Exam Questions Flashcards

1
Q

One reason why IT auditing evolved from traditional auditing was that:

A. Auditors realized that computers had impacted their ability to perform the attestation function.
B. Computers and information processing were not a key resource.
C. Professional Associations such as AICPA and ISACA did not recognize the need.
D. Government did not recognize the need.

A

A. Auditors realized that computers had impacted their ability to perform the attestation function.

2
Q

IT auditing may involve:

A. Organizational IT audits
B. Application IT audits
C. Development / implementation IT audits
D. All of the above.

A

D. All of the above

3
Q

Breadth and depth of knowledge required to audit IT and systems are extensive and may include:

A. Application of risk-oriented audit approaches
B. Reporting to management and performing follow-up review to ensure action taken
C. Assessment of security and privacy issues that can put the organization at risk
D. All of the above

A

D. All of the above

4
Q

COBIT stands for:

A. A computer language
B. A federal agency
C. Control Objective for Information and Related Technology
D. None of the above

A

C. Control Objective for Information and Related Technology.

5
Q

ISACA stands for:

A. Information Systems Security Association
B. Institute of Internal Auditors.
C. Information Systems Audit and Control Association.
D. International Association for Computer Educators.

A

C. Information Systems Audit and Control Association

6
Q

ISO is:

A. A government organization
B. A private company
C. International Organization for Standardization
D. None of the above

A

C. International Organization for Standardization

7
Q

The federal government plan for improving security on the Internet is called:

A. FIP 102 Computer Security and Accreditation
B. National Strategy for Securing Cyberspace
C. Computer Abuse Act of 1984
D. Privacy Act of 1974

A

B. National Strategy for Securing Cyberspace

8
Q

Sarbanes-Oxley Act of 2002:

A. Does not affect the attestation function
B. Applies only to the Big Four accounting firms
C. Requires auditor rotation
D. Does not apply to small accounting / audit firms

A

C. Requires auditor rotation.

9
Q

Which is the most recent federal law that addresses computer security or privacy?

A. Computer Fraud and Abuse Act
B. Computer Security Act
C. Homeland Security Act
D. Electronic Communications Privacy Act

A

C. Homeland Security Act.

10
Q

Which act has a provision where punishment can be up to life in prison if electronic hackers are found guilty of causing death to others through their actions?

A. Computer Fraud and Abuse Act
B. Freedom of Information Act
C. Communications Decency Act
D. Homeland Security Act

A

D. Homeland Security Act.

11
Q

According to a recent CSI and FBI study:

A. 90 percent of respondents have detected computer security breaches within the last 12 months
B. 74 percent cited their Internet connection as the frequent point of attack
C. 80 percent acknowledged financial losses due to computer security breaches
D. All of the above

A

D. All of the above

12
Q

Cyber law is:

A. State law
B. Federal law
C. Law governing use of the computer and the internet
D. International law

A

C. Law governing use of the computer and the internet

13
Q

Software piracy costs the computer industry more than

A. $1 billion per year
B. $4 billion per year
C. $9 billion per year
D. More than $10 billion per year

A

D. More than $10 billion per year

14
Q

CFAA covers:

A. Fraudulent trespass
B. Intentional destructive trespass
C. Reckless destructive trespass
D. All of the above

A

D. All of the above

15
Q

Sarbanes-Oxley Act requires that the board of an organization must:

A. Register public accounting firms
B. Establish or adopt, by rule, auditing, quality control, ethics, independence, and other standards related to preparation of the audit report for issuers
C. Conduct inspections of accounting firms
D. All of the above

A

D. All of the above

16
Q

Cyber Security Enhancement Act as incorporated into the Homeland Security Act of 2002.

A. Demands life sentences for those hackers who recklessly endanger lives
B. Does not require ISPs to hand over records
C. Does not outlaw publications such as details of PGP
D. None of the above

A

A. Demands life sentences for those hackers who recklessly endanger lives

17
Q

Key areas to look at in IT contracts are:

A. Vendor contract terms that limit vendor liability
B. Contract objectives and performance measurements to ensure objectives have been met
C. Review and inclusion in future contracts specific clauses for protecting customer interests
D. All of the above.

A

D. All of the above.

18
Q

A federal agency that protects consumers and has increased its monitoring and review of the Internet for customer and identity theft is the:

A. NSA
B. CIA
C. FTC
D. None of the above

A

C. FTC

19
Q

National Strategy for Securing Cyberspace:

A. Applies only to defense area
B. Applies only to medical records
C. Provides a framework for protecting the nation’s infrastructures that is essential to the economy, security, and the way of life
D. None of the above

A

C. Provides a framework for protecting the nation’s infrastructures that is essential to the economy, security, and the way of life

20
Q

Which act is the first ever federal privacy standard to protect patients’ medical records?

A. Encrypted Communications Privacy Act of 1966
B. Privacy Act of 1974
C. HIPAA of 1996
D. All of the above

A

C. HIPAA of 1996

21
Q

Which of the following is not one of the 10 top reasons for the start up of IT audit?

A. Auditing around the computer was becoming unsatisfactory for the purposes of database reliance
B. Accessibility of personal computers for office and home use
C. Very little advancement in technology
D. Growth of corporate hackers

A

C. Very little advancement in technology

22
Q

Professional associations that have Standards of Practice:

A. IIA
B. ISACA
C. AICPA
D. All of the above

A

D. All of the above

23
Q

A federal agency that develops and issues government auditing standards is:

A. GSA
B. GAO
C. Federal Bureau of Investigation (FBI)
D. Federal Trade Commission (FTC)

A

B. GAO

24
Q

A special condition where an auditor must be free of any bias or influence, and have

A. IT skills
B. Good writing skills
C. Professional development
D. Independence

A

D. Independence.

I’m not sure of the context of this question, it will be interesting to actually see if it’s on the exam.

25
Q

Which federal law was developed and passed by the U.S. lawmakers in reaction to recent financial frauds such as Enron?

A. FCPA
B. SEC Act
C. Sarbanes-Oxley Act
D. Computer Fraud and Abuse Act

A

C. Sarbanes-Oxley Act

26
Q

In the author’s opinion, an auditor must have:

A. High ethical standards
B. Limited training
C. Poor communication skills
D. Poor time management skills

A

A. High ethical standards

27
Q

GAAS was developed and issued by:

A. NIST
B. AICPA
C. FTC
D. NSA

A

B. AICPA

28
Q

Certifications that may be helpful to an IT auditor are:

A. CIA
B. CFE
C. CISSP
D. All of the above

A

D. All of the above

29
Q

An auditor who works for IBM directly and is on its audit staff is considered to be:

A. An external auditor
B. An internal auditor
C. A consultant
D. None of the above

A

B. An internal auditor

30
Q

Computer forensic specialists are experts who:

A. Investigate under extreme secrecy so that other individuals do not know exactly what they are doing or what information they have gathered
B. May testify in court where an independent opinion is needed on complex technical issues
C. Have an extensive background working with computers and dealing with technical issues and are, of course, familiar with gathered information and the methods used to acquire that information
D. All of the above

A

D. All of the above

31
Q

Which audit area involves definition of audit scope, initial contacts and communication with auditees, and audit team selection?

A. Fact gathering
B. Audit tests
C. Audit preparation
D. Audit objectives

A

C. Audit preparation

32
Q

Which audit area involves a formal plan for reviewing and testing each significant audit subject area disclosed during fact gathering?

A. Audit objectives
B. Audit program
C. Audit tests
D. Use of audit tools

A

C. Audit tests

33
Q

Which IT audit area involves formal statements that describe a course of action that should be implemented to restore or provide accuracy, efficiency, or adequate control of an audit subject?

A. Audit tests
B. Findings of the audit reports
C. Recommendations of an audit report
D. Conclusion of an audit report

A

D. Conclusion of an audit report

34
Q

At the minimum, an audit plan should include all but:

A. Definition of scope
B. Objectives stated
C. An orderly, structured approach
D. A lack of flexibility in approach

A

D. A lack of flexibility in approach

35
Q

Activities of a preliminary review may include:

A. General data gathering
B. Identifying financial application areas
C. Preparing the audit plan
D. All of the above

A

B. Identifying financial application areas

36
Q

The first step in conducting fieldwork and implementing audit methodology is:

A. Design audit procedures
B. Define audit objectives
C. Evaluate results
D. Build a detailed understanding of the area being audited

A

B. Define audit objectives

37
Q

Purpose of follow up is to:

A. Determine if the audit recommendations have been implemented
B. Determine the progress made in implementing the audit recommendations
C. Assess any potential savings / value added as a result of the recommendations
D. All of the above

A

D. All of the above

38
Q

The advantage of tying the audit universe to organization objectives is that:

A. Links the entire audit process to business objectives
B. Improves management’s understanding of the audit process
C. Develops the communication plan for the audit
D. None of the above

A

A. Links the entire audit process to business objectives

39
Q

Audit risk assessment is an important step in the audit process because:

A. It leverages the abilities of the audit staff by minimizing redundant activity
B. It provides a framework for communicating audit results
C. It provides a framework for allocating audit resources to achieve maximum benefit
D. None of the above

A

C. It provides a framework for allocating audit resources to achieve maximum benefit

40
Q

Auditing is a cyclical process because

A. Performing audit tests is an iterative process
B. Audit results are used in subsequent risk assessments
C. The audit universe is aligned to the business cycle
D. All of the above

A

B. Audit results are used in subsequent risk assessments

41
Q

Audit productivity tools can be used in:

A. Planning and tracking
B. Documentation and presentations
C. Communications and data transfer
D. All of the above

A

D. All of the above

42
Q

Generalized audit software can:

A. Validate calculations
B. Select specific records for examination
C. Analyze and compare files
D. All of the above

A

D. All of the above

43
Q

The task of examining a spreadsheet for reasonableness checks and comparison with known outputs is:

A. Documentation
B. Extent of training
C. Verification of logic
D. Support commitment

A

C. Verification of logic

44
Q

Which is not a database integrity control?

A. Value constraints
B. Biometrics
C. Backup and recovery protection
D. Referential integrity

A

B. Biometrics

45
Q

A testing approach used to validate processing by setting up a fictitious company or branch in an application for testing transaction processing is called

A. Snapshot
B. SARF
C. Integrated test facility
D. Transaction tagging

A

C. Integrated test facility

WHY? I’m not sure of this answer - google it

46
Q

A technique used to follow a selected transaction through the entire application to verify the integrity, validity, and reliability is called:

A. Snapshot
B. Transaction tagging
C. SCARF
D. Test data

A

B. Transaction tagging

47
Q

Which of the following are categories of computer audit functions?

A. Items of audit interest.
B. Data analysis
C. Systems validation
D. All of the above

A

D. All of the above

48
Q

Histogram analysis technique allows the auditor to:

A. Apply judgment in identifying and selecting appropriate testing techniques
B. Validate transmission of data
C. Prepare the audit plan
D. All of the above.

A

A. Apply judgment in identifying and selecting appropriate testing techniques

49
Q

Which automated technique can apply a sampling methodology to the collection of transaction or records?

A. Test data
B. Snapshot
C. SARF
D. None of the above

A

C. SARF

50
Q

Computer forensic tools are increasingly used to:

A. Support law enforcement
B. Support computer security investigations
C. Support computer audit investigations
D. All of the above

A

D. All of the above

51
Q

Some of the following elements should be included in a career development plan:

A. Career path planning with management support
B. Definition of knowledge, skills, and abilities
C. Performance assessment and counseling
D. All of the above

A

D. All of the above

52
Q

Which professional certification can be helpful to an IT auditor’s career?

A. CISA
B. CISSP
C. CPA
D. All of the above

A

D. All of the above

53
Q

Which IT audit area involves audit selection, definition of audit scope, initial contacts and communication with auditees and audit team selection?

A. Fact gathering
B. Audit tests
C. Audit preparation
D. Audit objectives

A

C. Audit preparation

54
Q

Which IT audit area involves a formal plan for reviewing and testing each significant audit subject area disclosed during the fact gathering?

A. Audit objectives
B. Audit program
C. Audit tests
D. Use of audit tools

A

B. Audit program

55
Q

Which IT audit area involves formal statements that describe a course of action that should be implemented to restore or provide accuracy, efficiency, or adequate control of an audit subject?

A. Audit status
B. Finding on an audit report
C. Recommendations of an audit report
D. Conclusion of an audit report

A

C. Recommendations of an audit report

56
Q

IT audit assessment is very important and, at a minimum, consists of reviewing:

A. Completeness of the audit
B. Pertinence of the information presented
C. Accuracy of the audit work and supporting work papers
D. All of the above

A

D. All of the above

57
Q

Some of the areas that one can assess for the IT auditor’s individual performance are:

A. Communication skills
B. Judgment
C. Auditing knowledge
D. All of the above

A

D. All of the above

58
Q

Why is it important to learn about best practices?

A. Efficiency
B. Add value to client/auditee or organization
C. Advancement in technology
D. All of the above

A

D. All of the above.

59
Q

“A” is the best practice that consists of a document that sets the tone or course of action you plan to take with your client / auditee:

A. Benchmarking
B. Planning memo
C. Risk analysis
D. None of the above

A

B. Planning memo

60
Q

Reasons for risk analysis are:

A. Loss or corruption of information and IS assets
B. Impaired and ineffective management decision making
C. Disruption to customer service or other critical operations
D. All of the above

A

D. All of the above

61
Q

IT auditing involves:

A. People
B. Technology
C. Operations and systems
D. All of the above

A

D. All of the above

62
Q

COBIT was developed and issued by

A. AICPA
B. IIA
C. ISACA
D. ACFE

A

C. ISACA

63
Q

SAC reports were issued by

A. IIA
B. ISSA
C. ISACA
D. AICPA

A

A. IIA

64
Q

Information assurance is defined as

A. Information integrity
B. Level of confidence and trust that can be placed on the information
C. Level of trust and confidence that can be placed on service availability
D. All of the above

A

D. All of the above

65
Q

Which of the following U.S. federal acts has pledged almost a billion dollars toward curriculum, research, and skill development in IT audit, control, security, and information assurance issues?

A. Computer Fraud and Abuse Act of 1984
B. Computer Security Act of 1987
C. Cyber Security Research and Development Act
D. HIPAA Act of 1996

A

C. Cyber Security Research and Development Act

66
Q

Which organization, operating under U.S. national authority, provides through its initiatives the foundation for a dramatic increase in the population of trained and professionalized security experts?

A. AICPA
B. ISACA
C. NIETP
D. None of the above

A

C. NIETP

67
Q

Standards for information security officers have been issued by

A. CIA
B. FPI
C. GAO
D. NSTISSC

A

D. NSTISSC

68
Q

A new field of opportunity and career growth is

A. Business systems analyst
B. Computer forensic analyst
C. Network administrator
D. None of the above

A

B. Computer forensic analyst

69
Q

The number of universities within the United States identified as centers of excellence in information assurance is:

A. 10
B. 25
C. 40
D. Greater than 49

A

D. Greater than 49

70
Q

An IT auditor’s role in IT governance can be as

A. A counselor
B. A partner of senior management
C. An educator
D. All of the above

A

D. All of the above

71
Q

IT governance is

A. A process by which an enterprise’s IT is directed and controlled
B. An evaluation of computers and information processing not as key resources
C. Management that is only involved in making decisions
D. User dominance in IT decision making

A

A. A process by which an enterprise’s IT is directed and controlled

72
Q

IT governance is controlled through a series of processes and procedures that:

A. Determine how investments are managed
B. Identify who can make decisions
C. Determine how results are measured
D. None of the above

A

D. None of the above

73
Q

For IT to be an effective partner in organizational decision making, the CIO must

A. Offer proactive solutions to organizational needs
B. Get agreement on the measures of IT performance
C. Regularly attend board meetings
D. None of the above

A

A. Offer proactive solutions to organizational needs

74
Q

Which of the following is not a main reason for ERM functions being established within organizations?

A. Increasing software patches
B. Magnitude of problem
C. Increasing business risks
D. Organizational oversight

A

A. Increasing software patches

75
Q

Compliance with laws and regulations is a key business risk because of

A. Controls outlined in COBIT
B. Impact on security of an organization
C. Sheer number of laws and regulations
D. Automation of financial processes

A

C. Sheer number of laws and regulations

76
Q

Continuous auditing is a technique used to

A. Create a sample of production data to test controls
B. Detect and report on control breakdowns as they occur
C. Provide a tool for business users to manage IT
D. All of the above

A

B. Detect and report on control breakdowns as they occur

77
Q

Measuring IT performance is dependent on

A. Delivering successful projects
B. Keeping operations running
C. Reducing operating costs
D. Strategy and objectives of the organization

A

D. Strategy and objectives of the organization

78
Q

Developing a successful measurement process requires

A. Alignment between IT organization objectives
B. Mature measurement processes
C. Support from IT and organizational management
D. Automated measurement tools to report accurate metrics

A

C. Support from IT and organizational management

79
Q

A successful measurement process includes all of the following, except

A. Ownership of the measurement process from the area to be measured
B. Measure the effective use of resources and alignment with business objectives
C. Measurement of events and processes rather than individuals
D. Measurement must be meaningful, reliable, and accurately represent the area measured

A

B. Measure the effective use of resources and alignment with business objectives

80
Q

IT governance requires management action taken at all levels to

A. Decrease the probability of carelessness
B. Reduce outside threat and the probability of hostile penetration
C. Decrease fraud and corruption within the organization
D. All of the above

A

D. All of the above

81
Q

What is the purpose of developing an IS strategic plan?

A. Define the IT goals and objectives.
B. Guide the acquisition, allocation, and management of IT resources.
C. Define the technology to be used by the organization for the current year.
D. Provide a process for governing investments in IT.

A

B. Guide the acquisition, allocation, and management of IT resources.

82
Q

COBIT model is based on the following:

A. COSO model of internal controls
B. Capability Maturity Model
C. Project Management Body of Management
D. ISO 9000 - Quality Management and Quality Assurance Standards

A

A. COSO model of internal controls

83
Q

Planning and Organization domain includes all of the following except

A. Project management standards
B. Architecture planning process
C. Strategic planning process
D. Operational readiness process

A

D. Operational readiness process

84
Q

FFIEC is made up of representatives from

A. FRB and FDIC
B. Office of the Comptroller of the Currency
C. OTS and NCUA
D. All of the above plus representatives from each bank regulatory council

A

C. OTS and NCUA

85
Q

Basel Committee believes

A. Board of directors must be involved with approval of the operational risks management plan, which includes technology risk.
B. Senior management has responsibility for implementing the plan and spreading information about the plan throughout the organization
C. Processes must be in place to identify risk, measure them, monitor their occurrence, and control or mitigate their occurrence.
D. All of the above.

A

D. All of the above

86
Q

One of the obstacles to the success of CRM has been:

A. Project management standards
B. Lack of strategic plan
C. Strategic planning process
D. Architecture planning process
E. None of the above

A

D. Architecture planning process

87
Q

Portfolio management processes are needed to

A. Ensure new technology is approved by appropriate groups
B. Ensure projects are completed on time, on budget, and with full functionality
C. Ensure effective and efficient IT operations
D. Ensure the effective use of resources and alignment with business objectives

A

D. Ensure the effective use of resources and alignment with business objectives

88
Q

A technical review process helps ensure that:

A. Project has included all of the costs of the technology solution
B. Right solution is selected that integrates with other technology components
C. Current infrastructure is sufficient to support the new technology
D. Appropriate level of senior management approvals has been received

A

B. Right solution is selected that integrates with other technology components

89
Q

Architectural standards are needed to:

A. Determine which vendor products to use
B. Simplify and standardize infrastructure costs
C. Communicate programming standards to software developers
D. Speed the implementation process for new technology

A

B. Simplify and standardize infrastructure costs

90
Q

A technical steering committee provides:

A. A control mechanism for evaluating and approving new technology solutions
B. A framework for organizing and assessing software development and maintenance
C. Leadership in advancing the practice of software engineering
D. Guidance in the acquisition, allocation, and management of IT resources

A

A. A control mechanism for evaluating and approving new technology solutions

91
Q

NIST stands for which of the following?

A. National Information Security Test
B. National Institute of Standards and Testing
C. National Institute of Standards and Technology
D. National Institute of Security and Technology

A

C. National Institute of Standards and Technology

92
Q

GAO conducts audits, surveys, investigations, and evaluations of

A. Federal agencies
B. Businesses
C. State agencies
D. All of the above

A

D. All of the above

93
Q

Which of the following organizations consists of representatives from industry, public, accounting, investment firms, and the New York Stock Exchange?

A. IIA
B. COSO
C. ISACA
D. AICPA

A

B. COSO

94
Q

Risk retention (self-insurance) methods should meet all of the following criteria, except:

A. Risk should be spread physically to distribute exposure across several locations
B. Determine whether a self-insurance reserve should be established to cover a possible loss
C. Develop an internal risk management group to monitor exposures
D. Determine the maximum exposure to loss

A

C. Develop an internal risk management group to monitor exposures

95
Q

Threats to integrity and privacy from inside the organization include:

A. Loss or destruction of assets by malicious acts
B. Errors from incompetence or carelessness
C. Deliberate exposure of private or privileged information
D. All of the above

A

D. All of the above

96
Q

Costs of risk include all of the following, except:

A. Cost of loss-prevention measures
B. Cost of security controls
C. Cost of losses sustained
D. Insurance premiums

A

B. Cost of security controls

97
Q

Tools used to identify risks include all of the following except:

A. Risk analysis questionnaire
B. Flowchart of operations.
C. Audit workflow software
D. Insurance policy checklist

A

C. Audit workflow software

98
Q

IT risk evaluation involves:

A. Ranking of the size and probability of potential loss.
B. Evaluation of the level of risk of a given process or function
C. Ensuring that risk losses do not prevent organization management from meeting its objectives.
D. Retaining a portion of the risk to reduce the insurance or premium costs.

A

A. Ranking of the size and probability of potential loss.

“Size” and “Probability” are the same thing as “Significance” and “Likelihood”

99
Q

Reasons for risk analysis are:

A. Loss or corruption of information and IS assets
B. Impaired and ineffective management decision making
C. Disruption of customer service or other critical operations.
D. All of the above.

A

D. All of the above

100
Q

Which of the following statements regarding the effect of insurance on risk is true?

A. Prevents loss or damage to the organization
B. Transfers risk of loss or damage to the insurance company
C. Risks are not managed when insured.
D. None of the above

A

B. Transfers risk of loss or damage to the insurance company

101
Q

Advantages of a centralized organization model include all of the following, except:

A. Ability to leverage scale for pricing concessions
B. Flexibility and responsiveness to customer needs
C. Shared services only add incremental costs to increased volumes.
D. Centrally located server environment.

A

B. Flexibility and responsiveness to customer needs

102
Q

To ensure consistent and effective implementation of technology, IT management should be responsible for:

A. Information systems strategy
B. Standards
C. User support
D. All of the above.

A

D. All of the above.

103
Q

Resource management ensures:

A. IT has the right resources at the right time
B. Appropriate organizational structure is selected
C. Quality assurance processes are followed.
D. None of the above.

A

A. IT has the right resources at the right time

104
Q

Quality Management Standards include:

A. National Strategy for Securing Cyberspace
B. ISO 9000
C. ISACA
D. All of the above

A

B. ISO 9000

105
Q

Which of the following is not true about ISO 9001 certification?

A. Accreditation is accomplished after being certified by a notified body.
B. All organizations can establish ISO 9001 compliance.
C. A most important benefit from the registration is access to markets such as the EC that require compliance.
D. The NACCB approves an organization to operate an assessment and registration or certification scheme.

A

B. All organizations can establish ISO 9001 compliance.

106
Q

All of the following are CMM key processes, except:

A. Requirements management
B. Subcontract management
C. Asset classification and control
D. Software configuration management

A

C. Asset classification and control

107
Q

A process framework is needed to:

A. Ensure noncompliance issues are addressed with senior management
B. Ensure all critical processes are defined, reviewed, validated and maintained
C. Describe the steps that a person is directed to perform
D. None of the above

A

B. Ensure all critical processes are defined, reviewed, validated and maintained

108
Q

Which of the following is not true about well-documented policies and procedures?

A. Describe the function of activities.
B. Define interrelationships with other departments
C. Ensure quality systems are implemented.
D. Should tie directly to goals and objectives of the organization

A

C. Ensure quality systems are implemented.

109
Q

Objectives of a quality assurance audit include all of the following, except:

A. Satisfies performance guidelines
B. Adherence of project activities to standards and procedures.
C. All impacted groups cooperate with quality assurance activities.
D. Quality assurance activities are planned and documented.

A

A. Satisfies performance guidelines

110
Q

The purpose of a procedure is to:

A. Describe steps that a person is directed to perform
B. Describe steps to achieve some objective
C. Describe how to produce a product
D. All of the above

A

D. All of the above

111
Q

IT asset management delivers the following benefit(s):

A. More accurate cost assignments for computer assets
B. Improved planning for future acquisitions.
C. Better purchase and deployment decisions.
D. Better use of warranty and service contracts.
E. All of the above

A

E. All of the above

112
Q

Project capital budget requests should include:

A. Business benefits of the proposed solution
B. Financial impact on the operating budget
C. Total development costs and infrastructure costs.
D. Project staffing and schedule.
E. All of the above

A

E. All of the above

113
Q

An investment approval request should include all of the following, except:

A. Business issues and assumptions
B. Financial return and contingencies
C. SLAs
D. Resources required and proposed technology
E. None of the above

A

C. SLAs

Service Level Agreements

114
Q

Project benefits should be stated in measurable terms:

A. To audit the investment approval request
B. To determine the financial impact on the operating budget
C. To provide a means for validating the benefits
D. To determine the resources required for the project
E. None of the above

A

C. To provide a means for validating the benefits

115
Q

Approaches to developing a pricing model include:

A. IT-based consumption model
B. Business-based consumption model
C. Fee-based chargeback
D. Profit-oriented chargeback model
E. All of the above

A

E. All of the above

116
Q

Developing a pricing model requires knowledge of:

A. Security requirements
B. Tax and regulatory requirements
C. Third party charging models
D. Project pricing model
E. All of the above

A

B. Tax and regulatory requirements

117
Q

Steps to successfully implement a new pricing model include all of the following except:

A. Gain an understanding of the underlying cost structure
B. Benchmark existing services to the industry
C. Compare the new to the old pricing model
D. Develop SLAs
E. Gather IT measurements

A

B. Benchmark existing services to the industry

118
Q

Project cost estimate should include:

A. Alignment to enterprise architecture standards
B. Financial return and contingencies
C. The total development and infrastructure costs.
D. The business benefits of the proposed solution.
E. All of the above

A

C. The total development and infrastructure costs.

119
Q

Financial planning in IT begins with an understanding of:

A. Business volume growth projections
B. Enterprise architecture standards
C. IT organizational model
D. Regulatory compliance requirements
E. None of the above

A

A. Business volume growth projections

120
Q

Managing demand and service levels:

A. Is a prerequisite to implementing a pricing model
B. Ensures performance meets expectations
C. Aligns demand with service offerings
D. Keeps costs from running out of control
E. None of the above

A

D. Keeps costs from running out of control

121
Q

PMLC:

A. Provides a structure for defining requirements and developing applications
B. Is focused on project scope, schedule and budget
C. Is focused on the analysis, construction and testing of applications
D. Provides a structure for evaluating IT investments

A

B. Is focused on project scope, schedule and budget

122
Q

Effective project management ensures that:

A. Processes are explicitly defined, managed, measured, controlled, and effective
B. Applications are designed, developed, and implemented
C. Project tasks are defined, and resources are available and completed on time and within budget
D. Project has included all the costs of the technology solution

A

C. Project tasks are defined, and resources are available and completed on time and within budget

123
Q

During the planning phase, the auditor can:

A. Review project deliverables to identify control weaknesses
B. Review project management processes for appropriateness
C. Facilitate communication between the project team and senior management.
D. Facilitate communication between functions and raise issues.

A

D. Facilitate communication between functions and raise issues.

124
Q

A project management process review would:

A. Assess the adequacy of the control environment for managing projects.
B. Ensure the right solution is selected that integrates with other technology components.
C. Ensure clearly defined requirements in the request for proposal.
D. Ensure projects are completed on time, on budget, and with full functionality

A

A. Assess the adequacy of the control environment for managing projects.

125
Q

Project management tools allow the user to:

A. Track metrics for measuring third-party vendors
B. Help determine which vendor products to use
C. Provide a process for governing investments in IT
D. Define tasks, dependencies, and track progress

A

D. Define tasks, dependencies, and track progress

126
Q

Key tasks during a project management review are:

A. Check project management tools for proper usage
B. Assess readiness for implementation
C. Maintain independence to remain objective
D. All of the above

A

D. All of the above

127
Q

Which of the following is not a process risk?

A. Processes are explicitly defined, managed, measured, controlled, and effective.
B. Lack of strategic direction
C. Lack of project management standards
D. Negative organizational climate

A

A. Processes are explicitly defined, managed, measured, controlled, and effective.

128
Q

Which of the following is not a project risk?

A. Review of project deliverables to identify control weaknesses
B. Inexperienced staff
C. Lack of management commitment
D. Project complexity and magnitude

A

A. Review of project deliverables to identify control weaknesses

129
Q

One of the biggest obstacles in implementation is:

A. Adequacy of the control environment for managing projects.
B. User resistance
C. Clearly defined requirements in the request for proposal
D. Ensure projects are staffed

A

B. User resistance

130
Q

Project management tools could be:

A. Microsoft Project
B. Open Plan
C. CPM or PERT
D. All of the above

A

D. All of the above

131
Q

A well-controlled implementation minimizes the following risks, except:

A. Staff turnover
B. System bugs
C. Misaligned staff
D. Performance issues

A

A. Staff turnover

132
Q

Which of the following is not a test event?

A. Functional testing
B. Negative testing
C. Unit testing
D. Acceptance testing

A

B. Negative testing

133
Q

Risks associated with prototypes and RAD are:

A. Incomplete system design
B. Inefficient processing performance
C. Inadequate documentation
D. All of the above

A

D. All of the above

134
Q

All of the following are examples of EUD, except:

A. Mainframe-based query tools
B. Vendor packages that automate a generic business process
C. Operating systems
D. End-user developed applications

A

C. Operating systems

135
Q

Which of the following risks is associated with end-user computing?

A. Weak security
B. Inadequate support
C. Inadequate training
D. All of the above

A

D. All of the above

136
Q

Testing that verifies the application can be implemented without interruption to the business, and that there is enough capacity, is:

A. Unit testing
B. Functional testing
C. Technical stintge
D. Performance and load testing

A

D. Performance and load testing

137
Q

End-user acceptance testing ensures that the system:

A. Fulfils the agreed-upon functional expectations
B. Meets established usability
C. Satisfies performance guidelines
D. Meets state regulations
E. Answers a, b and c

A

E. Answers a, b and c

138
Q

Conversion is defined as the process of:

A. Cleaning data in the legacy system
B. Testing data
C. Transferring data from the legacy system to the new system
D. Testing data during an implementation

A

C. Transferring data from the legacy system to the new system

139
Q

What is not considered a form of documentation in a system implementation?

A. Sequence of programs and steps to be taken in case of processing failure
B. Code with comments embedded
C. IS Strategy
D. Pseudo-code and flowcharts

A

C. IS Strategy

140
Q

Key tasks an auditor might perform during systems development are:

A. Reviewing user requirements
B. Checking all technical specifications for compliance with organizational standards
C. Reviewing test plans
D. All of the above

A

D. All of the above

141
Q

One of the basic steps in the software acquisition process is:

A. Identifying a single alternative
B. Defining the information and system requirements
C. Performing user and site surveys
D. Replacing existing hardware platforms

A

B. Defining the information and system requirements

142
Q

What is the most important step in the software acquisition process?

A. Defining information requirements
B. Identifying alternatives
C. Performing the feasibility analysis
D. Conducting risk analysis

A

A. Defining information requirements

143
Q

As a means of increasing user support, many projects are now including as part of their project plans:

A. Infrastructure diagrams
B. Outsourcing
C. Communication and business change management
D. Sales and marketing

A

C. Communication and business change management

144
Q

Gathering information and systems requirements can be accomplished by all of the following, except:

A. Interviewing those expected to use the information produced by the system as well as those expected to produce the information input into the system
B. Interviewing the software supplier to find the best-selling software in the market
C. Developing a prototype of the proposed system
D. Researching other companies

A

B. Interviewing the software supplier to find the best-selling software in the market

145
Q

A document that specifies the minimal acceptable requirements as well as the evaluation criteria for a solution is called a:

A. Request for bid
B. Request for information
C. Request for proposal
D. Request for quote

A

C. Request for proposal

146
Q

Participants in the selection process may not include representatives from:

A. Management
B. Anticipated users
C. IT department
D. Supplier

A

D. Supplier

147
Q

Contract terms and conditions normally do not include the following:

A. An organizational chart of the customer’s IT department
B. A functional definition of the work to be performed
C. Supplier staffing and specified qualifications
D. Methods of providing progress reports

A

A. An organizational chart of the customer’s IT department

148
Q

What is not an advantage of purchasing off-the-shelf solutions?

A. Shorter implementation time
B. Ability to use the company’s existing IT infrastructure
C. Use of proven technology
D. Easier to define costs

A

B. Ability to use the company’s existing IT infrastructure

149
Q

When selecting a supplier package, organizations should consider all of the following, except:

A. Stability of the supplier company
B. Supplier’s ability to provide support
C. Required modifications to the base software
D. Sales and marketing literature

A

D. Sales and marketing literature

150
Q

Effective supplier management is based on:

A. SLAs with contract penalties
B. Clearly defined requirements in the RFP
C. Measurable service levels and regular monitoring
D. Strong negotiation skills of the procurement team

A

C. Measurable service levels and regular monitoring

151
Q

All of the following are examples of application risks, except:

A. Inaccurate data
B. Incomplete data
C. Repeated data
D. Duplicate data

A

C. Repeated data

152
Q

Within a convenience store register system used to total orders and receive payment from customers, which of the following has the highest risk?

A. Duplicate transactions
B. Communications failure
C. Unauthorized remote access
D. Misuse by authorized users

A

D. Misuse by authorized users

153
Q

All of the following are examples of application controls, except:

A. Testing the data-entry screen
B. User ergonomic requirements
C. Documentation of the backup procedures
D. A list of valid sources of input

A

B. User ergonomic requirements

154
Q

A company allows data from their sales tracking system to be extracted to spreadsheets by all users. Which of the following is the highest risk associated with this practice?

A. Copyright violations
B. Inefficient use of resources
C. Unauthorized access to data
D. Incompatible systems

A

C. Unauthorized access to data

155
Q

Which of the following is an example of a risk associated with EUC?

A. Employees make copies of software to work at home
B. Employees enter time into company time sheet system
C. Employees can view all sales data within the company’s sales tracking system
D. Employee can modify his time sheet data after he has entered it into the time sheet system

A

A. Employees make copies of software to work at home

156
Q

All of the following are examples of misuse of resources associated with EUC, except:

A. Employees can purchase their own computer equipment for work
B. Employees can purchase their own software to be used at work
C. Employees can purchase their own computer training
D. Employees create their own end-user procedure manuals

A

C. Employees can purchase their own computer training

157
Q

A department employee creates and maintains a spreadsheet for the employees in that department to enter hours they worked. Spreadsheets are subsequently used to load the employees’ working time into the system. Which of the following is the highest risk associated with the specific use of the spreadsheet?

A. Time sheet does not accurately compute the total time worked
B. Employees may see the time worked by their fellow employees
C. Employees do not enter their time correctly
D. Spreadsheets are not signed by the employee

A

A. Time sheet does not accurately compute the total time worked

158
Q

Viruses pose all of the following risks, except:

A. Loss of data
B. Loss of paper documents
C. Loss of hardware
D. Loss of performance

A

B. Loss of paper documents

159
Q

Interfaces are another form of:

A. Output
B. Report
C. Input
D. Processing

A

C. Input

160
Q

Which form of documentation would be the most critical to an applications programmer?

A. Procedures
B. Flowcharts
C. Report layout
D. Processing logic

A

D. Processing logic

161
Q

In classifying the importance of each of the goals for change management, which one is the most important?

A. Identification
B. Categorization
C. Prioritization
D. Authorization

A

D. Authorization

162
Q

In the change request process, the following information should be obtained, except:

A. User contact and responsibility
B. List of future changes
C. IT contact and responsibility
D. Management approval

A

B. List of future changes

163
Q

In an emergency change control process, which of the following is the highest risk?

A. Unauthorized changes are made
B. Emergency change introduces performance problems
C. Changes are approved after they are implemented
D. Lack of analysis

A

A. Unauthorized changes are made

164
Q

In the following list of criteria for approving changes, select the one that is most important:

A. Criticality
B. State of the production environment
C. Resource availability
D. Effect of all proposed changes

A

B. State of the production environment

165
Q

Following a change, the condition of which of the following should be evaluated?

A. Requestor
B. Change objectives
C. Technical support
D. Staffing

A

B. Change objectives

166
Q

All of the following are components of organizational culture that affect the success of IT, except:

A. Incentives
B. Company politics
C. Inter-organizational relationships
D. Government politics

A

D. Government politics

167
Q

Managing organizational change would include all of the following, except:

A. Marketing plans
B. Training and professional development plans
C. User involvement in design
D. Communication plans

A

A. Marketing plans

168
Q

Business process review sessions review:

A. Requests for systems changes
B. Requests for business process changes
C. Changes introduced by the new system
D. Training requests

A

C. Changes introduced by the new system

169
Q

An IT system that now allows the corporate office to view data from their individual sales offices introduces the most change to:

A. Social relationships
B. Technical support
C. Inter-organizational relationships
D. Company politics

A

D. Company politics

170
Q

In auditing an automated change control system, an auditor would review all of the following, except:

A. License agreements
B. Rules
C. Access lists
D. Log files

A

A. License agreements

171
Q

Formal service-level agreements are required when:

A. Services are provided across tax jurisdictions
B. Charging for IT services
C. Applications share the same processor
D. None of the above

A

A. Services are provided across tax jurisdictions

172
Q

Service-level agreements should include:

A. Definition of services
B. Service quality
C. Roles and responsibilities
D. All of the above

A

Answer: A, C

A. Definition of services
C. Roles and responsibilities

173
Q

Customer service-level agreements:

A. Define services from the customer’s perspective
B. Describe operating platform availability
C. List key applications
D. All of the above

A

A. Define services from the customer’s perspective

174
Q

Operating-level agreements are used to:

A. Measure platform availability
B. Set expectations between application and operations groups
C. Define application development and maintenance services
D. All of the above

A

B. Set expectations between application and operations groups

175
Q

Supplier service-level agreements:

A. Define services and quality
B. Help manage third-party services
C. Align to customer service-level agreements
D. All of the above

A

D. All of the above

176
Q

Service design and pricing requires:

A. Allocation of overhead to all services
B. Inclusion of disaster recovery
C. Aggregation of the underlying process costs.
D. All of the above

A

C. Aggregation of the underlying process costs.

177
Q

Service provisioning processes are needed to:

A. Create user information for security
B. Create asset information for inventory
C. Create usage information for finance
D. All of the above

A

D. All of the above

178
Q

A relationship manager’s role is to:

A. Develop and maintain a close relationship with the customer
B. Ensure that IT services are aligned with customer needs
C. Influence the strategic direction of IT investments to maximize future benefits
D. All of the above

A

D. All of the above

179
Q

Service measurement should be:

A. Coordinated with IT process improvement and governance metrics
B. Frequent and detailed
C. Based on peak usage
D. None of the above

A

A. Coordinated with IT process improvement and governance metrics

180
Q

A customer is responsible for:

A. Reporting issues
B. Following procedures
C. Defining requirements
D. All of the above

A

D. All of the above

181
Q

Providing end users with training is important because users:

A. Make fewer calls to the help desk
B. Will use applications more effectively
C. Make few mistakes and have fewer questions
D. All of the above

A

D. All of the above

182
Q

Responsibilities of the service desk include all of the following, except:

A. Log and route service requests
B. Handle problem calls
C. Provide desk-side support
D. Prepare standard monthly reports

A

C. Provide desk-side support

183
Q

Information gathered by the service desk can be used by the following process:

A. Asset management
B. Change management
C. Service management
D. All of the above

A

D. All of the above

184
Q

Specialized service support groups provide:

A. Resolution of more complex issues
B. Primary diagnosis and resolution of common problems
C. Support for more knowledgeable users
D. None of the above

A

A. Resolution of more complex issues

185
Q

Advantages of outsourcing the service desk include:

A. Quicker implementation time
B. Lower customer satisfaction
C. More comprehensive training
D. None of the above

A

A. Quicker implementation time

186
Q

Knowledge management includes:

A. Documenting how-to-use applications
B. Sharing information on problems and fixes
C. Making information available to users
D. All of the above

A

D. All of the above

187
Q

An objective of incident management is to:

A. Minimize the adverse impact of incidents and problems
B. Restore operations as soon as possible
C. Develop a workaround
D. Resolve problems

A

B. Restore operations as soon as possible

188
Q

Problem severity is an important aspect of problem management needed to:

A. Prioritize problem resolution
B. Determine the cost / benefit of resolving individual problems
C. Identify regulatory compliance issues
D. All of the above

A

D. All of the above

189
Q

Problem management tools should be part of a common toolset integrated with:

A. Asset management
B. Change management
C. Service desk
D. All of the above

A

D. All of the above

190
Q

A problem reporting process is needed to:

A. Measure against SLAs
B. Identify the root cause of problems
C. Follow up on action responses
D. All of the above

A

A. Measure against SLAs

191
Q

ISO 17799 covers:

A. Security policy
B. Security organization
C. Asset classification and control
D. All of the above

A

D. All of the above

192
Q

An information security policy provides all of the following, except:

A. Guide to decision making about information security
B. High-level statements of security objectives
C. Instructions for implementing security attributes
D. Ways to prevent and respond to threats

A

C. Instructions for implementing security attributes

193
Q

According to the CERT, what percent of actual security incidents goes unreported?

A. 20 percent
B. 40 percent
C. 60 percent
D. 80 percent

A

D. 80 percent

194
Q

Information security requires participation and support from which one of the following groups:

A. Local system administrators
B. Department managers
C. Contractors
D. All of the above

A

D. All of the above

195
Q

Vulnerability management includes which one of the following processes:

A. Inventory of physical assets
B. Change management
C. Virus protection software
D. None of the above

A

B. Change management

196
Q

Implementing identity management can result in all of the following benefits, except:

A. Reduced help desk call volume
B. Consistent security and accountability
C. Improved password selection
D. Improved turnaround time for adding users

A

C. Improved password selection

197
Q

Encryption technologies electronically store information in an encoded form that can only be decoded by an authorized individual who has the appropriate decryption technology and a:

A. Private key
B. Public key
C. Authorization to decrypt
D. Ability to decrypt

A

C. Authorization to decrypt

198
Q

To be effective, which one of the following groups must support a contingency and disaster recovery plan to offer a business the best chance to survive?

A. Auditors and management
B. Technical personnel and management
C. Management and staff
D. Auditors and security officers

A

C. Management and staff

199
Q

To be usable, a disaster recovery plan must be:

A. Written
B. Approved
C. Tested
D. Enforced

A

C. Tested

200
Q

Which of the following would not be included in a companywide policy on end-user computing (EUC)?

A. Wireless encryption standards
B. Appropriate documentation
C. Segregation of duties
D. Backup procedures

A

A. Wireless encryption standards