An IS auditor is conducting a compliance test to determine whether controls

support management policies and procedures. The test will assist the
auditor to:-confirm that the control is operating as designed.

Note: Compliance tests can be used to test the existence and effectiveness
of a defined process. Understanding the objective of a compliance test is
important. IS auditors want reasonable assurance that the controls they are
relying on are effective. An effective control is one that meets management
expectations and objectives.
The FIRST step in execution of a problem management mechanism should
be:-exception reporting.

Note: The reporting of operational issues is normally the first step in

tracking problems.
An IS auditor is evaluating data mining and auditing software to be used in
future IS audits. What is the PRIMARY requirement that the software tool
should meet? The software tool should:-accurately capture data from the
organization's systems without causing excessive performance problems.

Note: While all of the choices above are desirable in a software tool
evaluated for auditing an data mining purposes, the most critical
requirement is that the tool will work effectively on the systems of the
organization being audited.
After completing the business impact analysis (BIA), what is the NEXT step
in the business continuity planning (BCP) process?-Develop recovery
strategies.

Note: Once the BIA is completed, the next phase in the BCP development is
to identify the various recovery strategies and select the most appropriate
strategy for recovering from a disaster that will meet the time lines and
priorities defined through the BIA.
In a small organization, an employee performs computer operations and,
when the situation demands, program modifications. Which of the following
should the IS auditor recommend?-Procedures that verify that only approved
program changes are implemented.
Note: An IS auditor must consider recommending a better process. An IS
auditor should recommend a formal change control process that manages
and could detect changes to production source and object code, such as
code comparisons, so the changes can be reviewed on a regular basis by a
third party. This would be a compensating control process.
A small organization has only one database administrator (DBA). The DBA
has root access to the UNIX server, which hosts the database application.
How should segregation of duties (SoD) be enforced in this scenario?-Ensure
that the database logs are forwarded to a UNIX server where the DBA does
not have root access.

Note: By creating logs that the DBA cannot erase or modify, segregation of
duties is enforced.
An IS auditor reviewing database controls discovered that changes to the
database during normal working hours were handled through a standard set
of procedures. However, changes made after normal hours required only an
abbreviated number of steps. In this situation, which of the following would
be considered an adequate set of compensating controls?-Use the DBA
account to make changes, log the changes and review the change log the
following day.

Note: The use of a DBA account is normally set up to log all changes made
and is most appropriate for changes made outside of normal hours. The use
of a log, which records the changes, allows changes to be reviewed.
Because of an abbreviated number of steps are used, this represents an
adequate set of compensating controls.
An IS auditor reviewing the IT project management process is reviewing a
feasibility study for a critical project to build a new data center. The IS
auditor is MOST concerned about the fact that:-the organizational impact of
the project has not been assessed.

Note: The feasibility study determines the strategic benefits of the project.
Therefore, the result of the feasibility study determines the organizational
impact a comparison report of costs, benefits, risk, etc. The project
portfolio is a part of measuring the organizational strategy.
A company has contracted with an external consulting firm to implement a
commercial financial system to replace its existing system developed in
house. In reviewing the proposed development approach, which of the
following would be of GREATEST concern?-A quality plan is not part of the
contracted deliverables.
Note: A quality plan is an essential element of all projects. It is critical that
the contracted supplier be required to produce such a plan. The quality plan
for the proposed development contract should be comprehensive and
encompass all phases of the development and include which business
functions will be included and when.
Which of the following provides the GREATEST assurance of message
authenticity?-The hash code is encrypted using the sender's private key.

Note: Encrypting the hash code using the sender's private key provides
assurance of the authenticity of the message and prevents anyone from
being able to alter the hash code.
Which of the following disaster recovery testing techniques is the MOST
efficient way to determine the effectiveness of the plan?-Preparedness tests

Note: Preparedness tests involve simulation of the entire environment (in

phases) at relatively low cost and help the team to better understand and
prepare for the actual test scenario.
An IS auditor is reviewing the disaster recovery plan (DRP) for a large
organization with multiple locations requiring high systems availability.
Which of the following causes the GREATEST concern?-Backup media are not
tested.

Note: Testing backups provides assurance that the backup data are reliable
and will be available when needed. Without backup data, the organization is
not addressing the risk of availability.
The specific advantage of white box testing is that it:-determines procedural
accuracy or conditions of a program's specific logic paths.

Note: White box testing assesses the effectiveness of software program

logic. Specifically, test data are used in determining procedural accuracy or
conditions of a programs logic paths.
A company has implemented a new clientserver enterprise resource
planning (ERP) system. Local branches transmit customer orders to a central
manufacturing facility. Which of the following would BEST ensure that the
orders are processed accurately and the corresponding products are
produced?-Verifying production to customer orders

Note: Verification will ensure that produced products match the orders in the
customer order system.
During an assessment of software development practices, an IS auditor finds
that open source software components were used in an application designed
for a client. What is the GREATEST concern the auditor would have about the
use of open source software?-The organization and client must comply with
open source software license terms.

Note: There are many types of open source software licenses and each has
different terms and conditions. Some open source software licensing allows
use of the open source software component freely, but requires that the
completed software product must also allow the same rights. This is known
as viral licensing, and if the development organization is not careful, its
products could violate licensing terms by selling the product for profit. The
IS auditor should be most concerned with open source software licensing
compliance to avoid unintended intellectual property risk or legal
consequences.
The PRIMARY reason for using digital signatures is to ensure data:-integrity.

Note: Digital signatures provide integrity because the digital signature of a

signed message (file, mail, document, etc.) changes every time a single bit
of the document changes; thus, a signed document cannot be altered. A
digital signature provides for message integrity, nonrepudiation and proof of
origin.
While performing an audit of an accounting application's internal data
integrity controls, an IS auditor identifies a major control deficiency in the
change management software that supports the accounting application. The
MOST appropriate action for the IS auditor to take is to:-continue to test the
accounting application controls and include mention of the change
management software control deficiency in the final report.

Note: It is the responsibility of the IS auditor to report on findings that could

have a material impact on the effectiveness of controlswhether or not
they are within the scope of the audit.
Which of the following is the MOST important skill an IS auditor should
develop to understand the constraints of conducting an audit?-Project
management

Note: Audits often involve resource management, deliverables, scheduling

and deadlines similar to project management best practices.
Which of the following sampling methods would be the MOST effective to
determine whether purchase orders issued to vendors have been authorized
as per the authorization matrix?-Attribute sampling

Note: Attribute sampling is the method used for compliance testing. In this
scenario, the operation of a control is being evaluated, and therefore the
attribute of whether each purchase order was correctly authorized would be
used to determine compliance with the control.
While conducting an audit of a service provider, an IS auditor observes that
the service provider has outsourced a part of the work to another provider.
Because the work involves confidential information, the IS auditor's PRIMARY
concern should be that the:-requirement for protecting confidentiality of
information could be compromised.

Note: Many countries have enacted regulations to protect the confidentiality

of information maintained in their countries and/or exchanged with other
countries. When a service provider outsources part of its services to another
service provider, there is a potential risk that the confidentiality of the
information will be compromised.
In the process of evaluating program change controls, an IS auditor would
use source code comparison software to:-examine source program changes
without information from IS personnel.

Note: When an IS auditor uses a source code comparison to examine source

program changes without information from IS personnel, the IS auditor has
an objective, independent and relatively complete assurance of program
changes because the source code comparison will identify the changes.
An organization has experienced a large amount of traffic being rerouted
from its Voiceover Internet Protocol (VoIP) packet network. The organization
believes it is a victim of eavesdropping. Which of the following could result
in eavesdropping of VoIP traffic?-Corruption of the address resolution
protocol (ARP) cache in Ethernet switches

Note: On an Ethernet switch there is a data table known as the address

resolution protocol (ARP) cache, which stores mappings between media
access control (MAC) and IP addresses. During normal operations, Ethernet
switches only allow directed traffic to flow between the ports involved in the
conversation and no other ports can see that traffic. However, if the ARP
cache is intentionally corrupted with an ARP poisoning attack, some
Ethernet switches simply flood the directed traffic to all ports of the
switch, which could allow an attacker to monitor traffic not normally visible
to the port where the attacker was connected, and thereby eavesdrop on
Voiceover Internet Protocol (VoIP) traffic.
An IS auditor evaluating logical access controls should FIRST:-obtain an
understanding of the security risk to information processing.

Note: When evaluating logical access controls, an IS auditor should first

obtain an understanding of the security risk facing information processing
by reviewing relevant documentation, by inquiries, and conducting a risk
assessment. This is necessary so that the IS auditor can ensure the controls
are adequate to address risk.
A message signed with a digital signature cannot be repudiated by the
sender because a digital signature:-authenticates contents and sender at
the time of signature.

Note: Digital signatures for the sender are attested by the certificate
authority and can be verified by the recipient; therefore, repudiation is not
possible. Additionally, the digital signature mechanism ensures the integrity
of the message content by creating a oneway hash at both the source and
destination and then comparing the two.
Email message authenticity and confidentiality is BEST achieved by signing
the message using the:-sender's private key and encrypting the message
using the receiver's public key.

Note: By signing the message with the senders private key, the receiver
can verify its authenticity using the senders public key. Encrypting with the
receivers public key provides confidentiality.
An organization's IS audit charter should specify the:-role of the IS audit
function.

Note: An IS audit charter establishes the role of the information systems

audit function. The charter should describe the overall authority, scope and
responsibilities of the audit function. It should be approved by the highest
level of management and, if available, by the audit committee.
Which of the following scenarios provides the BEST disaster recovery plan
(DRP) to implement for critical applications?-Daily data backups that are
stored offsite and a hot site located 140 kilometers from the main data
center.

Note: Of the given choices, this is the most suitable answer. The disaster
recovery plan (DRP) includes a hot site that is located sufficiently away from
the main data center and will allow recovery in the event of a major
disaster. Not having realtime backups may be a problem depending on
recovery point objective (RPO).
A hot site should be implemented as a recovery strategy when the:-disaster
tolerance is low.

Note: Disaster tolerance is the time gap during which the business can
accept nonavailability of IT facilities. If this time gap is low, recovery
strategies that can be implemented within a short period of time, such as a
hot site, should be used.
Which of the following types of penetration tests simulates a real attack and
is used to test incident handling and response capability of the target?-
Doubleblind testing

Note: Doubleblind testing is also known as zeroknowledge testing. This

refers to a test where the penetration tester is not given any information
and the target organization is not given any warningboth parties are
blind to the test. This is the best scenario for testing response capability
because the target will react as if the attack were real.
The internal IS audit team is auditing controls over sales returns and is
concerned about fraud. Which of the following sampling methods would
BEST assist the IS auditors?-Discovery
Note: Discovery sampling is used when an IS auditor is trying to determine
whether a type of event has occurred, and therefore it is suited to assess
the risk of fraud and to identify whether a single occurrence has taken place.
An IS auditor is evaluating the effectiveness of the organization's change
management process. What is the MOST important control that the IS
auditor should look for to ensure system availability?-That test plans and
procedures exist and are closely followed.

Note: The most important control for ensuring system availability is to

implement a sound test plan and procedures that are followed consistently.
Which of the following would be the GREATEST cause for concern when data
are sent over the Internet using secured hypertext transmission protocol
(HTTPS) protocol?-Presence of spyware in one of the ends

Note: Encryption using Secure Sockets Layer/Transport Layer Security

(SSL/TLS) tunnels makes it difficult to intercept data in transit, but when
spyware is running on an end user's computer, data are collected before
encryption takes place.
The MAIN purpose of a transaction audit trail is to:-determine accountability
and responsibility for processed transactions.

Note: Enabling audit trails aids in establishing the accountability and

responsibility for processed transactions by tracing them through the
information system.
During which phase of software application testing should an organization
perform the testing of architectural design?-Integration testing

Note: Integration testing evaluates the connection of two or more

components that pass information from one area to another. The objective is
to utilize unittested modules, thus building an integrated structure
according to the design.
Which of the following processes will be MOST effective in reducing the risk
that unauthorized software on a backup server is distributed to the
production server?-Review changes in the software version control system.
Note: It is common practice for software changes to be tracked and
controlled using version control software. An IS auditor should review reports
or logs from this system to identify the software that is promoted to
production. Only moving the versions on the version control system (VCS)
program will prevent the transfer of development or earlier versions.
In auditing a database environment, an IS auditor will be MOST concerned if
the database administrator (DBA) is performing which of the following
functions?-Installing patches or upgrades to the operating system.

Note: Installing patches or upgrades to the operating system is a function

that should be performed by a systems administrator, not by a DBA. If a
DBA were performing this function, there would be a risk based on
inappropriate segregation of duties.
Which of the following is an advantage of an integrated test facility (ITF)?-
Periodic testing does not require separate test processes.

Note: An ITF creates a fictitious entity in the database to process test

transactions simultaneously with live input. Its advantage is that periodic
testing does not require separate test processes. Careful planning is
necessary, and test data must be isolated from production data.

When using a digital signature, the message digest is computed:-by both

the sender and the receiver.

Note: A digital signature is an electronic identification of a person or entity. It

is created by using asymmetric encryption. To verify integrity of data, the
sender uses a cryptographic hashing algorithm against the entire message
to create a message digest to be sent along with the message. Upon receipt
of the message, the receiver will recompute the hash using the same
algorithm.
The activation of an enterprise's business continuity plan should be based
on predetermined criteria that address the:-duration of the outage.
Note: The initiation of a business continuity plan (action) should primarily be
based on the maximum period for which a business function can be
disrupted before the disruption threatens the achievement of organizational
objectives.
In the event of a data center disaster, which of the following would be the
MOST appropriate strategy to enable a complete recovery of a critical
database?-Realtime replication to a remote site

Note: With realtime replication to a remote site, data are updated

simultaneously in two separate locations; therefore, a disaster in one site
would not damage the information located in the remote site. This assumes
that both sites were not affected by the same disaster.
Which of the following is the MOST efficient strategy for the backup of large
quantities of missioncritical data when the systems need to be online to
take sales orders 24 hours a day?-Implementing a faulttolerant disktodisk
backup solution

Note: Disktodisk backup, also called disktodisktotape backup or tape

cache, is when the primary backup is written to disk instead of tape. That
backup can then be copied, cloned or migrated to tape at a later time
(hence the term "disktodisktotape). This technology allows the backup
of data to be performed without impacting system performance and allows a
large quantity of data to be backed up in a very short backup window. In
case of a failure, the faulttolerant system can transfer immediately to the
other disk set.
A certificate authority (CA) can delegate the processes of:-establishing a link
between the requesting entity and its public key.

Note: Establishing a link between the requesting entity and its public key is
a function of a registration authority. This may or may not be performed by a
CA; therefore, this function can be delegated.
Which of the following goals would you expect to find in an organization's
strategic plan?-Become the supplier of choice for the product offered.

Note: Becoming the supplier of choice for the product is a strategic business
objective that is intended to focus the overall direction of the business and
would, thus, be a part of the organizations strategic plan.
Which of the following is the MOST important critical success factor (CSF) of
implementing a riskbased approach to the IT system life cycle?-Adequate
involvement of stakeholders

Note: The most important critical success factor (CSF) is the adequate
involvement and support of the various quality assurance, privacy, legal,
audit, regulatory affairs or compliance teams in high regulatory risk
situations. Some IT system changes may, based on risk ratings, require
signoff from key stakeholders before proceeding.
Which one of the following could be used to provide automated assurance
that proper data files are being used during processing?-Internal labeling,
including file header records

Note: Internal labeling, including file header records, is correct because it

can provide assurance that proper data files are being used and it allows for
automatic checking.
Which of the following is the BEST control to implement to mitigate the risk
of an insider attack?-Limit individuals access to the duties required by their
jobs.

Note: The most critical factor to consider is to limit the access granted to
individuals to only the duties required for their jobs. Insider attacks may be
initiated by employees, consultants and/or contractors of an organization.
Insiderrelated risk is the most difficult risk to defend against because
insiders typically have been granted some physical and logical access to
systems, applications and networks. Remote access to corporate networks
and data also is common, due to technology such as virtual private
networks (VPNs) and smart phones, and poses a great threat to corporate
data. There is a need to put into place strong and effective controls to
mitigate this risk, the most basic of which is limiting access to what users
need to do their jobs.
Which of the following choices is the MOST effective control that should be
implemented to ensure accountability for application users accessing
sensitive data in the human resource management system (HRMS) and
among interfacing applications to the HRMS?-Audit trails
Note: Audit trails capture which user, at what time, and date, along with
other details, has performed the transaction and this helps in establishing
accountability among application users.
Which of the following is the BEST control to mitigate the risk of pharming
attacks to an Internet banking application?-Domain name system (DNS)
server security hardening

Note: The pharming attack redirects the traffic to an unauthorized web site
by exploiting vulnerabilities of the DNS server. To avoid this kind of attack, it
is necessary to eliminate any known vulnerability that could allow DNS
poisoning. Older versions of DNS software are vulnerable to this kind of
attack and should be patched.
The PRIMARY purpose of an IT forensic audit is:-the systematic collection
and analysis of evidence after a system irregularity.

Note: The systematic collection and analysis of evidence best describes a

forensic audit. The evidence collected could then be analyzed and used in
judicial proceedings.
Which of the following database controls would ensure that the integrity of
transactions is maintained in an online transaction processing system's
database?-Commitment and rollback controls

Note: Commitment and rollback controls are directly relevant to integrity.

These controls ensure that database operations that form a logical
transaction unit will be completed entirely or not at all; i.e., if, for some
reason, a transaction cannot be fully completed, then incomplete
inserts/updates/deletes are rolled back so that the database returns to its
pretransaction state.
An IS auditor is evaluating management's risk assessment of information
systems. The IS auditor should FIRST review:-the threats/vulnerabilities
affecting the assets.

Note: One of the key factors to be considered while assessing the

information systems risk is the value of the systems (the assets) and the
threats and vulnerabilities affecting the assets. The risk related to the use of
information assets should be evaluated in isolation from the installed
controls.
Use of asymmetric encryption in an Internet ecommerce site, where there
is one private key for the hosting server and the public key is widely
distributed to the customers, is MOST likely to provide comfort to the:-
customer over the authenticity of the hosting organization

Note: Any false site will not be able to encrypt using the private key of the
real site, so the customer would not be able to decrypt the message using
the public key.
Which of the following should be an IS auditor's PRIMARY concern after
discovering that the scope of an IS project has changed and an impact study
has not been performed?-The time and cost implications caused by the
change

Note: Any scope change might have an impact on duration and cost of the
project; that is the reason why an impact study is conducted and the client
is informed of the potential impact on the schedule and cost.
Which of the following would an IS auditor use to determine if unauthorized
modifications were made to production programs?-Compliance testing

Note: Determining that only authorized modifications are made to

production programs would require the change management process be
reviewed to evaluate the existence of a trail of documentary evidence.
Compliance testing would help to verify that the change management
process has been applied consistently.
A large industrial organization is replacing an obsolete legacy system and
evaluating whether to buy a custom solution or develop a system inhouse.
Which of the following will MOST likely influence the decision?-Technical
skills and knowledge within the organization related to sourcing and
software development

Note: Critical core competencies will most likely be carefully considered

before outsourcing the planning phase of the application.
Which of the following statements is valid while drafting a business
continuity plan (BCP)?-Downtime costs increase with time.
Note: Downtime costssuch as loss of sales, idle resources, salaries
increase with time. A business continuity plan (BCP) should be drawn to
achieve the lowest downtime costs possible.
The GREATEST benefit of having welldefined data classification policies and
procedures is:-a decreased cost of controls.

Note: An important benefit of a welldefined data classification process

would be to lower the cost of protecting data by ensuring that the
appropriate controls are applied with respect to the sensitivity of the data.
Without a proper classification framework, some security controls may be
greater and, therefore, more costly than is required based on the data
classification.
Which of the following is MOST important to ensure business continuity?-
Backup data

Note: Data are the most important of all options listed, and without data, a
business cannot recover.
When auditing a proxybased firewall, an IS auditor should:-verify that the
filters applied to services such as hypertext transmission protocol (HTTP) are
effective.

Note: A proxybased firewall works as an intermediary (proxy) between the

service or application and the client. It makes a connection with the client
and opens a different connection with the server and, based on specific
filters and rules, analyzes all the traffic between the two connections. Unlike
a packetfiltering gateway, a proxybased firewall does not forward any
packets. Mapping between MAC and IP addresses is a task for protocols such
as address resolution protocol (ARP)/reverse address resolution protocol
(RARP).
During an IS risk assessment of a healthcare organization regarding
protected healthcare information (PHI), an IS auditor interviews IS
management. Which of the following findings from the interviews would be
of MOST concern to the IS auditor?-Staff have to type [PHI] in the subject
field of email messages to be encrypted.

Note: There will always be humanerror risk that staff members forget to
type certain words in the subject field. The organization should have
automated encryption set up for outgoing email for employees working with
protected health care information (PHI) to protect sensitive information.
Which of the following would an IS auditor consider the MOST relevant to
shortterm planning for an IT department?-Allocating resources

Note: The IT department should specifically consider the manner in which

resources are allocated in the short term. The IS auditor will ensure that the
resources are being managed adequately.
Which of the following is widely accepted as one of the critical components
in networking management?-Configuration management

Note: Configuration management is widely accepted as one of the key

components of any network because it establishes how the network will
function internally and externally. It also deals with the management of
configuration and monitoring performance. Configuration management
ensures that the setup and management of the network is done properly,
including managing changes to the configuration, removal of default
passwords, and possibly hardening the network by disabling unneeded
services.
Which of the following is the BEST method to ensure data confidentiality in a
commercial businesstobusiness (B2B) web application?-Encrypting
transactions using the recipient's public key

Note: Encrypting the transactions with the recipient's public key will provide
confidentiality via asymmetric cryptography. The recipient will then decrypt
with a personal private key.
Which of the following should be of GREATEST concern to an IS auditor
reviewing the business continuity plan (BCP) of an organization?-A team of
IT and information security staff conducted the business impact analysis
(BIA)

Note: To be effective, the BIA should be conducted with input from a wide
array of stakeholders. The business requirements included within the BIA are
integral in defining meantimetorepair and the data point recovery.
Without business stakeholder input, these critical requirements may not be
correctly defined, leading to critical assets being overlooked.
In a public key infrastructure (PKI), a registration authority:-verifies
information supplied by the subject requesting a certificate

Note: A registration authority is responsible for verifying information

supplied by the subject requesting a certificate, and verifies the requestor's
right to request a certificate on behalf of themselves or their organization
The decisions and actions of an IS auditor are MOST likely to affect which of
the following types of risk?-Detection

Note: Detection risk is directly affected by the IS auditor's selection of audit

procedures and techniques. Detection risk is the risk that a review will not
detect or notice a material issue.
Which of the following controls would be MOST effective to reduce the risk of
loss due to fraudulent online payment requests?-Transaction monitoring

Note: An electronic payment system could be the target of fraudulent

activities. An unauthorized user could potentially enter false transactions.
By monitoring transactions, the payment processor could identify potentially
fraudulent transactions based on the typical usage patterns, monetary
amounts, physical location of purchases, and other data that are part of the
transaction process.
An investment advisor emails periodic newsletters to clients and wants
reasonable assurance that no one has modified the newsletter. This
objective can be achieved by:-encrypting the hash of the newsletter using
the advisor's private key

Note: It is not the intention of the investment advisor to maintain the

confidentiality of the newsletter. The objective is to assure the receivers that
it came to them without any modification (i.e. to give message integrity).
The hash is encrypted using the advisor's private key. The recipients can
open the newsletter, calculate its hash over the newsletter with the same
algorithm, and decrypt the received hash using the advisor's public key. If
the two hashes are equal, the newsletter was not modified in transit.
The GREATEST benefit of implementing an expert system is the:-capturing
of the knowledge and experience of individuals in an organization.
Note: The basis for an expert system is the capture and recording of the
knowledge and experience of individuals in an organization. This will allow
other users to access information formerly held only by experts.
An IS auditor conducting a physical security audit of an organization's back
office processing facility would find which of the following techniques MOST
effective to determine that the company's sensitive information is secure?-
Social engineering

Note: It has often been said that people are the weakest link in the security
chain and social engineering is a technique used to exploit human
vulnerabilities to obtain confidential or sensitive organization information.
This technique can be used to gain unauthorized access to the organization
facilities and manipulate people to divulge sensitive information e.g. a
social engineer may walk into company facilities, obtain confidential papers
or information left on employees' desks and printers, and even pose as a
member of the help desk team to obtain user passwords.
Assignment of process ownership is essential in system development project
because it:-ensures that the system design is based on business needs.

Note: The involvement of process owners will ensure that the system will be
designed according to the needs of the business processes that depend on
system functionality. A signoff on the design by the process owners is
crucial before development begins.
The BEST filter rule for protecting a network from being used as an amplifier
in a denialofservice (DoS) attack is to deny all:-outgoing traffic with IP
source addresses external to the network.

Note: Outgoing traffic with an IP source address different than the internal IP
range in the network is invalid. In most of the cases, it signals a denialof
service (DoS) attack originated by an internal user or by a previously
compromised internal machine; in both cases, applying this filter will stop
the infected machine from participating in the attack.
Which of the following would help to ensure the portability of an application
connected to a database?-Usage of a structured query language (SQL)
Note: The use of structured query language (SQL) facilitates portability
because it is an industry standard used by many systems.
An IS auditor has discovered that a new patch is available for an application,
but the IT department has decided that the patch is not needed because
other security controls are in place. What should the IS auditor recommend?-
Assess the overall risk, then decide whether to deploy the patch

Note: While it is important to ensure that the systems are properly patched,
a risk assessment needs to be performed to determine the likelihood and
probability of the vulnerability being exploited. Therefore, the patch would
be applied only if the risk of circumventing the existing security controls is
great enough to warrant it.
Which of the following would BEST describe encrypting and decrypting data
using an asymmetric encryption algorithm?-Use the receiver's private key to
decrypt data encrypted by the receiver's public key.

Note: In asymmetric encryption, if the message was encrypted by the

receiver's public key, it can only be decrypted by the receiver's private key.
An organization has recently installed a security patch, which crashed the
production server. To minimize the probability of this occurring again, an IS
auditor should:-ensure that a good change management process is in place.

Note: An IS auditor must review the change management process, including

patch management procedures, and verify that the process has adequate
controls and make suggestions accordingly.
An IS auditor is reviewing a new webbased order entry system the week
before it goes live. The IS auditor has identified that the application, as
designed, may be missing several critical controls regarding how the system
stores customer credit card information. The IS auditor should FIRST:-verify
that the security requirements have been properly specified in the project
plan.

Note: If there are significant security issues identified by an IS auditor, the

first question is whether the security requirements were correct in the
project plan. Depending on whether the requirements were included in the
plan would affect the recommendations the auditor would make.
An IS auditor finds outofrange data in some tables of a database. Which of
the following controls should the IS auditor recommend to avoid this
situation?-Implement integrity constraints in the database

Note: Implementing integrity constraints in the database is a preventative

control because data are checked against predefined tables or rules,
preventing any undefined data from being entered.
Which of the following is the MOST important for an IS auditor to consider
when reviewing a service level agreement (SLA) with an external IT service
provider?-Uptime guarantee

Note: The most important element of an SLA is the measurable terms of

performance, such as uptime agreements.
During an application audit, the IS auditor finds several problems related to
corrupt data in the database. Which of the following is a corrective control
that the IS auditor should recommend?-Proceed with restore procedures

Note: Proceeding with restore procedures is a corrective control. Restore

procedures can be used to recover databases to their lastknown archived
version.
Which of the following issues should be the GREATEST concern to the IS
auditor when reviewing an IT disaster recovery test?-During the test, some
of the backup systems were defective or not working, causing the test of
these systems to fail.

Note: The purpose of the test is to test the backup plan. When the backup
systems are not working then the plan cannot be counted on in a real
disaster. This is the most serious problem.
Which of the following BEST helps ensure that deviations from the project
plan are identified?-Project performance criteria

Note: To identify deviations from the project plan, project performance

criteria must be established as a baseline. Successful completion of the
project plan is indicative of project success.
The success of control selfassessment (CSA) depends highly on:-having line
managers assume a portion of the responsibility for control monitoring.

Note: The primary objective of a CSA program is to leverage the internal

audit function by shifting some of the control monitoring responsibilities to
the functional area line managers. The success of a CSA program depends
on the degree to which the line managers assume responsibility for controls.
This enables line managers to detect and respond to control errors promptly.
The optimal business continuity strategy for an entity is determined by the:-
lowest sum of downtime cost and recovery cost

Note: Both costs have to be minimized, and the strategy for which the sum
of the costs is the lowest is the optimal strategy.
In the process of evaluating program change controls, an IS auditor would
use source code comparison software to:-examine source program changes
without information from IS personnel.

Note: When an IS auditor, uses a source code comparison to examine source

program changes without information from IS personnel, the IS auditor has
an objective, independent, and relatively complete assurance of program
changes because the source code comparison will identify the changes.
Which of the following is a MAJOR concern during a review of help desk
activities?-Resolved incidents are closed without reference to users.

Note: The help desk function is a serviceoriented unit. The users must sign
off before an incident can be regarded as closed.
In a riskbased IS audit, where both inherent and control risk have been
assessed as high, an IS auditor would MOST likely compensate for this
scenario by performing additional:-substantive testing

Note: Because both the inherent and control risk are high in this case,
additional testing would be required. Substantive testing obtains audit
evidence on the completeness, accuracy, or existence of activities or
transactions during the audit period.
The ultimate purpose of IT governance is to:-encourage optimal use of IT.

Note: IT governance is intended to specify the combination of decision rights

and accountability that is best for the enterprise. It is different for every
enterprise.
An organization is using symmetric encryption. Which of the following would
be a valid reason for moving to asymmetric encryption? Symmetric
encryption:-can cause key management to be difficult.

Note: In a symmetric algorithm, each pair of users needs a unique pair of

keys so the number of keys grows and key management can become
overwhelming.
Which of the following BEST supports the prioritization of new IT projects?-
Investment portfolio analysis

Note: It is most desirable to conduct an investment portfolio analysis, which

will present not only a clear focus on investment strategy, but will provide
the rationale for terminating nonperforming IT projects.
Which of the following activities performed by a database administrator
(DBA) should be performed by a different person?-Deleting database activity
logs

Note: Because database activity logs record activities performed by the

DBA, deleting them should be performed by an individual other than the
DBA. This is a compensating control to aid in ensuring an appropriate
segregation of duties is associated with the DBA's role.
During a review of an outsourced network operations center (NOC), an IS
auditor concludes that the procedures to monitor remote network
administration activities by the outsourced agency are inadequate. During
the management discussion, the chief information officer (CIO) justifies this
issue as a help desk activity, covered by help desk procedures, and points
out that intrusion detection system (IDS) logs are activated and firewall
rules are monitored. What is the BEST course of action for the IS auditor to
take?-Document the identified finding in the audit report.
Note: IS auditor independence would dictate that the additional information
provided by the auditee will be taken into consideration. Normally, an IS
auditor would not automatically retract or revise the finding.
Which of the following types of risk is MOST likely encountered in a Software
as a Service (SaaS) environment?-Performance issues due to Internet
delivery method.

Note: The risk that could be most likely encountered in a SaaS environment
is speed and availability issues, due to the fact that SaaS relies on the
Internet for connectivity.
Which technique would BEST test for the existence of dual control when
auditing the wire transfer systems of a bank?-Observation

Note: Dual control requires that two people carry out an operation. The
observation technique would help to ascertain whether two individuals do
indeed get involved in execution of the operation and an element of
oversight exists. It would also be obvious if one individual is masquerading
and filling in the role of the second person.
Who should review and approve system deliverables as they are defined
and accomplished to ensure the successful completion and implementation
of a new business system application?-User management

Note: User management assumes ownership of the project and resulting

systems, allocates qualified representatives to the team, and actively
participates in system requirements definition, acceptance testing, and user
training. User management should review and approve system deliverables
as they are defined and accomplished or implemented.
After reviewing the disaster recovery plan (DRP) process of an organization,
an IS auditor requests a meeting with company management to discuss the
findings. Which of the following BEST describes the main goal of this
meeting?-Confirming factual accuracy of the findings.

Note: The goal of the meeting is to confirm the factual accuracy of the audit
findings and present an opportunity for management to agree on or respond
to recommendations for corrective action.
Which of the following preventive controls BEST helps secure a web
application?-Developer training
Note: Of the given choices, teaching developers to write secure code is the
best way to secure a web application.
What is the BEST way to verify that a digital signature is valid?-Verify that
the sender's public key certificate is from a trusted certificate authority (CA)

Note: Digital signatures are enabled by using the sender's private key. The
CA binds the identity of the public key with sender's private key to enable
the identification of the sender.
Validated digital signatures in an email software application will:-help detect
spam.

Note: Validated electronic signatures are based on qualified certificates that

are created by a certificate authority (CA), with the technical standards
required to ensure the key can neither be forced nor reproduced in a
reasonable time. Such certificates are only delivered through a registration
authority (RA) after a proof of identity has been passed. Using strong
signatures in email traffic, nonrepudiation can be assured and a sender can
be tracked. The recipient can configure his/her email server of client to
automatically delete emails from specific senders.
An IS auditor is reviewing a contract management process to determine the
financial viability of a software vendor for a critical business application. An
IS auditor should determine whether the vendor being considered:-can
support the organization in the long term.

Note: The longterm financial viability of a vendor is essential for deriving

maximum value for the organization it is more likely that a financially
sound vendor would be in business for a long period of time and thereby
more likely to be capable of providing longterm support for the purchased
product.