Friday, 8 April 2016

CISA Mock Test-Question Paper-1

Mock Test-Paper No.1-CISA course
(Ref:QB9F50/QB10F50/QB11F50/QB13.130-179)

1. In an audit of an inventory application, which approach would provide the BEST evidence that purchase orders are valid?
A. Testing whether inappropriate personnel can change application parameters
B. Tracing purchase orders to a computer listing
C. Comparing receiving reports to purchase order details
D. Reviewing the application documentation

2. The extent to which data will be collected during an IS audit should be determined based on the:
A. availability of critical and required information.
B. auditor's familiarity with the circumstances.
C. auditee's ability to find relevant evidence.
D. purpose and scope of the audit being done.

3. The responsibility, authority and accountability of the IS audit function is appropriately documented in an audit charter and MUST be:
A. approved by the highest level of management.
B. approved by audit department management.
C. approved by user department management.
D. changed every year before commencement of IS audits.

4. A key element in a risk analysis is:
A. audit planning.
B. controls.
C. vulnerabilities.
D. liabilities.

5. An IS auditor discovers evidence of fraud perpetrated with a manager's user id. The manager had written the password, allocated by the system administrator, inside his/her desk drawer. The IS auditor should conclude that the:
A. manager's assistant perpetrated the fraud.
B. perpetrator cannot be established beyond doubt.
C. fraud must have been perpetrated by the manager.
D. system administrator perpetrated the fraud.

6. During a review of a customer master file, an IS auditor discovered numerous customer name duplications arising from variations in customer first names. To determine the extent of the duplication, the IS auditor would use:
A. test data to validate data input.
B. test data to determine system sort capabilities.
C. generalized audit software to search for address field duplications.
D. generalized audit software to search for account field duplications.

7. The IS department of an organization wants to ensure that the computer files used in the information processing facility are adequately backed up to allow for proper recovery. This is a(n):
A. control procedure.
B. control objective.
C. corrective control.
D. operational control.

8. During a security audit of IT processes, an IS auditor found that there were no documented security procedures. The IS auditor should:
A. create the procedures document.
B. terminate the audit.
C. conduct compliance testing.
D. identify and evaluate existing practices.

9. When implementing continuous monitoring systems, an IS auditor's first step is to identify:
A. reasonable target thresholds.
B. high-risk areas within the organization.
C. the location and format of output files.
D. applications that provide the highest potential payback.

10. In an IS audit of several critical servers, the IS auditor wants to analyze audit trails to discover potential anomalies in user or system behavior. Which of the following tools is MOST suitable for performing that task?
A. CASE tools
B. Embedded data collection tools
C. Heuristic scanning tools
D. Trend/variance detection tools

11. An IS auditor should use statistical sampling and not judgment (nonstatistical) sampling, when:
A. the probability of error must be objectively quantified.
B. the auditor wishes to avoid sampling risk.
C. generalized audit software is unavailable.
D. the tolerable error rate cannot be determined.

12. When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:
A. controls needed to mitigate risks are in place.
B. vulnerabilities and threats are identified.
C. audit risks are considered.
D. a gap analysis is appropriate.

13. The vice president of human resources has requested an audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation?
A. Test data
B. Generalized audit software
C. Integrated test facility
D. Embedded audit module

14. Which of the following would be the BEST population to take a sample from when testing program changes?
A. Test library listings
B. Source program listings
C. Program change requests
D. Production library listings

15. Which of the following normally would be the MOST reliable evidence for an auditor?
A. A confirmation letter received from a third party verifying an account balance
B. Assurance from line management that an application is working as designed
C. Trend data obtained from World Wide Web (Internet) sources
D. Ratio analysis developed by the IS auditor from reports supplied by line management

16. During a review of the controls over the process of defining IT service levels, an IS auditor would MOST likely interview the:
A. systems programmer.
B. legal staff.
C. business unit manager.
D. application programmer.

17. In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, an IS auditor should:
A. identify and assess the risk assessment process used by management.
B. identify information assets and the underlying systems.
C. disclose the threats and impacts to management.
D. identify and evaluate the existing controls.

18. A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it:
A. can identify high-risk areas that might need a detailed review later.
B. allows IS auditors to independently assess risk.
C. can be used as a replacement for traditional audits.
D. allows management to relinquish responsibility for control.

19. Senior management has requested that an IS auditor assist the departmental management in the implementation of necessary controls. The IS auditor should:
A. refuse the assignment since it is not the role of the IS auditor.
B. inform management of his/her inability to conduct future audits.
C. perform the assignment and future audits with due professional care.
D. obtain the approval of user management to perform the implementation and follow-up.

20. Which of the following is the MOST likely reason why e-mail systems have become a useful source of evidence for litigation?
A. Multiple cycles of backup files remain available.
B. Access controls establish accountability for e-mail activity.
C. Data classification regulates what information should be communicated via e-mail.
D. Within the enterprise, a clear policy for using e-mail ensures that evidence is available.

21. Which of the following is a benefit of a risk-based approach to audit planning? Audit:
A. scheduling may be performed months in advance.
B. budgets are more likely to be met by the IS audit staff.
C. staff will be exposed to a variety of technologies.
D. resources are allocated to the areas of highest concern.

22. An audit charter should:
A. be dynamic and change often to coincide with the changing nature of technology and the audit profession.
B. clearly state audit objectives for and the delegation of authority to the maintenance and review of internal controls.
C. document the audit procedures designed to achieve the planned audit objectives.
D. outline the overall authority, scope and responsibilities of the audit function.

23. An IS auditor is evaluating a corporate network for a possible penetration by employees. Which of the following findings should give the IS auditor the GREATEST concern?
A. There are a number of external modems connected to the network.
B. Users can install software on their desktops.
C. Network monitoring is very limited.
D. Many user ids have identical passwords.

24. While planning an audit, an assessment of risk should be made to provide:
A. reasonable assurance that the audit will cover material items.
B. definite assurance that material items will be covered during the audit work.
C. reasonable assurance that all items will be covered by the audit.
D. sufficient assurance that all items will be covered during the audit work.

25. To identify the value of inventory that has been kept for more than eight weeks, an IS auditor would MOST likely use:
A. test data.
B. statistical sampling.
C. an integrated test facility.
D. generalized audit software.

26. An integrated test facility is considered a useful audit tool because it:
A. is a cost-efficient approach to auditing application controls.
B. enables the financial and IS auditors to integrate their audit tests.
C. compares processing output with independently calculated data.
D. provides the IS auditor with a tool to analyze a large range of information.

27. The decisions and actions of an IS auditor are MOST likely to affect which of the following risks?
A. Inherent
B. Detection
C. Control
D. Business

28. Data flow diagrams are used by IS auditors to:
A. order data hierarchically.
B. highlight high-level data definitions.
C. graphically summarize data paths and storage.
D. portray step-by-step details of data generation.

29. Reviewing management's long-term strategic plans helps the IS auditor:
A. gain an understanding of an organization's goals and objectives.
B. test the enterprise's internal controls.
C. assess the organization's reliance on information systems.
D. determine the number of audit resources needed.

30. When evaluating the collective effect of preventive, detective or corrective controls within a process, an IS auditor should be aware:
A. of the point at which controls are exercised as data flow through the system.
B. that only preventive and detective controls are relevant.
C. that corrective controls can only be regarded as compensating.
D. that classification allows an IS auditor to determine which controls are missing.

31. The risk of an IS auditor using an inadequate test procedure and concluding that material errors do not exist when, in fact, they do is an example of:
A. inherent risk.
B. control risk.
C. detection risk.
D. audit risk.

32. The PRIMARY purpose of an audit charter is to:
A. document the audit process used by the enterprise.
B. formally document the audit department's plan of action.
C. document a code of professional conduct for the auditor.
D. describe the authority and responsibilities of the audit department.

33. An IS auditor has evaluated the controls for the integrity of the data in a financial application. Which of the following findings would be the MOST significant?
A. The application owner was unaware of several changes applied to the application by the IT department.
B. The application data are backed up only once a week.
C. The application development documentation is incomplete.
D. Information processing facilities are not protected by appropriate fire detection systems.

34. Overall business risk for a particular threat can be expressed as:
A. a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability.
B. the magnitude of the impact should a threat source successfully exploit the vulnerability.
C. the likelihood of a given threat source exploiting a given vulnerability.
D. the collective judgment of the risk assessment team.

35. Which one of the following could an IS auditor use to validate the effectiveness of edit and validation routines?
A. Domain integrity test
B. Relational integrity test
C. Referential integrity test
D. Parity checks

36. An IS auditor reviews an organizational chart PRIMARILY for:
A. an understanding of workflows.
B. investigating various communication channels.
C. understanding the responsibilities and authority of individuals.
D. investigating the network connected to different employees.

37. An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should FIRST review:
A. the controls already in place.
B. the effectiveness of the controls in place.
C. the mechanism for monitoring the risks related to the assets.
D. the threats/vulnerabilities affecting the assets.

38. Which of the following is an objective of a control self-assessment (CSA) program?
A. Concentration on areas of high risk
B. Replacement of audit responsibilities
C. Completion of control questionnaires
D. Collaborative facilitative workshops

39. Which of the following steps would an IS auditor normally perform FIRST in a data center security review?
A. Evaluate physical access test results.
B. Determine the risks/threats to the data center site.
C. Review business continuity procedures.
D. Test for evidence of physical access at suspect locations.

40. The traditional role of an IS auditor in a control self-assessment (CSA) should be that of:
A. facilitator.
B. manager.
C. partner.
D. stakeholder.

41. The use of statistical sampling procedures helps minimize:
A. sampling risk.
B. detection risk.
C. inherent risk.
D. control risk.

42. An IS auditor evaluates the test results of a modification to a system that deals with payment computation. The auditor finds that 50 percent of the calculations do not match predetermined totals. Which of the following would MOST likely be the next step in the audit?
A. Design further tests of the calculations that are in error.
B. Identify variables that may have caused the test results to be inaccurate.
C. Examine some of the test cases to confirm the results.
D. Document the results and prepare a report of findings, conclusions and recommendations.

43. An IS auditor is assigned to perform a post implementation review of an application system. Which of the following situations may have impaired the independence of the IS auditor? The IS auditor:
A. implemented a specific control during the development of the application system.
B. designed an embedded audit module exclusively for auditing the application system.
C. participated as a member of the application system project team, but did not have operational responsibilities.
D. provided consulting advice concerning application system best practices.

44. The BEST method of proving the accuracy of a system tax calculation is by:
A. detailed visual review and analysis of the source code of the calculation programs.
B. recreating program logic using generalized audit software to calculate monthly totals.
C. preparing simulated transactions for processing and comparing the results to predetermined results.
D. automatic flowcharting and analysis of the source code of the calculation programs.

45. Which of the following audit tools is MOST useful to an IS auditor when an audit trail is required?
A. Integrated test facility (ITF)
B. Continuous and intermittent simulation (CIS)
C. Audit hooks
D. Snapshots

46. The PRIMARY advantage of a continuous audit approach is that it:
A. does not require an IS auditor to collect evidence on system reliability while processing is taking place.
B. requires the IS auditor to review and follow up immediately on all information collected.
C. can improve system security when used in time-sharing environments that process a large number of transactions.
D. does not depend on the complexity of an organization's computer systems.

47. Which of the following sampling methods is MOST useful when testing for compliance?
A. Attribute sampling
B. Variable sampling
C. Stratified mean per unit
D. Difference estimation

48. An IS auditor is reviewing access to an application to determine whether the 10 most recent "new user" forms were correctly authorized. This is an example of:
A. variable sampling.
B. substantive testing.
C. compliance testing.
D. stop-or-go sampling.

49. The MAJOR advantage of the risk assessment approach over the baseline approach to information security management is that it ensures:
A. information assets are overprotected.
B. a basic level of protection is applied regardless of asset value.
C. appropriate levels of protection are applied to information assets.
D. an equal proportion of resources are devoted to protecting all information assets.

50. In a risk-based audit approach, an IS auditor should FIRST complete a(n):
A. inherent risk assessment.
B. control risk assessment.
C. test of control assessment.
D. substantive test assessment.

51. The development of an IS security policy is ultimately the responsibility of the:
A. IS department.
B. security committee.
C. security administrator.
D. board of directors.

52. To minimize costs and improve service levels an outsourcer should seek which of the following contract clauses?
A. O/S and hardware refresh frequencies
B. Gain-sharing performance bonuses
C. Penalties for noncompliance
D. Charges tied to variable cost metrics

53. Involvement of senior management is MOST important in the development of:
A. strategic plans.
B. IS policies.
C. IS procedures.
D. standards and guidelines.

54. An IS auditor should be concerned when a telecommunication analyst:
A. monitors systems performance and tracks problems resulting from program changes.
B. reviews network load requirements in terms of current and future transaction volumes.
C. assesses the impact of the network load on terminal response times and network data transfer rates.
D. recommends network balancing procedures and improvements.

55. The output of the risk management process is an input for making:
A. business plans.
B. audit charters.
C. security policy decisions.
D. software design decisions.

56. The risks associated with electronic evidence gathering would MOST likely be reduced by an e-mail:
A. destruction policy.
B. security policy.
C. archive policy.
D. audit policy.

57. An IT steering committee should review information systems PRIMARILY to assess:
A. whether IT processes support business requirements.
B. if proposed system functionality is adequate.
C. the stability of existing software.
D. the complexity of installed technology.

58. An IS auditor reviewing an organization's IT strategic plan should FIRST review:
A. the existing IT environment.
B. the business plan.
C. the present IT budget.
D. current technology trends.

59. As an outcome of information security governance, strategic alignment provides:
A. security requirements driven by enterprise requirements.
B. baseline security following best practices.
C. institutionalized and commoditized solutions.
D. an understanding of risk exposure.

60. A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential losses, the team should:
A. compute the amortization of the related assets.
B. calculate a return on investment (ROI).
C. apply a qualitative approach.
D. spend the time needed to define exactly the loss amount.

61. The IT balanced scorecard is a business governance tool intended to monitor IT performance evaluation indicators other than:
A. financial results.
B. customer satisfaction.
C. internal process efficiency.
D. innovation capacity.

62. Establishing the level of acceptable risk is the responsibility of:
A. quality assurance management.
B. senior business management.
C. the chief information officer.
D. the chief security officer.

63. Which of the following is the MOST critical for the successful implementation and maintenance of a security policy?
A. Assimilation of the framework and intent of a written security policy by all appropriate parties
B. Management support and approval for the implementation and maintenance of a security policy
C. Enforcement of security rules by providing punitive actions for any violation of security rules
D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software

64. To ensure an organization is complying with privacy requirements, the IS auditor should FIRST review:
A. the IT infrastructure.
B. the organization's policies, standards and procedures.
C. legal and regulatory requirements.
D. the adherence to organizational policies, standards and procedures.

65. Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?
A. Overlapping controls
B. Boundary controls
C. Access controls
D. Compensating controls

66. Which of the following is the MOST important function to be performed by IS management when a service has been outsourced?
A. Ensuring that invoices are paid to the provider
B. Participating in systems design with the provider
C. Renegotiating the provider's fees
D. Monitoring the outsourcing provider's performance

67. Before implementing an IT balanced scorecard, an organization must:
A. deliver effective and efficient services.
B. define key performance indicators.
C. provide business value to IT projects.
D. control IT expenses.

68. The MOST likely effect of the lack of senior management commitment to IT strategic planning is:
A. a lack of investment in technology.
B. a lack of a methodology for systems development.
C. the technology not aligning with the organization's objectives.
D. an absence of control over technology contracts.

69. Which of the following would BEST provide assurance of the integrity of new staff?
A. Background screening
B. References
C. Bonding
D. Qualifications listed on a resumé

70. Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems?
A. User management coordination does not exist.
B. Specific user accountability cannot be established.
C. Unauthorized users may have access to originate, modify or delete data.
D. Audit recommendations may not be implemented.

71. Effective IT governance will ensure that the IT plan is consistent with the organization's:
A. business plan.
B. audit plan.
C. security plan.
D. investment plan.

72. Which of the following is a function of an IS steering committee?
A. Monitoring vendor-controlled change control and testing
B. Ensuring a separation of duties within the information's processing environment
C. Approving and monitoring major projects, the status of IS plans and budgets
D. Liaising between the IS department and the end users

73. A long-term IS employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be based on the individual's experience and:
A. the length of service since this will help ensure technical competence.
B. age as training in audit techniques may be impractical.
C. IS knowledge since this will bring enhanced credibility to the audit function.
D. ability, as an IS auditor, to be independent of existing IS relationships.

74. Which of the following programs would a sound information security policy MOST likely include to handle suspected intrusions?
A. Response
B. Correction
C. Detection
D. Monitoring

75. An organization has outsourced its software development. Which of the following is the responsibility of the organization's IT management?
A. Paying for provider services
B. Participating in systems design with the provider
C. Managing compliance with the contract for the outsourced services
D. Negotiating contractual agreement with the provider

76. When reviewing IS strategies, the IS auditor can BEST assess whether IS strategy supports the organization's business objectives by determining if IS:
A. has all the personnel and equipment it needs.
B. plans are consistent with management strategy.
C. uses its equipment and personnel efficiently and effectively.
D. has sufficient excess capacity to respond to changing directions.

77. Which of the following is the PRIMARY objective of an IT performance measurement process?
A. Minimize errors.
B. Gather performance data.
C. Establish performance baselines.
D. Optimize performance.

78. Which of the following is the initial step in creating a firewall policy?
A. A cost-benefit analysis of methods for securing the applications
B. Identification of network applications to be externally accessed
C. Identification of vulnerabilities associated with network applications to be externally accessed
D. Creation of an applications traffic matrix showing protection methods

79. Many organizations require an employee to take a mandatory vacation (holiday) of a week or more to:
A. ensure the employee maintains a good quality of life, which will lead to greater productivity.
B. reduce the opportunity for an employee to commit an improper or illegal act.
C. provide proper cross-training for another employee.
D. eliminate the potential disruption caused when an employee takes vacation one day at a time.

80. In reviewing the IS short-range (tactical) plan, the IS auditor should determine whether:
A. there is an integration of IS and business staffs within projects.
B. there is a clear definition of the IS mission and vision.
C. there is a strategic information technology planning methodology in place.
D. the plan correlates business objectives to IS goals and objectives.

81. An organization acquiring other businesses continues using its legacy EDI systems and uses three separate value-added network (VAN) providers. No written VAN agreements exist. The IS auditor should recommend that management:
A. obtains independent assurance of the third-party service providers.
B. sets up a process for monitoring the service delivery of the third party.
C. ensures that formal contracts are in place.
D. considers agreements with third-party service providers in the development of continuity plans.

82. Which of the following goals would you expect to find in an organization's strategic plan?
A. Test a new accounting package.
B. Perform an evaluation of information technology needs.
C. Implement a new project planning system within the next 12 months.
D. Become the supplier of choice for the product offered.

83. Assessing IT risks is BEST achieved by:
A. evaluating threats associated with existing IT assets and IT projects.
B. using the firm's past actual loss experience to determine current exposure.
C. reviewing published loss statistics from comparable organizations.
D. reviewing IT control weaknesses identified in audit reports.

84. An IS auditor was hired to review e-business security. The IS auditor's first task was to examine each existing e-business application looking for vulnerabilities. Which would be the next task?
A. Report the risks to the CIO and CEO immediately.
B. Examine e-business application in development.
C. Identify threats and likelihood of occurrence.
D. Check the budget available for risk management.

85. Which of the following IT governance best practices improves strategic alignment?
A. Supplier and partner risks are managed.
B. A knowledge base on customers, products, markets and processes is in place.
C. A structure is provided that facilitates the creation and sharing of business information.
D. Top management mediate between the imperatives of business and technology.

86. Which of the following would be a compensating control to mitigate risks resulting from an inadequate segregation of duties?
A. Sequence check
B. Check digit
C. Source documentation retention
D. Batch control reconciliations

87. The lack of adequate security controls represents a(n):
A. threat.
B. asset.
C. impact.
D. vulnerability.

88. IT control objectives are useful to IS auditors, as they provide the basis for understanding the:
A. desired result or purpose of implementing specific control procedures.
B. best IT security control practices relevant to a specific entity.
C. techniques for securing information.
D. security policy.

89. To support an organization's goals, the IS department should have:
A. a low-cost philosophy.
B. long- and short-range plans.
C. leading-edge technology.
D. planned to acquire new hardware and software.

90. An IS auditor finds that not all employees are aware of the enterprise's information security policy. The IS auditor should conclude that:
A. this lack of knowledge may lead to unintentional disclosure of sensitive information.
B. information security is not critical to all functions.
C. IS audit should provide security training to the employees.
D. the audit finding will cause management to provide continuous training to staff.

91. The general ledger setup function in an enterprise resource planning (ERP) system allows for setting accounting periods. Access to this function has been permitted to users in finance, the warehouse and order entry. The MOST likely reason for such broad access is the:
A. need to change accounting periods on a regular basis.
B. requirement to post entries for a closed accounting period.
C. lack of policies and procedures for the proper segregation of duties.
D. need to create/modify the chart of accounts and its allocations.

92. A comprehensive and effective e-mail policy should address the issues of e-mail structure, policy enforcement, monitoring and:
A. recovery.
B. retention.
C. rebuilding.
D. reuse.

93. A top-down approach to the development of operational policies will help ensure:
A. that they are consistent across the organization.
B. that they are implemented as a part of risk assessment.
C. compliance with all policies.
D. that they are reviewed periodically.

94. When developing a risk management program, the FIRST activity to be performed is a(n):
A. threat assessment.
B. classification of data.
C. inventory of assets.
D. criticality analysis.

95. A probable advantage to an organization that has outsourced its data processing services is that:
A. needed IS expertise can be obtained from the outside.
B. greater control can be exercised over processing.
C. processing priorities can be established and enforced internally.
D. greater user involvement is required to communicate user needs.

96. When an organization is outsourcing their information security function, which of the following should be kept in the organization?
A. Accountability for the corporate security policy
B. Defining the corporate security policy
C. Implementing the corporate security policy
D. Defining security procedures and guidelines

97. When segregation of duties concerns exist between IT support staff and end users, what would be a suitable compensating control?
A. Restricting physical access to computing equipment
B. Reviewing transaction and application logs
C. Performing background checks prior to hiring IT staff
D. Locking user sessions after a specified period of inactivity

98. Which of the following reduces the potential impact of social engineering attacks?
A. Compliance with regulatory requirements
B. Promoting ethical understanding
C. Security awareness programs
D. Effective performance incentives

99. An IS auditor reviewing an organization that uses cross-training practices should assess the risk of:
A. dependency on a single person.
B. inadequate succession planning.
C. one person knowing all parts of a system.
D. a disruption of operations.

100. When performing a review of the structure of an electronic funds transfer (EFT) system, an IS auditor observes that the technological infrastructure is based on a centralized processing scheme that has been outsourced to a provider in another country. Based on this information, which of the following conclusions should be the main concern of the IS auditor?
A. There could be a question with regards to the legal jurisdiction.
B. Having a provider abroad will cause excessive costs in future audits.
C. The auditing process will be difficult because of the distances.
D. There could be different auditing norms.

101. Which of the following is critical to the selection and acquisition of the correct operating system software?
A. Competitive bids
B. User department approval
C. Hardware configuration analysis
D. Purchasing department approval

102. A single digitally signed instruction was given to a financial institution to credit a
customer's account. The financial institution received the instruction three times and
credited the account three times. Which of the following would be the MOST appropriate
control against such multiple credits?
A. Encrypting the hash of the payment instruction with the public key of the financial
institution
B. Affixing a time stamp to the instruction and using it to check for duplicate payments
C. Encrypting the hash of the payment instruction with the private key of the instructor
D. Affixing a time stamp to the hash of the instruction before having it digitally signed by
the instructor

103. Assumptions while planning an IS project involve a high degree of risk because they are:
A. based on known constraints.
B. based on objective past data.
C. a result of a lack of information.
D. often made by unqualified people.

104. An existing system is being extensively enhanced by extracting and reusing design and
program components. This is an example of:
A. reverse engineering.
B. prototyping.
C. software reuse.
D. reengineering.

105. When implementing an acquired system in a client-server environment, which of the
following tests would confirm that the modifications in the Windows registry do not
adversely impact the desktop environment?
A. Sociability testing
B. Parallel testing
C. White box testing
D. Validation testing

106. Information for detecting unauthorized input from a terminal would be BEST provided
by the:
A. console log printout.
B. transaction journal.
C. automated suspense file listing.
D. user error report.

107. The IS auditor finds that a system under development has 12 linked modules and each
item of data can carry up to 10 definable attribute fields. The system handles several
million transactions a year. Which of these techniques could the IS auditor use to estimate
the size of the development effort?
A. Program evaluation review technique (PERT)
B. Counting source lines of code (SLOC)
C. Function point analysis
D. White box testing

108. The editing/validation of data entered at a remote site would be performed MOST
effectively at the:
A. central processing site after running the application system.
B. central processing site during the running of the application system.
C. remote processing site after transmission of the data to the central processing site.
D. remote processing site prior to transmission of the data to the central processing site.

109. Which of the following is the FIRST thing an IS auditor should do after the discovery of a Trojan horse program in a computer system?
A. Investigate the author.
B. Remove any underlying threats.
C. Establish compensating controls.
D. Have the offending code removed.

110. The GREATEST benefit in implementing an expert system is the:
A. capturing of the knowledge and experience of individuals in an organization.
B. sharing of knowledge in a central repository.
C. enhancement of personnel productivity and performance.
D. reduction of employee turnover in key departments.

111. An IS auditor reviewing a proposed application software acquisition should ensure that
the:
A. operating system (OS) being used is compatible with the existing hardware platform.
B. planned OS updates have been scheduled to minimize negative impacts on company
needs.
C. OS has the latest versions and updates.
D. products are compatible with the current or planned OS.

112. Which of the following is MOST likely to occur when a system development project is
in the middle of the programming/coding phase?
A. Unit tests
B. Stress tests
C. Regression tests
D. Acceptance tests

113. An organization planning to purchase a software package asks the IS auditor for a risk
assessment. Which of the following is the MAJOR risk?
A. Unavailability of the source code
B. Lack of a vendor-quality certification
C. Absence of vendor/client references
D. Little vendor experience with the package

114. An IS auditor assigned to audit a reorganized process should FIRST review which of
the following?
A. A map of existing controls
B. Eliminated controls
C. Process charts
D. Compensating controls

115. The PRIMARY benefit of integrating total quality management (TQM) into a software
development project is:
A. comprehensive documentation.
B. on-time delivery.
C. cost control.
D. end-user satisfaction.

116. When reviewing the quality of an IS department's development process, the IS auditor
finds that the department does not use any formal, documented methodology and standards. The
IS auditor's MOST appropriate action would be to:
A. complete the audit and report the finding.
B. investigate and recommend appropriate formal standards.
C. document the informal standards and test for compliance.
D. withdraw and recommend a further audit when standards are implemented.

117. During unit testing, the test strategy applied is:
A. black box.
B. white box.
C. bottom-up.
D. top-down.

118. A decision support system (DSS):
A. is aimed at solving highly structured problems.
B. combines the use of models with nontraditional data access and retrieval functions.
C. emphasizes flexibility in the decision-making approach of users.
D. supports only structured decision-making tasks.

119. Which of the following phases represents the optimum point for software baselining to
occur?
A. Testing
B. Design
C. Requirement
D. Development

120. A proposed transaction processing application will have many data capture sources and
outputs in paper and electronic form. To ensure that transactions are not lost during
processing, the IS auditor should recommend the inclusion of:
A. validation controls.
B. internal credibility checks.
C. clerical control procedures.
D. automated systems balancing.

121. When auditing the conversion of an accounting system an IS auditor should verify the
existence of a:
A. control total check.
B. validation check.
C. completeness check.
D. limit check.

122. A debugging tool, which reports on the sequence of steps executed by a program, is
called a(n):
A. output analyzer.
B. memory dump.
C. compiler.
D. logic path monitor.

123. Which of the following facilitates program maintenance?
A. More cohesive and loosely coupled programs
B. Less cohesive and loosely coupled programs
C. More cohesive and strongly coupled programs
D. Less cohesive and strongly coupled programs

124. Which of the following ensures completeness and accuracy of accumulated data?
A. Processing control procedures
B. Data file control procedures
C. Output controls
D. Application controls

125. The MAJOR concern for an IS auditor reviewing a CASE environment should be that
the use of CASE does not automatically:
A. result in a correct capture of requirements.
B. ensure that desirable application controls have been implemented.
C. produce ergonomic and user-friendly interfaces.
D. generate efficient code.

126. The MOST likely explanation for the use of applets in an Internet application is that:
A. it is sent over the network from the server.
B. the server does not run the program and the output is not sent over the network.
C. they improve the performance of the web server and network.
D. it is a JAVA program downloaded through the web browser and executed by the web
server of the client machine.

127. Ideally, stress testing should be carried out in a:
A. test environment using test data.
B. production environment using live workloads.
C. test environment using live workloads.
D. production environment using test data.

128. Good quality software is BEST achieved:
A. through thorough testing.
B. by finding and quickly correcting programming errors.
C. by determining the amount of testing using the available time and budget.
D. by applying well-defined processes and structured reviews throughout the project.

129. A company undertakes a business process reengineering (BPR) project in support of a
new and direct marketing approach to its customers. Which of the following would be the
IS auditor's main concern about the new process?
A. Are key controls in place to protect assets and information resources?
B. Does it address the corporate customer requirements?
C. Does the system meet the performance goals (time and resources)?
D. Have owners been identified who will be responsible for the process?

130. A company has contracted with an external consulting firm to implement a commercial
financial system to replace its existing in-house-developed system. In reviewing the
proposed development approach, which of the following would be of GREATEST concern?
A. Acceptance testing is to be managed by users.
B. A quality plan is not part of the contracted deliverables.
C. Not all business functions will be available on initial implementation.
D. Prototyping is being used to confirm that the system meets business requirements.

131. The use of a GANTT chart can:
A. aid in scheduling project tasks.
B. determine project checkpoints.
C. ensure documentation standards.
D. direct the postimplementation review.

132. Using test data as part of a comprehensive test of program controls in a continuous
online manner is called a(n):
A. test data/deck.
B. base-case system evaluation.
C. integrated test facility (ITF).
D. parallel simulation.
133. Testing the connection of two or more system components that pass information from
one area to another is:
A. pilot testing.
B. parallel testing.
C. interface testing.
D. regression testing.

134. Regression testing is the process of testing a program to determine if:
A. the new code contains errors.
B. discrepancies exist between functional specifications and performance.
C. new requirements have been met.
D. changes have introduced any errors in the unchanged code.

135. Which of the following groups/individuals should assume overall direction and
responsibility for costs and timetables of system development projects?
A. User management
B. Project steering committee
C. Senior management
D. Systems development management

136. The difference between white box testing and black box testing is that white box testing:
A. involves the IS auditor.
B. is performed by an independent programmer team.
C. examines a program's internal logical structure.
D. uses the bottom-up approach.

137. An IS auditor reviewing a project, where quality is a major concern, should use the
project management triangle to explain that a(n):
A. increase in quality can be achieved, even if resource allocation is decreased.
B. increase in quality is only achieved, if resource allocation is increased.
C. decrease in delivery time can be achieved, even if resource allocation is decreased.
D. decrease in delivery time can only be achieved, if quality is decreased.

138. Which of the following integrity tests examines the accuracy, completeness, consistency
and authorization of data?
A. Data
B. Relational
C. Domain
D. Referential

139. Which of the following is MOST effective in controlling application maintenance?
A. Informing users of the status of changes
B. Establishing priorities on program changes
C. Obtaining user approval of program changes
D. Requiring documented user specifications for changes

140. Which of the following groups should assume ownership of a systems development
project and the resulting system?
A. User management
B. Senior management
C. Project steering committee
D. Systems development management

141. To make an electronic funds transfer (EFT), one employee enters the amount field and
another employee reenters the same data again, before the money is transferred. The
control adopted by the organization in this case is:
A. sequence check.
B. key verification.
C. check digit.
D. completeness check.

142. An IS auditor is told by IS management that the organization has recently reached the
highest level of the software capability maturity model (CMM). The software quality
process MOST recently added by the organization is:
A. continuous improvement.
B. quantitative quality goals.
C. a documented process.
D. a process tailored to specific projects.

143. The use of fourth-generation languages (4GLs) should be weighed carefully against
using traditional languages, because 4GLs:
A. can lack the lower-level detail commands necessary to perform data intensive
operations.
B. cannot be implemented on both the mainframe processors and microcomputers.
C. generally contain complex language subsets that must be used by skilled users.
D. cannot access database records and produce complex online outputs.

144. During the development of an application, the quality assurance testing and user
acceptance testing were combined. The MAJOR concern for an IS auditor reviewing the
project is that there will be:
A. increased maintenance.
B. improper documentation of testing.
C. inadequate functional testing.
D. delays in problem resolution.

145. An organization has contracted with a vendor for a turnkey solution for their electronic
toll collection system (ETCS). The vendor has provided its proprietary application software
as part of the solution. The contract should require that:
A. a backup server be available to run ETCS operations with up-to-date data.
B. a backup server be loaded with all the relevant software and data.
C. the systems staff of the organization be trained to handle any event.
D. source code of the ETCS application be placed in escrow.

146. Which of the following is a dynamic analysis tool for the purpose of testing software
modules?
A. Black box test
B. Desk checking
C. Structured walk-through
D. Design and code

147. The impact of EDI on internal controls will be:
A. that fewer opportunities for review and authorization will exist.
B. an inherent authentication.
C. a proper distribution of EDI transactions while in the possession of third parties.
D. that IPF management will have increased responsibilities over data center controls.

148. Which of the following tasks occurs during the research stage of the benchmarking
process?
A. Critical processes are identified.
B. Benchmarking partners are visited.
C. Findings are translated into core principles.
D. Benchmarking partners are identified.

149. Which of the following would be a risk specifically associated with the agile
development process?
A. Lack of documentation
B. Lack of testing
C. Poor requirements definition
D. Poor project management practices

150. An IS auditor evaluating data integrity in a transaction-driven system environment
should review atomicity to determine whether:
A. the database survives failures (hardware or software).
B. each transaction is separated from other transactions.
C. integrity conditions are maintained.
D. a transaction is completed or a database is updated.
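
Question 150 asks what atomicity means in a transaction-driven system. The Python below is an added illustration, not part of the mock test or its answer key. It runs a two-step funds transfer against a constructed in-memory SQLite ledger twice: once as two autocommitted statements, where a failure of the second step leaves the first step's credit in place, and once inside a single transaction, where the same failure rolls both steps back. The table, account names and amounts are assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed ledger: two accounts and a CHECK that forbids overdrafts."""
    # isolation_level=None means statements autocommit unless we BEGIN ourselves.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(
        "CREATE TABLE accounts (id TEXT PRIMARY KEY, "
        "balance INTEGER CHECK (balance >= 0))")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("A", 100), ("B", 0)])
    return conn


def transfer_non_atomic(conn, src, dst, amount):
    """Two separately committed statements: if the debit fails, the credit stays."""
    conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
    try:
        conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
    except sqlite3.IntegrityError:      # CHECK (balance >= 0) rejected the debit
        return False
    return True


def transfer_atomic(conn, src, dst, amount):
    """Both statements in one transaction: either both apply or neither does."""
    try:
        conn.execute("BEGIN")
        conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
        conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
        conn.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:
        conn.execute("ROLLBACK")        # undo the credit as well as the failed debit
        return False


def balances(conn):
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


def demo():
    """A cannot cover 500, so the debit step fails in both transfer styles."""
    c1 = make_db()
    ok1 = transfer_non_atomic(c1, "A", "B", 500)   # money appears in B from nowhere
    c2 = make_db()
    ok2 = transfer_atomic(c2, "A", "B", 500)       # ledger unchanged
    c3 = make_db()
    ok3 = transfer_atomic(c3, "A", "B", 60)        # a transfer that can succeed
    return {
        "non_atomic": (ok1, balances(c1)),
        "atomic_fail": (ok2, balances(c2)),
        "atomic_ok": (ok3, balances(c3)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The non-atomic variant is the integrity failure an auditor is looking for: the database is consistent statement by statement, yet the business transaction is half applied. Durability (option A), isolation (option B) and consistency constraints (option C) are separate properties; the CHECK constraint here is a consistency rule, and it is the transaction boundary, not the constraint, that makes the transfer all-or-nothing.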

Now evaluate your score – Find Answers at

http://datainfosec.blogspot.in/2016/04/answer-to-cisa-mock-test-1.html
