encryption algorithm (IDEA)
Functional testing
The length of time the system will satisfy the needs of the initial user
Recovery test
Waterfall model
Database administrator.
Emulation
absence of logging of attempted sign-on
Integrity
Encryption of all transactions
Requirements
formulated by the person who develops the application system for the microcomputers
Systems Analyst
tape header should be manually logged and checked by the operators
all data can still be reconstructed even if one drive fails
The Business Plan of the organization
Quality assurance test
Ensuring completeness of the output on processing.
message duplication
electronic bulletin board system
Ring topologies are more reliable than star topologies
Approved
The latter tests details while the former tests procedures.
ensuring that access is given in accordance with the organisation's authorities
complete details about the computer hardware and software used
Right only to read data
Approval of the plan by Board of Directors.
the timely and efficient delivery of information by the EDP department
Should be located near to the originating site so that it can quickly be made operational
Ring topologies are more reliable than star topologies
User friendliness
RDBMS technology
Portability guidelines
Database administrator.
the encryption key can be known to all communication users
two private keys
Test of evidence of physical access at suspected locations
Unauthorized modification of payroll cheque printing program to inflate the amount for the perpetrator.
Physical layer
Error detection and correction
forced change of password after every day
Systems Analyst
Multiple users use data concurrently
The workload in the organisation is shared
Recovery test
Integrity
Better version control
a component that signals the control unit that an operation has been performed
With a concentrator, the total bandwidth entering the device is normally different from the bandwidth leaving it
A scatter diagram
Change management forms
Output of the payroll journal's audit trail.
Check-digit verification
store electronic purchase orders of one organisation to be accessed by another organisation
Substantive tests
Systems and procedure manuals of the user department.
Requirements metrics
a power loss
It should be documented in writing and signed by both parties.
errors identified during the input validation phase are corrected
A tree structure
A decrease in desired audit risk
No, since the BCP is a personal document of the vendor.
Corrective controls
A legacy system is a mainframe computer-based application system
store electronic purchase orders of one organisation to be accessed by another organisation
minimise the distance that data control personnel must travel to deliver data and reports
Tests of user controls
Defining control, security, and audit requirements
User ID and password
Cost of hardware
File management control
Adhering to the project schedule
Increased access violations
Data redundancy within files
The private key of the sender
Preventive
The workload in the organisation is shared
Physical layer
Full-scale projects
Preventing privileged software from being installed on the mainframe.
it is often a major cost area taking about 50% of the data processing budget
store-and-forward capability
Programmers forgot to indicate file retention periods
adequate reporting between the company and the service provider
Programmers forgot to indicate file retention periods
The input and output process of data entry and reports generated.
Preventing privileged software from being installed on the mainframe.
Passwords may be changed by the user at his discretion and users at their discretion need not even change the initial pa
use of security guards can be dispensed with
Uses protected telecommunication lines for data transmissions
Developing program flow chart
Design
Documentation of activities is the main focus of the standard.
becoming redundant as the validations and authorizations are more and more online and real time based
Sequence check
Batch output is more detailed than online output.
Duplicate processing of transactions
User-directed policy
Encryption of all transactions
Adhering to the project schedule
accuracy
system availability
Control Group
Reduction in development costs
Rule of thumb
Giving priority to the security system
Physical layer
Scheduling of documents
it protects messages against traffic analysis
Attribute sampling
an optical fiber line
Presentation
Beforeimages of the modified records have been kept in the differential file
it is often a major cost area taking about 50% of the data processing budget
Systematic sampling selection technique
Existence check
The right software
White-box, code-based, logic-driven technique
All business problems are assured of quality solutions.
the users satisfaction of meeting their requirements
getting concentrated more in a single location
compiling
Disk striping
Interactivity
Packet-switched networks
a ticket oriented approach to authorisation
Enable files with the same generation number to be distinguished
Increased access violations
short key cipher system
the complaint of non-receipt of message by the receiver
Requirements
substitution cipher
appropriate, but all access should be logged
The workload in the organisation is shared
Network interface card
physical attributes
Quality assurance test
Full-scale projects
verifying input authorisation
Control access to information system resources.
Monitoring network activity levels
to ensure compliance with international EFT standard
Properly define the population
Programmers forgot to indicate file retention periods
Selecting unusual data as per the auditor's choice.
Consider the use of access control software.
Installation of a security control software
optical fibre transmission
the last full dump
Inspections
Milestones
Cost of hardware
Develop "seamless" processes
Isolated islands of information
Report the errors and omissions noticed.
passwords cannot be included in the packet
User ID and Password
Input edit checks
Defining control, security, and audit requirements
they possess very high level of computing skills
Identification and authentication
Identify the business objectives of the network
multiplexor
Expert system's knowledge is represented declaratively
A scatter diagram
Function-oriented techniques
Technical issues
modulation technique
verifying input authorisation
higher cost per transaction
Reconciling accounts
Has much larger storage capacity than a floppy disk and can also access information much more quickly
Daily scanning of the entire file server and moving to a safer area all the doubtful files
test of controls
Read-only access to the database files.
controls for validating data
once the diskettes are checked for virus and cleaned, write protect them
Complete details of the IPF floor plans
Disaster notification to personnel
Delay in transmission of the data
Design
Succession planning is not provided for.
release of message contents
the extent of substantive testing to be carried out by the auditors can be decreased substantially when QA function is wor
hardware
After errors have been corrected, the error reports should be discarded
Sign-on verification security at the physical terminals.
Ensuring sophisticated and state-of-the-art recovery mechanism
User-directed policy
Ensure correct programming of operating system functions
Component isolation
Error detection and correction
they possess very high level of computing skills
LAN cables
The prototype becomes the finished system
Privilege based on the time and day
Such access authority is appropriate, if they are logged completely.
multiplexor
Milestones
high work factor
Unit testing
both rollforward and rollback to be effected in case of a disaster
Selecting transaction that must pass through input program
Continuity of service by the agency in case of a happening of a disaster.
Trouble shooting teleprocessing problems.
ensuring that access is given in accordance with the organisation's authorities
Should be located near to the originating site so that it can quickly be made operational
ROI
Compliance Testing
Scheduling of computer resources.
Decentralised controls over the selection and acquisition of hardware and software is a major concern
dispatching input to the computer room
Fiber optics cable
high work factor
Tests of user controls
context-dependent security
Users have almost a blind faith that any output generated by a computer has to be correct
User ID and password
File management control
The workload in the organisation is shared
A data flow diagram
Establishing data ownership guidelines
The private key of the sender
Unshielded Twisted pair
Establishing data ownership guidelines
Program source code
checking basic control totals
only if authorisation information specifies users can access the resource
Change management forms
The system development environment
Restore infected systems with authorized versions.
Reconciling accounts
test of controls
more difficult as the IS personnel resent being supervised at every step
Software configuration management is established and enforced
Control access to information system resources.
the machine should have a compatible operating system
Defective switching equipment
User directed policy
Requirement errors
User friendliness
Develop "seamless" processes
Scheduling of computer resources.
store electronic purchase orders of one organisation to be accessed by another organisation
companies must apply to the Internet to gain permission to create a home page to engage in electronic commerce
all data can still be reconstructed even if one drive fails
Cable Modems
Encapsulation
the SDLC method is chosen
Identify the business objectives of the network
performance monitoring
Giving priority to the security system
The Business Plan of the organization
Evaluation of potential risks from air flight paths.
Cable Modems
Restore infected systems with authorized versions.
the firm would be dependent on others for system maintenance
Substantive tests
Exhibits the expected and actual results
it is often a major cost area taking about 50% of the data processing budget
Confidence risk
Expected rate of occurrence
Time and cost involved and resources utilised in conducting an audit.
Outlines the overall authority scope and responsibilities of the audit function.
The latter tests details while the former tests procedures.
excessive usage of the hard disk space
the last full dump
Program source code
Personnel turnover
Requirements Definition
Requirements
multiplexing technique
store-and-forward capability
checking basic control totals
a list of users who can access the resource is associated with each resource together with each user's action privileges w
Appropriate, but all access should be logged.
Inappropriate
Commitment to quality
The private key of the sender
Library security and use of proper file labels
Integrity
appropriate, but all access should be logged
DNA
Requirements metrics
No, since the BCP is a personal document of the vendor.
Trouble shooting teleprocessing problems.
checking basic control totals
performance monitoring
Properly define the population
Special audit routines do not have to be embedded
Corruption of tokens during transmission may occur
both rollforward and rollback to be effected in case of a disaster
Irregularities will be eliminated
A tree structure
Control Self Assessment assurance received on the working of the application from a line management personnel.
Change records for the application source code.
Centrally monitor the print queues for correct destinations
the contents of the log file
The length of time the system will satisfy the needs of the initial user
Terms of payment
detective control
multiplexing technique
a ticket oriented approach to authorisation
User ID and password
Public Key registrations
File management control
preserving data integrity
Continuous Sampling
Data redundancy within files
applets damaging machines on the network by opening connections from the client machine
the recipient uses his/her private key to decrypt the secret key.
Integrated services digital network (ISDN) and broadband ISDN
Program source code
Data Control
only if authorisation information specifies users can access the resource
It is the average length of time the hardware is functional
Integration test, unit test, systems test, acceptance test
Reviewing library controls
Authorising all the transactions.
Duplicate processing of transactions
Sign-on verification security at the physical terminals.
Software configuration management is established and enforced
Service management
an optical fiber line
Has much larger storage capacity than a floppy disk and can also access information much more quickly
To identify a control weakness and trace its effects has become harder
Read-only access to the database files.
messages getting changed by hackers
Modules should perform only one principal function
Scheduling of computer resources.
Requirement of more user involvement in communicating user needs.
determine the business purpose of the network
whether new hardware/system software resources are needed
the controls that are designed to provide reasonable assurance that data received for processing have been properly aut
Appropriate, but all access should be logged.
Enable files with the same generation number to be distinguished
preserving data integrity
Preventive
registration of public keys
compromise of a key server's private key
Expert system's knowledge is represented declaratively
Function-oriented techniques
Controlled disposal of documents
A format check
Requirements
Systems and procedure manuals of the user department.
Selecting transaction that must pass through input program
The vendor table will not contain current information.
controls the exposures from traffic analysis
minimizing the high risk protocol conversion functions that the gateways perform
Afterimages
A tree structure
Logging of data input
RAMA
use of security guards can be dispensed with
Rollback may not be too useful if many users have updated the corrupt database before the discovery of the corruption
Testing quality into a product
Database administrator
end to end data encryption
the firm would be dependent on others for system maintenance
whether new hardware/system software resources are needed
short key cipher system
QA personnel should have the most knowledge about the impact of national and international quality standards on their o
cryptoanalyst
it introduces run-time efficiency
context-dependent security
Unauthorized modification of payroll cheque printing program to inflate the amount for the perpetrator.
Variable Sampling
modem
File management control
Increased access violations
Recovery test
simplicity
Establishing data ownership guidelines
Number of defects per thousand lines of code
The system development environment
Maintenance of accurate batch registers
Requirements
Screen layouts
Selecting transaction that must pass through input program
CIS can not collect data for performance monitoring purposes
Adequately supporting the business objectives of the organisation.
Consider the use of access control software.
Whether deleted files on the hard disk have been completely erased.
Preventing privileged software from being installed on the mainframe.
Presentation
Requirements phase
Personnel turnover
White-box, code-based, logic-driven technique
Scheduling of computer resources.
Lesser accountability and Weaker Organisational structures are the outcome of a BPR.
electronic bulletin board system
multiplexing technique
all data can still be reconstructed even if one drive fails
ensuring that adequate information for sound management decision making is available prior to contracting for the purcha
performance monitoring
Authorisation of access to data files
The prototyping model
poor computer centre design
physical attributes
To test a new idea
Distributed computing infrastructure
Incorporate into hardware upgrades
Program changes due to changes in rules, laws, and regulations
Improvement of an organisation's efficiency and communication can be achieved through a restrictive separation of duties
Repeaters
Maintenance of accurate batch registers
store electronic purchase orders of one organisation to be accessed by another organisation
Exhibits the expected and actual results
Confirmation of data with outside sources
It should be documented in writing and signed by both parties.
Discussing with the management the corrective procedures that were implemented to strengthen the internal controls.
Continuity of service by the agency in case of a happening of a disaster.
The terminal used to make the attempt
Virus
Vital systems
Point-of-sale system
Corruption of tokens during transmission may occur
the last full dump
Rollback may not be too useful if many users have updated the corrupt database before the discovery of the corruption
It meets the needs of the organization
Functional testing
Modules should perform only one principal function
Better version control
Database administrator.
whether new hardware/system software resources are needed
high levels of interpersonal conflict often arise among QA personnel
SCARF/EAM
whether access logs are maintained of use of various system resources
Conversion
Increased access violations
they possess very high level of computing skills
segregation of operator duties is not a very effective control
Software configuration management is established and enforced
The terminal used to make the attempt
Asynchronous communication
Lower communication costs
Acquisition of a software for the purpose of controlling the security access.
multiple transmission speeds
controls the exposures from traffic analysis
Interviewing the system operator
Confirmation of data with outside sources
To identify a control weakness and trace its effects has become harder
Trouble shooting teleprocessing problems.
Centrally monitor the print queues for correct destinations
Use of Generalized Audit software
controls for validating data
the timely and efficient delivery of information by the EDP department
Society for Worldwide Interbank Financial Telecommunication (SWIFT)
Beforeimages of the modified records have been kept in the differential file
It meets the needs of the organization
Requirements
hardware components
Unix platform
Fiber optics cable
User ID and passwords
context-dependent security
Processing time saved is substantial.
Program source code
File management control
Allocation of resources for purchase of software platforms and hardware
accuracy
Product portability
The workload in the organisation is shared
operating system will identify an inaccuracy
DNA
tape header should be manually logged and checked by the operators
the encryption key can be known to all communication users
increase line errors caused by noise
At what point was the first baseline established?
an optical fiber line
Substantive tests
Data dictionary
Control Self Assessment assurance received on the working of the application from a line management personnel.
An integrated test facility.
Use of Generalized Audit software
mid-level formatting of hard disk
use of security guards can be dispensed with
messages getting changed by hackers
Function-related bugs
determine whether a critical application system needs modification due to a recent change in the statute
Defining control, security, and audit requirements
Ease to use compared with other systems.
attenuation amplification
long-key cipher system
User ID and passwords
Sequence check
appropriate, but all access should be logged
Modules should perform only one principal function
delivery proof
applets damaging machines on the network by opening connections from the client machine
Distributed computing infrastructure
Open purchase orders
short key cipher system
Code Correction
Whether deleted files on the hard disk have been completely erased.
Software configuration management is established and enforced
With a concentrator, the total bandwidth entering the device is normally different from the bandwidth leaving it
it is often a major cost area taking about 50% of the data processing budget
Lower communication costs
Compliance Testing
Screen layouts
Programmers forgot to indicate file retention periods
Diagramming tools
minimizing the high risk protocol conversion functions that the gateways perform
it is often a major cost area taking about 50% of the data processing budget
Data dictionary
Audit trails are not enabled
mid-level formatting of hard disk
Corruption of tokens during transmission may occur
Requirement errors
Ease to use compared with other systems.
higher cost per transaction
Hierarchical structure
the adoption of national and international information systems standards will increase the cost of the QA function
the extent of substantive testing to be carried out by the auditors can be decreased substantially when QA function is wor
Processing time saved is substantial.
Product portability
security policy should be modified
to make the customer liable if the careless use of a card leads to a fraud,
entry via phone
encryption
forced change of password after every day
The mainframe computer should be backed-up on a regular basis.
resetting message queue lengths
appropriate, but all access should be logged
Change records for the application source code.
The terminal used to make the attempt
Requirements
Continue to work along with the Security Officer on such occasions as a precautionary preventive control.
Development of a project plan and defining the key areas to be reviewed is a key factor for the success of a BPR.
Irregularities will be eliminated
CIS can not collect data for performance monitoring purposes
only if authorisation information specifies users can access the resource
A log
The latter tests details while the former tests procedures.
reduce the enormity of the loss when a threat materializes
Software configuration management is established and enforced
modulation technique
Delay in transmission of the data
Modules should perform only one principal function
Conversion
electronic bulletin board system
a component that signals the control unit that an operation has been performed
whether new hardware/system software resources are needed
long-key cipher system
Reconciliation of batch control totals
Program source code
Identification and authentication
Better version control
preventive
Database schema
Whether statutory regulations are complied with.
parallel simulation technique
The workload in the organisation is shared
Distributed computing infrastructure
DNA
increase line errors caused by noise
Unit testing
Systems and procedure manuals of the user department.
A tree structure
Attribute sampling
Corruption of tokens during transmission may occur
a power loss
checking basic control totals
A log
The IS auditor's test results
Continuity of service by the agency in case of a happening of a disaster.
An integrated test facility.
IP address
the machine should have a compatible operating system
Bus topology network
Requirement errors
becoming redundant as the validations and authorizations are more and more online and real time based
store electronic purchase orders of one organisation to be accessed by another organisation
Appropriate, but all access should be logged.
Enable files with the same generation number to be distinguished
Cost of hardware
receiver's private key
Network interface card
Sudden change in weather and temperature
Has much larger storage capacity than a floppy disk and can also access information much more quickly
Better version control
data preparation, data capture, data input
sender's private key
only if authorisation information specifies users can access the resource
Change management forms
Evaluation of potential risks from air flight paths.
modulation technique
the transmission speed of actual documents increases
performance monitoring
Exhibits the expected and actual results
Decision Support System (DSS)
Code Correction
Partially equipped site where the computer environment consists of few equipment without the main computer.
International data encryption algorithm (IDEA)
optical fibre transmission
message sequence number
both rollforward and rollback to be effected in case of a disaster
Used to develop decision support systems
The right software
Portability guidelines
Waterfall model
Development of a project plan and defining the key areas to be reviewed is a key factor for the success of a BPR.
Control Risk assessment.
Disk striping
QA personnel should have the knowledge and experience to make the best recommendations for improvements to inform
Ensuring sophisticated and state-of-the-art recovery mechanism
modem
failing to control concurrent access to data
data preparation, data capture, data input
Open purchase orders
Recovery test
a component that signals the control unit that an operation has been performed
Test cases, test documentation
Change management forms
Quality metrics
Preventing privileged software from being installed on the mainframe.
Scheduling of documents
Restrict updating and read access to one position
whether new hardware/system software resources are needed
optical fibre transmission
Exhibits the expected and actual results
route the message over alternate path if the normal path fails
Corruption of tokens during transmission may occur
Vulnerabilities of assets
Selecting transaction that must pass through input program
The latter tests details while the former tests procedures.
Maintain backups of program and data.
Installation of a security control software
International data encryption algorithm (IDEA)
insertion of a spurious message
Defining control, security, and audit requirements
Emulation
dispatching input to the computer room
whether to move files from one storage medium to another to reduce read/write errors
a list of users who can access the resource is associated with each resource together with each user s action privileges w
whether access logs are maintained of use of various system resources
registration of public keys
message modification
The workload in the organisation is shared
SCARF/EAM
Adhering to the project schedule
Local area network
Detection
The terminal used to make the attempt
Service management
Fiber optics cable
verifying input authorisation
the transmission speed of actual documents increases
Remove possible disruption caused when going on leave for a day at a time.
To identify a control weakness and trace its effects has become harder
multiplexing technique
Satellite signals are not easily affected by other electronic transmissions.
Confidence risk
separation of duties is essential in manual systems whereas in-built checks and balances take care in computerized syste
In sharing of resources, ownership is difficult to be established.
Unauthorised program changes.
Preventing privileged software from being installed on the mainframe.
RAMA
Cost of hardware
detective control
the transmission speed of actual documents increases
User manuals
Interactivity
allow the customer to make a small number of PIN entry attempts, close the account after the limit has been reached, an
Inappropriate
appropriate, but all access should be logged
firewall architecture hides the internal network
Configuration control
Preventive
system availability
System A - Likelihood 10%, Losses (in $) 6 million
Establishing data ownership guidelines
Cost of hardware
Restrict updating and read access to one position
Fiber optics cable
the firm would be dependent on others for system maintenance
Interviewing the system operator
there is a difference in the internal control principles
Diagramming tools
White-box, code-based, logic-driven technique
Confirmation of data with outside sources
Time and cost involved and resources utilised in conducting an audit.
Outlines the overall authority scope and responsibilities of the audit function.
Used to develop decision support systems
Inspections
Requirements Definition
Requirements tracing
the SDLC method is chosen
higher cost per transaction
Fiber optics cable
The number of workstations that can be connected to a network
a list of users who can access the resource is associated with each resource together with each user s action privileges w
Sequence check
absence of logging of attempted sign-on
Proximity sensing card reader
plain text form in the eventuality that it has to be reissued at a later stage, if the customer forget their PIN
to make the customer liable if the careless use of a card leads to a fraud,
resetting message queue lengths
The private key of the sender
managing director of the organisation
data preparation, data capture, data input
Redundant switching equipment
the senders from reneging on the contract by making their private key public and claiming that the message was forged
Library security and use of proper file labels
Unit testing
Most Likely time
Improvement of an organisation's efficiency and communication can be achieved through a restrictive separation of duties
Monitoring network activity levels
Requirements metrics
Selecting transaction that must pass through input program
System design
To structure the IS auditor's own planning.
the anticipated loss from the failure of the system to meet its functional, efficiency and effectiveness objectives
Ensuring completeness of the output on processing.
Existence check
Preventive control
Physical access controls
Disaster notification to personnel
The length of time the system will satisfy the needs of the initial user
determine whether a critical application system needs modification due to a recent change in the statute
Component isolation
Computer Operator and Quality Assurance are combined.
Asynchronous communication
Packet-switched networks
managing director of the organisation
Preventive
formulated by the person who develops the application system for the microcomputers
increase line errors caused by noise
With a concentrator, the total bandwidth entering the device is normally different from the bandwidth leaving it
Better version control
plain text form in the eventuality that it has to be reissued at a later stage, if the customer forget their PIN
Database size
A scatter diagram
Unit testing
At what point was the first baseline established?
With a concentrator, the total bandwidth entering the device is normally different from the bandwidth leaving it
whether to move files from one storage medium to another to reduce read/write errors
it protects messages against traffic analysis
Corruption of tokens during transmission may occur
Afterimages
errors identified during the input validation phase are corrected
Properly define the population
Attribute sampling
Programmers forgot to indicate file retention periods
Approved
File assess capabilities
Special audit routines do not have to be embedded
Change records for the application source code.
Code Correction
Existence check
an alternative source of power
Use of dedicated network
audit trail subsystem
Reconciliation of batch control totals
Restrict updating and read access to one position
network interface card (NIC)
User ID and passwords
LAN cables
to make the customer liable if the careless use of a card leads to a fraud,
Isolated islands of information
User friendliness
whether new hardware/system software resources are needed
Requirements metrics
Data is transmitted rapidly
Transmission control protocol/Internet Protocol (TCP/IP)
Establishing data ownership guidelines
the SDLC method is chosen
Recovery test
the encryption key can be known to all communication users
Data dictionary
Control access to information system resources.
controls the exposures from traffic analysis
insertion of a spurious message
mail the cards in an envelope that identifies the name of the issuing institution
The sample size decreases as the precision amount decreases.
Actively involves himself while designing and implementing the application system.
Ensuring completeness of the output on processing.
Tell data processing that the inventory application has a bug in it.
Corrective controls
All the nodes in a LAN
Compliance Testing
Report the errors and omissions noticed.
Interviewing concerned Corporate Management personnel.
has all computers linked to a host computer, and each linked computer routes all data through the host computer
Data Custodian
plain text form in the eventuality that it has to be reissued at a later stage, if the customer forget their PIN
Identify the business objectives of the network
User ID and Password
analysing system degradation
The private key of the sender
it is not possible for users to change their classification level, though they can change their clearance levels
Integrated services digital network (ISDN) and broadband ISDN
Redundant switching equipment
DNA
Number of defects per thousand lines of code
Redundant switching equipment
Lower communication costs
A log
Flooding the network with spurious messages
Tell data processing that the inventory application has a bug in it.
Monitoring network activity levels
Have a sufficient quantity of data for each test case
reduce the enormity of the loss when a threat materializes
test of controls
Consider the use of access control software.
Interviewing all data entry operators about the method of input entry adopted
the contents of the log file
optical fibre transmission
Adhering to the project schedule
The Business Plan of the organization
the SDLC method is chosen
Build or buy
the transmission speed of actual documents increases
the encryption key can be transmitted through the system over the normal communication path
Redundant switching equipment
Cost of hardware
physical attributes
the SDLC method is chosen
Data redundancy within files
Hierarchical structure
encrypt the message with the sender's public key, and sign the message with the receiver's private key
short key cipher system
Ensuring completeness of the output on processing.
Active data dictionary system
Maintain backups of program and data.
reduce the noise level in the transmission
it is often a major cost area taking about 50% of the data processing budget
errors identified during the input validation phase are corrected
Vulnerabilities of assets
IS personnel have always lacked ethics
Preventing privileged software from being installed on the mainframe.
Tell data processing that the inventory application has a bug in it.
Remote processing site after transmission to the central processing site.
All applications designed by the IS Manager
Beforeimages of the modified records have been kept in the differential file
Test mailbox
Develop a shareware application
Compliance Testing
Access to system program libraries.
Lower communication costs
the encryption key can be known to all communication users
whether to move files from one storage medium to another to reduce read/write errors
User ID and password
Tests of user controls
A format check
Mr. R.'s private key.
high work factor
Privilege based on the time and day
system availability
Requirements metrics
Network interface card
parallel simulation technique
increase line errors caused by noise
Completing the system planning document
Requirements metrics
Requirements and analysis
Logging of data input
performance monitoring
Acquisition of a software for the purpose of controlling the security access.
Attribute sampling
minimizing the high risk protocol conversion functions that the gateways perform
CIS can not collect data for performance monitoring purposes
Time and cost involved and resources utilised in conducting an audit.
The vendor table will not contain current information.
Active data dictionary system
Check digits
Installation of a security control software
International data encryption algorithm (IDEA)
Attenuation
Ring topologies are more reliable than star topologies
controls the exposures from traffic analysis
Continue to work along with the Security Officer on such occasions as a precautionary preventive control.
Asynchronous communication
Redundant switching equipment
absence of logging of attempted sign-on
Portability guidelines
managing director of the organisation
data preparation, data capture, data input
performance monitoring
encrypt the message with the sender's public key, and sign the message with the receiver's private key
they possess very high level of computing skills
Program changes due to changes in rules, laws, and regulations
Unix platform
Statistical sampling
Remote processing site after transmission to the central processing site.
both rollforward and rollback to be effected in case of a disaster
Complete audit under accepted auditing standards
the anticipated loss from the failure of the system to meet its functional, efficiency and effectiveness objectives
Monitoring database usage
Control access to information system resources.
excessive usage of the hard disk space
Virus
International data encryption algorithm (IDEA)
Afterimages
Both rollforward and rollbackward of transactions after a disaster is rendered easier
Rollback may not be too useful if many users have updated the corrupt database before the discovery of the corruption
Object-oriented user interfaces
Personnel turnover
Requirements tracing
determine whether a critical application system needs modification due to a recent change in the statute
There is a delay of more than 36 months in application development.
multiplexing technique
it is often a major cost area taking about 50% of the data processing budget
Fiber optics cable
the controls that are designed to provide reasonable assurance that data received for processing have been properly aut
User ID and passwords
Modifications to physical and facilities
Matching user ID and name with password
performance monitoring
Completing the system planning document
Quality assurance test
Most Likely time
Change records for the application source code.
Controlled disposal of documents
With a concentrator, the total bandwidth entering the device is normally different from the bandwidth leaving it
Service management
It allows the auditors to have the same degree of confidence as with judgement sampling
Both rollforward and rollbackward of transactions after a disaster is rendered easier
Beforeimages of the modified records have been kept in the differential file
Technological complexity
Daily scanning of the entire file server and moving to a safer area all the doubtful files
complete details about the computer hardware and software used
They are both based on public-key cryptography
reduce the noise level in the transmission
Presentation
audit trail subsystem
has all computers linked to a host computer, and each linked computer routes all data through the host computer
electronic bulletin board system
resetting message queue lengths
whether to move files from one storage medium to another to reduce read/write errors
Unix platform
long-key cipher system
it introduces run-time efficiency
User ID and Password
A processing control
Design
Allocation of resources for purchase of software platforms and hardware
they possess very high level of computing skills
Database schema
To test a new idea
receiver's private key
Library security and use of proper file labels
DNA
Preventive
Repeaters
It allows the auditors to have the same degree of confidence as with judgement sampling
Data dictionary
route the message over alternate path if the normal path fails
The input and output process of data entry and reports generated.
The sample size decreases as the precision amount decreases.
To structure the IS auditor's own planning.
the anticipated loss from the failure of the system to meet its functional, efficiency and effectiveness objectives
more difficult as the IS personnel resent being supervised at every step
access logs on usage of various system resources
Preventive control
Approval of the plan by Board of Directors.
International data encryption algorithm (IDEA)
Hot sites can be used for an extended amount of time.
Have a sufficient quantity of data for each test case
The prototyping model
Requirement of more user involvement in communicating user needs.
companies must apply to the Internet to gain permission to create a home page to engage in electronic commerce
User manuals
minimise the distance that data control personnel must travel to deliver data and reports
Proximity sensing card reader
duplicate circuitry, echo checks, tape file protection and internal header labels
Preventive
SCARF/EAM
Such access authority is appropriate, if they are logged completely.
Rule of thumb
Has much larger storage capacity than a floppy disk and can also access information much more quickly
Program changes due to changes in rules, laws, and regulations
Unix platform
verifying input authorisation
Remove possible disruption caused when going on leave for a day at a time.
Pointer validation utility
Statistical sampling
Satellite signals are not easily affected by other electronic transmissions.
installation of a firewall
hardware lock
the overall security philosophy of the organisation
Approval of the plan by Board of Directors.
They are both based on public-key cryptography
Encryption protect data in transit from unauthorised interception and manipulation
Attenuation
a power loss
It meets the needs of the organization
ROI
Requirements
Development of a project plan and defining the key areas to be reviewed is a key factor for the success of a BPR.
Emulation
it is often a major cost area taking about 50% of the data processing budget
The database administrator also serves as the Security Officer.
the complaint of non-receipt of message by the receiver
Authorisation of access to data files
Product portability
Distributed computing infrastructure
DNA
all data can still be reconstructed even if one drive fails
Program source code
Better version control
Input edit checks
Software configuration management is established and enforced
Uninterruptible power source
the encryption key can be known to all communication users
Special audit routines do not have to be embedded
An integrated test facility.
the last full dump
RDBMS technology
Determining program changes are approved
Actively involves himself while designing and implementing the application system.
Desired audit risk
Corrective controls
Forcing frequent changes of password by the user
Within same geographical location
Flooding the network with spurious messages
Debugging tool
User manuals
dispatching input to the computer room
Scheduling of documents
QA personnel should have the knowledge and experience to make the best recommendations for improvements to inform
A processing control
Enable files with the same generation number to be distinguished
After errors have been corrected, the error reports should be discarded
Check-digit verification
Component isolation
Allocation of resources for purchase of software platforms and hardware
Modifications to physical and facilities
Database schema
resetting message queue lengths
the encryption and decryption process is fast
it is not possible for users to change their classification level, though they can change their clearance levels
message modification
appropriate, but all access should be logged
Whether statutory regulations are complied with.
Cost of hardware
a component that signals the control unit that an operation has been performed
Modifications to physical and facilities
Lower communication costs
Substantive tests
Pointer validation utility
Manually comparing detail transaction files used by an edit program with the program's generated error listings to determ
The IS auditor's test results
Requires the usage of a Test Data Generator.
Decision Support System (DSS)
Check digits
Frequency of the backup
insertion of a spurious message
message sequence number
User manual
User friendliness
Develop "seamless" processes
Defining control, security, and audit requirements
Interviewing concerned Corporate Management personnel.
notify external auditors because it may affect the audit plan
parallel simulation technique
Unit testing
Establishing data ownership guidelines
Systems analysis and design
Milestones
whether new hardware/system software resources are needed
Input edit checks
plain text form in the eventuality that it has to be reissued at a later stage, if the customer forget their PIN
Identify the business objectives of the network
Restore infected systems with authorized versions.
optical fibre transmission
Development of a project plan and defining the key areas to be reviewed is a key factor for the success of a BPR.
store-and-forward capability
Determining program changes are approved
Generalised Audit Software
To identify a control weakness and trace its effects has become harder
Read-only access to the database files.
excessive usage of the hard disk space
the overall security philosophy of the organisation
Forcing frequent changes of password by the user
modulation technique
Reusable software
The prototyping model
Waterfall model
Compliance Testing
Ease to use compared with other systems.
end to end data encryption
higher cost per transaction
Scheduling of documents
Inappropriate
plain text form in the eventuality that it has to be reissued at a later stage, if the customer forget their PIN
Data redundancy within files
the senders from reneging on the contract by making their private key public and claiming that the message was forged
Integrated services digital network (ISDN) and broadband ISDN
all data can still be reconstructed even if one drive fails
SCARF/EAM
a component that signals the control unit that an operation has been performed
physical attributes
Continuity of service by the agency in case of a happening of a disaster.
Redundant switching equipment
Asynchronous communication
message duplication
Exhibits the expected and actual results
a power loss
adequate reporting between the company and the service provider
Requirements
errors identified during the input validation phase are corrected
test of controls
mid-level formatting of hard disk
Vital systems
Use of dedicated network
Flooding the network with spurious messages
the last full dump
complexity of recovery more than a physical dump
Incomplete requirements errors
Compliance Testing
Ease to use compared with other systems.
Requirement of more user involvement in communicating user needs.
determine the business purpose of the network
a personal development plan with respect to QA training should exist for each employee in the information systems functi
Ensuring sophisticated and state-of-the-art recovery mechanism
duplicate circuitry, echo checks, tape file protection and internal header labels
segregation of operator duties is not a very effective control
managing director of the organisation
it is easy to remember
the encryption key can be known to all communication users
it is not possible for users to change their classification level, though they can change their clearance levels
the recipient uses his/her private key to decrypt the secret key.
all data can still be reconstructed even if one drive fails
Systems Analyst
high work factor
only if authorisation information specifies users can access the resource
Existence check
Inappropriate
companies must apply to the Internet to gain permission to create a home page to engage in electronic commerce
it protects messages against traffic analysis
Monitoring network activity levels
Selecting transaction that must pass through input program
Unauthorised program changes.
an alternative source of power
Preventive control
Society for Worldwide Interbank Financial Telecommunication (SWIFT)
reduce the noise level in the transmission
multiple transmission speeds
Rollback may not be too useful if many users have updated the corrupt database before the discovery of the corruption
Cost of hardware
the encryption key can be known to all communication users
short key cipher system
context-dependent security
Check-digit verification
firewall architecture hides the internal network
Conversion
Modules should perform only one principal function
The prototype becomes the finished system
Preventive
a component that signals the control unit that an operation has been performed
A scatter diagram
Technical issues
At what point was the first baseline established?
Network control programs
Trouble shooting teleprocessing problems.
Encryption of data files on the notebook computer.
Controlled disposal of documents
whether new hardware/system software resources are needed
the encryption key can be known to all communication users
message duplication
Monitoring network activity levels
Authorising all the transactions.
Preventive control
Develop a shareware application
Requirements phase
High cohesion of modules, low coupling of modules, and high modularity of programs
Waterfall model
Database management systems are available for microcomputer systems
Uninterruptible power source
a personal development plan with respect to QA training should exist for each employee in the information systems functi
User ID and passwords
Reconciliation of batch control totals
Restrict updating and read access to one position
Adhering to the project schedule
to make the customer liable if the careless use of a card leads to a fraud,
failing to control concurrent access to data
Transmission control protocol/Internet Protocol (TCP/IP)
Open purchase orders
Preventive
a component that signals the control unit that an operation has been performed
high work factor
Integration test, unit test, systems test, acceptance test
modulation technique
electronic bulletin board system
Interviewing the system operator
reduce the noise level in the transmission
Control Self Assessment assurance received on the working of the application from a line management personnel.
Maintain backups of program and data.
Loading and returning of master data tape files
the last full dump
Reverse engineering
Personnel turnover
Inspections
RDBMS technology
the firm would be dependent on others for system maintenance
Input, Output and arithmetic-logic
Scheduling of documents
Packet-switched networks
managing director of the organisation
a personal development plan with respect to QA training should exist for each employee in the information systems functi
Modem equalisation
context-dependent security
Of less serious nature
Integrity
poor computer centre design
accuracy
Data redundancy within files
It is the average length of time the hardware is functional
Screens and process programs
Build or buy
modem
a component that signals the control unit that an operation has been performed
data preparation, data capture, data input
Input edit checks
Network interface card
Completing the system planning document
Unit testing
checking basic control totals
message duplication
separation of duties is essential in manual systems whereas in-built checks and balances take care in computerized syste
Trouble shooting teleprocessing problems.
Centrally monitor the print queues for correct destinations
Security card
Transmits transactions using sophisticated formats and file definitions
Delay in transmission of the data
Reverse engineering
Rule of thumb
becoming redundant as the validations and authorizations are more and more online and real time based
Decentralised controls over the selection and acquisition of hardware and software is a major concern
compiling
QA personnel should have the most knowledge about the impact of national and international quality standards on their o
Mr. R.'s private key.
Security administrator
duplicate circuitry, echo checks, tape file protection and internal header labels
Waterfall model
only through authorized procedures, user creation and privileges are granted
A data flow diagram
Hydrometer
Expert system's knowledge is represented declaratively
Evaluation of potential risks from air flight paths.
Sudden change in weather and temperature
User friendliness
Redundant switching equipment
Centrally monitor the print queues for correct destinations
Continue to work along with the Security Officer on such occasions as a precautionary preventive control.
Systematic sampling selection technique
Active data dictionary system
Remote processing site after transmission to the central processing site.
Systematic sampling selection technique
Security policy
Understanding of business risks by interviewing management's key personnel.
mid-level formatting of hard disk
hardware lock
Ensure that the alternate site could process all the critical applications.
multiple transmission speeds
Requirements
There is a delay of more than 36 months in application development.
Data is transmitted rapidly
modem
it is not possible for users to change their classification level, though they can change their clearance levels
Tests of user controls
Proximity sensing card reader
Cable Modems
Ensuring sophisticated and state-of-the-art recovery mechanism
segregation of operator duties is not a very effective control
applets damaging machines on the network by opening connections from the client machine
Control Group
Hydrometer
Redundant switching equipment
Build or buy
sender's private key
Change records for the application source code.
Uninterruptible power source
Interviewing the system operator
It allows the auditors to have the same degree of confidence as with judgement sampling
faulty switching gear
Requirements
Programmers forgot to indicate file retention periods
To structure the IS auditor's own planning.
Existence check
Whether deleted files on the hard disk have been completely erased.
Security card
ambiguity in the resource name is avoided
Beforeimages of the modified records have been kept in the differential file
ROI
Inspections
higher cost per transaction
Unix platform
two private keys
a ticket oriented approach to authorisation
absence of logging of attempted sign-on
Enable files with the same generation number to be distinguished
Of less serious nature
firewall architecture hides the internal network
Requirements
Modifications to physical and facilities
Preventive
Database schema
check that the transaction is not invalid for that card type
Identify the business objectives of the network
data preparation, data capture, data input
analysing system degradation
Whether statutory regulations are complied with.
short key cipher system
Quality metrics
In ring topology, nodes are connected on a point to point basis whereas it is a multipoint connection in a bus network
Unauthorised program changes.
Vital systems
Disaster notification to personnel
Ring topologies are more reliable than star topologies
Both rollforward and rollbackward of transactions after a disaster is rendered easier
Test mailbox
Object-oriented user interfaces
Requirements
Continue to work along with the Security Officer on such occasions as a precautionary preventive control.
File integrity
Hierarchical structure
minimise the distance that data control personnel must travel to deliver data and reports
compiling
to alleviate conflict between stakeholders
After errors have been corrected, the error reports should be discarded
Users have almost a blind faith that any output generated by a computer has to be correct
Integrated Test Facility
Configuration control
delivery proof
the senders from reneging on the contract by making their private key public and claiming that the message was forged
Reduction in development costs
Cumulative effects for the year is tested.
Requirements metrics
The Business Plan of the organization
high work factor
Identify the business objectives of the network
Cable Modems
Remove possible disruption caused when going on leave for a day at a time.
Selecting transaction that must pass through input program
Confirmation of data with outside sources
minimizing the high risk protocol conversion functions that the gateways perform
Technological complexity
Whether deleted files on the hard disk have been completely erased.
once the diskettes are checked for virus and cleaned, write protect them
Use of dedicated network
Bus topology network
Failure to detect the recipient
ROI
Inspections
Milestones
Multiple users use data concurrently
Decentralised controls over the selection and acquisition of hardware and software is a major concern
Data redundancy within files
Emulation
notify external auditors because it may affect the audit plan
QA personnel should have the knowledge and experience to make the best recommendations for improvements to inform
Mr. R.'s private key.
security policy should be modified
Systems Analyst
Evaluation of potential risks from air flight paths.
appropriate, but all access should be logged
a component that signals the control unit that an operation has been performed
parallel simulation technique
Ensuring sophisticated and state-of-the-art recovery mechanism
Requirements metrics
Attenuation
Requirements
has all computers linked to a host computer, and each linked computer routes all data through the host computer
Maintain backups of program and data.
System design
Monitoring network activity levels
checking basic control totals
Security card
Tell data processing that the inventory application has a bug in it.
optical fibre transmission
message sequence number
Signing poor contracts
Terms of payment
Program source code
Develop "seamless" processes
companies must apply to the Internet to gain permission to create a home page to engage in electronic commerce
Lap tops usually cost more than Personal Computers but less than mainframes
whether new hardware/system software resources are needed
the extent of substantive testing to be carried out by the auditors can be decreased substantially when QA function is wor
hardware
a ticket oriented approach to authorisation
After errors have been corrected, the error reports should be discarded
LAN cables
Preventive
The workload in the organisation is shared
the senders from reneging on the contract by making their private key public and claiming that the message was forged
User friendliness
the encryption and decryption process is fast
Distributed computing infrastructure
With a concentrator, the total bandwidth entering the device is normally different from the bandwidth leaving it
The workload in the organisation is shared
data preparation, data capture, data input
short key cipher system
Full-scale projects
Uninterruptible power source
performance monitoring
A log
messages getting changed by hackers
Increased workloads
Requirements
Software
mail the cards in an envelope that identifies the name of the issuing institution
Security policy
separation of duties is essential in manual systems whereas in-built checks and balances take care in computerized syste
Monitoring whether security of data is adequate and effective.
Expert system's knowledge is represented declaratively
Cost of hardware
Waterfall model
notify external auditors because it may affect the audit plan
high work factor
it introduces run-time efficiency
Sequence check
plain text form in the eventuality that it has to be reissued at a later stage, if the customer forgets their PIN
a component that signals the control unit that an operation has been performed
Knowledge base
Improving of business relationship with trading partners
receiver's private key
Control Group
dispatching input to the computer room
It is the average length of time the hardware is functional
SCARF/EAM
Test cases, test documentation
The number of workstations that can be connected to a network
Unshielded Twisted pair
it is often a major cost area taking about 50% of the data processing budget
end to end data encryption
modem
In sharing of resources, ownership is difficult to be established.
Data dictionary
Read-only access to the database files.
Interviewing the system operator
Tagging and extending master records.
Evaluation of potential risks from air flight paths.
It prevents non-repudiation by the receiver
Cost of preventive action
Inspections
Terms of payment
Design
Requirements
Ease to use compared with other systems.
All business problems are assured of quality solutions.
Fiber optics cable
they possess very high level of computing skills
security policy should be modified
Database schema
Unit testing
Redundant switching equipment
it is not possible for users to change their classification level, though they can change their clearance levels
Preventive
short key cipher system
Change management forms
Requirements
Monitoring database usage
Integrated Test Facility
resetting message queue lengths
Presentation
both rollforward and rollback to be effected in case of a disaster
The input and output process of data entry and reports generated.
A decrease in desired audit risk
Whether deleted files on the hard disk have been completely erased.
Tell data processing that the inventory application has a bug in it.
mid-level formatting of hard disk
excessive usage of the hard disk space
once the diskettes are checked for virus and cleaned, write protect them
Frequency of the backup
Rule of thumb
Milestones
Build or buy
store electronic purchase orders of one organisation to be accessed by another organisation
bridges to direct messages through the optimum data path
Hierarchical structure
the adoption of national and international information systems standards will increase the cost of the QA function
Unit testing
applets damaging machines on the network by opening connections from the client machine
Network interface card
Transmission control protocol/Internet Protocol (TCP/IP)
The prototyping model
a component that signals the control unit that an operation has been performed
Input edit checks
Requirements
Most Likely time
Consider the use of access control software.
Disk striping
the encryption key can be transmitted through the system over the normal communication path
Monitoring whether security of data is adequate and effective.
multiplexing technique
Pointer validation utility
Adequately supporting the business objectives of the organisation.
Read-only access to the database files.
The vendor table will not contain current information.
Rollback may not be too useful if many users have updated the corrupt database before the discovery of the corruption
Before-images of the modified records have been kept in the differential file
Terms of payment
Modules should perform only one principal function
Waterfall model
failing to control concurrent access to data
Data redundancy within files
whether to move files from one storage medium to another to reduce read/write errors
Unshielded Twisted pair
User ID and password
Mr. R.'s private key.
File management control
Defining control, security, and audit requirements
poor computer centre design
Identification and authentication
it is not possible for users to change their classification level, though they can change their clearance levels
operating system will identify an inaccuracy
Open purchase orders
managing director of the organisation
physical attributes
plain text form in the eventuality that it has to be reissued at a later stage, if the customer forgets their PIN
Cross referencer
Code Correction
higher cost per transaction
Active data dictionary system
An integrated test facility.
Software configuration management is established and enforced
Passwords may be changed by the user at his discretion and users at their discretion need not even change the initial pa
use of security guards can be dispensed with
complexity of recovery more than a physical dump
Analysis
Testing follows debugging
The right software
User friendliness
Program source code
Information technologies will remain unaltered.
an optical fiber line
Database management systems are available for microcomputer systems
Repeaters
a ticket oriented approach to authorisation
User ID and passwords
Of less serious nature
Encapsulation
minimise the distance that data control personnel must travel to deliver data and reports
Test data generators
customer over the confidentiality of messages received from the hosting site
Improving of business relationship with trading partners
Systems analysis and design
Open purchase orders
delivery proof
Redundant switching equipment
Local area network
Change records for the application source code.
Sign-on verification security at the physical terminals.
passwords cannot be included in the packet
Systems and procedure manuals of the user department.
To identify a control weakness and trace its effects has become harder
Increased workloads
Forging the signature
Understanding of business risks by interviewing management's key personnel.
there is a difference in the internal control principles
Read-only access to the database files.
Corrective controls
Inspections
The prototype becomes the finished system
Performance review of the system department.
Database administrator.
hardware components
store-and-forward capability
message duplication
the encryption key can be known to all communication users
QA personnel should have the knowledge and experience to make the best recommendations for improvements to inform
to make the customer liable if the careless use of a card leads to a fraud,
system availability
Systems Analyst
Hydrometer
Multiple users use data concurrently
Preventive
delivery proof
With a concentrator, the total bandwidth entering the device is normally different from the bandwidth leaving it
Preventing privileged software from being installed on the mainframe.
The terminal used to make the attempt
Maintenance of accurate batch registers
companies must apply to the Internet to gain permission to create a home page to engage in electronic commerce
store-and-forward capability
it protects messages against traffic analysis
Systems and procedure manuals of the user department.
Tell data processing that the inventory application has a bug in it.
The vendor table will not contain current information.
only if authorisation information specifies users can access the resource
Vulnerabilities of assets
Calculating the age-wise outstandings of Receivables and Payables.
Approval of the plan by Board of Directors.
Point-of-sale system
Inspections
White-box, code-based, logic-driven technique
Build or buy
the encryption key can be known to all communication users
Packet-switched networks
hardware
User ID and passwords
It is error-prone because the software is highly complex.
Option B
A legacy system is old and hence no longer good
Magnetic Card reader
Increased cost per transaction
ITF
a program that deposits a virus on a client
Data are shared by passing files between programs or systems
File transfer protocol
file library maintenance
Interface test
Design
whether unauthorised use is being made of hardware/system software resources
unauthorised changes to data and program can take place
CIS requires modification of the database management system used by the application
Monitor usage of the device.
reduce the wiretapper's capabilities to tap more data
Attribute sample tests
Limiting the conditions to be tested in the system
The higher the Return on Investment by the application.
deleting all the files in the hard disk
controlling all the networks connected in a better way
Physical
Coding standards
Better communications between developers and users
Risk Assessment
Increases the dependence on a single employee.
Even if an intermediate node in the network is broken into, the traffic passing through that node does not get exposed
multiplexer
Anti-virus and anti-piracy software
Examination of logged activity
Edit checks of data entered
theft of machine time
Mr. S's public key
completeness
the sender from disowning the message
ensure that the transaction amount entered is within the cardholder's credit limit
Low MTBF values imply good reliability
System B - Likelihood 15%, Losses(in$) 5 million
Regression test
missing data validity checks
Network utilization by the existing users
Correction
Reading the operator's manual
Sampling risk
Poor contact points in the wiring
down line loading a program
Regression Testing
Altering physical data definitions for improving performance.
adherence of established standards by programs, program changes and documentation.
Before-images
the inability of the backup operation to run in the background while operations are being carried out
Before-images of the modified records have been kept in the primary file
Expert system computations are performed through symbolic reasoning
Quality
A legacy system is old and hence no longer good
Prototyping model
System maintenance constitutes about 65% of the programming costs.
corrective control
Even if an intermediate node in the network is broken into, the traffic passing through that node does not get exposed
spurious associations
ensuring that the vendors are provided with appropriate and uniform data for submission of bids according to managem
Anticipating problems
Certification and accreditation
User expectations are inflated
the design is for a human resources division of the organization
data encryption technique
end-to-end encryption
Data are shared by passing files between programs or systems
file library maintenance
A Pareto diagram
Review the network with reference to the ISO/OSI model of seven layers
Design
Checking to see whether any programs terminated abnormally
unauthorised access and activity
Adherence of established standards by programs, program changes and documentation.
Passive data dictionary system
Lengthy retraining
install secure sockets layer (SSL)
unauthorised changes to data and program can take place
The expected population error rate does not affect the sample size.
Determining adherence of regulatory requirements by conducting compliance tests.
Program Logic flow charts and file definition.
Two persons should be present at the microcomputer when it is uploading data.
Statistical sampling.
reviewing the software based access controls
Requirement fault
Better communications between developers and users
Quality compliance requirement sets are defined in ISO 9000.
authorizations are more distributed among users
file library
Record check
Data dictionary
hosting site over the confidentiality of message sent to the customer
Establishing data custodianship outlines
Systems management
Fibre optic cable is small and flexible
System design and programming
Screens, interactive edits, and sample reports
Systems Analysis
file library maintenance
submission proof
Data-oriented techniques
Design
Pilot projects
Sign-on verification security when logging on to the database management system
File servers
down line loading a program
Dialogue styles
Before-images of the modified records have been kept in the primary file
is a direct access storage medium whereas a floppy disk is a sequential access storage medium
Arriving at a correct conclusion based on the facts and figures available.
Recompile infected programs from source code backups.
Sensitive systems
Before-images of the modified records have been kept in the primary file
Duplicated transactions
Formal specification languages
Incremental development model
file library
Microwave transmission
Such access authority is appropriate because they have the full knowledge and understanding about the entire system
Signature registrations
Anticipating problems
Detective
short key cipher system
ensure that the transaction amount entered is within the cardholder's credit limit
user identification with a password of not less than 6 characters
Detective
the processing time required in private key cryptosystem is faster than that of public key cryptosystem
Programming languages
Halt and error controls
Analysis of degradation of the system.
Attribute sample tests
Capturing the working of an application at a point in time.
Source code review
Central processing site after application program processing.
Before-images of the modified records have been kept in the primary file
unless authorisation information specifies users cannot access the resource
Consider the use of utility software
An inventory of backup tapes at the offsite storage location should be maintained.
Design
Certain phases can be dropped
Purchase and tailor
Information protection has a high risk and always deviates from with BPR.
Programs
electronic data interchange
is a direct access storage medium whereas a floppy disk is a sequential access storage medium
stand alone data processing
Security of a database
to reduce the amount of monitoring of compliance with standards that QA personnel will have to undertake
QA personnel will be best placed to recommend corrective actions when they formulate, promulgate, and maintain s
The hardware temporarily malfunctioned.
whether data stored on servers are adequately protected by means of encryption or any other means
Developing screen flows with specifications
System response time and system uptime
Systems Analysis
Known fact
file library maintenance
ciphertext form produced only from a reversible encryption algorithm
Interface test
Logs
File servers
starting and terminating lines and processes
automatic message purge facility when maximum queue size at the node is exceeded
HIPO charter
Audit programs and audit procedures.
reduce the probability of the threat materializing
Carrying out corrections in the master file.
Analysis of degradation of the system.
a dedicated power generator
physical access to back up storage devices can be restricted effectively
Faster delivery of the system
Anticipating problems
Computing environment
Regression test
Prototyping model
Processing and computing power
The work of a Data entry clerk is also done by a Tape Librarian.
Twisted-pair (shielded) cable
Anticipation and hash total
Authorisation of access to program files
the controls that provide reasonable assurance that all transactions are processed as authorised
identifying what the user possesses
Identification of the cardkeys documenting the data centre areas to which they grant access.
Supplies
personal details
short key cipher system
Hygrometer
analysing user specifications
Screens, interactive edits, and sample reports
Regression test
Keep the test data to a minimum to conserve testing time
data capture, data preparation, data input
Halt and error controls
Frame relay
Fault tolerance
Attribute sample tests
reduce the wiretapper's capabilities to tap more data
Simulation tools
Performing aging analysis
analytical review
Two persons should be present at the microcomputer when it is uploading data.
Compensating control
transmission over coaxial cable
The connectors in a bus topology attenuate the signals and distort them, whereas repeaters in a ring topology are relativ
Determining system inputs and outputs
Application-oriented user interfaces
The rate at which computer technology is expected to advance
QA personnel will perform better when their organisation adopts national and international information systems standard
low work factor
Security administrator
Invoices paid file
Ensuring concurrent access control
Data Link layer
Statistical software packages
ITF
Pessimistic time
Carrying out corrections in the master file.
Demodulation is the process of converting an analog telecommunications signal into a digital computer signal
two different keys are used for the encryption and decryption
32 bit key system
Loss of data while executing a program.
Suggesting and enforcing security measures (ex. Changes in password)
automatic message purge facility when maximum queue size at the node is exceeded
multiplexer
In the rapid development of technology, the duties change very frequently.
Lengthy retraining
Eliminate the need for substantive auditing
Guiding the assistants in performing planned procedures.
protection of stored data in the server by encryption or otherwise
existence of adequate controls to minimize the potential for loss due to computer fraud or embezzlement
Test should address all critical components
It provides sender authenticity
queue length at each network node the message traverses before reaching the destination
Role based policy
Cost of implementation of management directives
Interfacing
Data redundancy can be reduced
duplicate circuitry, echo check and internal header labels
QA personnel should seek to understand the reasons for a compliance failure so that they can advise management
There are more intermediaries involved in producing and distributing batch output.
Authentication Techniques
missing data validity checks
Anti-virus and anti-piracy software
The information systems audit plan
Findings are generally more material to the organisation
they need to be maintained in a secure file
Incorporate into change management procedures
The information systems audit plan
Anticipating problems
Test summaries, test execution reports
Organizational issues
Software configuration management
Yes, because it helps the IS auditor to evaluate the vendor's financial stability and capacity to abide by the contract.
Analysis of degradation of the system.
Create destination defaults for printing based on each employee's departmental affiliation.
Parallel physical circuits
Completeness of batch processing
review the open systems interconnect network model
dynamic equalisation
change of message sequence
encrypt the messages transmitted and decrypt them on reception
install secure sockets layer (SSL)
Guiding the assistants in performing planned procedures.
Create destination defaults for printing based on each employee's departmental affiliation.
physical access to back up storage devices can be restricted effectively
Electronic funds transfer system (EFTS)
Before-images of the modified records have been kept in the primary file
A legacy system is old and hence no longer good
ensuring that the vendors are provided with appropriate and uniform data for submission of bids according to managem
The length of cable to connect a workstation to the network
Correction
identifying what the user possesses
Detective
Establishing data custodianship outlines
Name of the TTP/CA
is a direct access storage medium whereas a floppy disk is a sequential access storage medium
Anticipating problems
unless authorisation information specifies users cannot access the resource
Design
Statement of due care and confidentiality.
Recompile infected programs from source code backups.
File servers
whether unauthorised use is being made of hardware/system software resources
liability relating to protection of proprietary business data decreases
temperature increases
CIS requires modification of the database management system used by the application
Monitor usage of the device.
ensures that even if compromise of encryption key takes place, the loss is restricted to a single user associated with the
Check digit
Ensure that the audit staff is competent in the areas to be audited and wherever required to provide for appropriate training
HIPO charter
the reliability of the controls in the system as perceived by the auditor
Data being transmitted to the wrong recipient
Black-box, code-based, data-driven technique
Implementation and monitoring of the new process is the management's responsibility.
Consideration of external environment likely to benefit / affect the organisation.
Even if an intermediate node in the network is broken into, the traffic passing through that node does not get exposed
small key
Anti-virus and anti-piracy software
An access control
Database authorizations
multiplexer
Code
Cost of file conversion
receiver's public key
low work factor
appropriate, because technical support personnel need to access all data and program files
Quality
two units that provide read-after-write and dual-read capabilities
Yes, because it helps the IS auditor to evaluate the vendor's financial stability and capacity to abide by the contract.
Validity test
Loss of data while executing a program.
Attribute sample tests
Review the data field definitions and logic in the audit software.
ensures that even if compromise of encryption key takes place, the loss is restricted to a single user associated with the
Packet replay
unless authorisation information specifies users cannot access the resource
Size of the population
Probabilities of occurrence of threats
Collection evidence process has been rendered more difficult
Strategic Planning System
physical access to back up storage devices can be restricted effectively
Applications, transactions and trading partners supported remain static over time
Home banking system
Star networks are more easily maintained than a bus network
Before-images of the modified records have been kept in the primary file
Design
systems development management subsystem
Mr. S's public key
Authorisation of access to program files
Master file lookup
Programmers have access to the live environment
appropriate, because technical support personnel need to access all data and program files
Increased cost per transaction
they are prone to changing jobs frequently. This may lead to the loss of experience about a particular machine
data capture, data preparation, data input
analysing user specifications
is a direct access storage medium whereas a floppy disk is a sequential access storage medium
The information systems audit plan
A run chart
Data-oriented techniques
Consider the use of utility software
Create destination defaults for printing based on each employee's departmental affiliation.
altering source data to correct input errors
Reading the operator's manual
Precision limit
A test to assess the quality of data.
transmission over coaxial cable
Simulation tools
the last residual dump
Reading the operator's manual
Document the conditions that lead to a particular action.
Linking to external systems through a firewall
the reliability of the controls in the system as perceived by the auditor
Altering physical data definitions for improving performance.
The date and time of access attempt.
Preparation and monitoring of System implementation plans.
dedicated phone lines
The primary methods of control usually involve general controls
the controls that provide reasonable assurance that all transactions are processed as authorised
write protect security
Programmers have access to the live environment
Anticipating problems
Data dictionary
If operators are given access to the system documentation, they may help in tracing the cause of a potential error
sender's private key
appropriate, because technical support personnel need to access all data and program files
Checking to see whether any programs terminated abnormally
Altering physical data definitions for improving performance.
Wiretapping
Checking to see whether any programs terminated abnormally
32 bit key system
Collection evidence process has been rendered more difficult
Capturing the working of an application at a point in time.
line conditioning technique
Checking to see whether any programs terminated abnormally
Determining whether security policy is available
the loss likely to occur in the ordinary course of business
Monitor usage of the device.
Review the data field definitions and logic in the audit software.
An inventory of backup tapes at the offsite storage location should be maintained.
Changing the order of the message
Before-images
After a disaster, the transactions can be reentered easily, if needed
Design errors
Design
Certain phases can be dropped
Human-computer interaction guidelines
Checking to see whether any programs terminated abnormally
stakeholders should be informed of the contents of reports before they are released to management
Indicate when the file should be again backed up
the design is for a human resources division of the organization
terminal identifier
Completeness of batch processing
project leader
ITF
Checking to see whether any programs terminated abnormally
A Pareto diagram
Adherence of established standards by programs, program changes and documentation.
organisations must use firewalls if they wish to maintain security over internal data
Reading the operator's manual
A bottom-up approach
Precision limit
Clerks will enter an incorrect but valid code for payment.
History of updates to the operating system
down line loading a program
Check digit
The higher the Return on Investment by the application.
A decrease in detection risk
analytical review
Framing and adherence of a Corporate IS policy statement
Application-oriented user interfaces
Known fact
Component modularity
Inform and advise the Senior Management of the high risks involved in it.
dedicated phone lines
dynamic equalisation
temperature increases
32 bit key system
low work factor
Biometric checks
Controls exist over efficient usage of hardware
to encrypt the message for confidentiality
increasing data integrity by defining standards for retrieving paper based information
Switch
staging and job set-up procedures are not appropriate compensating controls
Systems management
Program changes due to errors discovered
Review the network with reference to the ISO/OSI model of seven layers
Master file lookup
Fault tolerance
Documented
Updating from privileged utilities.
Review the data field definitions and logic in the audit software.
unauthorised changes to data and program can take place
Black-box, code-based, data-driven technique
make the same groups responsible for the mailing of cards and the investigation of returned cards
Discovery sampling
There has been a dearth of IS personnel from the initial days
focusing on the strategy for the next three years for the IS division
The entire storage devices in all the servers
Electronic funds transfer system (EFTS)
System programmer mailbox
Develop a freeware application
Risk Assessment
corrective control
systems development management subsystem
Read Only Memory (ROM)
Data are shared by passing files between programs or systems
Data owner
Examination of logged activity
Output control
ensure that the transaction amount entered is within the cardholder's credit limit
Controls exist over efficient usage of hardware
Two persons should be present at the microcomputer when it is uploading data.
the processing time required in private key cryptosystem is faster than that of public key cryptosystem
Because of the increase in use of distributed system, the need for mainframes will increase in the near future
Leaving the decision to the MIS manager
make the same groups responsible for the mailing of cards and the investigation of returned cards
unauthorised changes to data and program can take place
Data usage
Security of a database
identifying questionable data
electronic data interchange
Updating from privileged utilities.
Before images
Checking to see whether any programs terminated abnormally
Size of the population
Cost of implementation of management directives
Develop a freeware application
Coding standards
Source code generation tool
Computing environment
The waterfall model
Eliminate mainframe computer processing
Processing and computing power
Synchronous communication
losing data stored in main memory
whether unauthorised use is being made of hardware/system software resources
Parallel physical circuits
allow the customer to make a small number of PIN entry attempts, do not close the account after the limit has been reach
Periodic rotation of duties
provide security
Circular routing
Detective
altering source data to correct input errors
encrypt the message with the sender's private key and sign the message with the receiver's public key
produce encrypted messages
Establishing data custodianship outlines
System requirements definition
the processing time required in private key cryptosystem is faster than that of public key cryptosystem
Network utilization by the existing users
Program changes due to errors discovered
Data streaming
electronic data interchange
A bottom-up approach
A sequential file structure
Capturing the working of an application at a point in time.
Before images
Stratified sampling selection technique
Setting up a password for the screensaver program on the notebook computer.
Clerks will enter an incorrect but valid code for payment.
Should have the same amount of physical access restrictions as the primary processing site
Solve the problems encountered by the detective controls.
Worries over cost effectiveness are well addressed.
authorizations are more distributed among users
availability of alternate processing sites, in case of a disaster
file library
Data streaming
Authorisation of access to program files
Edit checks of data entered
Idempotence
To suggest the best possible hardware for the company
An entity relationship diagram
Establishing data custodianship outlines
Completeness of batch processing
Assembler and compiler
the processing time required in private key cryptosystem is faster than that of public key cryptosystem
the sender from forging a message using the receiver's private key
Carrying out corrections in the master file.
Design
Design
Discover sampling
Precision limit
protection of stored data in the server by encryption or otherwise
Restoration of corrupted message from backups
Physical
System requirements definition
Debugging follows testing
Anticipating problems
Black-box, code-based, data-driven technique
Developing screen flows with specifications
User friendly features built in.
Contract reviews with the legal counsel.
It improves the product, service and profitability.
availability of alternate processing sites, in case of a disaster
spurious associations
multiplexer
Checking to see whether any programs terminated abnormally
the sender from disowning the message
Security administrator
Reliability
conduct a test of controls to ensure that no necessary control is omitted in the design
Increasing of the transmission speed of documents
data capture, data preparation, data input
data confidentiality
Monitoring and reporting system
Analysis of degradation of the system.
queue length at each network node the message traverses before reaching the destination
Documented
A sequential file structure
Macro
Document the conditions that lead to a particular action.
more difficult because employees access the system remotely and perform duties electronically
User access to the corporate database is controlled by passwords
Equipment shutdown procedures
They both have same uses
recording the time sequence of the successful transactions alone
Cost of implementation of management directives
Design
Human-computer interaction guidelines
Cross train with another employee of another department.
Testing and evaluating programmer and optimisation tools.
Read Only Memory (ROM)
file library
Parallel physical circuits
Security of a database
QA personnel will perform better when their organisation adopts national and international information systems standards
The hardware temporarily malfunctioned.
Database authorizations
Encryption of data files and safe keeping of encryption keys
System requirements definition
theft of machine time
Increased cost per transaction
personal details
the sender from forging a message using the receiver's private key
Scope
produce encrypted messages
Yes, because it helps the IS auditor to evaluate the vendor's financial stability and capacity to abide to the contract.
Setting up a password for the screensaver program on the notebook computer.
Master file lookup
Demodulation is the process of converting an analog telecommunications signal into a digital computer signal
whether only valid and authorised transactions were processed
HIPO charter
down line loading a program
Low cohesion of modules, high coupling of modules, and high modularity of programs
Be able to understand the system that is being audited
An inventory of backup tapes at the offsite storage location should be maintained.
Collision of tokens during transmission may occur
queue length at each network node the message traverses before reaching the destination
Hot site
The rate at which computer technology is expected to advance
Defect counts
Solve the problems encountered by the detective controls.
Information protection has a high risk and always deviates from with BPR.
Read Only Memory (ROM)
Batched sequential structure
Fiber optic cable is small and flexible
altering source data to correct input errors
project leader
Such access authority is appropriate because they have the full knowledge and understanding about the entire system.
Eliminate mainframe computer processing
Spiral model
Certain phases can be dropped
Such access authority is appropriate because they have the full knowledge and understanding about the entire system.
whether unauthorised use is being made of hardware/system software resources
Incorporate into change management procedures
Detective
Screens, interactive edits, and sample reports
Monitoring and reporting system
Encryption routine
Restricting privileged access to test versions of applications.
multiplexer
Dialogue styles
Monitor usage of the device.
Constructing a processing system for accounting applications and processing actual data from throughout the period thro
Documentation
Performing aging analysis
Tests only pre-conceived situations
rules for protecting resources can be minimised
Access control for on line data
the inability of the backup operation to run in the background while operations are being carried out
After a disaster, the transactions can be reentered easily, if needed
Prototyping model
Component modularity
Design
Fiber optic cable is small and flexible
Fault tolerance
to reduce the amount of monitoring of compliance with standards that QA personnel will have to undertake
Magnetic Card reader
the controls that provide reasonable assurance that all transactions are processed as authorised
port
identifying what the user possesses
Data Link layer
Component modularity
Biometric checks
Detective
PIN entry at the issuer's premises
Quality
Data are shared by passing files between programs or systems
Known fact
32 bit key system
Create destination defaults for printing based on each employee's departmental affiliation.
provide translations from clients computer applications to a standard protocol used for EDI communication
Even if an intermediate node in the network is broken into, the traffic passing through that node does not get exposed
mesh network
to decrease the number of paper-based forms
Precision limit
Proximity to earthquake zone.
Two persons should be present at the microcomputer when it is uploading data.
Monitor usage of the device.
all new software before loaded should be scanned for viruses and cleaned
Design errors
Processing and computing power
Preformatted screens
Sharing of common data
Networking
Fault tolerance
training in general QA standards should be provided by QA personnel whereas training in specific QA standards should b
the mechanism associates with each user the resources they can access together with the action privileges they have wit
An operations control
Configuration management
low work factor
Twisted-pair (shielded) cable
ITF
DBA
altering source data to correct input errors
Halt and error controls
Detective
Screens, interactive edits, and sample reports
whether unauthorised use is being made of hardware/system software resources
File transfer protocol
Dependency check
Sign-on verification security when logging on to the database management system
The length of cable to connect a workstation to the network
Cross train with another employee of another department.
Operation personnel did not follow a procedure due to an oversight
Central processing site after application program processing.
encrypt the messages transmitted and decrypt them on reception
Design
Program Logic flow charts and file definition.
Restricting privileged access to test versions of applications.
RC2 and RC4
Restoration of corrupted message from backups
System requirements definition
conduct a test of controls to ensure that no necessary control is omitted in the design
a digital line
Read Only Memory (ROM)
stand alone data processing
two different keys are used for the encryption and decryption
two public keys
Ensuring concurrent access control
port
Component modularity
System response time and system uptime
project leader
Detective
Discrete Sampling
The information systems audit plan
Monitoring and reporting system
Setting up a password for the screensaver program on the notebook computer.
Master file lookup
altering source data to correct input errors
Design
It provides for parallel processing capability at a hot site and in the production environment.
Limiting the conditions to be tested in the system
Audit programs and audit procedures.
Checking and reconciling of postings done in the General Ledger.
Updating from privileged utilities.
Star networks are more easily maintained than a bus network
the last residual dump
To set right the situation, all the elements that have been updated after the corruption must be traced and efforts started f
Determining system inputs and outputs
Testing
Low cohesion of modules, high coupling of modules, and high modularity of programs
Purchase and tailor
Testing and evaluating programmer and optimisation tools.
Distributed computing infrastructure
Availability
write protect security
Unaffected by stringent legal and/or organizational controls
The waterfall model
Penalties for late delivery
Output control
low work factor
ensure that the transaction amount entered is within the cardholder's credit limit
Low MTBF values imply good reliability
appropriate, because technical support personnel need to access all data and program files
unless authorisation information specifies users cannot access the resource
Completing the system requirements document
Data-oriented techniques
Were the test strategies sufficient to determine whether the software is safe and effective?
Frame relay
logical access is permitted only in accordance with authorization
Operation personnel did not follow a procedure due to an oversight
CIS requires modification of the database management system used by the application
unless authorisation information specifies users cannot access the resource
Performs a post-implementation evaluation of the application independently.
Inherent risk
more difficult because employees access the system remotely and perform duties electronically
Logging of all terminals
Preventive controls
A detailed review by the IS Auditor of the security controls
multiplexing technique
System programmer mailbox
Defect counts
getting concentrated as much as in the manual system
liability relating to protection of proprietary business data decreases
multiplexer
the sender from disowning the message
Encryption of data files and safe keeping of encryption keys
missing data validity checks
Output control
they are prone to changing jobs frequently. This may lead to the loss of experience about a particular machine
the design is for a human resources division of the organization
Anti-virus and anti-piracy software
Quality
Design metrics
they need to be maintained in a secure file
Attenuation and propagation delay
Incorporate into change management procedures
Paid EDI invoices
whether unauthorised use is being made of hardware/system software resources
Software configuration management
Job submission
availability of alternate processing sites, in case of a disaster
review the open systems interconnect network model
Cross train with another employee of another department.
Capturing the working of an application at a point in time.
Updating from privileged utilities.
make the same groups responsible for the mailing of cards and the investigation of returned cards
Inherent Risk
A sequential file structure
Document the conditions that lead to a particular action.
Audit programs and audit procedures.
Whether the computer has viruses.
Verify authenticity of a transaction or document
an operating system error
Increases the dependence on a single employee.
Performance management
An access control
Role-based policy
Computing environment
Certain phases can be dropped
blocking a card if it is not used for a period of 3 months
PIN entry at the issuer's premises
To prove a new concept
Completeness of batch processing
appropriate, because technical support personnel need to access all data and program files
Anticipating problems
data confidentiality
produce encrypted messages
Pilot projects
Carrying out corrections in the master file.
Microwave transmission
provide translations from clients computer applications to a standard protocol used for EDI communication
change of message sequence
Interviews with the IS personnel and the end users.
Operation personnel did not follow a procedure due to an oversight
auto-dial features
Black-box, code-based, data-driven technique
Attribute sample tests
In the rapid development of technology, the duties change very frequently.
Applications, transactions and trading partners supported remain static over time
The connectors in a bus topology attenuate the signals and distort them, whereas repeaters in a ring topology are relative
The Delphi method
Regression test
The waterfall model
Data dictionary
stand alone data processing
the mechanism associates with each user the resources they can access together with the action privileges they have wit
Reliability
receiver's public key
personal details
Incremental development model
Regression test
The information systems audit plan
increasing data integrity by defining standards for retrieving paper based information
file library maintenance
ISO/OSI
Systems Analysis
satellite transmission
down line loading a program
unauthorised changes to data and program can take place
Inform and advise the Senior Management of the high risks involved in it.
dynamic equalisation
Sampling risk
Mean-time-between-failure
The auditee's oral explanation / statement of the evidence
Policies on segregation of duties in IS must highlight the variations between the logical and physical access to assets.
Review and scrutiny of error listing.
Cross train with another employee of another department.
Preparation and monitoring of System implementation plans.
availability of alternate processing sites, in case of a disaster
Read Only Memory (ROM)
QA personnel will perform better when their organisation adopts national and international information systems standards
stakeholders should be informed of the contents of reports before they are released to management
it must be enforced by a more complex access control mechanism compared with a discretionary access control policy
Examination of logged activity
Edit checks of data entered
LAN Server Overload
port
Identification of the cardkeys documenting the data centre areas to which they grant access.
Assure that the vendors support current versions of the software.
performed by the operations manager responsible for the mainframe computer
losing data stored in main memory
Increasing of the transmission speed of documents
whether only valid and authorised transactions were processed
Assembler and compiler
Low MTBF values imply good reliability
personal details
Users do not usually know sufficiently about systems to design the system.
Parallel physical circuits
It allows the auditor to substitute sampling technique for his judgement.
logical access is permitted only in accordance with authorization
Policy and procedural variations
the inability of the backup operation to run in the background while operations are being carried out
to decrease the number of paper-based forms
captured data are converted into machine readable form
Determining whether security policy is available
Updating from privileged utilities.
Statistical sampling.
Compensating control
An inventory of backup tapes at the offsite storage location should be maintained.
System maintenance constitutes about 65% of the programming costs.
small key
stakeholders should be informed of the contents of reports before they are released to management
incumbents have little opportunity to exercise high-level information systems skills
QA personnel are likely to check information systems controls more comprehensively than auditors
Control can be exercised to a very fine level of authorisation
The hardware temporarily malfunctioned.
port
Data Link layer
Interaction between modules should be minimal
receiver's public key
Assembler and compiler
Incorporate into change management procedures
DBA
Name of the TTP/CA
encrypt the message with the sender's private key and sign the message with the receiver's public key
data encryption technique
Wireless Local area network
Permit updating and read access for everyone in IS
Restrict access to prevent installation of unauthorized utility software.
It provides for parallel processing capability at a hot site and in the production environment.
Obtaining a letter of representation from management stating that the weakness has been corrected.
Checking and reconciling of postings done in the General Ledger.
State the audit's objective for the delegation of authority for maintenance and review of internal controls.
With different business activities
Cost of implementation of management directives
Processing and computing power
Networking
duplicate circuitry, echo check and internal header labels
File servers
Data streaming
QA personnel will be best placed to recommend corrective actions when they formulate, promulgate, and maintain standa
product cipher
software
An overview understanding of the functions being audited and evaluate the audit and business risk
inability to disconnect after invalid access attempts
Retina scanner
Periodic rotation of duties
Computing environment
Certain phases can be dropped
Design
Network utilization by the existing users
Vendor support
Twisted-pair (shielded) cable
An entity relationship diagram
The information systems audit plan
Faster delivery of the system
Checking to see whether any programs terminated abnormally
low work factor
Change control
Data streaming
Microwave transmission
satellite transmission
spurious associations
Even if an intermediate node in the network is broken into, the traffic passing through that node does not get exposed
unless authorisation information specifies users cannot access the resource
Stratified sampling selection technique
Guiding the assistants in performing planned procedures.
Initial password assignment shall be done by the user department incharge
Detailed Design
Supplies
System maintenance constitutes about 65% of the programming costs.
Performance management
product cipher
stakeholders should be informed of the contents of reports before they are released to management
incumbents have little opportunity to exercise high-level information systems skills
Authentication Techniques
encryption is required
Develop a small program that will give a picture of what is happening during the absence of the operator
Output control
provide security
Sharing of common data
ITF
procedure to ensure that the workstation is logged off automatically when not in use for a particular period of time
Batched sequential structure
Fibre optic cable is small and flexible
The information systems audit plan
Yes, because it helps the IS auditor to evaluate the vendor's financial stability and capacity to abide to the contract.
Recompile infected programs from source code backups.
availability of alternate processing sites, in case of a disaster
multiplexer
Even if an intermediate node in the network is broken into, the traffic passing through that node does not get exposed
Design metrics
mesh network
Macro
Attenuation is the delay in transmission of signals due to difference in frequency
The entire storage devices in all the servers
the controls available and implemented for the protection of the log file
Terminal access controls
System requirements definition
Code reading
Known fact
Quality compliance requirement sets are defined in ISO 9000.
Solve the problems encountered by the detective controls.
Preformatted screens
whether only valid and authorised transactions were processed
Parallel physical circuits
Spiral model
Detective
Increasing of the transmission speed of documents
Because of the increase in use of distributed system, the need for mainframes will increase in the near future
Design
System requirements definition
Better communications between developers and users
Program Logic flow charts and file definition.
Review and scrutiny of error listing.
Frame relay
Create destination defaults for printing based on each employee's departmental affiliation.
Design
Framing and adherence of a Corporate IS policy statement
Limiting the conditions to be tested in the system
spurious associations
History of updates to the operating system
Document the conditions that lead to a particular action.
Linking to external systems through a firewall
Password files are not encrypted
All information system processes
Collision of tokens during transmission may occur
Duplicated transactions
Changing the computing platform may not improve the legacy system
Code reading
Low cohesion of modules, high coupling of modules, and high modularity of programs
Quality
Assisting in defining the relationship between various job functions.
coaxial cabling would have to be installed throughout the building
starting and terminating lines and processes
Twisted-pair (shielded) cable
Processing and computing power
sender's private key
they need to be maintained in a secure file
unauthorised changes to data and program can take place
Data Link layer
A Pareto diagram
Program Logic flow charts and file definition.
Encryption of data files and safe keeping of encryption keys
Validity test
identifying questionable data
Check digit
Analytical review capability
Macro
Guiding the assistants in performing planned procedures.
Physical access controls
the authorisation procedure for accessing data
formatting of the network file server
supervision of data entry
Hot site
Determining system inputs and outputs
Changing the computing platform may not improve the legacy system
database subsystem
review the open systems interconnect network model
Even if an intermediate node in the network is broken into, the traffic passing through that node does not get exposed
is a direct access storage medium whereas a floppy disk is a sequential access storage medium
file library
Twisted-pair (shielded) cable
QA personnel will be best placed to recommend corrective actions when they formulate, promulgate, and maintain standa
There are more intermediaries involved in producing and distributing batch output.
Encryption of data files and safe keeping of encryption keys
Programmers have access to the live environment
whether data stored on servers are adequately protected by means of encryption or any other means
Interaction between modules should be minimal
Design
Human-computer interaction guidelines
whether unauthorised use is being made of hardware/system software resources
Establishing data custodianship outlines
System B - Likelihood 15%, Losses(in$) 5 million
they are prone to changing jobs frequently. This may lead to the loss of experience about a particular machine
Ensuring concurrent access control
Program Logic flow charts and file definition.
LAN Server Overload
Parallel physical circuits
the processing time required in private key cryptosystem is faster than that of public key cryptosystem
organisations must use firewalls if they wish to maintain security over internal data
Restrict access to prevent installation of unauthorized utility software.
Source code review
Passive data dictionary system
Documentation
Operation personnel did not follow a procedure due to an oversight
Analysis of degradation of the system.
Security administrator can amend the details in the audit trail
Must provide high levels of logical and physical security
Interaction between modules should be minimal
Human-computer interaction guidelines
Synchronous communication
liability relating to protection of proprietary business data decreases
Even if an intermediate node in the network is broken into, the traffic passing through that node does not get exposed
32 bit key system
Edit checks of data entered
Purchase and tailor
Certification and accreditation
performed by the operations manager responsible for the mainframe computer
losing data stored in main memory
Cost of file conversion
Regression test
Attribute sample tests
a digital line
reduce the wiretapper's capabilities to tap more data
ensures that even if compromise of encryption key takes place, the loss is restricted to a single user associated with the c
queue length at each network node the message traverses before reaching the destination
Black-box, code-based, data-driven technique
Low cohesion of modules, high coupling of modules, and high modularity of programs
Be able to understand the system that is being audited
Determining adherence of regulatory requirements by conducting compliance tests.
Program Logic flow charts and file definition.
Encryption routine
SDLC procedure statement
Hot sites can be made ready for operation within a short period of time.
Better communications between developers and users
Reliability
Testing and evaluating programmer and optimisation tools.
availability of alternate processing sites, in case of a disaster
coaxial cabling would have to be installed throughout the building
stand alone data processing
file library
Checking to see whether any programs terminated abnormally
32 bit key system
Data streaming
General control
Interaction between modules should be minimal
they are prone to changing jobs frequently. This may lead to the loss of experience about a particular machine
the design is for a human resources division of the organization
low work factor
the processing time required in private key cryptosystem is faster than that of public key cryptosystem
Design metrics
Detective
Discrete Sampling
small key
HIPO charter
Updating from privileged utilities.
Restrict access to prevent installation of unauthorized utility software.
controlling all the networks connected in a better way
Lengthy retraining
Limiting the conditions to be tested in the system
A test to assess the quality of data.
The higher the Return on Investment by the application.
Checking and reconciling of postings done in the General Ledger.
Whether the computer has viruses.
deleting all the files in the hard disk
all new software before loaded should be scanned for viruses and cleaned
the controls available and implemented for the protection of the log file
multiplexing technique
controlling all the networks connected in a better way
Developing screen flows with specifications
The work of a Data entry clerk is also done by a Tape Librarian.
Frame relay
low work factor
PIN entry at the issuer's premises
Permit updating and read access for everyone in IS
analysing user specifications
Batched sequential structure
Incorporate into change management procedures
product cipher
Discrete Sampling
Ensuring concurrent access control
ciphertext form produced only from a reversible encryption algorithm
Halt and error controls
Monitoring and reporting system
Use of an Accounts Receivable Section password
The date and time of access attempt.
unauthorised changes to data and program can take place
availability of alternate processing sites, in case of a disaster
Updating from privileged utilities.
Review the data field definitions and logic in the audit software.
the last residual dump
recording the time sequence of the successful transactions alone
Lengthy retraining
Design
Arriving at a correct conclusion based on the facts and figures available.
There has been a dearth of IS personnel from the initial days
RC2 and RC4
Should have the same amount of physical access restrictions as the primary processing site
Source code generation tool
Certain phases can be dropped
Design
Contract reviews with the legal counsel.
Data dictionary
Networking
Retina scanner
Code
Disengage the uninterruptible power supply.
Spiral model
receiver's public key
blocking a card if it is not used for a period of 3 months
Data dictionary
new account numbers must be issued to customers if their PINs are lost or compromised
Proximity to earthquake zone.
Halt and error controls
the design is for a human resources division of the organization
make the same groups responsible for the mailing of cards and the investigation of returned cards
Parallel physical circuits
Altering physical data definitions for improving performance.
altering source data to correct input errors
spurious associations
Reading the operator's manual
the methodology for implementing the controls is not the same in both
Proximity to earthquake zone.
Two persons should be present at the microcomputer when it is uploading data.
Review the data field definitions and logic in the audit software.
Physical access controls
SDLC procedure statement
After a disaster, the transactions can be reentered easily, if needed
To set right the situation, all the elements that have been updated after the corruption must be traced and efforts started f
Changes in hardware
Supplies
Solve the problems encountered by the detective controls.
the sender from disowning the message
General control
Retina scanner
A legacy system is old and hence no longer good
Periodic rotation of duties
Purchase and tailor
Certification and accreditation
data capture, data preparation, data input
Low MTBF values imply good reliability
System design and programming
Detective
Reliability
encrypt the message with the sender's private key and sign the message with the receiver's public key
Master file lookup
whether only valid and authorised transactions were processed
review the open systems interconnect network model
Design metrics
Updating from privileged utilities.
reduce the wiretapper's capabilities to tap more data
Attribute sample tests
Size of the population
the reliability of the controls in the system as perceived by the auditor
Consistent with the IS department's preliminary budget
Source code review
the authorisation procedure for accessing data
Right to read and execute program
Poor contact points in the wiring
Wiretapping
Design
Prototyping model
Worries over cost effectiveness are well addressed.
dynamic equalisation
LAN Server Overload
identifying what the user possesses
during the return of the data to the user department
Detective
performed by the operations manager responsible for the mainframe computer
Hygrometer
Findings are generally more material to the organisation
Scope
File transfer protocol
is a direct access storage medium whereas a floppy disk is a sequential access storage medium
Certification and accreditation
data confidentiality
Demodulation is the process of converting an analog telecommunications signal into a digital computer signal
produce encrypted messages
Review and scrutiny of error listing.
Distributed computing infrastructure
Determining whether security policy is available
CIS requires modification of the database management system used by the application
traffic analysis by sniffing
queue length at each network node the message traverses before reaching the destination
recording the time sequence of the successful transactions alone
Operation personnel did not follow a procedure due to an oversight
Guiding the assistants in performing planned procedures.
Unique password
Digital signature standard (DSS)
Changing the order of the message
IRR
Design phase
Interaction between modules should be minimal
Control and Output
Appropriate, because System Administrator has to back up all data and program files.
during the return of the data to the user department
PIN entry at the issuer's premises
ITF
losing data stored in main memory
Two persons should be present at the microcomputer when it is uploading data.
Low MTBF values imply good reliability
data capture, data preparation, data input
Interface test
Dependency check
Twisted-pair (shielded) cable
unauthorised changes to data and program can take place
Passive data dictionary system
Monitor usage of the device.
To set right the situation, all the elements that have been updated after the corruption must be traced and efforts started f
Documented
Analysis of degradation of the system.
Security administrator can amend the details in the audit trail
Must provide high levels of logical and physical security
Electronic funds transfer system (EFTS)
Digital signature standard (DSS)
The connectors in a bus topology attenuate the signals and distort them, whereas repeaters in a ring topology are relative
traffic analysis by sniffing
Combined with neural network technologies
Unit testing
Interaction between modules should be minimal
Reliability
Integrated packages are examples of operating systems for microcomputers
File servers
Availability
The hardware temporarily malfunctioned.
Control can be exercised to a very fine level of authorisation
Identification of the cardkeys documenting the data centre areas to which they grant access.
Output control
Increased cost per transaction
Review the network with reference to the ISO/OSI model of seven layers
Microwave transmission
they are prone to changing jobs frequently. This may lead to the loss of experience about a particular machine
ITF
personal details
Review of the control totals.
Authentication Techniques
Distributed computing infrastructure
Loss of data while executing a program.
repeaters to physically connect separate local area networks (LANs)
Sampling risk
Changing the order of the message
down line loading a program
It allows the auditor to substitute sampling technique for his judgement.
Altering physical data definitions for improving performance.
The date and time of access attempt.
Installing the latest anti-virus software regularly
Preventive controls
Equipment shutdown procedures
Before images
Warranty provisions
Interaction between modules should be minimal
Security of a database
Examination of logged activity
inability to disconnect after invalid access attempts
Retina scanner
Computing environment
System response time and system uptime
Detective
Principle of highest privilege should be implemented to perform the file backup function
it must be enforced by a more complex access control mechanism compared with a discretionary access control policy
Whether assets are properly valued.
The waterfall model
Better communications between developers and users
Keep the test data to a minimum to conserve testing time
Demodulation is the process of converting an analog telecommunications signal into a digital computer signal
Encryption routine
The length of cable to connect a workstation to the network
satellite transmission
Inherent Risk
A decrease in detection risk
Analysis of degradation of the system.
The date and time of access attempt.
SDLC procedure statement
Digital signature standard (DSS)
Use of a single value-added network
transmission over coaxial cable
Unit testing
Known fact
Quality compliance requirement sets are defined in ISO 9000.
Preparation and monitoring of System implementation plans.
coaxial cabling would have to be installed throughout the building
Data are shared by passing files between programs or systems
Availability
Detailed logical access control procedures
LAN Server Overload
Detective
performed by the operations manager responsible for the mainframe computer
Controls exist over efficient usage of hardware
project leader
Incremental development model
File servers
Design metrics
Because of the increase in use of distributed system, the need for mainframes will increase in the near future
Unit test, systems test, integration test, acceptance test
down line loading a program
Design
Risk Assessment
Policy and procedural variations
a digital line
Operation personnel did not follow a procedure due to an oversight
Attribute sample tests
HIPO charter
User access to the corporate database is controlled by passwords
The date and time of access attempt.
Statistical sampling.
Compensating control
Recommend that the processing capacity of the alternate site should be increased.
Requirement fault
Quality compliance requirement sets are defined in ISO 9000.
systems development management subsystem
starting and terminating lines and processes
Frame relay
write protect security
Database authorizations
Sign-on verification security when logging on to the database management system
Identification of the cardkeys documenting the data centre areas to which they grant access.
Purchase and tailor
submission proof
data encryption technique
data capture, data preparation, data input
sender's private key
Design
Many information systems projects incur additional costs over the contract cost
two units that provide read-after-write and dual-read capabilities
ciphertext form produced only from a reversible encryption algorithm
Carrying out corrections in the master file.
Sign-on verification security when logging on to the database management system
Fault tolerance
Analytical review capability
Document the conditions that lead to a particular action.
auto-dial features
After a disaster, the transactions can be reentered easily, if needed
Lengthy retraining
Hash totals
Changing the order of the message
Duplicated transactions
Design phase
Source code generation tool
System bugs
Computing environment
Increases the dependence on a single employee.
It improves the product, service and profitability.
unauthorised changes to data and program can take place
Twisted-pair (shielded) cable
it must be enforced by a more complex access control mechanism compared with a discretionary access control policy
Programmers have access to the live environment
Develop a small program that will give a picture of what is happening during the absence of the operator
Computing environment
completeness
User expectations are inflated
data capture, data preparation, data input
it must be enforced by a more complex access control mechanism compared with a discretionary access control policy
Reliability
multiplexer
Wireless Local area network
Desk checking
Distributed computing infrastructure
Cross train with another employee of another department.
It allows the auditor to substitute sampling technique for his judgement.
transmission over coaxial cable
Before images
Determining whether security policy is available
separate persons are responsible for initiation and authorization in manual systems whereas execution and maintenance
Altering physical data definitions for improving performance.
Encryption routine
procedure to ensure that the workstation is logged off automatically when not in use for a particular period of time
all new software before loaded should be scanned for viruses and cleaned
Ensuring that the passwords are not distributed indiscriminately
Applications, transactions and trading partners supported remain static over time
Multiple encryption
Cost of file conversion
Developing screen flows with specifications
inability to disconnect after invalid access attempts
Retina scanner
Authentication Techniques
User expectations are inflated
Regression test
sender's private key
compromise of a receiver's private key
Establishing data custodianship outlines
denial of message services
Response time
Demodulation is the process of converting an analog telecommunications signal into a digital computer signal
Completeness of batch processing
two different keys are used for the encryption and decryption
32 bit key system
Risk Assessment
Interviews with the IS personnel and the end users.
unauthorised changes to data and program can take place
Operation personnel did not follow a procedure due to an oversight
Inherent Risk
Size of the population
A letter of confirmation received from an outsider regarding the account balance.
Policies on segregation of duties in IS must highlight the variations between the logical and physical access to assets.
User access to the corporate database is controlled by passwords
ensures that even if compromise of encryption key takes place, the loss is restricted to a single user associated with the c
Role based policy
corrective control
database subsystem
losing data stored in main memory
Halt and error controls
small key
it allows efficient administration of capabilities
allow the customer to make a small number of PIN entry attempts, do not close the account after the limit has been reach
Master file lookup
losing data stored in main memory
the processing time required in private key cryptosystem is faster than that of public key cryptosystem
System design and programming
Response time
Number of defects over the life of a software product
Monitoring and reporting system
Consistent with the IS department's preliminary budget
Recompile infected programs from source code backups.
Even if an intermediate node in the network is broken into, the traffic passing through that node does not get exposed
file library
Dialogue styles
Passive data dictionary system
Review the data field definitions and logic in the audit software.
Physical
down line loading a program
Keep the test data to a minimum to conserve testing time
Size of the population
Digital signature standard (DSS)
reduce the wiretapper's capabilities to tap more data
Cost of implementation of management directives
Code
The waterfall model
Certain phases can be dropped
Contract reviews with the legal counsel.
two different keys are used for the encryption and decryption
unauthorised changes to data and program can take place
implement corrective actions as and when compliance failure occurs
Signature registrations
Digital Signatures.
There are more intermediaries involved in producing and distributing batch output.
Biometric checks
all data are split evenly across pairs of drives
To suggest the best possible hardware for the company
sender's private key
whether unauthorised use is being made of hardware/system software resources
they are prone to changing jobs frequently. This may lead to the loss of experience about a particular machine
System requirements definition
data capture, data preparation, data input
ISO/OSI
Data-oriented techniques
Were the test strategies sufficient to determine whether the software is safe and effective?
Restricting privileged access to test versions of applications.
Correction
whether unauthorised use is being made of hardware/system software resources
starting and terminating lines and processes
availability of alternate processing sites, in case of a disaster
dedicated phone lines
liability relating to protection of proprietary business data decreases
Suggesting and enforcing security measures (ex. Changes in password)
temperature increases
Before images of the modified records have been kept in the primary file
User access to the corporate database is controlled by passwords
RC2 and RC4
Unit testing
The rate at which computer technology is expected to advance
Regression test
Incremental development model
Systems development manager.
Networking
inability to disconnect after invalid access attempts
Reliability
Authentication of all transactions in time
Design
performed by the operations manager responsible for the mainframe computer
DBA
staging and job set-up procedures are not appropriate compensating controls
all data are split evenly across pairs of drives
The information systems audit plan
Interface test
Adherence of established standards by programs, program changes and documentation.
spurious associations
electronic data interchange
Star networks are more easily maintained than a bus network
Documented
The former tests procedures while the latter tests plans.
reviewing the software based access controls
commitment of the management for the implementation of the policy
Right to read and execute program
Plan is tested once in a year.
existence of adequate controls to minimize the potential for loss due to computer fraud or embezzlement
Should have the same amount of physical access restrictions as the primary processing site
Star networks are more easily maintained than a bus network
Quality
Client/server technology
Human-computer interaction guidelines
Systems development manager.
the processing time required in private key cryptosystem is faster than that of public key cryptosystem
two public keys
An overview understanding of the functions being audited and evaluate the audit and business risk
Any incident involving the IS whereby a perpetrator is able to inflict a loss to a would-be victim for his/her personal gain
Data Link layer
System response time and system uptime
end-to-end encryption
DBA
Data are shared by passing files between programs or systems
Controls exist over efficient usage of hardware
Regression test
Reliability
Better communications between developers and users
two units that provide read-after-write and dual-read capabilities
Demodulation is the process of converting an analog telecommunications signal into a digital computer signal
A Pareto diagram
Logs
Review of the control totals.
Master file lookup
provide translations from clients' computer applications to a standard protocol used for EDI communication
Attribute sample tests
Interviews with the IS personnel and the end users.
Design metrics
an operating system error
It provides for parallel processing capability at a hot site and in the production environment.
captured data are converted into machine readable form
A sequential file structure
A decrease in detection risk
Yes, because it helps the IS auditor to evaluate the vendor's financial stability and capacity to abide to the contract.
Preventive controls
A legacy system is old and hence no longer good
provide translations from clients' computer applications to a standard protocol used for EDI communication
provide security
Edit checks of data entered
Developing screen flows with specifications
Magnetic Card reader
Cost of file conversion
Output control
Anticipating problems
Increased cost per transaction
Sharing of common data
Name of the TTP/CA
Detective
Controls exist over efficient usage of hardware
Data Link layer
Pilot projects
Restricting privileged access to test versions of applications.
unauthorised changes to data and program can take place
automatic message purge facility when maximum queue size at the node is exceeded
Operation personnel did not follow a procedure due to an oversight
install Secure Sockets Layer (SSL)
Operation personnel did not follow a procedure due to an oversight
The higher the Return on Investment by the application.
Restricting privileged access to test versions of applications.
Initial password assignment shall be done by the user department in charge
physical access to back up storage devices can be restricted effectively
Must provide high levels of logical and physical security
Determining system inputs and outputs
Code
Quality compliance requirement sets are defined in ISO 9000.
generated always by the updating routines
Record check
There are more intermediaries involved in producing and distributing batch output.
LAN Server Overload
Role-based policy
Authentication of all transactions in time
Anticipating problems
completeness
data confidentiality
DBA
Faster delivery of the system
Known fact
Leaving the decision to the MIS manager
Data Link layer
Planning of adequate security and controls in the computer center
Even if an intermediate node in the network is broken into, the traffic passing through that node does not get exposed
Discovery sampling
a digital line
Physical
Before images of the modified records have been kept in the primary file
unauthorised changes to data and program can take place
Stratified sampling selection technique
Dependency check
The right people
Black-box, code-based, data-driven technique
Worries over cost effectiveness are well addressed.
its asset safeguarding capabilities
getting concentrated as much as in the manual system
multiplexor channeling
Data streaming
Availability
Frame relay
a list oriented approach to authorisation
Indicate when the file should be again backed up
Increased cost per transaction
32 bit key system
the sender from disowning the message
Design
product cipher
appropriate, because technical support personnel need to access all data and program files
Controls exist over efficient usage of hardware
Switch
personal details
Interface test
Pilot projects
identifying questionable data
Restrict access to prevent installation of unauthorized utility software.
down line loading a program
to decrease the number of paper-based forms
Draw a random sample from the population.
Operation personnel did not follow a procedure due to an oversight
Performing intricate and complex calculations
Consider the use of utility software
A detailed review by the IS Auditor of the security controls
satellite transmission
the last residual dump
Testing
Deliverables
Cost of file conversion
Eliminate mainframe computer processing
Processing and computing power
Solve the problems encountered by the detective controls.
packet lengths are variable and each packet contains the same amount of information
Anti-virus and anti-piracy software
missing data validity checks
Developing screen flows with specifications
they are prone to changing jobs frequently. This may lead to the loss of experience about a particular machine
Certification and accreditation
Review the network with reference to the ISO/OSI model of seven layers
protocol converter
Expert system computations are performed through symbolic reasoning
A Pareto diagram
Data-oriented techniques
Organizational issues
multiplexing technique
identifying questionable data
unauthorised access and activity
Determining whether security policy is available
is a direct access storage medium whereas a floppy disk is a sequential access storage medium
Linking to external systems through a firewall
analytical review
Updating from privileged utilities.
checking of internal credibility
all new software before loaded should be scanned for viruses and cleaned
SDLC procedure statement
Equipment shutdown procedures
Duplicated transactions
Code
Increases the dependence on a single employee.
change of message sequence
QA personnel are likely to check information systems controls more comprehensively than auditors
software
Data input validation programs should highlight the situation by showing input controls do not balance
Sign-on verification security when logging on to the database management system
Ensuring concurrent access control
Role-based policy
Assure that the vendors support current versions of the software.
Component modularity
System response time and system uptime
they are prone to changing jobs frequently. This may lead to the loss of experience about a particular machine
parallel port
User expectations are inflated
Privilege based on an application
Such access authority is appropriate because they have the full knowledge and understanding about the entire system.
protocol converter
Deliverables
low work factor
Acceptance testing
recording the time sequence of the successful transactions alone
Capturing the working of an application at a point in time.
Statement of due care and confidentiality.
Analysis of degradation of the system.
reviewing the software based access controls
Should have the same amount of physical access restrictions as the primary processing site
IRR
Risk Assessment
Testing and evaluating programmer and optimisation tools.
The primary methods of controls usually involve general controls
altering source data to correct input errors
Twisted-pair (shielded) cable
low work factor
Edit checks of data entered
write protect security
Computer systems commit errors sporadically and not in a pattern
Magnetic Card reader
Output control
Controls exist over efficient usage of hardware
An entity relationship diagram
Establishing data custodianship outlines
Name of the TTP/CA
Microwave transmission
Establishing data custodianship outlines
System requirements definition
Checking to see whether any programs terminated abnormally
unless authorisation information specifies users cannot access the resource
Logs
The system test deliverables
Recompile infected programs from source code backups.
Determining whether security policy is available
analytical review
more difficult because employees access the system remotely and perform duties electronically
User access to the corporate database is controlled by passwords
Restrict access to prevent installation of unauthorized utility software.
the security policy should be clear about administration of the anti-virus policy
Poor contact points in the wiring
Role based policy
Design errors
Quality
Eliminate mainframe computer processing
Testing and evaluating programmer and optimisation tools.
provide translations from clients' computer applications to a standard protocol used for EDI communication
organisations must use firewalls if they wish to maintain security over internal data
all data are split evenly across pairs of drives
Authentication Techniques
Idempotence
the design is for a human resources division of the organization
Review the network with reference to the ISO/OSI model of seven layers
file library maintenance
Leaving the decision to the MIS manager
The information systems audit plan
Proximity to earthquake zone.
Authentication Techniques
Recompile infected programs from source code backups.
coaxial cabling would have to be installed throughout the building
Attribute sample tests
Document the conditions that lead to a particular action.
unauthorised changes to data and program can take place
Sampling risk
Precision limit
Audit programs and audit procedures.
State the audit's objective for the delegation of authority for maintenance and review of internal controls.
The former tests procedures while the latter tests plans.
blocking of CPU functions
the last residual dump
System requirements definition
Changes in hardware
Detailed Design
Design
line conditioning technique
automatic message purge facility when maximum queue size at the node is exceeded
Checking to see whether any programs terminated abnormally
the mechanism associates with each user the resources they can access together with the action privileges they have wit
Appropriate, because System Administrator has to back up all data and program files.
Use of an Accounts Receivable Section password
Penalties for late delivery
Name of the TTP/CA
Halt and error controls
Reliability
appropriate, because technical support personnel need to access all data and program files
ISO/OSI
Design metrics
Yes, because it helps the IS auditor to evaluate the vendor's financial stability and capacity to abide to the contract.
Analysis of degradation of the system.
Checking to see whether any programs terminated abnormally
file library
Draw a random sample from the population.
Limiting the conditions to be tested in the system
Collision of tokens during transmission may occur
recording the time sequence of the successful transactions alone
logical access is permitted only in accordance with authorization
A sequential file structure
A letter of confirmation received from an outsider regarding the account balance.
Program Logic flow charts and file definition.
Create destination defaults for printing based on each employee's departmental affiliation.
the controls available and implemented for the protection of the log file
The rate at which computer technology is expected to advance
Warranty provisions
corrective control
line conditioning technique
a list oriented approach to authorisation
Magnetic Card reader
Signature registrations
Output control
ensuring system efficiency
Discrete Sampling
Sharing of common data
a program that deposits a virus on a client
the recipient uses the sender's public key, verified with a certificate authority, to decrypt the pre-hash code
Broadband ISDN, fiber optics, and ATM
System requirements definition
Systems Analysis
unless authorisation information specifies users cannot access the resource
Low MTBF values imply good reliability
Unit test, systems test, integration test, acceptance test
Monitoring and reporting system
Carrying out corrections in the master file.
LAN Server Overload
Sign-on verification security when logging on to the database management system
User access to the corporate database is controlled by passwords
Performance management
a digital line
is a direct access storage medium whereas a floppy disk is a sequential access storage medium
Evidence collection process has been rendered more difficult
Updating from privileged utilities.
traffic analysis by sniffing
Interaction between modules should be minimal
Testing and evaluating programmer and optimisation tools.
Establishment and enforcement of processing priorities internally.
review the open systems interconnect network model
whether unauthorised use is being made of hardware/system software resources
the controls that provide reasonable assurance that all transactions are processed as authorised
Appropriate, because System Administrator has to back up all data and program files.
Indicate when the file should be again backed up
ensuring system efficiency
Detective
terminal identifier
compromise of a receiver's private key
Expert system computations are performed through symbolic reasoning
Data-oriented techniques
Encryption of data files and safe keeping of encryption keys
An existence check
Design
Interviews with the IS personnel and the end users.
Capturing the working of an application at a point in time.
Clerks will enter an incorrect but valid code for payment.
ensures that even if compromise of encryption key takes place, the loss is restricted to a single user associated with the c
controlling all the networks connected in a better way
Beforeimages
A sequential file structure
Review and scrutiny of error listing.
TN37D2640
physical access to back up storage devices can be restricted effectively
To set right the situation, all the elements that have been updated after the corruption must be traced and efforts started f
Designing quality into the product
Data and System owners
dedicated phone lines
coaxial cabling would have to be installed throughout the building
whether unauthorised use is being made of hardware/system software resources
32 bit key system
QA personnel will be best placed to recommend corrective actions when they formulate, promulgate, and maintain standa
cryptographer
it allows efficient administration of capabilities
write protect security
Any incident involving the IS whereby a perpetrator is able to inflict a loss to a would-be victim for his/her personal gain
Monetary Unit Sampling
multiplexer
Output control
Increased cost per transaction
Regression test
small key
Establishing data custodianship outlines
Number of defects over the life of a software product
The system test deliverables
Completeness of batch processing
Design
Dialogue styles
Capturing the working of an application at a point in time.
CIS requires modification of the database management system used by the application
Consistent with the IS department's preliminary budget
Consider the use of utility software
Whether the computer has viruses.
Restricting privileged access to test versions of applications.
Physical
Design phase
Changes in hardware
Black-box, code-based, data-driven technique
Testing and evaluating programmer and optimisation tools.
Information protection has a high risk and always deviates from BPR.
electronic data interchange
line conditioning technique
all data are split evenly across pairs of drives
ensuring that the vendors are provided with appropriate and uniform data for submission of bids according to manageme
file library
Authorisation of access to program files
The waterfall model
theft of machine time
personal details
To prove a new concept
Systems management
Incorporate into change management procedures
Program changes due to errors discovered
Policies on segregation of duties in IS must highlight the variations between the logical and physical access to assets.
File servers
Completeness of batch processing
provide translations from clients' computer applications to a standard protocol used for EDI communication
Document the conditions that lead to a particular action.
A test to assess the quality of data.
It provides for parallel processing capability at a hot site and in the production environment.
Obtaining a letter of representation from management stating that the weakness has been corrected.
Statement of due care and confidentiality.
The date and time of access attempt.
Logical bombs
Sensitive systems
Home banking system
Collision of tokens during transmission may occur
the last residual dump
To set right the situation, all the elements that have been updated after the corruption must be traced and efforts started f
Changing the computing platform may not improve the legacy system
Unit testing
Interaction between modules should be minimal
Better communications between developers and users
Systems development manager.
whether unauthorised use is being made of hardware/system software resources
incumbents have little opportunity to exercise high-level information systems skills
ITF
whether data stored on servers are adequately protected by means of encryption or any other means
Supplies
Increased cost per transaction
they are prone to changing jobs frequently. This may lead to the loss of experience about a particular machine
If operators are given access to the system documentation, they may help in tracing the cause of a potential error
User access to the corporate database is controlled by passwords
The date and time of access attempt.
Synchronous communication
availability of alternate processing sites, in case of a disaster
Framing and adherence of a Corporate IS policy statement
auto-dial features
ensures that even if compromise of encryption key takes place, the loss is restricted to a single user associated with the c
Reading the operator's manual
A test to assess the quality of data.
Evidence collection process has been rendered more difficult
Analysis of degradation of the system.
Create destination defaults for printing based on each employee's departmental affiliation.
Source code review
checking of internal credibility
existence of adequate controls to minimize the potential for loss due to computer fraud or embezzlement
Electronic funds transfer system (EFTS)
Before-images of the modified records have been kept in the primary file
Changing the computing platform may not improve the legacy system
Design
database subsystem
Distributed computing infrastructure
Twisted-pair (shielded) cable
Detailed logical access control procedures
write-protect security
Control can be exercised to a very fine level of authorisation
System requirements definition
Output control
Certain phases can be dropped
completeness
Vendor support
Controls exist over efficient usage of hardware
they need to be maintained in a secure file
ISO/OSI
staging and job set-up procedures are not appropriate compensating controls
processing in a private-key cryptosystem is faster than in a public-key cryptosystem
produce encrypted messages
Were the test strategies sufficient to determine whether the software is safe and effective?
a digital line
Attribute sample tests
Macro
A letter of confirmation received from an outsider regarding the account balance.
Statistical sampling.
Source code review
deleting all the files in the hard disk
physical access to back up storage devices can be restricted effectively
traffic analysis by sniffing
System bugs
conduct a test of controls to ensure that no necessary control is omitted in the design
Developing screen flows with specifications
User friendly features built in.
dynamic equalisation
short key cipher system
Biometric checks
Record check
appropriate, because technical support personnel need to access all data and program files
Interaction between modules should be minimal
submission proof
a program that deposits a virus on a client
Systems management
Paid EDI invoices
32 bit key system
Job submission
Whether the computer has viruses.
User access to the corporate database is controlled by passwords
Demodulation is the process of converting an analog telecommunications signal into a digital computer signal
unauthorised changes to data and program can take place
availability of alternate processing sites, in case of a disaster
Risk Assessment
Dialogue styles
Operation personnel did not follow a procedure due to an oversight
Simulation tools
controlling all the networks connected in a better way
unauthorised changes to data and program can take place
Macro
Programmers have access to the live environment
deleting all the files in the hard disk
Collision of tokens during transmission may occur
Design errors
User friendly features built in.
unauthorised access and activity
Batched sequential structure
QA personnel will perform better when their organisation adopts national and international information systems standards
QA personnel are likely to check information systems controls more comprehensively than auditors
Control can be exercised to a very fine level of authorisation
Vendor support
users should be educated about weak password
blocking a card if it is not used for a period of 3 months
PIN entry at the issuer's premises
user identification with a password of not less than 6 characters
end-to-end encryption
Two persons should be present at the microcomputer when it is uploading data.
starting and terminating lines and processes
appropriate, because technical support personnel need to access all data and program files
Program Logic flow charts and file definition.
The date and time of access attempt.
Design
Inform and advise the Senior Management of the high risks involved in it.
Implementation and monitoring of the new process is the management's responsibility.
logical access is permitted only in accordance with authorization
CIS requires modification of the database management system used by the application
unless authorisation information specifies users cannot access the resource
Check digit
The former tests procedures while the latter tests plans.
reduce the probability of the threat materializing
User access to the corporate database is controlled by passwords
multiplexing technique
Duplicated transactions
Interaction between modules should be minimal
Supplies
electronic data interchange
two units that provide read-after-write and dual-read capabilities
whether unauthorised use is being made of hardware/system software resources
short key cipher system
Anticipation and hash total
System requirements definition
Certification and accreditation
Better communications between developers and users
Detective
Data dictionary
Whether assets are properly valued.
data encryption technique
Controls exist over efficient usage of hardware
Systems management
ISO/OSI
produce encrypted messages
Integration testing
Interviews with the IS personnel and the end users.
A sequential file structure
Discovery sampling
Collision of tokens during transmission may occur
an operating system error
Checking to see whether any programs terminated abnormally
Check digit
The auditee's oral explanation / statement of the evidence
Statement of due care and confidentiality.
Statistical sampling.
Activity/service type
the security policy should be clear about administration of the anti-virus policy
Ring topology network
Design errors
generated always by the updating routines
provide translations from clients' computer applications to a standard protocol used for EDI communication
Appropriate, because the system administrator has to back up all data and program files.
Indicate when the file should be again backed up
Cost of file conversion
sender's private key
Switch
Attenuation and propagation delay
is a direct access storage medium whereas a floppy disk is a sequential access storage medium
Better communications between developers and users
data capture, data preparation, data input
receiver's public key
unless authorisation information specifies users cannot access the resource
Logs
Proximity to earthquake zone.
multiplexing technique
Liability relating to protection of proprietary business data decreases
file library
Document the conditions that lead to a particular action.
Strategic Planning System
Job submission
Fully equipped computer centre in a ready state for continuing operations within hours.
Digital signature standard (DSS)
satellite transmission
queue length at each network node the message traverses before reaching the destination
recording the time sequence of the successful transactions alone
Combined with neural network technologies
The right people
Human-computer interaction guidelines
Incremental development model
Implementation and monitoring of the new process is the management's responsibility.
Contract reviews with the legal counsel.
Data streaming
QA personnel are charged with being knowledgeable about and remaining up-to-date with best practice in information sys
Ensuring concurrent access control
multiplexer
losing data stored in main memory
data capture, data preparation, data input
Paid EDI invoices
Regression test
two units that provide read-after-write and dual-read capabilities
Test summaries, test execution reports
Logs
Process improvement
Restricting privileged access to test versions of applications.
Planning of adequate security and controls in the computer center
Permit updating and read access for everyone in IS
whether unauthorised use is being made of hardware/system software resources
satellite transmission
Document the conditions that lead to a particular action.
reduce the wiretapper's capabilities to tap more data
Collision of tokens during transmission may occur
Probabilities of occurrence of threats
Capturing the working of an application at a point in time.
The former tests procedures while the latter tests plans.
Monitor usage of the device.
A detailed review by the IS Auditor of the security controls
Digital signature standard (DSS)
spurious associations
Developing screen flows with specifications
Networking
altering source data to correct input errors
whether only valid and authorised transactions were processed
the mechanism associates with each user the resources they can access together with the action privileges they have wit
whether data stored on servers are adequately protected by means of encryption or any other means
terminal identifier
denial of message services
Controls exist over efficient usage of hardware
ITF
Anticipating problems
Wireless Local area network
Correction
The date and time of access attempt.
Performance management
Twisted-pair (shielded) cable
identifying questionable data
liability relating to protection of proprietary business data decreases
Cross train with another employee of another department.
Collection evidence process has been rendered more difficult
line conditioning technique
Attenuation is the delay in transmission of signals due to difference in frequency
Sampling risk
separate persons are responsible for initiation and authorization in manual systems whereas execution and maintenance
In the rapid development of technology, the duties change very frequently.
Loss of data while executing a program.
Restricting privileged access to test versions of applications.
TN37D2640
Cost of file conversion
corrective control
liability relating to protection of proprietary business data decreases
Preformatted screens
Availability
allow the customer to make a small number of PIN entry attempts, do not close the account after the limit has been reach
Use of an Accounts Receivable Section password
appropriate, because technical support personnel need to access all data and program files
encryption is required
Configuration management
Detective
data confidentiality
System B: likelihood 15%, losses (in $) 5 million
Establishing data custodianship outlines
Cost of file conversion
Permit updating and read access for everyone in IS
Twisted-pair (shielded) cable
coaxial cabling would have to be installed throughout the building
Reading the operator's manual
the methodology for implementing the controls is not the same in both
Simulation tools
Black-box, code-based, data-driven technique
A test to assess the quality of data.
Audit programs and audit procedures.
State the audit's objective for the delegation of authority for maintenance and review of internal controls.
Combined with neural network technologies
Testing
Detailed Design
Defect counts
the design is for a human resources division of the organization
unauthorised access and activity
Twisted-pair (shielded) cable
The length of cable to connect a workstation to the network
the mechanism associates with each user the resources they can access together with the action privileges they have wit
Record check
inability to disconnect after invalid access attempts
Retina scanner
ciphertext form produced only from a reversible encryption algorithm
blocking a card if it is not used for a period of 3 months
starting and terminating lines and processes
Name of the TTP/CA
project leader
data capture, data preparation, data input
Parallel physical circuits
the sender from forging a message using the receiver's private key
Halt and error controls
Acceptance testing
Pessimistic time
Policies on segregation of duties in IS must highlight the variations between the logical and physical access to assets.
down line loading a program
Design metrics
Capturing the working of an application at a point in time.
Mean-time-between-failure
Guiding the assistants in performing planned procedures.
the loss likely to occur in the ordinary course of business
Adherence of established standards by programs, program changes and documentation.
Dependency check
Compensating control
Terminal access controls
Equipment shutdown procedures
The rate at which computer technology is expected to advance
conduct a test of controls to ensure that no necessary control is omitted in the design
Component modularity
The work of a Data entry clerk is also done by a Tape Librarian.
Synchronous communication
Frame relay
project leader
Detective
performed by the operations manager responsible for the mainframe computer
produce encrypted messages
Demodulation is the process of converting an analog telecommunications signal into a digital computer signal
Better communications between developers and users
ciphertext form produced only from a reversible encryption algorithm
Data usage
A Pareto diagram
Integration testing
Were the test strategies sufficient to determine whether the software is safe and effective?
Demodulation is the process of converting an analog telecommunications signal into a digital computer signal
whether only valid and authorised transactions were processed
Even if an intermediate node in the network is broken into, the traffic passing through that node does not get exposed
Collision of tokens during transmission may occur
Before-images
captured data are converted into machine readable form
Draw a random sample from the population.
Discovery sampling
Operation personnel did not follow a procedure due to an oversight
Documented
Analytical review capability
Limiting the conditions to be tested in the system
Program Logic flow charts and file definition.
Job submission
Dependency check
a dedicated power generator
Use of a single value-added network
systems development management subsystem
Anticipation and hash total
Permit updating and read access for everyone in IS
port
Biometric checks
parallel port
blocking a card if it is not used for a period of 3 months
Processing and computing power
Quality
whether unauthorised use is being made of hardware/system software resources
Design metrics
Fibre optic cable is small and flexible
File transfer protocol
Establishing data custodianship outlines
the design is for a human resources division of the organization
Regression test
processing in a private-key cryptosystem is faster than in a public-key cryptosystem
Macro
Restrict access to prevent installation of unauthorized utility software.
ensures that even if compromise of encryption key takes place, the loss is restricted to a single user associated with the c
spurious associations
make the same groups responsible for the mailing of cards and the investigation of returned cards
The expected population error rate does not affect the sample size.
Performs a post-implementation evaluation of the application independently.
Adherence of established standards by programs, program changes and documentation.
Review the data field definitions and logic in the audit software.
Preventive controls
The entire storage devices in all the servers
Risk Assessment
Solve the problems encountered by the detective controls.
Consideration of external environment likely to benefit / affect the organisation.
attaches all channel messages along one common line with communication to the appropriate location via direct access
Security administrator
ciphertext form produced only from a reversible encryption algorithm
Review the network with reference to the ISO/OSI model of seven layers
Anti-virus and anti-piracy software
analysing user specifications
Name of the TTP/CA
it must be enforced by a more complex access control mechanism compared with a discretionary access control policy
Broadband ISDN, fiber optics, and ATM
Parallel physical circuits
ISO/OSI
Number of defects over the life of a software product
Parallel physical circuits
availability of alternate processing sites, in case of a disaster
Check digit
Changing the order of the message
Review the data field definitions and logic in the audit software.
down line loading a program
Keep the test data to a minimum to conserve testing time
reduce the probability of the threat materializing
analytical review
Consider the use of utility software
Physical verification of actual data entry operations
the controls available and implemented for the protection of the log file
satellite transmission
Anticipating problems
The information systems audit plan
the design is for a human resources division of the organization
Purchase and tailor
liability relating to protection of proprietary business data decreases
two different keys are used for the encryption and decryption
Parallel physical circuits
Cost of file conversion
personal details
the design is for a human resources division of the organization
Sharing of common data
Batched sequential structure
encrypt the message with the sender's private key and sign the message with the receiver's public key
32 bit key system
Adherence of established standards by programs, program changes and documentation.
Passive data dictionary system
Monitor usage of the device.
encrypt the messages transmitted and decrypt them on reception
unauthorised changes to data and program can take place
captured data are converted into machine readable form
Probabilities of occurrence of threats
There has been a dearth of IS personnel from the initial days
Restricting privileged access to test versions of applications.
Review the data field definitions and logic in the audit software.
Central processing site after application program processing.
All information system processes
Before-images of the modified records have been kept in the primary file
System programmer mailbox
Develop a freeware application
Risk Assessment
Defining backup procedures.
availability of alternate processing sites, in case of a disaster
processing in a private-key cryptosystem is faster than in a public-key cryptosystem
whether only valid and authorised transactions were processed
Magnetic Card reader
Edit checks of data entered
An existence check
Mr. S's public key
low work factor
Privilege based on an application
data confidentiality
Design metrics
Switch
data encryption technique
produce encrypted messages
Completing the system requirements document
Design metrics
Design
Review and scrutiny of error listing.
file library
Framing and adherence of a Corporate IS policy statement
Discovery sampling
controlling all the networks connected in a better way
CIS requires modification of the database management system used by the application
Audit programs and audit procedures.
Clerks will enter an incorrect but valid code for payment.
Passive data dictionary system
Hash totals
A detailed review by the IS Auditor of the security controls
Digital signature standard (DSS)
Wiretapping
Star networks are more easily maintained than a bus network
ensures that even if compromise of encryption key takes place, the loss is restricted to a single user associated with the c
Inform and advise the Senior Management of the high risks involved in it.
Synchronous communication
Parallel physical circuits
inability to disconnect after invalid access attempts
Human-computer interaction guidelines
project leader
data capture, data preparation, data input
file library maintenance
encrypt the message with the sender's private key and sign the message with the receiver's public key
they are prone to changing jobs frequently. This may lead to the loss of experience about a particular machine
Program changes due to errors discovered
Distributed computing infrastructure
Policy and procedural variations
Central processing site after application program processing.
recording the time sequence of the successful transactions alone
Eliminate the need for substantive auditing
the loss likely to occur in the ordinary course of business
Altering physical data definitions for improving performance.
Restrict access to prevent installation of unauthorized utility software.
blocking of CPU functions
Logic bombs
RC2 and RC4
Before-images
After a disaster, the transactions can be re-entered easily, if needed
To set right the situation, all the elements that have been updated after the corruption must be traced and efforts started f
Application-oriented user interfaces
Changes in hardware
Defect counts
conduct a test of controls to ensure that no necessary control is omitted in the design
System maintenance constitutes about 65% of the programming costs.
line conditioning technique
unauthorised changes to data and program can take place
Twisted-pair (shielded) cable
the controls that provide reasonable assurance that all transactions are processed as authorised
Biometric checks
Network utilization by the existing users
Principle of highest privilege should be implemented to perform the file backup function
file library maintenance
Completing the system requirements document
Interface test
Pessimistic time
Program Logic flow charts and file definition.
Encryption of data files and safe keeping of encryption keys
Demodulation is the process of converting an analog telecommunications signal into a digital computer signal
Performance management
It allows the auditor to substitute sampling technique for his judgement.
After a disaster, the transactions can be re-entered easily, if needed
Before-images of the modified records have been kept in the primary file
Inherent Risk
Linking to external systems through a firewall
commitment of the management for the implementation of the policy
They both have same uses
encrypt the messages transmitted and decrypt them on reception
Physical
systems development management subsystem
attaches all channel messages along one common line with communication to the appropriate location via direct access
electronic data interchange
starting and terminating lines and processes
whether only valid and authorised transactions were processed
Distributed computing infrastructure
short key cipher system
it allows efficient administration of capabilities
Anti-virus and anti-piracy software
An operations control
Code
Certain phases can be dropped
they are prone to changing jobs frequently. This may lead to the loss of experience about a particular machine
Data dictionary
To prove a new concept
sender's private key
Halt and error controls
ISO/OSI
Detective
File servers
It allows the auditor to substitute sampling technique for his judgement.
Macro
reduce the wiretapper's capabilities to tap more data
The higher the Return on Investment by the application.
The expected population error rate does not affect the sample size.
Guiding the assistants in performing planned procedures.
the loss likely to occur in the ordinary course of business
more difficult because employees access the system remotely and perform duties electronically
protection of stored data in the server by encryption or otherwise
Compensating control
Plan is tested once in a year.
Digital signature standard (DSS)
Hot sites can be made ready for operation within a short period of time.
Keep the test data to a minimum to conserve testing time
The waterfall model
Establishment and enforcement of processing priorities internally.
organisations must use firewalls if they wish to maintain security over internal data
Preformatted screens
provide security
Retina scanner
duplicate circuitry, echo check and internal header labels
Detective
ITF
Such access authority is appropriate because they have the full knowledge and understanding about the entire system.
Known fact
is a direct access storage medium whereas a floppy disk is a sequential access storage medium
Program changes due to errors discovered
Distributed computing infrastructure
identifying questionable data
Cross train with another employee of another department.
HIPO chart
Policy and procedural variations
Attenuation is the delay in transmission of signals due to difference in frequency
usage of a secure web connection
library control software
the authorisation procedure for accessing data
Plan is tested once in a year.
They both have same uses
Verify authenticity of a transaction or document
Wiretapping
an operating system error
Changing the computing platform may not improve the legacy system
IRR
Design
Implementation and monitoring of the new process is the management's responsibility.
Networking
unauthorised changes to data and program can take place
Business continuity plan for the mainframe system's non-critical applications is not proper
the sender from disowning the message
Authorisation of access to program files
Vendor support
Systems management
ISO/OSI
all data are split evenly across pairs of drives
System requirements definition
Better communications between developers and users
missing data validity checks
User access to the corporate database is controlled by passwords
Fault tolerance
processing in a private-key cryptosystem is faster than in a public-key cryptosystem
Limiting the conditions to be tested in the system
Statistical sampling.
the last residual dump
Client/server technology
Performing aging analysis
Performs a post-implementation evaluation of the application independently.
Inherent risk
Preventive controls
Ensuring that the passwords are not distributed indiscriminately
With different business activities
Changing the order of the message
Source code generation tool
Preformatted screens
altering source data to correct input errors
Planning of adequate security and controls in the computer center
QA personnel are charged with being knowledgeable about and remaining up-to-date with best practice in information sys
An operations control
Indicate when the file should be again backed up
Data input validation programs should highlight the situation by showing input controls do not balance
Master file lookup
Component modularity
Certain phases can be dropped
Network utilization by the existing users
Data dictionary
starting and terminating lines and processes
two different keys are used for the encryption and decryption
it must be enforced by a more complex access control mechanism compared with a discretionary access control policy
denial of message services
appropriate, because technical support personnel need to access all data and program files
Whether assets are properly valued.
Cost of file conversion
two units that provide read-after-write and dual-read capabilities
Network utilization by the existing users
availability of alternate processing sites, in case of a disaster
Attribute sample tests
HIPO chart
Constructing a processing system for accounting applications and processing actual data from throughout the period thro
The auditee's oral explanation / statement of the evidence
Tests only pre-conceived situations
Strategic Planning System
Hash totals
Usage of backup tapes
spurious associations
queue length at each network node the message traverses before reaching the destination
Coding standards
Quality
Eliminate mainframe computer processing
Developing screen flows with specifications
Consideration of external environment likely to benefit / affect the organisation.
implement corrective actions as and when compliance failure occurs
data encryption technique
Acceptance testing
Establishing data custodianship outlines
System design and programming
Deliverables
whether unauthorised use is being made of hardware/system software resources
missing data validity checks
ciphertext form produced only from a reversible encryption algorithm
Review the network with reference to the ISO/OSI model of seven layers
Recompile infected programs from source code backups.
satellite transmission
Implementation and monitoring of the new process is the management's responsibility.
automatic message purge facility when maximum queue size at the node is exceeded
Performing aging analysis
Regression Testing
Collection evidence process has been rendered more difficult
Updating from privileged utilities.
blocking of CPU functions
the authorisation procedure for accessing data
Ensuring that the passwords are not distributed indiscriminately
multiplexing technique
Formal specification languages
The waterfall model
Incremental development model
Risk Assessment
User friendly features built in.
dedicated phone lines
unauthorised access and activity
Planning of adequate security and controls in the computer center
Use of an Accounts Receivable Section password
ciphertext form produced only from a reversible encryption algorithm
Sharing of common data
the sender from forging a message using the receiver's private key
Broadband ISDN, fiber optics, and ATM
all data are split evenly across pairs of drives
ITF
two units that provide read-after-write and dual-read capabilities
personal details
Statement of due care and confidentiality.
Parallel physical circuits
Synchronous communication
spurious associations
Document the conditions that lead to a particular action.
an operating system error
install secure sockets layer (SSL)
Design
captured data are converted into machine readable form
analytical review
deleting all the files in the hard disk
Sensitive systems
Use of a single value-added network
Changing the order of the message
the last residual dump
the inability of the backup operation to run in the background while operations are being carried out
Infeasible requirements errors
Risk Assessment
User friendly features built in.
Establishment and enforcement of processing priorities internally.
review the open systems interconnect network model
training in general QA standards should be provided by QA personnel whereas training in specific QA standards should b
Ensuring concurrent access control
duplicate circuitry, echo check and internal header labels
If operators are given access to the system documentation, they may help in tracing the cause of a potential error
project leader
new account numbers must be issued to customers if their PINs are lost or compromised
processing in a private-key cryptosystem is faster than in a public-key cryptosystem
it must be enforced by a more complex access control mechanism compared with a discretionary access control policy
the recipient uses the sender's public key, verified with a certificate authority, to decrypt the pre-hash code
all data are split evenly across pairs of drives
DBA
low work factor
unless authorisation information specifies users cannot access the resource
Dependency check
Use of an Accounts Receivable Section password
organisations must use firewalls if they wish to maintain security over internal data
Even if an intermediate node in the network is broken into, the traffic passing through that node does not get exposed
down line loading a program
Capturing the working of an application at a point in time.
Loss of data while executing a program.
a dedicated power generator
Compensating control
Electronic funds transfer system (EFTS)
encrypt the messages transmitted and decrypt them on reception
auto-dial features
To set right the situation, all the elements that have been updated after the corruption must be traced and efforts started f
Cost of file conversion
processing in a private-key cryptosystem is faster than in a public-key cryptosystem
32 bit key system
write-protect security
Master file lookup
encryption is required
Supplies
Interaction between modules should be minimal
User expectations are inflated
Detective
two units that provide read-after-write and dual-read capabilities
A Pareto diagram
Organizational issues
Were the test strategies sufficient to determine whether the software is safe and effective?
Tape Management systems
Analysis of degradation of the system.
Setting up a password for the screensaver program on the notebook computer.
Encryption of data files and safe keeping of encryption keys
whether unauthorised use is being made of hardware/system software resources
processing in a private-key cryptosystem is faster than in a public-key cryptosystem
spurious associations
down line loading a program
Carrying out corrections in the master file.
Compensating control
Multiple encryption
Develop a freeware application
Design phase
Low cohesion of modules, high coupling of modules, and high modularity of programs
Incremental development model
Integrated packages are examples of operating systems for microcomputers
Fault tolerance
training in general QA standards should be provided by QA personnel whereas training in specific QA standards should b
Biometric checks
Examination of logged activity
Permit updating and read access for everyone in IS
Anticipating problems
blocking a card if it is not used for a period of 3 months
losing data stored in main memory
File transfer protocol
Paid EDI invoices
Detective
two units that provide read-after-write and dual-read capabilities
low work factor
Unit test, systems test, integration test, acceptance test
multiplexing technique
electronic data interchange
Reading the operator's manual
encrypt the messages transmitted and decrypt them on reception
A Letter of confirmation received from an outsider regarding the account balance.
Monitor usage of the device.
Loading and returning of transaction data tape files
the last residual dump
The Delphi method


Changes in hardware
Testing
Client/server technology
coaxial cabling would have to be installed throughout the building
Control and Output
Planning of adequate security and controls in the computer center
Frame relay
project leader
training in general QA standards should be provided by QA personnel whereas training in specific QA standards should b
A call back procedure
write protect security
Unaffected by stringent legal and/or organizational controls
Reliability
theft of machine time
completeness
Sharing of common data
Low MTBF values imply good reliability
Screens, interactive edits, and sample reports
Purchase and tailor
multiplexer
two units that provide read-after-write and dual-read capabilities
data capture, data preparation, data input
missing data validity checks
Switch
Completing the system requirements document
Acceptance testing
Checking to see whether any programs terminated abnormally
spurious associations
separate persons are responsible for initiation and authorization in manual systems whereas execution and maintenance
Analysis of degradation of the system.
Create destination defaults for printing based on each employee's departmental affiliation.
Encryption routine
Applications, transactions and trading partners supported remain static over time
Duplicated transactions
The Delphi method
Known fact
generated always by the updating routines
The primary methods of controls usually involves general controls
multiplexor channeling
QA personnel will be best placed to recommend corrective actions when they formulate, promulgate, and maintain standa
Mr. S's public key
Data owner
duplicate circuitry, echo check and internal header labels
Incremental development model
procedure to ensure that the workstation is logged off automatically when not in use for a particular period of time
An entity relationship diagram
Hygrometer
Expert system computations are performed through symbolic reasoning
Proximity to earthquake zone.
Attenuation and propagation delay
Quality
Parallel physical circuits
Create destination defaults for printing based on each employee's departmental affiliation.
Inform and advise the Senior Management of the high risks involved in it.
Stratified sampling selection technique
Passive data dictionary system
Central processing site after application program processing.
Stratified sampling selection technique
Environmental control within the IS department.
Determining adherence to regulatory requirements by conducting compliance tests.
deleting all the files in the hard disk
library control software
Recommend that the processing capacity of the alternate site should be increased.
auto-dial features
Design
System maintenance constitutes about 65% of the programming costs.
Fiber optic cable is small and flexible
multiplexer
it must be enforced by a more complex access control mechanism compared with a discretionary access control policy
Edit checks of data entered
Retina scanner
Authentication Techniques
Ensuring concurrent access control
If operators are given access to the system documentation, they may help in tracing the cause of a potential error
a program that deposits a virus on a client
DBA
Hygrometer
Parallel physical circuits
Purchase and tailor
receiver's public key
Program Logic flow charts and file definition.
Fault tolerance
Reading the operator's manual
It allows the auditor to substitute sampling technique for his judgement.
temperature increases
Design
Operation personnel did not follow a procedure due to an oversight
Guiding the assistants in performing planned procedures.
Dependency check
Whether the computer has viruses.
Encryption routine
rules for protecting resources can be minimised
Before-images of the modified records have been kept in the primary file
IRR
Testing
unauthorised access and activity
Distributed computing infrastructure
two public keys
a list oriented approach to authorisation
inability to disconnect after invalid access attempts
Indicate when the file should be again backed up
Unaffected by stringent legal and/or organizational controls
encryption is required
Design
Network utilization by the existing users
Detective
Data dictionary
ensure that the transaction amount entered is within the cardholder's credit limit
Review the network with reference to the ISO/OSI model of seven layers
data capture, data preparation, data input
analysing user specifications
Whether assets are properly valued.


32 bit key system
Process improvement
The connectors in a bus topology attenuate the signals and distort them, whereas repeaters in a ring topology are relative
Loss of data while executing a program.
Sensitive systems
Equipment shutdown procedures
Star networks are more easily maintained than a bus network
After a disaster, the transactions can be reentered easily, if needed
System programmer mailbox
Application-oriented user interfaces
Design
Inform and advise the Senior Management of the high risks involved in it.
Read Only Memory (ROM)
Batched sequential structure
provide security
multiplexor channeling
to reduce the amount of monitoring of compliance with standards that QA personnel will have to undertake
Data input validation programs should highlight the situation by showing input controls do not balance
Computer systems commit errors sporadically and not in a pattern
Database authorizations
Configuration management
submission proof
the sender from forging a message using the receiver's private key
Faster delivery of the system
Findings are generally more material to the organisation
Design metrics
The information systems audit plan
low work factor
Review the network with reference to the ISO/OSI model of seven layers
Authentication Techniques
Cross train with another employee of another department.
Capturing the working of an application at a point in time.
A test to assess the quality of data.
controlling all the networks connected in a better way
Inherent Risk
Whether the computer has viruses.
all new software before loaded should be scanned for viruses and cleaned
Use of a single value-added network
Ring topology network
Data being transmitted to the wrong recipient
IRR
Code reading
Deliverables
Data are shared by passing files between programs or systems
The primary methods of controls usually involves general controls
Sharing of common data
Networking
implement corrective actions as and when compliance failure occurs
QA personnel are charged with being knowledgeable about and remaining up-to-date with best practice in information sys
Mr. S's public key
users should be educated about weak password
DBA
Proximity to earthquake zone.
appropriate, because technical support personnel need to access all data and program files
two units that provide read-after-write and dual-read capabilities
data encryption technique


Ensuring concurrent access control
Design metrics
Wiretapping
Design
attaches all channel messages along one common line with communication to the appropriate location via direct access
Monitor usage of the device.
Mean-time-between-failure
down line loading a program
Checking to see whether any programs terminated abnormally
Encryption routine
Review the data field definitions and logic in the audit software.
satellite transmission
queue length at each network node the message traverses before reaching the destination
Planting Trojan horses
Warranty provisions
System requirements definition
Eliminate mainframe computer processing
organisations must use firewalls if they wish to maintain security over internal data
Because of the increase in use of distributed system, the need for mainframes will increase in the near future
whether unauthorised use is being made of hardware/system software resources
QA personnel are likely to check information systems controls more comprehensively than auditors
software
a list oriented approach to authorisation
Data input validation programs should highlight the situation by showing input controls do not balance
parallel port
Detective
Controls exist over efficient usage of hardware
the sender from forging a message using the receiver's private key
Quality
two different keys are used for the encryption and decryption
Systems management
Demodulation is the process of converting an analog telecommunications signal into a digital computer signal
Controls exist over efficient usage of hardware
data capture, data preparation, data input
32 bit key system
Pilot projects
Fault tolerance
file library
Check digit
traffic analysis by sniffing
Lengthy retraining
Design
Documentation
make the same groups responsible for the mailing of cards and the investigation of returned cards
Environmental control within the IS department.
separate persons are responsible for initiation and authorization in manual systems whereas execution and maintenance
Suggesting and enforcing security measures (ex. Changes in password)
Expert system computations are performed through symbolic reasoning
Cost of file conversion
Incremental development model
implement corrective actions as and when compliance failure occurs
low work factor
it allows efficient administration of capabilities
Record check
ciphertext form produced only from a reversible encryption algorithm
two units that provide read-after-write and dual-read capabilities
Computing environment
Increasing of the transmission speed of documents
sender's private key
DBA
altering source data to correct input errors
Low MTBF values imply good reliability
ITF
Test summaries, test execution reports
The length of cable to connect a workstation to the network
Microwave transmission
unauthorised changes to data and program can take place
dedicated phone lines
multiplexer
In the rapid development of technology, the duties change very frequently.
Macro
Updating from privileged utilities.
Reading the operator's manual
Programming options permitting printout of specific transactions.
Proximity to earthquake zone.
It provides sender authenticity
Cost of implementation of management directives
Testing
Warranty provisions
Code
Design
User friendly features built in.
Worries over cost effectiveness are well addressed.
Twisted-pair (shielded) cable
they are prone to changing jobs frequently. This may lead to the loss of experience about a particular machine
users should be educated about weak password
Data dictionary
Acceptance testing
Parallel physical circuits
it must be enforced by a more complex access control mechanism compared with a discretionary access control policy
Detective
32 bit key system
Logs
Design
Altering physical data definitions for improving performance.
Database authorizations
starting and terminating lines and processes
Physical
recording the time sequence of the successful transactions alone
The higher the Return on Investment by the application.
A decrease in detection risk
Whether the computer has viruses.
Review the data field definitions and logic in the audit software.
deleting all the files in the hard disk
blocking of CPU functions
all new software before loaded should be scanned for viruses and cleaned
Usage of backup tapes
Known fact
Deliverables
Purchase and tailor
provide translations from clients computer applications to a standard protocol used for EDI communication
repeaters to physically connect separate local area networks (LANs)


Batched sequential structure
QA personnel will perform better when their organisation adopts national and international information systems standards
Acceptance testing
a program that deposits a virus on a client
Switch
File transfer protocol
The waterfall model
two units that provide read-after-write and dual-read capabilities
missing data validity checks
Design
Pessimistic time
Consider the use of utility software
Data streaming
two different keys are used for the encryption and decryption
Suggesting and enforcing security measures (ex. Changes in password)
line conditioning technique
HIPO chart
Consistent with the IS department's preliminary budget
Updating from privileged utilities.
Clerks will enter an incorrect but valid code for payment.
To set right the situation, all the elements that have been updated after the corruption must be traced and efforts started f
Before-images of the modified records have been kept in the primary file
Warranty provisions
Interaction between modules should be minimal
Incremental development model
losing data stored in main memory
Sharing of common data
whether only valid and authorised transactions were processed
Microwave transmission
Magnetic Card reader
Mr. S's public key
Output control
Developing screen flows with specifications
theft of machine time
Certification and accreditation
it must be enforced by a more complex access control mechanism compared with a discretionary access control policy
they need to be maintained in a secure file
Paid EDI invoices
project leader
personal details
ciphertext form produced only from a reversible encryption algorithm
Change control
Job submission
unauthorised access and activity
Passive data dictionary system
Statistical sampling.
User access to the corporate database is controlled by passwords
Initial password assignment shall be done by the user department incharge
physical access to back up storage devices can be restricted effectively
the inability of the backup operation to run in the background while operations are being carried out
Design
Debugging follows testing
The right people
Quality
System requirements definition
It improves the product, service and profitability.


a digital line
Integrated packages are examples of operating systems for microcomputers
File servers
a list oriented approach to authorisation
Detailed logical access control procedures
Unaffected by stringent legal and/or organizational controls
Idempotence
provide security
Statistical software packages
hosting site over the confidentiality of message sent to the customer
Increasing of the transmission speed of documents
System design and programming
Paid EDI invoices
submission proof
Parallel physical circuits
Wireless Local area network
Program Logic flow charts and file definition.
Sign-on verification security when logging on to the database management system
packet lengths are variable and each packet contains the same amount of information
Interviews with the IS personnel and the end users.
The evidence collection process has been rendered more difficult
Lengthy retraining
Packet replay
Determining adherence to regulatory requirements by conducting compliance tests.
the methodology for implementing the controls is not the same in both
Updating from privileged utilities.
Preventive controls
Code reading
User expectations are inflated
Preparation and monitoring of System implementation plans.
Systems development manager.
database subsystem
automatic message purge facility when maximum queue size at the node is exceeded
spurious associations
the processing time required in private key cryptosystem is faster than that of public key cryptosystem
QA personnel are charged with being knowledgeable about and remaining up-to-date with best practice in information sys
blocking a card if it is not used for a period of 3 months
data confidentiality
DBA
Hygrometer
Data are shared by passing files between programs or systems
Detective
submission proof
Demodulation is the process of converting an analog telecommunications signal into a digital computer signal
Restricting privileged access to test versions of applications.
The date and time of access attempt.
Completeness of batch processing
organisations must use firewalls if they wish to maintain security over internal data
automatic message purge facility when maximum queue size at the node is exceeded
Even if an intermediate node in the network is broken into, the traffic passing through that node does not get exposed
Interviews with the IS personnel and the end users.
Review the data field definitions and logic in the audit software.
Clerks will enter an incorrect but valid code for payment.
unless authorisation information specifies users cannot access the resource
Probabilities of occurrence of threats
Checking and reconciling of postings done in the General Ledger.
Plan is tested once in a year.
Home banking system
Code reading
Black-box, code-based, data-driven technique
Purchase and tailor
the processing time required in private key cryptosystem is faster than that of public key cryptosystem
Frame relay
software
Biometric checks
The output could be redirected to another printer.
Option C
A legacy system uses a proprietary programming language
Bio-metric devices
Inadequate backup and recovery procedures
Snapshot
applets recording keystrokes made by the client and, therefore passwords
The physical structure of the data is independent of user needs
Permanent Virtual Circuit (PVC)
program source code modification
Integration test
Implementation
whether the system being monitored has provided users with a strategic advantage over their competitors
the work is boring so high turnover always occurs
Only targeted transactions can be examined using CIS.
Use write-protect tabs on disks.
send different packets of the same message over different available lines
Variable sample tests
Source documents do not have to be redesigned.
The Organisation's critical and high risk business areas
deleting all the data on the hard disk
improving the overall reliability of the networks
Data Link
Detail design documents
Increased productivity
Observation
Allow individuals to understand all parts of a system.
If an encryption key is compromised the exposure is restricted to the single user to whom the key applies
channel
DES Cryptosystem
Prohibition of random access
Tests of general controls
errors and omissions
Mr. R's public key
secrecy
forging of messages by the receiver
verify the format of the number entered and then locate it on the database
It is the total functioning life of an item divided by the total number of failures during the measurement interval
System C - Likelihood 20%, Losses (in $) 2.5 million
Integration test
transmittal control
Increased business activity and revenue
Prevention
Observing the system operator's work
Statistical sampling
Humidity increase
transmitting system warning and status messages
Spreadsheets
Designing database applications
Developing and designing standards and procedures to protect data in case of accidental disclosure, modification or des
All valid transactions
duplication of backup operations more than other techniques
It facilitates identification of the users that have effected changes to the database
Expert system's knowledge is combined into program control
Software independence
A legacy system uses a proprietary programming language
Spiral model
Concurrent / parallel existence of Duplicate Information system functions.


preventive control
If an encryption key is compromised the exposure is restricted to the single user to whom the key applies
traffic analysis
Ensuring that provisions are made to minimise damage or abuse to hardware and to maintain the hardware in good ope
Testing the system thoroughly
Access control lists and access control privileges
No attention is paid to cosmetic details
the designer is circumspect of the user's cooperation in spelling out their requirements
password encryption technique
dial-disconnect-callback features
The physical structure of the data is independent of user needs
program source code modification
A run chart
Identify the various layers of ISO/OSI model to which each component belongs
Implementation
Scanning the output for obvious errors
duplicate transaction processing
Developing and designing standards and procedures to protect data in case of accidental disclosure, modification or destr
Deadlock resolution
More accountability
adequate definition in contractual relationship
the work is boring so high turnover always occurs
The sample size decreases with a decrease in the standard deviation.
Reviewing audit reports of the previous years.
Data base structures and the source codes.
The mainframe computer should subject the data to the same edits and validation routines that on-line data entry would
Generalized audit software.
carrying out personal examination of the existing physical access environment
Output fault
Increased productivity
Aspects affecting customer satisfaction in an organisation are dealt with in the ISO 9000 standard.
authorizations are in-built into application systems
program source code modification
Check digit
Data encryptor
hosting site over the authenticity of the customer
Establishing data usage guidelines
Distributed applications or services
They are unaffected by electrical interference
Programming and testing
Interactive edits, process programs and sample reports
Systems Programming
program source code modification
authentication message's origin
Control-oriented techniques
Implementation
Grand design projects
Authorized user access privileges for each data file or element
Routers
transmitting system warning and status messages
Ergonomics
It facilitates identification of the users that have effected changes to the database
provides an automatic audit trail, whereas a floppy disk does not
Evaluating methodology of the audit test results.
Institute program change control procedures.
Critical systems
It facilitates identification of the users that have effected changes to the database
Invalid transactions
Detail requirements document
Evolutionary development model
program source code modification
Shielded Twisted pair
Such access authority is inappropriate because it violates the principle of "access on need-to-know basis, irrespective
Key compromise notifications
Testing the system thoroughly
Corrective
31 bit cipher system
verify the format of the number entered and then locate it on the database
plastic cards with magnetic stripe and a PIN
Corrective
the decryption key should be kept a secret
Software compilers
Batch controls
Review and analysis of user specifications.
Variable sample tests
Taking the afterimages of all data items changed for accuracy and completeness.
Source code comparison
Central processing site during application program processing.
It facilitates identification of the users that have effected changes to the database
have to authenticate themselves only once, and not after that
Consider the use of Data Base Management System
IS security measures including controls over access to data should be strengthened.
Implementation
Each phase will have to be present
Lease or purchase
Decrease in complexity and volatility in IT leads to considerable decrease in costs.
Personnel like the DBA and systems analysts
fax/modem software
provides an automatic audit trail, whereas a floppy disk does not
message switching
Coordinate and resolve conflicting needs and desires of users in their diverse application areas
to clarify the basis on which QA personnel will evaluate whether quality goals have been met
QA personnel should have most experience of information systems development, implementation, operations, and main
A wrong tape reel is loaded in a multireel file
accountability system and the ability to properly identify any terminal accessing system resources
Identifying major purpose(s) of the system
Distributed databases and application programs
Systems Programming
Known procedure
program source code modification
ciphertext form produced only from an irreversible encryption algorithm
Integration test
Checklists
Routers
generating a control total for a point-of-sale device
fast transmission of a message once it arrives at a node
Terminal simulator
Recommendations and conclusions based on the findings from the audit.
reduce the expected loss from a threat
Maintaining the error log.
Review and analysis of user specifications.
an UPS and spike buster


authorized files are logically allowed access to authorized users
Meeting user requirements
Testing the system thoroughly
Inference engine
Integration test
Spiral model
Maintenance costs
The duties of a tape librarian are carried out by an application programmer.
Twisted-pair (unshielded) cable
Concurrency and sequence number
Completeness, accuracy and validity of update
the controls that prevents unauthorised and improper use of data and program
identifying what the user knows or remembers
A list of all cards issued and the individuals to whom they were issued.
Maintenance
possessed objects
31 bit cipher system
Barometer
reviewing software quality
Interactive edits, process programs and sample reports
Integration test
Select a random sample of actual data to ensure adequate testing
data preparation, data input
Batch controls
Wireless Local Area Network
Operating systems
Variable sample tests
send different packets of the same message over different available lines
Export/import tools
Performing system activity analysis
substantive test
The mainframe computer should subject the data to the same edits and validation routines that on-line data entry would
Detective control
transmission on terrestrial microwave
If a connector in bus topology is malfunctioning, the whole network will not be brought down, whereas malfunctioning rep
Developing design documents
Screen-oriented manipulation user interfaces
The probability of continued availability of system support
widespread acceptance of national and international information systems standards can undermine an organisation's co
small key
Data owner
Materials ordered file
Ensuring seamless integration
Presentation layer
Test drivers
Snapshot
Actual time
Maintaining the error log.
With a multiplexer, the total bandwidth entering the device is normally different from the bandwidth leaving it
Data Encryption Standard (DES) is a typical type of private key cryptosystem
long key cipher system
Oversight omissions of data.
Ensuring completeness and correctness of the data
fast transmission of a message once it arrives at a node
channel
Staff change jobs with high frequency.


More accountability
Verify specific balance-sheet and profit and loss account values
Overall risk assessment of operations in the organisation.
ensuring accountability and identifying terminals accessing system resources
installation of proper physical security cover over the data processing installation
Test should simulate actual prime time processing conditions
It facilitates repudiation by the sender
time and date of dispatch of the message
Rule based policy
Cost of recovery action
Sequencing
Multiple occurrences of data items are useful for consistency checking
tape file protection, cryptographic protection and limit checks
QA personnel should alert management on a timely basis when they suspect a compliance deviation has occurred
Only managers typically receive online reports so less misuse is likely.
Call-back techniques
transmittal control
DES Cryptosystem
The organization's information technology architecture
Audit resources are more effectively directed.
standards should be prepared to guide their maintenance
Incorporate into software upgrades
The organization's information technology architecture
Testing the system thoroughly
Activity logs, incident reports, software versioning
Behavioral issues
Software requirements management
Yes, since the vendor's plan could be adequately evaluated for preparing a complementary plan for the outsourcing com
Review and analysis of user specifications.
Centrally print and distribute the outputs.
Licensed software
Authorisation of file updates
identify the operating costs of the network
automatic dial-up capabilities
spurious associations
convert digital signals to analog signals
adequate definition in contractual relationship
Overall risk assessment of operations in the organisation.
Centrally print and distribute the outputs.
authorized files are logically allowed access to authorized users
Electronic data interchange (EDI)
It facilitates identification of the users that have effected changes to the database
A legacy system uses a proprietary programming language
Ensuring that provisions are made to minimise damage or abuse to hardware and to maintain the hardware in good ope
A single link failure, a repeater failure, or a break in the cable could disable a large part or all of the network.
Prevention
identifying what the user knows or remembers
Corrective
Establishing data usage guidelines
Public key of the sender
provides an automatic audit trail, whereas a floppy disk does not
Testing the system thoroughly
have to authenticate themselves only once, and not after that
Implementation
Detailed specifications of the vendor's hardware.
Institute program change control procedures.


Routers
whether the system being monitored has provided users with a strategic advantage over their competitors
decreased requirements for backup and contingency planning
thunder and lightning
Only targeted transactions can be examined using CIS.
Use write-protect tabs on disks.
does not require each node through which the message passes to be protected against hacking
Batch control totals
Prioritise the audit areas by performing risk analysis.
Terminal simulator
the implementation of advanced technology in the application
Delay in transmission of the data
White-box, specification-based, logic-driven technique
The success of a BPR is reached when the business and the risk suit the re-engineering process.
Assessing the required Security procedures for the IS environment.
If an encryption key is compromised the exposure is restricted to the single user to whom the key applies
high error propagation
DES Cryptosystem
Organisation control
Application software
channel
Implementation
Cost of computer downtime
sender's public key
small key
inappropriate, since access should be limited to a need-to-know basis, regardless of position
Software independence
double wiring of the CPU and peripheral equipment to prevent malfunctioning
Yes, since the vendor's plan could be adequately evaluated for preparing a complementary plan for the outsourcing com
Limit test
Oversight omissions of data.
Variable sample tests
Rerun the audit software against a backup of the inventory master file.
does not require each node through which the message passes to be protected against hacking
Interception
have to authenticate themselves only once, and not after that
Nature of the population
Exposure based on threats and vulnerabilities
Introduction of newer technology by the day has made their understanding a difficult task for the auditor
Expert system
authorized files are logically allowed access to authorized users
System that performs based on business needs and activities
Automated teller machine system
Malfunctioning in one node will not bring a star network down
It facilitates identification of the users that have effected changes to the database
Implementation
data management subsystem
Mr. R's public key
Completeness, accuracy and validity of update
Duplicate record check
Group logons are being used for critical functions
inappropriate, since access should be limited to a need-to-know basis, regardless of position
Inadequate backup and recovery procedures
they have available special hardware/software tools that enable them to breach data integrity
data preparation, data input

reviewing software quality
provides an automatic audit trail, whereas a floppy disk does not
The organization's information technology architecture
A bar graph
Control-oriented techniques
Consider the use of Data Base Management System
Centrally print and distribute the outputs.
batch containing errors would be rejected for correction prior to processing
Observing the system operator's work
Result of substantive audit procedure
A test to compare data with an output source
transmission on terrestrial microwave
Export/import tools
the second-last full dump
Observing the system operator's work
Exhibits the rules for different conditional values
Pre-usage scan of all secondary storage media brought from outside.
the implementation of advanced technology in the application
Designing database applications
The user-id used to make the attempt
Initiating computer applications.
call-back features
segregation of duties becomes increasingly important
the controls that prevent unauthorised and improper use of data and programs
data security
Group logons are being used for critical functions
Testing the system thoroughly
Data encryptor
a malicious operator can undermine a disaster recovery operation by corrupting backup files progressively over time
receiver's public key
inappropriate, since access should be limited to a need-to-know basis, regardless of position
Scanning the output for obvious errors
Designing database applications
Delay distortion
Scanning the output for obvious errors
long key cipher system
Introduction of newer technology by the day has made their understanding a difficult task for the auditor
Taking the afterimages of all data items changed for accuracy and completeness.
concentration technique
Scanning the output for obvious errors
Determining whether access controls are in place
the loss likely to occur if the threat materializes multiplied by the probability of the threat
Use write-protect tabs on disks.
Rerun the audit software against a backup of the inventory master file.
IS security measures including controls over access to data should be strengthened.
Traffic analysis
All valid transactions
The transactions shall be recorded chronologically as they are put through
Process errors
Implementation
Each phase will have to be present
System navigation guidelines
Scanning the output for obvious errors
the recipients of project based reports should be agreed upon at the start of a project
Prevent the file from being overwritten before the expiry of the retention date
the designer is circumspect of the user's cooperation in spelling out their requirements

resources provided/denied
Authorisation of file updates
manager in charge of the information systems function
Snapshot
Scanning the output for obvious errors
A run chart
Developing and designing standards and procedures to protect data in case of accidental disclosure, modification or destr
companies that wish to engage in electronic commerce on the Internet must meet required security standards establishe
Observing the system operator's work
A sandwich approach
Result of substantive audit procedure
Vendors not in the table file will be paid.
List of applications under development
transmitting system warning and status messages
Batch control totals
The Organisation's critical and high risk business areas
An increase in inherent risk
substantive test
Developing and implementing an IS security standards manual
Screen-oriented manipulation user interfaces
Known procedure
Component redundancy
Develop CAATs in detecting such instances.
call-back features
automatic dial-up capabilities
thunder and lightning
long key cipher system
small key
Frequently changed access controls
a single person does not have complete control over a transaction from start to finish
to prevent compromises when using a private key
enabling use of a multiplicity of formats and coding standards
Repeater
staging and job set-up procedures compensate for the tape label control weakness
Distributed applications or services
Program changes due to fine tuning of existing systems
Identify the various layers of ISO/OSI model to which each component belongs
Duplicate record check
Operating systems
Implemented
Access only to authorized logical views.
Rerun the audit software against a backup of the inventory master file.
the work is boring so high turnover always occurs
White-box, specification-based, logic-driven technique
communicate the PIN to the cardholder over phone
Dollar unit sampling
Generally, the tasks performed by IS personnel are more complex than those in manual systems
documenting the major milestones to be achieved in the system development process
All the back up storage devices and the backed up floppies & disks
Electronic data interchange (EDI)
Production mailbox
Develop an API application
Observation
preventive control
data management subsystem
Firmware

The physical structure of the data is independent of user needs


Data custodian
Prohibition of random access
Input control
verify the format of the number entered and then locate it on the database
a single person does not have complete control over a transaction from start to finish
The mainframe computer should subject the data to the same edits and validation routines that on-line data entry would r
the decryption key should be kept a secret
PCs and notebook computers must be programmed directly in machine language while mainframes use higher level lang
Increasing MIS staff output in order for both systems to be installed
communicate the PIN to the cardholder over phone
the work is boring so high turnover always occurs
System development tools
Coordinate and resolve conflicting needs and desires of users in their diverse application areas
verifying control totals
fax/modem software
Access only to authorized logical views.
All valid transactions
Scanning the output for obvious errors
Nature of the population
Cost of recovery action
Develop an API application
Detail design documents
Flow-charting tool
Inference engine
The spiral model
Develop a data synchronization software
Maintenance costs
Communication protocol
dropping bits in data transmission
whether the system being monitored has provided users with a strategic advantage over their competitors
Licensed software
allow a reasonable number of PIN entry attempts, close the account after the limit has been reached, but do not retain the
Keep them motivated
be easily accessible by a majority of company personnel
Protocol analyser
Corrective
batch containing errors would be rejected for correction prior to processing
encrypt the message with the receiver's public key and sign the message with the sender's private key
increase the speed of data transmission
Establishing data usage guidelines
Software acceptance criteria
the decryption key should be kept a secret
Increased business activity and revenue
Program changes due to fine tuning of existing systems
Data editing
fax/modem software
A sandwich approach
A random structured
Taking the afterimages of all data items changed for accuracy and completeness.
All valid transactions
Cluster sampling selection technique
Installing an access control software.
Vendors not in the table file will be paid.
Need not have the same level of environmental monitoring as the originating site since this would be cost prohibitive
Foresee important problems prior to occurring.

Software Life Cycle activities are improved.


authorizations are in-built into application systems
investment in hardware is smaller for each site than for a central site
program source code modification
Data editing
Completeness, accuracy and validity of update
Tests of general controls
Polymorphism
To help the top management in assessing the capabilities of personnel.
A state transition diagram
Establishing data usage guidelines
Authorisation of file updates
Bypass Label Processing and Central Processing Unit
the decryption key should be kept a secret
an unauthorised person from reading the message
Maintaining the error log.
Implementation
Implementation
Dollar unit sampling
Result of substantive audit procedure
ensuring accountability and identifying terminals accessing system resources
Editing of corrupted message by the network staff
Data Link
Detailed design documents
Requirements follow design
Testing the system thoroughly
White-box, specification-based, logic-driven technique
Identifying major purpose(s) of the system
Focusing on broad problems to a specific view.
Assumptions and analysis of costs and benefits.
Information from clients and customers will not be required.
investment in hardware is smaller for each site than for a central site
traffic analysis
channel
Scanning the output for obvious errors
forging of messages by the receiver
Data owner
Maintainability
make an evaluation of the whole process to quantify the substantive test required for the specialized audit of the process
Decreasing of contingency and backup planning efforts
data preparation, data input
message authentication
Reviewing change controls
Review and analysis of user specifications.
time and date of dispatch of the message
Implemented
A random structured
Output analyser
Exhibits the rules for different conditional values
less difficult because audit trails can be looked upon for tracing out unauthorized activities
Data ownership resides with the most appropriate users
Evacuation procedures
They both encrypt messages
avoiding the reappearing of rejection messages when the transactions are resubmitted after a disaster and a restoration o
Cost of recovery action
Implementation

System navigation guidelines


Diminish chances of committing improper / illegal acts by the employee.
Ascertaining user needs for application programming.
Firmware
program source code modification
Licensed software
Coordinate and resolve conflicting needs and desires of users in their diverse application areas
widespread acceptance of national and international information systems standards can undermine an organisation s com
A wrong tape reel is loaded in a multireel file
Application software
Access control at application system level
Software acceptance criteria
errors and omissions
Inadequate backup and recovery procedures
possessed objects
an unauthorised person from reading the message
Quality
increase the speed of data transmission
Yes, since the vendor's plan could be adequately evaluated for preparing a complementary plan for the outsourcing comp
Installing an access control software.
Duplicate record check
With a multiplexer, the total bandwidth entering the device is normally different from the bandwidth leaving it
whether a storage medium should be retired
Terminal simulator
transmitting system warning and status messages
High cohesion of modules, high coupling of modules, and high modularity of programs
Possess knowledge in the area of current technical words.
IS security measures including controls over access to data should be strengthened.
Tokens may be captured by a node and before releasing it the node may fail
time and date of dispatch of the message
Warm site
The probability of continued availability of system support
Function points
Foresee important problems prior to occurring.
Decrease in complexity and volatility in IT leads to considerable decrease in costs.
Firmware
Network structure
They are unaffected by electrical interference
batch containing errors would be rejected for correction prior to processing
manager in charge of the information systems function
Such access authority is inappropriate because it violates the principle of "access on a need-to-know basis, irrespective
Develop a data synchronization software
Prototyping model
Each phase will have to be present
Such access authority is inappropriate because it violates the principle of "access on a need-to-know basis, irrespective
whether the system being monitored has provided users with a strategic advantage over their competitors
Incorporate into software upgrades
Corrective
Interactive edits, process programs and sample reports
Reviewing change controls
Disk utility
Limiting and monitoring the use of privileged software.
channel
Ergonomics
Use write-protect tabs on disks.
Manually reperforming, as of a moment in time, the processing of input data and comparing the simulated results with the

Telecommunication
Performing system activity analysis
Requires the minimum computer usage and manual personnel.
naming convention gives a unique identity to the resources
Reporting of before and after images
duplication of backup operations more than other techniques
The transactions shall be recorded chronologically as they are put through
Spiral model
Component redundancy
Implementation
They are unaffected by electrical interference
Operating systems
to clarify the basis on which QA personnel will evaluate whether quality goals have been met
Bio-metric devices
the controls that prevent unauthorised and improper use of data and programs
service type
identifying what the user knows or remembers
Presentation layer
Component redundancy
Frequently changed access controls
Corrective
PIN entry via a secure terminal
Software independence
The physical structure of the data is independent of user needs
Known procedure
long key cipher system
Centrally print and distribute the outputs.
provide common interfaces across organisations thereby eliminating the need for one organisation to establish direct com
If an encryption key is compromised the exposure is restricted to the single user to whom the key applies
ring network
to increase the efficiency of the payment process
Result of substantive audit procedure
Design of authorization tables for operating system access.
The mainframe computer should subject the data to the same edits and validation routines that on-line data entry would r
Use write-protect tabs on disks.
no demonstration packages should be allowed to be run on the company owned machines
Process errors
Maintenance costs
Automatic error correction
The internal control of data accuracy and access and inconsistencies within common data fields
Modularity
Operating systems
the quality of QA training is an important indicator of top management's commitment to the attainment of quality assuranc
into which user's password falls
A development control
Configuration status accounting
small key
Twisted-pair (unshielded) cable
Snapshot
Data Entry
batch containing errors would be rejected for correction prior to processing
Batch controls
Corrective
Interactive edits, process programs and sample reports
whether the system being monitored has provided users with a strategic advantage over their competitors
Permanent Virtual Circuit (PVC)

Format check
Authorized user access privileges for each data file or element
A single link failure, a repeater failure, or a break in the cable could disable a large part or all of the network.
Diminish chances of committing improper / illegal acts by the employee.
Librarian forgot to log tape movement
Central processing site during application program processing.
convert digital signals to analog signals
Implementation
Data base structures and the source codes.
Limiting and monitoring the use of privileged software.
One-time pad
Editing of corrupted message by the network staff
Detailed design documents
make an evaluation of the whole process to quantify the substantive test required for the specialized audit of the process
a microwave radio system
Firmware
message switching
Data Encryption Standard (DES) is a typical type of private key cryptosystem
private key and a public key
Ensuring seamless integration
service type
Component redundancy
Distributed databases and application programs
manager in charge of the information systems function
Corrective
Attribute Sampling
The organization's information technology architecture
Reviewing change controls
Installing an access control software.
Duplicate record check
batch containing errors would be rejected for correction prior to processing
Implementation
It requires the hardware vendor to provide compatible computer equipment.
Source documents do not have to be redesigned.
Recommendations and conclusions based on the findings from the audit.
Calculation of Foot Totals
Access only to authorized logical views.
Malfunctioning in one node will not bring a star network down
the second-last full dump
If afterimages have been corrupted, rollback is not achievable
Developing design documents
Reviews
High cohesion of modules, high coupling of modules, and high modularity of programs
Lease or purchase
Ascertaining user needs for application programming.
Systems management
Reliability
data security
Of higher volume and of bigger size
The spiral model
Problem support
Input control
small key
verify the format of the number entered and then locate it on the database
It is the total functioning life of an item divided by the total number of failures during the measurement interval
inappropriate, since access should be limited to a need-to-know basis, regardless of position

have to authenticate themselves only once, and not after that
Completing the system design document
Control-oriented techniques
What actions were taken in response to the metrics results?
Wireless Local Area Network
Segregation of duties is maintained
Librarian forgot to log tape movement
Only targeted transactions can be examined using CIS.
have to authenticate themselves only once, and not after that
Suggests the management of control and system enhancements.
Control risk
less difficult because audit trails can be looked upon for tracing out unauthorized activities
Logging of console transaction
Detective controls
Preparation of the information security standards manual
line conditioning technique
Production mailbox
Function points
getting distributed than in a manual system
decreased requirements for backup and contingency planning
channel
forging of messages by the receiver
Access control at application system level
transmittal control
Input control
they have available special hardware/software tools that enable them to breach data integrity
the designer is circumspect of the user's cooperation in spelling out their requirements
DES Cryptosystem
Software independence
Code metrics
standards should be prepared to guide their maintenance
Sudden increase in number of users
Incorporate into software upgrades
Paid non-EDI invoices
whether the system being monitored has provided users with a strategic advantage over their competitors
Software requirements management
Resource management
investment in hardware is smaller for each site than for a central site
identify the operating costs of the network
Diminish chances of committing improper / illegal acts by the employee.
Taking the afterimages of all data items changed for accuracy and completeness.
Access only to authorized logical views.
communicate the PIN to the cardholder over phone
Sensitivity of transactions
A random structured
Exhibits the rules for different conditional values
Recommendations and conclusions based on the findings from the audit.
Whether all the software on the computer is properly licensed.
Encryption will solve all problems of industrial espionage
an application program error
Allow individuals to understand all parts of a system.
Capacity planning
Organisation control
Identity-based policy
Inference engine
Each phase will have to be present

to educate the customer about the importance of card security


PIN entry via a secure terminal
The idea that not every theory tested will work as expected
Authorisation of file updates
inappropriate, since access should be limited to a need-to-know basis, regardless of position
Testing the system thoroughly
message authentication
increase the speed of data transmission
Grand design projects
Maintaining the error log.
Shielded Twisted pair
provide common interfaces across organisations thereby eliminating the need for one organisation to establish direct com
spurious associations
Working Notes of the IS audit staff of the minutes of the IS Steering committee meetings.
Librarian forgot to log tape movement
dynamic equalization
White-box, specification-based, logic-driven technique
Variable sample tests
The staff change the jobs with high frequency.
System that performs based on business needs and activities
If a connector in bus topology is malfunctioning, the whole network will not be brought down, whereas malfunctioning repe
Joint application design (JAD)
Integration test
The spiral model
Data encryptor
message switching
into which user's password falls
Maintainability
sender's public key
possessed objects
Evolutionary development model
Integration test
The organization's information technology architecture
enabling use of a multiplicity of formats and coding standards
program source code modification
TCP/IP
Systems Programming
twisted pair wire transmission
transmitting system warning and status messages
the work is boring so high turnover always occurs
Develop CAATs in detecting such instances.
automatic dial-up capabilities
Statistical sampling
Mean-time-to-repair
A confirmation letter received by the IS auditor directly from an outside source
While evaluating an organisation's policy of segregation of duties, the competency of the employees is of no relevance.
Rectification of errors
Diminish chances of committing improper / illegal acts by the employee.
Initiating computer applications.
investment in hardware is smaller for each site than for a central site
Firmware
widespread acceptance of national and international information systems standards can undermine an organisation s com
the recipients of project based reports should be agreed upon at the start of a project
it is less likely to be used in a business systems environment than a discretionary access control policy
Prohibition of random access
Tests of general controls

Transaction processing delay


service type
A list of all cards issued and the individuals to whom they were issued.
Assure the correct execution of machine instructions
determined by and the individuals who use the microcomputers
dropping bits in data transmission
Decreasing of contingency and backup planning efforts
whether a storage medium should be retired
Bypass Label Processing and Central Processing Unit
It is the total functioning life of an item divided by the total number of failures during the measurement interval
possessed objects
Active user involvement is more in the system development.
Licensed software
It provides a means for measuring the actual misstatement in assertions
Segregation of duties is maintained
Application system errors
duplication of backup operations more than other techniques
to increase the efficiency of the payment process
economic events that are relevant to the ongoing operations of an organisation are identified and recorded
Determining whether access controls are in place
Access only to authorized logical views.
Generalized audit software.
Detective control
IS security measures including controls over access to data should be strengthened.
Concurrent / parallel existence of Duplicate Information system functions.
high error propagation
the recipients of project based reports should be agreed upon at the start of a project
QA personnel require high level of interpersonal skills because of potential conflict between QA personnel and information
the inherent risk associated with an organisation decreases considerably when an organisation has an information system
Users need not remember multiple passwords, only a single password
A wrong tape reel is loaded in a multireel file
service type
Presentation layer
Modules should have only one entry and one exit point
sender's public key
Bypass Label Processing and Central Processing Unit
Incorporate into software upgrades
Security Administration
Public key of the sender
encrypt the message with the receiver's public key and sign the message with the sender's private key
password encryption technique
Value-added network
Permit updating for everyone in IS but restrict read access to source code to one position
Detect the presence of viruses.
It requires the hardware vendor to provide compatible computer equipment.
Performing compliance tests and evaluating the adequacy of procedures that were implemented by the management to c
Calculation of Foot Totals
Document the procedures designed to achieve the planned audit objectives.
With compatible equipment and applications
Cost of recovery action
Maintenance costs
Modularity
tape file protection, cryptographic protection and limit checks
Routers
Data editing
QA personnel should have most experience of information systems development, implementation, operations, and mainte
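Several answers in this sheet describe the asymmetric sign-then-encrypt pattern ("encrypt the message with the receiver's public key and sign the message with the sender's private key", verification with the "sender's public key", "the decryption key should be kept a secret"). The program below is an added worked example, not part of the original answer sheet, showing both sides of that exchange with textbook RSA. The Mersenne-prime moduli, the truncated digest and the sample payment message are constructed assumptions for illustration only: unpadded RSA with keys this small is not secure, and a real system would use a vetted library with RSA-PSS and RSA-OAEP.

```python
import hashlib

# Constructed toy parameters (Mersenne primes): fine for the arithmetic below,
# far too small for real use. These are assumptions of this example.
SENDER_P, SENDER_Q = 2**61 - 1, 2**127 - 1
RECEIVER_P, RECEIVER_Q = 2**89 - 1, 2**107 - 1
PUBLIC_EXPONENT = 65537


def make_keypair(p, q, e=PUBLIC_EXPONENT):
    """Textbook RSA key generation: returns (public, private) as (n, e), (n, d)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # Python 3.8+ modular inverse
    return (n, e), (n, d)


def _digest_int(message, n):
    # Digest truncated to 160 bits so it fits under the toy modulus; real RSA
    # signatures use a padding scheme (PSS) instead of a bare digest.
    return int.from_bytes(hashlib.sha256(message).digest()[:20], "big") % n


def sign(message, sender_private):
    """Signature = digest^d mod n under the SENDER's private key."""
    n, d = sender_private
    return pow(_digest_int(message, n), d, n)


def verify(message, signature, sender_public):
    """Anyone holding the sender's public key can check the signature."""
    n, e = sender_public
    return pow(signature, e, n) == _digest_int(message, n)


def encrypt_block(x, receiver_public):
    """Confidentiality: encrypt under the RECEIVER's public key."""
    n, e = receiver_public
    if not 0 <= x < n:
        raise ValueError("block does not fit under the receiver's modulus")
    return pow(x, e, n)


def decrypt_block(c, receiver_private):
    """Only the holder of the receiver's private key can undo encrypt_block."""
    n, d = receiver_private
    return pow(c, d, n)


def send(message, sender_private, receiver_public):
    """Sender side: sign with own private key, then encrypt message and
    signature with the receiver's public key. Returns (c_msg, c_sig, length)."""
    sig = sign(message, sender_private)
    m_int = int.from_bytes(message, "big")
    return (encrypt_block(m_int, receiver_public),
            encrypt_block(sig, receiver_public),
            len(message))


def receive(envelope, receiver_private, sender_public):
    """Receiver side: decrypt with own private key, verify with the sender's
    public key. Returns (message, authentic); a garbled envelope yields
    (None, False) instead of raising."""
    c_msg, c_sig, length = envelope
    try:
        message = decrypt_block(c_msg, receiver_private).to_bytes(length, "big")
    except OverflowError:  # decrypted value no longer fits the declared length
        return None, False
    sig = decrypt_block(c_sig, receiver_private)
    return message, verify(message, sig, sender_public)


if __name__ == "__main__":
    sender_pub, sender_priv = make_keypair(SENDER_P, SENDER_Q)
    receiver_pub, receiver_priv = make_keypair(RECEIVER_P, RECEIVER_Q)
    envelope = send(b"PAY 1000 TO ACCT 42", sender_priv, receiver_pub)
    print(receive(envelope, receiver_priv, sender_pub))
```

The split of roles is the point: the receiver's private key gives confidentiality (only it can open the envelope), the sender's private key gives origin authentication and non-repudiation (only it could have produced the signature), and an impostor signing with a different key pair, or any alteration of the ciphertext, is rejected by the verification step.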

bit cipher
commodity
Determine the risks/threats to the data center site
existence of call forwarding devices
Photo identification card
Keep them motivated
Inference engine
Each phase will have to be present
Coding
Increased business activity and revenue
Software licensing
Twisted-pair (unshielded) cable
A state transition diagram
The organization's information technology architecture
Meeting user requirements
Scanning the output for obvious errors
small key
Comparator
Data editing
Shielded Twisted pair
twisted pair wire transmission
traffic analysis
If an encryption key is compromised the exposure is restricted to the single user to whom the key applies
have to authenticate themselves only once, and not after that
Cluster sampling selection technique
Overall risk assessment of operations in the organisation.
The system should display the password to enable the user to enter it correctly
Implementation
Maintenance
Concurrent / parallel existence of Duplicate Information system functions.
Capacity planning
bit cipher
the recipients of project based reports should be agreed upon at the start of a project
QA personnel require high level of interpersonal skills because of potential conflict between QA personnel and information
Call-back techniques
timed authentication is required
Examine the accounting data recorded in the system for any irregularities
Input control
be easily accessible by a majority of company personnel
The internal control of data accuracy and access and inconsistencies within common data fields
Snapshot
unsuccessful attempts after a specified number of times, should result in the automatic log off of the workstation
Network structure
They are unaffected by electrical interference
The organization's information technology architecture
Yes, since the vendor's plan could be adequately evaluated for preparing a complementary plan for the outsourcing comp
Institute program change control procedures.
investment in hardware is smaller for each site than for a central site
channel
If an encryption key is compromised the exposure is restricted to the single user to whom the key applies
Code metrics
ring network
Output analyser
Inductive wiretaps can pick up the free space emissions emanating from amplifiers
All the back up storage devices and the backed up floppies & disks
list of persons authorised to alter the log file contents and the software controlling the log file updating.

Processing controls
Detailed design documents
Testing
Known procedure
Aspects affecting customer satisfaction in an organisation are dealt with in the ISO 9000 standard.
Foresee important problems prior to occurring.
Automatic error correction
whether a storage medium should be retired
Licensed software
Prototyping model
Corrective
Decreasing of contingency and backup planning efforts
PCs and notebook computers must be programmed directly in machine language while mainframes use higher level lang
Implementation
Software acceptance criteria
Increased productivity
Data base structures and the source codes.
Rectification of errors
Wireless Local Area Network
Centrally print and distribute the outputs.
Implementation
Developing and implementing an IS security standards manual
Source documents do not have to be redesigned.
changing the order of the message
List of applications under development
Exhibits the rules for different conditional values
Pre-usage scan of all secondary storage media brought from outside.
Redundant log-on Ids are removed
Processes in priority order, as defined by the business manager
Tokens may be captured by a node and before releasing it the node may fail
Invalid transactions
resistance to change
Testing
High cohesion of modules, high coupling of modules, and high modularity of programs
Software independence
Often used as a tool in the evaluation of performance.
the system cannot easily handle large volumes of data
generating a control total for a point-of-sale device
Twisted-pair (unshielded) cable
Maintenance costs
receiver's public key
standards should be prepared to guide their maintenance
the work is boring so high turnover always occurs
Presentation layer
A run chart
Data base structures and the source codes.
Access control at application system level
Limit test
verifying control totals
Batch control totals
Stratification and frequency analysis capability
Output analyser
Overall risk assessment of operations in the organisation.
Logical access controls
security awareness programme
regular scanning of all network drives as per the established routines
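Application input and batch controls recur throughout these answers (limit test, format check, duplicate record check, batch control totals, and the rule that a "batch containing errors would be rejected for correction prior to processing"). The following Python module is an added worked example, not from the original sheet, that applies all of them to one constructed payment batch. The field names, the 8-digit account format, the amount ceiling, the hash-total field and the sample records and header are assumptions of the example.

```python
import re
from collections import Counter

# Assumed field formats and thresholds for this example.
ACCOUNT_RE = re.compile(r"^\d{8}$")   # account numbers: exactly 8 digits
MAX_AMOUNT = 10_000.00                 # single-payment ceiling for the limit test

# Constructed input batch: one clean record plus one record per error type.
BATCH = [
    {"txn_id": "T001", "account": "12345678", "amount": 250.00},
    {"txn_id": "T002", "account": "1234567",  "amount": 99.50},     # format: 7 digits
    {"txn_id": "T003", "account": "11112222", "amount": 25000.00},  # limit exceeded
    {"txn_id": "T003", "account": "33334444", "amount": 10.00},     # duplicate txn_id
]
# Batch header as prepared by the originating department (constructed).
HEADER = {"record_count": 4, "amount_total": 25359.50, "hash_total": 58026911}


def format_check(record):
    """Format (edit) check: the field must match its defined pattern."""
    return bool(ACCOUNT_RE.match(record["account"]))


def limit_check(record):
    """Limit check: the value must fall inside a predetermined range."""
    return 0 < record["amount"] <= MAX_AMOUNT


def duplicate_ids(batch):
    """Duplicate record check: transaction ids that appear more than once."""
    counts = Counter(r["txn_id"] for r in batch)
    return {t for t, c in counts.items() if c > 1}


def batch_controls(batch, header):
    """Recompute record count, financial total and hash total and return the
    mismatches as {name: (computed, expected)}. Any difference means a record
    was lost, added or altered between preparation and input."""
    computed = {
        "record_count": len(batch),
        "amount_total": round(sum(r["amount"] for r in batch), 2),
        # hash total: a sum over a non-financial field with no business meaning,
        # kept only to detect tampering or loss
        "hash_total": sum(int(r["account"]) for r in batch if r["account"].isdigit()),
    }
    return {k: (computed[k], header[k]) for k in computed if computed[k] != header[k]}


def validate_batch(batch, header):
    """Record-level edits plus batch-level totals. Any error rejects the whole
    batch for correction before processing; nothing is posted partially."""
    dups = duplicate_ids(batch)
    rejected = []
    for r in batch:
        reasons = []
        if not format_check(r):
            reasons.append("format")
        if not limit_check(r):
            reasons.append("limit")
        if r["txn_id"] in dups:
            reasons.append("duplicate")
        if reasons:
            rejected.append((r["txn_id"], reasons))
    control_errors = batch_controls(batch, header)
    return {
        "accepted": not rejected and not control_errors,
        "rejected": rejected,
        "control_errors": control_errors,
    }


if __name__ == "__main__":
    print(validate_batch(BATCH, HEADER))
```

Record-level edits catch bad individual values; the control totals catch what the edits cannot, such as a valid-looking record dropped in transmission, which is why both layers are compared before the batch is released for processing.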

error correction in the data entry


Warm site
Developing design documents
resistance to change
boundary controls
identify the operating costs of the network
If an encryption key is compromised the exposure is restricted to the single user to whom the key applies
provides an automatic audit trail, whereas a floppy disk does not
program source code modification
Twisted-pair (unshielded) cable
QA personnel should have most experience of information systems development, implementation, operations, and mainte
Only managers typically receive online reports so less misuse is likely.
Access control at application system level
Group logons are being used for critical functions
accountability system and the ability to properly identify any terminal accessing system resources
Modules should have only one entry and one exit point
Implementation
System navigation guidelines
whether the system being monitored has provided users with a strategic advantage over their competitors
Establishing data usage guidelines
System C - Likelihood 20%, Losses(in$) 2.5 million
they have available special hardware/software tools that enable them to breach data integrity
Ensuring seamless integration
Data base structures and the source codes.
Transaction processing delay
Licensed software
the decryption key should be kept a secret
companies that wish to engage in electronic commerce on the Internet must meet required security standards established
Detect the presence of viruses.
Source code comparison
Deadlock resolution
Telecommunication
Librarian forgot to log tape movement
Review and analysis of user specifications.
Date and time stamps are not recorded automatically but only with manual intervention
Are usually located in populous areas to prevent theft or vandalism
Modules should have only one entry and one exit point
System navigation guidelines
Communication protocol
decreased requirements for backup and contingency planning
If an encryption key is compromised the exposure is restricted to the single user to whom the key applies
long key cipher system
Tests of general controls
Lease or purchase
Access control lists and access control privileges
determined by and the individuals who use the microcomputers
dropping bits in data transmission
Cost of computer downtime
Integration test
Variable sample tests
a microwave radio system
send different packets of the same message over different available lines
does not require each node through which the message passes to be protected against hacking
time and date of dispatch of the message
White-box, specification-based, logic-driven technique
High cohesion of modules, high coupling of modules, and high modularity of programs
Possess knowledge in the area of current technical words.
Reviewing audit reports of the previous years.
Data base structures and the source codes.
Disk utility
List of all authorised users of IPF
Costs associated with the hot sites are low.
Increased productivity
Maintainability
Ascertaining user needs for application programming.
investment in hardware is smaller for each site than for a central site
the system cannot easily handle large volumes of data
message switching
program source code modification
Scanning the output for obvious errors
long key cipher system
Data editing
Processing control
Modules should have only one entry and one exit point
they have available special hardware/software tools that enable them to breach data integrity
the designer is circumspect of the user's cooperation in spelling out their requirements
small key
the decryption key should be kept a secret
Code metrics
Corrective
Attribute Sampling
high error propagation
Terminal simulator
Access only to authorized logical views.
Detect the presence of viruses.
improving the overall reliability of the networks
More accountability
Source documents do not have to be redesigned.
A test to compare data with an output source
The Organisation's critical and high risk business areas
Calculation of Foot Totals
Whether all the software on the computer is properly licensed.
deleting all the data on the hard disk
no demonstration packages should be allowed to be run on the company owned machines
list of persons authorised to alter the log file contents and the software controlling the log file updating.
Line conditioning technique
improving the overall reliability of the networks
Identifying major purpose(s) of the system
A tape librarian are carried out by an application programmer.
Wireless Local Area Network
small key
PIN entry via a secure terminal
Permit updating for everyone in IS but restrict read access to source code to one position
reviewing software quality
Network structure
Incorporate into software upgrades
bit cipher
Attribute Sampling
Ensuring seamless integration
ciphertext form produced only from an irreversible encryption algorithm
Batch controls
Reviewing change controls
Use of individual passwords
The user-id used to make the attempt
the work is boring so high turnover always occurs
investment in hardware is smaller for each site than for a central site
Access only to authorized logical views.
Rerun the audit software against a backup of the inventory master file.
the second-last full dump
avoiding the reappearing of rejection messages when the transactions are resubmitted after a disaster and a restoration o
More accountability
Implementation
Evaluating methodology of the audit test results.
Generally, the tasks performed by IS personnel are more complex than those in manual systems
One-time pad
Need not have the same level of environmental monitoring as the originating site since this would be cost prohibitive
Flow-charting tool
Each phase will have to be present
Implementation
Assumptions and analysis of costs and benefits.
Data encryptor
Modularity
Photo identification card
Implementation
Sound an alarm and begin a timed countdown.
Prototyping model
sender's public key
to educate the customer about the importance of card security
Data encryptor
it does not have to be stored. Hence preserving privacy is easier
Design of authorization tables for operating system access.
Batch controls
the designer is circumspect of the user's cooperation in spelling out their requirements
communicate the PIN to the cardholder over phone
Licensed software
Designing database applications
batch containing errors would be rejected for correction prior to processing
changing the order of the message
Observing the system operator's work
there is a perceptible difference in the basic control objectives
Design of authorization tables for operating system access.
The mainframe computer should subject the data to the same edits and validation routines that on-line data entry would r
Rerun the audit software against a backup of the inventory master file.
Logical access controls
List of all authorised users of IPF
The transactions shall be recorded chronologically as they are put through
If afterimages have been corrupted, rollback is not achievable
Creeping functions
Maintenance
Foresee important problems prior to occurring.
forging of messages by the receiver
Processing control
Photo identification card
A legacy system uses a proprietary programming language
Keep them motivated
Lease or purchase
Access control lists and access control privileges
data preparation, data input
It is the total functioning life of an item divided by the total number of failures during the measurement interval
Programming and testing
Corrective
Maintainability
encrypt the message with the receiver's public key and sign the message with the sender's private key
Duplicate record check
whether a storage medium should be retired
identify the operating costs of the network
Code metrics
Access only to authorized logical views.
send different packets of the same message over different available lines
Variable sample tests
Nature of the population
the implementation of advanced technology in the application
Procurement procedures are complied with.
Source code comparison
security awareness programme
Access to Job control languages/script files
Humidity increase
Delay distortion
Implementation
Spiral model
Software Life Cycle activities are improved.
automatic dial-up capabilities
Transaction processing delay
identifying what the user knows or remembers
during the data preparation
Corrective
determined by and the individuals who use the microcomputers
Barometer
Audit resources are more effectively directed.
Quality
Permanent Virtual Circuit (PVC)
provides an automatic audit trail, whereas a floppy disk does not
Access control lists and access control privileges
message authentication
With a multiplexer, the total bandwidth entering the device is normally different from the bandwidth leaving it
increase the speed of data transmission
Rectification of errors
Systems management
Determining whether access controls are in place
Only targeted transactions can be examined using CIS.
violating the confidentiality of the message
time and date of dispatch of the message
avoiding the reappearing of rejection messages when the transactions are resubmitted after a disaster and a restoration o
Librarian forgot to log tape movement
Overall risk assessment of operations in the organisation.
Unique user ID and password
Rivest, Shamir, Adleman (RSA)
Traffic analysis
User satisfaction
Coding phase
Modules should have only one entry and one exit point
Control and arithmetic-logic
Inappropriate, since access should be limited to a need-to-know basis, regardless of position.
during the data preparation
PIN entry via a secure terminal
Snapshot
dropping bits in data transmission
The mainframe computer should subject the data to the same edits and validation routines that on-line data entry would r
It is the total functioning life of an item divided by the total number of failures during the measurement interval
data preparation, data input
Integration test
Format check
Twisted-pair (unshielded) cable
the work is boring so high turnover always occurs
Deadlock resolution
Use write-protect tabs on disks.
If afterimages have been corrupted, rollback is not achievable
Implemented
Review and analysis of user specifications.
Date and time stamps are not recorded automatically but only with manual interference
Are usually located in populous areas to prevent theft or vandalism
Electronic data interchange (EDI)
Rivest, Shamir, Adleman (RSA)
If a connector in bus topology is malfunctioning, the whole network will not be brought down, whereas malfunctioning repe
violating the confidentiality of the message
Used to build hard disk controllers
Resiliency testing
Modules should have only one entry and one exit point
Maintainability
An operating system program is a critical software package for microcomputers
Routers
Reliability
A wrong tape reel is loaded in a multireel file
Users need not remember multiple passwords rather than a single password
A list of all cards issued and the individuals to whom they were issued.
Input control
Inadequate backup and recovery procedures
Identify the various layers of ISO/OSI model to which each component belongs
Shielded Twisted pair
they have available special hardware/software tools that enable them to breach data integrity
Snapshot
possessed objects
Review of the payroll by the payroll department on a regular basis.
Call-back techniques
Systems management
Oversight omissions of data.
gateways to allow personal computers to connect to mainframe computers
Statistical sampling
Traffic analysis
transmitting system warning and status messages
It provides a means for measuring the actual misstatement in assertions
Designing database applications
The user-id used to make the attempt
Prohibiting the usage of disk drives in workstations
Detective controls
Evacuation procedures
All valid transactions
Package fixes
Modules should have only one entry and one exit point
Coordinate and resolve conflicting needs and desires of users in their diverse application areas
Prohibition of random access
existence of call forwarding devices
Photo identification card
Inference engine
Distributed databases and application programs
Corrective
Limiting access to local drives and directories
it is less likely to be used in a business systems environment than a discretionary access control policy
Whether appropriate controls have been incorporated.
The spiral model
Increased productivity
Select a random sample of actual data to ensure adequate testing
With a multiplexer, the total bandwidth entering the device is normally different from the bandwidth leaving it
Disk utility
A single link failure, a repeater failure, or a break in the cable could disable a large part or all of the network.
twisted pair wire transmission
Sensitivity of transactions
An increase in inherent risk
Review and analysis of user specifications.
The user-id used to make the attempt
List of all authorised users of IPF
Rivest, Shamir, Adleman (RSA)
Use of two VANs
transmission on terrestrial microwave
Resiliency testing
Known procedure
Aspects affecting the customer satisfaction in an organisation are dealt in the ISO 9000 standard.
Initiating computer applications.
the system cannot easily handle large volumes of data
The physical structure of the data is independent of user needs
Reliability
Restricted physical access
Transaction processing delay
Corrective
determined by and the individuals who use the microcomputers
a single person does not have the complete control over a transaction from start to finish
manager in charge of the information systems function
Evolutionary development model
Routers
Code metrics
PCs and notebook computers must be programmed directly in machine language while mainframes use higher level lang
Acceptance test, unit test, integration test, systems test
transmitting system warning and status messages
Implementation
Observation
Application system errors
a microwave radio system
Librarian forgot to log tape movement
Variable sample tests
Terminal simulator
Data ownership resides with the most appropriate users
The user-id used to make the attempt
Generalized audit software.
Detective control
Under normal circumstances only about 25% of the processing is critical to an organisation. Hence, there is no need to ta
Output fault
Aspects affecting the customer satisfaction in an organisation are dealt in the ISO 9000 standard.
data management subsystem
generating a control total for a point-of-sale device
Wireless Local Area Network
data security
Application software
Authorized user access privileges for each data file or element
A list of all cards issued and the individuals to whom they were issued.
Lease or purchase
authentication message's origin
password encryption technique
data preparation, data input
receiver's public key
Implementation
Vendors may go out of business and discontinue service support on their products
double wiring of the CPU and peripheral equipment to prevent malfunctioning
ciphertext form produced only from an irreversible encryption algorithm
Maintaining the error log.
Authorized user access privileges for each data file or element
Operating systems
Stratification and frequency analysis capability
Exhibits the rules for different conditional values
dynamic equalization
The transactions shall be recorded chronologically as they are put through
More accountability
Run-to-run totals
Traffic analysis
Invalid transactions
Coding phase
Flow-charting tool
Design bugs
Inference engine
Allow individuals to understand all parts of a system.
Information from clients and customers will not be required.
the work is boring so high turnover always occurs
Twisted-pair (unshielded) cable
it is less likely to be used in a business systems environment than a discretionary access control policy
Group logons are being used for critical functions
Examine the accounting data recorded in the system for any irregularities
Inference engine
secrecy
No attention is paid to cosmetic details
data preparation, data input
it is less likely to be used in a business systems environment than a discretionary access control policy
Maintainability
channel
Value-added network
Quality assurance audit
Systems management
Diminish chances of committing improper / illegal acts by the employee.
It provides a means for measuring the actual misstatement in assertions
transmission on terrestrial microwave
All valid transactions
Determining whether access controls are in place
separation of duties is easy to achieve in manual systems and impossible in computerized systems
Designing database applications
Disk utility
unsuccessful attempts after a specified number of times, should result in the automatic log off of the workstation
no demonstration packages should be allowed to be run on the company owned machines
Disabling all the redundant passwords
System that performs based on business needs and activities
Encrypting once with the same key
Cost of computer downtime
Identifying major purpose(s) of the system
existence of call forwarding devices
Photo identification card
Call-back techniques
No attention is paid to cosmetic details
Integration test
receiver's public key
compromise of a sender's private key
Establishing data usage guidelines
traffic analysis
Data transfer speed
With a multiplexer, the total bandwidth entering the device is normally different from the bandwidth leaving it
Authorisation of file updates
Data Encryption Standard (DES) is a typical type of private key cryptosystem
long key cipher system
Observation
Working Notes of the IS audit staff of the minutes of the IS Steering committee meetings.
the work is boring so high turnover always occurs
Librarian forgot to log tape movement
Sensitivity of transactions
Nature of the population
An analytical review of the ratios by the IS auditor from the information received from the internal line management.
While evaluating an organisation's policy of segregation of duty, the competency of the employees is of no relevance.
Data ownership resides with the most appropriate users
does not require each node through which the message passes to be protected against hacking
Rule based policy
preventive control
boundary controls
dropping bits in data transmission
Batch controls
high error propagation
access control lists are stored on a fast memory device to facilitate easy access to the list
allow a reasonable number of PIN entry attempts, close the account after the limit has been reached, but do not retain th
Duplicate record check
dropping bits in data transmission
the decryption key should be kept a secret
Programming and testing
Data transfer speed
Number of customer problems reported to the size of the product
Reviewing change controls
Procurement procedures are complied with.
Institute program change control procedures.
If an encryption key is compromised the exposure is restricted to a single user to whom the key applies
program source code modification
Ergonomics
Deadlock resolution
Rerun the audit software against a backup of the inventory master file.
Data Link
transmitting system warning and status messages
Select a random sample of actual data to ensure adequate testing
Nature of the population
Rivest, Shamir, Adleman (RSA)
send different packets of the same message over different available lines
Cost of recovery action
Implementation
The spiral model
Each phase will have to be present
Assumptions and analysis of costs and benefits.
Data Encryption Standard (DES) is a typical type of private key cryptosystem
the work is boring so high turnover always occurs
take action to mitigate the effects of the compliance failure on shareholders
Key compromise notifications
Spoofing.
Only managers typically receive online reports so less misuse is likely.
Frequently changed access controls
snap shots of all transactions are taken
To help the top management in assessing the capabilities of personnel.
receiver's public key
whether the system being monitored has provided users with a strategic advantage over their competitors
they have available special hardware/software tools that enable them to breach data integrity
Software acceptance criteria
data preparation, data input
TCP/IP
Control-oriented techniques
What actions were taken in response to the metrics results?
Limiting and monitoring the use of privileged software.
Prevention
whether the system being monitored has provided users with a strategic advantage over their competitors
generating a control total for a point-of-sale device
investment in hardware is smaller for each site than for a central site
call-back features
decreased requirements for backup and contingency planning
Ensuring completeness and correctness of the data
thunder and lighting
It facilitates identification of the users that have effected changes to the database
Data ownership resides with the most appropriate users
One-time pad
Resiliency testing
The probability of continued availability of system support
Integration test
Evolutionary development model
Operations Manager.
Modularity
existence of call forwarding devices
Maintainability
Architecture of the firewall hiding the internal network
Implementation
determined by and the individuals who use the microcomputers
Security Administration
staging and job set-up procedures compensate for the tape label control weakness
snap shots of all transactions are taken
The organization's information technology architecture
Integration test
Developing and designing standards and procedures to protect data in case of accidental disclosure, modification or dest
traffic analysis
fax/modem software
Malfunctioning in one node will not bring a star network down
Implemented
Substantive testing tests validation while compliance testing tests for regulatory requirements.
carrying out personal examination of the existing physical access environment
procedure for authorising access to computer resources
Access to Job control languages/script files
Plan is reviewed and updated regularly.
installation of proper physical security cover over the data processing installation
Need not have the same level of environmental monitoring as the originating site since this would be cost prohibitive
Malfunctioning in one node will not bring a star network down
Software independence
Object-oriented technology
System navigation guidelines
Operations Manager.
the decryption key should be kept a secret
private key and a public key
Determine the risks/threats to the data center site
Breaching in the security of the IS resulting in destruction of hardware or software
Presentation layer
Distributed databases and application programs
dial-disconnect-callback features
Security Administration
The physical structure of the data is independent of user needs
a single person does not have the complete control over a transaction from start to finish
Integration test
Maintainability
Increased productivity
double wiring of the CPU and peripheral equipment to prevent malfunctioning
With a multiplexer, the total bandwidth entering the device is normally different from the bandwidth leaving it
A run chart
Checklists
Review of the payroll by the payroll department on a regular basis.
Duplicate record check
provide common interfaces across organisations thereby eliminating the need for one organisation to establish direct com
Variable sample tests
Working Notes of the IS audit staff of the minutes of the IS Steering committee meetings.
Code metrics
an application program error
It requires the hardware vendor to provide compatible computer equipment.
economic events that are relevant to the ongoing operations of an organisation are identified and recorded
A random structured
An increase in inherent risk
Yes, since the vendor's plan could be adequately evaluated for preparing a complementary plan for the outsourcing comp
Detective controls
A legacy system uses a proprietary programming language
provide common interfaces across organisations thereby eliminating the need for one organisation to establish direct com
be easily accessible by a majority of company personnel
Tests of general controls
Identifying major purpose(s) of the system
Bio-metric devices
Cost of computer downtime
Input control
Testing the system thoroughly
Inadequate backup and recovery procedures
The internal control of data accuracy and access and inconsistencies within common data fields
Public key of the sender
Corrective
a single person does not have the complete control over a transaction from start to finish
Presentation layer
Grand design projects
Limiting and monitoring the use of privileged software.
the work is boring so high turnover always occurs
fast transmission of a message once it arrives at a node
Librarian forgot to log tape movement
adequate definition in contractual relationship
Librarian forgot to log tape movement
The Organisation's critical and high risk business areas
Limiting and monitoring the use of privileged software.
The system should display the password to enable the user to enter it correctly
authorized files are logically allowed access to authorized users
Are usually located in populous areas to prevent theft or vandalism
Developing design documents
Implementation
Aspects affecting the customer satisfaction in an organisation are dealt in the ISO 9000 standard.
generated as a printer output necessarily
Check digit
Only managers typically receive online reports so less misuse is likely.
Transaction processing delay
Identity-based policy
Architecture of the firewall hiding the internal network
Testing the system thoroughly
secrecy
message authentication
Data Entry
Meeting user requirements
Known procedure
Increasing MIS staff output in order for both systems to be installed
Presentation layer
Estimating electrical load
If an encryption key is compromised the exposure is restricted to a single user to whom the key applies
Dollar-unit sampling
a microwave radio system
Data Link
It facilitates identification of the users that have effected changes to the database
the work is boring so high turnover always occurs
Cluster sampling selection technique
Format check
The right training
White-box, specification-based, logic-driven technique
Software Life Cycle activities are improved.
the maintenance of data integrity
getting distributed than in a manual system
virtual storage
Data editing
Reliability
Wireless Local Area Network
small protection domains
Prevent the file from being overwritten before the expiry of the retention date
Inadequate backup and recovery procedures
long key cipher system
forging of messages by the receiver
Implementation
bit cipher
inappropriate, since access should be limited to a need-to-know basis, regardless of position
a single person does not have the complete control over a transaction from start to finish
Repeater
possessed objects
Integration test
Grand design projects
verifying control totals
Detect the presence of viruses.
transmitting system warning and status messages
to increase the efficiency of the payment process
Reject the statistical hypothesis that value is not misstated when the true value is materially misstated.
Librarian forgot to log tape movement
Preparation of multiple reports and output files.
Consider the use of Data Base Management System
Preparation of the information security standards manual
twisted pair wire transmission
the second-last full dump
Reviews
Baseline
Cost of computer downtime
Develop a data synchronization software
Maintenance costs
Foresee important problems prior to occurring.
Transmission cost is not charged by packet
DES Cryptosystem
transmittal control
Identifying major purpose(s) of the system
they have available special hardware/software tools that enable them to breach data integrity
Access control lists and access control privileges
Identify the various layers of ISO/OSI model to which each component belongs
modem
Expert system's knowledge is combined into program control
A run chart
Control-oriented techniques
Behavioral issues
line conditioning technique
verifying control totals
duplicate transaction processing
Determining whether access controls are in place
provides an automatic audit trail, whereas a floppy disk does not
Pre-usage scan of all secondary storage media brought from outside.
substantive test
Access only to authorized logical views.
manual control procedures
no demonstration packages should be allowed to be run on the company owned machines
List of all authorised users of IPF
Evacuation procedures
Invalid transactions
Implementation
Allow individuals to understand all parts of a system.
spurious associations
the inherent risk associated with an organisation decreases considerably when an organisation has an information system
commodity
Corrected errors should be initialed by the person correcting the error
Authorized user access privileges for each data file or element
Ensuring seamless integration
Identity-based policy
Assure the correct execution of machine instructions
Component redundancy
Distributed databases and application programs
they have available special hardware/software tools that enable them to breach data integrity
file server
No attention is paid to cosmetic details
Either allow access to all resources or none
Such access authority is inappropriate because it violates the principle of "access on need-to-know basis, irrespective
modem
Baseline
small key
Integration testing
avoiding the reappearing of rejection messages when the transactions are resubmitted after a disaster and a restoration o
Taking the afterimages of all data items changed for accuracy and completeness.
Detailed specifications of the vendor's hardware.
Review and analysis of user specifications.
carrying out personal examination of the existing physical access environment
Need not have the same level of environmental monitoring as the originating site since this would be cost prohibitive
User satisfaction
Observation
Ascertaining user needs for application programming.
segregation of duties becomes increasingly important
batch containing errors would be rejected for correction prior to processing
Twisted-pair (unshielded) cable
small key
Tests of general controls
data security
If a program is erroneously coded, it commits errors at a very high speed resulting in wastage of resources for locating an
Bio-metric devices
Input control
a single person does not have the complete control over a transaction from start to finish
A state transition diagram
Establishing data usage guidelines
Public key of the sender
Shielded Twisted pair
Establishing data usage guidelines
Software acceptance criteria
Scanning the output for obvious errors
have to authenticate themselves only once, and not after that
Checklists
The information technology infrastructure
Institute program change control procedures.
Determining whether access controls are in place
substantive test
less difficult because audit trails can be looked upon for tracing out unauthorized activities
Data ownership resides with the most appropriate users
Detect the presence of viruses.
the installation of the anti-virus software should be properly authorised
Humidity increase
Rule based policy
Process errors
Software independence
Develop a data synchronization software
Ascertaining user needs for application programming.
provide common interfaces across organisations thereby eliminating the need for one organisation to establish direct com
companies that wish to engage in electronic commerce on the Internet must meet required security standards established
snap shots of all transactions are taken
Call-back techniques
Polymorphism
the designer is circumspect of the user's cooperation in spelling out their requirements
Identify the various layers of ISO/OSI model to which each component belongs
program source code modification
Increasing MIS staff output in order for both systems to be installed
The organization's information technology architecture
Design of authorization tables for operating system access.
Call-back techniques
Institute program change control procedures.
the system cannot easily handle large volumes of data
Variable sample tests
Exhibits the rules for different conditional values
the work is boring so high turnover always occurs
Statistical sampling
Result of substantive audit procedure
Recommendations and conclusions based on the findings from the audit.
Document the procedures designed to achieve the planned audit objectives.
Substantive testing tests validation while compliance testing tests for regulatory requirements.
transmission delay
the second-last full dump
Detailed design documents
Creeping functions
Implementation
Implementation
concentration technique
fast transmission of a message once it arrives at a node
Scanning the output for obvious errors
into which user's password falls
Inappropriate, since access should be limited to a need-to-know basis, regardless of position.
Use of individual passwords
Problem support
Public key of the sender
Batch controls
Maintainability
inappropriate, since access should be limited to a need-to-know basis, regardless of position
TCP/IP
Code metrics
Yes, since the vendor's plan could be adequately evaluated for preparing a complementary plan for the outsourcing comp
Review and analysis of user specifications.
Scanning the output for obvious errors
program source code modification
Reject the statistical hypothesis that value is not misstated when the true value is materially misstated.
Source documents do not have to be redesigned.
Tokens may be captured by a node and before releasing it the node may fail
avoiding the reappearing of rejection messages when the transactions are resubmitted after a disaster and a restoration o
Segregation of duties is maintained
A random structured
An analytical review of the ratios by the IS auditor from the information received from the internal line management.
Data base structures and the source codes.
Centrally print and distribute the outputs.
list of persons authorised to alter the log file contents and the software controlling the log file updating.
The probability of continued availability of system support
Package fixes
preventive control
concentration technique
small protection domains
Bio-metric devices
Key compromise notifications
Input control
achieving system effectiveness
Attribute Sampling
The internal control of data accuracy and access and inconsistencies within common data fields
applets recording keystrokes made by the client and, therefore passwords
the encrypted pre-hash code and the message are encrypted using a secret key
Narrowband ISDN, central office switches, Voice Mail system
Software acceptance criteria
Systems Programming
have to authenticate themselves only once, and not after that
It is the total functioning life of an item divided by the total number of failures during the measurement interval
Acceptance test, unit test, integration test, systems test
Reviewing change controls
Maintaining the error log.
Transaction processing delay
Authorized user access privileges for each data file or element
Data ownership resides with the most appropriate users
Capacity planning
a microwave radio system
provides an automatic audit trail, whereas a floppy disk does not
Introduction of newer technology by the day has made their understanding a difficult task for the auditor
Access only to authorized logical views.
violating the confidentiality of the message
Modules should have only one entry and one exit point
Ascertaining user needs for application programming.
Best IS expertise from the outside source.
identify the operating costs of the network
whether the system being monitored has provided users with a strategic advantage over their competitors
the controls that prevent unauthorised and improper use of data and program
Inappropriate, since access should be limited to a need-to-know basis, regardless of position.
Prevent the file from being overwritten before the expiry of the retention date
achieving system effectiveness
Corrective
resources provided/denied
compromise of a sender's private key
Expert system's knowledge is combined into program control
Control-oriented techniques
Access control at application system level
A dependency check
Implementation
Working Notes of the IS audit staff of the minutes of the IS Steering committee meetings.
Taking the afterimages of all data items changed for accuracy and completeness.
Vendors not in the table file will be paid.
does not require each node through which the message passes to be protected against hacking
improving the overall reliability of the networks
All valid transactions
A random structured
Rectification of errors
BHAGWAN SRIGANESH
authorized files are logically allowed access to authorized users
If afterimages have been corrupted, rollback is not achievable
Designing quality into the process
Data entry operators
call-back features
the system cannot easily handle large volumes of data
whether the system being monitored has provided users with a strategic advantage over their competitors
long key cipher system
QA personnel should have most experience of information systems development, implementation, operations, and mainte
cryptologist
access control lists are stored on a fast memory device to facilitate easy access to the list
data security
Breaching in the security of the IS resulting in destruction of hardware or software
Attribute Sampling
channel
Input control
Inadequate backup and recovery procedures
Integration test
high error propagation
Establishing data usage guidelines
Number of customer problems reported to the size of the product
The information technology infrastructure
Authorisation of file updates
Implementation
Ergonomics
Taking the afterimages of all data items changed for accuracy and completeness.
Only targeted transactions can be examined using CIS.
Procurement procedures are complied with.
Consider the use of Data Base Management System
Whether all the software on the computer is properly licensed.
Limiting and monitoring the use of privileged software.
Data Link
Coding phase
Creeping functions
White-box, specification-based, logic-driven technique
Ascertaining user needs for application programming.
Decrease in complexity and volatility in IT leads to considerable decrease in costs.
fax/modem software
concentration technique
snapshots of all transactions are taken
Ensuring that provisions are made to minimise damage or abuse to hardware and to maintain the hardware in good opera
program source code modification
Completeness, accuracy and validity of update
The spiral model
errors and omissions
possessed objects
The idea that not every theory tested will work as expected
Distributed applications or services
Incorporate into software upgrades
Program changes due to fine tuning of existing systems
While evaluating an organisation's policy of segregation of duty, the competency of the employees is of no relevance.
Routers
Authorisation of file updates
provide common interfaces across organisations thereby eliminating the need for one organisation to establish direct com
Exhibits the rules for different conditional value
A test to compare data with an output source
It requires the hardware vendor to provide compatible computer equipment.
Performing compliance tests and evaluating the adequacy of procedures that were implemented by the management to c
Detailed specifications of the vendor's hardware.
The user-id used to make the attempt
Trojan Horse
Critical systems
Automated teller machine system
Tokens may be captured by a node and before releasing it the node may fail
the second-last full dump
If afterimages have been corrupted, rollback is not achievable
resistance to change
Resiliency testing
Modules should have only one entry and one exit point
Increased productivity
Operations Manager.
whether the system being monitored has provided users with a strategic advantage over their competitors
QA personnel require high level of interpersonal skills because of potential conflict between QA personnel and information
Snapshot
accountability system and the ability to properly identify any terminal accessing system resources
Maintenance
Inadequate backup and recovery procedures
they have available special hardware/software tools that enable them to breach data integrity
a malicious operator can undermine a disaster recovery operation by corrupting backup files progressively over time
Data ownership resides with the most appropriate users
The user-id used to make the attempt
Communication protocol
investment in hardware is smaller for each site than for a central site
Developing and implementing an IS security standards manual
dynamic equalization
does not require each node through which the message passes to be protected against hacking
Observing the system operator's work
A test to compare data with an output source
Introduction of newer technology by the day has made their understanding a difficult task for the auditor
Review and analysis of user specifications.
Centrally print and distribute the outputs.
Source code comparison
manual control procedures
installation of proper physical security cover over the data processing installation
Electronic data interchange (EDI)
It facilitates identification of the users that have effected changes to the database
resistance to change
Implementation
boundary controls
Systems management
Twisted-pair (unshielded) cable
Restricted physical access
data security
Users need not remember multiple passwords rather than a single password
Software acceptance criteria
Input control
Each phase will have to be present
secrecy
Software licensing
a single person does not have the complete control over a transaction from start to finish
standards should be prepared to guide their maintenance
TCP/IP
staging and job set-up procedures compensate for the tape label control weakness
the decryption key should be kept a secret
increase the speed of data transmission
What actions were taken in response to the metrics results?
a microwave radio system
Variable sample tests
Output analyser
An analytical review of the ratios by the IS auditor from the information received from the internal line management.
Generalized audit software.
Source code comparison
deleting all the data on the hard disk
authorized files are logically allowed access to authorized users
violating the confidentiality of the message
Design bugs
make an evaluation of the whole process to quantify the substantive test required for the specialized audit of the process
Identifying major purpose(s) of the system
Focusing on broad problems to a specific view.
automatic dial-up capabilities
31 bit cipher system
Frequently changed access controls
Check digit
inappropriate, since access should be limited to a need-to-know basis, regardless of position
Modules should have only one entry and one exit point
authentication message's origin
applets recording keystrokes made by the client and, therefore passwords
Distributed applications or services
Paid non-EDI invoices
long key cipher system
Resource management
Whether all the software on the computer is properly licensed.
Data ownership resides with the most appropriate users
With a multiplexer, the total bandwidth entering the device is normally different from the bandwidth leaving it
the work is boring so high turnover always occurs
investment in hardware is smaller for each site than for a central site
Observation
Ergonomics
Librarian forgot to log tape movement
Export/import tools
improving the overall reliability of the networks
the work is boring so high turnover always occurs
Output analyser
Group logons are being used for critical functions
deleting all the data on the hard disk
Tokens may be captured by a node and before releasing it the node may fail
Process errors
Focusing on broad problems to a specific view.
duplicate transaction processing
Network structure
widespread acceptance of national and international information systems standards can undermine an organisation's com
the inherent risk associated with an organisation decreases considerably when an organisation has an information system
Users need not remember multiple passwords rather than a single password
Software licensing
proper validation procedures to be built in during user creation and password change
to educate the customer about the importance of card security
PIN entry via a secure terminal
plastic cards with magnetic stripe and a PIN
dial-disconnect-callback features
The mainframe computer should subject the data to the same edits and validation routines that on-line data entry would r
generating a control total for a point-of-sale device
inappropriate, since access should be limited to a need-to-know basis, regardless of position
Data base structures and the source codes.
The user-id used to make the attempt
Implementation
Develop CAATs in detecting such instances.
The Success of a BPR is reached when the business and the risk suits the re-engineering process.
Segregation of duties is maintained
Only targeted transactions can be examined using CIS.
have to authenticate themselves only once, and not after that
Batch control totals
Substantive testing tests validation while compliance testing tests for regulatory requirements.
reduce the expected loss from a threat
Data ownership resides with the most appropriate users
line conditioning technique
Invalid transactions
Modules should have only one entry and one exit point
Maintenance
fax/modem software
double wiring of the CPU and peripheral equipment to prevent malfunctioning
whether the system being monitored has provided users with a strategic advantage over their competitors
31 bit cipher system
Concurrency and sequence number
Software acceptance criteria
Access control lists and access control privileges
Increased productivity
Corrective
Data encryptor
Whether appropriate controls have been incorporated.
password encryption technique
a single person does not have the complete control over a transaction from start to finish
Distributed applications or services
TCP/IP
increase the speed of data transmission
Systems testing
Working Notes of the IS audit staff of the minutes of the IS Steering committee meetings.
A random structured
Dollar - unit sampling
Tokens may be captured by a node and before releasing it the node may fail
an application program error
Scanning the output for obvious errors
Batch control totals
A confirmation letter received by the IS auditor directly from an outside source
Detailed specifications of the vendor's hardware.
Generalized audit software.
Port
the installation of the anti-virus software should be properly authorised
Star topology network
Process errors
generated as a printer output necessarily
provide common interfaces across organisations thereby eliminating the need for one organisation to establish direct com
Inappropriate, since access should be limited to a need-to-know basis, regardless of position.
Prevent the file from being overwritten before the expiry of the retention date
Cost of computer downtime
receiver's public key
Repeater
Sudden increase in number of users
provides an automatic audit trail, whereas a floppy disk does not
Increased productivity
data preparation, data input
sender's public key
have to authenticate themselves only once, and not after that
Checklists
Design of authorization tables for operating system access.
line conditioning technique
decreased requirements for backup and contingency planning
program source code modification
Exhibits the rules for different conditional value
Expert system
Resource management
A site where the computer environment is maintained without any equipment.
Rivest, Shamir, Adleman (RSA)
twisted pair wire transmission
time and date of dispatch of the message
avoiding the reappearing of rejection messages when the transactions are resubmitted after a disaster and a restoration o
Used to build hard disk controllers
The right training
System navigation guidelines
Evolutionary development model
The Success of a BPR is reached when the business and the risk suits the re-engineering process.
Assumptions and analysis of costs and benefits.
Data editing
QA personnel should have the greatest incentives to effect improvements to information systems standards
Ensuring seamless integration
channel
dropping bits in data transmission
data preparation, data input
Paid non-EDI invoices
Integration test
double wiring of the CPU and peripheral equipment to prevent malfunctioning
Activity logs, incident reports, software versioning
Checklists
Software reengineering
Limiting and monitoring the use of privileged software.
Estimating electrical load
Permit updating for everyone in IS but restrict read access to source code to one position
whether the system being monitored has provided users with a strategic advantage over their competitors
twisted pair wire transmission
Exhibits the rules for different conditional value
send different packets of the same message over different available lines
Tokens may be captured by a node and before releasing it the node may fail
Exposure based on threats and vulnerabilities
Taking the afterimages of all data items changed for accuracy and completeness.
Substantive testing tests validation while compliance testing tests for regulatory requirements.
Use write-protect tabs on disks.
Preparation of the information security standards manual
Rivest, Shamir, Adleman (RSA)
changing the order of the message
Identifying major purpose(s) of the system
Modularity
batch containing errors would be rejected for correction prior to processing
whether a storage medium should be retired
into which user's password falls
accountability system and the ability to properly identify any terminal accessing system resources
resources provided/denied
traffic analysis
a single person does not have the complete control over a transaction from start to finish
Snapshot
Testing the system thoroughly
Value-added network
Prevention
The user-id used to make the attempt
Capacity planning
Twisted-pair (unshielded) cable
verifying control totals
decreased requirements for backup and contingency planning
Diminish chances of committing improper / illegal acts by the employee.
Introduction of newer technology by the day has made their understanding a difficult task for the auditor
concentration technique
Inductive wiretaps can pick up the free space emissions emanating from amplifiers
Statistical sampling
separation of duties is easy to achieve in manual systems and impossible in computerized systems
The staff change the jobs with high frequency.
Oversight omissions of data.
Limiting and monitoring the use of privileged software.
BHAGWAN SRIGANESH
Cost of computer downtime
preventive control
decreased requirements for backup and contingency planning
Automatic error correction
Reliability
allow a reasonable number of PIN entry attempts, close the account after the limit has been reached, but do not retain th
Use of individual passwords
inappropriate, since access should be limited to a need-to-know basis, regardless of position
timed authentication is required
Configuration status accounting
Corrective
message authentication
System C - Likelihood 20%, Losses (in $) 2.5 million
Establishing data usage guidelines
Cost of computer downtime
Permit updating for everyone in IS but restrict read access to source code to one position
Twisted-pair (unshielded) cable
the system cannot easily handle large volumes of data
Observing the system operator's work
there is a perceptible difference in the basic control objectives
Export/import tools
White-box, specification-based, logic-driven technique
A test to compare data with an output source
Recommendations and conclusions based on the findings from the audit.
Document the procedures designed to achieve the planned audit objectives.
Used to build hard disk controllers
Reviews
Implementation
Function points
the designer is circumspect of the user's cooperation in spelling out their requirements
duplicate transaction processing
Twisted-pair (unshielded) cable
A single link failure, a repeater failure, or a break in the cable could disable a large part or all of the network.
into which user's password falls
Check digit
existence of call forwarding devices
Photo identification card
ciphertext form produced only from an irreversible encryption algorithm
to educate the customer about the importance of card security
generating a control total for a point-of-sale device
Public key of the sender
manager in charge of the information systems function
data preparation, data input
Licensed software
an unauthorised person from reading the message
Batch controls
Integration testing
Actual time
While evaluating an organisation's policy of segregation of duty, the competency of the employees is of no relevance.
transmitting system warning and status messages
Code metrics
Taking the afterimages of all data items changed for accuracy and completeness.
Mean-time-to-repair
Overall risk assessment of operations in the organisation.
the loss likely to occur if the threat materializes multiplied by the probability of the threat
Developing and designing standards and procedures to protect data in case of accidental disclosure, modification or dest
Format check
Detective control
Processing controls
Evacuation procedures
The probability of continued availability of system support
make an evaluation of the whole process to quantify the substantive test required for the specialized audit of the process
Component redundancy
A tape librarian are carried out by an application programmer.
Communication protocol
Wireless Local Area Network
manager in charge of the information systems function
Corrective
determined by and the individuals who use the microcomputers
increase the speed of data transmission
With a multiplexer, the total bandwidth entering the device is normally different from the bandwidth leaving it
Increased productivity
ciphertext form produced only from an irreversible encryption algorithm
System development tools
A run chart
Systems testing
What actions were taken in response to the metrics results?
With a multiplexer, the total bandwidth entering the device is normally different from the bandwidth leaving it
whether a storage medium should be retired
If an encryption key is compromised the exposure is restricted to a single user to who the key applies
Tokens may be captured by a node and before releasing it the node may fail
All valid transactions
economic events that are relevant to the ongoing operations of an organisation are identified and recorded
Reject the statistical hypothesis that value is not misstated when the true value is materially misstated.
Dollar unit sampling
Librarian forgot to log tape movement
Implemented
Stratification and frequency analysis capability
Source documents do not have to be redesigned.
Data base structures and the source codes.
Resource management
Format check
an UPS and spike buster
Use of two VANs
data management subsystem
Concurrency and sequence number
Permit updating for everyone in IS but restrict read access to source code to one position
service type
Frequently changed access controls
file server
to educate the customer about the importance of card security
Maintenance costs
Software independence
whether the system being monitored has provided users with a strategic advantage over their competitors
Code metrics
They are unaffected by electrical interference
Permanent Virtual Circuit (PVC)
Establishing data usage guidelines
the designer is circumspect of the user's cooperation in spelling out their requirements
Integration test
the decryption key should be kept a secret
Output analyser
Detect the presence of viruses.
does not require each node through which the message passes to be protected against hacking
changing the order of the message
communicate the PIN to the cardholder over phone
The sample size decreases with a decrease in the standard deviation.
Suggests the management of control and system enhancements.
Developing and designing standards and procedures to protect data in case of accidental disclosure, modification or dest
Rerun the audit software against a backup of the inventory master file.
Detective controls
All the back up storage devices and the backed up floppies & disks
Observation
Foresee important problems prior to occurring.
Assessing the required Security procedures for the IS environment.
organises itself along hierarchical lines of communication to a central host computer.
Data owner
ciphertext form produced only from an irreversible encryption algorithm
Identify the various layers of ISO/OSI model to which each component belongs
DES Cryptosystem
reviewing software quality
Public key of the sender
it is less likely to be used in a business systems environment than a discretionary access control policy
Narrowband ISDN, central office switches, Voice Mail system
Licensed software
TCP/IP
Number of customer problems reported to the size of the product
Licensed software
investment in hardware is smaller for each site than for a central site
Batch control totals
Traffic analysis
Rerun the audit software against a backup of the inventory master file.
transmitting system warning and status messages
Select a random sample of actual data to ensure adequate testing
reduce the expected loss from a threat
substantive test
Consider the use of Data Base Management System
Usage of CAATs to verify the interest rates
list of persons authorised to alter the log file contents and the software controlling the log file updating.
twisted pair wire transmission
Testing the system thoroughly
The organization's information technology architecture
the designer is circumspect of the user's cooperation in spelling out their requirements
Lease or purchase
decreased requirements for backup and contingency planning
Data Encryption Standard (DES) is a typical type of private key cryptosystem
Licensed software
Cost of computer downtime
possessed objects
the designer is circumspect of the user's cooperation in spelling out their requirements
The internal control of data accuracy and access and inconsistencies within common data fields
Network structure
encrypt the message with the receiver's public key and sign the message with the sender's private key
long key cipher system
Developing and designing standards and procedures to protect data in case of accidental disclosure, modification or dest
Deadlock resolution
Use write-protect tabs on disks.
convert digital signals to analog signals
the work is boring so high turnover always occurs
economic events that are relevant to the ongoing operations of an organisation are identified and recorded
Exposure based on threats and vulnerabilities
Generally, the tasks performed by IS personnel are more complex than those in manual systems
Limiting and monitoring the use of privileged software.
Rerun the audit software against a backup of the inventory master file.
Central processing site during application program processing.
Processes in priority order, as defined by the business manager
It facilitates identification of the users that have effected changes to the database
Production mailbox
Develop an API application
Observation
Maintaining the systems in production.
investment in hardware is smaller for each site than for a central site
the decryption key should be kept a secret
whether a storage medium should be retired
Bio-metric devices
Tests of general controls
A dependency check
Mr. R's public key
small key
Either allow access to all resources or none
message authentication
Code metrics
Repeater
password encryption technique
increase the speed of data transmission
Completing the system design document
Code metrics
Implementation
Rectification of errors
program source code modification
Developing and implementing an IS security standards manual
Dollar - unit sampling
improving the overall reliability of the networks
Only targeted transactions can be examined using CIS.
Recommendations and conclusions based on the findings from the audit.
Vendors not in the table file will be paid.
Deadlock resolution
Run-to-run totals
Preparation of the information security standards manual
Rivest, Shamir, Adleman (RSA)
Delay distortion
Malfunctioning in one node will not bring a star network down
does not require each node through which the message passes to be protected against hacking
Develop CAATs in detecting such instances.
Communication protocol
Licensed software
existence of call forwarding devices
System navigation guidelines
manager in charge of the information systems function
data preparation, data input
program source code modification
encrypt the message with the receiver's public key and sign the message with the sender's private key
they have available special hardware/software tools that enable them to breach data integrity
Program changes due to fine tuning of existing systems
Systems management
Application system errors
Central processing site during application program processing.
avoiding the reappearing of rejection messages when the transactions are resubmitted after a disaster and a restoration o
Verify specific balance-sheet and Profit and loss account values
the loss likely to occur if the threat materializes multiplied by the probability of the threat
Designing database applications
Detect the presence of viruses.
transmission delay
Trojan Horse
One-time pad
All valid transactions
The transactions shall be recorded chronologically as they are put through
If afterimages have been corrupted, rollback is not achievable
Screen-oriented manipulation user interfaces
Creeping functions
Function points
make an evaluation of the whole process to quantify the substantive test required for the specialized audit of the process
Concurrent / parallel existence of Duplicate Information system functions.
concentration technique
the work is boring so high turnover always occurs
Twisted-pair (unshielded) cable
the controls that prevent unauthorised and improper use of data and program
Frequently changed access controls
Increased business activity and revenue
Limiting access to local drives and directories
program source code modification
Completing the system design document
Integration test
Actual time
Data base structures and the source codes.
Access control at application system level
With a multiplexer, the total bandwidth entering the device is normally different from the bandwidth leaving it
Capacity planning
It provides a means for measuring the actual misstatement in assertions
The transactions shall be recorded chronologically as they are put through
It facilitates identification of the users that have effected changes to the database
Sensitivity of transactions
Pre-usage scan of all secondary storage media brought from outside.
procedure for authorising access to computer resources
They both encrypt messages
convert digital signals to analog signals
Data Link
data management subsystem
organises itself along hierarchical lines of communication to a central host computer.
fax/modem software
generating a control total for a point-of-sale device
whether a storage medium should be retired
Systems management
31 bit cipher system
access control lists are stored on a fast memory device to facilitate easy access to the list
DES Cryptosystem
A development control
Implementation
Each phase will have to be present
they have available special hardware/software tools that enable them to breach data integrity
Data encryptor
The idea that not every theory tested will work as expected
receiver's public key
Batch controls
TCP/IP
Corrective
Routers
It provides a means for measuring the actual misstatement in assertions
Output analyser
send different packets of the same message over different available lines
The Organisation's critical and high risk business areas
The sample size decreases with a decrease in the standard deviation.
Overall risk assessment of operations in the organisation.
the loss likely to occur if the threat materializes multiplied by the probability of the threat
less difficult because audit trails can be looked upon for tracing out unauthorized activities
ensuring accountability and identifying terminals accessing system resources
Detective control
Plan is reviewed and updated regularly.
Rivest, Shamir, Adleman (RSA)
Costs associated with the hot sites are low.
Select a random sample of actual data to ensure adequate testing
The spiral model
Best IS expertise from the outside source.
companies that wish to engage in electronic commerce on the Internet must meet required security standards established
Automatic error correction
be easily accessible by a majority of company personnel
Photo identification card
tape file protection, cryptographic protection and limit checks
Corrective
Snapshot
Such access authority is inappropriate because it violates the principle of "access on need-to-know basis, irrespective
Known procedure
provides an automatic audit trail, whereas a floppy disk does not
Program changes due to fine tuning of existing systems
Systems management
verifying control totals
Diminish chances of committing improper / illegal acts by the employee.
Terminal simulator
Application system errors
Inductive wiretaps can pick up the free space emissions emanating from amplifiers
acceptance of executable only from the established and trusted source
tape librarian
security awareness programme
Plan is reviewed and updated regularly.
They both encrypt messages
Encryption will solve all problems of industrial espionage
Delay distortion
an application program error
resistance to change
User satisfaction
Implementation
The Success of a BPR is reached when the business and the risk suits the re-engineering process.
Modularity
the work is boring so high turnover always occurs
Regular backups by many of the LAN nodes are not taken in the file server.
forging of messages by the receiver
Completeness, accuracy and validity of update
Software licensing
Distributed applications or services
TCP/IP
snap shots of all transactions are taken
Software acceptance criteria
Increased productivity
transmittal control
Data ownership resides with the most appropriate users
Operating systems
the decryption key should be kept a secret
Source documents do not have to be redesigned.
Generalized audit software.
the second-last full dump
Object-oriented technology
Performing system activity analysis
Suggests the management of control and system enhancements.
Control risk
Detective controls
Disabling all the redundant passwords
With compatible equipment and applications
Traffic analysis
Flow-charting tool
Automatic error correction
batch containing errors would be rejected for correction prior to processing
Estimating electrical load
QA personnel should have the greatest incentives to effect improvements to information systems standards
A development control
Prevent the file from being overwritten before the expiry of the retention date
Corrected errors should be initialed by the person correcting the error

Duplicate record check
Component redundancy
Each phase will have to be present
Increased business activity and revenue
Data encryptor
generating a control total for a point-of-sale device
Data Encryption Standard (DES) is a typical type of private key cryptosystem
it is less likely to be used in a business systems environment than a discretionary access control policy
traffic analysis
inappropriate, since access should be limited to a need-to-know basis, regardless of position
Whether appropriate controls have been incorporated.
Cost of computer downtime
double wiring of the CPU and peripheral equipment to prevent malfunctioning
Increased business activity and revenue
investment in hardware is smaller for each site than for a central site
Variable sample tests
Terminal simulator
Manually reperforming, as of a moment in time, the processing of input data and comparing the simulated results with the
A confirmation letter received by the IS auditor directly from an outside source
Requires the minimum computer usage and manual personnel.
Expert system
Run-to-run totals
Frequency of offsite backup
changing the order of the message
time and date of dispatch of the message
Detail design documents
Software independence
Develop a data synchronization software
Identifying major purpose(s) of the system
Assessing the required Security procedures for the IS environment.
take action to mitigate the effects of the compliance failure on shareholders
password encryption technique
Regression analysis and testing
Establishing data usage guidelines
Programming and testing
Baseline
whether the system being monitored has provided users with a strategic advantage over their competitors
transmittal control
ciphertext form produced only from an irreversible encryption algorithm
Identify the various layers of ISO/OSI model to which each component belongs
Institute program change control procedures.
twisted pair wire transmission
The success of a BPR is reached when the business and the risk suit the re-engineering process.
fast transmission of a message once it arrives at a node
Performing system activity analysis
Spreadsheets
Introduction of newer technology by the day has made their understanding a difficult task for the auditor
Access only to authorized logical views.
transmission delay
security awareness programme
Disabling all the redundant passwords
line conditioning technique
Detail requirements document
The spiral model
Evolutionary development model
Observation

Focusing on broad problems to a specific view.
call-back features
duplicate transaction processing
Estimating electrical load
Use of individual passwords
ciphertext form produced only from an irreversible encryption algorithm
The internal control of data accuracy and access and inconsistencies within common data fields
an unauthorised person from reading the message
Narrowband ISDN, central office switches, Voice Mail system
snap shots of all transactions are taken
Snapshot
double wiring of the CPU and peripheral equipment to prevent malfunctioning
possessed objects
Detailed specifications of the vendor's hardware.
Licensed software
Communication protocol
traffic analysis
Exhibits the rules for different conditional value
an application program error
adequate definition in contractual relationship
Implementation
economic events that are relevant to the ongoing operations of an organisation are identified and recorded
substantive test
deleting all the data on the hard disk
Critical systems
Use of two VANs
Traffic analysis
the second-last full dump
duplicity of backup operations more than other techniques
Conflicting requirements errors
Observation
Focusing on broad problems to a specific view.
Best IS expertise from the outside source.
identify the operating costs of the network
the quality of QA training is an important indicator of top management's commitment to the attainment of quality assuranc
Ensuring seamless integration
tape file protection, cryptographic protection and limit checks
a malicious operator can undermine a disaster recovery operation by corrupting backup files progressively over time
manager in charge of the information systems function
it does not have to be stored. Hence preserving privacy is easier
the decryption key should be kept a secret
it is less likely to be used in a business systems environment than a discretionary access control policy
the encrypted pre-hash code and the message are encrypted using a secret key
snap shots of all transactions are taken
Security Administration
small key
have to authenticate themselves only once, and not after that
Format check
Use of individual passwords
companies that wish to engage in electronic commerce on the Internet must meet required security standards established
If an encryption key is compromised the exposure is restricted to a single user to whom the key applies
transmitting system warning and status messages
Taking the afterimages of all data items changed for accuracy and completeness.
Oversight omissions of data.
an UPS and spike buster
Detective control

Electronic data interchange (EDI)
convert digital signals to analog signals
dynamic equalization
If afterimages have been corrupted, rollback is not achievable
Cost of computer downtime
the decryption key should be kept a secret
long key cipher system
data security
Duplicate record check
timed authentication is required
Maintenance
Modules should have only one entry and one exit point
No attention is paid to cosmetic details
Corrective
double wiring of the CPU and peripheral equipment to prevent malfunctioning
A run chart
Behavioral issues
What actions were taken in response to the metrics results?
Project management software
Review and analysis of user specifications.
Installing an access control software.
Access control at application system level
whether the system being monitored has provided users with a strategic advantage over their competitors
the decryption key should be kept a secret
traffic analysis
transmitting system warning and status messages
Maintaining the error log.
Detective control
Encrypting once with the same key
Develop an API application
Coding phase
High cohesion of modules, high coupling of modules, and high modularity of programs
Evolutionary development model
An operating system program is a critical software package for microcomputers
Operating systems
the quality of QA training is an important indicator of top management's commitment to the attainment of quality assuranc
Frequently changed access controls
Prohibition of random access
Permit updating for everyone in IS but restrict read access to source code to one position
Testing the system thoroughly
to educate the customer about the importance of card security
dropping bits in data transmission
Permanent Virtual Circuit (PVC)
Paid non-EDI invoices
Corrective
double wiring of the CPU and peripheral equipment to prevent malfunctioning
small key
Acceptance test, unit test, integration test, systems test
line conditioning technique
fax/modem software
Observing the system operator's work
convert digital signals to analog signals
An analytical review of the ratios by the IS auditor from the information received from the internal line management.
Use write-protect tabs on disks.
Verifying the key data
the second-last full dump

Joint application design (JAD)
Creeping functions
Reviews
Object-oriented technology
the system cannot easily handle large volumes of data
Control and arithmetic-logic
Estimating electrical load
Wireless Local Area Network
manager in charge of the information systems function
the quality of QA training is an important indicator of top management's commitment to the attainment of quality assuranc
An error-correcting code
data security
Of higher volume and of bigger size
Maintainability
errors and omissions
secrecy
The internal control of data accuracy and access and inconsistencies within common data fields
It is the total functioning life of an item divided by the total number of failures during the measurement interval
Interactive edits, process programs and sample reports
Lease or purchase
channel
double wiring of the CPU and peripheral equipment to prevent malfunctioning
data preparation, data input
transmittal control
Repeater
Completing the system design document
Integration testing
Scanning the output for obvious errors
traffic analysis
separation of duties is easy to achieve in manual systems and impossible in computerized systems
Review and analysis of user specifications.
Centrally print and distribute the outputs.
Disk utility
System that performs based on business needs and activities
Invalid transactions
Joint application design (JAD)
Known procedure
generated as a printer output necessarily
segregation of duties becomes increasingly important
virtual storage
QA personnel should have most experience of information systems development, implementation, operations, and mainte
Mr. R 's public key
Data custodian
tape file protection, cryptographic protection and limit checks
Evolutionary development model
unsuccessful attempts after a specified number of times, should result in the automatic log off of the workstation
A state transition diagram
Barometer
Expert system's knowledge is combined into program control
Design of authorization tables for operating system access.
Sudden increase in number of users
Software independence
Licensed software
Centrally print and distribute the outputs.
Develop CAATs in detecting such instances.
Cluster sampling selection technique

Deadlock resolution
Central processing site during application program processing.
Cluster sampling selection technique
Daily control totals.
Reviewing audit reports of the previous years.
deleting all the data on the hard disk
tape librarian
Under normal circumstances only about 25% of the processing is critical to an organisation. Hence, there is no need to ta
dynamic equalization
Implementation
Concurrent / parallel existence of Duplicate Information system functions.
They are unaffected by electrical interference
channel
it is less likely to be used in a business systems environment than a discretionary access control policy
Tests of general controls
Photo identification card
Call-back techniques
Ensuring seamless integration
a malicious operator can undermine a disaster recovery operation by corrupting backup files progressively over time
applets recording keystrokes made by the client and, therefore passwords
Data Entry
Barometer
Licensed software
Lease or purchase
sender's public key
Data base structures and the source codes.
Operating systems
Observing the system operator's work
It provides a means for measuring the actual misstatement statement in assertions
thunder and lightning
Implementation
Librarian forgot to log tape movement
Overall risk assessment of operations in the organisation.
Format check
Whether all the software on the computer is properly licensed.
Disk utility
naming convention gives a unique identity to the resources
It facilitates identification of the users that have effected changes to the database
User satisfaction
Reviews
duplicate transaction processing
Systems management
private key and a public key
small protection domains
existence of call forwarding devices
Prevent the file from being overwritten before the expiry of the retention date
Of higher volume and of bigger size
timed authentication is required
Coding
Increased business activity and revenue
Corrective
Data encryptor
verify the format of the number entered and then locate it on the database
Identify the various layers of ISO/OSI model to which each component belongs
data preparation, data input
reviewing software quality

Whether appropriate controls have been incorporated.
long key cipher system
Software reengineering
If a connector in bus topology is malfunctioning, the whole network will not be brought down, whereas malfunctioning repe
Oversight omissions of data.
Critical systems
Evacuation procedures
Malfunctioning in one node will not bring a star network down
The transactions shall be recorded chronologically as they are put through
Production mailbox
Screen-oriented manipulation user interfaces
Implementation
Develop CAATs in detecting such instances.
Firmware
Network structure
be easily accessible by a majority of company personnel
virtual storage
to clarify the basis on which QA personnel will evaluate whether quality goals have been met
Corrected errors should be initialed by the person correcting the error
If a program is erroneously coded, it commits errors at a very high speed resulting in wastage of resources for locating an
Application software
Configuration status accounting
authentication message's origin
an unauthorised person from reading the message
Meeting user requirements
Audit resources are more effectively directed.
Code metrics
The organization's information technology architecture
small key
Identify the various layers of ISO/OSI model to which each component belongs
Call-back techniques
Diminish chances of committing improper / illegal acts by the employee.
Taking the afterimages of all data items changed for accuracy and completeness.
A test to compare data with an output source
improving the overall reliability of the networks
Sensitivity of transactions
Whether all the software on the computer is properly licensed.
no demonstration packages should be allowed to be run on the company owned machines
Use of two VANs
Star topology network
Delay in transmission of the data
User satisfaction
Testing
Baseline
The physical structure of the data is independent of user needs
segregation of duties becomes increasingly important
The internal control of data accuracy and access and inconsistencies within common data fields
Modularity
take action to mitigate the effects of the compliance failure on shareholders
QA personnel should have the greatest incentives to effect improvements to information systems standards
Mr. R 's public key
proper validation procedures to be built in during user creation and password change
Security Administration
Design of authorization tables for operating system access.
inappropriate, since access should be limited to a need-to-know basis, regardless of position
double wiring of the CPU and peripheral equipment to prevent malfunctioning

password encryption technique
Ensuring seamless integration
Code metrics
Delay distortion
Implementation
organises itself along hierarchical lines of communication to a central host computer.
Use write-protect tabs on disks.
Mean-time-to-repair
transmitting system warning and status messages
Scanning the output for obvious errors
Disk utility
Rerun the audit software against a backup of the inventory master file.
twisted pair wire transmission
time and date of dispatch of the message
Writing incorrect program code
Package fixes
Software acceptance criteria
Develop a data synchronization software
companies that wish to engage in electronic commerce on the Internet must meet required security standards established
PCs and Laptops must be programmed directly in machine language while mainframes use higher level language
whether the system being monitored has provided users with a strategic advantage over their competitors
the inherent risk associated with an organisation decreases considerably when an organisation has an information system
commodity
small protection domains
Corrected errors should be initialed by the person correcting the error
file server
Corrective
a single person does not have the complete control over a transaction from start to finish
an unauthorised person from reading the message
Software independence
Data Encryption Standard (DES) is a typical type of private key cryptosystem
Distributed applications or services
With a multiplexer, the total bandwidth entering the device is normally different from the bandwidth leaving it
a single person does not have the complete control over a transaction from start to finish
data preparation, data input
long key cipher system
Grand design projects
Operating systems
program source code modification
Batch control totals
violating the confidentiality of the message
More accountability
Implementation
Telecommunication
communicate the PIN to the cardholder over phone
Daily control totals.
separation of duties is easy to achieve in manual systems and impossible in computerized systems
Ensuring completeness and correctness of the data
Expert system's knowledge is combined into program control
Cost of computer downtime
Evolutionary development model
take action to mitigate the effects of the compliance failure on shareholders
small key
access control lists are stored on a fast memory device to facilitate easy access to the list
Check digit
ciphertext form produced only from an irreversible encryption algorithm

double wiring of the CPU and peripheral equipment to prevent malfunctioning
Inference engine
Decreasing of contingency and backup planning efforts
receiver's public key
Data Entry
batch containing errors would be rejected for correction prior to processing
It is the total functioning life of an item divided by the total number of failures during the measurement interval
Snapshot
Activity logs, incident reports, software versioning
A single link failure, a repeater failure, or a break in the cable could disable a large part or all of the network.
Shielded Twisted pair
the work is boring so high turnover always occurs
call-back features
channel
The staff change the jobs with high frequency.
Output analyser
Access only to authorized logical views.
Observing the system operator's work
Technique enabling to enter test data into a live computer for processing verification.
Design of authorization tables for operating system access.
It facilitates repudiation by the sender
Cost of recovery action
Reviews
Package fixes
Implementation
Implementation
Focusing on broad problems to a specific view.
Software Life Cycle activities are improved.
Twisted-pair (unshielded) cable
they have available special hardware/software tools that enable them to breach data integrity
proper validation procedures to be built in during user creation and password change
Data encryptor
Regression analysis and testing
Licensed software
it is less likely to be used in a business systems environment than a discretionary access control policy
Corrective
long key cipher system
Checklists
Implementation
Designing database applications
Application software
generating a control total for a point-of-sale device
Data Link
avoiding the reappearing of rejection messages when the transactions are resubmitted after a disaster and a restoration o
The Organisation's critical and high risk business areas
An increase in inherent risk
Whether all the software on the computer is properly licensed.
Rerun the audit software against a backup of the inventory master file.
deleting all the data on the hard disk
transmission delay
no demonstration packages should be allowed to be run on the company owned machines
Frequency of offsite backup
Known procedure
Baseline
Lease or purchase
provide common interfaces across organisations thereby eliminating the need for one organisation to establish direct com

gateways to allow personal computers to connect to mainframe computers
Network structure
widespread acceptance of national and international information systems standards can undermine an organisation's com
Regression analysis and testing
applets recording keystrokes made by the client and, therefore passwords
Repeater
Permanent Virtual Circuit (PVC)
The spiral model
double wiring of the CPU and peripheral equipment to prevent malfunctioning
transmittal control
Implementation
Actual time
Consider the use of Data Base Management System
Data editing
Data Encryption Standard (DES) is a typical type of private key cryptosystem
Ensuring completeness and correctness of the data
concentration technique
Terminal simulator
Procurement procedures are complied with.
Access only to authorized logical views.
Vendors not in the table file will be paid.
If afterimages have been corrupted, rollback is not achievable
It facilitates identification of the users that have effected changes to the database
Package fixes
Modules should have only one entry and one exit point
Evolutionary development model
dropping bits in data transmission
The internal control of data accuracy and access and inconsistencies within common data fields
whether a storage medium should be retired
Shielded Twisted pair
Bio-metric devices
Mr. R 's public key
Input control
Identifying major purpose(s) of the system
errors and omissions
Access control lists and access control privileges
it is less likely to be used in a business systems environment than a discretionary access control policy
standards should be prepared to guide their maintenance
Paid non-EDI invoices
manager in charge of the information systems function
possessed objects
ciphertext form produced only from an irreversible encryption algorithm
Comparator
Resource management
duplicate transaction processing
Deadlock resolution
Generalized audit software.
Data ownership resides with the most appropriate users
The system should display the password to enable the user to enter it correctly
authorized files are logically allowed access to authorized users
duplicity of backup operations more than other techniques
Implementation
Requirements follow design
The right training
Software independence
Software acceptance criteria

Information from clients and customers will not be required.
a microwave radio system
An operating system program is a critical software package for microcomputers
Routers
small protection domains
Restricted physical access
Of higher volume and of bigger size
Polymorphism
be easily accessible by a majority of company personnel
Test drivers
hosting site over the authenticity of the customer
Decreasing of contingency and backup planning efforts
Programming and testing
Paid non-EDI invoices
authentication message's origin
Licensed software
Value-added network
Data base structures and the source codes.
Authorized user access privileges for each data file or element
Transmission cost is not charged by packet
Working Notes of the IS audit staff of the minutes of the IS Steering committee meetings.
Introduction of newer technology by the day has made their understanding a difficult task for the auditor
More accountability
Interception
Reviewing audit reports of the previous years.
there is a perceptible difference in the basic control objectives
Access only to authorized logical views.
Detective controls
Testing
No attention is paid to cosmetic details
Initiating computer applications.
Operations Manager.
boundary controls
fast transmission of a message once it arrives at a node
traffic analysis
the decryption key should be kept a secret
QA personnel should have the greatest incentives to effect improvements to information systems standards
to educate the customer about the importance of card security
message authentication
Security Administration
Barometer
The physical structure of the data is independent of user needs
Corrective
authentication message's origin
With a multiplexer, the total bandwidth entering the device is normally different from the bandwidth leaving it
Limiting and monitoring the use of privileged software.
The user-id used to make the attempt
Authorisation of file updates
companies that wish to engage in electronic commerce on the Internet must meet required security standards established
fast transmission of a message once it arrives at a node
If an encryption key is compromised the exposure is restricted to a single user to whom the key applies
Working Notes of the IS audit staff of the minutes of the IS Steering committee meetings.
Rerun the audit software against a backup of the inventory master file.
Vendors not in the table file will be paid.
have to authenticate themselves only once, and not after that
Exposure based on threats and vulnerabilities

Calculation of Foot Totals
Plan is reviewed and updated regularly.
Automated teller machine system
Testing
White-box, specification-based, logic-driven technique
Lease or purchase
the decryption key should be kept a secret
Wireless Local Area Network
commodity
Frequently changed access controls
It can be used to obtain an unauthorized copy of a report.

Option C
A legacy system is difficult to port to other environments
Laser activated photo identification.
Duplicate transaction processing
Audit hooks
downloaded codes reading files on the client's hard disk
Each request for data made by an application program must be analysed by DBMS.
Integrated services digital network (ISDN)
production work flow control
Volume test
Maintenance
whether there is any abnormal work load during a particular shift which may be because of private use of resources by so
it can be a major bottleneck in the work flow in a data processing installation
CIS cannot write exceptions identified to a log file
Examine the creation date and file size.
free channel utilization to make more capacity available for the user
Compliance tests
Test transactions are representative of normal application system processing.
Availability of adequate manpower for the effective implementation of the system.
demagnetising the hard disk
restricting access to sensitive messages by restricting them to specific parts of the network
Transport
Unit test cases
Faster delivery
Detailed Testing
Does not provide backup in the event of absence.
It is easy to assign the cost of using link encryption to the users of the link
Link editor
Digital signature.
Analysis of system generated core dumps
Substantive tests of executed program logic
machine room fires
Mr. S 's private key
availability
defrauding by the receiver by colluding with the sender.
confirm that the card is not listed as hot
High MTBF values imply good reliability
System D - Likelihood 25%, Losses(in$) 4 million
Configuration test
error log
Extension of the network to new users
Recovery
Interviewing the system operator's supervisor
Tolerable rate and the expected deviation rate.
Temperature increase
altering the audit trail to correct an error
Parallel simulation
Specifying physical data definition
Reviewing execution of computer processing tasks.
All input transactions
lesser flexibility in leveling system workloads
The technique provides for taking the backup on a high speed medium like CDROM
Expert systems can explain their own actions
Productivity
A legacy system is difficult to port to other environments
Incremental model

Development time of a high priority system is more than 12 months.
redundancy control
It is easy to assign the cost of using link encryption to the users of the link
denial of message services
Ensure that management's hardware acquisition plan has taken into consideration technological obsolescence.
Managing end-user expectations
Accreditation and assurance
The model is iterated too many times
the designer is uncertain as well as the user about the requirements and it is likely to evolve as the design progresses
maintaining a test deck
dedicated telephone lines
Each request for data made by an application program must be analysed by DBMS.
production work flow control
A control chart
Estimate the operating costs of the communication subsystem
Maintenance
checking the transaction log
inadequate backup and recovery capabilities
Reviewing execution of computer processing tasks.
Record locking
Less computer equipment
network defence program
it can be a major bottleneck in the work flow in a data processing installation
The confidence level increases as the sample size decreases.
Touring key activities of the organisation.
Recovery actions for the error codes.
The users should be required to review a random sample of processed data.
The audit review file.
using CAAT techniques to know the access provided in the software
Design fault
Faster delivery
Both the Internal and External business processes are covered under the standard.
authorizations are no more needed
production work flow control
Field-size check
Decision table
customer over the authenticity of the hosting site
Establishing data disclosure guidelines
Windows NT platform
It has high risk of wire-tapping
Test case preparation and test case execution
Screens, interactive edits, process programs and sample reports
Application Programming
production work flow control
non-repudiation
Information-oriented techniques
Maintenance
Conversion projects
Sign-on verification security at the operating system level
Terminal controllers
altering the audit trail to correct an error
System performance
The technique provides for taking the backup on a high speed medium like CDROM
is suitable for an online system whereas a floppy disk is not
Skills and judgement that are commonly possessed by IS practitioners of that speciality.
Test all new software on a stand-alone microcomputer.

Non-critical systems
The technique provides for taking the backup on a high speed medium like CDROM
Repudiated transactions
Fourth-generation programming languages
Rapid prototyping model
production work flow control
Optical fiber
Such access authority is inappropriate because they have the full knowledge and understanding about the system
Private key modifications
Managing end-user expectations
Suggestive
15 bit cipher system
confirm that the card is not listed as hot
call-back telephone facility
Suggestive
the decryption key is the same as the encryption key
Software testing
Duplicate files and backup procedures
Analysing system schedules
Compliance tests
Taking picture of transaction as it flows through a system
Manual recalculation of sample items
Remote processing site prior to transmission to the central processing site.
The technique provides for taking the backup on a high speed medium like CDROM
with full access to read, write and execute
Expand the use of the built-in access controls to new applications.
Offsite storage location should be secured and should not be easily identified from the outside.
Maintenance
The sequence of the phases cannot vary
Rent or purchase
Increased number of people using the technology causes a serious concern for BPR projects.
Hardware
private branch exchange
is suitable for an online system whereas a floppy disk is not
time sharing
Logical design of a database
to alleviate conflict between the Statutory Auditors and Information Systems Auditors
QA personnel should have incentives to ensure their organisation adopts the best set of quality assurance standards
The program contained a serious logic error
whether users are authorised and authenticated prior to granting access to system resources
Developing system justification
Security mechanisms
Application Programming
Guaranteed procedure
production work flow control
ciphertext form that is a function of the account number
Volume test
Face-to-face communications
Terminal controllers
correcting a hardware error in a modem
facility to change queue sizes at a node
Decision-table preprocessor
Functional business areas under audit.
control the normality of the distribution curve of the loss from the threat
Custody and control over the non IS assets.
Analysing system schedules

a continuous voltage stabilizer
data entry by the user department is made easy
Reduced software maintenance efforts
Managing end-user expectations
End user interface
Configuration test
Incremental model
System size and complexity
Systems analyst and database administrator are done by the same person.
Coaxial cable
logging and restart verification
Completeness, accuracy and validity of input
the control that reconciles input with processing control totals to ensure that all transactions have been processed and g
identifying what the user is and what she/he knows/remembers
Identification on the cardkeys documenting the name and address of the data centre.
Obsolescence
remembered information
15 bit cipher system
Voltmeter
troubleshooting electrical connections failure
Screens, interactive edits, process programs and sample reports
Configuration test
Include data which represent conditions that occur in actual processing
data capture, data preparation, data capture, data input
Duplicate files and backup procedures
Public switched telephone network
Destruction of the logging and auditing data
Compliance tests
free channel utilization to make more capacity available for the user
Diagram checking tools
Performing job activity analysis
understanding of internal controls
The users should be required to review a random sample of processed data.
Corrective control
transmission on satellite microwave
Encryption is resorted to as a control technique more in bus topology than ring topology
Developing conversion plans
Menu-oriented user interfaces
The time required for subsequent acquisition to meet the requirement
the adoption of national and international information systems standards reduces for conflict within the management
low error propagation
The database administrator
Contingent liabilities file
Allowing distribution processing
Application layer
Network traffic analyzers
Audit hooks
Optimistic Time
Custody and control over the non IS assets.
A communications terminal control hardware unit that controls a number of computer terminals.
For the decryption, the decryption key should be equivalent to the encryption key
encryption system that can not be used more than once
Inadequate volume testing.
Preparation of data classification methodology.
facility to change queue sizes at a node
Link editor

Ownership is irrelevant on account of diversified control.
Less computer equipment
Determine the degree to which substantive auditing may be limited.
Providing audit documentation for review and reference.
proper procedure for verification of User ID and passwords, ensuring authorisation and authentication before granting ac
preparations and plans for the accidental damage or loss in the IPF
Advance information about the test to non-business continuity team members.
It prevents repudiation by the sender
the unique identifier of the sender's node from which it was sent
Identity based policy
Cost of technical action
Portability
Backup and recovery procedures are minimised
duplicate circuitry, echo checks and dual reading
QA personnel should avoid making comments to management about the consequences of compliance failures
The only way to breach the privacy of online reports is to wiretap the communications line
Cryptographic devices
error log
Digital signature.
How the new application will fit with other applications
Current decisions can be based on audited information.
an offsite back copy should be maintained
Incorporate into revision procedures
How the new application will fit with other applications
Managing end-user expectations
Test cases rejected, test cases accepted
Contractual issues
Software project management
No, since this backup provision is adequately provided for in the agreement.
Analysing system schedules
Train current users in how to specify the right destination codes for their printing.
Standby power supplies
Appropriate accounting for rejections and exceptions
map the network software and hardware products into their respective layers
multiple transmission speeds
denial of message services
convert analog signals to digital signals
network defence program
Providing audit documentation for review and reference.
Train current users in how to specify the right destination codes for their printing.
data entry by the user department is made easy
Electronic benefits transfer system (EBTS)
The technique provides for taking the backup on a high speed medium like CDROM
A legacy system is difficult to port to other environments
Ensure that management's hardware acquisition plan has taken into consideration technological obsolescence.
The ability of a personal computer to act as a data terminal
Recovery
identifying what the user is and what she/he knows/remembers
Suggestive
Establishing data disclosure guidelines
Time period for which the key is valid
is suitable for an online system whereas a floppy disk is not
Managing end-user expectations
with full access to read, write and execute
Maintenance
The ownership rights for the programs and files.

Test all new software on a stand-alone microcomputer.
Terminal controllers
whether there is any abnormal work load during a particular shift which may be because of private use of resources by s
improved business relationships with trading partners
poor contacts
CIS cannot write exceptions identified to a log file
Examine the creation date and file size.
renders charge back system easier and effective
Range check
Begin with previous year's IS audit plan and carry over any IS audit that had not been accomplished.
Decision-table preprocessor
the strategic nature of the system
The data being intercepted and disclosed to others without authorisation
Black-box, specification-based, data-driven technique
The IS auditor is not concerned with the key controls that once existed but with the one which exists in the new business
Review of Short and Long term IS strategies.
It is easy to assign the cost of using link encryption to the users of the link
high work factor
Digital signature.
A Processing control
Operating System
Link editor
Maintenance
Cost of initial debugging of software
receiver's private key
low error propagation
inappropriate, because technical support personnel are capable of running the system
Productivity
validation logic to fields and records based on their interrelationships with controls established for the batch.
No, since this backup provision is adequately provided for in the agreement.
Control total
Inadequate volume testing.
Compliance tests
Process the data using a different generalized audit software.
renders charge back system easier and effective
Relay
with full access to read, write and execute
Standard deviation of the population
Controls to contain the threat.
The basic objectives of auditing have undergone change
Management control system
data entry by the user department is made easy
Provides utility programs for a limited number of application systems
Telephone bill paying system
Malfunctioning of the hub will bring the star network down
The technique provides for taking the backup on a high speed medium like CDROM
Maintenance
security administration subsystem
Mr. S's private key
Completeness, accuracy and validity of input
Range check
The same user can initiate transactions and also change related parameters
inappropriate, because technical support personnel are capable of running the system
Duplicate transaction processing
for them to carry out their work, normally the application system controls have to be relaxed
data capture, data preparation, data capture, data input

troubleshooting electrical connections failure
is suitable for an online system whereas a floppy disk is not
How the new application will fit with other applications
A Pareto diagram
Information-oriented techniques
Expand the use of the built-in access controls to new applications.
Train current users in how to specify the right destination codes for their printing.
follow-up on unpaid accounts if a transfer pricing scheme is being used
Interviewing the system operator's supervisor
Assessing control risk too high
A test to evaluate the validation controls in an input program.
transmission on satellite microwave
Diagram checking tools
the second-last residual dump
Interviewing the system operator's supervisor
Indicates the action to be taken when a rule is satisfied
Updating of anti-virus configuration settings when the user logs in.
the strategic nature of the system
Specifying physical data definition
The password used to make the attempt.
Ensuring data processing resources are efficiently used.
enforcing regular password changes
With the increase in use, the degree of concern regarding physical security decreases
the control that reconciles input with processing control totals to ensure that all transactions have been processed an
physical security
The same user can initiate transactions and also change related parameters
Managing end-user expectations
Decision table
operators do not need to rely on documentation during a disaster recovery operation
sender's public key and receiver's private key
inappropriate, because technical support personnel are capable of running the system
checking the transaction log
Specifying physical data definition
White noise
checking the transaction log
encryption system that can not be used more than once
The basic objectives of auditing have undergone change
Taking picture of transaction as it flows through a system
modulation technique
checking the transaction log
Determining whether system specification documents are available
the loss likely to occur if the threat materializes
Examine the creation date and file size.
Process the data using a different generalized audit software.
Offsite storage location should be secured and should not be easily identified from the outside.
Modification of the message
All input transactions
There will be no need for taking a data dump
Data errors
Maintenance
The sequence of the phases cannot vary
System migration guidelines
checking the transaction log
QA report must degenerate into a long list of defects that have been identified
Prevent the file from being read before expiry of the retention date
the designer is uncertain as well as the user about the requirements and it is likely to evolve as the design progresses

modifications to private keys
Appropriate accounting for rejections and exceptions
manager responsible for the internal audit function
Audit hooks
checking the transaction log
A control chart
Reviewing execution of computer processing tasks.
all of the above
Interviewing the system operator's supervisor
A big bang approach
Assessing control risk too high
Unauthorized vendors' invoices will be paid.
Responsibilities of each organizational unit
altering the audit trail to correct an error
Range check
Availability of adequate manpower for the effective implementation of the system.
An increase in control risk
understanding of internal controls
The IS auditor conducting a comprehensive security control study.
Menu-oriented user interfaces
Guaranteed procedure
Information hiding
Review system logs on such occasions to identify irregularities encountered if any.
enforcing regular password changes
multiple transmission speeds
poor contacts
encryption system that can not be used more than once
low error propagation
Call back procedures
none of the above
to prevent misuse of e-mail facilities
increasing inventory by reducing order lead-time
Modems
tape management system is putting processing at risk and that the parameters must be set correctly.
Windows NT platform
Program changes due to changes in data formats
Estimate the operating costs of the communication subsystem
Range check
Destruction of the logging and auditing data
Distributed
User updates of their access profiles.
Process the data using a different generalized audit software.
it can be a major bottleneck in the work flow in a data processing installation
Black-box, specification-based, data-driven technique
mail the card and PIN mailer separately in registered envelopes
Ratio and difference estimation.
IS personnel do not enjoy as much power and clout in organizations as manual systems personnel do like the HR pers
narrate the competitive advantages of the proposed development
Data ownership and classification
Electronic benefits transfer system (EBTS)
Application programmer mailbox
Develop a GUI application
Detailed Testing
redundancy control
security administration subsystem
Random Access Memory (RAM)

Each request for data made by an application program must be analysed by DBMS.
database administrator
Analysis of system generated core dumps
Access control
confirm that the card is not listed as hot
none of the above
The users should be required to review a random sample of processed data.
the decryption key is the same as the encryption key
The cost per transaction to process on each type of computer has decreased in recent years
Having the information systems steering committee set the priority
mail the card and PIN mailer separately in registered envelopes
it can be a major bottleneck in the work flow in a data processing installation
Data storage
Logical design of a database
establishing control over output
private branch exchange
User updates of their access profiles.
All input transactions
checking the transaction log
Standard deviation of the population
Cost of technical action
Develop a GUI application
Unit test cases
Project Management tool
End user interface
The iterative model
Develop a client/server system
System size and complexity
Communication channel
crashing disk drives read-write heads
whether there is any abnormal work load during a particular shift which may be because of private use of resources by so
Standby power supplies
allow a reasonable number of PIN entry attempts, close the account after the limit has been reached, and retain the card
Continuous training
be in the top floor
Database replication
Suggestive
follow-up on unpaid accounts if a transfer pricing scheme is being used
encrypt the message with the receiver's private key and sign the message with the sender's public key
dynamically share a smaller number of output channels
Establishing data disclosure guidelines
System external specifications
the decryption key is the same as the encryption key
Extension of the network to new users
Program changes due to changes in data formats
Data compression
private branch exchange
A big bang approach
An index sequential
Taking picture of transaction as it flows through a system
All input transactions
Sequential sampling selection technique
Using a locking device that can secure the notebook computer to an immovable object.
Unauthorized vendors' invoices will be paid.
Should be easily identified from outside so that in the event of an emergency it can be easily found
Reduce risks of existing or anticipated control weaknesses.

Maturity of the implemented quality system is irrelevant.
authorizations are no more needed
security measures are easier to provide
production work flow control
Data compression
Completeness, accuracy and validity of input
Substantive tests of executed program logic
Inheritance
To ensure that no statutory regulations are violated using networks.
A data dictionary
Establishing data disclosure guidelines
Appropriate accounting for rejections and exceptions
Routers and gateways
the decryption key is the same as the encryption key
the receiver forging a message using the sender's private key
Custody and control over the non IS assets.
Maintenance
Maintenance
Ratio and difference estimation.
Assessing control risk too high
proper procedure for verification of User ID and passwords, ensuring authorisation and authentication before granting acc
Introduction of automated checks to detect corruption of messages
Transport
General design documents
Coding follows implementation
Managing end-user expectations
Black-box, specification-based, data-driven technique
Developing system justification
Including other features of word processing, spreadsheets and e-mails.
Assessing the organisation's business needs.
Business priorities will not be modified.
security measures are easier to provide
denial of message services
Link editor
checking the transaction log
defrauding by the receiver by colluding with the sender.
The database administrator
Portability
conduct a substantive test of the application system
Decreasing of the legal liabilities over proprietary data
data capture, data preparation, data capture, data input
message integrity
Evaluating software distribution
Analysing system schedules
the unique identifier of the sender's node from which it was sent
Distributed
An index sequential
Code optimiser
Indicates the action to be taken when a rule is satisfied
less difficult because monitoring the employee activities electronically is feasible
Access privileges are established on a need-to-know basis
Restart procedures
They both sign messages
elimination of control total problems when the transactions are resubmitted after a disaster and a restoration of the backu
Cost of technical action
Maintenance

System migration guidelines
Ensure a standard quality of life is led by the employee which could enhance productivity.
Corporate database definition.
Random Access Memory (RAM)
production work flow control
Standby power supplies
Logical design of a database
the adoption of national and international information systems standards reduces for conflict within the management
The program contained a serious logic error
Operating System
Access control at data base management system level
System external specifications
machine room fires
Duplicate transaction processing
remembered information
the receiver forging a message using the sender's private key
Resources
dynamically share a smaller number of output channels
No, since this backup provision is adequately provided for in the agreement.
Using a locking device that can secure the notebook computer to an immovable object.
Range check
A communications terminal control hardware unit that controls a number of computer terminals.
whether a master file should be stored on a particular storage medium
Decision-table preprocessor
altering the audit trail to correct an error
Low cohesion of modules, low coupling of modules, and low modularity of programs
Only possess a knowledge of auditing
Offsite storage location should be secured and should not be easily identified from the outside.
The receiver might not have captured the token but it might have passed the addressee node
the unique identifier of the sender's node from which it was sent
Cold site
The time required for subsequent acquisition to meet the requirement
Test coverage
Reduce risks of existing or anticipated control weaknesses.
Increased number of people using the technology causes a serious concern for BPR projects.
Random Access Memory (RAM)
Relational structure
It has high risk of wire tapping
follow-up on unpaid accounts if a transfer pricing scheme is being used
manager responsible for the internal audit function
Such access authority is inappropriate because they have the full knowledge and understanding about the system
Develop a client/server system
Incremental model
The sequence of the phases cannot vary
Such access authority is inappropriate because they have the full knowledge and understanding about the system
whether there is any abnormal work load during a particular shift which may be because of private use of resources by so
Incorporate into revision procedures
Suggestive
Screens, interactive edits, process programs and sample reports
Evaluating software distribution
Multiplexor
Keeping sensitive programs and data on an isolated machine.
Link editor
System performance
Examine the creation date and file size.
Periodically submitting auditor prepared test data to the same computer process and evaluating the results

Hard disk free space
Performing job activity analysis
High Level of IS expertise is essential.
fancy and international names can be used
Reasonableness checks and Hash totals
lesser flexibility in leveling system workloads
There will be no need for taking a data dump
Incremental model
Information hiding
Maintenance
It has high risk of wire tapping
Destruction of the logging and auditing data
to alleviate conflict between the Statutory Auditors and Information Systems Auditors
Laser activated photo identification.
the control that reconciles input with processing control totals to ensure that all transactions have been processed and giv
Internet Protocol (IP) address
identifying what the user is and what she/he knows/remembers
Application layer
Information hiding
Call back procedures
Suggestive
PIN entry at acquirer's premises
Productivity
Each request for data made by an application program must be analysed by DBMS.
Guaranteed procedure
encryption system that can not be used more than once
Train current users in how to specify the right destination codes for their printing.
maintain a log of all transactions of an organisation with its trading partner
It is easy to assign the cost of using link encryption to the users of the link
multidrop line network
to eliminate the risk that unauthorised changes may be made to the payment transactions
Assessing control risk too high
Inclusion of an uninterruptible power supply system and surge protection.
The users should be required to review a random sample of processed data.
Examine the creation date and file size.
always boot from the diskettes
Data errors
System size and complexity
Turnaround documents
The logic needed to solve a problem in an application program
Standardisation
Destruction of the logging and auditing data
QA training should be an ongoing process and all new QA employees must be inducted in the QA goals, standards and p
the users are assigned privileges only if they know the password for each resource
A documentation control
Configuration identification
low error propagation
Coaxial cable
Audit hooks
Application programmer
follow-up on unpaid accounts if a transfer pricing scheme is being used
Duplicate files and backup procedures
Suggestive
Screens, interactive edits, process programs and sample reports
whether there is any abnormal work load during a particular shift which may be because of private use of resources by so
Integrated services digital network (ISDN)

Check digit
Sign-on verification security at the operating system level
The ability of a personal computer to act as a data terminal
Ensure a standard quality of life is led by the employee which could enhance productivity.
Knowingly, an IS Manager approved a payment for his uncle's IS software firm for a job not done by them.
Remote processing site prior to transmission to the central processing site.
convert analog signals to digital signals
Maintenance
Recovery actions for the error codes.
Keeping sensitive programs and data on an isolated machine.
Data encryption standard (DES)
Introduction of automated checks to detect corruption of messages
General design documents
conduct a substantive test of the application system
a satellite line
Random Access Memory (RAM)
time sharing
For the decryption, the decryption key should be equivalent to the encryption key
a new key is generated for each transaction
Allowing distribution processing
Internet Protocol (IP) address
Information hiding
Security mechanisms
manager responsible for the internal audit function
Suggestive
Statistical Sampling
How the new application will fit with other applications
Evaluating software distribution
Using a locking device that can secure the notebook computer to an immovable object.
Range check
follow-up on unpaid accounts if a transfer pricing scheme is being used
Maintenance
It provides for full processing capability in the event of a disaster.
Test transactions are representative of normal application system processing.
Functional business areas under audit.
Selection of testing sample data
User updates of their access profiles.
Malfunctioning of the hub will bring the star network down
the second-last residual dump
It is not always possible to determine how much damage has been done for undoing it
Developing conversion plans
Walkthroughs
Low cohesion of modules, low coupling of modules, and low modularity of programs
Rent or purchase
Corporate database definition.
Distributed applications or services
Grade of Service
physical security
Punishable by law relatively easily
The iterative model
Project staff skills
Access control
low error propagation
confirm that the card is not listed as hot
High MTBF values imply good reliability
inappropriate, because technical support personnel are capable of running the system

with full access to read, write and execute
Completing the program coding work
Information-oriented techniques
What error analysis techniques were used?
Public switched telephone network
IS operations are performed in accordance with appropriate authorizations
Knowingly, an IS Manager approved a payment for his uncle's IS software firm for a job not done by them.
CIS cannot write exceptions identified to a log file
with full access to read, write and execute
Conducts a review of the application developed
Detection risk
less difficult because monitoring the employee activities electronically is feasible
Audit log
Programming controls
Formulation of a corporate information security policy and its adoption by the top management
concentration technique
Application programmer mailbox
Test coverage
getting concentrated at different location but becoming less valuable
improved business relationships with trading partners
Link editor
defrauding by the receiver by colluding with the sender.
Access control at data base management system level
error log
Access control
for them to carry out their work, normally the application system controls have to be relaxed
the designer is uncertain as well as the user about the requirements and it is likely to evolve as the design progresses
Digital signature.
Productivity
Test metrics
an offsite back copy should be maintained
Phase hits and amplitude jitter
Incorporate into revision procedures
Paid EDI and non-EDI invoices
whether there is any abnormal work load during a particular shift which may be because of private use of resources by so
Software project management
Output distribution
security measures are easier to provide
map the network software and hardware products into their respective layers
Ensure a standard quality of life is led by the employee which could enhance productivity.
Taking picture of transaction as it flows through a system
User updates of their access profiles.
mail the card and PIN mailer separately in registered envelopes
Legal requirements
An index sequential
Indicates the action to be taken when a rule is satisfied
Functional business areas under audit.
Whether the computer has terminal emulation software on it.
Some countries will not allow transborder encryption of information
a procedural lapse
Does not provide backup in the event of absence.
Chargeback system
A Processing control
Rule-based policy
User interface
The sequence of the phases cannot vary

enforced periodic change of the PINs
PIN entry at acquirer's premises
To explore the use of new technology
Appropriate accounting for rejections and exceptions
inappropriate, because technical support personnel are capable of running the system
Managing end-user expectations
message integrity
dynamically share a smaller number of output channels
Conversion projects
Custody and control over the non IS assets.
Optical fiber
maintain a log of all transactions of an organisation with its trading partner
denial of message services
Information processing facilities operations and procedures manuals.
Knowingly, an IS Manager approved a payment for his uncle's IS software firm for a job not done by them.
attenuation amplification
Black-box, specification-based, data-driven technique
Compliance tests
Ownership is irrelevant on account of diversified control.
Provides utility programs for a limited number of application systems
Encryption is resorted to as a control technique more in bus topology than ring topology
Traditional system development life cycle
Configuration test
The iterative model
Decision table
time sharing
the users are assigned privileges only if they know the password for each resource
Portability
receiver's private key
remembered information
Rapid prototyping model
Configuration test
How the new application will fit with other applications
increasing inventory by reducing order lead-time
production work flow control
X.12
Application Programming
thin ethernet cable transmission
altering the audit trail to correct an error
it can be a major bottleneck in the work flow in a data processing installation
Review system logs on such occasions to identify irregularities encountered if any.
multiple transmission speeds
Tolerable rate and the expected deviation rate.
On-line system response times
A report generated by the accountant from internal evidence
An organisation chart provides a precise definition of the segregation of duties among the employees.
Managing distribution of outputs.
Ensure a standard quality of life is led by the employee which could enhance productivity.
Ensuring data processing resources are efficiently used.
security measures are easier to provide
Random Access Memory (RAM)
the adoption of national and international information systems standards reduces for conflict within the management
QA report must degenerate into a long list of defects that have been identified
an audit trail is not required with a mandatory access control policy
Analysis of system generated core dumps
Substantive tests of executed program logic

Concurrent transaction processing
Internet Protocol (IP) address
Identification on the cardkeys documenting the name and address of the data centre.
Ensure that run-to-run totals in application systems are consistent
formulated by the operations manager and promulgated as a standard throughout the organisation
crashing disk drives read-write heads
Decreasing of the legal liabilities over proprietary data
whether a master file should be stored on a particular storage medium
Routers and gateways
High MTBF values imply good reliability
remembered information
Change controls are more problematic to achieve than in a traditional SDLC.
Standby power supplies
It provides a means for assessing the risk that the sample results will not accurately represent the population characterist
IS operations are performed in accordance with appropriate authorizations
Lack of internal program documentation
lesser flexibility in leveling system workloads
to eliminate the risk that unauthorised changes may be made to the payment transactions
data are recorded on source documents so it can be keyed to some type of magnetic medium
Determining whether system specification documents are available
User updates of their access profiles.
The audit review file.
Corrective control
Offsite storage location should be secured and should not be easily identified from the outside.
Development time of a high priority system is more than 12 months.
high work factor
QA report must degenerate into a long list of defects that have been identified
information systems personnel tend to prefer a development role to a monitoring role
It is more likely that the external auditors will focus on the reliability of the QA function rather than undertaking direct tests
Security administration is made simple
The program contained a serious logic error
Internet Protocol (IP) address
Application layer
Modularity means program segmentation
receiver's private key
Routers and gateways
Incorporate into revision procedures
QA
Time period for which the key is valid
encrypt the message with the receiver's private key and sign the message with the sender's public key
maintaining a test deck
ISP's network
Restrict updating to one position but permit read access to source code for everyone in IS
Log attempts of unauthorized access.
It provides for full processing capability in the event of a disaster.
Reviewing management's response to the weaknesses in their formal report to the Board of Directors' audit committee.
Selection of testing sample data
Be dynamic and often change with the technology and profession.
With similar business activities
Cost of technical action
System size and complexity
Standardisation
duplicate circuitry, echo checks and dual reading
Terminal controllers
Data compression
QA personnel should have incentives to ensure their organisation adopts the best set of quality assurance standards pos
transmission cipher
data
Interviewing people at the site for the specific tasks performed by them.
required display of user codes and passwords
Magnetic card reader
Continuous training
User interface
The sequence of the phases cannot vary
Testing
Extension of the network to new users
Product reliability
Coaxial cable
A data dictionary
How the new application will fit with other applications
Reduced software maintenance efforts
checking the transaction log
low error propagation
Diagnostic routines
Data compression
Optical fiber
thin ethernet cable transmission
denial of message services
It is easy to assign the cost of using link encryption to the users of the link
with full access to read, write and execute
Sequential sampling selection technique
Providing audit documentation for review and reference.
Password files are encrypted and the system should force the user to change the initial password allotted and also at sub
Testing
Obsolescence
Development time of a high priority system is more than 12 months.
Chargeback system
transmission cipher
QA report must degenerate into a long list of defects that have been identified
information systems personnel tend to prefer a development role to a monitoring role
Cryptographic devices
traffic is exchanged through the firewall at the application layer only
Appoint a qualified computer operator on a temporary basis.
Access control
be in the top floor
The logic needed to solve a problem in an application program
Audit hooks
log of unsuccessful log on attempts are reviewed online and the active monitoring of the same by the security administrat
Relational structure
It has high risk of wire-tapping
How the new application will fit with other applications
No, since this backup provision is adequately provided for in the agreement.
Test all new software on a stand-alone microcomputer.
security measures are easier to provide
Link editor
It is easy to assign the cost of using link encryption to the users of the link
Test metrics
multidrop line network
Code optimiser
Analog signals are less attenuated than digital signals
Data ownership and classification
The period up to which the log file is retained
Operations con