CISA Flashcards

1
Q

QUESTION 1 - (Topic 1)
Structured programming is BEST described as a technique that:
A. provides knowledge of program functions to other programmers via peer reviews.
B. reduces the maintenance time of programs by the use of small-scale program modules.
C. makes the readable coding reflect as closely as possible the dynamic execution of the program.
D. controls the coding and testing of the high-level functions of the program in the development process.

A

Answer: B
Explanation:
A characteristic of structured programming is smaller, workable units. Structured programming evolved because
smaller, workable units are easier to maintain. Structured programming is a style of programming that restricts the
kinds of control structures permitted. This limitation is not crippling: any program can be written with the allowed control structures.
Structured programming is sometimes referred to as go-to-less programming, since a go-to statement is not allowed. This
is perhaps the best-known restriction of the style, since go-to statements were common at the time structured
programming was becoming popular. Statement labels also become unnecessary, except in languages where
subroutines are identified by labels.

2
Q

QUESTION 2 - (Topic 1)
After identifying potential security vulnerabilities, what should be the IS auditor’s next step?
A. To evaluate potential countermeasures and compensatory controls
B. To implement effective countermeasures and compensatory controls
C. To perform a business impact analysis of the threats that would exploit the vulnerabilities
D. To immediately advise senior management of the findings

A

Answer: C
Explanation: After identifying potential security vulnerabilities, the IS auditor’s next step is to perform a business impact
analysis of the threats that would exploit the vulnerabilities.

3
Q
QUESTION 3 - (Topic 1)
When should an application-level edit check that verifies the availability of funds be completed at the electronic funds
transfer (EFT) interface?
A. Before transaction completion
B. Immediately after an EFT is initiated
C. During run-to-run total testing
D. Before an EFT is initiated
A

Answer: D
Explanation: An application-level edit check to verify availability of funds should be completed at the electronic funds
transfer (EFT) interface before an EFT is initiated.

4
Q

QUESTION 4 - (Topic 1)
Why does the IS auditor often review the system logs?
A. To get evidence of password spoofing
B. To get evidence of data copy activities
C. To determine the existence of unauthorized access to data by a user or program
D. To get evidence of password sharing

A

Answer: C
Explanation: When trying to determine the existence of unauthorized access to data by a user or program, the IS auditor
will often review the system logs.

5
Q
QUESTION 5 - (Topic 1)
Which of the following is a telecommunication device that translates data from digital form to analog form and back to
digital?
A. Multiplexer
B. Modem
C. Protocol converter
D. Concentrator
A

Answer: B
Explanation:
A modem is a device that translates data from digital to analog and back to digital.

6
Q

QUESTION 6 - (Topic 1)
The initial step in establishing an information security program is the:
A. development and implementation of an information security standards manual.
B. performance of a comprehensive security control review by the IS auditor.
C. adoption of a corporate information security policy statement.
D. purchase of security access control software.

A

Answer: C
Explanation:
A policy statement reflects the intent and support provided by executive management for proper security and establishes
a starting point for developing the security program.

7
Q

QUESTION 7 - (Topic 1)
Establishing data ownership is an important first step for which of the following processes? Choose the BEST answer.
A. Assigning user access privileges
B. Developing organizational security policies
C. Creating roles and responsibilities
D. Classifying data

A

Answer: D
Explanation: To properly implement data classification, establishing data ownership is an important first step.

8
Q

QUESTION 8 - (Topic 1)
Which of the following is the MOST critical step in planning an audit?
A. Implementing a prescribed auditing framework such as COBIT
B. Identifying current controls
C. Identifying high-risk audit targets
D. Testing controls

A

Answer: C
Explanation: In planning an audit, the most critical step is identifying the areas of high risk.

9
Q
QUESTION 9 - (Topic 1)
What is used as a control to detect loss, corruption, or duplication of data?
A. Redundancy check
B. Reasonableness check
C. Hash totals
D. Accuracy check
A

Answer: C
Explanation: Hash totals are used as a control to detect loss, corruption, or duplication of data. A hash total is the sum of a
non-financial field (for example, account numbers) taken before processing and recomputed afterwards; a mismatch shows that
records were lost, altered or duplicated in between.

10
Q

QUESTION 10 - (Topic 1)
Which of the following best characterizes “worms”?
A. Malicious programs that can run independently and can propagate without the aid of a carrier program such as email
B. Programming code errors that cause a program to repeatedly dump data
C. Malicious programs that require the aid of a carrier program such as email
D. Malicious programs that masquerade as common applications such as screensavers or macro-enabled Word documents

A

Answer: A
Explanation: Worms are malicious programs that can run independently and can propagate without the aid of a carrier program such as email

11
Q
QUESTION 11 - (Topic 1)
The use of statistical sampling procedures helps minimize:
A. Detection risk
B. Business risk
C. Controls risk
D. Compliance risk
A

Answer: A
Explanation: The use of statistical sampling procedures helps minimize detection risk.

12
Q
QUESTION 12 - (Topic 1)
Any changes in systems assets, such as replacement of hardware, should be immediately recorded within the assets inventory of which of the following? Choose the BEST answer.
A. IT strategic plan
B. Business continuity plan
C. Business impact analysis
D. Incident response plan
A

Answer: B
Explanation: Any changes in systems assets, such as replacement of hardware, should be immediately recorded within the assets inventory of a business continuity plan.

13
Q
QUESTION 13 - (Topic 1)
Which of the following hardware devices relieves the central computer from performing network control, format conversion and message handling tasks?
A. Spool
B. Cluster controller
C. Protocol converter
D. Front end processor
A

Answer: D
Explanation:
A front-end processor is a hardware device that connects all communication lines to a central computer and relieves the central computer of network control, format conversion and message handling tasks.

14
Q

QUESTION 14 - (Topic 1)
What kind of testing should programmers perform following any changes to an application or system?
A. Unit, module, and full regression testing
B. Module testing
C. Unit testing
D. Regression testing

A

Answer: A
Explanation: Programmers should perform unit, module, and full regression testing following any changes to an
application or system.

15
Q
QUESTION 15 - (Topic 1)
For which of the following applications would rapid recovery be MOST crucial?
A. Point-of-sale system
B. Corporate planning
C. Regulatory reporting
D. Departmental chargeback
A

Answer: A
Explanation:
A point-of-sale system is a critical online system that when inoperable will jeopardize the ability of Company.com to
generate revenue and track inventory properly.

16
Q

QUESTION 16 - (Topic 1)
________________ (fill in the blank) is/are ultimately accountable for the functionality, reliability, and security within IT governance. Choose the BEST answer.
A. Data custodians
B. The board of directors and executive officers
C. IT security administration
D. Business unit managers

A

Answer: B
Explanation: The board of directors and executive officers are ultimately accountable for the functionality, reliability,
and security within IT governance.

17
Q
QUESTION 17 - (Topic 1)
Which of the following is MOST critical during the business impact assessment phase of business continuity planning?
A. End-user involvement
B. Senior management involvement
C. Security administration involvement
D. IS auditing involvement
A

Answer: A
Explanation: End-user involvement is critical during the business impact assessment phase of business continuity
planning.

18
Q

QUESTION 18 - (Topic 1)
What is the recommended initial step for an IS auditor to implement continuous-monitoring systems?
A. Document existing internal controls
B. Perform compliance testing on internal controls
C. Establish a controls-monitoring steering committee
D. Identify high-risk areas within the organization

A

Answer: D
Explanation: When implementing continuous-monitoring systems, an IS auditor’s first step is to identify high risk areas within the organization.

19
Q

QUESTION 19 - (Topic 1)
Which of the following is a guiding best practice for implementing logical access controls?
A. Implementing the Biba Integrity Model
B. Access is granted on a least-privilege basis, per the organization’s data owners
C. Implementing the Take-Grant access control model
D. Classifying data according to the subject’s requirements

A

Answer: B
Explanation: Logical access controls should be reviewed to ensure that access is granted on a least-privilege basis, per the organization’s data owners.

20
Q

QUESTION 20 - (Topic 1)
Which of the following is an effective method for controlling downloading of files via FTP? Choose the BEST answer.
A. An application-layer gateway, or proxy firewall, but not stateful inspection firewalls
B. An application-layer gateway, or proxy firewall
C. A circuit-level gateway
D. A first-generation packet-filtering firewall

A

Answer: B
Explanation: Application-layer gateways, or proxy firewalls, are an effective method for controlling downloading of files via FTP. Because FTP is an OSI application-layer protocol, the most effective firewall needs to be capable of inspecting through the application layer.

21
Q

QUESTION 21 - (Topic 1)
When participating in a systems-development project, an IS auditor should focus on system controls rather than ensuring that adequate and complete documentation exists for all projects. True or false?
A. True
B. False

A

Answer: B
Explanation: When participating in a systems-development project, an IS auditor should also strive to ensure that
adequate and complete documentation exists for all projects.

22
Q

QUESTION 22 - (Topic 1)
Fourth-Generation Languages (4GLs) are most appropriate for designing the application’s graphical user interface (GUI).
They are inappropriate for designing any intensive data-calculation procedures. True or false?
A. True
B. False

A

Answer: A
Explanation: Fourth-generation languages (4GLs) are most appropriate for designing the application's graphical user
interface (GUI). They are inappropriate for designing any intensive data-calculation procedures.

23
Q
QUESTION 23 - (Topic 1)
Which of the following can help detect transmission errors by appending specially calculated bits onto the end of each segment of data?
A. Redundancy check
B. Completeness check
C. Accuracy check
D. Parity check
A

Answer: A
Explanation: A redundancy check can help detect transmission errors by appending specially calculated bits onto the
end of each segment of data.

24
Q
QUESTION 24 - (Topic 1)
If an IS auditor observes that individual modules of a system perform correctly in development project tests, the auditor should inform management of the positive results and recommend further:
A. Documentation development
B. Comprehensive integration testing
C. Full unit testing
D. Full regression testing
A

Answer: B
Explanation: If an IS auditor observes that individual modules of a system perform correctly in development project tests, the auditor should inform management of the positive results and recommend further comprehensive integration testing.

25
Q

QUESTION 25 - (Topic 1)
The quality of the metadata produced from a data warehouse is _______________ in the warehouse’s design. Choose the
BEST answer.
A. Often hard to determine because the data is derived from a heterogeneous data
environment
B. The most important consideration
C. Independent of the quality of the warehoused databases
D. Of secondary importance to data warehouse content

A

Answer: B
Explanation: The quality of the metadata produced from a data warehouse is the most important consideration in the
warehouse’s design.

26
Q

QUESTION 26 - (Topic 1)
What protects an application purchaser’s ability to fix or change an application in case the application vendor goes out of business?
A. Assigning copyright to the organization
B. Program back doors
C. Source code escrow
D. Internal programming expertise

A

Answer: C
Explanation: Source code escrow protects an application purchaser’s ability to fix or change an application in case the application vendor goes out of business.

27
Q
QUESTION 27 - (Topic 1)
Which of the following devices extends the network and has the capacity to store frames and act as a storage and forward device?
A. Router
B. Bridge
C. Repeater
D. Gateway
A

Answer: B
Explanation:
A bridge connects two separate networks to form one logical network (e.g., joining an Ethernet and a Token Ring network) and has the storage capacity to hold frames and act as a store-and-forward device. Bridges operate at the OSI data link layer by examining the media access control (MAC) header of each frame.

28
Q

QUESTION 28 - (Topic 1)
What is essential for the IS auditor to obtain a clear understanding of network management?
A. Security administrator access to systems
B. Systems logs of all hosts providing application services
C. A graphical map of the network topology
D. Administrator access to systems

A

Answer: C
Explanation: A graphical map of the network topology is essential for the IS auditor to obtain a clear understanding of network management.

29
Q

QUESTION 29 - (Topic 1)
What is often the most difficult part of initial efforts in application development? Choose the BEST answer.
A. Configuring software
B. Planning security
C. Determining time and resource requirements
D. Configuring hardware

A

Answer: C
Explanation: Determining time and resource requirements for an application-development project is often the most
difficult part of initial efforts in application development.

30
Q
QUESTION 30 - (Topic 1)
What kind of protocols does the transport layer (OSI layer 4) of the TCP/IP protocol suite provide to ensure reliable
communication?
A. Nonconnection-oriented protocols
B. Connection-oriented protocols
C. Session-oriented protocols
D. Nonsession-oriented protocols
A

Answer: B
Explanation: The transport layer of the TCP/IP protocol suite provides connection-oriented protocols (TCP) to ensure
reliable communication; UDP, at the same layer, is connectionless and offers no delivery guarantee.

31
Q
QUESTION 31 - (Topic 1)
Which of the following provides the BEST single-factor authentication?
A. Biometrics
B. Password
C. Token
D. PIN
A

Answer: A
Explanation: Although biometrics provides only single-factor authentication, many consider it to be an excellent method for user authentication.

32
Q

QUESTION 32 - (Topic 1)
IS auditors are MOST likely to perform compliance tests of internal controls if, after their initial evaluation of the
controls, they conclude that control risks are within the acceptable limits. True or false?
A. True
B. False

A

Answer: A
Explanation: IS auditors are most likely to perform compliance tests of internal controls if, after their initial evaluation of the controls, they conclude that control risks are within the acceptable limits. Think of it this way: If any reliance is placed on internal controls, that reliance must be validated through compliance testing. High control risk results in little reliance on internal controls, which results in additional substantive testing.

33
Q

QUESTION 33 - (Topic 1)
Why is a clause for requiring source code escrow in an application vendor agreement important?
A. To segregate systems development and live environments
B. To protect the organization from copyright disputes
C. To ensure that sufficient code is available when needed
D. To ensure that the source code remains available even if the application vendor goes out of business

A

Answer: D
Explanation: A clause for requiring source code escrow in an application vendor agreement is important to ensure that the source code remains available even if the application vendor goes out of business.

34
Q

QUESTION 34 - (Topic 1)
Which of the following could lead to an unintentional loss of confidentiality? Choose the BEST answer.
A. Lack of employee awareness of a company’s information security policy
B. Failure to comply with a company’s information security policy
C. A momentary lapse of reason
D. Lack of security policy enforcement procedures

A

Answer: A
Explanation: Lack of employee awareness of a company’s information security policy could lead to an unintentional loss of confidentiality.

35
Q

QUESTION 35 - (Topic 1)
Whenever an application is modified, what should be tested to determine the full impact of the change? Choose the BEST answer.
A. Interface systems with other applications or systems
B. The entire program, including any interface systems with other applications or systems
C. All programs, including interface systems with other applications or systems
D. Mission-critical functions and any interface systems with other applications or systems

A

Answer: B
Explanation: Whenever an application is modified, the entire program, including any interface systems with other
applications or systems, should be tested to determine the full impact of the change.

36
Q

QUESTION 36 - (Topic 1)
Database snapshots can provide an excellent audit trail for an IS auditor. True or false?
A. True
B. False

A

Answer: A
Explanation: Database snapshots can provide an excellent audit trail for an IS auditor.

37
Q

QUESTION 37 - (Topic 1)
How do modems (modulation/demodulation) function to facilitate analog transmissions to enter a digital network?
A. Modems convert analog transmissions to digital, and digital transmission to analog.
B. Modems encapsulate analog transmissions within digital, and digital transmissions within analog.
C. Modems convert digital transmissions to analog, and analog transmissions to digital.
D. Modems encapsulate digital transmissions within analog, and analog transmissions within digital.

A

Answer: A
Explanation: Modems (modulation/demodulation) convert analog transmissions to digital, and digital transmissions to
analog, and are required for analog transmissions to enter a digital network.

38
Q
QUESTION 38 - (Topic 1)
When storing data archives off-site, what must be done with the data to ensure data completeness?
A. The data must be normalized.
B. The data must be validated.
C. The data must be parallel-tested.
D. The data must be synchronized.
A

Answer: D
Explanation: When storing data archives off-site, data must be synchronized to ensure data completeness.

39
Q

QUESTION 39 - (Topic 1)
Which of the following tests is an IS auditor performing when a sample of programs is selected to determine if the source and object versions are the same?
A. A substantive test of program library controls
B. A compliance test of program library controls
C. A compliance test of the program compiler controls
D. A substantive test of the program compiler controls

A

Answer: B
Explanation:
A compliance test determines if controls are operating as designed and are being applied in a manner that complies with
management policies and procedures. For example, if the IS auditor is concerned whether program library controls are
working properly, the IS auditor might select a sample of programs to determine if the source and object versions are the
same. In other words, the broad objective of any compliance test is to provide auditors with reasonable assurance that a
particular control on which the auditor plans to rely is operating as the auditor perceived it in the preliminary evaluation.

40
Q

QUESTION 40 - (Topic 1)
What should IS auditors always check when auditing password files?
A. That deleting password files is protected
B. That password files are encrypted
C. That password files are not accessible over the network
D. That password files are archived

A

Answer: B
Explanation: IS auditors should always check to ensure that password files are encrypted. In practice this means the stored password field holds a salted, slow one-way hash rather than the plaintext or a reversibly encrypted value, and the file itself (for example /etc/shadow) is readable only by privileged accounts.
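
The check above, as an added example that is not part of the original flashcards: a small audit of a shadow-style password file (which hash algorithm each entry uses, whether any entry is empty or looks like plaintext, whether the file mode leaks it to other users) next to an application-level store that does the hashing correctly. The sample entries, the account names and the "pbkdf2_sha256$iterations$salt$hash" record layout are this example's own constructions, not any system's format.

```python
"""Added example: auditing password storage. The shadow lines below are constructed sample data."""
import base64
import hashlib
import hmac
import secrets
import stat

# crypt(3) identifiers of slow, salted hashes: sha256crypt, sha512crypt, scrypt,
# yescrypt, gost-yescrypt and the bcrypt variants.
STRONG_PREFIXES = ("$5$", "$6$", "$7$", "$y$", "$gy$", "$2a$", "$2b$", "$2y$")
WEAK_PREFIXES = ("$1$",)  # md5crypt: fast and long deprecated


def classify_hash(field: str) -> str:
    """Classify the password field of one shadow-style entry."""
    if field == "":
        return "empty"        # login succeeds with no password at all
    if field.startswith(("!", "*")):
        return "locked"       # password authentication disabled for the account
    if field.startswith(STRONG_PREFIXES):
        return "ok"
    if field.startswith(WEAK_PREFIXES) or (len(field) == 13 and "$" not in field):
        return "weak"         # md5crypt or traditional 13-character DES crypt
    return "suspicious"       # not a recognised crypt string: possibly plaintext


def audit_shadow(text: str) -> list:
    """Return (user, verdict) for every entry an auditor should follow up on."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, field = line.split(":", 2)[:2]
        verdict = classify_hash(field)
        if verdict not in ("ok", "locked"):
            findings.append((user, verdict))
    return findings


def file_mode_findings(mode: int) -> list:
    """The hash file itself must not be readable or writable by ordinary users."""
    findings = []
    if mode & stat.S_IRWXO:
        findings.append("world-accessible")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    return findings


# Constructed sample: hash bodies are placeholders, only the prefixes are inspected.
SAMPLE_SHADOW = """\
root:$6$rounds=656000$c2FsdHNhbHQ$placeholderhashbody:19700:0:99999:7:::
alice:$y$j9T$c2FsdHNhbHQ$placeholderhashbody:19700:0:99999:7:::
legacy:$1$c2FsdHNh$placeholderhash:19700:0:99999:7:::
svc-backup:Summer2024!:19700:0:99999:7:::
guest::19700:0:99999:7:::
nobody:*:19700:0:99999:7:::
bob:!$6$c2FsdHNhbHQ$placeholderhashbody:19700:0:99999:7:::
"""


# Application-level storage done right: salted, iterated, one-way, compared in constant time.
# The "pbkdf2_sha256$iterations$salt$hash" layout is this example's own, not a system format.
def hash_password(password: str, iterations: int = 600_000, salt: bytes = b"") -> str:
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iterations)
    )
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


if __name__ == "__main__":
    print(audit_shadow(SAMPLE_SHADOW))          # legacy (weak), svc-backup (suspicious), guest (empty)
    print(file_mode_findings(0o644))            # ['world-accessible']
    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record))   # True
```

The audit deliberately treats anything that is not a recognised crypt string as suspicious rather than trying to guess whether it is plaintext, because a field like `Summer2024!` is a finding either way. The constant-time comparison in `verify_password` matters even for hashed values: comparing with `==` leaks where the first differing byte is.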

41
Q

QUESTION 41 - (Topic 1)
Which of the following is MOST likely to result from a business process reengineering (BPR) project?
A. An increased number of people using technology
B. Significant cost savings, through a reduction in the complexity of information technology
C. Weaker organizational structures and less accountability
D. Increased information protection (IP) risk

A

Answer: A
Explanation:
A BPR project more often leads to an increased number of people using technology, and this would be a cause for
concern.
Incorrect answers:
B. Because BPR is often technology-oriented, and that technology is usually more complex and volatile than before, cost
savings do not often materialize in this area.
D. There is no reason for IP to conflict with a BPR project, unless the project is not run properly.

42
Q

QUESTION 42 - (Topic 1)
Which of the following help(s) prevent an organization’s systems from participating in a distributed denial-of-service (DDoS) attack? Choose the BEST answer.
A. Inbound traffic filtering
B. Using access control lists (ACLs) to restrict inbound connection attempts
C. Outbound traffic filtering
D. Recentralizing distributed systems

A

Answer: C
Explanation: Outbound (egress) traffic filtering can help prevent an organization's systems from participating in a distributed
denial-of-service (DDoS) attack: dropping packets whose source address is not part of the organization's own address space
(anti-spoofing, as described in BCP 38) and denying outbound protocols a host has no business sending stops compromised internal
hosts from flooding an external victim. Inbound filtering protects the organization from being the target, not from being a participant.

43
Q
QUESTION 43 - (Topic 1)
Which of the following is a passive attack method used by intruders to determine potential network vulnerabilities?
A. Traffic analysis
B. SYN flood
C. Denial of service (DoS)
D. Distributed denial of service (DDoS)
A

Answer: A
Explanation: Traffic analysis is a passive attack method used by intruders to determine potential network vulnerabilities. All others are active attacks.

44
Q

QUESTION 44 - (Topic 1)
What must an IS auditor understand before performing an application audit? Choose the BEST answer.
A. The potential business impact of application risks.
B. Application risks must first be identified.
C. Relative business processes.
D. Relevant application risks.

A

Answer: C
Explanation: An IS auditor must first understand relative business processes before performing an application audit.

45
Q
QUESTION 45 - (Topic 1)
A control that detects transmission errors by appending calculated bits onto the end of each segment of data is known as a:
A. reasonableness check.
B. parity check.
C. redundancy check.
D. check digits.
A

Answer: C
Explanation:
A redundancy check detects transmission errors by appending calculated bits onto the end of each segment of data.
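
Questions 23 and 45 both describe the same control, so one added example serves both (it is not code from the original flashcards): a bitwise CRC-32 as the "specially calculated bits", a sender that appends them to a segment, a receiver that recomputes and compares, and a single parity bit alongside for contrast. The segment contents are constructed; the CRC parameters are the standard IEEE 802.3 ones, cross-checked against `zlib.crc32`.

```python
"""Added example: parity vs. a CRC redundancy check appended to each data segment."""
import zlib

CRC32_POLY = 0xEDB88320   # IEEE 802.3 polynomial, bit-reflected form


def crc32(data: bytes) -> int:
    """Bitwise CRC-32 (same parameters as Ethernet, zlib and PNG), written out so the
    calculation of the check bits is visible rather than hidden in a library call."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ CRC32_POLY
            else:
                crc >>= 1
    return crc ^ 0xFFFFFFFF


def matches_reference(data: bytes) -> bool:
    """Cross-check this implementation against the standard library."""
    return crc32(data) == zlib.crc32(data)


def frame_segment(segment: bytes) -> bytes:
    """Sender side: append the four check bytes to the end of the segment."""
    return segment + crc32(segment).to_bytes(4, "big")


def check_frame(frame: bytes) -> tuple:
    """Receiver side: recompute over the payload and compare with the trailer."""
    segment, trailer = frame[:-4], frame[-4:]
    return segment, crc32(segment) == int.from_bytes(trailer, "big")


def parity_bit(data: bytes) -> int:
    """A single even-parity bit over the whole segment, for comparison."""
    return sum(bin(b).count("1") for b in data) & 1


def flip_bits(data: bytes, bit_positions) -> bytes:
    """Simulate line noise: invert the given bit positions (0 = most significant bit of byte 0)."""
    out = bytearray(data)
    for pos in bit_positions:
        out[pos // 8] ^= 1 << (7 - pos % 8)
    return bytes(out)


def detection_report(segment: bytes, bit_positions) -> dict:
    """Corrupt the segment at the given bits and report which check notices."""
    damaged = flip_bits(segment, bit_positions)
    parity_caught = parity_bit(damaged) != parity_bit(segment)
    # Flip the same payload bits inside the framed copy, leaving the trailer intact.
    crc_caught = not check_frame(flip_bits(frame_segment(segment), bit_positions))[1]
    return {"parity": parity_caught, "crc": crc_caught}


# Constructed sample segment (an EFT-style record).
SEGMENT = b"PAY 0100 ACCT 12345678 AMT 425.75"

if __name__ == "__main__":
    print(detection_report(SEGMENT, [5]))        # one flipped bit: both checks fire
    print(detection_report(SEGMENT, [5, 13]))    # two flipped bits: parity is fooled, the CRC is not
```

A parity bit misses any even number of flipped bits; a CRC-32 catches every one- and two-bit error over a frame this short, every odd number of errors and every burst up to 32 bits. Neither is a security control: an attacker who can change the payload can recompute the trailer, so integrity against tampering needs a keyed MAC or a signature, not a redundancy check.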

46
Q

QUESTION 46 - (Topic 1)
An intentional or unintentional disclosure of a password is likely to be evident within control logs. True or false?
A. True
B. False

A

Answer: B
Explanation: An intentional or unintentional disclosure of a password is not likely to be evident within control logs.

47
Q

QUESTION 47 - (Topic 1)
What is a primary high-level goal for an auditor who is reviewing a system development project?
A. To ensure that programming and processing environments are segregated
B. To ensure that proper approval for the project has been obtained
C. To ensure that business objectives are achieved
D. To ensure that projects are monitored and administrated effectively

A

Answer: C
Explanation: A primary high-level goal for an auditor who is reviewing a systems-development project is to ensure that business objectives are achieved. This objective guides all other systems development objectives.

48
Q

QUESTION 48 - (Topic 1)
Which of the following can degrade network performance? Choose the BEST answer.
A. Superfluous use of redundant load-sharing gateways
B. Increasing traffic collisions due to host congestion by creating new collision domains
C. Inefficient and superfluous use of network devices such as switches
D. Inefficient and superfluous use of network devices such as hubs

A

Answer: D
Explanation: Inefficient and superfluous use of network devices such as hubs can degrade network performance.

49
Q

QUESTION 49 - (Topic 1)
What type(s) of firewalls provide(s) the greatest degree of protection and control because both firewall technologies inspect all seven OSI layers of network traffic?
A. A first-generation packet-filtering firewall
B. A circuit-level gateway
C. An application-layer gateway, or proxy firewall, and stateful-inspection firewalls
D. An application-layer gateway, or proxy firewall, but not stateful-inspection firewalls

A

Answer: C
Explanation: An application-layer gateway (proxy firewall) and a stateful-inspection firewall provide the greatest degree of protection and control because, in the exam's model, both technologies inspect all seven OSI layers of network traffic. Caveat for practitioners: a basic stateful-inspection firewall tracks connection state at layers 3 and 4; examining layer 7 content requires an application-aware (proxy or deep-packet-inspection) engine, so confirm which the product actually does before relying on it for protocol-level controls such as the FTP download restriction in question 20.

50
Q

QUESTION 50 - (Topic 1)
A call-back system requires that a user with an id and password call a remote server through a dial-up line, then the server disconnects and:
A. dials back to the user machine based on the user id and password using a telephone number from its database.
B. dials back to the user machine based on the user id and password using a telephone number provided by the user
during this connection.
C. waits for a redial back from the user machine for reconfirmation and then verifies the user id and password using its database.
D. waits for a redial back from the user machine for reconfirmation and then verifies the user id and password using the
sender’s database.

A

Answer: A
Explanation:
A call-back system in a network-centric environment means that a user with an id and password first calls a remote server through a dial-up line; the server then disconnects and dials back to the user machine, based on the user id and password, using a telephone number from its own database. Although the server can depend upon its own database, it cannot know the authenticity of the dialer when the user dials again. The server cannot depend upon the sender's database to dial back, as that database could be manipulated.

51
Q
QUESTION 51 - (Topic 1)
Using the OSI reference model, what layer(s) is/are used to encrypt data?
A. Transport layer
B. Session layer
C. Session and transport layers
D. Data link layer
A

Answer: C
Explanation: User applications often encrypt and encapsulate data using protocols within the OSI session layer or farther
down in the transport layer. (In deployed stacks, TLS runs directly above TCP and IPsec encrypts at the network layer; the textbook OSI model itself assigns encryption to the presentation layer.)

52
Q
QUESTION 52 - (Topic 1)
Which of the following is a data validation edit and control?
A. Hash totals
B. Reasonableness checks
C. Online access controls
D. Before and after image reporting
A

Answer: B
Explanation:
A reasonableness check is a data validation edit and control, used to ensure that data conforms to predetermined criteria.

53
Q
QUESTION 53 - (Topic 1)
What type of approach to the development of organizational policies is often driven by risk assessment?
A. Bottom-up
B. Top-down
C. Comprehensive
D. Integrated
A

Answer: A
Explanation: A bottom-up approach to the development of organizational policies is often driven by risk assessment: policies grow out of the risks identified in individual operational areas, whereas a top-down approach starts from management's objectives and derives policy from them.

54
Q

QUESTION 54 - (Topic 1)
What are intrusion-detection systems (IDS) primarily used for?
A. To identify AND prevent intrusion attempts to a network
B. To prevent intrusion attempts to a network
C. Forensic incident response
D. To identify intrusion attempts to a network

A

Answer: D
Explanation: Intrusion-detection systems (IDS) are used to identify intrusion attempts on a network.

55
Q

QUESTION 55 - (Topic 1)
What topology provides the greatest redundancy of routes and the greatest network fault tolerance?
A. A star network topology
B. A mesh network topology with packet forwarding enabled at each host
C. A bus network topology
D. A ring network topology

A

Answer: B
Explanation: A mesh network topology provides a point-to-point link between every network host. If each host is
configured to route and forward communication, this topology provides the greatest redundancy of routes and the greatest network fault tolerance.

56
Q

QUESTION 56 - (Topic 1)
An advantage of a continuous audit approach is that it can improve system security when used in time-sharing
environments that process a large number of transactions. True or false?
A. True
B. False

A

Answer: A
Explanation: It is true that an advantage of a continuous audit approach is that it can improve system security when used in time-sharing environments that process a large number of transactions.

57
Q
QUESTION 57 - (Topic 1)
What is an acceptable recovery mechanism for extremely time-sensitive transaction processing?
A. Off-site remote journaling
B. Electronic vaulting
C. Shadow file processing
D. Storage area network
A

Answer: C
Explanation: Shadow file processing can be implemented as a recovery mechanism for extremely time-sensitive
transaction processing.

58
Q

QUESTION 58 - (Topic 1)
Key verification is one of the best controls for ensuring that:
A. Data is entered correctly
B. Only authorized cryptographic keys are used
C. Input is authorized
D. Database indexing is performed properly

A

Answer: A
Explanation: Key verification (keying the same data a second time, typically by a different operator, and comparing the two entries) is one of the best controls for ensuring that data is entered correctly.

59
Q
QUESTION 59 - (Topic 1)
Which of the following provides the strongest authentication for physical access control?
A. Sign-in logs
B. Dynamic passwords
C. Key verification
D. Biometrics
A

Answer: D
Explanation: Biometrics can be used to provide excellent physical access control.

60
Q
QUESTION 60 - (Topic 1)
Which of the following is a program evaluation review technique that considers different scenarios for planning and control projects?
A. Function Point Analysis (FPA)
B. GANTT
C. Rapid Application Development (RAD)
D. PERT
A

Answer: D
Explanation: PERT (Program Evaluation and Review Technique) is a program evaluation review technique that considers different scenarios for planning and controlling projects.

61
Q
QUESTION 61 - (Topic 1)
An IS auditor is using a statistical sample to inventory the tape library. What type of test would this be considered?
A. Substantive
B. Compliance
C. Integrated
D. Continuous audit
A

Answer: A
Explanation: Using a statistical sample to inventory the tape library is an example of a substantive test.

62
Q
QUESTION 62 - (Topic 1)
________________ (fill in the blank) should be implemented as early as data preparation to support data integrity at the earliest point possible.
A. Control totals
B. Authentication controls
C. Parity bits
D. Authorization controls
A

Answer: A
Explanation: Control totals should be implemented as early as data preparation to support data integrity at the earliest point possible.

63
Q
QUESTION 63 - (Topic 1)
In a public key infrastructure (PKI), the authority responsible for the identification and authentication of an applicant for a digital certificate (i.e., certificate subjects) is the:
A. registration authority (RA).
B. issuing certification authority (CA).
C. subject CA.
D. policy management authority.
A

Answer: A
Explanation:
An RA is an entity that is responsible for the identification and authentication of certificate subjects, but the RA does not sign or issue certificates. The certificate subject usually interacts with the RA to complete the process of subscribing to the services of the certification authority, which includes having its identity validated with standard identification documents, as detailed in the certificate policies of the CA. In the context of a particular certificate, the issuing CA is the CA that issued
the certificate. In the context of a particular CA certificate, the subject CA is the CA whose public key is certified in the certificate.

64
Q

QUESTION 64 - (Topic 1)
A LAN administrator normally would be restricted from:
A. having end-user responsibilities.
B. reporting to the end-user manager.
C. having programming responsibilities.
D. being responsible for LAN security administration.

A

Answer: C
Explanation:
A LAN administrator should not have programming responsibilities but may have end-user responsibilities. The LAN administrator may report to the director of the IPF or, in a decentralized operation, to the end-user manager. In small organizations, the LAN administrator also may be responsible for security administration over the LAN.

65
Q
QUESTION 65 - (Topic 1)
Which of the following is BEST characterized by unauthorized modification of data before or during systems data entry?
A. Data diddling
B. Skimming
C. Data corruption
D. Salami attack
A

Answer: A
Explanation: Data diddling involves modifying data before or during systems data entry.

66
Q
QUESTION 66 - (Topic 1)
An organization having a number of offices across a wide geographical area has developed a disaster recovery plan (DRP). Using actual resources, which of the following is the MOST cost effective test of the DRP?
A. Full operational test
B. Preparedness test
C. Paper test
D. Regression test
A

Answer: B
Explanation:
A preparedness test is performed by each local office/area to test the adequacy of the preparedness of local operations for the disaster recovery.

67
Q
QUESTION 67 - (Topic 1)
What type of fire-suppression system suppresses fire via water that is released from a main valve to be delivered via a system of dry pipes installed throughout the facilities?
A. A dry-pipe sprinkler system
B. A deluge sprinkler system
C. A wet-pipe system
D. A halon sprinkler system
A

Answer: A
Explanation: A dry-pipe sprinkler system suppresses fire via water that is released from a main valve to be delivered via a system of dry pipes installed throughout the facilities.

68
Q
QUESTION 68 - (Topic 1)
Which of the following fire-suppression methods is considered to be the most environmentally friendly?
A. Halon gas
B. Deluge sprinklers
C. Dry-pipe sprinklers
D. Wet-pipe sprinklers
A

Answer: C
Explanation: Although many methods of fire suppression exist, dry-pipe sprinklers are considered to be the most
environmentally friendly.

69
Q

QUESTION 69 - (Topic 1)
Which of the following is a benefit of using callback devices?
A. Provide an audit trail
B. Can be used in a switchboard environment
C. Permit unlimited user mobility
D. Allow call forwarding

A

Answer: A
Explanation:
A callback feature hooks into the access control software and logs all authorized and unauthorized access attempts, permitting the follow-up and further review of potential breaches. Call forwarding (choice D) is a means of potentially bypassing callback control. By dialing through an authorized phone number from an unauthorized phone number, a perpetrator can gain computer access. This vulnerability can be controlled through callback systems that are available.

70
Q

QUESTION 70 - (Topic 1)
An integrated test facility is not considered a useful audit tool because it cannot compare processing output with independently calculated data. True or false?
A. True
B. False

A

Answer: B
Explanation: An integrated test facility is considered a useful audit tool because it compares processing output with independently calculated data.

71
Q
QUESTION 71 - (Topic 1)
Who assumes ownership of a systems-development project and the resulting system?
A. User management
B. Project steering committee
C. IT management
D. Systems developers
A

Answer: A
Explanation: User management assumes ownership of a systems-development project and the resulting system.

72
Q
QUESTION 72 - (Topic 1)
Ensuring that security and control policies support business and IT objectives is a primary objective of:
A. An IT security policies audit
B. A processing audit
C. A software audit
D. A vulnerability assessment
A

Answer: A
Explanation: Ensuring that security and control policies support business and IT objectives is a primary objective of an IT security policies audit.

73
Q

QUESTION 73 - (Topic 1)
Why is the WAP gateway a component warranting critical concern and review for the IS auditor when auditing and testing controls enforcing message confidentiality?
A. WAP is often configured by default settings and is thus insecure.
B. WAP provides weak encryption for wireless traffic.
C. WAP functions as a protocol-conversion gateway for wireless TLS to Internet SSL.
D. WAP often interfaces critical IT systems.

A

Answer: C
Explanation: Functioning as a protocol-conversion gateway for wireless TLS to Internet SSL, the WAP gateway is a component warranting critical concern and review for the IS auditor when auditing and testing controls that enforce message confidentiality.

74
Q

QUESTION 74 - (Topic 1)
What influences decisions regarding criticality of assets?
A. The business criticality of the data to be protected
B. Internal corporate politics
C. The business criticality of the data to be protected, and the scope of the impact upon the organization as a whole
D. The business impact analysis

A

Answer: C
Explanation: Criticality of assets is often influenced by the business criticality of the data to be protected and by the
scope of the impact upon the organization as a whole. For example, the loss of a network backbone creates a much
greater impact on the organization as a whole than the loss of data on a typical user’s workstation.

75
Q
QUESTION 75 - (Topic 1)
When are benchmarking partners identified within the benchmarking process?
A. In the design stage
B. In the testing stage
C. In the research stage
D. In the development stage
A

Answer: C
Explanation: Benchmarking partners are identified in the research stage of the benchmarking process.

76
Q
QUESTION 76 - (Topic 1)
What type of risk results when an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when errors actually exist?
A. Business risk
B. Detection risk
C. Residual risk
D. Inherent risk
A

Answer: B
Explanation: Detection risk results when an IS auditor uses an inadequate test procedure and concludes that material
errors do not exist when errors actually exist.

77
Q

QUESTION 77 - (Topic 1)
Off-site data backup and storage should be geographically separated so as to
________________ (fill in the blank) the risk of a widespread physical disaster such as a hurricane or earthquake.
A. Accept
B. Eliminate
C. Transfer
D. Mitigate

A

Answer: D
Explanation: Off-site data backup and storage should be geographically separated, to mitigate the risk of a widespread
physical disaster such as a hurricane or an earthquake.

78
Q
QUESTION 78 - (Topic 1)
Who is responsible for implementing cost-effective controls in an automated system?
A. Security policy administrators
B. Business unit management
C. Senior management
D. Board of directors
A

Answer: B
Explanation: Business unit management is responsible for implementing cost-effective controls in an automated system.

79
Q

QUESTION 79 - (Topic 1)
Mitigating the risk and impact of a disaster or business interruption usually takes priority over transference of risk to a third party such as an insurer. True or false?
A. True
B. False

A

Answer: A
Explanation: Mitigating the risk and impact of a disaster or business interruption usually takes priority over transferring risk to a third party such as an insurer.

80
Q
QUESTION 80 - (Topic 1)
What can be used to help identify and investigate unauthorized transactions? Choose the BEST answer.
A. Postmortem review
B. Reasonableness checks
C. Data-mining techniques
D. Expert systems
A

Answer: C
Explanation: Data-mining techniques can be used to help identify and investigate unauthorized transactions.

81
Q
QUESTION 81 - (Topic 1)
Authentication techniques for sending and receiving data between EDI systems are crucial to prevent which of the following? Choose the BEST answer.
A. Unsynchronized transactions
B. Unauthorized transactions
C. Inaccurate transactions
D. Incomplete transactions
A

Answer: B
Explanation: Authentication techniques for sending and receiving data between EDI systems are crucial to prevent
unauthorized transactions.

82
Q
QUESTION 82 - (Topic 1)
What are used as a countermeasure for potential database corruption when two processes attempt to simultaneously edit or update the same information? Choose the BEST answer.
A. Referential integrity controls
B. Normalization controls
C. Concurrency controls
D. Run-to-run totals
A

Answer: C
Explanation: Concurrency controls are used as a countermeasure for potential database corruption when two processes attempt to simultaneously edit or update the same information.

83
Q

QUESTION 83 - (Topic 1)
A check digit is an effective edit check to:
A. Detect data-transcription errors
B. Detect data-transposition and transcription errors
C. Detect data-transposition, transcription, and substitution errors
D. Detect data-transposition errors

A

Answer: B
Explanation: A check digit is an effective edit check to detect data-transposition and transcription errors.

https://en.wikipedia.org/wiki/Check_digit

84
Q
QUESTION 84 - (Topic 1)
A hub is a device that connects:
A. two LANs using different protocols.
B. a LAN with a WAN.
C. a LAN with a metropolitan area network (MAN).
D. two segments of a single LAN.
A

Answer: D
Explanation: A hub is a device that connects two segments of a single LAN. A hub is a repeater. It provides transparent connectivity to users on all segments of the same LAN. It is a layer 1 (physical layer) device.

85
Q

QUESTION 85 - (Topic 1)
What should an IS auditor do if he or she observes that project-approval procedures do not exist?
A. Advise senior management to invest in project-management training for the staff
B. Create project-approval procedures for future project implementations
C. Assign project leaders
D. Recommend to management that formal approval procedures be adopted and documented

A

Answer: D
Explanation: If an IS auditor observes that project-approval procedures do not exist, the IS auditor should recommend to management that formal approval procedures be adopted and documented.

86
Q
QUESTION 86 - (Topic 1)
What is an edit check to determine whether a field contains valid data?
A. Completeness check
B. Accuracy check
C. Redundancy check
D. Reasonableness check
A

Answer: A
Explanation: A completeness check is an edit check to determine whether a field contains valid data.

87
Q

QUESTION 87 - (Topic 1)
What is the most common reason for information systems to fail to meet the needs of users? Choose the BEST answer.
A. Lack of funding
B. Inadequate user participation during system requirements definition
C. Inadequate senior management participation during system requirements definition
D. Poor IT strategic planning

A

Answer: B
Explanation: Inadequate user participation during system requirements definition is the most common reason for
information systems to fail to meet the needs of users.

88
Q
QUESTION 88 - (Topic 1)
What is an effective countermeasure for the vulnerability of data entry operators potentially leaving their computers without logging off? Choose the BEST answer.
A. Employee security awareness training
B. Administrator alerts
C. Screensaver passwords
D. Close supervision
A

Answer: C
Explanation: Screensaver passwords are an effective control to implement as a countermeasure for the vulnerability of data entry operators potentially leaving their computers without logging off.

89
Q

QUESTION 89 - (Topic 1)
Input/output controls should be implemented for which applications in an integrated systems environment?
A. The receiving application
B. The sending application
C. Both the sending and receiving applications
D. Output on the sending application and input on the receiving application

A

Answer: C
Explanation: Input/output controls should be implemented for both the sending and receiving applications in an
integrated systems environment.

90
Q

QUESTION 90 - (Topic 1)
What increases encryption overhead and cost the most?
A. A long symmetric encryption key
B. A long asymmetric encryption key
C. A long Advanced Encryption Standard (AES) key
D. A long Data Encryption Standard (DES) key

A

Answer: B
Explanation: A long asymmetric encryption key (public key encryption) increases encryption overhead and cost. All
other answers are single shared symmetric keys.