CISA exam 100 practice question

1. 1. CISA 100 Practice Questions Compiled and arranged by: Arshad Ali Javed FCA, CISA,
CIA, CFE, DISA
2. 2. 1. An IS auditor, performing a review of an applications controls, discovers a
weakness in system software, which could materially impact the application. The IS
auditor should: A. Disregard these control weaknesses as a system software review is
beyond the scope of this review. B. Conduct a detailed system software review and report
the control weaknesses. C. Include in the report a statement that the audit was limited to
a review of the applications controls. D. Review the system software controls as relevant
and recommend a detailed system software review. Answer: D The IS auditor is not
expected to ignore control weaknesses just because they are outside the scope of a
current review. Further, the conduct of a detailed systems software review may hamper
the audits schedule and the IS auditor may not be technically competent to do such a
review at this time. If there are control weaknesses which have been discovered by the IS
auditor, they should be disclosed. By issuing a disclaimer, this responsibility would be
waived. Hence, the appropriate option would be to review the systems software as
relevant to the review and recommend a detailed systems software for which additional
resources may be recommended.
3. 3. 2. The reason for having controls in an IS environment: A. remains unchanged from a
manual environment, but the implemented control features may be different. B. changes
from a manual environment, therefore the implemented control features may be different.
C. changes from a manual environment, but the implemented control features will be the
same. D. remains unchanged from a manual environment and the implemented control
features will also be the same. Answer: A The internal control objectives apply to all
areas, whether manual or automated. There are additional objectives to be achieved in
the IS environment, when compared to the manual environment. Common control
objectives remain unchanged in both the IS environment and manual environment,
although the implementation of the control functions may be different in the IS
environment, e.g., the adequacy of backup/recovery in a common internal control
objective for IS and manual environment. The specific IS control objective may be to
adequately back up the files to allow for proper recovery. This may be achieved by
implementing proper control procedures, such as business continuity policy, in the IS
department. Therefore, the implementation of the control functions may be different in the
IS environment. But the common control objectives in an IS environment remains
unchanged from a manual environment.
4. 4. 3. Which of the following types of risks assumes an absence of compensating controls
in the area being reviewed? A. Control risk B. Detection risk C. Inherent risk D. Sampling
risk Answer: C The risk that an error exists that could be material or significant when
combined with other errors encountered during the audit, there being no related
compensating controls, is the inherent risk. Control risk is the risk that a material error
exists that will not be prevented or detected on a timely basis by the system of internal
controls. Detection risk is the risk when an IS auditor uses an inadequate test procedure
and concludes that material errors do not exist, when they do. Sampling risk is the risk

5.

6.

7.

8.

9.

that incorrect assumptions are made about the characteristics of a population from which
a sample is taken.
5. 4. An IS auditor is conducting substantive audit tests of a new accounts receivable
module. The IS auditor has a tight schedule and limited computer expertise. Which would
be the BEST audit technique to use in this situation? A. Test data B. Parallel simulation
C. Integrated test facility D. Embedded audit module Answer: A Test data uses a set of
hypothetical transactions to verify the program logic and internal control in short a time
and for an auditor with minimal IT background. In a parallel simulation, the results
produced for an actual program are compared with the results from a program written for
the IS auditor; this technique can be time consuming and requires IT expertise. An
integrated test facility, enables test data to be continually evaluated when transactions are
processed online; this technique is time consuming and requires IT expertise. An
embedded audit module is a programmed module that is inserted into an application
program to test controls; this technique is time consuming and requires IT expertise.
6. 5. The PRIMARY purpose of compliance tests is to verify whether: A. controls are
implemented as prescribed. B. documentation is accurate and current. C. access to users
is provided as specified. D. data validation procedures are provided. Answer: A
Compliance tests are performed primarily to verify whether controls, as chosen by
management, are implemented. Verification of documents is not directly related to
compliance testing. Verifying whether access to users is provided is an example of
compliance testing. Data validation procedures are part of application controls. Testing
whether these are set as parameters and working as envisaged is compliance testing.
7. 6. Which of the following BEST describes the early stages of an IS audit? A. Observing
key organizational facilities. B. Assessing the IS environment. C. Understanding business
process and environment applicable to the review. D. Reviewing prior IS audit reports.
Answer: C Understanding the business process and environment applicable to the review
is most representative of what occurs early on, in the course of an audit. Other choices
relate to activities actually occurring within this process.
8. 7. The document used by the top management of organizations to delegate authority
to the IS audit function is the: A. long-term audit plan. B. audit charter. C. audit planning
methodology. D. steering committee minutes. Answer: B The audit charter outlines the
overall authority, scope and responsibilities of the audit function to achieve the audit
objectives stated in it. This document serves as an instrument for the delegation of
authority to the IS audit function. Long-term audit planning relates to those aspects of the
audit plan that are impacted by the organizations IT strategy and environment. Audit
planning commences only after the audit charter has been approved by the highest level
of management. The audit planning methodologies are decided upon based on the
analysis of both long- and short-term audit issues. The steering committee minutes
should address the approval of the audit charter but is not the driver that delegates
authority.
9. 8. Before reporting results of an audit to senior management, an IS auditor should: A.
Confirm the findings with auditees. B. Prepare an executive summary and send it to
auditee management. C. Define recommendations and present the findings to the audit
committee. D. Obtain agreement from the auditee on findings and actions to be taken.
Answer: D Upon completion of an audit, an IS auditor should discuss with auditees the
audit objectives for work performed, the test and evaluation techniques used, and the

10.

11.

12.

13.

14.

outcome of those tests that led to findings. The auditor should also obtain the
agreement/disagreement of the auditee regarding the findings and the actions the auditor
plans to take.
10. 9. While developing a risk-based audit program, which of the following would the IS
auditor MOST likely focus on? A. Business processes B. Critical IT applications C.
Corporate objectives D. Business strategies Answer: A A risk-based audit approach
focuses on the understanding of the nature of the business and being able to identify and
categorize risk. Business risks impact the long-term viability of a specific business. Thus
an IS auditor using a risk-based audit approach must be able to understand business
processes.
11. 10. Which of the following is a substantive audit test? A. Verifying that a management
check has been performed regularly B. Observing that user IDs and passwords are
required to sign on the computer C. Reviewing reports listing short shipments of goods
received D. Reviewing an aged trial balance of accounts receivable Answer: D A review
of accounts receivable will provide evidence of the validity and propriety of the financial
statement balance. Choices A, B and C are compliance tests to determine that policies
and procedures are being followed.
12. 11. Which of the following tasks is performed by the same person in a well-controlled
information processing facility/computer center? A. Security administration and
management B. Computer operations and system development C. System development
and change management D. System development and systems maintenance Answer: D
It is common for system development and maintenance to be undertaken by the same
person. In both cases, the programmer requires access to the source code in the
development environment, but should not be allowed access in the production
environment. Choice A is not correct because the roles of security administration and
change management are incompatible functions. The level of security administration
access rights could allow changes to go undetected. Computer operations and system
development (choice B) are incompatible since it would be possible for an operator to run
a program that he/she had amended. Choice C is incorrect because the combination of
system development and change control would allow program modifications to bypass
change control approvals.
13. 12. Where adequate segregation of duties between operations and programming are
not achievable, the IS auditor should look for: A. compensating controls. B. administrative
controls. C. corrective controls. D. access controls. Answer: A The IS auditor should
identify compensating controls such as strong computer security, reviewing access
control logs, end-user reconciliation of control reports and control information in
transaction reports, where adequate segregation of duties is not achievable.
Administrative controls deal with operational effectiveness, efficiency and adherence to
management policies. Corrective controls are designed to correct errors, omissions and
unauthorized uses and intrusions once they are detected. Access control is the process
that limits and controls access to resources of a computer system.
14. 13. Which of the following would be included in an IS strategic plan? A. Specifications
for planned hardware purchases B. Analysis of future business objectives C. Target dates
for development projects D. Annual budgetary targets for the IS department Answer: B IS
strategic plans must address the needs of the business and meet future business
objectives. Hardware purchases may be outlined but not specified and neither budget

15.

16.

17.

18.

targets nor development projects are relevant choices. Choices A, C and D are not
strategic items.
15. 14. The MOST important responsibility of a data security officer in an organization is:
A. recommending and monitoring data security policies. B. promoting security awareness
within the organization. C. establishing procedures for IT security policies. D.
administering physical and logical access controls. Answer: A A data security officers
prime responsibility is recommending and monitoring data security policies. Promoting
security awareness within the organization is one of the responsibilities of a data security
officer. But, it is not as important as recommending and monitoring data security policies.
The IT department, not the data security officer, is responsible for establishing
procedures for IT security policies recommended by the data security officer and for the
administration of physical and logical access controls.
16. 15. Which of the following BEST describes an IT departments strategic planning
process? A. The IT department will have either short-range or long-range plans
depending on the organizations broader plans and objectives. B. The IT departments
strategic plan must be time and project oriented, but not so detailed as to address and
help determine priorities to meet business needs. C. Long-range planning for the IT
department should recognize organizational goals, technological advances and
regulatory requirements. D. Short-range planning for the IT department does not need to
be integrated into the short-range plans of the organization since technological advances
will drive the IT department plans much quicker than organizational plans. Answer: C
Long-range planning for the IT department should recognize organizational goals,
technological advances and regulatory requirements. Typically, the IT department will
have both long-range and short-range plans that are consistent and integrated with the
organizations plans. These plans must be time- and project-oriented, as well as
addressing the organizations broader plans for attaining the organizations goals.
17. 16. When a complete segregation of duties cannot be achieved in an online system
environment, which of the following functions should be separated from the others? A.
Origination B. Authorization C. Recording D. Correction Answer: B Authorization should
be separated from all aspects of record keeping (origination, recording, and correction).
Such a separation enhances the ability to detect the recording of unauthorized
transactions.
18. 17. In a small organization, where segregation of duties is not practical, an employee
performs the function of computer operator and application programmer. Which of the
following controls should the IS auditor recommend? A. Automated logging of changes to
development libraries B. Additional staff to provide segregation of duties C. Procedures
that verify that only approved program changes are implemented D. Access controls to
prevent the operator from making program modifications Answer: C In smaller
organizations, it generally is not appropriate to recruit additional staff to achieve a strict
segregation of duties. The IS auditor must look at alternatives. Of the choices, C is the
only practical one that has an impact. The IS auditor should recommend processes that
detect changes to production source and object code, such as code comparisons so that
the changes can be reviewed by a third party on a regular basis. This would be a
compensating control process. Choice A, involving logging of changes to development
libraries, would not detect changes to production libraries. Choice D is in effect requiring
a third party to do the changes, which may not be practical in a small organization.

19. 19. 18. An IT steering committee would MOST likely perform which of the following
functions? A. Placement of a purchase order with the approved IT vendor B. Installation
of systems software and application software C. Provide liaison between IT department
and user department D. Interview staff for the IT department Answer: C A steering
committee for information technology is a mechanism to ensure that the information
systems strategies are in harmony with the corporate mission and objectives. Such a
committee typically serves as a general review board for major IS projects and should not
become involved in routine operations. Placement of purchase orders, installation of
software and interviewing staff for the IT department are routine operations that are
performed by the respective departments. A steering committee would provide a liaison
between the IS department and the user department.
20. 20. 19. An IS auditor is auditing the controls relating to employee termination. Which of
the following is the MOST important aspect to be reviewed? A. The related company staff
are notified about the termination B. User ID and passwords of the employee have been
deleted C. The details of employee have been removed from active payroll files D.
Company property provided to the employee has been returned Answer: B The highest
risk is logical access to information by a terminated employee. This form of access is
possible if the user id and password of the terminated employee have not been deleted. If
the user id is not disabled or deleted, it is possible that the employee without physically
visiting the company can access the information. The potential of loss on account of
access to information is much higher, compared to payment of salary and nonreturn of
company property.
21. 21. 20. When reviewing a service level agreement for an outsourced computer center an
IS auditor should FIRST determine that: A. the cost proposed for the services is
reasonable. B. security mechanisms are specified in the agreement. C. the services in
the agreement are based on an analysis of business needs. D. audit access to the
computer center is allowed under the agreement. Answer: C The first consideration in
reviewing the agreement is to ensure that the business is asking for the most appropriate
services to meet its business requirements. There should be evidence that they have
considered what services are required, both at present and in the future. The cost is
important (choice A), since the business may be paying for levels of services that are not
required or are not appropriate, but is not of first importance. Both, audit access (choice
D) and security objectives, rather than security mechanisms (choice B), are issues to be
considered as part of the review, but are not of first importance.
22. 22. 21. The PRIMARY benefit of database normalization is the: A. minimization
redundancy of information in tables required to satisfy users needs. B. ability to satisfy
more queries. C. maximization of database integrity by providing information in more than
one table. D. minimization of response time through faster processing of information.
Answer: A The normalization means the elimination of redundant data. Hence, the
objective of normalization in relational databases is to minimize the quantum of
information by eliminating redundant data in tables, quickly processing users requests
and maintaining data integrity. Maximizing the quantum of information is against the rules
of normalization. If particular information is provided in difference tables, the objective of
data integrity may be violated because one table may be updated and not others.
Normalization rules advocate storing data in only one table, hence, minimizing the
response time through faster processing of information.

23. 23. 22. Which of the following network topologies yields the GREATEST redundancy in
the event of the failure of one node? A. Mesh B. Star C. Ring D. Bus Answer: A In mesh
configuration, devices are connected with many redundant interconnections among
network nodes, thereby, yielding the greatest redundancy in the event that one of the
nodes fail, in which case network traffic can be redirected to another node. In star
configuration, each station is linked to the main hub. The main hub establishes the
connection between stations by message or line switching. Therefore, failure of a node
results in the disruption of the network. In ring configuration, all nodes are connected to
one another forming a circle; therefore, the failure of a node results in the disruption of
the network. In bus configuration, all devices are linked along one communication line
with two end points called the backbone; therefore, the failure of a node results in the
disruption of the network.
24. 24. 23. A vendor/contractors performance against service level agreements must be
evaluated by the: A. customer. B. contractor. C. third-party. D. contractors management.
Answer: A Only the customer should evaluate the suppliers performance in a service
level agreement (SLA). This makes the customer confident of the service provided by the
supplier. However, the decision of what to measure must be decided by the customer and
the supplier.
25. 25. 24. When auditing a mainframe operating system, what would the IS auditor do to
establish which control features are in operation? A. Examine the parameters used when
the system was generated B. Discuss system parameter options with the vendor C.
Evaluate the systems documentation and installation guide D. Consult the systems
programmers Answer: A The only way to establish which controls are functioning in a
current operating system is to determine what the parameter settings were at the time the
system was generated or created (often referred to as the initial program load or IPL).
Although the findings of this exercise may well be further evaluated by discussion with the
vendor, evaluating the documentation and consulting the systems programmers, these
actions would not, by themselves, establish specific control features.
26. 26. 25. When conducting an audit of client/server database security, the IS auditor would
be MOST concerned about the availability of: A. system utilities. B. application program
generators. C. system security documentation. D. access to stored procedures. Answer:
A System utilities may enable unauthorized changes to be made to data on the clientserver database. In an audit of database security, the controls over such utilities would be
the primary concern of the IS auditor. Application program generators are an intrinsic part
of client-server technology, and the IS auditor would evaluate the controls over the
generators access rights to the database rather than their availability. Security
documentation should be restricted to authorized security staff, but this is not a primary
concern, nor is access to stored procedures.
27. 27. 26. Which of the following would allow a company to extend its enterprises intranet
across the Internet to its business partners? A. Virtual private network B. Client-Server
C. Dial-Up access D. Network service provider Answer: A VPN technology allows
external partners to securely participate in the extranet using public networks as a
transport or shared private network. Because of low cost, using public networks (Internet)
as a transport is the principal method. VPNs rely on tunneling/encapsulation techniques,
which allow the Internet protocol (IP) to carry a variety of different protocols (e.g., SNA,
IPX, NETBEUI.) Client-server does not address extending the network to business

28.

29.

30.

31.

32.

partners (I.e., client-servers refers to a group of computers within an organization

connected by a communications network where the client is the request machine and the
server is the supplying machine.) A network service provider may provide services to a
shared private network by providing Internet services, but it does not extended an
organizations intranet.
28. 27. An IS auditor auditing hardware monitoring procedures should review A. system
availability reports. B. cost-benefit reports. C. response time reports. D. database
utilization reports. Answer: A An IS auditor while auditing hardware monitoring
procedures will review system availability reports. Cost-benefit reports are reviewed
during the feasibility study. Response time reports are related to applications, not
hardware. Database utilization reports are reviewed to check the optimal usage of the
database across the organization.
29. 28. The device that connects two networks at the highest level of the ISO-OSI
framework ( i.e., application layer) is a A. Gateway B. Router C. Bridge D. Brouter Anwer:
A Gateway is used to connect two networks using dissimilar protocols at the lower layers
through which connectivity is established namely physical, data link, network and
transport layers. Router is a network layer device for which the two connecting networks
must have the same network layer protocol. Bridge operates in the data link layer. It
should have data link layer protocols, such as token ring, Ethernet, in use in both the
networks. Brouter is essentially a bridge with some routing functionality.
30. 29. Which of the following statements relating to packet switching networks is
CORRECT? A. Packets for a given message travel the same route. B. Passwords cannot
be embedded within the packet. C. Packet lengths are variable and each packet contains
the same amount of information. D. The cost charged for transmission is based on
packet, not distance or route traveled. Answer: D D is the correct answer since
transmission charges are based on packets transmitted, not the distance or route
traveled. Passwords and other data can be placed within a packet making choice B
incorrect. Choices A and C are not correct because a complete message is broken into
transmission units (packets), which are routed individually through the network.
31. 30. An IS auditor when reviewing a network used for Internet communications, will
FIRST examine the: A. validity of passwords change occurrences. B. architecture of the
client-server application. C. network architecture and design. D. firewall protection and
proxy servers. Answer: C The first step in auditing a network is to understand the network
architecture and design. This would provide an overall picture of the network of the
enterprises and its connectivity. This will be starting point for identifying the various layers
of information and the access architecture across the various layers, such as proxy
servers, firewalls and client/server application. Reviewing validity of password changes
would be performed as part of substantive testing.
32. 31. Which of the following BEST provides access control to payroll data being
processed on a local server? A. Logging of access to personal information B. Separate
password for sensitive transactions C. Software restricts access rules to authorized staff
D. System access restricted to business hours Answer: C The server and system security
should be defined to allow only authorized staff access to information about the staff
whose records they handle on a day to day basis. Choice A is a good control in that it will
allow access to be analyzed if there is concern that there is unauthorized access.
However, it will not prevent access. Choice B, restricting access to sensitive transactions,

33.

34.

35.

36.

37.

will only restrict access to part of the data. It will not prevent access to other data. Choice
D, system access restricted to business hours, only restricts when unauthorized access
can occur, and would not prevent such access at other times.
33. 32. Which of the following concerns about the security of an electronic message
would be addressed by digital signatures? A. Unauthorized reading B. Theft C.
Unauthorized copying D. Alteration Answer: D A digital signature includes an encrypted
hash total of the size of the message as it was transmitted by its originator. This hash
would no longer be accurate if the message was subsequently altered, thus indicating
that the alteration had occurred. Digital signatures will not identify or prevent any of the
other options. The signature would neither prevent nor deter unauthorized reading,
copying or theft.
34. 33. The MOST effective method for limiting the damage of an attack by a software
virus is: A. software controls. B. policies, standards and procedures. C. logical access
controls. D. data communication standards. Answer: A Software controls in the form of
virus detection and removal programs are the most effective method way to detect and
remove viruses. Policies, standards and procedures are important, because they are
people-based; however, they are generally considered less effective than software
controls. Choices C and D, are not relevant to virus detection.
35. 34. Which of the following BEST determines that complete encryption and
authentication protocols exist for protecting information while transmitted? A. A digital
signature with RSA has been implemented. B. Work is being done in tunnel mode with
the nested services of AH and ESP C. Digital certificates with RSA are being used. D.
Work is being done in transport mode, with the nested services of AH and ESP Answer:
B Tunnel mode provides encryption and authentication of the complete IP package. To
accomplish this, the AH (authentication header) and ESP (encapsulating security
payload) services can be nested. The transport mode provides primary protection for the
protocols higher layers, this is, protection extends to the data field (payload) of an IP
package. The other two mechanisms provide authentication and integrity.
36. 35. Which of the following would be MOST appropriate to ensure the confidentiality of
transactions initiated via the Internet? A. Digital signature B. Data encryption standard
(DES) C. Virtual private network (VPN) D. Public key encryption Answer: D Encryption is
the only way to ensure Internet transactions are confidential, and of the choices available,
the use of public key encryption is the best method. Digital signatures would ensure the
transaction is not changed and cannot be repudiated, but would not ensure
confidentiality.
37. 36. The PRIMARY objective of a firewall is to protect: A. internal systems from
exploitation by external threats. B. external systems from exploitation by internal threats.
C. internal systems from exploitation by internal threats. D. itself and attached systems
against being used to attack other systems. Answer: A Firewall is placed at the point
where the internal network connects to the outside world I.e., Internet. It acts as a
security guard to the network, protecting it against malicious attacks from outside the
organizations network. It screens packets coming into and going out of the internal
network and prevents malicious packets from entering it and denies access to prohibited
resources on the Internet for the internal users. It is neither the responsibility nor is it
possible for the organization to protect outside systems. Packets whose source and
destination IP addresses refer to hosts within the same network are not sent out of the

38.

39.

40.

41.

42.

network and hence do not pose a security threat. Choice D is not a primary objective as
this is just one form of attack hackers resort to that the firewall protects the internal
network form.
38. 37. Which of the following is an example of the physiological biometrics technique? A.
Hand scans B. Voice scans C. Signature scans D. Keystroke monitoring Answer: A
Physiological biometrics are based on measurement of data derived from direct
measurement of a part of the human body. Choices B, C and D are examples of behavior
biometrics.
39. 38. An IS auditor has just completed a review of an organization that has a mainframe
and a client-server environment where all production data reside. Which of the following
weaknesses would be considered the MOST serious? A. The security officer also serves
as the database administrator (DBA.) B. Password controls are not administered over the
client/server environment. C. There is no business continuity plan for the mainframe
systems non-critical applications. D. Most LANs do not back up file server fixed disks
regularly. Answer: B The absence of password controls on the client-server where
production data resides is the most critical weakness. All other findings, while they are
control weaknesses, do not carry the same disastrous impact.
40. 39. An organization is proposing to install a single sign-on facility giving access to all
systems. The organization should be aware that: A. Maximum unauthorized access
would be possible if a password is disclosed. B. User access rights would be restricted by
the additional security parameters. C. The security administrators workload would
increase. D. User access rights would be increased. Answer: A If a password is disclosed
when single sign-on is enabled, there is a risk that unauthorized access to all systems will
be possible. User access rights should remain unchanged by single sign-on as additional
security parameters are not necessarily implemented. One of the intended benefits of
single sign-on is that security administration would be simplified and an increased
workload is unlikely.
41. 40. A B-to-C e-commerce web site as part of its information security program wants
to monitor, detect and prevent hacking activities and alert the system administrator when
suspicious activities occur. Which of the following infrastructure components could be
used for this purpose? A. Intrusion detection systems B. Firewalls C. Routers D.
Asymmetric encryption Answer: A Intrusion detection systems detect intrusion activity
based on the intrusion rules. It can detect both, external and internal intrusion activity and
send an automated alarm message. Firewalls and routers prevent the unwanted and welldefined communications between the internal and external networks. They do not have
any automatic alarm messaging systems.
42. 41. During an audit of a reciprocal disaster recovery agreement between two
companies, the IS auditor would be PRIMARILY concerned about: A. the soundness of
the impact analysis. B. hardware and software compatibility. C. differences in IS policies
and procedures. D. frequency of system testing. Answer: B For a reciprocal agreement to
be effective, hardware and software at the two sites must be compatible. Processes to
ensure this occurred must be in place. Choice D, frequency of system testing, is a
concern, but the reason for considering this is that it tests hardware and software
compatibility. Choice A is an issue when examining the planning process, not the
reciprocal agreement. Choice C is not an issue since the organization can have

differences in policies and procedures and still be able to run their systems on each
others sites in the event of a disaster.
43. 43. 42. An IS auditor discovers that an organizations business continuity plan provides
for an alternate processing site that will accommodate fifty percent of the primary
processing capability. Based on this, which of the following actions should the IS auditor
take? A. Do nothing, because generally, less than twenty-five percent of all processing is
critical to an organizations survival and the backup capacity, therefore is adequate. B.
Identify applications that could be processed at the alternate site and develop manual
procedures to backup other processing. C. Ensure that critical applications have been
identified and that the alternate site could process all such applications. D. Recommend
that the information processing facility arrange for an alternate processing site with the
capacity to handle at least seventy-five percent of normal processing. Answer: C
Business continuity plans should provide for the recovery of critical systems, not
necessarily all systems. Perhaps only fifty percent of the company's systems are critical.
Therefore, careful assessment of critical systems and capacity requirements should be
part of the IS auditor's test of the plan.
44. 44. 43. Which of the following components of a business continuity plan is PRIMARILY
the responsibility of an organizations IS department? A. Developing the business
continuity plan B. Selecting and approving the strategy for business continuity plan C.
Declaring a disaster D. Restoring the IS systems and data after a disaster Answer: D The
correct choice is restoring the IT systems and data after a disaster. The IT department of
an organization is primarily responsible for restoring the IT systems and data after a
disaster at the earliest possible time. The senior management of the organization is
primarily responsible for developing the business continuity plan for an organization. They
are also responsible for selecting and approving the strategy for developing and
implementing a detailed business continuity plan. The organization should identify a
person in management as responsible for declaring a disaster. Although IT is involved in
all the other three components, it is not primarily responsible for them.
45. 45. 44. Which of the following issues should be included in the business continuity plan?
A. The staff required to maintain critical business functions in the short, medium and long
term B. The potential for a natural disaster to occur, such as an earthquake C. Disastrous
events impacting information systems processing and end-user functions D. A risk
analysis that considers systems malfunctions, accidental file deletions or other failures
Answer: A Where a unified business continuity plan does not exist, the plan for
information systems processing should be extended to include planning for all units that
are dependent upon information systems processing functions. But, when formulating a
thorough business continuity plan, a very important issue to be considered is the staff
that will be required to maintain critical business functions over time, until the organization
is fully operational again. Another important issue is the configuration of the business
facilities, e.g., desks, chairs, telephones, etc., that will be needed to maintain critical
business functions in the short, medium and long term. Choice B is incorrect because it
has to do with what a good business continuity plan will take into account in case of
disastrous events happening. This could be considered as a subset of a business
continuity plan, but it does not have the same impact as the staff required and trained to
perform in the event of a natural disaster. Choice C is incorrect because, like in the
natural disaster case, this could be considered a subset of a business continuity plan, but

46.

47.

48.

49.

50.

it does not have the same impact as the staff required and trained to perform in the event
of a disaster that would impact information systems processing and end-user functions.
Choice A would be the subject and choices B and C would be the cause to deploy the
business continuity plan. Choice D is incorrect because it deals with disruptions in
service having their roots in systems malfunctions; but again, this would be another
aspect dealt with in the business continuity plan, but not a main issue included in it.
46. 45. In an audit of a business continuity plan, which of the following findings is of
MOST concern? A. There is no insurance for the addition of assets during the year. B.
BCP manual is not updated on a regular basis. C. Testing of the backup of data has not
been done regularly. D. Records for maintenance of access system have not been
maintained. Answer: C The most vital asset for a company is data. In a business
continuity plan, it is critical to ensure that data is available. Hence, regular testing of the
backup of data must be done. If testing is not done, the organization may not be able to
retrieve data when required during a disaster; hence, the company may lose its most
valuable asset and may not be able to recover from the disaster. The loss on account of
lack of insurance is limited to the value of assets. If the BCP manual is not updated, the
company may find the BCP manual not fully relevant for recovery during a disaster.
However, recovery could be still possible. Non maintenance of records in an access
system will not directly impact the relevance of the business continuity plan.
47. 46. Classification of information systems is essential in business continuity planning.
Which of the following system types can not be replaced by manual methods? A. Critical
system B. Vital system C. Sensitive system D. Non-critical system Answer: A The
functions of a critical system can only be replaced by identical capabilities. The functions
of vital and sensitive systems can be performed manually. Choice D is a distracter.
48. 47. An IS auditor should be involved in: A. observing tests of the disaster recovery
plan. B. developing the disaster recovery plan. C. maintaining the disaster recovery plan.
D. reviewing the disaster recovery requirements of supplier contracts. Answer: A The IS
auditor should always be present when disaster recovery plans are tested, to ensure that
the test meets the required targets for restoration and recovery procedures are effective
and efficient, reporting on the results as appropriate. IS auditors may be involved in
overseeing plan development, but they are unlikely to be involved in the actual
development process. Similarly, an audit of plan maintenance may be conducted, but the
IS auditor would not normally have any responsibility for the actual maintenance. An IS
auditor may be asked to comment upon various elements of a supplier contract but,
again, this is not always the case.
49. 48. The window of time recovery of information processing capabilities is based on
the: A. criticality of the processes affected. B. quality of the data to be processed. C.
nature of the disaster. D. applications that are mainframe based. Answer: A The criticality
of the processes that are affected by the disaster is the basis for computing the window of
time recovery. The quality of the data to be processed and the nature of the disaster are
not the basis for determining the window of time. Being a mainframe application does not
of itself provide a window of time basis.
50. 49. During an IT audit of a large bank, an IS auditor observes that no formal risk
assessment exercise has been carried out for the various business applications to arrive
at their relative importance and recovery time requirements. The risk that the bank is
exposed to is that the: A. business continuity plan may not have been calibrated to the

51.

52.

53.

54.

relative risk that disruption of each application poses to the organization. B. business
continuity plan may not include all relevant applications and therefore may lack
completeness in terms of its coverage. C. business impact of a disaster may not have
been accurately understood by the management. D. business continuity plan may lack an
effective ownership by the business owners of such applications. Answer: A The first and
key step in developing a business continuity plan is a risk assessment exercise that
analyzes the various risks that an organization faces and the impact of non-availability of
individual applications. Section 4.9.1.2 of BS 7799 (Standard on Information Security
Management ) states that a strategy plan, based on appropriate risk assessment, shall
be developed for overall approach to business continuity.
51. 50. Which of the following is necessary to have FIRST in the development of a
business continuity plan? A. Risk-based classification of systems B. Inventory of all
assets C. Complete documentation of all disasters D. Availability of hardware and
software Answer: A A well-defined, risk-based classification system for all assets and
processes of the organization is one of the most important component for initializing the
business continuity planning efforts. A well-defined risk-based classification system would
assist in identifying the criticality of each of the key processes and assets used by the
organization. This would assist in the easy identification of key assets and processes to
be secured and plans to be made to recover these processes and assets at the earliest
after a disaster. Inventory of critical assets and not all assets is required for initiating a
business continuity plan. Complete documentation of all disasters is not a prerequisite for
initiating a business continuity plan, rather various disasters are considered while
developing the plan and only the one having an impact on the organization is addressed
in the plan. The availability of hardware and software is not required for initiating the
development of a plan; however, it is considered when developing the detailed plan in
accordance with the strategy adopted.
52. 51. The application test plans are developed in which of the following systems
development life cycle (SDLC) phases? A. Design B. Testing C. Requirement D.
Development Answer: A Developing test plans for the various levels of testing is one of
the key activities during the application development design phase. The test plans are
used in the actual software testing.
53. 52. Which of the following tests confirm that the new system can operate in its target
environment? A. Sociability testing B. Regression testing C. Validation testing D. Black
box testing Answer: A Sociability testing is used to confirm that the new or modified
system can operate in its target environment without adversely impacting on existing
system. Regression testing is the process of rerunning a portion of a test scenario or test
plan to ensure that changes or corrections have not introduced new errors. Validation
testing is used to test the functionality of the system against the detailed requirement to
ensure that the software that has been built is traceable to customer requirements. Black
box testing examines some aspect of the system during integration testing with little
regard for the internal logical structure of the software.
54. 53. The MOST appropriate person to chair the steering committee for a system
development project with significant impact on a business area would be the: A. business
analyst. B. chief information officer. C. project manager. D. executive level manager.
Answer: D The chair of the steering committee should be a senior person (executive level
manager) with the authority to make decisions relating to the business requirements,

55.

56.

57.

58.

59.

resources, priority and deliverables of the system. The chief information officer (CIO)
would not normally be the chair, although the CIO or his representative would be a
member to provide input on organization wide strategies. The project manager and the
business analyst do not have an appropriate level of authority within the organization,
55. 54. The PRIMARY purpose of undertaking a parallel run of a new system is to: A.
verify that the system provides required business functionality. B. validate the operation of
the new system against its predecessor. C. resolve any errors in the program and file
interfaces. D. verify that the system can process the production load. Answer: B The
objective of parallel running is to verify that the new system produces the same results as
the old system. The verification of functionality is through acceptance testing, while
resolving errors in programs is accomplished through system testing. Verifying that the
system can handle the production load may be a secondary outcome of a parallel run,
but it is not the primary purpose. If it were the primary purpose, it would be a stress test
probably run in the test environment.
56. 55. Change control procedures to prevent scope creep during an application
development project should be defined during: A. design. B. feasibility. C.
implementation. D. requirements definition. Answer: A The change control procedures
are generally common for applications within one organization; however, the applicationspecific change control procedures are to be defined during the design phase of SDLC
and should be based on the modules in the software. The other choices are incorrect. It
is too early to define change control procedures during the feasibility phase, and it would
also be too late during the implementation phase and after the implementation of
software.
57. 56. Which of the following would MOST likely ensure that a system development
project meets business objectives? A. Maintenance of program change logs B.
Development of a project plan identifying all development activities C. Release of
application changes at specific times of the year D. User involvement in system
specification and acceptance Answer: D Effective user involvement (choice D) is the most
critical factor in ensuring that the application meets business objectives. Choices A, B
and C are project management tools and techniques and are not of themselves methods
for ensuring that the business objectives are met by the application system.
58. 57. Which of the following is a measure of the size of an information system based on
the number and complexity of a systems inputs, outputs and files? A. Function point (FP)
B. Program evaluation review technique (PERT) C. Rapid application design (RAD) D.
Critical path method (CPM) Answer: A Function point (FP) analysis is a measure of the
size of an information system based on the number and complexity of the inputs, outputs
and files with which a user sees and interacts with. FPs are used in a manner analogous
to LOC as a measure of software productivity, quality and other attributes. PERT is a
network management technique used in both the planning and control of projects. RAD is
a methodology that enables organizations to develop strategically important systems
faster while reducing development costs and maintaining quality. CPM is used by network
management techniques such as PERT, to compute a critical path.
59. 58. When auditing the requirements phase of a software acquisition, the IS auditor
should: A. assess the feasibility of the project timetable. B. assess the vendors proposed
quality processes. C. ensure that the best software package is acquired. D. review the
completeness of the specifications. Answer: D The purpose of the requirements phase is

60.

61.

62.

63.

64.

65.

to specify the functionality of the proposed system; therefore the IS auditor would
concentrate on the completeness of the specifications. The decision to purchase a
package from a vendor would come after the requirements have been completed.
Therefore choices B and C are incorrect. Choice A is incorrect because a project
timetable normally would not be found in a requirements document.
60. 59. The purpose of debugging programs is to: A. generate random data that can be
used to test programs before implementing them. B. protect, during the programming
phase, valid changes from being overwritten by other changes. C. define the program
development and maintenance costs to be include in the feasibility study. D. ensure that
program abnormal terminations and program coding flaws are detected and corrected.
Answer: D Debugging provides the basis for the programmer to correct the logic errors in
a program under development before it goes into production. Tools such as logic paths
monitors, memory dumps and output analyzers aid in this process.
61. 60. Software maintainability BEST relates to which of the following software
attributes? A. Resources needed to make specified modifications. B. Effort needed to use
the system application. C. Relationship between software performance and the resources
needed. D. Fulfillment of user needs. Answer: A Maintainability is the set of attributes that
bears on the effort needed to make specified modifications. Other choices relate to
software attributes for usability, efficiency and functionality respectively.
62. 61. IT governance ensures that an organization aligns its IT strategy with: A.
Enterprise objectives. B. IT objectives. C. Audit objectives. D. Finance objectives.
Answer: A IT governance ensures that the organization aligns its IT strategy with the
enterprise/business objectives. Choices B, C and D are too limited.
63. 62. A validation which ensures that input data are matched to predetermined
reasonable limits or occurrence rates, is known as: A. Reasonableness check. B. Validity
check. C. Existence check. D. Limit check. Answer: A A reasonableness check ensures
that input data are matched to predetermined reasonable limits or occurrence rates. A
validity check is a programmed checking of the data validity in accordance with
predetermined criteria. Existence checks are checks for data reentered correctly and
agree with valid predetermined criteria. A limit check ensures data does not exceed a
predetermined amount.
64. 63. During which of the following steps in the business process reengineering should
the benchmarking team visit the benchmarking partner? A. Observation B. Planning C.
Analysis D. Adaptation Answer: A During the observation stage, the team collects data
and visits the benchmarking partner. In the planning stage, the team identifies the critical
processes for the benchmarking purpose. The analysis stage involves summarizing and
interpreting the data collected and analyzing the gaps between an organizations process
and its partners process. During the adaptation step, the team needs to translate the
findings into a few core principles and work down from principles to strategies, to action
plans.
65. 64. Which of the following procedures should be implemented to help ensure the
completeness of inbound transactions via electronic data interchange (EDI)? A. Segment
counts built into the transaction set trailer B. A log of the number of messages received,
periodically verified with the transaction originator C. An electronic audit trail for
accountability and tracking D. Matching acknowledgement transactions received to the
log of EDI messages sent Answer: A Control totals built into the trailer record of each

66.

67.

68.

69.

segment is the only option that will ensure all individual transactions sent are completely
received. The other options provide supporting evidence, but their findings are either
incomplete or not timely.
66. 65. A utility is available to update critical tables in case of data inconsistency. This
utility can be executed at the OS prompt or as one of menu options in an application. The
BEST control to mitigate the risk of unauthorized manipulation of data is to: A. delete the
utility software and install it as and when required. B. provide access to utility on a needto-use basis. C. provide access to utility to user management D. define access so that
the utility can be only executed in menu option. Answer: B Utility software in this case is a
data correction program for correcting any inconsistency in data. However, this utility can
be used to over-ride wrong update of tables directly. Hence, access to this utility should
be restricted on a need-to-use basis and a log should be automatically generated
whenever this utility is executed. The senior management should review this log
periodically. Deleting the utility and installing it as and when required may not be
practically feasible as there would be time delay. Access to utilities should not be
provided to user management. Defining access so that the utility can be executed in a
menu option may not generate a log.
67. 66. When conducting a review of business process re-engineering, an IS auditor
found that a key preventive control had been removed. In this case, the IS auditor should:
A. inform management of the finding and determine if management is willing to accept
the potential material risk of not having that preventing control. B. determine if a detective
control has replaced the preventive control during the process and if so, not report the
removal of the preventive control. C. recommend that this and all control procedures that
existed before the process was reengineered be included in the new process. D. develop
a continuous audit approach to monitor the effects of the removal of the preventive
control. Answer: A Choice A is the best answer. Management should be informed
immediately to determine if they are willing to accept the potential material risk of not
having that preventive control in place. The existence of a detective control instead of a
preventive control usually increases the risks that a material problem may occur. Often
during a BPR many non-value-added controls will be eliminated. This is good, unless
they increase the business and financial risks. The IS auditor may wish to monitor or
recommend that management monitor the new process, but this should be done only
after management has been informed and accepts the risk of not having the preventive
control in place.
68. 67. Which of the following is an output control objective? A. Maintenance of accurate
batch registers B. Completeness of batch processing C. Appropriate accounting for
rejections and exceptions D. Authorization of file updates Answer: C Exceptions and
rejections are output products that must be accounted for by appropriate output controls.
Choices A, B and D are input control objectives.
69. 68. In a system that records all receivables for a company, the receivables are posted
on a daily basis. Which of the following would ensure that receivables balances are
unaltered between postings? A. Range checks B. Record counts C. Sequence checking
D. Run-to-run control totals Answer: D Run-to-run control totals are totals of key fields - in
this case the totals of the receivables balances - taken when the receivables are posted.
If the totals are recalculated and compared with previous balance, this would detect
alterations between postings. Both record counts and sequence checking would only

70.

71.

72.

73.

detect missing records. They would not detect situations in which records are altered, but
the number of records are unchanged. Range checks would only detect when the
balances are outside a predetermined value range and not changes to balances within
those ranges.
70. 69. Which of the following is the MOST important issue to the IS auditor in a business
process re-engineering (BPR) project would be? A. The loss of middle management,
which often is a result of a BPR project B. That controls are usually given low priority in a
BPR project C. The considerable negative impact that information protection could have
on BPR D. The risk of failure due to the large size of the task usually undertaken in a
BPR project Answer: B Controls should be given high priority during a BPR project,
therefore this would be a concern for the IS auditor if they are not adequately considered
by management. The fact that middle management is lost, as stated in choice A, is not
necessarily a concern as long as controls are in place. Choices C and D do not have any
relevance to a BPR project.
71. 70. To meet pre-defined criteria, which of the following continuous audit techniques
would BEST identify transactions to audit? A. Systems Control Audit Review File and
Embedded Audit Modules (SCARF/EAM) B. Continuous and Intermittent Simulation (CIS)
C. Integrated Test Facilities (ITF) D. Audit hooks Answer: B Continuous and Intermittent
Simulation (CIS) is a moderately complex set of programs that during a process run of a
transaction, simulates the instruction execution of its application. As each transaction is
entered, the simulator decides whether the transaction meets certain predetermined
criteria and if so, audits the transaction. If not, the simulator waits until it encounters the
next transaction that meets the criteria. Audits hooks which are of low complexity focus
on specific conditions instead of detailed criteria in identifying transactions for review. ITF
is incorrect because its focus is on test versus live data. And SCARF/EAM focus is on
controls versus data.
72. 71. In a risk-based audit approach, an IS auditor, in addition to risk, would be
influenced by: A. the availability of CAATs. B. management's representation. C.
organizational structure and job responsibilities. D. the existence of internal and
operational controls Answer: D The existence of internal and operational controls will
have a bearing on the IS auditor's approach to the audit. In a risk-based approach the IS
auditor is not just relying on risk, but also on internal and operational controls as well as
knowledge of the company and the business. This type of risk assessment decision can
help relate the cost-benefit analysis of the control to the known risk, allowing practical
choices. The nature of available testing techniques and management's representations,
have little impact on the risk-based audit approach. Although organizational structure and
job responsibilities need to be considered, they are not directly considered unless they
impact internal and operational controls.
73. 72. The extent to which data will be collected during an IS audit should be
determined, based on the: A. availability of critical and required information. B. auditor's
familiarity with the circumstances. C. auditee's ability to find relevant evidence. D.
purpose and scope of the audit being done. Answer: D The extent to which data will be
collected during an IS audit should be related directly to the scope and purpose of the
audit. An audit with a narrow purpose and scope would result most likely in less data
collection, than an audit with a wider purpose and scope. The scope of an IS audit should
not be constrained by the ease of obtaining the information or by the auditor's familiarity

74.

75.

76.

77.

with the area being audited. Collecting all the required evidence is a required element of
an IS audit and the scope of the audit should not be limited by the auditee's ability to find
relevant evidence.
74. 73. The PRIMARY advantage of a continuous audit approach is that it: A. does not
require an IS auditor to collect evidence on system reliability while processing is taking
place. B. requires the IS auditor to review and follow up immediately on all information
collected. C. can improve system security when used in time-sharing environments that
process a large number of transactions. D. does not depend on the complexity of an
organization's computer systems. Answer: C The use of continuous auditing techniques
can actually improve system security when used in time-sharing environments that
process a large number of transactions, but leave a scarce paper trail. Choice A is
incorrect since the continuous audit approach often does require an IS auditor to collect
evidence on system reliability while processing is taking place. Choice B is incorrect
since an IS auditor normally would review and follow up only on material deficiencies or
errors detected. Choice D is incorrect since the use of continuous audit techniques does
depend on the complexity of an organization's computer systems.
75. 74. Which of the following data entry controls provides the GREATEST assurance
that the data is entered correctly? A. Using key verification B. Segregating the data entry
function from data entry verification C. Maintaining a log/record detailing the time, date,
employee's initials/user id and progress of various data preparation and verification tasks
D. Adding check digits Answer: A Key verification or one-to-one verification will yield the
highest degree of confidence that data entered is error free. However, this could be
impractical for large amounts of data. The segregation of the data entry function from
data entry verification is an additional data entry control but does not address accuracy.
Maintaining a log/record detailing the time, date, employee's initials/user ID and progress
of various data preparation and verification tasks, provides an audit trail. A check digit is
added to data to ensure that original data have not been altered. If a check digit is
wrongly keyed, this would lead to accepting incorrect data but would only apply to those
data elements having a check digit.
76. 75. Capacity monitoring software is used to ensure: A. maximum use of available
capacity. B. that future acquisitions meet user needs. C. concurrent use by a large
number of users. D. continuity of efficient operations. Answer: D Capacity monitoring
software shows the actual usage of online systems versus their maximum capacity. The
aim is to enable software support staff to ensure that efficient operation, in the form of
response times, is maintained in the event that use begins to approach the maximum
available capacity. Systems should never be allowed to operate at maximum capacity.
Monitoring software is intended to prevent this. Although the software reports may be
used to support a business case for future acquisitions, it would not provide information
on the effect of user requirements and it would not ensure concurrent usage of the
system by users, other than to highlight levels of user access.
77. 76. Which of the following exposures associated with the spooling of sensitive reports
for offline printing would an IS auditor consider to be the MOST serious? A. Sensitive
data can be read by operators. B. Data can be amended without authorization. C.
Unauthorized report copies can be printed. D. Output can be lost in the event of system
failure. Answer: C Unless controlled, spooling for offline printing may enable additional
copies to be printed. Print files are unlikely to be available for online reading by operators.

78.

79.

80.

81.

82.

Data on spool files are no easier to amend without authority than any other file. There is
usually a lesser threat of unauthorized access to sensitive reports in the event of a
system failure.
78. 77. Which of the following types of firewalls would BEST protect a network from an
Internet attack? A. Screened subnet firewall B. Application filtering gateway C. Packet
filtering router D. Circuit-level gateway Answer: A A screened subnet firewall would
provide the best protection. The screening router can be a commercial router or a node
with routing capabilities and the ability to allow or avoid traffic between nets or nodes
based on addresses, ports, protocols, interfaces, etc. Applicationlevel gateways are
mediators between two entities that want to communicate, also known as proxy
gateways. The application level (proxy) works at the application level, not only at a
package level. The screening controls at package level, addresses, ports, etc. but does
not see the contents of the package. A packet filtering router examines the header of
every packet or data traveling between the Internet and the corporate network.
79. 78. Applying a retention date on a file will ensure that: A. data cannot be read until the
date is set. B. data will not be deleted before that date. C. backup copies are not retained
after that date. D. datasets having the same name are differentiated. Answer: B A
retention date will ensure that a file cannot be overwritten before that date has passed.
The retention date will not affect the ability to read the file. Backup copies would be
expected to have a different retention date and therefore may well be retained after the
file has been overwritten. The creation date, not the retention date, will differentiate files
with the same name.
80. 79. A digital signature contains a message digest to: A. show if the message has
been altered after transmission. B. define the encryption algorithm. C. confirm the identity
of the originator. D. enable message transmission in a digital format. Answer: A The
message digest is calculated and included in a digital signature to prove that the
message has not been altered. It should be the same value as a recalculation performed
upon receipt. It does not define the algorithm or enable the transmission in digital format
and has no effect on the identity of the user, being there to ensure integrity rather than
identity.
81. 80. Which of the following would be the BEST method for ensuring that critical fields
in a master record have been updated properly? A. Field checks B. Control totals C.
Reasonableness checks D. A before-and-after maintenance report Answer: D A beforeand-after maintenance report is the best answer because a visual review would provide
the most positive verification that updating was proper.
82. 81. A TCP/IP-based environment is exposed to the Internet. Which of the following
BEST ensures that complete encryption and authentication protocols exist for protecting
information while transmitted? A. Work is completed in tunnel mode with IP security using
the nested services of authentication header (AH) and encapsulating security payload
(ESP). B. A digital signature with RSA has been implemented. C. Digital certificates with
RSA are being used. D. Work is being completed in TCP services. Answer: A Tunnel
mode with IP security provides encryption and authentication of the complete IP package.
To accomplish this, the AH (authentication header) and ESP (encapsulating security
payload) services can be nested. Choices B and C provide authentication and integrity.
TCP services do not provide encryption and authentication.

83. 83. 82. To prevent an organization's computer systems from becoming part of a
distributed denial-of-service attack, IP packets containing addresses that are listed as
unroutable can be isolated by: A. establishing outbound traffic filtering. B. enabling
broadcast blocking. C. limiting allowable services. D. network performance monitoring.
Answer: A Routers programmed with outbound traffic filtering, drop outbound packets that
contain addresses from other than the user's organization, including source addresses
that can not be routed. Broadcast blocking can be done by filtering routers or firewalls.
When programmed, IP packets coming from the Internet and using an address that
broadcasts to every computer on the destination organization's network can be dropped.
Firewalls and filtering routers can be programmed to limit services not allowed by policy
and can help prevent use of the company's systems. However, this will not isolate packets
that can not be routed. Network performance monitoring is a way to monitor system
performance for potential intrusions on a real-time basis and could help identify unusual
traffic volumes.
84. 84. 83. An IS auditor doing penetration testing during an audit of Internet connections
would: A. evaluate configurations. B. examine security settings. C. ensure virus-scanning
software is in use. D. use tools and techniques that are available to a hacker. Answer: D
Penetration testing is a technique used to mimic an experienced hacker attacking a live
site by using tools and techniques available to a hacker. The other choices are
procedures that an IS auditor would consider undertaking during an audit of Internet
connections, but are not aspects of penetration testing techniques.
85. 85. 84. An IS auditor performing a telecommunication access control review should be
concerned PRIMARILY with the: A. maintenance of access logs of usage of various
system resources. B. authorization and authentication of the user prior to granting access
to system resources. C. adequate protection of stored data on servers by encryption or
other means. D. accountability system and the ability to identify any terminal accessing
system resources. Answer: B The authorization and authentication of users is the most
significant aspect in a telecommunications access control review as it is a preventive
control. Weak controls at this level can affect all other aspects. The maintenance of
access logs of usage of system resources is a detective control. The adequate protection
of data being transmitted to and from servers by encryption or other means is a method
of protecting information during transmission and is not an access issue. The
accountability system and the ability to identify any terminal accessing system resources
deal with controlling access through the identification of a terminal.
86. 86. 85. An organization is considering connecting a critical PC-based system to the
Internet. Which of the following would provide the BEST protection against hacking? A.
An application-level gateway B. A remote access server C. A proxy server D. Port
scanning Answer: A An application-level gateway is the best way to protect against
hacking because it can define with detail rules that describe the type of user or
connection that is, or is not permitted. It analyzes in detail each package, not only in
layers one through four of the OSI model but also layers five through seven, which means
that it reviews the commands of each higher level protocol (HTTP, FTP, SNMP, etc.) For a
remote access server there is a device (server) asking for username and passwords
before entering the network. This is good when accessing private networks, but it can be
mapped or scanned from the Internet creating security exposure. Proxy servers can
provide protection based on the IP address and ports. However, an individual is needed

87.

88.

89.

90.

91.

who really knows how to do this, and second applications can use different ports for the
different sections of their program. Port scanning works when there is a very specific task
to do, but not when trying to control what comes from the Internet (or when all the ports
available need to be controlled somehow). For example, the port for "Ping" (echo
request) could be blocked and the IP addresses would be available for the application
and browsing, but would not respond to "Ping".
87. 86. If a database is restored using before-image dumps, where should the process be
restarted following an interruption? A. Before the last transaction B. After the last
transaction C. The first transaction after the latest checkpoint D. The last transaction
before the latest checkpoint Answer: A If before images are used, the last transaction in
the dump will not have updated the database prior to the dump being taken. The last
transaction will not have updated the database and must be reprocessed. Program
checkpoints are irrelevant in this situation.
88. 87. Which of the following is a practice that should be incorporated into the plan for
testing disaster recovery procedures? A. Invite client participation. B. Involve all technical
staff. C. Rotate recovery managers. D. Install locally stored backup. Answer: C Recovery
managers should be rotated to ensure the experience of the recovery plan is spread.
Clients may be involved but not necessarily in every case. Not all technical staff should
be involved in each test. Remote or offsite backup should always be used.
89. 88. A large chain of shops with EFT at point-of-sale devices has a central
communications processor for connecting to the banking network. Which of the following
is the BEST disaster recovery plan for the communications processor? A. Offsite storage
of daily backups B. Alternative standby processor onsite C. Installation of duplex
communication links D. Alternative standby processor at another network node Answer:
D Having an alternative standby processor at another network node would be the best.
The unavailability of the central communications processor would disrupt all access to the
banking network resulting in the disruption of operations for all of the shops. This could
be caused by failure of equipment, power or communications. Offsite storage of backups
would not help since EFT tends to be an online process and offsite storage will not
replace the dysfunctional processor. The provision of an alternate processor onsite would
be fine if it were an equipment problem, but would not help if the outage were caused by
power, for example. Installation of duplex communication links would be most appropriate
if it were only the communication link that failed.
90. 89. Which of the following is an object-oriented technology characteristic that permits
an enhanced degree of security over data? A. Inheritance B. Dynamic warehousing C.
Encapsulation D. Polymorphism Answer: C Encapsulation is a property of objects, which
prevents accessing either properties or methods, that have not been previously defined
as public. This means that any implementation of the behavior of an object is not
accessible. An object defines a communication interface with the exterior and only
whatever belongs to that interface can be accessed.
91. 90. When implementing an application software package, which of the following
presents the GREATEST risk? A. Uncontrolled multiple software versions B. Source
programs that are not synchronized with object code C. Incorrectly set parameters D.
Programming errors Answer: C Parameters that are not set correctly would be the
greatest concern when implementing an application software package. The other

92.

93.

94.

95.

96.

choices, though important, are a concern of the provider, not the organization that is
implementing the software itself.
92. 91. Which of the following controls would be MOST effective in ensuring that
production source code and object code are synchronized? A. Release-to-release source
and object comparison reports B. Library control software restricting changes to source
code C. Restricted access to source code and object code D. Date and time-stamp
reviews of source and object code Answer: D Date and time stamp reviews of source and
object code would ensure that source code, which has been compiled, matches the
production object code. This is the most effective way to ensure that the approved
production source code is compiled and is the one being used.
93. 92. During a post-implementation review of an enterprise resource management
system, an IS auditor would MOST likely: A. review access control configuration. B.
evaluate interface testing. C. review detailed design documentation. D. evaluate system
testing. Answer: A Reviewing access control configuration would be first task performed
to determine whether security has been mapped appropriately in the system. Since a
post-implementation review is done after user acceptance testing and actual
implementation, one would not engage in interface testing or detailed design
documentation. Evaluating interface testing would be part of the implementation process.
The issue of reviewing detailed design documentation is not generally relevant to an
enterprise resource management system since these are usually vendor packages with
user manuals. System testing should be performed before final user sign off.
94. 93. Which of the following types of controls is designed to provide the ability to verify
data and record values through the stages of application processing? A. Range checks
B. Run-to-run totals C. Limit checks on calculated amounts D. Exception reports Answer:
B Run-to-run totals provide the ability to verify data values through the stages of
application processing. Run-to-run total verification ensures that data read into the
computer was accepted and then applied to the updating process.
95. 94. The BEST method of proving the accuracy of a system tax calculation is by: A.
detailed visual review and analysis of the source code of the calculation programs. B.
recreating program logic using generalized audit software to calculate monthly totals. C.
preparing simulated transactions for processing and comparing the results to
predetermined results. D. automatic flowcharting and analysis of the source code of the
calculation programs. Answer: C Preparing simulated transactions for processing and
comparing the results to predetermined results is the best method for proving accuracy of
a tax calculation. Detailed visual review, flowcharting and analysis of source code are not
effective methods, and monthly totals would not address the accuracy of individual tax
calculations.
96. 95. IS management has recently informed the IS auditor of its decision to disable
certain referential integrity controls in the payroll system to provide users with a faster
report generator. This will MOST likely increase the risk of: A. data entry by unauthorized
users. B. a nonexistent employee being paid. C. an employee receiving an unauthorized
raise. D. duplicate data entry by authorized users. Answer: B Referential integrity controls
prevent the occurrence of unmatched foreign key values. Given that a nonexistent
employee does not appear in the employees' table, it will never have a corresponding
entry in the salary payments table. The other choices cannot be detected by referential
integrity controls.

97. 97. 96. Which of the following pairs of functions should not be combined to provide
proper segregation of duties? A. Tape librarian and computer operator B. Application
programming and data entry C. Systems analyst and database administrator D. Security
administrator and quality assurance Answer: B The role of application programming and
data entry should not be combined since no compensating controls exist that can mitigate
the segregation of duties risk. All other combined pairs of functions are acceptable.
98. 98. 97. An IS auditor who is reviewing application run manuals would expect them to
contain: A. details of source documents. B. error codes and their recovery actions. C.
program logic flowcharts and file definitions. D. change records for the application source
code. Answer: B Application run manuals should include actions taken on reported errors
that are essential for the operator to function properly. Source documents and source
code are irrelevant to the operator. Although dataflow diagrams may be useful, detailed
program diagrams and file definitions are not.
99. 99. 98. Which of the following IS functions may be performed by the same individual,
without compromising on control or violating segregation of duties? A. Job control analyst
and applications programmer B. Mainframe operator and system programmer C.
Change/problem and quality control administrator D. Applications and system
programmer Answer: C The change/problem and quality control administrator are two
compatible functions that would not compromise control or violate segregation of duties.
The other functions listed, if combined, would result in compromising control.
100.
100. 99. Which of the following is the MOST important function to be performed
by IT management within an outsourced environment? A. Ensuring that invoices are paid
to the provider B. Participating in systems design with the provider C. Renegotiating the
provider's fees D. Monitoring the outsourcing provider's performance Answer: D In an
outsourcing environment, the company is dependent on the performance of the service
provider. Therefore it is critical to monitor the outsourcing provider's performance to
ensure that it delivers services to the company as required. Payment of invoices is a
finance function which would be done per contractual requirements. Participating in
systems design is a by-product of monitoring the outsourcing provider's performance,
while renegotiating fees is usually a one-time activity.
101.
101. 100. An organization has outsourced network and desktop support. Although
the relationship has been reasonably successful, risks remain due to connectivity issues.
Which of the following controls should FIRST be performed to assure the organization
reasonably mitigates these possible risks? A. Network defense program B.
Encryption/Authentication C. Adequate reporting between organizations D. Adequate
definition in contractual relationship Answer: D The most effective and necessary control
that has to be in place first when a partnering arrangement is used is the contract. The
other answers are all good techniques used to minimize/mitigate controls. However, these
may not be enforceable unless detailed in the contractual arrangement.