Mock Test-Paper No.1-CISA course
(Ref:QB9F50/QB10F50/QB11F50/QB13.130-179)
1. In an audit of an inventory application, which approach would provide the BEST evidence that purchase orders are valid?
A. Testing whether inappropriate personnel can change application parameters B. Tracing purchase orders to a computer listing C. Comparing receiving reports to purchase order details D. Reviewing the application documentation
The correct answer is: A. Testing whether inappropriate personnel can change application parameters Explanation: To determine purchase order validity, testing access controls will provide the best evidence. Choices B and C are based on after-the-fact approaches, and choice D does not serve the purpose because what is in the system documentation may not be the same as what is happening.
2. The extent to which data will be collected during an IS audit should be determined based on the:
A. availability of critical and required information. B. auditor's familiarity with the circumstances. C. auditee's ability to find relevant evidence. D. purpose and scope of the audit being done.
The correct answer is: D. purpose and scope of the audit being done. Explanation: The extent to which data will be collected during an IS audit should be related directly to the scope and purpose of the audit. An audit with a narrow purpose and scope would most likely result in less data collection than an audit with a wider purpose and scope. The scope of an IS audit should not be constrained by the ease of obtaining the information or by the auditor's familiarity with the area being audited. Collecting all the required evidence is a required element of an IS audit, and the scope of the audit should not be limited by the auditee's ability to find relevant evidence.
3. The responsibility, authority and accountability of the IS audit function is appropriately documented in an audit charter and MUST be:
A. approved by the highest level of management. B. approved by audit department management. C. approved by user department management. D. changed every year before commencement of IS audits.
The correct answer is: A. approved by the highest level of management.
Explanation: The ISACA IS Auditing Standard S1 Audit Charter in section 03 on responsibility, authority and accountability states, "The responsibility, authority and accountability of the information systems audit function are to be appropriately documented in an audit charter or engagement letter." Choices B and C are incorrect because the audit charter should be approved by the highest level of management, not merely by the IS audit department or the user department. The resulting planning methodologies should be reviewed and approved by senior management and by the audit committee. Choice D is incorrect because the audit charter, once established, is not routinely revised and should be changed only if the change can be, and is, thoroughly justified.
4. A key element in a risk analysis is:
A. audit planning. B. controls. C. vulnerabilities. D. liabilities.
The correct answer is: C. vulnerabilities. Explanation: Vulnerabilities are a key element in the conduct of a risk analysis. Audit planning consists of short- and long-term processes that may detect threats to the information assets. Controls mitigate risks associated with specific threats. Liabilities are part of business and are not inherently a risk.
5. An IS auditor discovers evidence of fraud perpetrated with a manager's user id. The manager had written the password, allocated by the system administrator, inside his/her desk drawer. The IS auditor should conclude that the:
A. manager's assistant perpetrated the fraud. B. perpetrator cannot be established beyond doubt. C. fraud must have been perpetrated by the manager. D. system administrator perpetrated the fraud.
The correct answer is: B. perpetrator cannot be established beyond doubt. Explanation: The password control weakness means that any of the other three options could be true. Password security would normally identify the perpetrator; in this case it does not establish guilt beyond doubt.
6. During a review of a customer master file, an IS auditor discovered numerous customer name duplications arising from variations in customer first names. To determine the extent of the duplication, the IS auditor would use:
A. test data to validate data input. B. test data to determine system sort capabilities. C. generalized audit software to search for address field duplications. D. generalized audit software to search for account field duplications.
The correct answer is: C. generalized audit software to search for address field duplications. Explanation: Since the name is not the same (due to name variations), one method to detect duplications would be to compare other common fields, such as addresses. Subsequent review to determine common customer names at these addresses could then be conducted. Searching for duplicate account numbers would not likely find duplications, since customers would most likely have different account numbers for each variation. Test data would not be useful to detect the extent of any data characteristic, but simply to determine how the data were processed.
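The address-field search described in the explanation, worked through as an added example (this code is not part of the mock paper or of any ISACA material). The customer records, the street-type abbreviation table and the normalization rules are all constructed assumptions; the point is that the same records which yield no duplicate account numbers (choice D) collapse into duplicate groups once the address is normalized (choice C), and the report lists the name variants for the follow-up review.

```python
"""GAS-style duplicate search on a customer master file: names vary, so the search
keys on a normalized address, then reports the name variants found at each address."""
import re
from collections import defaultdict

# Constructed sample records (not from the page). Each "customer" was keyed in
# several times with a different first-name spelling and a fresh account number.
CUSTOMER_MASTER = [
    {"account": "1001", "name": "Robert Smith", "address": "12 High St, Springfield"},
    {"account": "1002", "name": "Bob Smith", "address": "12 High Street, Springfield"},
    {"account": "1003", "name": "Rob Smith", "address": "12 high st., springfield"},
    {"account": "1004", "name": "Alice Jones", "address": "7 Oak Ave, Shelbyville"},
    {"account": "1005", "name": "Alicia Jones", "address": "7 Oak Avenue, Shelbyville"},
    {"account": "1006", "name": "Carol White", "address": "99 Elm Rd, Capital City"},
]

# Assumed abbreviation table; a real run would extend it for the data at hand.
STREET_TYPES = {"street": "st", "avenue": "ave", "road": "rd"}


def normalize_address(address):
    """Lower-case, drop punctuation, collapse whitespace and abbreviate street types,
    so that spelling variants of one address compare equal."""
    cleaned = re.sub(r"[^\w\s]", " ", address.lower())
    tokens = [STREET_TYPES.get(t, t) for t in cleaned.split()]
    return " ".join(tokens)


def duplicates_by_field(records, key_func):
    """Group records by key_func(record); keep only groups with more than one record."""
    groups = defaultdict(list)
    for rec in records:
        groups[key_func(rec)].append(rec)
    return {k: v for k, v in groups.items() if len(v) > 1}


def address_duplicates(records):
    """Choice C: search for duplicate addresses (after normalization)."""
    return duplicates_by_field(records, lambda r: normalize_address(r["address"]))


def account_duplicates(records):
    """Choice D: search for duplicate account numbers. Finds nothing here, because each
    name variant was set up under its own account number."""
    return duplicates_by_field(records, lambda r: r["account"])


def duplicate_report(records):
    """For each suspect address, list the surname(s), the name variants and the accounts,
    which is the follow-up review the explanation describes."""
    report = []
    for addr, recs in sorted(address_duplicates(records).items()):
        report.append({
            "address": addr,
            "surnames": sorted({r["name"].split()[-1] for r in recs}),
            "names": sorted(r["name"] for r in recs),
            "accounts": sorted(r["account"] for r in recs),
        })
    return report


if __name__ == "__main__":
    for row in duplicate_report(CUSTOMER_MASTER):
        print(row)
    print("account-number duplicates:", len(account_duplicates(CUSTOMER_MASTER)))
```

Normalization is the whole trick: without it the three spellings of the Springfield address are three distinct keys and the search degrades to the account-number search that the explanation rules out. On a real master file the auditor would also normalize postal codes and unit numbers, and would review each group manually before calling it a duplicate.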
7. The IS department of an organization wants to ensure that the computer files used in the information processing facility are adequately backed up to allow for proper recovery. This is a(n):
A. control procedure. B. control objective. C. corrective control. D. operational control.
The correct answer is: B. control objective. Explanation: IS control objectives specify the minimum set of controls to ensure efficiency and effectiveness in the operations and functions within an organization. Control procedures are developed to provide reasonable assurance that specific objectives will be achieved. A corrective control is a category of controls that aims to minimize the threat and/or remedy problems that were not prevented or were not initially detected. Operational controls address the day-to-day operational functions and activities, and aid in ensuring that the operations are meeting the desired business objectives.
8. During a security audit of IT processes, an IS auditor found that there were no documented security procedures. The IS auditor should:
A. create the procedures document. B. terminate the audit. C. conduct compliance testing. D. identify and evaluate existing practices.
The correct answer is: D. identify and evaluate existing practices.
Explanation: One of the main objectives of an audit is to identify potential risks; therefore, the most proactive approach would be to identify and evaluate the existing security practices being followed by the organization. IS auditors should not prepare documentation, and doing so could jeopardize their independence. Terminating the audit may prevent achieving one of the basic audit objectives, i.e., identification of potential risks. Since there are no documented procedures, there is no basis against which to test compliance.
9. When implementing continuous monitoring systems, an IS auditor's first step is to identify:
A. reasonable target thresholds. B. high-risk areas within the organization. C. the location and format of output files. D. applications that provide the highest potential payback.
The correct answer is: B. high-risk areas within the organization. Explanation: The first and most critical step in the process is to identify high-risk areas within the organization. Business department managers and senior executives are in the best positions to offer insight into these areas. Once potential areas of implementation have been identified, an assessment of potential impact should be completed to identify applications that provide the highest potential payback to the organization. At this point, tests and reasonable target thresholds should be determined prior to programming. During systems development, the location and format of the output files generated by the monitoring programs should be defined.
10. In an IS audit of several critical servers, the IS auditor wants to analyze audit trails to discover potential anomalies in user or system behavior. Which of the following tools is MOST suitable for performing that task?
A. CASE tools B. Embedded data collection tools C. Heuristic scanning tools D. Trend/variance detection tools
The correct answer is: D. Trend/variance detection tools Explanation: Trend/variance detection tools look for anomalies in user or system behavior, for example, determining whether the numbers for prenumbered documents are sequential or increasing. CASE tools are used to assist software development. Embedded (audit) data collection software is used for sampling and to provide production statistics. Heuristic scanning tools can be used to scan for viruses to indicate possible infected code.
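The two kinds of check a trend/variance tool performs, as an added example rather than anything from the mock paper: the sequence test on prenumbered documents that the explanation mentions (gaps, reused numbers, numbers arriving after a higher one), and a variance test that compares each user's activity in the trail with an assumed baseline. The audit-trail records, the baseline figures and the threefold threshold are constructed for the demonstration.

```python
"""Trend/variance detection over an audit trail: sequence checks on prenumbered
documents, and per-user activity compared with a baseline to flag behavioural outliers."""
from collections import Counter

# Constructed audit-trail records, (document_number, user, action); not from the page.
# Seeded with one gap (1009), one duplicate (1007), one out-of-order entry (1004) and
# one user (dave) whose activity is far above his normal level.
AUDIT_TRAIL = [
    (1001, "alice", "LOGIN"), (1002, "bob", "LOGIN"), (1003, "alice", "UPDATE"),
    (1005, "carol", "LOGIN"), (1006, "bob", "UPDATE"), (1004, "dave", "LOGIN"),
    (1007, "dave", "DELETE"), (1007, "dave", "DELETE"), (1008, "dave", "DELETE"),
    (1010, "dave", "DELETE"), (1011, "dave", "DELETE"), (1012, "dave", "DELETE"),
    (1013, "dave", "DELETE"), (1014, "alice", "LOGOUT"),
]

# Assumed baseline: average number of audit-trail entries per user in earlier periods.
BASELINE_ACTIVITY = {"alice": 4, "bob": 3, "carol": 2, "dave": 2}


def sequence_anomalies(numbers):
    """Check a prenumbered sequence: report missing numbers, numbers used more than once
    and numbers that appear after a higher number (not sequential/increasing)."""
    seen, duplicates, out_of_order = set(), [], []
    previous = None
    for n in numbers:
        if n in seen:
            duplicates.append(n)
        seen.add(n)
        if previous is not None and n < previous:
            out_of_order.append(n)
        previous = n
    gaps = sorted(set(range(min(seen), max(seen) + 1)) - seen)
    return {"gaps": gaps, "duplicates": duplicates, "out_of_order": out_of_order}


def activity_variances(trail, baseline, factor=3.0):
    """Flag users whose entry count in this trail is at least `factor` times their
    baseline. Users with no baseline are reported with ratio None (new or unknown ids)."""
    counts = Counter(user for _, user, _ in trail)
    flagged = {}
    for user, count in counts.items():
        base = baseline.get(user, 0)
        if base == 0:
            flagged[user] = None
        elif count / base >= factor:
            flagged[user] = count / base
    return flagged


if __name__ == "__main__":
    print(sequence_anomalies([n for n, _, _ in AUDIT_TRAIL]))
    print(activity_variances(AUDIT_TRAIL, BASELINE_ACTIVITY))
```

Each flag is a lead, not a finding: a gap may be a voided form, and an out-of-order number may be a late-posted batch. The tool's job is to make the auditor look at the right records on the critical servers rather than at all of them.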
11. An IS auditor should use statistical sampling and not judgment (nonstatistical) sampling, when:
A. the probability of error must be objectively quantified. B. the auditor wishes to avoid sampling risk. C. generalized audit software is unavailable. D. the tolerable error rate cannot be determined.
The correct answer is: A. the probability of error must be objectively quantified. Explanation: Given an expected error rate and confidence level, statistical sampling is an objective method of sampling, which helps an IS auditor determine the sample size and quantify the probability of error (confidence coefficient). Choice B is incorrect because sampling risk is the risk of a sample not being representative of the population. This risk exists for both judgment and statistical samples. Choice C is incorrect because statistical sampling does not require the use of generalized audit software. Choice D is incorrect because the tolerable error rate must be predetermined for both judgment and statistical sampling.
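What "objectively quantified" looks like in practice, as an added example that is not part of the mock paper: attribute sampling where the confidence level, the expected error rate and the tolerable error rate together fix the sample size, and where the errors actually found are turned into an upper bound on the population error rate. The bound is the exact one-sided binomial (Clopper-Pearson) limit computed by bisection, so no sampling tables are needed; the 95%/2%/6% parameters are a constructed audit scenario.

```python
"""Attribute sampling in numbers: derive a sample size from the confidence level,
the expected error rate and the tolerable error rate, then bound the population error
rate from the errors actually found. Uses exact binomial bounds rather than tables."""
import math


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_error_limit(n, k, confidence):
    """One-sided upper bound on the population error rate after k errors in n items:
    the largest rate at which k or fewer errors would still occur with probability
    (1 - confidence). Found by bisection; the cdf falls as the rate rises."""
    alpha = 1 - confidence / 100
    lo, hi = k / n, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(k, n, mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi


def attribute_sample_size(confidence, expected_rate, tolerable_rate, max_n=10_000):
    """Smallest n such that, if the sample contains no more than the expected number of
    errors, the upper error limit stays within the tolerable rate."""
    if not 0 <= expected_rate < tolerable_rate < 1:
        raise ValueError("need 0 <= expected_rate < tolerable_rate < 1")
    for n in range(1, max_n + 1):
        expected_errors = math.ceil(expected_rate * n)
        if upper_error_limit(n, expected_errors, confidence) <= tolerable_rate:
            return n
    raise ValueError(f"no sample size up to {max_n} meets the criteria")


def evaluate_sample(confidence, sample_size, errors_found, tolerable_rate):
    """Quantify the result: sample error rate, its upper limit at the stated confidence,
    and whether the population can be accepted (upper limit within the tolerable rate)."""
    upper = upper_error_limit(sample_size, errors_found, confidence)
    return {
        "sample_rate": errors_found / sample_size,
        "upper_limit": upper,
        "acceptable": upper <= tolerable_rate,
    }


if __name__ == "__main__":
    # Constructed audit parameters: 95% confidence, 2% expected, 6% tolerable error rate.
    n = attribute_sample_size(95, 0.02, 0.06)
    print("sample size:", n)                 # 127
    print(evaluate_sample(95, n, 3, 0.06))   # acceptable: True
    print(evaluate_sample(95, n, 5, 0.06))   # acceptable: False
```

The judgment sampler can also look at 127 items, but cannot say afterwards that the population error rate is below 6% with 95% confidence; this computation is what lets the statistical sampler say it, and it is also why sampling risk (choice B) is not eliminated: the 5% is exactly the risk that remains.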
12. When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:
A. controls needed to mitigate risks are in place. B. vulnerabilities and threats are identified. C. audit risks are considered. D. a gap analysis is appropriate.
The correct answer is: B. vulnerabilities and threats are identified. Explanation: In developing a risk-based audit strategy, it is critical that the risks and vulnerabilities be understood. This will determine the areas to be audited and the extent of coverage. Understanding whether appropriate controls required to mitigate risks are in place is a resultant effect of an audit. Audit risks are inherent aspects of auditing, are directly related to the audit process and are not relevant to the risk analysis of the environment to be audited. Gap analysis would normally be done to compare the actual state to an expected or desirable state.
13. The vice president of human resources has requested an audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation?
A. Test data B. Generalized audit software C. Integrated test facility D. Embedded audit module
The correct answer is: B. Generalized audit software
Explanation: Generalized audit software features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations. The IS auditor, using generalized audit software, could design appropriate tests to recompute the payroll and, thereby, determine if there were overpayments and to whom they were made. Test data would test for the existence of controls that might prevent overpayments, but it would not detect specific, previous miscalculations. Neither an integrated test facility nor an embedded audit module would detect errors for a previous period.
14. Which of the following would be the BEST population to take a sample from when testing program changes?
A. Test library listings B. Source program listings C. Program change requests D. Production library listings
The correct answer is: D. Production library listings Explanation: The best source from which to draw any sample or test of system information is the automated system. The production libraries represent executables that are approved and authorized to process organizational data. Source program listings would be time intensive. Program change requests are the documents used to initiate change; there is no guarantee that the request has been completed for all changes. Test library listings do not represent the approved and authorized executables.
15. Which of the following normally would be the MOST reliable evidence for an auditor?
A. A confirmation letter received from a third party verifying an account balance B. Assurance from line management that an application is working as designed C. Trend data obtained from World Wide Web (Internet) sources D. Ratio analysis developed by the IS auditor from reports supplied by line management
The correct answer is: A. A confirmation letter received from a third party verifying an account balance Explanation: Evidence obtained from independent third parties almost always is considered to be the most reliable. Choices B, C and D would not be considered as reliable.
16. During a review of the controls over the process of defining IT service levels, an IS auditor would MOST likely interview the:
A. systems programmer. B. legal staff. C. business unit manager. D. application programmer.
The correct answer is: C. business unit manager. Explanation: Understanding the business requirements is key in defining the service levels. While each of the other entities listed may provide some definition, the best choice here is the business unit manager because of this person's knowledge of the requirements of the organization.
17. In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, an IS auditor should:
A. identify and assess the risk assessment process used by management. B. identify information assets and the underlying systems. C. disclose the threats and impacts to management. D. identify and evaluate the existing controls.
The correct answer is: D. identify and evaluate the existing controls. Explanation: It is important for an IS auditor to identify and evaluate the existing controls and security once the potential threats and possible impacts are identified. Upon completion of an audit an IS auditor should describe and discuss with management the threats and potential impacts on the assets.
18. A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it:
A. can identify high-risk areas that might need a detailed review later. B. allows IS auditors to independently assess risk. C. can be used as a replacement for traditional audits. D. allows management to relinquish responsibility for control.
The correct answer is: A. can identify high-risk areas that might need a detailed review later. Explanation: CSA is predicated on the review of high-risk areas that either need immediate attention or a more thorough review at a later date. Answer B is incorrect, because CSA requires the involvement of auditors and line management. What occurs is that the internal audit function shifts some of the control monitoring responsibilities to the functional areas. Answer C is incorrect because CSA is not a replacement for traditional audits. CSA is not intended to replace audit's responsibilities, but to enhance them. Answer D is incorrect, because CSA does not allow management to relinquish its responsibility for control.
19. Senior management has requested that an IS auditor assist the departmental management in the implementation of necessary controls. The IS auditor should:
A. refuse the assignment since it is not the role of the IS auditor. B. inform management of his/her inability to conduct future audits. C. perform the assignment and future audits with due professional care. D. obtain the approval of user management to perform the implementation and follow-up.
The correct answer is: B. inform management of his/her inability to conduct future audits. Explanation: In this situation the IS auditor should inform management of the impairment of independence in conducting further audits in the auditee area. An IS auditor can perform nonaudit assignments where the IS auditor's expertise can be of use to management; however, by performing the nonaudit assignment, the IS auditor cannot conduct the future audits of the auditee as his/her independence may be compromised. The independence of the IS auditor is not impaired by suggesting or recommending controls to the auditee after the audit.
20. Which of the following is the MOST likely reason why e-mail systems have become a useful source of evidence for litigation?
A. Multiple cycles of backup files remain available. B. Access controls establish accountability for e-mail activity. C. Data classification regulates what information should be communicated via e-mail. D. Within the enterprise, a clear policy for using e-mail ensures that evidence is available.
The correct answer is: A. Multiple cycles of backup files remain available. Explanation: Documents that supposedly have been deleted can be recovered from backup files. Access controls may help establish accountability for the issuance of a particular document, but this does not provide evidence of the e-mail. Data classification standards may be in place with regards to what should be communicated via e-mail, but the creation of the policy does not provide the information required for litigation purposes.
21. Which of the following is a benefit of a risk-based approach to audit planning? Audit:
A. scheduling may be performed months in advance. B. budgets are more likely to be met by the IS audit staff. C. staff will be exposed to a variety of technologies. D. resources are allocated to the areas of highest concern.
The correct answer is: D. resources are allocated to the areas of highest concern. Explanation: The risk-based approach is designed to ensure audit time is spent on the areas of highest risk. The development of an audit schedule is not addressed by a risk-based approach. Audit schedules may be prepared months in advance using various scheduling methods. A risk approach does not have a direct correlation to the audit staff meeting time budgets on a particular audit, nor does it necessarily mean a wider variety of audits will be performed in a given year.
22. An audit charter should:
A. be dynamic and change often to coincide with the changing nature of technology and the audit profession. B. clearly state audit objectives for and the delegation of authority to the maintenance and review of internal controls. C. document the audit procedures designed to achieve the planned audit objectives. D. outline the overall authority, scope and responsibilities of the audit function.
The correct answer is: D. outline the overall authority, scope and responsibilities of the audit function. Explanation: An audit charter should state management's objectives for and delegation of authority to IS audit. This charter should not significantly change over time and should be approved at the highest level of management. An audit charter would not be at a detailed level and, therefore, would not include specific audit objectives or procedures.
23. An IS auditor is evaluating a corporate network for a possible penetration by employees. Which of the following findings should give the IS auditor the GREATEST concern?
A. There are a number of external modems connected to the network. B. Users can install software on their desktops. C. Network monitoring is very limited. D. Many user ids have identical passwords.
The correct answer is: D. Many user ids have identical passwords. Explanation: Exploitation of a known user id and password requires minimum technical knowledge and exposes the network resources to exploitation. The technical barrier is low and the impact can be very high; therefore, the fact that many user ids have identical passwords represents the greatest threat. External modems represent a security risk, but exploitation still depends on the use of a valid user account. While the impact of users installing software on their desktops can be high (for example, due to the installation of Trojans or key-logging programs), the likelihood is not high due to the level of technical knowledge required to successfully penetrate the network. Although network monitoring can be a useful detective control, it will only detect abuse of user accounts in special circumstances and is, therefore, not a first line of defense.
24. While planning an audit, an assessment of risk should be made to provide:
A. reasonable assurance that the audit will cover material items. B. definite assurance that material items will be covered during the audit work. C. reasonable assurance that all items will be covered by the audit. D. sufficient assurance that all items will be covered during the audit work.
The correct answer is: A. reasonable assurance that the audit will cover material items. Explanation: The ISACA IS Auditing Guideline G15 on planning the IS audit states, "An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work. This assessment should identify areas with a relatively high risk of the existence of material problems." Definite assurance that material items will be covered during the audit work is an impractical proposition. Reasonable assurance that all items will be covered during the audit work is not the correct answer, as material items need to be covered, not all items.
25. To identify the value of inventory that has been kept for more than eight weeks, an IS auditor would MOST likely use:
A. test data. B. statistical sampling. C. an integrated test facility. D. generalized audit software.
The correct answer is: D. generalized audit software. Explanation: Generalized audit software will facilitate reviewing the entire inventory file to look for those items that meet the selection criteria. Generalized audit software provides direct access to data and provides for features of computation, stratification, etc. Test data are used to verify programs, but will not confirm anything about the transactions in question. The use of statistical sampling methods is not intended to select specific conditions, but is intended to select samples from a file on a random basis. In this case, the IS auditor would want to check all of the items that meet the criteria and not just a sample of them. An integrated test facility allows the IS auditor to test transactions through the production system.
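The two generalized-audit-software uses from questions 13 and 25 carried out on whole files, as an added example that is not part of the mock paper: an independent recomputation of a payroll register to list who was overpaid and by how much, and a selection of inventory held for more than eight weeks with its value totalled. The payroll register, the pay rule (40 regular hours, overtime at 1.5 times the rate), the inventory file and the as-of date are all constructed assumptions.

```python
"""Two generalized-audit-software tests on full files rather than samples: recompute a
payroll register to find overpayments (question 13) and select inventory held for more
than eight weeks and total its value (question 25)."""
from datetime import date

# Constructed payroll register (not from the page). Assumed pay rule: first 40 hours at
# the hourly rate, hours above 40 at 1.5 times the rate. `paid` is what the system paid.
PAYROLL = [
    {"emp": "E001", "hours": 40, "rate": 25.00, "paid": 1000.00},
    {"emp": "E002", "hours": 45, "rate": 20.00, "paid": 950.00},
    {"emp": "E003", "hours": 38, "rate": 30.00, "paid": 1340.00},
    {"emp": "E004", "hours": 50, "rate": 16.00, "paid": 880.00},
    {"emp": "E005", "hours": 42, "rate": 22.00, "paid": 1046.00},
]

# Constructed inventory file (not from the page) and the as-of date for the ageing test.
AS_OF = date(2024, 3, 31)
INVENTORY = [
    {"sku": "A100", "received": date(2024, 3, 20), "qty": 10, "unit_cost": 5.00},
    {"sku": "B200", "received": date(2024, 1, 15), "qty": 4, "unit_cost": 100.00},
    {"sku": "C300", "received": date(2024, 2, 4), "qty": 20, "unit_cost": 2.50},
    {"sku": "D400", "received": date(2023, 12, 1), "qty": 3, "unit_cost": 250.00},
]

OVERTIME_THRESHOLD = 40
OVERTIME_MULTIPLIER = 1.5


def expected_gross(hours, rate):
    """Independent recomputation of gross pay under the assumed pay rule."""
    regular = min(hours, OVERTIME_THRESHOLD) * rate
    overtime = max(hours - OVERTIME_THRESHOLD, 0) * rate * OVERTIME_MULTIPLIER
    return round(regular + overtime, 2)


def payroll_overpayments(register):
    """Recompute every line and return (employee, amount overpaid) for each line where
    the amount paid exceeds the recomputed figure."""
    return [
        (row["emp"], round(row["paid"] - expected_gross(row["hours"], row["rate"]), 2))
        for row in register
        if row["paid"] > expected_gross(row["hours"], row["rate"])
    ]


def aged_inventory(items, as_of, weeks=8):
    """Select items held for MORE than `weeks` weeks; an item at exactly 56 days is not
    selected, so the boundary is tested deliberately (C300 above sits on it)."""
    limit_days = weeks * 7
    return [item for item in items if (as_of - item["received"]).days > limit_days]


def aged_inventory_value(items, as_of, weeks=8):
    """Total carrying value of the selected items."""
    return round(sum(i["qty"] * i["unit_cost"] for i in aged_inventory(items, as_of, weeks)), 2)


if __name__ == "__main__":
    print(payroll_overpayments(PAYROLL))                    # [('E003', 200.0), ('E005', 100.0)]
    print([i["sku"] for i in aged_inventory(INVENTORY, AS_OF)])  # ['B200', 'D400']
    print(aged_inventory_value(INVENTORY, AS_OF))           # 1150.0
```

Both tests read every record, which is why the explanations prefer this to test data (which exercises the program, not last year's transactions) and to statistical sampling (which would miss specific aged items). The recomputation is only as good as the pay rule it assumes, so the auditor confirms the rule against the payroll policy before relying on the exceptions list.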
26. An integrated test facility is considered a useful audit tool because it:
A. is a cost-efficient approach to auditing application controls. B. enables the financial and IS auditors to integrate their audit tests. C. compares processing output with independently calculated data. D. provides the IS auditor with a tool to analyze a large range of information.
The correct answer is: C. compares processing output with independently calculated data. Explanation: An integrated test facility is considered a useful audit tool because it uses the same programs to compare processing using independently calculated data. This involves setting up dummy entities on an application system and processing test or production data against the entity as a means of verifying processing accuracy.
27. The decisions and actions of an IS auditor are MOST likely to affect which of the following risks?
A. Inherent B. Detection C. Control D. Business
The correct answer is: B. Detection Explanation: Detection risks are directly affected by the auditor's selection of audit procedures and techniques. Inherent risks usually are not affected by the IS auditor. Control risks are controlled by the actions of the company's management. Business risks are not affected by the IS auditor.
28. Data flow diagrams are used by IS auditors to:
A. order data hierarchically. B. highlight high-level data definitions. C. graphically summarize data paths and storage. D. portray step-by-step details of data generation.
The correct answer is: C. graphically summarize data paths and storage. Explanation: Data flow diagrams are used as aids to graph or chart data flow and storage. They trace the data from its origination to destination, highlighting the paths and storage of data. They do not order data in any hierarchy. The flow of the data will not necessarily match any hierarchy or data generation order.
29. Reviewing management's long-term strategic plans helps the IS auditor:
A. gain an understanding of an organization's goals and objectives. B. test the enterprise's internal controls. C. assess the organization's reliance on information systems. D. determine the number of audit resources needed.
The correct answer is: A. gain an understanding of an organization's goals and objectives. Explanation: Strategic planning sets corporate or departmental objectives into motion. Strategic planning is time- and project-oriented, but must also address and help determine priorities to meet business needs. Reviewing long-term strategic plans would not achieve the objectives expressed by the other choices.
30. When evaluating the collective effect of preventive, detective or corrective controls within a process, an IS auditor should be aware:
A. of the point at which controls are exercised as data flow through the system. B. that only preventive and detective controls are relevant. C. that corrective controls can only be regarded as compensating. D. that classification allows an IS auditor to determine which controls are missing.
The correct answer is: A. of the point at which controls are exercised as data flow through the system. Explanation: An IS auditor should focus on when controls are exercised as data flow through a computer system. Choice B is incorrect since corrective controls may also be relevant. Choice C is incorrect since corrective controls remove or reduce the effects of errors or irregularities and are not exclusively regarded as compensating controls. Choice D is incorrect and irrelevant since the existence and function of controls is important, not the classification.
31. The risk of an IS auditor using an inadequate test procedure and concluding that material errors do not exist when, in fact, they do is an example of:
A. inherent risk. B. control risk. C. detection risk. D. audit risk.
The correct answer is: C. detection risk. Explanation: Detection risk is the risk that the auditor's own procedures fail to detect a material error that exists; using an inadequate test procedure is a direct cause of it. Inherent risk is the susceptibility of the area to material error before any controls are considered, and control risk is the risk that the internal controls fail to prevent or detect the error; neither depends on the auditor's procedures. Audit risk is the overall risk of reaching an inappropriate audit conclusion and combines all three.
32. The PRIMARY purpose of an audit charter is to:
A. document the audit process used by the enterprise. B. formally document the audit department's plan of action. C. document a code of professional conduct for the auditor. D. describe the authority and responsibilities of the audit department.
The correct answer is: D. describe the authority and responsibilities of the audit department. Explanation: The audit charter typically sets out the role and responsibility of the internal audit department. It should state management's objectives for and delegation of authority to the audit department. It is rarely changed and does not contain the audit plan or audit process, which is usually part of annual audit planning, nor does it describe a code of professional conduct, since such conduct is set by the profession and not by management.
33. An IS auditor has evaluated the controls for the integrity of the data in a financial application. Which of the following findings would be the MOST significant?
A. The application owner was unaware of several changes applied to the application by the IT department.
B. The application data are backed up only once a week.
C. The application development documentation is incomplete.
D. Information processing facilities are not protected by appropriate fire detection systems.
The correct answer is:
A. The application owner was unaware of several changes applied to the application by the IT department.
Explanation:
Choice A is the most significant finding as it directly affects the integrity of the application's data and is evidence of an inadequate change control process and incorrect access rights to the processing environment. Although backing up the application data only once a week is a finding, it does not affect the integrity of the data in the system. Incomplete application development documentation does not affect integrity of the data. The lack of appropriate fire detection systems does not affect the integrity of the data but may affect the storage of the data.
...............................................................................................................................
34. Overall business risk for a particular threat can be expressed as:
A. a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability.
B. the magnitude of the impact should a threat source successfully exploit the vulnerability.
C. the likelihood of a given threat source exploiting a given vulnerability.
D. the collective judgment of the risk assessment team.
The correct answer is:
A. a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability.
Explanation:
Choice A takes into consideration the likelihood and magnitude of the impact and provides the best measure of the risk to an asset. Choice B provides only the likelihood of a threat exploiting a vulnerability in the asset but does not provide the magnitude of the possible damage to the asset. Similarly, choice C considers only the magnitude of the damage and not the possibility of a threat exploiting a vulnerability. Choice D defines the risk on an arbitrary basis and is not suitable for a scientific risk management process.
...............................................................................................................................
35. Which one of the following could an IS auditor use to validate the effectiveness of edit and validation routines?
A. Domain integrity test
B. Relational integrity test
C. Referential integrity test
D. Parity checks
The correct answer is:
A. Domain integrity test
Explanation:
Domain integrity testing is aimed at verifying that the data conform to definitions, i.e., the data items are all in the correct domains. The major objective of this exercise is to verify that the edit and validation routines are working satisfactorily. Relational integrity tests are performed at the record level and usually involve calculating and verifying various calculated fields, such as control totals. Referential integrity tests involve ensuring that all references to a primary key from another file actually exist in their original file. A parity check is a bit added to each character prior to transmission. The parity bit is a function of the bits making up the character. The recipient performs the same function on the received character and compares the result to the transmitted parity bit. If it is different, an error is assumed.
...............................................................................................................................
36. An IS auditor reviews an organizational chart PRIMARILY for:
A. an understanding of workflows.
B. investigating various communication channels.
C. understanding the responsibilities and authority of individuals.
D. investigating the network connected to different employees.
The correct answer is:
C. understanding the responsibilities and authority of individuals.
Explanation:
An organizational chart provides information about the responsibilities and authority of individuals in the organization. This helps the IS auditor to know if there is a proper segregation of functions. A workflow chart would provide information about the roles of different employees. A network diagram will provide information about the usage of various communication channels and will indicate the connection of users to the network.
...............................................................................................................................
37. An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should FIRST review:
A. the controls already in place.
B. the effectiveness of the controls in place.
C. the mechanism for monitoring the risks related to the assets.
D. the threats/vulnerabilities affecting the assets.
The correct answer is:
D. the threats/vulnerabilities affecting the assets.
Explanation:
One of the key factors to be considered while assessing the risks related to the use of various information systems is the threats and vulnerabilities affecting the assets. The risks related to the use of information assets should be evaluated in isolation from the installed controls. Similarly, the effectiveness of the controls should be considered during the risk mitigation stage and not during the risk assessment phase. A mechanism to continuously monitor the risks related to assets should be put in place during the risk monitoring function that follows the risk assessment phase.
...............................................................................................................................
38. Which of the following is an objective of a control self-assessment (CSA) program?
A. Concentration on areas of high risk
B. Replacement of audit responsibilities
C. Completion of control questionnaires
D. Collaborative facilitative workshops
The correct answer is:
A. Concentration on areas of high risk
Explanation:
The objectives of CSA programs include education for line management in control responsibility and monitoring and concentration by all on areas of high risk. The objectives of CSA programs include the enhancement of audit responsibilities, not replacement of audit responsibilities. Choices C and D are tools of CSA, not objectives.
...............................................................................................................................
39. Which of the following steps would an IS auditor normally perform FIRST in a data center security review?
A. Evaluate physical access test results.
B. Determine the risks/threats to the data center site.
C. Review business continuity procedures.
D. Test for evidence of physical access at suspect locations.
The correct answer is:
B. Determine the risks/threats to the data center site.
Explanation:
During planning, the IS auditor should get an overview of the functions being audited and evaluate the audit and business risks. Choices A and D are part of the audit fieldwork process that occurs subsequent to this planning and preparation. Choice C is not part of a security review.
...............................................................................................................................
40. The traditional role of an IS auditor in a control self-assessment (CSA) should be that of:
A. facilitator.
B. manager.
C. partner.
D. stakeholder.
The correct answer is:
A. facilitator.
Explanation:
When CSA programs are established, IS auditors become internal control professionals and assessment facilitators. IS auditors are the facilitators and the client (management and staff) is the participant in the CSA process. During a CSA workshop, instead of the IS auditor performing detailed audit procedures, they should lead and guide the clients in assessing their environment. Choices B, C and D should not be roles of the IS auditor. These roles are more appropriate for the client.
...............................................................................................................................
41. The use of statistical sampling procedures helps minimize:
A. sampling risk.
B. detection risk.
C. inherent risk.
D. control risk.
The correct answer is:
B. detection risk.
Explanation:
Detection risk is the risk that the IS auditor uses an inadequate test procedure and concludes that material errors do not exist, when in fact they do. Using statistical sampling, an IS auditor can quantify how closely the sample should represent the population and quantify the probability of error. Sampling risk is the risk that incorrect assumptions will be made about the characteristics of a population from which a sample is selected. Assuming there are no related compensating controls, inherent risk is the risk that an error exists, which could be material or significant when combined with other errors found during the audit. Statistical sampling will not minimize this. Control risk is the risk that a material error exists, which will not be prevented or detected on a timely basis by the system of internal controls. This cannot be minimized using statistical sampling.
...............................................................................................................................
42. An IS auditor evaluates the test results of a modification to a system that deals with payment computation. The auditor finds that 50 percent of the calculations do not match predetermined totals. Which of the following would MOST likely be the next step in the audit?
A. Design further tests of the calculations that are in error.
B. Identify variables that may have caused the test results to be inaccurate.
C. Examine some of the test cases to confirm the results.
D. Document the results and prepare a report of findings, conclusions and recommendations.
The correct answer is:
C. Examine some of the test cases to confirm the results.
Explanation:
The IS auditor should next examine cases where incorrect calculations occurred and confirm the results. After the calculations have been confirmed, further tests can be conducted and reviewed. Report preparation, findings and recommendations would not be made until all results are confirmed.
...............................................................................................................................
43. An IS auditor is assigned to perform a postimplementation review of an application system. Which of the following situations may have impaired the independence of the IS auditor? The IS auditor:
A. implemented a specific control during the development of the application system.
B. designed an embedded audit module exclusively for auditing the application system.
C. participated as a member of the application system project team, but did not have operational responsibilities.
D. provided consulting advice concerning application system best practices.
The correct answer is:
A. implemented a specific control during the development of the application system.
Explanation:
Independence may be impaired if the IS auditor is, or has been, actively involved in the development, acquisition and implementation of the application system. Choices B and C are situations that do not impair the IS auditor's independence. Choice D is incorrect because the IS auditor's independence is not impaired by providing advice on known best practices.
...............................................................................................................................
44. The BEST method of proving the accuracy of a system tax calculation is by:
A. detailed visual review and analysis of the source code of the calculation programs.
B. recreating program logic using generalized audit software to calculate monthly totals.
C. preparing simulated transactions for processing and comparing the results to predetermined results.
D. automatic flowcharting and analysis of the source code of the calculation programs.
The correct answer is:
C. preparing simulated transactions for processing and comparing the results to predetermined results.
Explanation:
Preparing simulated transactions for processing and comparing the results to predetermined results is the best method for proving accuracy of a tax calculation. Detailed visual review, flowcharting and analysis of source code are not effective methods, and monthly totals would not address the accuracy of individual tax calculations.
...............................................................................................................................
45. Which of the following audit tools is MOST useful to an IS auditor when an audit trail is required?
A. Integrated test facility (ITF)
B. Continuous and intermittent simulation (CIS)
C. Audit hooks
D. Snapshots
The correct answer is:
D. Snapshots
Explanation:
A snapshot tool is most useful when an audit trail is required. ITF can be used to incorporate test transactions into a normal production run of a system. CIS is useful when transactions meeting certain criteria need to be examined. Audit hooks are useful when only select transactions or processes need to be examined.
...............................................................................................................................
46. The PRIMARY advantage of a continuous audit approach is that it:
A. does not require an IS auditor to collect evidence on system reliability while processing is taking place.
B. requires the IS auditor to review and follow up immediately on all information collected.
C. can improve system security when used in time-sharing environments that process a large number of transactions.
D. does not depend on the complexity of an organization's computer systems.
The correct answer is:
C. can improve system security when used in time-sharing environments that process a large number of transactions.
Explanation:
The use of continuous auditing techniques can improve system security when used in time-sharing environments that process a large number of transactions, but leave a scarce paper trail. Choice A is incorrect since the continuous audit approach often does require an IS auditor to collect evidence on system reliability while processing is taking place. Choice B is incorrect since an IS auditor normally would review and follow up only on material deficiencies or errors detected. Choice D is incorrect since the use of continuous audit techniques depends on the complexity of an organization's computer systems.
...............................................................................................................................
47. Which of the following sampling methods is MOST useful when testing for compliance?
A. Attribute sampling
B. Variable sampling
C. Stratified mean per unit
D. Difference estimation
The correct answer is:
A. Attribute sampling
Explanation:
Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. The other choices are used in substantive testing, which involves testing of details or quantity.
...............................................................................................................................
48. An IS auditor is reviewing access to an application to determine whether the 10 most recent "new user" forms were correctly authorized. This is an example of:
A. variable sampling.
B. substantive testing.
C. compliance testing.
D. stop-or-go sampling.
The correct answer is:
C. compliance testing.
Explanation:
Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized. Variable sampling is used to estimate numerical values, such as dollar values. Substantive testing substantiates the integrity of actual processing, such as balances on financial statements. The development of substantive tests is often dependent on the outcome of compliance tests. If compliance tests indicate that there are adequate internal controls, then substantive tests can be minimized. Stop-or-go sampling allows a test to be stopped as early as possible and is not appropriate for checking whether procedures have been followed.
...............................................................................................................................
49. The MAJOR advantage of the risk assessment approach over the baseline approach to information security management is that it ensures:
A. information assets are overprotected.
B. a basic level of protection is applied regardless of asset value.
C. appropriate levels of protection are applied to information assets.
D. an equal proportion of resources are devoted to protecting all information assets.
The correct answer is:
C. appropriate levels of protection are applied to information assets.
Explanation:
Full risk assessment determines the level of protection most appropriate to a given level of risk, while the baseline approach merely applies a standard set of protection regardless of risk. There is a cost advantage in not overprotecting information. However, an even bigger advantage is making sure that no information assets are over- or underprotected. The risk assessment approach will ensure an appropriate level of protection is applied, commensurate with the level of risk and asset value and, therefore, considering asset value. The baseline approach does not allow more resources to be directed toward the assets at greater risk, rather than equally directing resources to all assets.
...............................................................................................................................
50. In a risk-based audit approach, an IS auditor should FIRST complete a(n):
A. inherent risk assessment.
B. control risk assessment.
C. test of control assessment.
D. substantive test assessment.
The correct answer is:
A. inherent risk assessment.
Explanation:
The first step in a risk-based audit approach is to gather information about the business and industry to evaluate the inherent risks. After completing the assessment of the inherent risks, the next step is to complete an assessment of the internal control structure. The controls are then tested and, on the basis of the test results, substantive tests are carried out and assessed.
...............................................................................................................................
51. The development of an IS security policy is ultimately the responsibility of the:
A. IS department.
B. security committee.
C. security administrator.
D. board of directors.
The correct answer is:
D. board of directors.
Explanation:
Normally, the designing of an information systems security policy is the responsibility of top
management or the board of directors. The IS department is responsible for the execution of the
policy, having no authority in framing the policy. The security committee also functions within
the broad security policy framed by the board of directors. The security administrator is
responsible for implementing, monitoring and enforcing the security rules that management has
established and authorized.
..........................................................................................................
52. To minimize costs and improve service levels an outsourcer should seek which of the
following contract clauses?
A. O/S and hardware refresh frequencies
B. Gain-sharing performance bonuses
C. Penalties for noncompliance
D. Charges tied to variable cost metrics
The correct answer is:
B. Gain-sharing performance bonuses
Explanation:
Because the outsourcer will share a percentage of the achieved savings, gain-sharing
performance bonuses provide a financial incentive to go above and beyond the stated terms of
the contract and can lead to cost savings for the client. Refresh frequencies and penalties for
noncompliance would only encourage the outsourcer to meet minimum requirements. Similarly,
tying charges to variable cost metrics would not encourage the outsourcer to seek additional
efficiencies that might benefit the client.
..........................................................................................................
53. Involvement of senior management is MOST important in the development of:
A. strategic plans.
B. IS policies.
C. IS procedures.
D. standards and guidelines.
The correct answer is:
A. strategic plans.
Explanation:
Strategic plans provide the basis for ensuring that the enterprise meets its goals and objectives.
Involvement of senior management is critical to ensuring that the plan adequately addresses the
established goals and objectives. IS policies, procedures, standards and guidelines are all
structured to support the overall strategic plan.
..........................................................................................................
54. An IS auditor should be concerned when a telecommunication analyst:
A. monitors systems performance and tracks problems resulting from program changes.
B. reviews network load requirements in terms of current and future transaction volumes.
C. assesses the impact of the network load on terminal response times and network data
transfer rates.
D. recommends network balancing procedures and improvements.
The correct answer is:
A. monitors systems performance and tracks problems resulting from program changes.
Explanation:
The responsibilities of a telecommunications analyst include reviewing network load
requirements in terms of current and future transaction volumes (choice B), assessing the impact
of network load on terminal response times and network data transfer rates (choice C), and
recommending network balancing procedures and improvements (choice D). Monitoring systems
performance and tracking problems as a result of program changes (choice A) would put the
analyst in a self-monitoring role.
..........................................................................................................
55. The output of the risk management process is an input for making:
A. business plans.
B. audit charters.
C. security policy decisions.
D. software design decisions.
The correct answer is:
C. security policy decisions.
Explanation:
The risk management process is about making specific, security-related decisions, such as the
level of acceptable risk. Choices A, B and D are not ultimate goals of the risk management
process.
..........................................................................................................
56. The risks associated with electronic evidence gathering would MOST likely be reduced
by an e-mail:
A. destruction policy.
B. security policy.
C. archive policy.
D. audit policy.
The correct answer is:
C. archive policy.
Explanation:
With a policy of well-archived e-mail records, access to or retrieval of specific e-mail records is
possible without disclosing other confidential e-mail records. Security and/or audit policies
would not address the efficiency of record retrieval, and destroying e-mails may be an illegal act.
..........................................................................................................
57. An IT steering committee should review information systems PRIMARILY to assess:
A. whether IT processes support business requirements.
B. if proposed system functionality is adequate.
C. the stability of existing software.
D. the complexity of installed technology.
The correct answer is:
A. whether IT processes support business requirements.
Explanation:
The role of an IT steering committee is to ensure that the IS department is in harmony with the
organization's mission and objectives. To ensure this, the committee must determine whether IS
processes support the business requirements. Assessing proposed additional functionality and
evaluating software stability and the complexity of technology are too narrow in scope to ensure
that IT processes are, in fact, supporting the organization's goals.
..........................................................................................................
58. An IS auditor reviewing an organization's IT strategic plan should FIRST review:
A. the existing IT environment.
B. the business plan.
C. the present IT budget.
D. current technology trends.
The correct answer is:
B. the business plan.
Explanation:
The IT strategic plan exists to support the organization's business plan. To evaluate the IT
strategic plan, the IS auditor would first need to familiarize him/herself with the business plan.
..........................................................................................................
59. As an outcome of information security governance, strategic alignment provides:
A. security requirements driven by enterprise requirements.
B. baseline security following best practices.
C. institutionalized and commoditized solutions.
D. an understanding of risk exposure.
The correct answer is:
A. security requirements driven by enterprise requirements.
Explanation:
Information security governance, when properly implemented, should provide four basic
outcomes. They are strategic alignment, value delivery, risk management and performance
measurement. Strategic alignment provides input for security requirements driven by enterprise
requirements. Value delivery provides a standard set of security practices, i.e., baseline security
following best practices or institutionalized and commoditized solutions. Risk management
provides an understanding of risk exposure.
..........................................................................................................
60. A team conducting a risk analysis is having difficulty projecting the financial losses that
could result from a risk. To evaluate the potential losses, the team should:
A. compute the amortization of the related assets.
B. calculate a return on investment (ROI).
C. apply a qualitative approach.
D. spend the time needed to define exactly the loss amount.
The correct answer is:
C. apply a qualitative approach.
Explanation:
The common practice, when it is difficult to calculate the financial losses, is to take a qualitative
approach, in which the manager affected by the risk defines the financial loss in terms of a
weighted factor (e.g., one is a very low impact to the business and five is a very high impact). An
ROI is computed when there are predictable savings or revenues that can be compared to the
investment needed to realize the revenues. Amortization is used in a profit and loss statement,
not in computing potential losses. Spending the time needed to define exactly the total amount is
normally a wrong approach. If it has been difficult to estimate potential losses (e.g., losses
derived from erosion of public image due to a hack attack), that situation is not likely to change,
and at the end of the day, the result will be a poorly supported evaluation.
..........................................................................................................
61. The IT balanced scorecard is a business governance tool intended to monitor IT
performance evaluation indicators other than:
A. financial results.
B. customer satisfaction.
C. internal process efficiency.
D. innovation capacity.
The correct answer is:
A. financial results.
Explanation:
Financial results have traditionally been the sole overall performance metric. The IT balanced
scorecard (BSC) is an IT business governance tool aimed at monitoring IT performance
evaluation indicators other than financial results. The IT BSC considers other key success
factors, such as customer satisfaction, innovation capacity and processing.
..........................................................................................................
62. Establishing the level of acceptable risk is the responsibility of:
A. quality assurance management.
B. senior business management.
C. the chief information officer.
D. the chief security officer.
The correct answer is:
B. senior business management.
Explanation:
Senior management should establish the acceptable risk level, since they have the ultimate or
final responsibility for the effective and efficient operation of the organization. Choices A, C and
D should act as advisors to senior management in determining an acceptable risk level.
..........................................................................................................
63. Which of the following is the MOST critical for the successful implementation and
maintenance of a security policy?
A. Assimilation of the framework and intent of a written security policy by all appropriate
parties
B. Management support and approval for the implementation and maintenance of a
security policy
C. Enforcement of security rules by providing punitive actions for any violation of security
rules
D. Stringent implementation, monitoring and enforcing of rules by the security officer
through access control software
The correct answer is:
A. Assimilation of the framework and intent of a written security policy by all appropriate
parties
Explanation:
Assimilation of the framework and intent of a written security policy by the users of the system
is critical to the successful implementation and maintenance of the security policy. A good
password system may exist, but if the users of the system keep passwords written on their
desks, the password is of little value. Management support and commitment is no doubt
important, but for successful implementation and maintenance of security policy, educating the
users on the importance of security is paramount. The stringent implementation, monitoring and
enforcing of rules by the security officer through access control software, and provision for
punitive actions for violation of security rules are also required along with the user's education
on the importance of security.
..........................................................................................................
64. To ensure an organization is complying with privacy requirements, the IS auditor
should FIRST review:
A. the IT infrastructure.
B. the organization's policies, standards and procedures.
C. legal and regulatory requirements.
D. the adherence to organizational policies, standards and procedures.
The correct answer is:
C. legal and regulatory requirements.
Explanation:
To ensure that the organization is complying with privacy issues, an IS auditor should address
legal and regulatory requirements first. To comply with legal and regulatory requirements,
organizations need to adopt the appropriate infrastructure. After understanding the legal and
regulatory requirements, the IS auditor should evaluate organizational policies, standards and
procedures to determine whether they adequately address the privacy requirements, and then
review the adherence to these specific policies, standards and procedures.
..........................................................................................................
65. Which of the following controls would an IS auditor look for in an environment where
duties cannot be appropriately segregated?
A. Overlapping controls
B. Boundary controls
C. Access controls
D. Compensating controls
The correct answer is:
D. Compensating controls
Explanation:
Compensating controls are internal controls that are intended to reduce the risk of an existing or
potential control weakness that may arise when duties cannot be appropriately segregated.
Overlapping controls are two controls addressing the same control objective or exposure. Since
primary controls cannot be achieved when duties cannot or are not appropriately segregated, it is
difficult to install overlapping controls. Boundary controls establish the interface between the
would-be user of a computer system and the computer system itself, and are individual-based,
not role-based, controls. Access controls for resources are based on individuals and not on roles.
..........................................................................................................
66. Which of the following is the MOST important function to be performed by IS
management when a service has been outsourced?
A. Ensuring that invoices are paid to the provider
B. Participating in systems design with the provider
C. Renegotiating the provider's fees
D. Monitoring the outsourcing provider's performance
The correct answer is:
D. Monitoring the outsourcing provider's performance
Explanation:
In an outsourcing environment, the company is dependent on the performance of the service
provider. Therefore, it is critical the outsourcing provider's performance be monitored to ensure
that services are delivered to the company as required. Payment of invoices is a finance function,
which would be completed per contractual requirements. Participating in systems design is a
byproduct of monitoring the outsourcing provider's performance, while renegotiating fees is
usually a one-time activity.
..........................................................................................................
67. Before implementing an IT balanced scorecard, an organization must:
A. deliver effective and efficient services.
B. define key performance indicators.
C. provide business value to IT projects.
D. control IT expenses.
The correct answer is:
B. define key performance indicators.
Explanation:
A definition of key performance indicators is required before implementing an IT balanced
scorecard. Choices A, C and D are objectives.
..........................................................................................................
68. The MOST likely effect of the lack of senior management commitment to IT strategic
planning is:
A. a lack of investment in technology.
B. a lack of a methodology for systems development.
C. the technology not aligning with the organization's objectives.
D. an absence of control over technology contracts.
The correct answer is:
C. the technology not aligning with the organization's objectives.
Explanation:
A steering committee should exist to ensure that the IT strategies support the organization's
goals. The absence of an information technology committee or a committee not composed of
senior managers would be an indication of a lack of top-level management commitment. This
condition would increase the risk that IT would not be aligned with the organization's strategy.
..........................................................................................................
69. Which of the following would BEST provide assurance of the integrity of new staff?
A. Background screening
B. References
C. Bonding
D. Qualifications listed on a résumé
The correct answer is:
A. Background screening
Explanation:
A background screening is the primary method for assuring the integrity of a prospective staff
member. References are important and would need to be verified, but they are not as reliable as
background screening. Bonding is directed at due-diligence compliance, not at integrity, and
qualifications listed on a résumé may not be accurate.
..........................................................................................................
70. Which of the following is the GREATEST risk of an inadequate policy definition for
ownership of data and systems?
A. User management coordination does not exist.
B. Specific user accountability cannot be established.
C. Unauthorized users may have access to originate, modify or delete data.
D. Audit recommendations may not be implemented.
The correct answer is:
C. Unauthorized users may have access to originate, modify or delete data.
Explanation:
Without a policy defining who has the responsibility for granting access to specific systems,
there is an increased risk that someone could gain (or be given) system access without proper
authorization. By assigning the authority to grant access to specific users, there is a better chance
that business objectives will be properly supported.
..........................................................................................................
71. Effective IT governance will ensure that the IT plan is consistent with the
organization's:
A. business plan.
B. audit plan.
C. security plan.
D. investment plan.
The correct answer is:
A. business plan.
Explanation:
To govern IT effectively, IT and business should be moving in the same direction, requiring that
the IT plans are aligned with an organization's business plans. The audit and investment plans are
not part of the IT plan, and the security plan should be at a corporate level.
..........................................................................................................
72. Which of the following is a function of an IS steering committee?
A. Monitoring vendor-controlled change control and testing
B. Ensuring a separation of duties within the information processing environment
C. Approving and monitoring major projects, the status of IS plans and budgets
D. Liaising between the IS department and the end users
The correct answer is:
C. Approving and monitoring major projects, the status of IS plans and budgets
Explanation:
The IS steering committee typically serves as a general review board for major IS projects and
should not become involved in routine operations; therefore, one of its functions is to approve
and monitor major projects, the status of IS plans and budgets. Vendor change control is an
outsourcing issue and should be monitored by IS management. Ensuring a separation of duties
within the information processing environment is an IS management responsibility. Liaising
between the IS department and the end users is a function of the individual parties and not a
committee.
..........................................................................................................
73. A long-term IS employee with a strong technical background and broad managerial
experience has applied for a vacant position in the IS audit department. Determining
whether to hire this individual for this position should be based on the individual's
experience and:
A. the length of service since this will help ensure technical competence.
B. age as training in audit techniques may be impractical.
C. IS knowledge since this will bring enhanced credibility to the audit function.
D. ability, as an IS auditor, to be independent of existing IS relationships.
The correct answer is:
D. ability, as an IS auditor, to be independent of existing IS relationships.
Explanation:
Independence should be continually assessed by the auditor and management. This assessment
should consider such factors as changes in personal relationships, financial interests, and prior
job assignments and responsibilities. The fact that the employee has worked in IS for many years
may not in itself ensure credibility. The audit department's needs should be defined and any
candidate should be evaluated against those requirements. The length of service will not ensure
technical competency. Evaluating an individual's qualifications based on the age of the
individual is not a good criterion and is illegal in many parts of the world.
..........................................................................................................
74. Which of the following programs would a sound information security policy MOST
likely include to handle suspected intrusions?
A. Response
B. Correction
C. Detection
D. Monitoring
The correct answer is:
A. Response
Explanation:
A sound IS security policy will most likely outline a response program to handle suspected
intrusions. Correction, detection and monitoring programs are all aspects of information security,
but will not likely be included in an IS security policy statement.
..........................................................................................................
75. An organization has outsourced its software development. Which of the following is the
responsibility of the organization's IT management?
A. Paying for provider services
B. Participating in systems design with the provider
C. Managing compliance with the contract for the outsourced services
D. Negotiating contractual agreement with the provider
The correct answer is:
C. Managing compliance with the contract for the outsourced services
Explanation:
Actively managing compliance with the contract terms for the outsourced services is the
responsibility of IT management. Payment of invoices is a finance responsibility. Negotiation of
the contractual agreement would have already taken place and is usually a shared responsibility
of the legal department and other departments, such as IT.
..........................................................................................................
76. When reviewing IS strategies, the IS auditor can BEST assess whether IS strategy
supports the organization's business objectives by determining if IS:
A. has all the personnel and equipment it needs.
B. plans are consistent with management strategy.
C. uses its equipment and personnel efficiently and effectively.
D. has sufficient excess capacity to respond to changing directions.
The correct answer is:
B. plans are consistent with management strategy.
Explanation:
Determining if the IS plan is consistent with management strategy relates IS/IT planning to
business plans. Choices A, C and D are effective methods for determining the alignment of IS
plans with business objectives and the organization's strategies.
..........................................................................................................
77. Which of the following is the PRIMARY objective of an IT performance measurement
process?
A. Minimize errors.
B. Gather performance data.
C. Establish performance baselines.
D. Optimize performance.
The correct answer is:
D. Optimize performance.
Explanation:
An IT performance measurement process can be used to optimize performance, measure and
manage products/services, assure accountability, and make budget decisions. Minimizing errors
is an aspect of performance, but not the primary objective of performance management.
Gathering performance data is a phase of the IT measurement process and would be used to
evaluate the performance against previously established performance baselines.
..........................................................................................................
78. Which of the following is the initial step in creating a firewall policy?
A. A cost-benefit analysis of methods for securing the applications
B. Identification of network applications to be externally accessed
C. Identification of vulnerabilities associated with network applications to be externally
accessed
D. Creation of an applications traffic matrix showing protection methods
The correct answer is:
B. Identification of network applications to be externally accessed
Explanation:
The applications required across the network should be identified first. After
identification, depending on the physical location of these applications in the network and the
network model, the person in charge will be able to understand the need for and possible
methods of controlling access to these applications. Having identified the applications, the next
step is to identify the vulnerabilities (weaknesses) associated with the network applications.
Identifying methods to protect against the identified vulnerabilities and performing their
comparative cost-benefit analysis is the third step. The final step is to analyze the application
traffic and create a matrix showing how each type of traffic will be protected.
..........................................................................................................
79. Many organizations require an employee to take a mandatory vacation (holiday) of a
week or more to:
A. ensure the employee maintains a good quality of life, which will lead to greater
productivity.
B. reduce the opportunity for an employee to commit an improper or illegal act.
C. provide proper cross-training for another employee.
D. eliminate the potential disruption caused when an employee takes vacation one day at a
time.
The correct answer is:
B. reduce the opportunity for an employee to commit an improper or illegal act.
Explanation:
Required vacations/holidays of a week or more, during which someone other than the regular
employee performs the job function, are often mandatory for sensitive positions. This reduces the
opportunity to commit improper or illegal acts, and during this time it may be possible to
discover any fraudulent activity that was taking place. Choices A, C and D could all be
organizational benefits from a mandatory vacation policy, but they are not the reason why the
policy is established.
..........................................................................................................
80. In reviewing the IS short-range (tactical) plan, the IS auditor should determine
whether:
A. there is an integration of IS and business staffs within projects.
B. there is a clear definition of the IS mission and vision.
C. there is a strategic information technology planning methodology in place.
D. the plan correlates business objectives to IS goals and objectives.
The correct answer is:
A. there is an integration of IS and business staffs within projects.
Explanation:
The integration of IS and business staff in projects is an operational issue and should be
considered while reviewing the short-range plan. A strategic plan would provide a framework for
the IS short-range plan. Choices B, C and D are areas covered by a strategic plan.
..........................................................................................................
81. An organization acquiring other businesses continues using its legacy EDI systems and
uses three separate value-added network (VAN) providers. No written VAN agreements
exist. The IS auditor should recommend that management:
A. obtains independent assurance of the third-party service providers.
B. sets up a process for monitoring the service delivery of the third party.
C. ensures that formal contracts are in place.
D. considers agreements with third-party service providers in the development of
continuity plans.
The correct answer is:
C. ensures that formal contracts are in place.
Explanation:
Written agreements would assist management in ensuring compliance with external
requirements. While management should obtain independent assurance of compliance, this
cannot be achieved until there is a contract in place. One aspect of managing third-party services
is to provide monitoring; however, this cannot be achieved until there is a contract. Ensuring that
VAN agreements are available for review may assist in the development of continuity plans, if
they are deemed critical IT resources. However, this cannot be achieved until a contract is in
place.
..........................................................................................................
82. Which of the following goals would you expect to find in an organization's strategic
plan?
A. Test a new accounting package.
B. Perform an evaluation of information technology needs.
C. Implement a new project planning system within the next 12 months.
D. Become the supplier of choice for the product offered.
The correct answer is:
D. Become the supplier of choice for the product offered.
Explanation:
Strategic planning sets corporate or departmental objectives into motion. Comprehensive
planning helps ensure an effective and efficient organization. Strategic planning is time- and
project-oriented, but also must address and help determine priorities to meet business needs.
Long- and short-range plans should be consistent with the organization's broader plans for
attaining their goals. Choice D represents a business objective that is intended to focus the
overall direction of the business and would thus be a part of the organization's strategic plan. The
other choices are project-oriented and do not address business objectives.
..........................................................................................................
83. Assessing IT risks is BEST achieved by:
A. evaluating threats associated with existing IT assets and IT projects.
B. using the firm's past actual loss experience to determine current exposure.
C. reviewing published loss statistics from comparable organizations.
D. reviewing IT control weaknesses identified in audit reports.
The correct answer is:
A. evaluating threats associated with existing IT assets and IT projects.
Explanation:
To assess IT risks, threats and vulnerabilities need to be evaluated using qualitative or
quantitative risk assessment approaches. Choices B, C and D are potentially useful inputs to the
risk assessment process, but by themselves not sufficient. Basing an assessment on past losses
will not adequately reflect inevitable changes to the firm's IT assets, projects, controls and
strategic environment. There are also likely to be problems with the scope and quality of the loss
data available to be assessed. Comparable organizations will have differences in their IT assets,
control environment and strategic circumstances. Hence, their loss experience cannot be used to
directly assess organizational IT risk. Control weaknesses identified during audits will be
relevant in assessing threat exposure and further analysis may be needed to assess threat
probability. Depending on the scope of the audit coverage, it is possible that not all of the critical
IT assets and projects will have recently been audited and there may not be a sufficient
assessment of strategic IT risks.
..........................................................................................................
84. An IS auditor was hired to review e-business security. The IS auditor's first task was to
examine each existing e-business application looking for vulnerabilities. Which would be
the next task?
A. Report the risks to the CIO and CEO immediately.
B. Examine e-business application in development.
C. Identify threats and likelihood of occurrence.
D. Check the budget available for risk management.
The correct answer is:
C. Identify threats and likelihood of occurrence.
Explanation:
The IS auditor must identify the assets, look for vulnerabilities, and then identify the threats and
the likelihood of occurrence. Choices A, B and D should be discussed with the CIO, and a report
should be delivered to the CEO. The report should include the findings along with priorities and
costs.
..........................................................................................................
85. Which of the following IT governance best practices improves strategic alignment?
A. Supplier and partner risks are managed.
B. A knowledge base on customers, products, markets and processes is in place.
C. A structure is provided that facilitates the creation and sharing of business information.
D. Top management mediates between the imperatives of business and technology.
The correct answer is:
D. Top management mediates between the imperatives of business and technology.
Explanation:
Top management mediating between the imperatives of business and technology is an IT
strategic alignment best practice. Supplier and partner risks being managed is a risk management
best practice. A knowledge base on customers, products, markets and processes being in place is
an IT value delivery best practice. An infrastructure being provided to facilitate the creation and
sharing of business information is an IT value delivery and risk management best practice.
..........................................................................................................
86. Which of the following would be a compensating control to mitigate risks resulting
from an inadequate segregation of duties?
A. Sequence check
B. Check digit
C. Source documentation retention
D. Batch control reconciliations
The correct answer is:
D. Batch control reconciliations
Explanation:
Batch control reconciliations are an example of compensating controls. Other examples of
compensating controls are transaction logs, reasonableness tests, independent reviews and audit
trails, such as console logs, library logs and job accounting data. Sequence checks and check
digits are data validation edits, and source documentation retention is an example of a data file
control.
..........................................................................................................
87. The lack of adequate security controls represents a(n):
A. threat.
B. asset.
C. impact.
D. vulnerability.
The correct answer is:
D. vulnerability.
Explanation:
The lack of adequate security controls represents a vulnerability, exposing sensitive information
and data to the risk of malicious damage, attack or unauthorized access by hackers, resulting in
loss of sensitive information, which could lead to the loss of goodwill for the organization. A
succinct definition of risk is provided by the Guidelines for the Management of IT Security
published by the International Organization for Standardization (ISO), which defines risk as the
“Potential that a given threat will exploit the vulnerability of an asset or group of assets to cause
loss or damage to the assets.” The various elements of the definition are vulnerability, threat,
asset and impact. Lack of adequate security functionality in this context is a vulnerability.
..........................................................................................................
88. IT control objectives are useful to IS auditors, as they provide the basis for
understanding the:
A. desired result or purpose of implementing specific control procedures.
B. best IT security control practices relevant to a specific entity.
C. techniques for securing information.
D. security policy.
The correct answer is:
A. desired result or purpose of implementing specific control procedures.
Explanation:
An IT control objective is defined as the statement of the desired result or purpose to be achieved
by implementing control procedures in a particular IT activity. They provide the actual
objectives for implementing controls and may or may not be the best practices. Techniques are
the means of achieving an objective, and a security policy is a subset of IT control objectives.
..........................................................................................................
89. To support an organization's goals, the IS department should have:
A. a low-cost philosophy.
B. long- and short-range plans.
C. leading-edge technology.
D. planned to acquire new hardware and software.
The correct answer is:
B. long- and short-range plans.
Explanation:
To ensure its contribution to the realization of an organization's overall goals, the IS department
should have long- and short-range plans that are consistent with the organization's broader plans
for attaining its goals. Choices A and C are objectives, and plans would be needed to delineate
how each of the objectives would be achieved. Choice D could be a part of the overall plan but
would be required only if hardware or software is needed to achieve the organizational goals.
..........................................................................................................
90. An IS auditor finds that not all employees are aware of the enterprise's information
security policy. The IS auditor should conclude that:
A. this lack of knowledge may lead to unintentional disclosure of sensitive information.
B. information security is not critical to all functions.
C. IS audit should provide security training to the employees.
D. the audit finding will cause management to provide continuous training to staff.
The correct answer is:
A. this lack of knowledge may lead to unintentional disclosure of sensitive information.
Explanation:
All employees should be aware of the enterprise's information security policy to prevent
unintentional disclosure of sensitive information. Training is a preventive control. Security
awareness programs for employees can prevent unintentional disclosure of sensitive information
to outsiders.
..........................................................................................................
91. The general ledger setup function in an enterprise resource planning (ERP) system
allows for setting accounting periods. Access to this function has been permitted to users in
finance, the warehouse and order entry. The MOST likely reason for such broad access is
the:
A. need to change accounting periods on a regular basis.
B. requirement to post entries for a closed accounting period.
C. lack of policies and procedures for the proper segregation of duties.
D. need to create/modify the chart of accounts and its allocations.
The correct answer is:
C. lack of policies and procedures for the proper segregation of duties.
Explanation:
Setting of accounting periods is one of the critical activities of the finance function. Granting
access to this function to warehouse and order entry personnel could be a result of a lack of
proper policies and procedures for the adequate segregation of duties. Accounting periods should
not be changed at regular intervals, but established permanently. The requirement to post entries
for a closed accounting period is a risk. If necessary, this should be done by someone in the
finance or accounting area. The need to create/modify the chart of accounts and its allocations is
the responsibility of the finance department and is not a function that should be performed by
warehouse or order entry personnel.
..........................................................................................................
92. A comprehensive and effective e-mail policy should address the issues of e-mail
structure, policy enforcement, monitoring and:
A. recovery.
B. retention.
C. rebuilding.
D. reuse.
The correct answer is:
B. retention.
Explanation:
Besides being a good practice, laws and regulations may require that an organization keep
information that has an impact on the financial statements. The prevalence of lawsuits in which
e-mail communication is held in the same regard as the official form of classic "paper" makes the
retention of corporate e-mail a necessity. All e-mail generated on an organization's hardware is
the property of the organization, and an e-mail policy should address the retention of messages,
considering both known and unforeseen litigation. The policy should also address the destruction
of e-mails after a specified time to protect the nature and confidentiality of the messages
themselves. Addressing the retention issue in the e-mail policy would facilitate recovery,
rebuilding and reuse.
..........................................................................................................
93. A top-down approach to the development of operational policies will help ensure:
A. that they are consistent across the organization.
B. that they are implemented as a part of risk assessment.
C. compliance with all policies.
D. that they are reviewed periodically.
The correct answer is:
A. that they are consistent across the organization.
Explanation:
Deriving lower level policies from corporate policies (a top-down approach) aids in ensuring
consistency across the organization and consistency with other policies. The bottom-up approach
to the development of operational policies derives them from the results of a risk assessment. A
top-down approach by itself does not ensure compliance, and developing policies does not ensure
that they are reviewed.
..........................................................................................................
94. When developing a risk management program, the FIRST activity to be performed is
a(n):
A. threat assessment.
B. classification of data.
C. inventory of assets.
D. criticality analysis.
The correct answer is:
C. inventory of assets.
Explanation:
Identification of the assets to be protected is the first step in the development of a risk
management program. A listing of the threats that can affect the performance of these assets and
criticality analysis are later steps in the process. Data classification is required for defining
access controls and in criticality analysis.
..........................................................................................................
95. A probable advantage to an organization that has outsourced its data processing
services is that:
A. needed IS expertise can be obtained from the outside.
B. greater control can be exercised over processing.
C. processing priorities can be established and enforced internally.
D. greater user involvement is required to communicate user needs.
The correct answer is:
A. needed IS expertise can be obtained from the outside.
Explanation:
Outsourcing is a contractual arrangement whereby the organization relinquishes control over part
or all of the information processing to an external party. This is frequently done to acquire
additional resources or expertise that is not obtainable from inside the organization.
..........................................................................................................
96. When an organization is outsourcing its information security function, which of the
following should be kept in the organization?
A. Accountability for the corporate security policy
B. Defining the corporate security policy
C. Implementing the corporate security policy
D. Defining security procedures and guidelines
The correct answer is:
A. Accountability for the corporate security policy
Explanation:
Accountability cannot be transferred to external parties. Choices B, C and D can be performed
by outside entities as long as accountability remains within the organization.
..........................................................................................................
97. When segregation of duties concerns exist between IT support staff and end users, what
would be a suitable compensating control?
A. Restricting physical access to computing equipment
B. Reviewing transaction and application logs
C. Performing background checks prior to hiring IT staff
D. Locking user sessions after a specified period of inactivity
The correct answer is:
B. Reviewing transaction and application logs
Explanation:
Only reviewing transaction and application logs directly addresses the threat posed by poor
segregation of duties. The review is a means of detecting inappropriate behavior and also
discourages abuse, because people who may otherwise be tempted to exploit the situation are
aware of the likelihood of being caught. Inadequate segregation of duties is more likely to be
exploited via logical access to data and computing resources rather than physical access. Choice
C is a useful control to ensure IT staff are trustworthy and competent but does not directly
address the lack of an optimal segregation of duties. Choice D acts to prevent unauthorized users
from gaining system access, but the issue with a lack of segregation of duties is more the misuse
(deliberately or inadvertently) of access privileges that have officially been granted.
..........................................................................................................
98. Which of the following reduces the potential impact of social engineering attacks?
A. Compliance with regulatory requirements
B. Promoting ethical understanding
C. Security awareness programs
D. Effective performance incentives
The correct answer is:
C. Security awareness programs
Explanation:
Because social engineering is based on deception of the user, the best countermeasure or defense
is a security awareness program. The other choices are not user-focused.
..........................................................................................................
99. An IS auditor reviewing an organization that uses cross-training practices should assess
the risk of:
A. dependency on a single person.
B. inadequate succession planning.
C. one person knowing all parts of a system.
D. a disruption of operations.
The correct answer is:
C. one person knowing all parts of a system.
Explanation:
Cross-training is a process of training more than one individual to perform a specific job or
procedure. This practice helps decrease the dependence on a single person and assists in
succession planning. This provides for the backup of personnel in the event of an absence and,
thereby, provides for the continuity of operations. However, in using this approach, it is prudent
to have first assessed the risk of any person knowing all parts of a system and the related
potential exposures. Cross-training reduces the risks addressed in choices A, B and D.
..........................................................................................................
100. When performing a review of the structure of an electronic funds transfer (EFT)
system, an IS auditor observes that the technological infrastructure is based on a
centralized processing scheme that has been outsourced to a provider in another country.
Based on this information, which of the following conclusions should be the main concern
of the IS auditor?
A. There could be a question with regards to the legal jurisdiction.
B. Having a provider abroad will cause excessive costs in future audits.
C. The auditing process will be difficult because of the distances.
D. There could be different auditing norms.
The correct answer is:
A. There could be a question with regards to the legal jurisdiction.
Explanation:
In the funds transfer process, when the processing scheme is centralized in a different country,
there could be legal issues of jurisdiction that might affect the right to perform a review in the
other country. The other choices, though possible, are not as relevant as the issue of legal
jurisdiction.
..........................................................................................................
101. Which of the following is critical to the selection and acquisition of the correct operating
system software?
A. Competitive bids
B. User department approval
C. Hardware configuration analysis
D. Purchasing department approval
The correct answer is:
C. Hardware configuration analysis
Explanation:
The purchase of operating system software is dependent on the fact that the software is
compatible with the existing hardware. Choices A and D, although important, are not as
important as choice C. Users do not normally approve the acquisition of operating systems
software.
..........................................................................................................
102. A single digitally signed instruction was given to a financial institution to credit a
customer's account. The financial institution received the instruction three times and
credited the account three times. Which of the following would be the MOST appropriate
control against such multiple credits?
A. Encrypting the hash of the payment instruction with the public key of the financial
institution
B. Affixing a time stamp to the instruction and using it to check for duplicate payments
C. Encrypting the hash of the payment instruction with the private key of the instructor
D. Affixing a time stamp to the hash of the instruction before having it digitally signed by
the instructor
The correct answer is:
B. Affixing a time stamp to the instruction and using it to check for duplicate payments
Explanation:
Affixing a time stamp to the instruction and using it to check for duplicate payments makes the
instruction unique. The financial institution can check that the instruction was not intercepted
and replayed, and thus, it could prevent crediting the account three times. Encrypting the hash of
the payment instruction with the public key of the financial institution does not protect against replay; it
only protects confidentiality and integrity of the instruction. Encrypting the hash of the payment
instruction with the private key of the instructor ensures integrity of the instruction and
nonrepudiation of the issued instruction. The process of creating a message digest requires
applying a cryptographic hashing algorithm to the entire message. The receiver, upon decrypting
the message digest, will recompute the hash using the same hashing algorithm and compare the
result with what was sent. Hence, affixing a time stamp into the hash of the instruction before
being digitally signed by the instructor would violate the integrity requirements of a digital
signature.
..........................................................................................................
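The control chosen in question 102 (a time stamp that makes each signed instruction unique, checked at the receiving institution for duplicates and staleness) can be seen end to end in the following added example. It is not part of the mock test or of any ISACA material; HMAC-SHA256 under a shared key stands in for the instructor's digital signature so that it runs with the standard library alone, and the key, account number, amounts and freshness window are constructed sample values.

```python
"""Replay detection for time-stamped, signed payment instructions (added example).

The issuer attaches a unique instruction id and a time stamp before signing.
The receiver verifies the signature, rejects instructions outside a freshness
window, and rejects any instruction id it has already credited, so the same
instruction delivered three times is credited once.
"""
import hashlib
import hmac
import json
import time
import uuid
from typing import Dict, Optional

SHARED_KEY = b"constructed-demo-key"  # stand-in for the instructor's signing key (assumption)
FRESHNESS_WINDOW_SECONDS = 300        # assumed acceptance window around the receiver's clock


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so issuer and receiver hash exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_instruction(account: str, amount_cents: int, now: Optional[float] = None) -> dict:
    """Build and sign a credit instruction carrying a unique id and a time stamp."""
    body = {
        "instruction_id": str(uuid.uuid4()),
        "timestamp": int(now if now is not None else time.time()),
        "account": account,
        "amount_cents": amount_cents,
    }
    body["signature"] = hmac.new(SHARED_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return body


class Receiver:
    """Financial institution side: verify, check freshness, reject duplicates, then credit."""

    def __init__(self) -> None:
        self.seen_ids: Dict[str, int] = {}  # instruction_id -> timestamp, pruned by window
        self.ledger: Dict[str, int] = {}    # account -> balance in cents

    def process(self, msg: dict, now: Optional[float] = None) -> str:
        now = int(now if now is not None else time.time())
        unsigned = {k: v for k, v in msg.items() if k != "signature"}
        expected = hmac.new(SHARED_KEY, _canonical(unsigned), hashlib.sha256).hexdigest()
        # Signature first: a tampered time stamp or amount must not reach the later checks.
        if not hmac.compare_digest(expected, msg.get("signature", "")):
            return "rejected: bad signature"
        # Freshness bounds how long duplicate ids must be remembered.
        if abs(now - msg["timestamp"]) > FRESHNESS_WINDOW_SECONDS:
            return "rejected: stale"
        if msg["instruction_id"] in self.seen_ids:
            return "rejected: duplicate"
        self.seen_ids[msg["instruction_id"]] = msg["timestamp"]
        self.ledger[msg["account"]] = self.ledger.get(msg["account"], 0) + msg["amount_cents"]
        cutoff = now - FRESHNESS_WINDOW_SECONDS
        self.seen_ids = {i: t for i, t in self.seen_ids.items() if t >= cutoff}
        return "credited"


def demo():
    """Replay the scenario from the question: one instruction received three times."""
    receiver = Receiver()
    t0 = 1_700_000_000  # constructed fixed clock so the run is deterministic
    msg = issue_instruction("ACC-001", 10_000, now=t0)
    results = [receiver.process(msg, now=t0 + 1) for _ in range(3)]
    tampered = dict(msg, amount_cents=99_000)          # amount altered after signing
    results.append(receiver.process(tampered, now=t0 + 2))
    old = issue_instruction("ACC-001", 500, now=t0 - 1_000)  # signed, but outside the window
    results.append(receiver.process(old, now=t0 + 3))
    return results, receiver.ledger


if __name__ == "__main__":
    print(demo())
```

The time stamp alone is not what stops the replay; it bounds how long the receiver must keep the duplicate store, while the unique instruction id (and the signature covering both) is what makes the second and third deliveries recognisable as the same instruction. Altering the amount after signing fails the signature check, and a validly signed but old instruction is refused as stale, which is why the question's choice B is checked at the receiver rather than folded into the hash before signing.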
103. Assumptions while planning an IS project involve a high degree of risk because they are:
A. based on known constraints.
B. based on objective past data.
C. a result of a lack of information.
D. often made by unqualified people.
The correct answer is:
C. a result of a lack of information.
Explanation:
Assumptions are made when adequate information is not available. When an IS project manager
makes an assumption, there is a high degree of risk because the lack of proper information can
cause unexpected loss to an IS project. Assumptions are not based on "known" constraints. When
constraints are known in advance, a project manager can plan according to those constraints
rather than assuming the constraints will not affect the project. Having objective data about past
IS projects will not lead to making assumptions, but rather helps the IS project manager in
planning the project. Hence, if objective past data are available and the project manager makes
use of them, the risk to the project is less. Regardless of whether they are made by qualified
people or unqualified people, assumptions are risky.
..........................................................................................................
104. An existing system is being extensively enhanced by extracting and reusing design and
program components. This is an example of:
A. reverse engineering.
B. prototyping.
C. software reuse.
D. reengineering.
The correct answer is:
D. reengineering.
Explanation:
Old (legacy) systems that have been corrected, adapted and enhanced extensively require
reengineering to remain maintainable. Reengineering is a rebuilding activity to incorporate new
technologies into existing systems. Using program language statements, reverse engineering
involves reversing a program's machine code into the source code in which it was written to
identify malicious content in a program, such as a virus, or to adapt a program written for use
with one processor for use with a differently designed processor. Prototyping is the development
of a system through controlled trial and error. Software reuse is the process of planning,
analyzing and using previously developed software components. The reusable components are
integrated into the current software product systematically.
..........................................................................................................
105. When implementing an acquired system in a client-server environment, which of the
following tests would confirm that the modifications in the Windows registry do not
adversely impact the desktop environment?
A. Sociability testing
B. Parallel testing
C. White box testing
D. Validation testing
The correct answer is:
A. Sociability testing
Explanation:
When implementing an acquired system in a client-server environment, sociability testing
would confirm that the system can operate in the target environment without adversely impacting
other systems. Parallel testing is the process of feeding test data to the old and new systems and
comparing the results. White box testing is based on a close examination of procedural details,
and validation testing tests the functionality of the system against the detailed requirements to
ensure that the software that has been built is traceable to customer requirements.
..........................................................................................................
106. Information for detecting unauthorized input from a terminal would be BEST provided
by the:
A. console log printout.
B. transaction journal.
C. automated suspense file listing.
D. user error report.
The correct answer is:
B. transaction journal.
Explanation:
The transaction journal would record all transaction activity, which then could be compared to
the authorized source documents to identify any unauthorized input. A console log printout is not
the best, because it would not record activity from a specific terminal. An automated suspense
file listing would only list transaction activity where an edit error occurred, and the user error
report would only list input that resulted in an edit error.
..........................................................................................................
107. The IS auditor finds that a system under development has 12 linked modules and each
item of data can carry up to 10 definable attribute fields. The system handles several
million transactions a year. Which of these techniques could the IS auditor use to estimate
the size of the development effort?
A. Program evaluation review technique (PERT)
B. Counting source lines of code (SLOC)
C. Function point analysis
D. White box testing
The correct answer is:
C. Function point analysis
Explanation:
Function point analysis is an indirect method of measuring the size of an application by
considering the number and complexity of its inputs, outputs and files. It is useful for evaluating
complex applications. PERT is a project management technique that helps with both planning
and control. SLOC gives a direct measure of program size, but does not allow for the complexity
that may be caused by having multiple, linked modules and a variety of inputs and outputs.
White box testing involves a detailed review of the behavior of program code, and is a quality
assurance technique suited to simpler applications during the design and build stage of
development.
..........................................................................................................
108. The editing/validation of data entered at a remote site would be performed MOST
effectively at the:
A. central processing site after running the application system.
B. central processing site during the running of the application system.
C. remote processing site after transmission of the data to the central processing site.
D. remote processing site prior to transmission of the data to the central processing site.
The correct answer is:
D. remote processing site prior to transmission of the data to the central processing site.
Explanation:
It is important that the data entered from a remote site is edited and validated prior to
transmission to the central processing site.
..........................................................................................................
109. Which of the following is the FIRST thing an IS auditor should do after the discovery of
a Trojan horse program in a computer system?
A. Investigate the author.
B. Remove any underlying threats.
C. Establish compensating controls.
D. Have the offending code removed.
The correct answer is:
D. Have the offending code removed.
Explanation:
The IS auditor's first duty is to prevent the Trojan horse from causing further damage. After
removing the offending code, follow-up actions would include investigation and
recommendations (choices B and C).
..........................................................................................................
110. The GREATEST benefit in implementing an expert system is the:
A. capturing of the knowledge and experience of individuals in an organization.
B. sharing of knowledge in a central repository.
C. enhancement of personnel productivity and performance.
D. reduction of employee turnover in key departments.
The correct answer is:
A. capturing of the knowledge and experience of individuals in an organization.
Explanation:
The basis for an expert system is the capture and recording of the knowledge and experience of
individuals in an organization. Coding and entering the knowledge in a central repository,
shareable within the enterprise, is a means of facilitating the expert system. Enhancing personnel
productivity and performance is a benefit; however, it is not as important as capturing the
knowledge and experience. Employee turnover is not necessarily affected by an expert system.
..........................................................................................................
111. An IS auditor reviewing a proposed application software acquisition should ensure that
the:
A. operating system (OS) being used is compatible with the existing hardware platform.
B. planned OS updates have been scheduled to minimize negative impacts on company
needs.
C. OS has the latest versions and updates.
D. products are compatible with the current or planned OS.
The correct answer is:
D. products are compatible with the current or planned OS.
Explanation:
Choices A, B and C are incorrect because none of them is related to the area being audited. In
reviewing the proposed application the auditor should ensure that the products to be purchased
are compatible with the current or planned OS. Regarding choice A, if the OS is currently being
used, it is compatible with the existing hardware platform, because if it is not, it would not
operate properly. In choice B, the planned OS updates should be scheduled to minimize negative
impacts on the organization. For choice C, the installed OS should be equipped with the most
recent versions and updates (with sufficient history and stability).
..........................................................................................................
112. Which of the following is MOST likely to occur when a system development project is
in the middle of the programming/coding phase?
A. Unit tests
B. Stress tests
C. Regression tests
D. Acceptance tests
The correct answer is:
A. Unit tests
Explanation:
During the programming phase, the development team should have mechanisms in place to
ensure that coding is being developed to standard and is working correctly. Unit tests are key
elements of that process in that they ensure that individual programs are working correctly. They
would normally be supported by code reviews. Stress tests, regression tests and acceptance tests
would normally occur later in the development and testing phases. As part of the process of
assessing compliance with quality processes, IS auditors should verify that such reviews are
undertaken.
..........................................................................................................
113. An organization planning to purchase a software package asks the IS auditor for a risk
assessment. Which of the following is the MAJOR risk?
A. Unavailability of the source code
B. Lack of a vendor-quality certification
C. Absence of vendor/client references
D. Little vendor experience with the package
The correct answer is:
A. Unavailability of the source code
Explanation:
If the vendor goes out of business, not having the source code available would make it
impossible to update the (software) package. Lack of a vendor-quality certification, absence of
vendor/client references and little vendor experience with the package are important issues but
not critical.
..........................................................................................................
114. An IS auditor assigned to audit a reorganized process should FIRST review which of
the following?
A. A map of existing controls
B. Eliminated controls
C. Process charts
D. Compensating controls
The correct answer is:
C. Process charts
Explanation:
To ensure adequate control over the business process, the auditor should first review the flow
charts showing the before and after processes. The process charts aid in analyzing the changes in
the processes. The other choices—analyzing eliminated controls, ensuring that compensating
controls are in place and analyzing the existing controls—are incorrect as each, performed
individually, would not be as effective and all-encompassing as reviewing the process charts.
..........................................................................................................
115. The PRIMARY benefit of integrating total quality management (TQM) into a software
development project is:
A. comprehensive documentation.
B. on-time delivery.
C. cost control.
D. end-user satisfaction.
The correct answer is:
D. end-user satisfaction.
Explanation:
Quality is ultimately a measure of end-user satisfaction. If the end user is not satisfied, then the
product was not properly developed. Comprehensive documentation, on-time delivery and costs
are all secondary to end-user satisfaction.
..........................................................................................................
116. When reviewing the quality of an IS department's development process, the IS auditor
finds that the department does not use any formal, documented methodology and standards. The IS
auditor's MOST appropriate action would be to:
A. complete the audit and report the finding.
B. investigate and recommend appropriate formal standards.
C. document the informal standards and test for compliance.
D. withdraw and recommend a further audit when standards are implemented.
The correct answer is:
C. document the informal standards and test for compliance.
Explanation:
The IS auditor's first concern would be to ensure that projects are consistently managed. Where it
is claimed that an internal standard exists, it is important to ensure that it is operated correctly,
even when this means documenting the claimed standards first. Merely reporting the issue as a
weakness and closing the audit without findings would not help the organization in any way and
investigating formal methodologies may be unnecessary if the existing, informal standards prove
to be adequate and effective.
..........................................................................................................
117. During unit testing, the test strategy applied is:
A. black box.
B. white box.
C. bottom-up.
D. top-down.
The correct answer is:
B. white box.
Explanation:
White box testing examines the internal structure of a module. A programmer should perform
this test for each module prior to integrating the module with others. Black box testing focuses
on the functional requirements and does not consider the control structure of the module.
Choices C and D are not correct because these tests require that several modules have already
been assembled and tested.
..........................................................................................................
118. A decision support system (DSS):
A. is aimed at solving highly structured problems.
B. combines the use of models with nontraditional data access and retrieval functions.
C. emphasizes flexibility in the decision-making approach of users.
D. supports only structured decision-making tasks.
The correct answer is:
C. emphasizes flexibility in the decision-making approach of users.
Explanation:
DSS emphasizes flexibility in the decision-making approach of users. It is aimed at solving
less-structured problems, combines the use of models and analytic techniques with traditional data
access and retrieval functions, and supports semistructured decision-making tasks.
..........................................................................................................
119. Which of the following phases represents the optimum point for software baselining to
occur?
A. Testing
B. Design
C. Requirement
D. Development
The correct answer is:
B. Design
Explanation:
Software baselining is the cut-off point in the design and development of an application, beyond
which change should not occur without undergoing formal procedures for approval and should
be supported by a cost-benefit business impact analysis. The optimum point for software
baselining to occur is the design phase.
..........................................................................................................
120. A proposed transaction processing application will have many data capture sources and
outputs in paper and electronic form. To ensure that transactions are not lost during
processing, the IS auditor should recommend the inclusion of:
A. validation controls.
B. internal credibility checks.
C. clerical control procedures.
D. automated systems balancing.
The correct answer is:
D. automated systems balancing.
Explanation:
Automated systems balancing would be the best way to ensure that no transactions are lost as
any imbalance between total inputs and total outputs would be reported for investigation and
correction. Validation controls and internal credibility checks are certainly valid controls, but
will not detect and report lost transactions. In addition, although a clerical procedure could be
used to summarize and compare inputs and outputs, an automated process is less susceptible to
error.
..........................................................................................................
121. When auditing the conversion of an accounting system an IS auditor should verify the
existence of a:
A. control total check.
B. validation check.
C. completeness check.
D. limit check.
The correct answer is:
A. control total check.
Explanation:
Tallying a control total of all accounts before and after conversion will assure the IS auditor that
all amount data has been taken into the new system. Later one-to-one checking by users will
assure that all the data has been converted. The other choices are incorrect. Validation checks,
completeness checks and limit checks would be applied at the point at which the data are
originally entered into the accounting system.
..........................................................................................................
122. A debugging tool, which reports on the sequence of steps executed by a program, is
called a(n):
A. output analyzer.
B. memory dump.
C. compiler.
D. logic path monitor.
The correct answer is:
D. logic path monitor.
Explanation:
Logic path monitors report on the sequence of steps executed by a program. This provides the
programmer with clues to logic errors, if any, in the program. An output analyzer checks the
results of a program for accuracy by comparing the expected results with the actual results. A
memory dump provides a picture of the content of a computer's internal memory at any point in
time, often when the program is aborted, thus providing information on inconsistencies in data or
parameter values. Though compilers have some potential to provide feedback to a programmer,
they are not generally considered a debugging tool.
..........................................................................................................
123. Which of the following facilitates program maintenance?
A. More cohesive and loosely coupled programs
B. Less cohesive and loosely coupled programs
C. More cohesive and strongly coupled programs
D. Less cohesive and strongly coupled programs
The correct answer is:
A. More cohesive and loosely coupled programs
Explanation:
Cohesion refers to the performance of a single, dedicated function by each program. Coupling
refers to the independence of the comparable units. Loosely coupled units, when the program
code is changed, will reduce the probability of affecting other program units. More cohesive and
loosely coupled units are best for maintenance.
..........................................................................................................
124. Which of the following ensures completeness and accuracy of accumulated data?
A. Processing control procedures
B. Data file control procedures
C. Output controls
D. Application controls
The correct answer is:
A. Processing control procedures
Explanation:
Processing controls ensure the completeness and accuracy of accumulated data, for example,
editing and run-to-run totals. Data file control procedures ensure that only authorized processing
occurs to stored data, for example, transaction logs. Output controls ensure that data delivered to
users will be presented, formatted and delivered in a consistent and secure manner, for example,
using report distribution. "Application controls" is a general term comprising all kinds of
controls used in an application.
..........................................................................................................
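Questions 120, 121 and 124 all turn on the same mechanism: totals computed independently at each processing run (record count, amount total, hash total) and compared with the totals carried from the previous run or from the conversion source, so that a lost or substituted transaction is reported instead of silently disappearing. The following added example, which is not from the mock test or from ISACA, shows that balancing over a constructed three-transaction batch; the step names, account format and the two injected faults are assumptions made for the demonstration.

```python
"""Run-to-run control totals / automated systems balancing (added example).

Each processing step's output is balanced against the totals of the original
input. Three totals are kept because they catch different faults: the count
and amount total expose a lost record, while the hash total (sum of numeric
account ids) exposes a substitution that leaves count and amount unchanged.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Txn:
    txn_id: int
    account: str       # constructed format "ACC-<numeric id>"
    amount_cents: int


def control_totals(batch: List[Txn]) -> Dict[str, int]:
    """Compute the three control totals over a batch."""
    return {
        "count": len(batch),
        "amount": sum(t.amount_cents for t in batch),
        # Hash total: a meaningless arithmetic sum used only for comparison.
        "hash_total": sum(int(t.account.split("-")[1]) for t in batch),
    }


def balance(step: str, expected: Dict[str, int], batch: List[Txn]) -> List[str]:
    """Return one finding per total that does not balance (empty when the run balances)."""
    actual = control_totals(batch)
    return [
        f"{step}: {name} expected {expected[name]} got {actual[name]}"
        for name in expected
        if expected[name] != actual[name]
    ]


def run_pipeline(
    input_batch: List[Txn], steps: List[Tuple[str, Callable[[List[Txn]], List[Txn]]]]
) -> Tuple[List[str], List[Txn]]:
    """Run record-preserving steps in order, balancing each output against the input totals."""
    expected = control_totals(input_batch)  # totals established before processing begins
    findings: List[str] = []
    batch = input_batch
    for name, step in steps:
        batch = step(batch)
        findings += balance(name, expected, batch)
    return findings, batch


# Constructed sample batch.
SAMPLE_BATCH = [
    Txn(1, "ACC-1001", 2500),
    Txn(2, "ACC-1002", 7300),
    Txn(3, "ACC-1003", 1200),
]


def normalise(batch: List[Txn]) -> List[Txn]:
    """A legitimate, record-preserving step (e.g. a conversion or reformatting run)."""
    return [Txn(t.txn_id, t.account.upper(), t.amount_cents) for t in batch]


def lossy_transmit(batch: List[Txn]) -> List[Txn]:
    """Constructed fault: the second record is lost in transmission."""
    return [t for t in batch if t.txn_id != 2]


def misroute(batch: List[Txn]) -> List[Txn]:
    """Constructed fault: one account id substituted; count and amount still balance."""
    return [Txn(t.txn_id, "ACC-1999" if t.txn_id == 3 else t.account, t.amount_cents) for t in batch]


def demo():
    """Three runs: a clean conversion, a lost transaction, and a substituted account."""
    clean, _ = run_pipeline(SAMPLE_BATCH, [("normalise", normalise)])
    lost, _ = run_pipeline(SAMPLE_BATCH, [("normalise", normalise), ("transmit", lossy_transmit)])
    swapped, _ = run_pipeline(SAMPLE_BATCH, [("misroute", misroute)])
    return clean, lost, swapped


if __name__ == "__main__":
    for findings in demo():
        print(findings or "balanced")
```

The clean run produces no findings, the lossy run is flagged on all three totals at the transmit step, and the substitution is caught only by the hash total, which is the reason a balancing control that relies on the financial total alone is weaker than one that also carries a count and a hash total.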
125. The MAJOR concern for an IS auditor reviewing a CASE environment should be that
the use of CASE does not automatically:
A. result in a correct capture of requirements.
B. ensure that desirable application controls have been implemented.
C. produce ergonomic and user-friendly interfaces.
D. generate efficient code.
The correct answer is:
A. result in a correct capture of requirements.
Explanation:
The principal concern should be to ensure an alignment of the application with business needs
and user requirements. While the CASE being used may provide tools to cover this crucial initial
phase, a cooperative user-analyst interaction is always needed. Choice B should be the next
concern. If the system meets business needs and user requirements, it should also incorporate all
desirable controls. Controls have to be specified since CASE can only automatically incorporate
certain, rather low-level, controls (such as checking that an input field has the expected type, e.g., a date). CASE will not
(choice C) automatically generate ergonomic and user-friendly interfaces, but it should provide
tools for easy (and automatically documented) tuning. CASE applications (choice D) generally
come short of optimizing the use of hardware and software resources, precisely because they are
designed to optimize other elements, such as developers' effort or documentation.
..........................................................................................................
126. The MOST likely explanation for the use of applets in an Internet application is that:
A. it is sent over the network from the server.
B. the server does not run the program and the output is not sent over the network.
C. they improve the performance of the web server and network.
D. it is a JAVA program downloaded through the web browser and executed by the web
server of the client machine.
The correct answer is:
C. they improve the performance of the web server and network.
Explanation:
An applet is a JAVA program that is sent over the network from the web server, through a web
browser, to the client machine. Then the code is run on the machine. Since the server does not
run the program and the output is not sent over the network, the performance on the web server
and network, over which the server and client are connected, drastically improves through the
use of applets. Performance improvement is more important than the reasons offered in choices
A and B. Since JAVA virtual machine (JVM) is embedded in most web browsers, the applet
download through the web browser runs on the client machine from the web browser, not from
the web server, making choice D incorrect.
..........................................................................................................
127. Ideally, stress testing should be carried out in a:
A. test environment using test data.
B. production environment using live workloads.
C. test environment using live workloads.
D. production environment using test data.
The correct answer is:
C. test environment using live workloads.
Explanation:
Stress testing is carried out to ensure a system can cope with production workloads. A test
environment should always be used to avoid damaging the production environment. Hence,
testing should never take place in a production environment (choices B and D), and if only test
data is used, there is no certainty that the system was stress tested adequately.
..........................................................................................................
128. Good quality software is BEST achieved:
A. through thorough testing.
B. by finding and quickly correcting programming errors.
C. by determining the amount of testing using the available time and budget.
D. by applying well-defined processes and structured reviews throughout the project.
The correct answer is:
D. by applying well-defined processes and structured reviews throughout the project.
Explanation:
Testing can point to quality deficiencies; however, it cannot by itself fix them. Corrective action
at this point in the project is expensive. While it is necessary to detect and correct program
errors, the bigger return comes from detecting defects as they occur in upstream phases, such as
requirements and design. Choice C is representative of the most common mistake when applying
quality management to a software project: it is seen as overhead, whereas early removal of defects
has a substantial payback. Rework is actually the largest cost driver on most software projects.
Choice D represents the core of achieving quality, that is, following a well-defined, consistent
process and effectively reviewing key deliverables.
..........................................................................................................
129. A company undertakes a business process reengineering (BPR) project in support of a
new and direct marketing approach to its customers. Which of the following would be the
IS auditor's main concern about the new process?
A. Are key controls in place to protect assets and information resources?
B. Does it address the corporate customer requirements?
C. Does the system meet the performance goals (time and resources)?
D. Have owners been identified who will be responsible for the process?
The correct answer is:
A. Are key controls in place to protect assets and information resources?
Explanation:
The audit team must advocate the inclusion of the key controls and verify that the controls are in
place before implementing the new process. Choices B, C and D are objectives that the BPR
process should achieve, but they are not the auditor's primary concern.
..........................................................................................................
130. A company has contracted with an external consulting firm to implement a commercial
financial system to replace its existing in-house-developed system. In reviewing the
proposed development approach, which of the following would be of GREATEST concern?
A. Acceptance testing is to be managed by users.
B. A quality plan is not part of the contracted deliverables.
C. Not all business functions will be available on initial implementation.
D. Prototyping is being used to confirm that the system meets business requirements.
The correct answer is:
B. A quality plan is not part of the contracted deliverables.
Explanation:
A quality plan is an essential element of all projects. It is critical that the contracted supplier be
required to produce such a plan. The quality plan for the proposed development contract should
be comprehensive and encompass all phases of the development and include which business
functions will be included and when. Acceptance is normally managed by the user area, since
they must be satisfied that the new system will meet their requirements. If the system is large, a
phased-in approach to implementing the application is a reasonable approach. Prototyping is a
valid method of ensuring that the system will meet business requirements.
..........................................................................................................
131. The use of a GANTT chart can:
A. aid in scheduling project tasks.
B. determine project checkpoints.
C. ensure documentation standards.
D. direct the postimplementation review.
The correct answer is:
A. aid in scheduling project tasks.
Explanation:
A Gantt chart is used in project control. It may aid in the identification of needed checkpoints,
but its primary use is in scheduling. It will not ensure the completion of documentation, nor will it
provide direction for the postimplementation review.
..........................................................................................................
132. Using test data as part of a comprehensive test of program controls in a continuous
online manner is called a(n):
A. test data/deck.
B. base-case system evaluation.
C. integrated test facility (ITF).
D. parallel simulation.
The correct answer is:
B. base-case system evaluation.
Explanation:
A base-case system evaluation uses test data sets developed as part of comprehensive testing
programs. It is used to verify correct systems operations before acceptance, as well as periodic
validation. Test data/deck simulates transactions through real programs. An ITF creates fictitious
files in the database with test transactions processed simultaneously with live input. Parallel
simulation is the production of data processed using computer programs that simulate application
program logic.
..........................................................................................................
133. Testing the connection of two or more system components that pass information from
one area to another is:
A. pilot testing.
B. parallel testing.
C. interface testing.
D. regression testing.
The correct answer is:
C. interface testing.
Explanation:
Interface testing is a hardware or software test that evaluates the connection of two or more
components that pass information from one area to another. Pilot testing is a preliminary test that
focuses on specific and predetermined aspects of a system and is not meant to replace other
methods. Parallel testing is the process of feeding test data into two systems—the modified
system and an alternative system—and comparing the results. Regression testing is the process
of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have
not introduced new errors. The data used in regression testing is the same as the data used in the
original test.
..........................................................................................................
134. Regression testing is the process of testing a program to determine if:
A. the new code contains errors.
B. discrepancies exist between functional specifications and performance.
C. new requirements have been met.
D. changes have introduced any errors in the unchanged code.
The correct answer is:
D. changes have introduced any errors in the unchanged code.
Explanation:
Regression testing is the process of rerunning a portion of a test scenario or test plan to ensure
that changes or corrections have not introduced new errors. The data used in regression testing
should be the same as the data used in the original test. Unit testing is used to determine whether
new code contains errors or does not meet requirements.
..........................................................................................................
135. Which of the following groups/individuals should assume overall direction and
responsibility for costs and timetables of system development projects?
A. User management
B. Project steering committee
C. Senior management
D. Systems development management
The correct answer is:
B. Project steering committee
Explanation:
The project steering committee is ultimately responsible for all costs and timetables. User
management assumes ownership of the project and the resulting system. Senior management
commits to the project and approves the resources necessary to complete the project. System
development management provides technical support for the hardware and software
environments by developing, installing and operating the requested system.
..........................................................................................................
136. The difference between white box testing and black box testing is that white box testing:
A. involves the IS auditor.
B. is performed by an independent programmer team.
C. examines a program's internal logical structure.
D. uses the bottom-up approach.
The correct answer is:
C. examines a program's internal logical structure.
Explanation:
Black box testing observes a system's external behavior, while white box testing is a detailed
examination of a program's logical paths, checking the possible conditions. The IS auditor need
not be involved in either testing method. The bottom-up approach can be used in both tests. White
box testing requires knowledge of the internals of the program or module to be implemented/tested.
Black box testing requires only that the functionality of the program be known. An independent
programmer team would not be aware of the purpose of a program in which they have not been
involved; hence, the independent programmer team cannot provide any assistance in either of
these testing approaches.
..........................................................................................................
137. An IS auditor reviewing a project, where quality is a major concern, should use the
project management triangle to explain that a(n):
A. increase in quality can be achieved, even if resource allocation is decreased.
B. increase in quality is only achieved, if resource allocation is increased.
C. decrease in delivery time can be achieved, even if resource allocation is decreased.
D. decrease in delivery time can only be achieved, if quality is decreased.
The correct answer is:
A. increase in quality can be achieved, even if resource allocation is decreased.
Explanation:
The three primary dimensions of a project are determined by the deliverables, the allocated
resources and the delivery time. The area of the project management triangle, composed of these
three dimensions, is fixed. Depending on the degree of freedom, a change in one dimension may
be compensated by changing either one or both of the remaining dimensions. Thus, if resource
allocation is decreased, an increase in quality can still be achieved, provided that a delay in the
delivery time of the project is accepted. The area of the triangle always remains constant.
..........................................................................................................
138. Which of the following integrity tests examines the accuracy, completeness, consistency
and authorization of data?
A. Data
B. Relational
C. Domain
D. Referential
The correct answer is:
A. Data
Explanation:
Data integrity testing examines the accuracy, completeness, consistency and authorization of
data. Relational integrity testing detects modification to sensitive data by the use of control
totals. Domain integrity testing verifies that data conforms to specifications. Referential integrity
testing ensures that data exists in its parent or original file before it exists in the child or another
file.
..........................................................................................................
139. Which of the following is MOST effective in controlling application maintenance?
A. Informing users of the status of changes
B. Establishing priorities on program changes
C. Obtaining user approval of program changes
D. Requiring documented user specifications for changes
The correct answer is:
C. Obtaining user approval of program changes
Explanation:
User approvals of program changes will ensure that changes are correct as specified by the user
and that they are authorized. Therefore, erroneous or unauthorized changes are less likely to
occur, minimizing system downtime and errors.
..........................................................................................................
140. Which of the following groups should assume ownership of a systems development
project and the resulting system?
A. User management
B. Senior management
C. Project steering committee
D. Systems development management
The correct answer is:
A. User management
Explanation:
User management assumes ownership of the project and resulting system. They should review
and approve deliverables as they are defined and accomplished. Senior management approves
the project and the resources needed to complete it. The project steering committee provides
overall direction and is responsible for monitoring costs and timetables. Systems development
management provides technical support.
..........................................................................................................
141. To make an electronic funds transfer (EFT), one employee enters the amount field and
another employee reenters the same data before the money is transferred. The control
adopted by the organization in this case is:
A. sequence check.
B. key verification.
C. check digit.
D. completeness check.
The correct answer is:
B. key verification.
Explanation:
Key verification is a process in which keying-in is repeated by a separate individual using a
machine that compares the original entry to the repeated entry. Sequence check refers to the
continuity in serial numbers within the number range on documents. A check digit is a numeric
value that has been calculated mathematically and added to data to ensure that the original data
have not been altered or an incorrect, but valid, value substituted. Completeness checks ensure
that all the characters required for a field have been input.
..........................................................................................................
142. An IS auditor is told by IS management that the organization has recently reached the
highest level of the software capability maturity model (CMM). The software quality
process MOST recently added by the organization is:
A. continuous improvement.
B. quantitative quality goals.
C. a documented process.
D. a process tailored to specific projects.
The correct answer is:
A. continuous improvement.
Explanation:
An organization would have reached the highest level of the software CMM at level 5,
optimizing. Quantitative quality goals can be reached at level 4 and below, a documented process
is executed at level 3 and below, and a process tailored to specific projects can be achieved at
level 3 or below.
..........................................................................................................
143. The use of fourth-generation languages (4GLs) should be weighed carefully against
using traditional languages, because 4GLs:
A. can lack the lower-level detail commands necessary to perform data-intensive operations.
B. cannot be implemented on both the mainframe processors and microcomputers.
C. generally contain complex language subsets that must be used by skilled users.
D. cannot access database records and produce complex online outputs.
The correct answer is:
A. can lack the lower-level detail commands necessary to perform data-intensive operations.
Explanation:
All of the answers are advantages of using 4GLs, except that they can lack the lower-level detail
commands necessary to perform data-intensive operations. These operations are usually required
when developing major applications.
..........................................................................................................
144. During the development of an application, the quality assurance testing and user
acceptance testing were combined. The MAJOR concern for an IS auditor reviewing the
project is that there will be:
A. increased maintenance.
B. improper documentation of testing.
C. inadequate functional testing.
D. delays in problem resolution.
The correct answer is:
C. inadequate functional testing.
Explanation:
The major risk of combining quality assurance testing and user acceptance testing is that
functional testing may be inadequate. Choices A, B and D are not as important.
..........................................................................................................
145. An organization has contracted with a vendor for a turnkey solution for its electronic
toll collection system (ETCS). The vendor has provided its proprietary application software
as part of the solution. The contract should require that:
A. a backup server be available to run ETCS operations with up-to-date data.
B. a backup server be loaded with all the relevant software and data.
C. the systems staff of the organization be trained to handle any event.
D. source code of the ETCS application be placed in escrow.
The correct answer is:
D. source code of the ETCS application be placed in escrow.
Explanation:
Whenever proprietary application software is purchased, the contract should provide for a source
code escrow agreement. This will ensure that the purchasing company has the opportunity to
modify the software should the vendor cease to be in business. Having a backup server with
current data and trained staff is important, but not as critical as ensuring the availability of the
source code.
..........................................................................................................
146. Which of the following is a dynamic analysis tool for the purpose of testing software
modules?
A. Black box test
B. Desk checking
C. Structured walk-through
D. Design and code
The correct answer is:
A. Black box test
Explanation:
A black box test is a dynamic analysis tool for testing software modules. During the testing of
software modules, a black box test first exercises the software as a single cohesive unit/entity
consisting of numerous modules, and second exercises it with the user data that flows across the
software modules; in some cases, this data even drives the software behavior. In choices B, C and
D, the software (design or code) remains static and is closely examined by a person reasoning
about it, without the software actually being executed. Hence, these cannot be referred to as
dynamic analysis tools.
..........................................................................................................
147. The impact of EDI on internal controls will be:
A. that fewer opportunities for review and authorization will exist.
B. an inherent authentication.
C. a proper distribution of EDI transactions while in the possession of third parties.
D. that IPF management will have increased responsibilities over data center controls.
The correct answer is:
A. that fewer opportunities for review and authorization will exist.
Explanation:
EDI promotes a more efficient paperless environment, but at the same time, less human
intervention leaves fewer opportunities for review and authorization. Choice B is incorrect: since
the interaction between parties is electronic, there is no inherent authentication occurring.
Computerized data can look the same no matter what the source and does not include any
distinguishing human element or signature. Choice C is incorrect because the handling of EDI
transactions while in the possession of third parties is a security risk associated with EDI, not a
control. Choice D is incorrect because there are relatively few, if any, additional data center
controls associated with the implementation of EDI applications. Instead, more control will need
to be exercised by the user's application system to replace manual controls, such as sight reviews
of documents. More emphasis will need to be placed on control over data transmission (network
management controls).
..........................................................................................................
148. Which of the following tasks occurs during the research stage of the benchmarking
process?
A. Critical processes are identified.
B. Benchmarking partners are visited.
C. Findings are translated into core principles.
D. Benchmarking partners are identified.
The correct answer is:
D. Benchmarking partners are identified.
Explanation:
During the research stage, the team collects data and identifies the benchmarking partners. In the
planning stage, the team identifies the critical processes to be benchmarked. Visiting the
benchmarking partners is performed in the observation stage. Translating the findings into core
principles is performed during the adaptation stage.
..........................................................................................................
149. Which of the following would be a risk specifically associated with the agile
development process?
A. Lack of documentation
B. Lack of testing
C. Poor requirements definition
D. Poor project management practices
The correct answer is:
A. Lack of documentation
Explanation:
Agile development relies on knowledge held by people within the organization, as opposed to
externally documented knowledge. The main issue is the necessity of providing compensating
controls to ensure that changes and enhancements to the system can be made later on, even if the
key personnel who know the implemented business logic leave the company. Lack of testing might
be an issue, but without formal documentation it is difficult for an auditor to gather objective
evidence. Rapid response to changing requirements is one strength of the agile development
process. Replanning the project at the end of each iteration, including reprioritizing
requirements, identifying any new requirements and determining in which release delivered
functionality is to be implemented, is a main aspect of the agile process. Applied project
management practices are slightly different from those required for traditional methods of
software development. The project manager's role shifts from one primarily concerned with
planning the project, allocating tasks and monitoring progress, to that of a facilitator and
advocate. Responsibility for planning and control shifts to the team members.
..........................................................................................................
150. An IS auditor evaluating data integrity in a transaction-driven system environment
should review atomicity to determine whether:
A. the database survives failures (hardware or software).
B. each transaction is separated from other transactions.
C. integrity conditions are maintained.
D. a transaction is completed or a database is updated.
The correct answer is:
D. a transaction is completed or a database is updated.
Explanation:
This concept is included in the atomicity, consistency, isolation and durability (ACID)
principle. Atomicity means that a transaction either completes entirely or leaves the database
unchanged. Durability means that the database survives failures (hardware or software). Isolation
means that each transaction is separated from other transactions. Consistency means that
integrity conditions are maintained.
..........................................................................................................