ELITE INSTITUTE OF SYSTEM AUDIT (EISA), Chennai

eisa@infosysauditor.com

MOCK TEST

1. What is the purpose of beta testing?

a. Vendor support
b. Security & training
c. Employees always want to work with leading edge companies and
this beta test helps towards that cause
d. Helps to retain employees in the organization

2. Which one of the following is not a compliance review or test?

a. Reconciling accounts
b. Determining whether policies are available
c. Determining whether controls are functioning
d. Determining whether documentation is available

3. Which of the following is not required in single sign-on?

a. Access list
b. Encrypted password
c. Remote logon procedure
d. Application log-on procedure

4. There is a possibility that incompatible functions may be performed by the
same individual either in IS or in the user department. One compensating
control for this situation is the use of:

a. A log
b. Hash totals
c. Batch totals
d. A check-digit control

5. Which of the following is LEAST important in single sign-on?

a. Access list
b. Encrypted password
c. Remote log-on procedure
d. Application log-on procedure

6. An Information Systems Auditor’s primary consideration regarding internal
control policies, procedures, and standards available in the IS department
is whether they are:

a. Documented
b. Distributed
c. Followed
d. Approved

7. What is an audit charter?

a. Provides audit procedures
b. Outlines the overall authority, scope, and responsibility of the audit
c. Helps with the required steps in audit program
d. A detailed staff training plan to conduct IS audit

8. Factoring is the process of:

a. Identifying the components of a system
b. Identifying the interfaces between subsystems
c. Decomposing a system into component activities
d. Decomposing a system into subsystems

9. When an organization is outsourcing the IS function from another country,
which of the following aspects are to be considered?

a. Trans-border privacy laws
b. Time Zone
c. Cultural differences
d. Availability of Information security policy

10. Auditors may decide to test compensating controls because:

a. They possess insufficient technical knowledge to test computer
controls
b. It may be more cost-effective to rely on compensating controls
c. They have decided to proceed directly to substantive testing
d. The internal control system cannot be relied upon anyway

11. While conducting an audit under regulatory requirements, the auditor
suspects a fraud. In such a case, to whom shall he report?

a. The management
b. The stakeholders
c. Shall consult the legal experts
d. Regulatory authority under which he’s conducting the audit

12. Which of the following is not a substantive test:

a. A test to compare data with a physical count
b. A test to assess the quality of data
c. A test to compare data with an outside source
d. A test to determine whether a data definition standard has been
followed.

13. In an organization where there is only one IS auditor and no substitute,
that person was asked by the management to be involved in the design
and development of an application. Once implemented, the same person will
have to audit the same application. In such a situation, what should the IS
auditor’s reaction be?

a. Inform the management about this situation and take up the audit
b. Decline to perform the audit
c. Be involved in the development of the application
d. Perform the audit. Since the IS auditor was part of the development
team, he could perform the audit in a better manner.

14. Which of the following is the most likely sequence of phases in the system
development process:

a. Analysis of the existing system, software acquisition and
development, organizational and job design
b. Acceptance testing, procedures development, management of the
change process
c. Entry and feasibility assessment, organizational and job design,
information processing system design
d. Entry and feasibility assessment, problem definition, analysis of the
existing system

15. During the exit interview, the IS manager argues with the IS auditor about
the correctness of findings. What should the IS auditor do in this situation?

a. Monitor the observed deficiency and submit the observation report
b. Support his claims with the working papers
c. Leave it to the IS manager’s discretion
d. Agree with the claims of the IS manager, because he is an
experienced person and his views may be correct.

16. Top-down testing proceeds:

a. After the program stubs have been designed
b. Concurrently with top-down design
c. As soon as the first lower-level module is compiled
d. After proofs of program correctness have first been attempted

17. What is the purpose of Control Self Assessment (CSA)?

a. Identify the high-risk areas for later review
b. Relinquishes the responsibility of Management
c. Reduce the scope of audit
d. Motivating the talented and highly skilled employees

18. The database administrator has primary responsibility for defining the:

a. Internal schema
b. Logical schema
c. External schema
d. Conceptual schema

19. Which of the following ensures that IT governance is aligned with business
and enterprise strategy?

a. Value analysis
b. Business impact analysis
c. Critical path analysis
d. Break-even point analysis

20. Which of the following activities carried out by the database administrator
is unlikely to be recorded on a machine log maintained by the operating
system or by the database management system:

a. Access to the database
b. Change of a password
c. Disclosure of a password to an unauthorized user
d. Deletion of a database record

21. During the implementation of Enterprise Resource Management (ERM)
software, the auditor’s review should begin in which of the following
phases?

a. Post-implementation
b. Just before going live
c. During acceptance test
d. During implementation

22. The unchecked emission of electromagnetic signals is a concern because:

a. The signals can be picked up and printed on a remote device
b. The signals interfere with the correct functioning of the central
processor
c. Noise pollution levels increase as a result
d. They facilitate visual eavesdropping

23. A feasibility report should include:

a. Cost-benefit analysis
b. Design phase
c. Development tools
d. Requirement analysis

24. Which of the following plans specifies the actions to be undertaken
immediately when a disaster occurs:

a. The backup plan
b. The recovery plan
c. The restart plan
d. The emergency plan

25. An organization is replacing the existing mainframe infrastructure with a new
acquisition. What is the FIRST step?

a. Inventory register must be updated
b. Applications should be tested in mainframe
c. Business case for replacing the existing facility
d. Sociability testing

26. Residual risk is:

a. The risk that cannot be handled by the installation and will not be
handled by an insurance company
b. The risk remaining after risks have been controlled by system
design, installation of security measures, and regular security
audits
c. The risk that must be treated as a cost of doing normal operations
d. The risk not covered in the insurance policies for data processing
assets

27. Integrated Development Environment (IDE) helps in

a. Faster program development
b. Reduces proliferation of multiple versions of programs
c. Decreases unauthorized access
d. Prevents overwriting of programs

28. The purpose of degaussing magnetic tapes before the ends are clipped is
to:

a. Indicate which section of the tape should be clipped
b. Delete sensitive information so data privacy is protected
c. Transfer information to another tape
d. Encrypt the information to preserve data privacy

29. Object-oriented programming is used because:

a. The calculations are complex
b. It breaks the modules into smaller parts
c. Program development is based on data structure
d. Real-time integration of code across platforms

30. A sound information security policy will MOST likely include a:

a. Response program to handle suspected intrusions
b. Correction program to handle suspected intrusions
c. Detection program to handle suspected intrusions
d. Monitoring program to handle suspected intrusions

31. Which of the following works in degraded mode?

a. Fall-back procedures
b. Fault tolerant
c. Re-configuration
d. Hardware redundancy

32. Which of the following actions should be undertaken when a file retention
date expires:

a. The storage medium on which the file resides should be retired
from use
b. The file should be removed to archival storage
c. The file should be purged
d. The file should be retrieved from backup storage

33. The use of Simple Object Access Protocol (SOAP) does which of the following?

a. Reduces remote procedure calls
b. Performs redundant tasks in web applications
c. Creates static web pages
d. Increases the performance of middleware

34. The class of authentication information to which a password belongs is:

a. Possessed objects
b. Personal information
c. Remembered information
d. Dialog information

35. A manager wants his department’s performance to be compared with the
best practice in a similar industry. Which of the following helps him to
achieve that?

a. Benchmark
b. ISO standards
c. Risk assessment
d. IS audit

36. Which of the following is not a desirable property of a cipher system:

a. Simplicity
b. Small Key
c. Low error propagation
d. Low work factor

37. When the organization reviews its performance with the similar industry,
which of the following can be used as an effective tool?

a. Benchmark
b. IT scorecard
c. Gap Analysis
d. Business Process Re-engineering (BPR)

38. To send a signed message to a receiver when a public-key cryptosystem
is used, the sender encrypts the message under the:

a. Sender’s private key
b. Receiver’s public key
c. Sender’s public key
d. Receiver’s private key

39. In the Business Process Re-engineering (BPR) process, the auditor
should be concerned with which of the following?

a. Removed controls
b. Performance monitoring
c. Process efficiency
d. Customer satisfaction

40. Which of the following situations is likely to lead to more serious
exposures in a digital signature system:

a. Compromise of a receiver’s private key
b. Compromise of a sender’s private key
c. Compromise of a key server’s private key
d. Use of a fake public key

41. When an organization continuously improves its processes, which of the
following stages of CMM is the enterprise in?

a. Defined
b. Managed
c. Optimizing
d. Ad-hoc

42. Which of the following actions should not be undertaken when plastic
debit/credit cards are issued:

a. Mail the cards in an envelope that does not identify the name of the
issuing institution
b. Make two different groups responsible for the mailing of cards and
the investigation of returned cards
c. Use pre-mailers to detect invalid addresses
d. Mail the card and the PIN mailer together in a registered envelope

43. The enterprise follows standard change management procedures. Which
of the following assures that the organization is in fact adhering to the change
control procedure?

a. User acceptance test is carried out prior to implementation
b. Change requests are initiated by the top management
c. Since user satisfaction is crucial for successful
implementation, every request for change ought to be accepted for
modifying the existing system
d. The programmer who modified the system in
development migrates the changes into production

44. Which of the following events is not recorded on a public audit trail in a
digital signature system:

a. Registration of public keys
b. Registration of signatures
c. Notification of key compromises
d. Modifications to private keys

45. Which of the following ensures that the source program and production
object executable are synchronized?

a. Time stamp review of source and production object
b. Code comparison of source and production object
c. Code review
d. Access control

46. A check for missing data/blanks is an example of a:

a. Record check
b. Set membership check
c. Field check
d. Batch check

47. When an intrusion is suspected, the employee of the organization shall:

a. Report the matter to IS auditor
b. Inform his manager
c. Shut down the system he/she is working with
d. Do nothing

48. A check for valid sign (numeric) is an example of a:

a. Record check
b. Batch check
c. Field check
d. Alphabetic/numeric check

49. Normalization helps in

a. Reducing anomalies
b. Operation efficiency
c. Enforcing data security
d. Storing database related index and description

50. The purpose of an input validation sequence check is to:

a. Check that input files are loaded in the correct order
b. Check that multiple physical records for a single logical record
follow the required order
c. Check that the transaction type is always the first data item on a
follower card
d. Check that the batch serial number is in ascending order

51. The master file records were accidentally deleted. Which of the following
would have prevented this?

a. Referential integrity
b. Table lookup
c. Existence check
d. Completeness check

52. The purpose of a retention date for a magnetic tape file is to:

a. Enable files with the same generation number to be distinguished
b. Indicate when the file should be recovered from production
activities
c. Prevent the file from being overwritten before expiry of the retention
date
d. Prevent the file from being read before expiry of the retention date.

53. Which of the following can be spoofed while sending an email?

a. Sender identity
b. Sender host identity
c. Message path traveled
d. Recipient’s identity

54. During the data input process, the primary purpose of registers and control
totals is to:

a. Ensure errors are corrected and corrected only once
b. Ensure all data enters the system
c. Enable changes in the patterns of input errors to be identified
d. Identify which types of input resources are being consumed so the
efficiency of input validation processes can be improved

55. The retention period of audit trails and logs depends upon:

a. Control risks involved
b. Regulatory requirements
c. Auditor’s recommendation
d. Storage Capacity of the host which stores the log

56. Which of the following types of subversive attacks on a communication
network is a passive attack:

a. Message modification
b. Denial of message service
c. Traffic analysis
d. Changed message order

57. To retain the data required under regulatory requirements, what is the
best method?

a. Ensure the integrity of data
b. Ensure that the data are stored in reliable media and test its
restoration
c. Ensure that the data are stored in safe vault
d. Ensure that the data are stored in remote location far away from the
usual place

58. Which of the following usually is not a purpose of a modem:

a. Reduce line errors caused by noise
b. Produce encrypted messages
c. Convert digital signals to analog signals
d. Increase the speed of data transmission

59. When disposing of write-once media, what is the best course of action?

a. Degauss the media
b. Destroy the media
c. Delete the file
d. Format the media

60. The type of modulation method that performs best in terms of the number
of line errors that arise is:

a. Phase modulation
b. Analog modulation
c. Frequency modulation
d. Amplitude modulation

61. To ensure the efficiency of telecommunications, which of the following is
used?

a. Downtime reports
b. Response time
c. Call Log Report of help desk
d. Utilization report

62. Which of the following is not a desirable control feature in a modem:

a. Dynamic equalization
b. Automatic dial-up capabilities
c. Multiple transmission speeds

d. Attenuation amplification

63. In an unmanned data processing facility, which of the following can be
used?

a. CO2
b. Dry-pipe
c. Wet-pipe
d. Halon

64. A communication line that prevents wiretapping is:

a. A digital line
b. A conditioned line
c. An optical fiber line
d. A satellite line

65. Which of the following is not a suitable topology when there is heavy traffic in
the network?

a. Bus
b. Ring
c. Star
d. Mesh

66. Packet switching is an example of a:

a. Multiplexing technique
b. Line conditioning technique
c. Concentration technique
d. Modulation technique

67. Which of the following ensures the security of a wireless network?

a. WEP security
b. WPA security
c. MAC filtering
d. SSID was disabled

68. In network topology, maximum reliability is achieved using a:

a. Star network
b. Completely connected network
c. Ring network
d. Multidrop line network

69. When a semi-passive RFID tag is disposed of, it affects which of the
following?

a. Integrity
b. Privacy
c. Availability
d. Confidentiality

70. End-to-end encryption provides only limited protection against a
subversive attack that uses:

a. Message insertion
b. Traffic analysis
c. Spurious associations
d. Change of message order

71. If enabled, which of the following will pose a great risk to the organization?

a. FTP
b. HTTP
c. SNMP
d. SMTP

72. When encryption is used in the communication subsystem, the primary
purpose of an error propagation code is to protect against:

a. Release of message contents
b. Spurious associations
c. Denial of message services
d. Change of message order

73. To prevent a virus spreading through the network, which of the following
services should be blocked?

a. Anonymous FTP
b. Uploading of files
c. Access to external websites
d. Mail services

74. A message authentication code is used to protect against:

a. Changes to the content of a message
b. Traffic analysis
c. Release of message contents
d. Exposures that arise when PINs are transmitted in the clear

75. When an intruder breaks into the firewall, it implies that which of the
following is compromised?

a. Identification
b. Authentication
c. Privacy
d. Availability

76. Which of the following security services can best be provided by
Kerberos?

a. Authentication
b. Confidentiality
c. Integrity
d. Availability

77. When an organization uses dial-up access extensively, which of the
following is an effective security measure?

a. Centralized modem pool
b. User must get the consent of management for every new modem
installation
c. Install modem in every host of the organization
d. Monitor the usage of modem with CCTV

78. Cryptography provides all of the following services except:

a. Authentication
b. Confidentiality
c. Integrity
d. Availability

79. Which of the following enables the IS auditor to understand the firewall
configuration?

a. Review parameter settings
b. Interview System Administrator
c. Review firewall installation manual
d. Conduct business impact analysis

80. User authentication means determining who is making a system request
or access. Users can identify themselves to a computer system in several
ways. Which of the following identification techniques provide the best
means of user authentication?

a. What the user is
b. What the user has
c. What the user knows
d. What the user has and what the user knows

81. Which of the following ensures that the firewall is configured in
accordance with the corporate security policy?

a. Review rule-base
b. Conduct penetration test
c. Interview the Security Admin
d. Review firewall installation manual

82. Which of the following is a major problem in implementing the Rivest,
Shamir and Adleman (RSA) encryption algorithm?

a. Computing power required to generate the keys
b. Large numbers used in the algorithm
c. Prime numbers needed in the algorithm
d. History of known security break ins

83. While auditing the IS function of an organization, the IS auditor was told by
the client that recently an external auditor has completed the assessment.
Which of the following can an IS auditor do?

a. Don’t rely on the external auditor’s findings
b. Rely on the findings of external auditor
c. Review the qualification and competencies of external auditor
d. Discuss this matter with IS audit manager and decide

84. Authentication is a protection against fraudulent transactions. Which of the
following does the authentication process not assume?

a. The validity of messages being sent
b. The validity of the workstations that sent the message
c. The integrity of the message that is being transmitted
d. The validity of the message originator

85. Digital signature prevents

a. Repudiation
b. Confidentiality
c. Integrity
d. Availability

86. Contingency planning for local area networks should consider all of the
following except:

a. Incident response
b. Remote computing
c. Backup operations
d. Recovery plans

87. The use of hash in digital signature ensures

a. Integrity of the message transmitted
b. Confidentiality of the message transmitted
c. Availability of the message transmitted
d. Prevention of man-in-the-middle attack

88. Passwords are used as a basic mechanism to identify and authenticate a
system user. Which of the following password-related factors cannot be
tested with automated vulnerability testing tools?

a. Password length
b. Password lifetime
c. Password Secrecy
d. Password Storage

89. SSL provides confidentiality by

a. Encrypting the message with server’s private key
b. Encrypting the message with browser’s private key
c. Encrypting the message with browser’s public key
d. Encrypting the message with server’s public key

90. A function of a data dictionary is to:

a. Document processing steps
b. Ensure design consistency
c. Maintain data integrity
d. Coordinate program interfaces

91. Which of the following is a concern while using Voice over Internet Protocol
(VoIP)?

a. The quality of the voice is degraded because of loss of packets
b. The unavailability of VPN
c. Data communication is lost
d. Both voice and data communication is disrupted

92. Indicate the most objective and relevant evidence in a computer
environment involving fraud.

a. Physical examination
b. Physical observation
c. Inquiries of people
d. Computer logs

93. When the organization is experiencing temporary increases and sags in
power supply, which of the following can be used to overcome that?

a. Redundant power supply
b. Backup power supply
c. Uninterrupted power supply (UPS)
d. Emergency power off switch

94. A digital signature is:

a. A form of authenticator
b. An actual signature written on the computer
c. The same as the checksum
d. Different from analog signature

95. Which of the following is the first step in BCP?

a. Business impact analysis
b. Identification of critical applications
c. Business continuity plan development
d. Identification and formation of BCP team

96. Identify the computer-related crime and fraud method which involves
obtaining information that may be left in or around a computer system
after the execution of a job.

a. Data diddling
b. Salami technique
c. Scavenging
d. Piggybacking

97. When a cold-site is used, which of the following is a concern?

a. Ability to restore the application at the alternate processing facility
b. Hardware-software incompatibility
c. Activation of the site may take several weeks
d. Not suitable for emergency operations

98. In an electronic data interchange (EDI) system, which one of the following
is not a formatting standard?

a. Type of document
b. Electronic envelopes
c. Sequence of document
d. Content of document

99. When an e-commerce application is used, which of the following is
necessary?

a. Fault tolerant hardware
b. Redundant Array of Inexpensive Disk (RAID)
c. Clustering of server
d. Long haul network diversity

100. Control techniques for ensuring data accuracy are:

a. Reasonableness checks, hash totals, document counts, and key
verifications
b. Existence checks, range checks, batch sequence checks, and batch
controls
c. Computer matching, dependency checks, batch sequence checks,
and key verifications
d. Reasonableness checks, range checks, check digit verifications,
and key verifications.

101. An organization takes full backups and incremental backups. Which of the
following ensures its recoverability when a disruption occurs?

a. Backups are stored off-site on a daily basis
b. Backups are stored off-site along with incremental backups on a weekly
basis
c. Incremental backups are stored off-site on a daily basis
d. Incremental backups are stored off-site on a weekly basis

102. What should the audit strategy be?

a. It should be knowledge-based
b. It should be cycle-based
c. It should be request-based
d. It should be risk-based

103. An organization using EFT chooses to go ahead with a known
vulnerability without implementing an appropriate control. This is risk:

a. Mitigation
b. Avoidance
c. Acceptance
d. Transfer

104. Which one of the following items includes the other three items?

a. Inherent risk
b. Control risk
c. Audit risk
d. Detection risk

105. Which of the following techniques can be used to evaluate the
effectiveness of IT governance?

a. IT balanced scorecard
b. Benchmarking
c. IS auditor’s report
d. IS Policy & Strategy defined by the Board

106. An effective internal control system requires an ultimate:

a. User
b. Sponsor
c. Owner
d. Customer

107. Which of the following ensures the security of web application?

a. Firewall
b. Password encryption
c. IDS
d. SSL

108. COBIT is the model for which of the following?

a. IT planning
b. IT governance
c. IT standards
d. IT infrastructure

109. Software baseline refers to:

a. Stop entry
b. Exit entry
c. Entry point
d. Pause entry

110. The IT function should not be used or viewed solely to:

a. Make money
b. Expand the business
c. Save money
d. Increase revenues

111. What is the role of the auditor in Control Self Assessment (CSA)?

a. Assessment facilitator
b. Risk assessment
c. Control assessment
d. Independent review

112. The IT direction must be aligned with which of the following?

a. Cost drivers
b. Business drivers
c. Technology drivers
d. Decision drivers

113. Which authority is responsible for the maintenance of certificates in PKI?

a. Certification authority
b. Registration authority
c. Certificate revocation list
d. Certificate of practice

114. Which of the following establishes the boundaries for IT direction?

a. Cost strategy
b. Business strategy
c. Staffing strategy
d. Computing strategy

115. The certification authority is responsible for issuing the private key in PKI.
When the Certification Authority (CA) encrypts a message, it will:

a. Encrypt with the sender’s public key
b. Decrypt with the receiver’s public key
c. Encrypt with the sender’s private key
d. Decrypt with the receiver’s private key

116. Preventive controls against private branch exchange (PBX) or voice mail
system attacks do not include which of the following?

a. Disconnecting maintenance lines when not used
b. Enforcing strict rules on password usage
c. Installing physical switches on telephone lines
d. Implementing training and awareness programs

117. The auditor concludes that internal control is strong and expects to
find errors at a minimum level. Which sampling method can the auditor
make use of?

a. Attribute sampling
b. Stop or go sampling
c. Variable sampling
d. Discovery sampling

118. All of the following are controls against network service attacks except:

a. Using a floppy disk prior to decompression
b. Removing the network service
c. Concealing the network service
d. Creating traps for network services

119. IS strategy contains the following except:

a. Mission and vision
b. IS policy
c. Hardware requirement
d. System software

120. Which of the following tools is most useful in detecting security intrusions?

a. Data mining tools
b. Data optimization tools
c. Data reorganization tools
d. Data access tools

121. The IS auditor finds that a PC was used to perpetrate a fraud. The auditor
should report this matter to:

a. IS audit line manager
b. Police
c. IS audit manager
d. Audit committee

122. Which of the following design objectives is most important for a local area
network?

a. Security
b. Availability
c. Throughput
d. Responsiveness

123. To measure the performance of an enterprise with regard to customer
satisfaction and efficiency, which of the following techniques is used?

a. IT balanced scorecard
b. Risk assessment
c. Benchmark
d. Business Process re-engineering (BPR)

124. Accountability is important to implementing security policies. Which of the
following is least effective in exacting accountability from system users?

a. Auditing requirements
b. Passwords
c. Identification controls
d. Authentication controls

125. Which of the following is to be identified FIRST in risk analysis?

a. Asset
b. Threat
c. Vulnerability
d. Controls

126. Which of the following provides both integrity and confidentiality services for
data and messages?

a. Digital signatures
b. Encryption
c. Cryptographic checksums
d. Granular access control

127. An organization uses public switched infrastructure for its communications.
The organization should consider which of the following for its disaster
recovery?

a. Leased line
b. Alternate site for processing
c. Off-site backup facilities
d. Hardware maintenance program

128. Rivest, Shamir, Adleman (RSA) algorithm differs from digital signature
standard (DSS) in:

a. Digital signature
b. Authentication
c. Encryption
d. Data integrity

129. An organization makes use of DBMS software for data and information
storage. Which of the following is less risky when considered for data
retrieval?

a. View
b. Join
c. Trigger
d. Merge

130. Intrusion detection refers to the process of identifying attempts to
penetrate a computer system and gain unauthorized access. Which of the
following would assist in intrusion detection?

a. Audit trails
b. Access control lists
c. Security clearances
d. Host-based authentication

131. An IS auditor conducts a review of a data center. What should the auditor do
to evaluate performance?

a. Compliance with service level agreements
b. Software escrow clause
c. Hardware maintenance as specified by the vendor
d. Utilization report analysis

132. The best approach to maintaining a contingency plan in order to recover
from computer–related disasters would be to use a:

a. Top–down approach
b. Bottom-up approach
c. Combination of top–down and bottom-up approaches
d. Consultant-directed approach

133. The objective of capacity management is:

a. Resource utilization should always be around 85%
b. Efficient utilization of resources
c. Acquisition of hardware
d. Reduction of hardware resources

134. What is the inherent limitation of a disaster recovery planning exercise?

a. Inability to include all types of disasters
b. Assembling disaster management and recovery teams
c. Developing early warning monitors that will trigger alerts and
responses
d. Conducting periodic drills

135. Which of the following provides BEST security for a wireless network?

a. Wired Equivalent Privacy
b. Service set identifier (SSID) set to obtrusive value
c. MAC address based authentication
d. Virtual Private Network (VPN)

136. The most costly disaster recovery alternative is:

a. Mutual backup site agreements
b. Hot-site backup
c. Cold-site backup
d. Off-site archival storage of data

137. An Entity Relationship Diagram (ERD) shows:

a. Linkage between objects
b. The data flow and the components or parts of data
c. The hierarchy of the entity’s reporting structure
d. Audit trail

138. In which of the following system development approaches are systems
analysis, design, and testing activities repeated during the life cycle?

a. Prototype
b. Iterative
c. Pilot
d. Grand design

139. User acceptance test planning happens at which stage of SDLC process?

a. Feasibility study
b. Requirement analysis
c. Design
d. Implementation

140. In project implementations, the management tool that is most commonly
used is called a:

a. Flowchart
b. Process chart
c. Gantt chart
d. Data chart

141. Which of the following statements about alpha and beta tests is not correct?

a. Alpha and beta tests help to plug the loopholes in the security and
controls of the product
b. They help to retain IS-skilled employees in the organization, as
skilled software professionals always like to work with leading-edge
technology companies
c. They help to establish a relationship with the users
d. They help to penetrate the market much earlier than the
competitors

142. The major problem in information systems departments is:

a. Inadequate management of system development projects
b. Ineffective control of resources
c. Project cost overruns
d. Project schedule delays

143. An organization wants to fast-track the implementation as it is running
against a critical deadline for the project. What should the IS auditor
recommend?

a. Documentation of the project development
b. User acceptance test
c. Review of the enhanced controls added at the last minute
d. Implementation planning

144. The major purpose of continuous improvement is to:

a. Increase the productivity of employees
b. Document policies and procedures
c. Draw a flowchart of the processes
d. Increase the productivity of systems

145. A software development company has its process certified by ISO under the
ISO 9001 quality process. This implies that:

a. The software developed by the company must get the accreditation
of ISO
b. The software quality standards of ISO must be implemented in the
software developed by the organization and should get its
certification
c. The development company must follow quality process in the
development of software
d. Periodic risk assessment is not required as the company follows
quality standards

146. The major purpose of change management implementation is to:

a. Allocate resources to implement the change
b. Address people's concerns about the change
c. Develop tools to implement the change
d. Facilitate change agents in the organization

147. Which of the following is a critical process in biometrics?

a. Easy in use
b. Enrollment
c. Acceptance of users
d. Security of the biometric sample

148. Business process re-engineering (BPR) changes are constrained by:

a. Taking small improvement steps
b. Existing organizational structure
c. Current thinking
d. Current culture of the organization

149. The risks of a network-based Intrusion Detection System (IDS) are:

a. Consumes more resources in the network
b. Does not detect attacks from hosts
c. Active monitoring is not performed
d. Requires that the firewall be placed

150. Incorrect data in a computer system is likely to have more serious
consequences for a (an):

a. Strategic planning system
b. Expert system
c. Personal decision support system
d. Management control system

151. The benefit of incremental backup of transactions, where the master
file contains many records but the transactions are minimal, is:

a. Increased CPU speed
b. Ease in maintenance of backup media
c. The cost associated with incremental backup is low, as it requires
fewer storage media
d. Backup procedures could be automated

152. Computer abuse is best defined as:

a. Malicious damage carried out to hardware and software
b. Any incident associated with computer technology whereby a
victim suffered loss and a perpetrator gained
c. A fraud perpetrated by modifying software or hardware
d. Any incident whereby a hacker breaches controls in a computer
system and destroys software or data

153. The BEST medium for storage of information for archival purposes is:

a. Magnetic Tape
b. Hard Disk
c. WORM disk drives
d. Floppy Disk

154. From information systems audit perspective, which of the following is the
most valuable asset in an information system facility:

a. Hardware
b. Database
c. Personnel
d. Software

155. A few master file records containing the details of suppliers with standing
orders are deleted accidentally. Which of the following would have prevented
such an occurrence?

a. Existence Check
b. Referential integrity
c. Limit Check
d. Reasonableness Check

156. Which of the following statements about controls is false?

a. The primary focus of controls is unlawful events
b. Controls are systems of interacting components
c. Controls cover all unlawful events in a system
d. An unlawful event in a system can be covered by more than one
control

157. When converting data from the legacy system to the newly migrated
system of a foreign exchange dealer, the exchange rate was accidentally
modified. Which of the following would detect that?

a. Limit Check
b. Range Check
c. Sequence check
d. Validity check

158. Which of the following is unlikely to be an objective of a control?

a. Reduce expected losses from irregularities
b. Reduce the probability of an error occurring
c. Reduce the amount of loss if an error occurs
d. Reduce the normality of the loss distribution

159. To protect the hardware from a power surge, which of the following is
to be used:

a. Uninterruptible Power System (UPS)
b. Backup power generator
c. Redundant power supply
d. Power-off switch in the computer room

160. A program check that ensures data entered by a data-entry operator is
complete is an example of a:

a. Detective control
b. Corrective control
c. Preventive control
d. Redundancy control

161. In environmental control, the power should be disconnected when using
which of the following fire suppression systems?

a. Halon gas
b. Carbon dioxide
c. Dry-pipe sprinkler system
d. FM2

162. Under which circumstance will the level of achieved audit risk decrease?

a. An increase in inherent risk
b. A decrease in detection risk
c. An increase in control risk
d. A decrease in desired audit risk

163. When programmers make an emergency change, which of the
following should be performed?

a. Authorization from the business manager to carry out such changes
and an oral agreement
b. Only the key personnel should be authorized to perform this
c. Making use of an emergency ID to make changes in the object code
d. Strict adherence to the change management process

164. Over which type of risk does the auditor have greatest control?

a. Desired audit risk
b. Inherent risk
c. Control risk
d. Detection risk

165. The best authentication mechanism is

a. Password
b. Encryption with password tables
c. Smart card and user password
d. Smart card and bio-metrics

166. The primary objective of a test of controls is to:

a. Determine whether controls are operating effectively
b. Identify any material errors that have occurred in
major classes of transactions
c. Understand whether a control is in place
d. Identify major patterns of errors or irregularities that might exist in
final account balances

167. The measure that would protect the information when the password is
sniffed is:

a. Enhancing password length
b. Forced password change after a predetermined period
c. Notifying the security administrator to reset the password
d. One-way encryption of passwords internally in the computer system

168. The primary factor affecting the design of a data-entry screen is:

a. The amount of data to be collected on the screen
b. The expertise and experience of the keyboard operator
c. How frequently the screen will be used
d. Whether or not the screen is to be based on a dedicated source
document

169. When installing a firewall, which of the following should be considered?

a. Hardening of the operating system
b. Firewall security rules
c. Evaluation of vendors' firewall products
d. Blocking access to particular sites on the Internet

170. Under what circumstances will a data-entry screen keyboard operator
tolerate the slowest response time?

a. The transition between one screen and the next screen
b. The transition between one field and the next field
c. When data entry for a transaction has been completed
d. When keying is based on a dedicated source document

171. An IS auditor contended that there are weaknesses in the controls, and
recommended implementation of further controls. But management
argued that it is unnecessary, as no incident has taken place so far. What
evidence would have led the auditor to this conclusion?

a. Vulnerability assessment
b. A report in media about the fraud happened in similar industry due
to lack of internal control
c. Statistical sampling findings
d. Auditor’s own judgment based on his past experience

172. If the product number A5723 is coded as A2753, this is an example of a:

a. Truncation error
b. Double transposition error
c. Random error
d. Transcription error

173. Which of the following would prevent piggybacking?

a. Dead man door
b. Electronic bolting door
c. Cipher lock
d. Security guards

174. A strategy for reducing coding errors is to:

a. Have only numeric codes
b. Group more characters in a chunk of information
c. If a mixed alphabetic-numeric code is used, group alphabetics
together and numerics together
d. Use frequently occurring character pairs like B8 and S5

175. A banking company uses a fireproof cabinet to store the backup of data. In
using the fireproof cabinet, which of the following should be considered?

a. The heat and humidity level in the fireproof container
b. The humidity level around the place where this container is stored
c. The location of the fireproof cabinet container
d. The cost of purchase of the container

176. Given the code 7215, modulus 13, and the weights 2-1-2-1, the check digit
is:

a. 1
b. 10
c. 0
d. 3

177. A fire alarm was installed in the computer operation area of an
organization. The fire alarm control panel should be located in the:

a. Computer server room
b. Operation area of the server room
c. Security personnel’s booth
d. Security administrator’s room

178. Which of the following guidelines should not be used when designing a
batch?

a. Have only one type of document in the batch
b. Have the batch small enough to facilitate locating errors
c. Have the batch large enough to constitute a reasonable size unit of
work
d. Minimize the amount of information that is recorded on the batch cover
sheet

179. Which of the following disaster recovery tests should be performed
most often?

a. Walkthrough with the help of vendors
b. Full interruption test during off-peak business hours
c. Review of the recovery plan
d. Preparedness test

180. In a database there are often conditions that constrain database
records. For example, a sales order cannot exist unless the
corresponding customer exists. This kind of constraint is an example
of:

a. Normalization
b. Entity integrity
c. Internal Scheme
d. Referential integrity

181. The main advantage of Electronic Fund Transfer (EFT) is:

a. Decrease in improper authorization of payment
b. Efficient processing of payments
c. Decrease in the paper work
d. Decreased dependency on personnel

182. What type of functional capabilities of generalized audit software do
auditors use when they instruct the software to read a zoned field?

a. Arithmetic capabilities
b. File reorganization capabilities
c. File access capabilities
d. File creation and updating capabilities

183. A banking organization uses data warehousing for its decision-making.
Due to time-zone differences, updates are not happening immediately. Which of
the following controls is desirable?

a. Concurrency control
b. Atomicity
c. Integrity
d. Durability

184. Which of the following functional capabilities in generalized audit software
are auditors most likely to use to examine whether the entities that the data
purports to represent do, in fact, exist?

a. Statistical sampling capability
b. Stratification and frequency analysis capability
c. Analytical review capability
d. Arithmetic capability

185. In e-commerce, load balancing should happen at:

a. Database and external gateway
b. Web server and external gateway
c. User and external gateway
d. Database and user

186. Which of the following is not a functional limitation of generalized audit
software?

a. Permits ex post auditing only and not concurrent auditing
b. Difficult to determine an application system’s propensity for error
using generalized audit software
c. Limited capabilities for verifying processing logic
d. Limited capabilities for re-computing material arithmetic
expressions

187. The best network for an extranet is:

a. VPN
b. SSL
c. Symmetric encryption
d. Asymmetric encryption

188. Which of the following tasks probably would be most difficult to perform
using utility software?

a. Merging data on two files
b. Dumping several records in a database to check their format
c. Selecting a dollar unit sample for confirmation
d. Converting one data format to another data format

189. The quality of a biometric authentication feature is improved when:

a. The user is educated about the correct enrollment process
b. The biometric sample is taken until satisfactory
c. Waiting until the user accepts biometrics as an authentication
mechanism
d. The extracts of biometric samples are stored with maximum security

190. Which of the following utilities can be used to directly examine the
authenticity, accuracy, and completeness of program logic?

a. Transaction profile analyzer
b. Output analyzer
c. Prompter
d. Text manager

191. A logic bomb is detected by:

a. Test data
b. Independent program review
c. Source and object code comparison
d. Time stamp review of source and object code

192. Which of the following is least likely to be an outcome of an auditor’s use of
expert systems?

a. Increased consensus in evaluation judgments
b. Better dissemination of expertise in relation to new technology
c. Better documentation in support of audit judgments made
d. Improved efficiency in the conduct of an audit

193. A brute-force attack is prevented by:

a. Disabling login after 3 to 5 unsuccessful attempts
b. Password table encryption
c. Enhancing password length
d. Forced password change after a predetermined period

194. The component in an expert system that provides information to auditors
about the line of reasoning used to reach a conclusion is the:

a. Inference engine
b. Knowledge acquirer
c. Knowledge base
d. Tutor

195. The advantage of prototyping is:

a. Increased interaction with the user
b. Developed in an incremental fashion
c. Concentrates on screen layouts and GUI
d. Product is delivered to the user immediately

196. Which of the following components of a neural network designed to assist
auditors to detect fraud will be altered during its training period?

a. Input components
b. Output components
c. Hidden components
d. Connection weight components

197. Which of the following is a concern when an organization is subject to a
Denial of Service (DoS) attack?

a. Confidentiality
b. Integrity
c. Availability
d. Durability

198. Which of the following types of database access control will prevent
personnel clerks from accessing the names of employees whose salaries
exceed Rs. 30,000 unless they are seeking to perform some type of
statistical function?

a. Content-dependent access control
b. History-dependent access control
c. Context-dependent access control
d. Name-dependent access control

199. A DBMS can control user access at which of the following levels?

a. User and database
b. Program and database
c. Transaction and database
d. Program and system software

200. An audit trail record should include sufficient information to trace a user's
actions and events. Which of the following items of information in the audit
trail record would help determine if the user was a masquerader or the
actual person specified?

a. The user identification associated with the event
b. Date and time associated with the event
c. The program used to initiate the event
d. The command used to initiate the event
