When approximately 22 terabytes (TB) of Dallas Police Department (DPD) (Texas, USA) data were accidentally deleted during a cloud migration in March 2021, ultimately only 14 TB could be recovered, affecting myriad case files and prosecutorial actions.1 The City of Dallas later released a 131-page report which uncovered that DPD protocols for data management had been "inadequate."2 The DPD is not alone. Even highly experienced data managers and organizations can be at risk when it comes to data backup and recovery procedures.

Reduce Risk With the 3-2-1 Rule

Disruption to data is more a matter of when it will occur than if it will occur. A 2021 data center fire at a French cloud service provider (CSP) disrupted millions of websites, including government portals, banks and retailers.3 The CSP faced a difficult recovery because both copies of customer data had been backed up at a single location. The data center fire is a prime example of the need for resilience in digital disruption, especially in an environment of increasing cyberrisk, including hostile state-sponsored threats to critical infrastructures.4

To reduce the risk of data disruption, organizations should maintain at least 3 copies or versions of data stored on 2 different pieces of media, 1 of which is offsite. This is referred to as the 3-2-1 rule.5 With at least 3 different copies of important files and information, an organization can recover even from accidents that affect multiple versions. But, of course, one should not keep the copies of the data on the same media. At least 1 offline copy should be created and maintained in addition to on-premises and cloud storage versions of data. Local backups should be securely stored on portable hardware-encrypted storage devices.
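As an added illustration of the 3-2-1 rule just described (example code written for this page, not from the article or from Apricorn), the following Python script evaluates a small backup inventory against the rule and against the two extra requirements the article adds: at least one offline copy and encryption on every copy. The BackupCopy fields, the site labels and both sample inventories are constructed assumptions; the first inventory reproduces the single-location pattern behind the data center fire example and is expected to fail, the second is expected to pass.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a data set. The field names are assumptions for this example."""
    name: str
    media: str        # media class, e.g. "ssd", "cloud-object", "usb-hdd", "tape"
    location: str     # site label; a copy is "offsite" when this differs from the primary site
    offline: bool     # True when the copy is disconnected from the network when not in use
    encrypted: bool   # True when the copy is encrypted at rest


def check_3_2_1(copies: Iterable[BackupCopy], primary_site: str) -> List[str]:
    """Return the list of rule violations; an empty list means the inventory passes.

    Checks the 3-2-1 rule (3 copies, 2 media types, 1 offsite) plus the two
    additional requirements the article states: at least one offline copy
    and encryption on every copy.
    """
    copies = list(copies)
    findings: List[str] = []

    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; the rule requires at least 3")

    media_types = {c.media for c in copies}
    if len(media_types) < 2:
        findings.append(
            f"all copies share one media type ({', '.join(sorted(media_types)) or 'none'}); "
            "at least 2 are required"
        )

    # A copy counts as offsite only if it is held somewhere other than the primary site.
    if not any(c.location != primary_site for c in copies):
        findings.append(f"no copy is held away from the primary site {primary_site!r}")

    # A connected backup can be lost to the same incident as the primary copy.
    if not any(c.offline for c in copies):
        findings.append("no offline copy; a connected backup can be lost to the same incident as the primary")

    for c in copies:
        if not c.encrypted:
            findings.append(f"copy {c.name!r} is not encrypted at rest")

    return findings


# Constructed sample inventories (not any real organization's data).
# SINGLE_SITE mirrors the single-location pattern from the data center fire
# example: both copies on the same media class at the same site, nothing offline.
SINGLE_SITE = [
    BackupCopy("production-db", media="ssd", location="dc-a", offline=False, encrypted=True),
    BackupCopy("nightly-dump", media="ssd", location="dc-a", offline=False, encrypted=True),
]

# COMPLIANT adds a cloud copy in another location and an encrypted, offline
# removable drive kept away from the office.
COMPLIANT = [
    BackupCopy("production-db", media="ssd", location="hq", offline=False, encrypted=True),
    BackupCopy("cloud-snapshot", media="cloud-object", location="cloud-region-1", offline=False, encrypted=True),
    BackupCopy("weekly-usb", media="usb-hdd", location="offsite-safe", offline=True, encrypted=True),
]


if __name__ == "__main__":
    for label, inventory, site in (("single-site", SINGLE_SITE, "dc-a"), ("compliant", COMPLIANT, "hq")):
        problems = check_3_2_1(inventory, site)
        print(f"{label}: {'PASS' if not problems else 'FAIL'}")
        for problem in problems:
            print(f"  - {problem}")
```

The function reports every violated requirement rather than stopping at the first one, so a single run of the check gives the complete list of gaps in an inventory; the single-site inventory above fails on copy count, media diversity, offsite and offline at once.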
For example, portable and removable storage devices with built-in hardware encryption used across the workforce can ensure the existence of backups that maximize control for organizations, regardless of the breach, attack, damage, disaster or other disruption. Removable storage devices complement the cloud, enabling the retention of some element of control over the data rather than abdicating all responsibility to a CSP. Employees at all levels should be knowledgeable of procedures and incorporate backups into their everyday work.

Develop a Procedure and Adhere to It

Most people understand that all organizations should consistently secure and back up their data, yet often this is not the case. Too often an enterprise becomes distracted and shifts its attention to other challenges. Today, those challenges may take the form of hybrid working and remote workforce management. Organizations may rely too much on faith when it comes to the security of data at rest or stored in the cloud. Often there is not even a written backup and recovery plan or policy in place and, if there is a strategy, it is not adhered to, or its status is unknown.

The Apricorn 2021 Global IT Security Survey reported that 49% of IT professionals say individual employees in their organization do not consider themselves potential attack targets for access to enterprise data.6 More than 50% of respondents to a recent Apricorn poll note that they, or their employees, have experienced a loss of data as a result of not creating backups or a backup failure.7 Despite this, more than 60% of respondents state that they are not required to play a role in backing up enterprise data.
Worryingly, one-third of respondents admit to not backing up data to a second offsite location.8 Of those who do, approximately 30% back up to the cloud and slightly more than 20% rely on storage devices for secondary backup. Meanwhile, the COVID-19 pandemic has also created ongoing vulnerabilities. Even beyond the pandemic, remote work will likely continue to play a larger role for many organizations. Enterprises therefore must remain aware of the many new attack vectors represented by remote connections and hybrid working environments. In addition, large volumes of data now move beyond the boundaries of the enterprise network.

Consider the Increasing Consequences

Compounding these issues, threats to organizational and personal data and to the network itself continue to evolve and become more sophisticated. Today's cyberthreat landscape typically demands a multifaceted approach to best-practice cybersecurity. Addressing data protection, backup and recovery plays a central role in mitigating risk from any cyberattack to critical infrastructure and organizational information. Secure data backup processes can maximize data control, eliminate unauthorized data access and facilitate fast restoration of operations in the event of a breach or attack.

The consequences of not addressing the situation can be catastrophic. Poor management and a lack of preparation constantly threaten the security of data and information. Data sprawl can increase the risk of data losses, whether from a common cyberthreat such as a ransomware attack or a force majeure event that results in downtime, financial loss and/or reputational damage. Organizations are at high risk of external investigations and penalties, including heavy fines. In addition, financial damage can result in costs related to restitution and repair, and an increased price to pay for future protection.
Further costs are accrued by negative media coverage of the organization, which damages brands and can cause customer exits or deter new customers, impeding growth.

Use Your Backup for a Fast, Efficient Recovery

Making solid investments in data backup and recovery planning can save organizations considerable amounts of time and money in the future. The best pathways to achieve this have been made clear, including many different options for data backup for organizations with different requirements and challenges. Above all, centering an effective backup-and-recovery strategy around multiple copies of data provides both insurance against future cyberattacks and flexibility, defending against data loss due to weather, human error, hardware failure and more.

As part of an up-to-date, regularly reviewed, multilayered cybersecurity approach, it is key to frequently back up data, including offline backups, and regularly practice procedures for data recovery from those backups. Stakeholders should ensure that all enterprise data are encrypted and offline backups remain inaccessible to unauthorized users.9, 10 Lastly, it is important to create a plan for quick data restoration in the event of disruption. Data resilience can be straightforward if organizations begin with first principles, create a plan and adhere to it. Using the 3-2-1 method can ensure that organizational data assets are properly secured in the event of a data loss incident.

Endnotes

1 Osborne, R.; "City of Dallas Calls IT Protocols 'Inadequate' in 131-page Report on Police Data Loss," WFAA, USA, 1 October 2021

Kurt Markley is the US managing director at Apricorn and has more than 20 years of experience in encryption and cybersecurity. He has worked with many organizations in the manufacturing, government, finance and health care industries to help strengthen their data protection.
CISA Practice Question Database 2013-2014
The PRIMARY advantage of a continuous audit approach is that it:
A. does not require an IS auditor to collect evidence on system reliability while processing is taking place.
B. requires the IS auditor to review and follow up immediately
1.1. The correct answer is C.
Which of the following ensures the availability of transactions in the event of a disaster?
A. Send tapes hourly containing transactions offsite.
B. Send tapes daily containing transactions offsite.
C. Capture transactions to multiple st
4.10. The correct answer is D.
An organization has outsourced its help desk function. Which of the following indicators would be the BEST to include in the service level agreement (SLA)?
A. Overall number of users supported
B. Percentage of incidents solved in the fir
4.2. The correct answer is B.
Which of the following will MOST successfully identify overlapping key controls in business application systems?
A. Reviewing system functionalities that are attached to complex business processes
B. Submitting test transactions through
The correct answer is C.
Overall business risk for a particular threat can be expressed as:
A. a product of the likelihood and magnitude of the impact should a threat successfully exploit a vulnerability.
B. the magnitude of the impact should a threat source suc
2-8 The correct answer is A.
An IS auditor observes that one of the servers on the perimeter network is running a vulnerable operating system. What is the MOST likely implication due to the existence of a system vulnerability?
A. The server is susceptible to an atta
5.1. The correct answer is A.
Which of the following methods of suppressing a fire in a data center is the MOST effective and environmentally friendly?
A. Halon gas
B. Wet-pipe sprinklers
C. Dry-pipe sprinklers
D. Carbon dioxide gas
5.4. The correct answer is C.
Which of the following should be included in a feasibility study for a project to implement an electronic data interchange (EDI) process?
A. The encryption algorithm format
B. The detailed internal control procedures
C. The necessary com
3.4. The correct answer is C.
What kind of software application testing is considered the final stage of testing and typically includes users outside the development team?
A. Alpha testing
B. White box testing
C. Regression testing
D. Beta testing
3.5. The correct answer is D.
For a health care organization, which one of the following reasons would MOST likely indicate that the patient benefit data warehouse should remain in-house rather than be outsourced to an offshore operation?
2.4 The correct answer is A.
The purpose of a checksum on an amount field in an electronic data interchange (EDI) communication of financial transactions is to ensure:
A. integrity.
B. authenticity.
C. authorization.
D. nonrepudiation.
4.8 The correct answer is A.
Assessing IT risk is BEST achieved by:
A. evaluating threats associated with existing IT assets and IT projects.
B. using the firm's past actual loss experience to determine current exposure.
C. reviewing published loss statistics from comparable organiza
3.4 The correct answer is A.
Which of the following is the MOST reliable sender authentication method?
A. Digital signatures
B. Asymmetric cryptography
C. Digital certificates
D. Message authentication code
2.9 The correct answer is C.
An organization is using an enterprise resource management (ERP) application. Which of the following would be an effective access control?
A. User-level permissions
B. Role-based
C. Fine-grained
D. Discretionary
5.5 The correct answer is B.
An organization can ensure that the recipients of emails from its employees can authenticate the identity of the sender by:
A. digitally signing all email messages.
B. encrypting all email messages.
C. compressing all email messages.
D. password protectin
5.2 The correct answer is A.
A proposed transaction processing application will have many data capture sources and outputs in paper and electronic form. To ensure that transactions are not lost during processing, an IS auditor should recommend the inclusion of:
5.2 The correct answer is D.
An IS auditor has been assigned to conduct a test that compares job run logs to computer job schedules. Which of the following observations would be of the GREATEST concern to the IS auditor?
A. There are a growing number of emergency changes.
B. There we
3.4 The correct answer is C.
An IS auditor suspects an incident (attack) is occurring while an audit is being performed on a financial system. What should the IS auditor do FIRST?
A. Request that the system be shut down to preserve evidence.
B. Report the incident to management.
C. A
1.3 The correct answer is B.
An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should:
A. apply the patch according to the patch's release notes.
B. ensure that a good chang
1.4 The correct answer is B.
At the end of the testing phase of software development, an IS auditor observes that an intermittent software error has not been corrected. No action has been taken to resolve the error. The IS auditor should:
A. report the error as a fi
3.5 The correct answer is C.
A lower recovery time objective (RTO) results in:
A. higher disaster tolerance.
B. higher cost.
C. wider interruption windows.
D. more permissive data loss.
4.11 The correct answer is B.
A development group is designing an Internet application that accepts customer orders. Which of the following features is a MAJOR concern during the review of the design phase?
A. The inclusion of technical information in error messages
5.2 The correct answer is A.
A. Applications that are exposed to the Internet should not include technical details in error messages because they could provide attackers with information about vulnerabilities.
B. It is a good practice to utilize stored pr
Which of the following procedures would MOST effectively detect the loading of illegal software packages onto a network?
A. The use of diskless workstations
B. Periodic checking of hard drives
C. The use of current antivirus software
D.
4.1 The correct answer is B.
A key IT systems developer has suddenly resigned from an enterprise. Which of the following will be the MOST important action?
A. Set up an exit interview with human resources (HR).
B. Initiate the handover process to ensure continuity o
2.2 The correct answer is C.
Rotating job responsibilities is a good security practice PRIMARILY because it:
A. ensures that personnel are cross-trained.
B. improves employee morale.
C. maximizes employee performance.
D. reduces the opportunity for fraud.
2.3 The correct answer is D.
A. While cross-training is useful, it is not typically a security issue.
B. Improving morale is important, but it is not a security concern.
C. Job rotation may affect employee performance either positively or negatively.
D. W
Validated digital signatures in an email software application will:
A. help detect spam.
B. provide confidentiality.
C. add to the workload of gateway servers.
D. significantly reduce available bandwidth.
5.2 The correct answer is A.
After an organization completed a threat and vulnerability analysis as part of a risk assessment, the final report suggested that an intrusion prevention system (IPS) should be installed at the main Internet gateways, and that all business units should be
2.9 The correct answer is A.
Which of the following is the FIRST step performed prior to creating a risk ranking for the annual internal IS audit plan?
A. Prioritize the identified risk.
B. Define the audit universe.
C. Identify the critical controls.
D. Determine t
The correct answer is B.
A. Once the audit universe is defined, the auditor can prioritize risk based on its overall impact on different operational areas of the organization covered under the audit universe.
B. In a risk-based audit approach, the auditor
Which of the following distinguishes a business impact analysis (BIA) from a risk assessment?
A. An inventory of critical assets
B. An identification of vulnerabilities
C. A listing of threats
D. A determination of acceptable downtime
The correct answer is D.
A. An inventory of critical assets is completed in both a risk assessment and a BIA.
B. An identification of vulnerabilities is relevant in both a risk assessment and a BIA.
C. A listing of threats is relevant both in a risk asses
It is MOST appropriate to implement an incremental backup scheme when:
A. there is limited recovery time for critical data.
B. online disk-based media are preferred.
C. there is limited media capacity.
D. a random selection of backup set
The correct answer is C.
A. A full backup or differential backup is preferred in this situation.
B. Incremental backup could be used irrespective of the media adopted.
C. In an incremental backup, after the full backup, only the files that have changed are backed
Responsibility for the governance of IT should rest with the:
A. IT strategy committee.
B. chief information officer (CIO).
C. audit committee.
D. board of directors.
The correct answer is D.
When auditing a disaster recovery plan for a critical business area, an IS auditor finds that it does not cover all the systems. Which of the following is the MOST appropriate action for the IS auditor?
A. Alert management and evaluate t
The correct answer is A.
Which of the following fire suppression systems is MOST appropriate to use in a data center environment?
A. Wet-pipe sprinkler system
B. Dry-pipe sprinkler system
C. FM-200 system
D. Carbon dioxide-based fire extinguishers
The correct answer is C.
Which of the following antivirus software implementation strategies would be the MOST effective in an interconnected corporate network?
A. Server antivirus software
B. Virus walls
C. Workstation antivirus software
D. Virus signature upda
The correct answer is B.
A clerk changed the interest rate for a loan on a master file. The rate entered is outside the normal range for such a loan. Which of the following controls is MOST effective in providing reasonable assurance that the change was authorized?
The correct answer is A.
Which of the following backup techniques is the MOST appropriate when an organization requires extremely granular data restore points, as defined in the recovery point objective (RPO)?
A. Virtual tape libraries
B. Disk-based snapshots
C.
The correct answer is C.
Which of the following is an appropriate test method to apply to a business continuity plan (BCP)?
A. Pilot
B. Paper
C. Unit
D. System
? 10; ?? ???? ?????????? ?????. ????? ?? A. Pilot
An organization has terminated a database administrator (DBA). The organization immediately removes all of the DBA's access to all company systems. The DBA threatens that the database will be deleted in two months unless he/she is paid a large sum of mone
The correct answer is D.
An organization has purchased a third-party application and made significant modifications. While auditing the development process for this critical, customer-facing application, the IS auditor noted that the vendor has been in business for only one year.
The correct answer is B.
A. While a viability study on the vendor may provide some assurance on the long-term availability of the vendor's services to the entity, in this case it is more important that the company has the rights to the source code.
B. Con
A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing-off on the accuracy and completeness of the data before going live?
A. IS audito
The correct answer is D.
While reviewing sensitive electronic work papers, the IS auditor noticed that they were not encrypted. This could compromise the:
A. audit trail of the versioning of the work papers.
B. approval of the audit phases.
C. access rights to t
The correct answer is D.
Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?
A. Overlapping controls
B. Boundary controls
C. Access controls
D. Compensating controls
The correct answer is D.
Which of the following would be the BEST approach to ensure that sufficient test coverage will be achieved for a project with a strict end date and a fixed time to perform testing?
A. Rank requirements and test in terms of importance and
The correct answer is A.
Which of the following ensures a sender's authenticity and an email's confidentiality?
A. Encrypting the hash of the message with the sender's private key and thereafter encrypting the hash of the message with the receiver's public key
B
The correct answer is C.
During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is to:
A. address audit objectives.
B. collect sufficient evidence.
C. specify appropriate tests.
D. minimize audit resources.
The correct answer is A.
An IS auditor discovers that devices connected to the network have not been included in a network diagram that had been used to develop the scope of the audit. The chief information officer (CIO) explains that the diagram is being updated and awaiting fin
The correct answer is B.
When reviewing the configuration of network devices, an IS auditor should FIRST identify:
A. the best practices for the type of network devices deployed.
B. whether components of the network are missing.
C. the importance of the network
The correct answer is C.
An IS auditor at a bank is performing compliance testing and has discovered that one of the branches has virus signatures that have not been updated in over six months. In this case, the IS auditor should recommend:
A. security awareness
The correct answer is B.
Which of the following is the MOST efficient way to test the design effectiveness of a change control process?
A. Test a sample population of change requests
B. Test a sample of authorized changes
C. Interview personnel in charge of the
The correct answer is D.
A. Testing a sample population of changes is a test of operating effectiveness to ensure that users submitted the proper documentation/requests. It does not test the effectiveness of the design.
B. Testing changes that ha
Which of the following is the MOST reasonable option for recovering a noncritical system?
A. Warm site
B. Mobile site
C. Hot site
D. Cold site
The correct answer is D.
An IS auditor discovers that URLs for online control self-assessment questionnaires are sent using URL shortening services. The use of URL shortening services would MOST likely increase the risk of which of the following attacks?
A. IP s
The correct answer is B.
A firewall is being deployed at a new location. Which of the following is the MOST important factor in ensuring a successful deployment?
A. Reviewing logs frequently
B. Testing and validating the rules
C. Training a local administrator a
The correct answer is B.
Which of the following is the PRIMARY purpose for conducting parallel testing?
A. To determine whether the system is cost-effective
B. To enable comprehensive unit and system testing
C. To highlight errors in the program interfaces with
The correct answer is D.
The use of object-oriented design and development techniques would MOST likely:
A. facilitate the ability to reuse modules.
B. improve system performance.
C. enhance control effectiveness.
D. speed up the system development life cycle.
The correct answer is A.
The decisions and actions of an IS auditor are MOST likely to affect which of the following types of risk?
A. Inherent
B. Detection
C. Control
D. Business
The correct answer is B.
After initial investigation, an IS auditor has reasons to believe that fraud may be present. The IS auditor should:
A. expand activities to determine whether an investigation is warranted.
B. report the matter to the audit committee.
C.
The correct answer is A.
Which of the following components is responsible for the collection of data in an intrusion detection system (IDS)?
A. Analyzer
B. Administration console
C. User interface
D. Sensor
5.2 The correct answer is D.
When reviewing an implementation of a Voice-over IP (VoIP) system over a corporate wide area network (WAN), an IS auditor should expect to find:
A. an integrated services digital network (ISDN) data link.
B. traffic engineering.
C. wired
5.2 The correct answer is B.
Which of the following must exist to ensure the viability of a duplicate information processing facility?
A. The site is near the primary site to ensure quick and efficient recovery.
B. The site contains the most advanced hardware availa
2.9 The correct answer is C.
When reviewing an active project, an IS auditor observed that the business case was no longer valid because of a reduction in anticipated benefits and increased costs. The IS auditor should recommend that the:
A. project be discontinued.
3.3 The correct answer is B.
An IS auditor uses computer-assisted audit techniques (CAATs) to collect and analyze data. Which of the following attributes of evidence is MOST affected by the use of CAATs?
A. Usefulness
B. Reliability
C. Relevance
D. Adequacy
1.2 The correct answer is B.
A. Usefulness of audit evidence pulled by CAATs is determined by the audit objective, and the use of CAATs does not have as direct of an impact on usefulness as reliability does.
B. Because the data are directly collected by t
Which of the following helps an IS auditor evaluate the quality of new software that is developed and implemented?
A. The reporting of the mean time between failures over time
B. The overall mean time to repair failures
C. The first repo
3.5 The correct answer is C.
A. The mean time between failures that are repetitive includes the inefficiency in fixing the first reported failures and is a reflection on the response team or help desk team in fixing the reported issues.
B. The mean time t
Which of the following would be of MOST concern to an IS auditor performing an audit of a disaster recovery plan (DRP)?
A. The DRP has not been tested.
B. New team members have not read the DRP.
C. The manager responsible for the DRP rec
2.11 The correct answer is A.
The MOST effective control for reducing the risk related to phishing is:
A. centralized monitoring of systems.
B. including signatures for phishing in antivirus software.
C. publishing the policy on antiphishing on the intranet.
D. secur
5.3 The correct answer is D.
Which of the following is the BEST control to implement in order to mitigate the risk of an insider attack?
A. Ensure that a comprehensive incident response plan has been put into place.
B. Log all user activity for critical systems.
C.
5.2 The correct answer is D.
When auditing the provisioning procedures of the identity management (IDM) system of a large organization, an IS auditor immediately finds a small number of access requests that had not been authorized by managers through the normal predefined workflow st
1.3 The correct answer is A.
Network Data Management Protocol (NDMP) technology should be used for backup if:
A. a network attached storage (NAS) appliance is required.
B. the use of TCP/IP must be avoided.
C. file permissions that cannot be handled by legacy backup
4.10 The correct answer is A.
NDMP defines three kinds of services:
1. A data service that interfaces with the primary storage to be backed up or restored
2. A tape service that interfaces with the secondary storage (primarily a tape device)
3. A
IT management has decided to install a level 1 Redundant Array of Inexpensive Disks (RAID) system in all servers to compensate for the elimination of offsite backups. The IS auditor should recommend:
A. upgrading to a level 5 RAID.
B. in
4.11 The correct answer is C.
Which of the following BEST limits the impact of server failures in a distributed environment?
A. Redundant pathways
B. Clustering
C. Dial backup lines
D. Standby power
4.10 The correct answer is B.
An organization is migrating from a legacy system to an enterprise resource planning (ERP) system. While reviewing the data migration activity, the MOST important concern for the IS auditor is to determine that there is a:
A. correlation
3.5 The correct answer is A.
During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that:
A. assessment of the situation may be
2.11 The correct answer is B.
The PRIMARY control purpose of required vacations or job rotations is to:
A. allow cross-training for development.
B. help preserve employee morale.
C. detect improper or illegal employee acts.
D. provide a competitive employee benefit.
2.7 The correct answer is C.
Which of the following issues should be the GREATEST concern to the IS auditor when reviewing an IT disaster recovery test?
A. Due to the limited test time window, only the most essential systems were tested. The other systems were teste
4.11 The correct answer is D.
During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor should:
A. ask the auditee to sign a release form accepting full legal responsibility.
B. elaborate on the significance of th
1.4 The correct answer is B.
The MOST effective audit practice to determine whether the operational effectiveness of controls is properly applied to transaction processing is:
A. control design testing.
B. substantive testing.
C. inspection of relevant documentation
1.3 The correct answer is B.
A. Testing of control design assesses whether the control is structured to meet a specific control objective. It does not help determine whether the control is operating effectively.
B. Among other methods, such as do
An IS auditor should review the configuration of which of the following protocols to detect unauthorized mappings between the IP address and the media access control (MAC) address?
A. Simple Object Access Protocol (SOAP)
B. Address Resol
5.2 The correct answer is B.
Which of the following is the MOST important element for the successful implementation of IT governance?
A. Implementing an IT scorecard
B. Identifying organizational strategies
C. Performing a risk assessment
D. Creating a formal securi
2.1 The correct answer is B.
Which of the following would have the HIGHEST priority in a business continuity plan (BCP)?
A. Resuming critical processes
B. Recovering sensitive processes
C. Restoring the site
D. Relocating operations to an alternative site
4.11 The correct answer is A.
In an online transaction processing system, data integrity is maintained by ensuring that a transaction is either completed in its entirety or not at all. This principle of data integrity is known as:
A. isolation.
B. consistency.
C. ato
3.4 The correct answer is C.
Management considered two projections for its business continuity plan; plan A with two months to recover and plan B with eight months to recover. The recovery point objectives are the same in both plans. It is reasonable to expect that plan B projected h
4.1 The correct answer is A.
Which of the following recovery strategies is MOST appropriate for a business having multiple offices within a region and a limited recovery budget?Select an answer:A. A hot site maintained by the businessB. A commercial cold site C. A reciprocal arran
4.3 The correct answer is C.
Disabling which of the following would make wireless local area networks MORE secure against unauthorized access?Select an answer:A. MAC (Media Access Control) address filteringB. WPA (Wi-Fi Protected Access Protocol) C. LEAP (Lightweight Extensible Au
5.2 The correct answer is D.
Ideally, stress testing should be carried out in a:Select an answer:A. test environment using test data.B. production environment using live workloads.C. test environment using live workloads. D. production environment using test data.
3.4 You are correct, the answer is C.
The decisions and actions of an IS auditor are MOST likely to affect which of the following types of risk?
Select an answer:
A. Inherent
B. Detection
C. Control
D. Business
1.2 You are correct, the answer is B.

During the collection of forensic evidence, which of the following actions would MOST likely result in the destruction or corruption of evidence on a compromised system?
Select an answer:
A. Dumping the memory content to a file
B. Generating disk images o
1.3 You are correct, the answer is C.

Effective IT governance will ensure that the IT plan is consistent with the organization's:
Select an answer:
A. business plan.
B. audit plan.
C. security plan.
D. investment plan.
2.4 You are correct, the answer is A.

While designing the business continuity plan (BCP) for an airline reservation system, the MOST appropriate method of data transfer/backup at an offsite location would be:
Select an answer:
A. shadow file processing.
B. electronic vaulting.
C. hard-disk mi
4.10 You are correct, the answer is A.

An IS auditor reviewing a new outsourcing contract with a service provider would be MOST concerned if which of the following was missing?
Select an answer:
A. A clause providing a "right to audit" service provider
B. A clause defining penalty payments for
4.2 The correct answer is A.

An IS auditor reviewing the IS security policies should verify whether information security management roles and responsibilities are communicated to which of the following?
Select an answer:
A. Functional heads
B. Organizational users
C. The IS steering
5.1 The correct answer is B.

A decision support system (DSS):
Select an answer:
A. is aimed at solving highly structured problems.
B. combines the use of models with nontraditional data access and retrieval functions.
C. emphasizes flexibility in the decision making approach of users
3.4 The correct answer is C.

An IS auditor is validating a control that involves a review of system-generated exception reports. Which of the following is the BEST evidence of the effectiveness of the control?
Select an answer:
A. Walk-through with the reviewer of the operation of th
1.3 You are correct, the answer is C.

Which of the following should be a MAJOR concern for an IS auditor reviewing a business continuity plan (BCP)?
Select an answer:
A. The plan is approved by the chief information officer (CIO).
B. The plan contact lists have not been updated.
C. Test resul
2.11 You are correct, the answer is C.

A hard disk containing confidential data was damaged beyond repair. What should be done to the hard disk to prevent access to the data residing on it?
Select an answer:
A. Rewrite the hard disk with random 0s and 1s.
B. Low-level format the hard disk.
C.
5.5 The correct answer is D.

An IS auditor is planning to evaluate the control design effectiveness related to an automated billing process. Which of the following is the MOST effective approach for the auditor to adopt?
Select an answer:
A. Process narrative
B. Inquiry
C. Reperforma
1.3 The correct answer is D.
A. Process narratives may not be current or complete and may not reflect the actual process in operation.
B. Inquiry can be used to understand the controls in a process only if it is accompanied by verification of evidence.
C.

Which of the following controls helps prevent duplication of vouchers during data entry?
Select an answer:
A. A range check
B. Transposition and substitution
C. A sequence check
D. A cyclic redundancy check (CRC)
3.4 You are correct, the answer is C.

During a human resources (HR) audit, an IS auditor is informed that there is a verbal agreement between the IT and HR departments as to the level of IT services expected. In this situation, what should the IS auditor do FIRST?
Select an answer:
A. Postpon
4.2 The correct answer is C.

An enterprise is developing a new procurement system, and things are behind schedule. As a result, it is proposed that the time originally planned for the testing phase be shortened. The project manager asks the IS auditor for recommendations to mitigate
3.4 The correct answer is A.

Which of the following would normally be the MOST reliable evidence for an IS auditor?
Select an answer:
A. A confirmation letter received from a third party verifying an account balance
B. Assurance from line management that an application is working as
1.3 The correct answer is A.

An information security policy stating that "the display of passwords must be masked or suppressed" addresses which of the following attack methods?
Select an answer:
A. Piggybacking
B. Dumpster diving
C. Shoulder surfing
D. Impersonation
5.1 You are correct, the answer is C.

The MOST important difference between hashing and encryption is that hashing:
Select an answer:
A. is irreversible.
B. output is the same length as the original message.
C. is concerned with integrity and security.
D. is the same at the sending and receiv
5.2 You are correct, the answer is A.

The BEST way to minimize the risk of communication failures in an e-commerce environment would be to use:
Select an answer:
A. compression software to minimize transmission duration.
B. functional or message acknowledgments.
C. a packet-filtering firewall
5.2 The correct answer is D.

Which of the following sampling methods would be the MOST effective to determine whether purchase orders issued to vendors have been authorized as per the authorization matrix?
Select an answer:
A. Variable sampling
B. Stratified mean per unit
C. Attribut
1.3 The correct answer is C.

Distributed denial-of-service (DDoS) attacks on Internet sites are typically evoked by hackers using which of the following?
Select an answer:
A. Logic bombs
B. Phishing
C. Spyware
D. Trojan horses
5.2 The correct answer is D.

The BEST audit procedure to determine if unauthorized changes have been made to production code is to:
Select an answer:
A. examine the change control system records and trace them forward to object code files.
B. review access control permissions operati
4.9 You are correct, the answer is C.

To support an organization's goals, an IS department should have:
Select an answer:
A. a low-cost philosophy.
B. long- and short-range plans.
C. leading-edge technology.
D. plans to acquire new hardware and software.
2.3 You are correct, the answer is B.

Which of the following is MOST important to ensure business continuity?
Select an answer:
A. Current contact information for key employees
B. Backup data
C. Access to funds for short-term needs
D. Alternate processing site
4.11 The correct answer is B.

The PRIMARY benefit of implementing a security program as part of a security governance framework is the:
Select an answer:
A. alignment of the IT activities with IS audit recommendations.
B. enforcement of the management of security risk.
C. implementati
2.9 The correct answer is B.

An IS auditor examining the security configuration of an operating system should review the:
Select an answer:
A. transaction logs.
B. authorization tables.
C. parameter settings.
D. routing tables.
4.8 The correct answer is C.

Which of the following is a passive attack to a network?
Select an answer:
A. Message modification
B. Masquerading
C. Denial of service
D. Traffic analysis
5.2 You are correct, the answer is D.

A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it:
Select an answer:
A. can identify high-risk areas that might need a detailed review later.
B. allows IS auditors to independently assess risk.
C.
1.1 You are correct, the answer is A.

Which of the following is MOST critical when creating data for testing the logic in a new or modified application system?
Select an answer:
A. A sufficient quantity of data for each test case
B. Data representing conditions that are expected in actual pro
3.4 You are correct, the answer is B.

An offsite information processing facility with electrical wiring, air conditioning and flooring, but no computer or communications equipment, is a:
Select an answer:
A. cold site.
B. warm site.
C. dial-up site.
D. duplicate processing facility.
4.10 You answered D. The correct answer is A.

Neural networks are effective in detecting fraud because they can:
Select an answer:
A. discover new trends since they are inherently linear.
B. solve problems where large and general sets of training data are not obtainable.
C. attack problems that requi
5.2 You are correct, the answer is C.

An IS auditor is reviewing the software development process for an organization. Which of the following functions would be appropriate for the end users to perform?
Select an answer:
A. Program output testing
B. System configuration
C. Program logic speci
3.5 You are correct, the answer is A.

An IS auditor reviewing an organization's IT strategic plan should FIRST review:
Select an answer:
A. the existing IT environment.
B. the business plan.
C. the present IT budget.
D. current technology trends.
2.3 The correct answer is B.

The development of an application has been outsourced to an offshore vendor. Which of the following should be of GREATEST concern to an IS auditor?
Select an answer:
A. The right to audit clause was not included in the contract.
B. The business case was n
2.8 The correct answer is B.

An organization has requested that an IS auditor provide a recommendation to enhance the security and reliability of its voice-over IP (VoIP) system and data traffic. Which of the following would meet this objective?
Select an answer:
A. VoIP infrastructu
5.2 You are correct, the answer is A.

To verify that the correct version of a data file was used for a production run, an IS auditor should review:
Select an answer:
A. operator problem reports.
B. operator work schedules.
C. system logs.
D. output distribution reports.
4.4 You are correct, the answer is C.

The knowledge base of an expert system that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as:
Select an answer:
A. rules.
B. decision trees.
C. semantic nets.
D. dataflow diagrams.
3.5 The correct answer is B.

Which of the following is a prevalent risk in the development of end-user computing (EUC) applications?
Select an answer:
A. Applications may not be subject to testing and IT general controls.
B. Development and maintenance costs may be increased.
C. Appl
3.4 The correct answer is A.

Which of the following would BEST provide assurance of the integrity of new staff?
Select an answer:
A. Background screening
B. References
C. Bonding
D. Qualifications listed on a résumé
2.2 You are correct, the answer is A.

Which of the following is MOST indicative of the effectiveness of an information security awareness program?
Select an answer:
A. Employees report more information regarding security incidents.
B. All employees have signed the information security policy.
2.6 You are correct, the answer is A.

Overall business risk for a particular threat can be expressed as:
Select an answer:
A. a product of the likelihood and magnitude of the impact should a threat successfully exploit a vulnerability.
B. the magnitude of the impact should a threat source suc
2.9 You are correct, the answer is A.

During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor should:
Select an answer:
A. ask the auditee to sign a release form accepting full legal responsibility.
B. elaborate on the significance of th
You answered C. The correct answer is B.

Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit?
Select an answer:
A. Contingency planning
B. IS management resource allocation
C. Project management
D. Knowledge of inte
1.3 You answered D. The correct answer is C.
A. Contingency planning is often associated with the organization's operations. IS auditors should have knowledge of contingency planning techniques.
B. IS managers are responsible for resource management of th

From a control perspective, the PRIMARY objective of classifying information assets is to:
Select an answer:
A. establish guidelines for the level of access controls that should be assigned.
B. ensure access controls are assigned to all information assets
5.3 You answered D. The correct answer is A.

An IS auditor suspects an incident (attack) is occurring while an audit is being performed on a financial system. What should the IS auditor do FIRST?
Select an answer:
A. Request that the system be shut down to preserve evidence.
B. Report the incident t
1.4 You are correct, the answer is B.

During the development of an application, quality assurance testing and user acceptance testing were combined. The MAJOR concern for an IS auditor reviewing the project is that there will be:
Select an answer:
A. increased maintenance.
B. improper documen
3.4 You are correct, the answer is C.

When planning an audit of a network setup, an IS auditor should give HIGHEST priority to obtaining which of the following network documentation?
Select an answer:
A. Wiring and schematic diagram
B. Users' lists and responsibilities
C. Application lists an
5.2 You are correct, the answer is A.

An IS auditor has been assigned to conduct a test that compares job run logs to computer job schedules. Which of the following observations would be of the GREATEST concern to the IS auditor?
Select an answer:
A. There are a growing number of emergency ch
1.3 You answered A. The correct answer is C.

General ledger (GL) data are required for an audit. Instead of asking IT to extract the data, the IS auditor is granted direct access to the data. What is the MAIN advantage of this approach?
Select an answer:
A. Reduction of IT person-hours to support th
1.3 You answered B. The correct answer is D.
A. While the burden on IT staff to support the audit may decrease if the IS auditor directly extracts the data, this advantage is not as significant as the increased data validity.
B. The risk of errors would

Which of the following reports should an IS auditor use to check compliance with a service level agreement's (SLA) requirement for uptime?
Select an answer:
A. Utilization reports
B. Hardware error reports
C. System logs
D. Availability reports
4.1 You answered C. The correct answer is D.

Depending on the complexity of an organization's business continuity plan (BCP), the plan may be developed as a set of more than one plan to address various aspects of business continuity and disaster recovery. In such an environment, it is essential that
5.2 You are correct, the answer is D.

Depending on the complexity of an organization's business continuity plan (BCP), the plan may be developed as a set of more than one plan to address various aspects of business continuity and disaster recovery. In such an environment, it is essential that
2.11 You are correct, the answer is A.

Management observed that the initial phase of a multiphase implementation was behind schedule and over budget. Prior to commencing with the next phase, an IS auditor's PRIMARY suggestion for a postimplementation focus should be to:
3.6 You answered D. The correct answer is C.

Which of the following types of risk is MOST likely encountered in a Software as a Service (SaaS) environment?
Select an answer:
A. Noncompliance with software license agreements
B. Performance issues due to Internet delivery method
C. Higher cost due to
You are correct, the answer is B.

Many organizations require employees to take a mandatory one-week (or two-week) vacation each year PRIMARILY because the organization wants to ensure that:
Select an answer:
A. adequate cross-training exists between all functions of the organization.
B. e
You are correct, the answer is C.

An IS auditor is reviewing a software-based firewall configuration. Which of the following represents the GREATEST vulnerability? The firewall software:
Select an answer:
A. is configured with an implicit deny rule as the last rule in the rule base.
B. is
You answered C. The correct answer is B.

Which of the following physical access controls effectively reduces the risk of piggybacking?
Select an answer:
A. Biometric door locks
B. Combination door locks
C. Deadman doors
D. Bolting door locks
You answered A. The correct answer is C.

An organization has implemented a disaster recovery plan. Which of the following steps should be carried out next?
Select an answer:
A. Obtain senior management sponsorship.
B. Identify business needs.
C. Conduct a paper test.
D. Perform a system restore
You answered D. The correct answer is C.

Which of the following public key infrastructure (PKI) elements provides detailed descriptions for dealing with a compromised private key?
Select an answer:
A. Certificate revocation list (CRL)
B. Certification practice statement (CPS)
C. Certificate poli
You answered A. The correct answer is B.

The PRIMARY advantage of a continuous audit approach is that it:
Select an answer:
A. does not require an IS auditor to collect evidence on system reliability while processing is taking place.
B. requires the IS auditor to review and follow up immediately
You answered D. The correct answer is C.

An IS auditor is evaluating data mining and auditing software to be used in future IS audits. What is the PRIMARY requirement that the software tool should meet? The software tool should:
Select an answer:
A. interface with various types of enterprise res
You are correct, the answer is B.

Which testing approach is MOST appropriate to ensure that internal application interface errors are identified as soon as possible?
Select an answer:
A. Bottom up
B. Sociability testing
C. Top-down
D. System test
You answered B. The correct answer is C.

When evaluating the collective effect of preventive, detective and corrective controls within a process, an IS auditor should be aware of which of the following?
Select an answer:
A. The point at which controls are exercised as data flow through the syste
You answered C. The correct answer is A.

After a disaster declaration, the media creation date at a warm recovery site is based on the:
Select an answer:
A. recovery point objective (RPO).
B. recovery time objective (RTO).
C. service delivery objective (SDO).
D. maximum tolerable outage (MTO).
You are correct, the answer is A.

IS management recently replaced its existing wired local area network (LAN) with a wireless infrastructure to accommodate the increased use of mobile devices within the organization. This will increase the risk of which of the following attacks?
You are correct, the answer is D.

An IS auditor is involved in the reengineering process that aims to optimize IT infrastructure. Which of the following will BEST identify the issues to be resolved?
Select an answer:
A. Self-assessment
B. Reverse engineering
C. Prototyping
D. Gap analysis
You answered A. The correct answer is D.

Event log entries related to failed local administrator logon attempts are observed by the IS auditor. Which of the following is the MOST likely cause of multiple failed login attempts?
Select an answer:
A. SYN flood attacks
B. Social engineering
C. Buffe
You are correct, the answer is D.

A hot site should be implemented as a recovery strategy when the:
Select an answer:
A. disaster tolerance is low.
B. recovery point objective (RPO) is high.
C. recovery time objective (RTO) is high.
D. disaster tolerance is high.
You are correct, the answer is A.

It is MOST appropriate to implement an incremental backup scheme when:
Select an answer:
A. there is limited recovery time for critical data.
B. online disk-based media are preferred.
C. there is limited media capacity.
D. a random selection of backup set
You are correct, the answer is C.
A. A full backup or differential backup is preferred in this situation.
B. Incremental backup could be used irrespective of the media adopted.
C. In an incremental backup, after the full backup, only the files that have c

Which of the following systems or tools can recognize that a credit card transaction is more likely to have resulted from a stolen credit card than from the holder of the credit card?
Select an answer:
A. Intrusion detection systems
B. Data mining techniq
You are correct, the answer is B.

While reviewing the IT infrastructure, an IS auditor notices that storage resources are continuously being added. The IS auditor should:
Select an answer:
A. recommend the use of disk mirroring.
B. review the adequacy of offsite storage.
C. review the cap
You are correct, the answer is C.

Which of the following is the BEST factor for determining the extent of data collection during the planning phase of an IS compliance audit?
Select an answer:
A. Complexity of the organization's operation
B. Findings and issues noted from the prior year
C
You are correct, the answer is C.

Which of the following is the GREATEST risk when storage growth in a critical file server is not managed properly?
Select an answer:
A. Backup time would steadily increase.
B. Backup operational costs would significantly increase.
C. Storage operational c
You answered B. The correct answer is D.

During external audit, an IS auditor discovers that systems that are in the scope of the audit were implemented by an associate. In such a circumstance, IS audit management should:
Select an answer:
A. remove the IS auditor from the engagement.
B. cancel
1.3 You are correct, the answer is C.
A. It is not necessary to withdraw the IS auditor unless there is a statutory limitation, as exists in certain countries.
B. Canceling the engagement is not called for.
C. In circumstances in which the IS auditor's in

To aid management in achieving IT and business alignment, an IS auditor should recommend the use of:
Select an answer:
A. control self-assessments.
B. a business impact analysis (BIA).
C. an IT balanced scorecard (BSC).
D. business process reengineering (
2.3 You answered B. The correct answer is C.

When reviewing the configuration of network devices, an IS auditor should FIRST identify:
Select an answer:
A. the best practices for the type of network devices deployed.
B. whether components of the network are missing.
C. the importance of the network
4.1 You are correct, the answer is C.

When using public key encryption to secure data being transmitted across a network:
Select an answer:
A. both the key used to encrypt and decrypt the data are public.
B. the key used to encrypt is private, but the key used to decrypt the data is public.
C
5.2 You are correct, the answer is C.

Which of the following public key infrastructure (PKI) elements provides detailed descriptions for dealing with a compromised private key?
Select an answer:
A. Certificate revocation list (CRL)
B. Certification practice statement (CPS)
C. Certificate poli
5.2 You answered C. The correct answer is B.

The risk of dumpster diving is BEST mitigated by:
Select an answer:
A. implementing security awareness training.
B. placing shred bins in copy rooms.
C. developing a media disposal policy.
D. placing shredders in individual offices.
5.5 You answered B. The correct answer is A.
A. Dumpster diving is used to steal documents or computer media that were not properly discarded. Users should be educated to know the risk of carelessly discarding sensitive documents and other items.
B. The s

An IS auditor reviewing an accounts payable system discovers that audit logs are not being reviewed. When this issue is raised with management the response is that additional controls are not necessary because effective system access controls are in place
5.2 You are correct, the answer is C.

An IS auditor finds that a system under development has 12 linked modules and each item of data can carry up to 10 definable attribute fields. The system handles several million transactions a year. Which of these techniques could an IS auditor use to est
3.2 You answered A. The correct answer is B.
A. PERT is a project management technique used in the planning and control of system projects.
B. FPA is a technique used to determine the size of a development task based on the number of function points. Func

A start-up company has a policy that requires strong encryption of all tape backups. As the volume of data has grown, the time necessary to back up all data has become operationally unacceptable. Which of the following is the BEST recommendation to fix th
5.5 You are correct, the answer is B.
A. While running backups without encryption would solve the performance issue, this does not meet security requirements.
B. The primary benefit of performing data classification is so that the appropriate security con

The ultimate purpose of IT governance is to:
Select an answer:
A. encourage optimal use of IT.
B. reduce IT costs.
C. decentralize IT resources across the organization.
D. centralize control of IT.
2.1 You are correct, the answer is A.

During which phase of software application testing should an organization perform the testing of architectural design?
Select an answer:
A. Acceptance testing
B. System testing
C. Integration testing
D. Unit testing
3.5 You answered B. The correct answer is C.

An IS auditor finds that, in accordance with IS policy, IDs of terminated users are deactivated within 90 days of termination. The IS auditor should:
Select an answer:
A. report that the control is operating effectively since deactivation happens within t
2.2 You are correct, the answer is C.

During the audit of an acquired software package, an IS auditor finds that the software purchase was based on information obtained through the Internet, rather than from responses to a request for proposal (RFP). The IS auditor should FIRST:
3.4 You are correct, the answer is D.

In the 2c area of the diagram, there are three hubs connected to each other. What potential risk might this indicate?
[Picture]
Select an answer:
A. Virus attack
B. Performance degradation
C. Poor management controls
D. Vulnerability to external hackers
5.4 You are correct, the answer is B.

When reviewing an organization's logical access security, which of the following should be of MOST concern to an IS auditor?
Select an answer:
A. Passwords are not shared.
B. Password files are not encrypted.
C. Redundant logon IDs are deleted.
D. The all
5.2 You answered A. The correct answer is B.

When testing program change requests, an IS auditor finds that the population of changes was too small to provide a reasonable level of assurance. What is the MOST appropriate action for the IS auditor to take?
Select an answer:
A. Develop an alternate te
1.3 You answered C. The correct answer is A.

The MOST common problem in the operation of an intrusion detection system (IDS) is:
Select an answer:
A. the detection of false positives.
B. receiving trap messages.
C. reject-error rates.
D. denial-of-service attacks.
5.2 You are correct, the answer is A.

In regard to moving an application program from the test environment to the production environment, the BEST control would be to have the:
Select an answer:
A. application programmer copy the source program and compiled object module to the production lib
4.9 You answered C. The correct answer is D.

An IS auditor is reviewing a project for the implementation of a mission-critical system and notes that, instead of parallel implementation, the team opted for an immediate cutover to the new system. Which of the following is the GREATEST concern?
3.5 You are correct, the answer is A.

A company's development team does not follow generally accepted system development life cycle (SDLC) practices. Which of the following is MOST likely to cause problems for software development projects?
Select an answer:
A. Functional verification of the
3.2 You are correct, the answer is C.
A. Prototypes are verified by users.
B. UAT is seldom completely successful. If errors are not critical, they may be corrected after implementation without seriously affecting usage.
C. Errors or lack of attention in

During a fieldwork observation of system administrative functions, an IS auditor discovered that changes made to the database after normal working hours required only an abbreviated number of steps compared to those made during normal working hours. Which
4.9 You answered A. The correct answer is D.

The purpose of code signing is to provide assurance that:
Select an answer:
A. the software has not been subsequently modified.
B. the application can safely interface with another signed application.
C. the signer of the application is trusted.
D. the pr
4.9 You are correct, the answer is A.

Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider:
Select an answer:
A. meets or exceeds industry security standards.
B. agre
2.8 You are correct, the answer is B.

A firewall is being deployed at a new location. Which of the following is the MOST important factor in ensuring a successful deployment?
Select an answer:
A. Reviewing logs frequently
B. Testing and validating the rules
C. Training a local administrator a
5.2 You are correct, the answer is B.

While investigating online transactions, an enterprise realizes that a transaction was fraudulent and requires involvement of law enforcement. What should the enterprise do FIRST?
Select an answer:
A. Document the analysis of the fraudulent transactions.
5.1 You answered D. The correct answer is C.

Which of the following acts as a decoy to detect active Internet attacks?
Select an answer:
A. Honeypots
B. Firewalls
C. Trapdoors
D. Traffic analysis
5.2 You are correct, the answer is A.

A live test of a mutual agreement for IT system recovery has been carried out, including a four-hour test of intensive usage by the business units. The test has been successful, but gives only partial assurance that the:
Select an answer:
A. system and th
4.11 You answered B. The correct answer is A.

When an employee is terminated from service, the MOST important action is to:
Select an answer:
A. hand over all of the employee's files to another designated employee.
B. complete a backup of the employee's work.
C. notify other employees of the terminat
2.2 D. disable the employee's logical access.

Which of the following is in the BEST position to approve changes to the audit charter?
Select an answer:
A. Board of directors
B. Audit committee
C. Executive management
D. Director of internal audit
1.1 You answered A. The correct answer is B.
A. The board of directors does not need to approve the charter; it is best presented to the audit committee for approval.
B. The audit committee is a subgroup of the board of directors. The audit department sho

An appropriate control for ensuring the authenticity of orders received in an electronic data interchange (EDI) system application is to:
Select an answer:
A. acknowledge receipt of electronic orders with a confirmation message.
B. perform reasonableness
3.5 You are correct, the answer is C.

To address an organization's disaster recovery requirements, backup intervals should not exceed the:
Select an answer:
A. service level objective (SLO).
B. recovery time objective (RTO).
C. recovery point objective (RPO).
D. maximum acceptable outage (MAO
4.11 You are correct, the answer is C.

An IS audit department is considering implementing continuous auditing techniques for a multinational retail enterprise that processes a large volume of transactions per day. A PRIMARY benefit of continuous auditing is that:
Select an answer:
A. effective
3.6 You are correct, the answer is D.

An advantage in using a bottom-up vs. a top-down approach to software testing is that:
Select an answer:
A. interface errors are detected earlier.
B. confidence in the system is achieved earlier.
C. errors in critical modules are detected earlier.
D. majo
3.4 You are correct, the answer is C.

An IS auditor analyzing the audit log of a database management system (DBMS) finds that some transactions were partially executed as a result of an error and have not been rolled back. Which of the following transaction processing features has been violat
4.6 You are correct, the answer is D.
In evaluating programmed controls over password management, which of the following is the IS auditor MOST likely to rely on? Select an answer: A. A size check B. A hash total C. A validity check D. A field check
1.5 You answered B. The correct answer is C.
The MOST important point of consideration for an IS auditor while reviewing an enterprise's project portfolio is that it:Select an answer:A. does not exceed the existing IT budget.B. is aligned with the investment strategy. C. has been approved by the
2.3 You answered C. The correct answer is D.
Reconfiguring which of the following firewall types will prevent inward downloading of files through the File Transfer Protocol (FTP)? Select an answer: A. Circuit gateway B. Application gateway C. Packet filter D. Screening router
5.2 You are correct, the answer is B.
An IS auditor has identified a business process to be audited. The IS auditor should NEXT identify the:Select an answer:A. most valuable information assets.B. IS audit resources to be deployed.C. auditee personnel to be interviewed. D. control objecti
1.2 You answered A. The correct answer is D.
An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the: Select an answer: A. hardware configuration. B. access control software. C. ownership of intellectual property. D. application development methodology.
2.8 You are correct, the answer is C.
An IS auditor performing a review of a major software development project finds that it is on schedule and under budget due to unplanned overtime by software developers. The IS auditor should:Select an answer: A. conclude that the project is progressing
3.2 You are correct, the answer is D.
An IS auditor has identified a business process to be audited. The IS auditor should NEXT identify the:Select an answer:A. most valuable information assets.B. IS audit resources to be deployed.C. auditee personnel to be interviewed. D. control objecti
1.2 You are correct, the answer is D.
An IS auditor is evaluating data mining and auditing software to be used in future IS audits. What is the PRIMARY requirement that the software tool should meet? The software tool should:Select an answer: A. interface with various types of enterprise res
1.3 You are correct, the answer is B.
During the audit of a database server, which of the following would be considered the GREATEST exposure?Select an answer:A. The password on the administrator account does not expire. B. Default global security settings for the database remain unchanged.
4.6 You are correct, the answer is B.
What is the GREATEST risk of a bank outsourcing its data center? Select an answer: A. Loss or leakage of information B. Noncompliance with regulatory requirements C. Vendor failure or bankruptcy D. Loss of internal knowledge and experience
2.8 You are correct, the answer is A.A. The risk of loss or leakage of information is the greatest risk because it can subject the company to regulatory fines, lawsuits and reputation risk. B. Although noncompliance with regulations subjects a company to
When reviewing a disaster recovery plan (DRP), an IS auditor should be MOST concerned with the lack of:Select an answer:A. process owner involvement.B. well-documented testing procedures.C. an alternate processing facility. D. a well-documented data c
4.11 You are correct, the answer is A.
An IS auditor recommends that an initial validation control be programmed into a credit card transaction capture application. The initial validation process would MOST likely:Select an answer: A. check to ensure that the type of transaction is valid for
3.4 You answered D. The correct answer is B.
In the context of effective information security governance, the primary objective of value delivery is to:Select an answer:A. optimize security investments in support of business objectives.B. implement a standard set of security practices. C. institu
2.7 You are correct, the answer is A.
The MOST important difference between hashing and encryption is that hashing:Select an answer:A. is irreversible.B. output is the same length as the original message.C. is concerned with integrity and security. D. is the same at the sending and receiv
5.2 You are correct, the answer is A.
An IS auditor is developing an audit plan for a repeat client. The IS auditor reviews the prior-year audit plan and finds that the previous plan was designed to review the company network and email systems, which were newly implemented last year, but the
1.2 You are correct, the answer is C.
An IS auditor observed brute-force attacks on the administrator account. The BEST recommendation to prevent a successful brute-force attack would be to:Select an answer:A. increase the password length for the user. B. configure a session timeout mechani
5.2 You answered B. The correct answer is D.
An IS auditor wishes to determine the effectiveness of managing user access to a server room. Which of the following is the BEST evidence of effectiveness?Select an answer:A. Observation of a logged eventB. Review of the procedure manual C. Interview w
5.4 You are correct, the answer is A.A. Observation of the process to reset an employee's security access to the server room and the subsequent logging of this event provide the best evidence of the adequacy of the physical security control. B. Although
Which of the following should an IS auditor use to detect duplicate invoice records within an invoice master file? Select an answer: A. Attribute sampling B. Computer Aided Audit Techniques (CAATs) C. Test data D. Integrated test facility (ITF)
1.3 You answered A. The correct answer is B.
For a mission-critical application with a low recovery time objective (RTO), the IS auditor would recommend the use of which of the following recovery strategies?Select an answer:A. Mobile siteB. Redundant siteC. Hot site D. Reciprocal agreements
4.11 You answered C. The correct answer is B.
During an IS audit of a bank, the IS auditor is assessing whether the enterprise properly manages staff member access to the operating system. The IS auditor should determine whether the enterprise performs:Select an answer: A. periodic review of user ac
4.5 You answered B. The correct answer is A.
The BEST overall quantitative measure of the performance of biometric control devices is: Select an answer: A. false-rejection rate (FRR). B. false-acceptance rate (FAR). C. equal-error rate (EER). D. estimated-error rate.
5.4 You answered A. The correct answer is C.
During external audit, an IS auditor discovers that systems that are in the scope of the audit were implemented by an associate. In such a circumstance, IS audit management should:Select an answer:A. remove the IS auditor from the engagement. B. cancel
1.3 You are correct, the answer is C.A. It is not necessary to withdraw the IS auditor unless there is a statutory limitation, as exists in certain countries.B. Canceling the engagement is not called for. C. In circumstances in which the IS auditor's in
Which of the following is an implementation risk within the process of decision support systems (DSSs)?Select an answer:A. Management controlB. Semistructured dimensionsC. Inability to specify purpose and usage patterns D. Changes in decision processe
3.5 You are correct, the answer is C.
Receiving an electronic data interchange (EDI) transaction and passing it through the communication's interface stage usually requires:Select an answer:A. translating and unbundling transactions.B. routing verification procedures. C. passing data to th
5.2 You answered C. The correct answer is B.
An internal IS audit function is planning a general IS audit. Which of the following activities takes place during the FIRST step of the planning phase?Select an answer:A. Development of an audit programB. Review of the audit charter C. Identification
1.1 You are correct, the answer is D.A. The results of the risk assessment are used for the input for the audit program. B. The audit charter is prepared when the audit department is established or as updates are needed. Creation of the audit charter is
A human resources (HR) company offers free public wireless Internet access to its guests, after authenticating with a generic user ID and password. The generic ID and password are requested from the reception desk. Which of the following controls BEST add
5.2 You are correct, the answer is C.
The internal audit team is auditing controls over sales returns and is concerned about fraud. Which of the following sampling methods would BEST assist the auditors?Select an answer:A. Stop-or-goB. Classical variableC. Discovery D. Probability-proport
1.3 You are correct, the answer is C.
When installing an intrusion detection system (IDS), which of the following is MOST important?Select an answer:A. Properly locating it in the network architectureB. Preventing denial-of-service (DoS) attacks C. Identifying messages that need to be quar
5.2 You are correct, the answer is A.
During maintenance of a relational database, several values of the foreign key in a transaction table have been corrupted. The consequence is that:Select an answer: A. the detail of involved transactions may no longer be associated with master data, caus
4.6 You are correct, the answer is A.
When auditing a proxy-based firewall, an IS auditor should:Select an answer:A. verify that the firewall is not dropping any forwarded packets. B. review Address Resolution Protocol (ARP) tables for appropriate mapping between media access control (MAC)
5.2 You answered D. The correct answer is C.
Which of the following potentially blocks hacking attempts? Select an answer: A. Intrusion detection system (IDS) B. Honeypot system C. Intrusion prevention system (IPS) D. Network security scanner
5.2 You are correct, the answer is C.
When evaluating the controls of an electronic data interchange (EDI) application, an IS auditor should PRIMARILY be concerned with the risk of:Select an answer:A. excessive transaction turnaround time.B. application interface failure. C. improper trans
3.1 You answered A. The correct answer is C.
Overall business risk for a particular threat can be expressed as:Select an answer:A. a product of the likelihood and magnitude of the impact should a threat successfully exploit a vulnerability. B. the magnitude of the impact should a threat source suc
2.9 You are correct, the answer is A.
Which of the following is the GREATEST concern when an organization's backup facility is at a warm site?Select an answer:A. Timely availability of hardwareB. Availability of heat, humidity and air conditioning equipment C. Adequacy of electrical power
4.3 You are correct, the answer is A.
The GREATEST risk from an improperly implemented intrusion prevention system (IPS) is:Select an answer:A. that there will be too many alerts for system administrators to verify.B. decreased network performance due to IPS traffic. C. the blocking of cri
5.2 You are correct, the answer is C.
Online banking transactions are being posted to the database when processing suddenly comes to a halt. The integrity of the transaction processing is BEST ensured by:Select an answer:A. database integrity checks.B. validation checks. C. input controls.
4.6 You answered A. The correct answer is D.
When transmitting a payment instruction, which of the following will help verify that the instruction was not duplicated?Select an answer:A. Using a cryptographic hashing algorithmB. Enciphering the message digestC. Deciphering the message digest D. U
3.4 You are correct, the answer is D.
An IS auditor is conducting a compliance test to determine whether controls support management policies and procedures. The test will assist the IS auditor to:Select an answer:A. obtain an understanding of the control objective. B. confirm that the cont
1.2 You answered C. The correct answer is B.
General ledger (GL) data are required for an audit. Instead of asking IT to extract the data, the IS auditor is granted direct access to the data. What is the MAIN advantage of this approach?Select an answer: A. Reduction of IT person-hours to support th
1.3 You are correct, the answer is D.A. While the burden on IT staff to support the audit may decrease if the IS auditor directly extracts the dates, this advantage is not as significant as the increased data validity. B. The risk of errors would increas
Which of the following situations would increase the likelihood of fraud?Select an answer:A. Application programmers are implementing changes to production programs.B. Application programmers are implementing changes to test programs. C. Operations sup
3.5 You are correct, the answer is A.
Which of the following is responsible for the development of an information security policy? Select an answer: A. The IS department B. The security committee C. The security administrator D. The board of directors
2.4 You answered B. The correct answer is D.
Which of the following is the MOST effective tool for monitoring transactions that exceed predetermined thresholds? Select an answer: A. Generalized audit software (GAS) B. Integrated test facility C. Systems control audit review file (SCARF) D. Snapshots
3.4 You answered A. The correct answer is C.
Which of the following should be a concern for an IS auditor reviewing an organization's cloud computing strategy which is based on a Software as a Service (SaaS) model with an external provider?Select an answer: A. Workstation upgrades must be performed
3.1 You are correct, the answer is D.
An enterprise is developing a new procurement system, and things are behind schedule. As a result, it is proposed that the time originally planned for the testing phase be shortened. The project manager asks the IS auditor for recommendations to mitigate
3.4 You are correct, the answer is A.
An IS auditor uses computer-assisted audit techniques (CAATs) to collect and analyze data. Which of the following attributes of evidence is MOST affected by the use of CAATs? Select an answer: A. Usefulness B. Reliability C. Relevance D. Adequacy
1.2 You are correct, the answer is B.A. Usefulness of audit evidence pulled by CAATs is determined by the audit objective, and the use of CAATs does not have as direct of an impact on usefulness as reliability does. B. Because the data are directly colle
A company undertakes a business process reengineering (BPR) project in support of a new and direct marketing approach to its customers. Which of the following would be an IS auditor's main concern about the new process?Select an answer: A. Whether key co
3.4 You are correct, the answer is A.
In a financial organization that deals with highly sensitive client data, an IS auditor is asked to provide recommendations for secure email communication. What is the MOST appropriate recommendation?Select an answer: A. Establish private keys with clien
5.2 You are correct, the answer is C.
An IS auditor is reviewing a software-based firewall configuration. Which of the following represents the GREATEST vulnerability? The firewall software:Select an answer:A. is configured with an implicit deny rule as the last rule in the rule base. B. is
5.2 You are correct, the answer is B.
Which of the following forms of evidence for the auditor would be considered the MOST reliable?Select an answer:A. An oral statement from the auditeeB. The results of a test performed by an external IS auditor C. An internally generated computer accoun
1.3 You are correct, the answer is B.
What is the MOST prevalent security risk when an organization implements remote virtual private network (VPN) access to its network?Select an answer:A. Malicious code could be spread across the network.B. The VPN logon could be spoofed. C. Traffic coul
5.2 You are correct, the answer is A.
The extent to which data will be collected during an IS audit should be determined based on the:Select an answer:A. availability of critical and required information.B. auditor's familiarity with the circumstances. C. auditee's ability to find relevant
1.2 You answered A. The correct answer is D.
The MOST important success factor in planning a black box penetration test is:Select an answer:A. the documentation of the planned testing procedure.B. a realistic evaluation of the environment architecture to determine scope. C. knowledge by the manag
5.2 You answered A. The correct answer is C.
An IS auditor reviewing a web application discovers that multiple users are logging in with the same user ID and password. What is the auditor's PRIMARY concern regarding this practice?Select an answer:A. Violation of confidentiality B. Difficulty maint
5.2 You are correct, the answer is C.A. Shared user accounts do not allow the organization to establish accountability for actions executed under the account. Confidentiality is secondary in the described scenario. B. Shared user IDs do not add complexit
Once an organization has finished the business process reengineering (BPR) of all its critical operations, an IS auditor would MOST likely focus on a review of:Select an answer:A. pre-BPR process flowcharts.B. post-BPR process flowcharts. C. BPR projec
4.1 You answered C. The correct answer is B.
An IS steering committee should:Select an answer:A. include a mix of members from different departments and staff levels.B. ensure that IS security policies and procedures have been executed properly. C. maintain minutes of its meetings and keep the bo
2.1 You answered B. The correct answer is C.
Which of the following is the GREATEST concern when an organization's backup facility is at a warm site?Select an answer:A. Timely availability of hardwareB. Availability of heat, humidity and air conditioning equipment C. Adequacy of electrical power
4.3 You answered B. The correct answer is A.
In determining the acceptable time period for the resumption of critical business processes:Select an answer:A. only downtime costs need to be considered.B. recovery operations should be analyzed. C. both downtime costs and recovery costs need to be ev
2.11 You are correct, the answer is C.
Which of the following is the MOST critical and contributes the greatest to the quality of data in a data warehouse? Select an answer: A. Accuracy of the source data B. Credibility of the data source C. Accuracy of the extraction process D. Accuracy of the
3.4 You are correct, the answer is A.
During which phase of software application testing should an organization perform the testing of architectural design? Select an answer: A. Acceptance testing B. System testing C. Integration testing D. Unit testing
3.5 You are correct, the answer is C.
The PRIMARY objective of testing a business continuity plan is to:Select an answer:A. familiarize employees with the business continuity plan.B. ensure that all residual risk is addressed.C. exercise all possible disaster scenarios. D. identify limita
2.11 You are correct, the answer is D.
Which of the following would BEST maintain the integrity of a firewall log?Select an answer:A. Granting access to log information only to administratorsB. Capturing log events in the operating system layer C. Writing dual logs onto separate storage med
4.8 You answered A. The correct answer is D.
An IS auditor performing a data center review for a large company discovers that the data center has a lead-acid battery room to provide power to its uninterruptable power supply (UPS) during short-term outages and a diesel generator to provide long-term
5.5 You answered A. The correct answer is B.
The PRIMARY objective of service-level management (SLM) is to:Select an answer:A. define, agree on, record and manage the required levels of service.B. ensure that services are managed to deliver the highest achievable level of availability. C. keep th
4.2 You are correct, the answer is A.
Which of the following goals would you expect to find in an organization's strategic plan?Select an answer:A. Test a new accounting package.B. Perform an evaluation of information technology needs. C. Implement a new project planning system within the
2.3 You answered C. The correct answer is D.
An IS auditor who has discovered unauthorized transactions during a review of electronic data interchange (EDI) transactions is likely to recommend improving the:Select an answer:A. EDI trading partner agreements.B. physical controls for terminals. C.
3.4 You are correct, the answer is C.
The final decision to include a material finding in an audit report should be made by the: Select an answer: A. audit committee. B. auditee's manager. C. IS auditor. D. chief executive officer (CEO) of the organization.
1.4 You answered A. The correct answer is C.
An IS auditor is tasked to review the adequacy of an organization's technology recovery strategy. Which of the following factors would the auditor PRIMARILY review?Select an answer:A. Recovery time objective (RTO)B. Business impact analysis (BIA) C. Ab
4.11 You are correct, the answer is B.
Which of the following would BEST help to detect errors in data processing? Select an answer: A. Programmed edit checks B. Well-designed data entry screens C. Segregation of duties D. Hash totals
3.4 You answered C. The correct answer is D.
When developing a security architecture, which of the following steps should be executed FIRST?Select an answer:A. Developing security proceduresB. Defining a security policyC. Specifying an access control methodology D. Defining roles and responsibil
2.4 You are correct, the answer is B.
An IS auditor has been asked to review the implementation of a customer relationship management (CRM) system for a large organization. The IS auditor discovered the project incurred significant overbudget expenses and scope creep caused the project to mis
3.2 You are correct, the answer is B.A. While project management training is a good practice, it does not necessarily prevent scope creep without the use of a software baseline and a robust requirements change process. B. Use of a software baseline provi
Which of the following antispam filtering techniques would BEST prevent a valid, variable-length email message containing a heavily weighted spam keyword from being labeled as spam?Select an answer:A. Heuristic (rule-based)B. Signature-based C. Pattern
5.2 You answered B. The correct answer is D.
The purpose of a checksum on an amount field in an electronic data interchange (EDI) communication of financial transactions is to ensure: Select an answer: A. integrity. B. authenticity. C. authorization. D. nonrepudiation.
3.14 You are correct, the answer is A.
Which of the following is the MOST important requirement for the successful testing of a disaster recovery plan (DRP)?Select an answer:A. Participation by all of the identified resourcesB. Management approval of the testing scenario C. Advance notice f
2.11 You are correct, the answer is B.
An IS auditor finds that conference rooms have active network ports. Which of the following is MOST important to ensure?Select an answer:A. The corporate network is using an intrusion prevention system (IPS). B. This part of the network is isolated from
5.2 You answered A. The correct answer is B.
An IS auditor is reviewing the IT governance practices. Which of the following BEST helps the IS auditor evaluate the quality of alignment between IT and the business?Select an answer:A. Security policiesB. Operational proceduresC. Project portfolio D
2.1 You are correct, the answer is D.A. Security policies are important; however, they are not designed to align IT to the business.B. Operational procedures do not provide the IS auditor assurance of the alignment between IT and the business. C. The pr
An external IS auditor issues an audit report pointing out the lack of firewall protection features at the perimeter network gateway and recommends a specific vendor product to address this vulnerability. The IS auditor has failed to exercise:
1.4 You are correct, the answer is A.
A programmer maliciously modified a production program to change data and then restored the original code. Which of the following would MOST effectively detect the malicious activity?A. Comparing source codeB. Reviewing system log files C. Comparing obj
4.9 You answered D. The correct answer is B.
An IS auditor reviewing an organization's disaster recovery plan should PRIMARILY verify that it is:A. tested every six months.B. regularly reviewed and updated.C. approved by the chief executive officer (CEO). D. communicated to every department head
4.11 You answered C. The correct answer is B.
The risk of dumpster diving is BEST mitigated by: A. implementing security awareness training. B. placing shred bins in copy rooms. C. developing a media disposal policy. D. placing shredders in individual offices.
5.5 You answered C. The correct answer is A.A. Dumpster diving is used to steal documents or computer media that were not properly discarded. Users should be educated to know the risk of carelessly discarding sensitive documents and other items. B. The s
Which of the following controls would be the MOST comprehensive in a remote access network with multiple and diverse subsystems? A. Proxy server B. Firewall installation C. Network administrator D. Password implementation and administration
5.2 You answered B. The correct answer is D.
In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, the IS auditor should:A. identify and assess the risk assessment process used by management. B. identify information assets and the underlying
1.3 You answered B. The correct answer is D.
An organization has experienced a large amount of traffic being re-routed from its Voice-over Internet Protocol (VoIP) packet network. The organization believes it is a victim of eavesdropping. Which of the following could result in eavesdropping of VoIP
5.2 You answered C. The correct answer is A.
An organization has a business process with a recovery time objective (RTO) equal to zero and a recovery point objective (RPO) close to one minute. This implies that the process can tolerate:
4.11 You are correct, the answer is A.
An IS auditor performing a data center review for a large company discovers that the data center has a lead-acid battery room to provide power to its uninterruptable power supply (UPS) during short-term outages and a diesel generator to provide long-term
5.5 You are correct, the answer is B.
After discovering a security vulnerability in a third-party application that interfaces with several external systems, a patch is applied to a significant number of modules. Which of the following tests should an IS auditor recommend?A. Stress B. Black b
4.9 You answered C. The correct answer is D.
A development group is designing an Internet application that accepts customer orders. Which of the following features is a MAJOR concern during the review of the design phase?A. The inclusion of technical information in error messages B. The use of stor
5.2 You are correct, the answer is A.A. Applications that are exposed to the Internet should not include technical details in error messages because they could provide attackers with information about vulnerabilities. B. It is a good practice to utilize
Which of the following is the BEST basis for determining the appropriate levels of information resource protection? A. Asset classification B. A business case C. Vulnerability assessment D. Asset valuation
5.3 You are correct, the answer is A.A. Asset classification based on criticality and sensitivity provides the best basis for assigning levels of information resource protection. B. A business case may be useful to support the need for asset classificati
The effect of which of the following should have priority in planning the scope and objectives of an IS audit?A. Applicable statutory requirementsB. Applicable corporate standardsC. Applicable industry best practices D. Organizational policies and proc
1.3 You answered D. The correct answer is A.
During an IS audit of a global organization, the IS auditor discovers that the organization uses voice-over IP (VoIP) over the Internet as the sole means of voice connectivity among all offices. Which of the following presents the MOST significant risk fo
5.2 You are correct, the answer is B.
Why does an audit manager review audit papers from an IS auditor, even when the auditor has more than 10 years of experience?A. Supervision is required to comply with internal quality requirements. B. Supervision is required to comply with the audit guid
1.1 You are correct, the answer is D.A. Internal quality requirements may exist, but are superseded by the requirement of supervision to comply with professional standards. B. Audit guidelines exist to provide guidance on how to achieve compliance with p
Which of the following is the MOST important critical success factor (CSF) of implementing a risk-based approach to the IT system life cycle?A. Adequate involvement of stakeholdersB. Selection of a risk management framework C. Identification of risk mit
3.2 You are correct, the answer is A.
During an audit, the IS auditor notes that the application developer also performs quality assurance testing on a particular application. Which of the following should the IS auditor do?
A. Recommend compensating controls.
B. Review the code created by th
1.4 You answered C. The correct answer is D.
A. While compensating controls may be a good idea, the primary response in this case should be to report the condition.
B. Evaluating the code created by the application developer is not the appropriate respons
In a small organization, developers may release emergency changes directly to production. Which of the following will BEST control the risk in this situation?
A. Approve and document the change the next business day.
B. Limit developer access to productio
4.9 You answered C. The correct answer is A.
An IS auditor discovers that devices connected to the network have not been included in a network diagram that had been used to develop the scope of the audit. The chief information officer (CIO) explains that the diagram is being updated and awaiting fin
1.1 You are correct, the answer is B.
Recovery procedures for an information processing facility are BEST based on:
A. recovery time objective (RTO).
B. recovery point objective (RPO).
C. maximum tolerable outage (MTO).
D. information security policy.
4.10 You are correct, the answer is A.
A. The RTO is the amount of time allowed for the recovery of a business function or resource after a disaster occurs; it does not determine acceptable data loss.
B. The RPO has the greatest influence on the recovery
In a relational database with referential integrity, the use of which of the following keys would prevent deletion of a row from a customer table as long as the customer number of that row is stored with live orders on the orders table?
A. Foreign key
B.
4.6 You answered D. The correct answer is A.
In transport mode, the use of the Encapsulating Security Payload (ESP) protocol is advantageous over the Authentication Header (AH) protocol because it provides:
A. connectionless integrity.
B. data origin authentication.
C. antireplay s
5.2 You answered A. The correct answer is D.
When auditing the provisioning procedures of the identity management (IDM) system of a large organization, an IS auditor immediately finds a small number of access requests that had not been authorized by managers through the normal predefined workflow st
1.3 You answered D. The correct answer is A.
An IS auditor conducting a review of disaster recovery planning (DRP) at a financial processing organization has discovered the following:
2.11 You answered A. The correct answer is D.
An IS auditor found that the enterprise architecture (EA) recently adopted by an organization has an adequate current-state representation. However, the organization has started a separate project to develop a future-state representation. The IS auditor s
2.6 You answered A. The correct answer is B.
Which of the following BEST helps ensure that deviations from the project plan are identified?
A. A project management framework
B. A project management approach
C. A project resource plan
D. Project performance criteria
3.3 You answered C. The correct answer is D.
Which of the following methods of suppressing a fire in a data center is the MOST effective and environmentally friendly?
A. Halon gas
B. Wet-pipe sprinklers
C. Dry-pipe sprinklers
D. Carbon dioxide gas
5.4 You are correct, the answer is C.
An IS auditor reviewing the IS security policies should verify whether information security management roles and responsibilities are communicated to which of the following?
A. Functional heads
B. Organizational users
C. The IS steering
5.1 ??????? A. Functional heads
The knowledge base of an expert system that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as:
A. rules.
B. decision trees.
C. semantic nets.
D. dataflow diagrams.
3.5 You are correct, the answer is B.
A company has decided to implement an electronic signature scheme based on public key infrastructure (PKI). The user's private key will be stored on the computer's hard drive and protected by a password. The MOST significant risk of this approach is:
5.2 You are correct, the answer is A.
An IS auditor is evaluating processes put in place by management at a storage location containing computer equipment. One of the test procedures compares the equipment on location with the inventory records. This type of testing procedure executed by the
1.3 You answered D. The correct answer is A.
A. Substantive testing obtains audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period.
B. Compliance testing is evidence gathering for the purpose of tes
During a fieldwork observation of system administrative functions, an IS auditor discovered that changes made to the database after normal working hours required only an abbreviated number of steps compared to those made during normal working hours. Which
4.9 You are correct, the answer is D.
An IS auditor performing an independent classification of systems should consider a situation where functions could be performed manually at a tolerable cost for an extended period of time as:
A. critical.
B. vital.
C. sensitive.
D. nonc
4.11 You are correct, the answer is C.
Which of the following scenarios provides the BEST disaster recovery plan (DRP) to implement for critical applications?
A. Daily data backups that are stored offsite and a hot site located 140 kilometers from the main data center
B. Dail
4.11 You answered D. The correct answer is A.
Which of the following is an advantage of the top-down approach to software testing?
A. Interface errors are identified early.
B. Testing can be started before all programs are complete.
C. It is more effective than other testing approac
3.4 You answered D. The correct answer is A.
During fieldwork, an IS auditor experienced a system crash caused by a security patch installation. To provide reasonable assurance that this event will not recur, the IS auditor should ensure that:
A. only systems administrators perform
4.9 You answered C. The correct answer is B.
An IS auditor is determining the appropriate sample size for testing the existence of program change approvals. Previous audits did not indicate any exceptions, and management has confirmed that no exceptions have been reported for the review period. In t
1.3 You answered B. The correct answer is A.
A. When internal controls are strong, a lower confidence coefficient can be adopted, which will enable the use of a smaller sample size.
B. A higher confidence coefficient will result in the use of a larger sam
Which of the following is an appropriate test method to apply to a business continuity plan (BCP)?
A. Pilot
B. Paper
C. Unit
D. System
2.11 You answered A. The correct answer is B.
An accuracy measure for a biometric system is:
A. system response time.
B. registration time.
C. input file size.
D. false-acceptance rate (FAR).
5.4 You are correct, the answer is D.
A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it:
A. can identify high-risk areas that might need a detailed review later.
B. allows IS auditors to independently assess risk.
C.
1.1 You are correct, the answer is A.
An organization has a business process with a recovery time objective (RTO) equal to zero and a recovery point objective (RPO) close to one minute. This implies that the process can tolerate:
A. a data loss of up to one minute, but the p
4.11 You are correct, the answer is A.
Which of the following is the MOST effective type of antivirus software?
A. Scanners
B. Active monitors
C. Integrity checkers
D. Vaccines
You answered B. The correct answer is C.
An IS auditor has been assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST?
A. An audit clause is present in all contracts.
B. The service
You answered A. The correct answer is C.
Which of the following is the MOST important aspect of effective business continuity management?
A. The recovery site is secure and located an appropriate distance from the primary site.
B. The recovery plans are periodically tested.
C.
You are correct, the answer is B.
Which of the following insurance types provides for a loss arising from fraudulent acts by employees?
A. Business interruption
B. Fidelity coverage
C. Errors and omissions
D. Extra expense
You are correct, the answer is B.
An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?
A. Delete all copies of the unauthorized software.
B.
You are correct, the answer is C.
Management considered two projections for its business continuity plan; plan A with two months to recover and plan B with eight months to recover. The recovery point objectives are the same in both plans. It is reasonable to expect that plan B projected h
You answered C. The correct answer is A.
During an IS audit of a bank, the IS auditor is assessing whether the enterprise properly manages staff member access to the operating system. The IS auditor should determine whether the enterprise performs:
A. periodic review of user ac
You answered B. The correct answer is A.
Which of the following would normally be the MOST reliable evidence for an IS auditor?
A. A confirmation letter received from a third party verifying an account balance
B. Assurance from line management that an application is working as
You are correct, the answer is A.
An IS auditor reviewing a series of completed projects finds that the implemented functionality often exceeded requirements and most of the projects ran significantly over budget. Which of these areas of the organization's project management process is th
You answered C. The correct answer is A.
Which of the following types of firewalls would BEST protect a network from an Internet attack?
A. Screened subnet firewall
B. Application filtering gateway
C. Packet filtering router
D. Circuit-level gateway
You answered D. The correct answer is A.
A disaster recovery plan for an organization's financial system specifies that the recovery point objective (RPO) is zero and the recovery time objective (RTO) is 72 hours. Which of the following is the MOST cost-effective solution?
A. A
You are correct, the answer is D.
An organization is implementing an enterprise resource planning (ERP) application. Of the following, who is PRIMARILY responsible for overseeing the project in order to ensure that it is progressing in accordance with the project plan and that it will del
You answered A. The correct answer is C.
Regarding a disaster recovery plan, the role of an IS auditor should include:
A. identifying critical applications.
B. determining the external service providers involved in a recovery test.
C. observing the tests of the disaster recover
You answered A. The correct answer is C.
The waterfall life cycle model of software development is most appropriately used when:
A. requirements are well understood and are expected to remain stable, as is the business environment in which the system will operate.
B. requiremen
You are correct, the answer is A.
When an employee is terminated from service, the MOST important action is to:
A. hand over all of the employee's files to another designated employee.
B. complete a backup of the employee's work.
C. notify other employees of the terminat
You are correct, the answer is D.
Among the following controls, what is the BEST method to prevent inappropriate access to private and sensitive information through a business application?
A. Two-factor authentication access control
B. Encryption of authentication data
C
You are correct, the answer is C.
If a database is restored using before-image dumps, where should the process begin following an interruption?
A. Before the last transaction
B. After the last transaction
C. As the first transaction after the latest checkpoint
D. As the
You answered C. The correct answer is A.
To address an organization's disaster recovery requirements, backup intervals should not exceed the:
A. service level objective (SLO).
B. recovery time objective (RTO).
C. recovery point objective (RPO).
D. maximum acceptable outage (MAO
You are correct, the answer is C.
An IS auditor finds that a database administrator (DBA) has read and write access to production data. The IS auditor should:
A. accept the DBA access as a common practice.
B. assess the controls relevant to the DBA function.
C. recommend
You are correct, the answer is B.
When reviewing an organization's approved software product list, which of the following is the MOST important thing to verify?
A. The risk associated with the use of the products is periodically assessed.
B. The latest version of softwar
You are correct, the answer is A.
During a postimplementation review of an enterprise resource management system, an IS auditor would MOST likely:
A. review access control configuration.
B. evaluate interface testing.
C. review detailed design documentation.
D. evaluate
You answered D. The correct answer is A.
Which of the following would help to ensure the portability of an application connected to a database?
A. Verification of database import and export procedures
B. Usage of a structured query language (SQL)
C. Analysis of stored procedure
You answered A. The correct answer is B.
An IS auditor who was involved in designing an organization's business continuity plan (BCP) has been assigned to audit the plan. The IS auditor should:
A. decline the assignment.
B. inform management of the possible conflict of interest
You answered C. The correct answer is D.
An IS auditor is reviewing the expansion plans for an organization which is opening a new office about 80 meters away from their existing facility. The plan is to implement fiber-optic cabling within the new facility and it has been determined that a 100-
You are correct, the answer is A.
Which of the following is the GREATEST advantage of elliptic curve encryption over RSA encryption?
A. Computation speed
B. Ability to support digital signatures
C. Simpler key distribution
D. Greater strength for a given key length
You answered D. The correct answer is A.
When reviewing the implementation of a local area network (LAN), an IS auditor should FIRST review the:
A. node list.
B. acceptance test report.
C. network diagram.
D. user's list.
You are correct, the answer is C.
An IS auditor performing a review of incident tickets notices that a help desk support technician noted personal identifiable information (PII) within the ticket comments as part of the incident documentation. What preventive action should the auditor rec
4.8 You are correct, the answer is C.
A. Quality reviews are a detective control and will only discover exceptions after the information has been entered.
B. Data masking is performed to assist with maintaining the privacy of customers from individuals th
An IS auditor is reviewing access to an application to determine whether the 10 most recent new accounts were appropriately authorized. This is an example of:
A. variable sampling.
B. substantive testing.
C. compliance testing.
D. stop-o
1.3 You answered A. The correct answer is C.
To ensure structured disaster recovery, it is MOST important that the business continuity plan (BCP) and disaster recovery plan (DRP) are:
A. stored at an alternate location.
B. communicated to all users.
C. tested regularly.
D. updated
4.11 You are correct, the answer is C.
While designing the business continuity plan (BCP) for an airline reservation system, the MOST appropriate method of data transfer/backup at an offsite location would be:
A. shadow file processing.
B. electronic vaulting.
C. hard-disk mi
4.10 You answered D. The correct answer is A.
Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit?
A. Contingency planning
B. IS management resource allocation
C. Project management
D. Knowledge of inte
1.3 You are correct, the answer is C.
A. Contingency planning is often associated with the organization's operations. IS auditors should have knowledge of contingency planning techniques.
B. IS managers are responsible for resource management of their dep
An organization is implementing an enterprise resource planning (ERP) application. Of the following, who is PRIMARILY responsible for overseeing the project in order to ensure that it is progressing in accordance with the project plan and that it will del
3.2 You are correct, the answer is C.
Which of the following public key infrastructure (PKI) elements provides detailed descriptions for dealing with a compromised private key?
A. Certificate revocation list (CRL)
B. Certification practice statement (CPS)
C. Certificate poli
5.2 You are correct, the answer is B.
A cyclic redundancy check (CRC) is commonly used to determine the:
A. accuracy of data input.
B. integrity of a downloaded program.
C. adequacy of encryption.
D. validity of data transfer.
4.6 You are correct, the answer is D.
A. Accuracy of data input can be enforced by data validation controls such as picklists, cross checks, reasonableness checks, control totals, allowed character checks and others.
B. A checksum is commonly used to vali
A company undertakes a business process reengineering (BPR) project in support of a new and direct marketing approach to its customers. Which of the following would be an IS auditor's main concern about the new process?
A. Whether key co
3.4 You answered D. The correct answer is A.
The use of digital signatures:
A. requires the use of a one-time password generator.
B. provides encryption to a message.
C. validates the source of a message.
D. ensures message confidentiality.
5.2 You are correct, the answer is C.
In a contract with a hot, warm or cold site, contractual provisions should PRIMARILY cover which of the following considerations?
A. Physical security measures
B. Total number of subscribers
C. Number of subscribers permitted to use a si
4.3 You answered A. The correct answer is C.
A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing-off on the accuracy and completeness of the data before going live?
A. IS audito
3.5 You are correct, the answer is D.
A financial institution has recently developed and installed a new deposit system which interfaces with their customer web site and their automated teller machines (ATMs). During the project, the development team and the business continuity team maintaine
2.11 You answered D. The correct answer is A.
Due to changes in IT, the disaster recovery plan of a large organization has been changed. What is the PRIMARY risk if the new plan is not tested?
A. Catastrophic service interruption
B. High consumption of resources
C. Total cost of the
4.11 You are correct, the answer is A.
Which of the following is the MOST important requirement for the successful testing of a disaster recovery plan (DRP)?
A. Participation by all of the identified resources
B. Management approval of the testing scenario
C. Advance notice f
2.11 You are correct, the answer is B.
Which of the following reduces the potential impact of social engineering attacks?
A. Compliance with regulatory requirements
B. Promoting ethical understanding
C. Security awareness programs
D. Effective performance incentives
2.2 You are correct, the answer is C.
Which of the following is the GREATEST concern for an IS auditor reviewing the security controls of an online job-search application?
A. The web server is running an unsupported operating system (OS) and web server application.
B. The we
5.2 You answered A. The correct answer is B.
A. While outdated versions of the OS or web server can allow some vulnerabilities to exist, the more significant risk in this case is the SQL injection vulnerability.
B. The biggest risk to any web application
During an IS audit, the IS auditor discovers that a wireless network is used within the enterprise's headquarters. What is the FIRST thing that the auditor should check?
A. The signal strength outside of the building
B. The configuration
5.2 You are correct, the answer is B.
A live test of a mutual agreement for IT system recovery has been carried out, including a four-hour test of intensive usage by the business units. The test has been successful, but gives only partial assurance that the:
A. system and th
4.11 You are correct, the answer is A.
Which of the following does a lack of adequate controls represent?
A. An impact
B. A vulnerability
C. An asset
D. A threat
1.3 You are correct, the answer is B.
A. Impact is the measure of the financial loss that a threat event may have.
B. The lack of adequate controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack
Information for detecting unauthorized input from a terminal would be BEST provided by the:
A. console log printout.
B. transaction journal.
C. automated suspense file listing.
D. user error report.
3.4 You answered C. The correct answer is B.
An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should FIRST review:
A. the controls already in place.
B. the effectiveness of the controls in place.
C. the mechanism for monitoring the ris
1.2 You answered B. The correct answer is D.
Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs?
A. System log analysis
B. Compliance testing
C. Forensic analysis
D. Analytical review
1.3 You answered A. The correct answer is B.
Which of the following would impair the independence of a quality assurance team?
A. Ensuring compliance with development methods
B. Checking the testing assumptions
C. Correcting coding errors during the testing process
D. Checking the
2.5 You answered A. The correct answer is C.
An IS auditor notes during an audit that an organization's business continuity plan (BCP) does not adequately address information confidentiality during the recovery process. The IS auditor should recommend that the plan be modified to include:
4.10 You answered D. The correct answer is A.
In large corporate networks having supply partners across the globe, network traffic may continue to rise. The infrastructure components in such environments should be scalable. Which of the following firewall architectures limits future scalability?
5.2 You answered D. The correct answer is A.
Which of the following is an advantage of prototyping?
A. The finished system normally has strong internal controls.
B. Prototype systems can provide significant time and cost savings.
C. Change control is often less complicated with pro
3.4 You are correct, the answer is B.
When installing an intrusion detection system (IDS), which of the following is MOST important?
A. Properly locating it in the network architecture
B. Preventing denial-of-service (DoS) attacks
C. Identifying messages that need to be quar
5.2 You are correct, the answer is A.
When evaluating the collective effect of preventive, detective and corrective controls within a process, an IS auditor should be aware of which of the following?
A. The point at which controls are exercised as data flow through the syste
1.3 You are correct, the answer is A.
The reason a certification and accreditation process is performed on critical systems is to ensure that:
A. security compliance has been technically evaluated.
B. data have been encrypted and are ready to be stored.
C. the systems have b
3.5 You answered D. The correct answer is A.
As a driver of IT governance, transparency of IT's cost, value and risk is primarily achieved through:
A. performance measurement.
B. strategic alignment.
C. value delivery.
D. resource management.
You answered B. The correct answer is A.
An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?
A. Delete all copies of the unauthorized software.
B.
You are correct, the answer is C.
An IS auditor is reviewing changes to a company's disaster recovery (DR) strategy. The IS auditor notices that the recovery point objective (RPO) has been shortened for the company's mission-critical application. What is the MOST significant risk of this
You are correct, the answer is C.
Which of the following should an IS auditor use to detect duplicate invoice records within an invoice master file?
A. Attribute sampling
B. Computer Aided Audit Techniques (CAATs)
C. Test data
D. Integrated test facility (ITF)
You answered C. The correct answer is B.
Which of the following is the BEST way to ensure that an off-the-shelf production system continues to operate as expected?
A. Changes are executed and tested in the production environment.
B. Changes are reviewed by the analysts who desi
You answered C. The correct answer is B.
A. Modifications that are executed and tested in the production environment pose a greater risk of unauthorized modifications.
B. If the changes are reviewed by the authors of the application there are less likely
Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit?
A. Contingency planning
B. IS management resource allocation
C. Project management
D. Knowledge of inte
You are correct, the answer is C.
A. Contingency planning is often associated with the organization's operations. IS auditors should have knowledge of contingency planning techniques.
B. IS managers are responsible for resource management of their departm
Which of the following would be the MOST significant audit finding when reviewing a point-of-sale (POS) system?
A. Invoices recorded on the POS system are manually entered into an accounting application.
B. An optical scanner is not used
You are correct, the answer is D.
In reviewing the IS short-range (tactical) plan, an IS auditor should determine whether:
A. there is an integration of IS and business personnel within projects.
B. there is a clear definition of the IS mission and vision.
C. a strategic
You are correct, the answer is A.
An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should:
A. apply the patch according to the patch's release notes.
B. ensure
You are correct, the answer is B.
IS management is considering a Voice-over IP (VoIP) network to reduce telecommunication costs and management asked the IS auditor to comment on appropriate security controls. Which of the following security measures is MOST appropriate?
You answered D. The correct answer is A.
Which of the following biometrics has the HIGHEST reliability and lowest false-acceptance rate (FAR)?
A. Palm scan
B. Face recognition
C. Retina scan
D. Hand geometry
You answered A. The correct answer is C.
An IS auditor is performing a review of a network, and users report that the network is slow and web pages periodically time out. The IS auditor confirms the users' feedback and reports the findings to the network manager. The most appropriate action for
You answered C. The correct answer is A.
Naming conventions for system resources are important for access control because they:
A. ensure that resource names are not ambiguous.
B. reduce the number of rules required to adequately protect resources.
C. ensure that user access to
You are correct, the answer is B.
During an IS audit, the IS auditor discovers that a wireless network is used within the enterprise's headquarters. What is the FIRST thing that the auditor should check?
A. The signal strength outside of the building
B. The configuration
You are correct, the answer is B.
An IS auditor should be concerned when a telecommunication analyst:
A. monitors systems performance and tracks problems resulting from program changes.
B. reviews network load requirements in terms of current and future transaction volum
You answered C. The correct answer is A.
During the review of a web-based software development project, an IS auditor realizes that coding standards are not enforced and code reviews are rarely carried out. This will MOST likely increase the likelihood of a successful:
A. buffe
You are correct, the answer is A.
A subsidiary in another country is forced to depart from the parent organization's IT policies to conform to the local law. The BEST approach for the parent organization is to:
A. create a provision to allow local policies to take preced
You are correct, the answer is A.
A. Creating a provision to allow local policies to take precedence where required by local authorities allows the organization to implement the optimal level of control subject to legal limitations.
B. This is not accepta
Which of the following should an incident response team address FIRST after a major incident in an information processing facility?
A. Restoration at the facility
B. Documentation of the facility
C. Containment at the facility
D. Monitor
You answered D. The correct answer is C.
An internal audit function is reviewing an internally developed common gateway interface (CGI) script for a web application. The IS auditor discovers that the script was not reviewed and tested by the quality control function. Which of the following types
You answered D. The correct answer is C.
A. While untested CGIs can cause the end-user web application to be compromised, this is not likely to make the system unavailable to other users.
B. Untested CGI scripts do not inherently lead to malware exposures
The most common reason for the failure of information systems to meet the needs of users is that:
A. user needs are constantly changing.
B. the growth of user requirements was forecast inaccurately.
C. the hardware system limits the numb
You answered B. The correct answer is D.
Which of the following will BEST ensure the successful offshore development of business applications?
A. Stringent contract management practices
B. Detailed and correctly applied specifications
C. Awareness of cultural and political diff
You are correct, the answer is B.
An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the:
A. hardware configuration.
B. access control software.
C. ownership of intellectual property.
D. application development methodology.
You answered B. The correct answer is C.
An IS auditor performing an application maintenance audit would review the log of program changes for the:
A. authorization of program changes.
B. creation date of a current object module.
C. number of program changes actually made.
D. c
You answered D. The correct answer is A.
Which of the following BEST mitigates the risk arising from using reciprocal agreements as a recovery alternative?Select an answer:A. Perform disaster recovery exercises annually.B. Ensure that partnering organizations are separated geographically. C.
You answered A. The correct answer is B.A. While disaster recovery exercises are important, the greater risk is geographic proximity. B. If the two partnering organizations are in close geographic proximity, this could lead to both organizations being su
Which of the following provides the GREATEST assurance for database password encryption?Select an answer:A. Secure hash algorithm-256 (SHA-256)B. Advanced encryption standard (AES)C. Secure shell (SSH) D. Triple data encryption standard (DES)
You answered A. The correct answer is B.A. While hashing functions are used to protect passwords, hashing is not encryption.B. The use of AES is a secure encryption algorithm that is appropriate for encrypting passwords. C. SSH can only be used to encry
Which of the following documents is the BEST source for an IS auditor to understand the requirements for employee awareness training?
A. Information security policy
B. Acceptable usage policy
C. Human resources (HR) policy
D. End-user co
Correct answer: A.

An IS auditor is performing a review of the disaster recovery hot site used by a financial institution. Which of the following would be the GREATEST concern?
A. System administrators use shared accounts which never expire at the hot site
Correct answer: B.

An IS auditor performing an independent classification of systems should consider a situation where functions could be performed manually at a tolerable cost for an extended period of time as:
A. critical.
B. vital.
C. sensitive.
D. nonc
Correct answer: C.

An IS auditor discovers that the chief information officer (CIO) of an organization is using a wireless broadband modem utilizing global system for mobile communications (GSM) technology. This modem is being used to connect the CIO's laptop to the corpora
Correct answer: A.

Which of the following is MOST important to an IS auditor reviewing an organization that allows the use of personal mobile devices on the organization's network?
A. Organization's ability to track assets
B. Risk of malware infection
C. P
Correct answer: D.
A financial institution has recently developed and installed a new deposit system which interfaces with its customer website and its automated teller machines (ATMs). During the project, the development team and the business continuity team maintaine
Correct answer: A.

An IS auditor is conducting a compliance audit of a health care organization operating an online system that contains sensitive health care information. Which of the following should an IS auditor FIRST review?
A. Network diagram and fir
Correct answer: C.

During the review of an in-house developed application, the GREATEST concern to an IS auditor is if a:
A. user raises a change request and tests it in the test environment.
B. programmer codes a change in the development environment and
Correct answer: D.

Which of the following wide area network (WAN) transmission techniques offers the BEST error and flow control procedures while transmitting data?
A. Message switching
B. Packet switching
C. Circuit switching
D. Virtual circuits
Correct answer: B.

Which of the following would be evaluated as a preventive control by an IS auditor performing an audit?
A. Transaction logs
B. Before and after image reporting
C. Table lookups
D. Tracing and tagging
Correct answer: C.

After reviewing the disaster recovery planning (DRP) process of an organization, an IS auditor requests a meeting with company management to discuss the findings. Which of the following BEST describes the main goal of this meeting?
A. Ob
Correct answer: B.

Which of the following situations would increase the likelihood of fraud?
A. Application programmers are implementing changes to production programs.
B. Application programmers are implementing changes to test programs.
C. Operations sup
Correct answer: A.

An organization has a well-established risk management process. Which of the following risk management practices would MOST likely expose the organization to the greatest amount of compliance risk?
A. Risk reduction
B. Risk transfer
C. R
Correct answer: B.

Which of the following testing techniques would the IS auditor use to identify specific program logic that has not been tested?
A. A snapshot
B. Tracing and tagging
C. Logging
D. Mapping
Correct answer: D.

An IS auditor analyzing the audit log of a database management system (DBMS) finds that some transactions were partially executed as a result of an error and have not been rolled back. Which of the following transaction processing features has been violat
Correct answer: D.

Which of the following penetration testing methods is MOST effective in uncovering vulnerabilities relating to incident response capabilities?
A. External
B. Double-blind
C. Internal
D. Blind
Correct answer: B.
A. External testing is an intrusion attempt launched from outside the organization's perimeter, but it does not consider what information is known by the tester or the target.
B. In double-blind testing, the incide
An IS auditor is testing employee access to a large financial system. The IS auditor selected a sample from the current employee list provided by the auditee. Which of the following evidence is the MOST reliable to support the testing?
A
Correct answer: C.

An organization completed a business impact analysis (BIA) as part of business continuity planning. The NEXT step in the process is to develop:
A. a business continuity strategy.
B. a test and exercise plan.
C. a user training program.
D
Correct answer: A.

During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is to:
A. address audit objectives.
B. collect sufficient evidence.
C. specify appropriate tests.
D. minimize audit resources.
Correct answer: A.

Documentation of a business case used in an IT development project should be retained until:
A. the end of the system's life cycle.
B. the project is approved.
C. user acceptance of the system.
D. the system is in production.
Correct answer: A.

An IS auditor is carrying out a system configuration review. Which of the following would be the BEST evidence in support of the current system configuration settings?
A. System configuration values imported to a spreadsheet by the syste
Correct answer: B.

Assessing IT risk is BEST achieved by:
A. evaluating threats associated with existing IT assets and IT projects.
B. using the firm's past actual loss experience to determine current exposure.
C. reviewing published loss statistics from c
Correct answer: A.

A large industrial organization is replacing an obsolete legacy system and evaluating whether to buy a custom solution or develop a system in-house. Which of the following will MOST likely influence the decision?
A. Technical skills and
Correct answer: A.
A. Critical core competencies will most likely be carefully considered before outsourcing the planning phase of the application.
B. Privacy regulations on the data impact the usage of the application, not its prepa

An IS auditor reviewing a proposed application software acquisition should ensure that the:
A. operating system (OS) being used is compatible with the existing hardware platform.
B. planned OS updates have been scheduled to minimize nega
Correct answer: D.

An e-commerce organization with a complex technological environment has numerous concurrent projects. This often results in production system changes. What is the MOST suitable approach to managing system changes so that system outages are minimized?
Correct answer: B.

When using a digital signature, the message digest is computed:
A. only by the sender.
B. only by the receiver.
C. by both the sender and the receiver.
D. by the certificate authority (CA).
Correct answer: C.

A decision support system (DSS):
A. is aimed at solving highly structured problems.
B. combines the use of models with nontraditional data access and retrieval functions.
C. emphasizes flexibility in the decision making approach of users
Correct answer: C.

Which of the following should be included in an organization's information security policy?
A. A list of key IT resources to be secured
B. The basis for access control authorization
C. Identity of sensitive security features
D. Relevant
Correct answer: B.

Which of the following is MOST critical for the successful implementation and maintenance of a security policy?
A. Assimilation of the framework and intent of a written security policy by all appropriate parties
B. Management support and
Correct answer: A.

An IS auditor should ensure that the review of online electronic funds transfer (EFT) reconciliation procedures includes:
A. vouching.
B. authorizations.
C. corrections.
D. tracing.
Correct answer: D.
An IS auditor is performing a review of the software quality management process in an organization. The FIRST step should be to:
A. verify how the organization follows the standards.
B. identify and report the controls currently in place
Correct answer: D.

The most likely error to occur when implementing a firewall is:
A. incorrectly configuring the access lists.
B. compromising the passwords due to social engineering.
C. connecting a modem to the computers in the network.
D. inadequately
Correct answer: A.

Which of the following techniques would BEST help an IS auditor gain reasonable assurance that a project can meet its target date?
A. Estimation of the actual end date based on the completion percentages and estimated time to complete, t
Correct answer: C.

Which of the following is the MOST critical step to perform when planning an IS audit?
A. Review findings from prior audits.
B. Develop plans to conduct a physical security review of the data center facility.
C. Review IS security polici
Correct answer: D.

A rapid application development (RAD) methodology has been selected to implement a new enterprise resource planning (ERP) system. All of the project activities have been assigned to the contracted consulting company because internal employees are not avai
Correct answer: A.

Which of the following is the BEST information source to obtain evidence when a server has been compromised by malware?
A. Volatile data held in computer resources
B. Operating system (OS) event log history
C. Firewall event log history
Correct answer: A.
A. Information held in computer resources, such as the contents of a server's random access memory (RAM), is the best information source when investigating a server compromise.
B. OS logs are valuable; howev

During a compliance audit of a small bank, the IS auditor notes that both the IT and accounting functions are being performed by the same user of the financial system. Which of the following reviews conducted by a supervisor would represent the BEST compe
Correct answer: D.

During which phase of software application testing should an organization perform the testing of architectural design?
A. Acceptance testing
B. System testing
C. Integration testing
D. Unit testing
Correct answer: C.

An IS auditor has been assigned to conduct a test that compares job run logs to computer job schedules. Which of the following observations would be of the GREATEST concern to the IS auditor?
A. There are a growing number of emergency ch
Correct answer: C.

An IS auditor is reviewing IT projects for a large company and wants to determine whether the IT projects undertaken in a given year are those which have been assigned the highest priority by the business and which will generate the greatest business valu
Correct answer: B.

An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with the:
A. maintenance of access logs of usage of various system resources.
B. authorization and authentication of the user prior to grant
Correct answer: B.

Which of the following is the BEST way to ensure that incident response activities are consistent with the requirements of business continuity?
A. Draft and publish a clear practice for enterprise-level incident response.
B. Establish a
Correct answer: C.
A. Publishing an enterprise-level incident response plan is effective only if business continuity has aligned itself to incident response. Incident response supports business continuity, not the other way around.
B. Sharing p

A private enterprise has a project in place to modify the financial accounting system to comply with major changes in tax laws. Prior to going live, the finance manager, who is the application owner, went on emergency leave and could not complete function
Correct answer: A.

Data flow diagrams are used by IS auditors to:
A. order data hierarchically.
B. highlight high-level data definitions.
C. graphically summarize data paths and storage.
D. portray step-by-step details of data generation.
Correct answer: C.
During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization's operational risk documentation only contains a few broadly described types of IT risk. What is th
Correct answer: D.

Which of the following BEST mitigates the risk of backup media containing irreplaceable information being lost or stolen while in transit?
A. Ensure that media are encrypted.
B. Maintain a duplicate copy.
C. Maintain chain of custody.
D.
Correct answer: B.
A. Although strong encryption protects against disclosure, it will not mitigate the loss of irreplaceable data.
B. Sensitive data should always be fully backed up before being transmitted or moved. Backups of sensitive in

An IS auditor wants to analyze audit trails on critical servers to discover potential anomalies in user or system behavior. Which of the following is the MOST suitable for performing that task?
A. Computer-aided software engineering (CAS
Correct answer: C.

When auditing a disaster recovery plan for a critical business area, an IS auditor finds that it does not cover all the systems. Which of the following is the MOST appropriate action for the IS auditor?
A. Alert management and evaluate t
Correct answer: A.

An enterprise is developing a strategy to upgrade to a newer version of its database software. Which of the following tasks can an IS auditor perform without compromising the objectivity of the IS audit function?
A. Advise on the adoptio
Correct answer: D.

An IS auditor found that the enterprise architecture (EA) recently adopted by an organization has an adequate current-state representation. However, the organization has started a separate project to develop a future-state representation. The IS auditor s
Correct answer: B.

Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The auditor should:
A. include the finding in the final report, because the IS auditor is responsible for an accurate report of
Correct answer: A.

Which of the following append themselves to files as a protection against viruses?
A. Behavior blockers
B. Cyclic redundancy checkers (CRCs)
C. Immunizers
D. Active monitors
Correct answer: C.

Which of the following should an IS auditor review to gain an understanding of the effectiveness of controls over the management of multiple projects?
A. Project database
B. Policy documents
C. Project portfolio database
D. Program organ
Correct answer: C.

For a health care organization, which one of the following reasons would MOST likely indicate that the patient benefit data warehouse should remain in-house rather than be outsourced to an offshore operation?
A. There are regulations reg
Correct answer: A.

Which of the following is the MOST important requirement for the successful testing of a disaster recovery plan (DRP)?
A. Participation by all of the identified resources
B. Management approval of the testing scenario
C. Advance notice f
Correct answer: B.

Which of the following is the MOST reasonable option for recovering a noncritical system?
A. Warm site
B. Mobile site
C. Hot site
D. Cold site
Correct answer: D.

When transmitting a payment instruction, which of the following will help verify that the instruction was not duplicated?
A. Using a cryptographic hashing algorithm
B. Enciphering the message digest
C. Deciphering the message digest
D. U
Correct answer: D.

Which of the following disaster recovery/continuity plan components provides the GREATEST assurance of recovery after a disaster?
A. The alternate facility will be available until the original information processing facility is restored.
Correct answer: A.

Which of the following physical access controls effectively reduces the risk of piggybacking?
A. Biometric door locks
B. Combination door locks
C. Deadman doors
D. Bolting door locks
Correct answer: C.

When performance issues are discovered during an assessment of the organization's network, the MOST efficient way for the IS auditor to proceed is to examine the:
A. antivirus controls that have been put in place.
B. protocols used on th
Correct answer: C.

Which of the following is the BEST indicator that a newly developed system will be used after it is in production?
A. Regression testing
B. User acceptance testing (UAT)
C. Sociability testing
D. Parallel testing
Correct answer: B.
A. Regression test results do not assist with the user experience and are primarily concerned with new functionality or processes and whether those changes altered or broke previous functionality.
B. UAT is underta

Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an electronic funds transfer (EFT) system?
A. Three users with the ability to capture and verify their own messages
B. Five users
Correct answer: A.

The cryptographic hash sum of a message is recalculated by the receiver. This is to ensure:
A. the confidentiality of the message.
B. nonrepudiation by the sender.
C. the authenticity of the message.
D. the integrity of data transmitted
Correct answer: D.
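The two digital-signature items above (the digest is computed by both the sender and the receiver; the receiver's recomputation proves integrity, not authenticity) are illustrated by the Go program below. It is an added example, not part of the question set. The types and functions (Envelope, NewSenderKey, Sign, DigestMatches, Verify, Tamper), the choice of RSA PKCS#1 v1.5 over SHA-256 as the signature scheme, and the payment message are all assumptions made for the illustration.

```go
// Added example (not part of the original question set). Both parties compute
// the digest independently. A bare digest detects modification (integrity) but
// an attacker who can alter the message can simply recompute it; only the
// signature over the digest binds the message to the sender's key.
// Key generation, the message and all names here are constructed for the demo.
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what travels over the wire: the message, the sender's digest
// and the sender's signature over that digest.
type Envelope struct {
	Message   []byte
	Digest    []byte // SHA-256 computed by the sender
	Signature []byte // RSA PKCS#1 v1.5 signature over Digest
}

// NewSenderKey generates the sender's RSA key pair (2048-bit, demo only).
func NewSenderKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Sign is the sender side: compute the digest, then sign it.
func Sign(priv *rsa.PrivateKey, msg []byte) (Envelope, error) {
	d := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Message: msg, Digest: d[:], Signature: sig}, nil
}

// DigestMatches is the receiver recomputing the hash and comparing it with
// the one that arrived: this is an integrity check only.
func DigestMatches(env Envelope) bool {
	d := sha256.Sum256(env.Message)
	return bytes.Equal(d[:], env.Digest)
}

// Verify is the receiver recomputing the digest itself (never trusting
// env.Digest) and checking the signature against the sender's public key:
// integrity plus authenticity of origin.
func Verify(pub *rsa.PublicKey, env Envelope) bool {
	d := sha256.Sum256(env.Message)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], env.Signature) == nil
}

// Tamper models an on-path attacker who changes the message and, because the
// digest is unkeyed, recomputes it. The signature cannot be redone without the
// sender's private key, so it is carried over unchanged.
func Tamper(env Envelope, newMsg []byte) Envelope {
	d := sha256.Sum256(newMsg)
	return Envelope{Message: newMsg, Digest: d[:], Signature: env.Signature}
}

func main() {
	priv, err := NewSenderKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample payment instruction.
	env, err := Sign(priv, []byte("PAY 100.00 EUR to account 42"))
	if err != nil {
		panic(err)
	}
	fmt.Println("original: digest ok =", DigestMatches(env),
		"signature ok =", Verify(&priv.PublicKey, env))

	bad := Tamper(env, []byte("PAY 100000.00 EUR to account 42"))
	fmt.Println("tampered: digest ok =", DigestMatches(bad),
		"signature ok =", Verify(&priv.PublicKey, bad))
}
```

The tampered envelope still passes DigestMatches, because an unkeyed hash says nothing about who produced it; that is why a recalculated hash sum alone gives option D (integrity) and not option C (authenticity) in the second item. Verify fails on the same envelope, because the receiver's own digest no longer matches the one the sender signed.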
An IS auditor notes during an audit that an organization's business continuity plan (BCP) does not adequately address information confidentiality during the recovery process. The IS auditor should recommend that the plan be modified to include:
Correct answer: A.

An IS auditor is reviewing the expansion plans for an organization which is opening a new office about 80 meters away from their existing facility. The plan is to implement fiber-optic cabling within the new facility and it has been determined that a 100-
Correct answer: A.

When two or more systems are integrated, the IS auditor must review input/output controls in the:
A. systems receiving the output of other systems.
B. systems sending output to other systems.
C. systems sending and receiving data.
D. int
Correct answer: C.

During an IS risk assessment of a healthcare organization regarding protected health information (PHI), an IS auditor interviews IS management. Which of the following findings from the interviews would be of MOST concern to the IS auditor?
Correct answer: B.

The PRIMARY purpose of a postimplementation review is to ascertain that:
A. the lessons learned have been documented.
B. future enhancements can be identified.
C. the project has been delivered on time and budget.
D. project objectives h
Correct answer: D.
A. It is important to ensure that lessons learned during the project are not forgotten; however, it is more important to ascertain whether the project solved the problem it was designed to address.
B. Identifying f

Which of the following would help to ensure the portability of an application connected to a database?
A. Verification of database import and export procedures
B. Usage of a structured query language (SQL)
C. Analysis of stored procedure
Correct answer: B.

Many organizations require an employee to take a mandatory vacation (holiday) of a week or more to:
A. ensure the employee maintains a good quality of life, which will lead to greater productivity.
B. reduce the opportunity for an employ
Correct answer: B.

Which of the following is a prevalent risk in the development of end-user computing (EUC) applications?
A. Applications may not be subject to testing and IT general controls.
B. Development and maintenance costs may be increased.
C. Appl
Correct answer: A.

An IS auditor is reviewing a project risk assessment and notices that the overall risk level is high due to confidentiality requirements. Which of the following types of risk is normally high due to the number of users and business areas the project may a
Correct answer: C.
A. Control risk can be high, but it would be due to internal controls not being identified, evaluated or tested, and would not be due to the number of users or business areas affected.
B. Compliance risk is the penalty ap

Sharing risk is a key factor in which of the following methods of managing risk?
A. Transferring risk
B. Tolerating risk
C. Terminating risk
D. Treating risk
Correct answer: A.

An IS auditor is reviewing the change management process for an enterprise resource planning (ERP) application. Which of the following is the BEST method for testing program changes?
A. Select a sample of change tickets and review them f
Correct answer: C.
A. Selecting a sample of change tickets and reviewing them for authorization helps test for authorization controls; however, it does not identify program changes that were made without supporting change tickets.
B. Perfor

Value delivery from IT to the business is MOST effectively achieved by:
A. aligning the IT strategy with the enterprise strategy.
B. embedding accountability in the enterprise.
C. providing a positive return on investment (ROI).
D. estab
Correct answer: A.
A. IT's value delivery to the business is driven by aligning IT with the enterprise's strategy.
B. Embedding accountability in the enterprise promotes risk management (another element of corporate governance).
C. While RO
An IS auditor discovers that URLs for online control self-assessment questionnaires are sent using URL shortening services. The use of URL shortening services would MOST likely increase the risk of which of the following attacks?Select an answer: A. IP s
You are correct, the answer is B.
An IS auditor is assigned to perform a postimplementation review of an application system. Which of the following situations may have impaired the independence of the IS auditor? The IS auditor:Select an answer: A. implemented a specific functionality du
You answered D. The correct answer is A.
An IS auditor is reviewing the database backup and recovery plan developed by the organization's database administration team. Which of the following is of MOST importance to the auditor?Select an answer:A. Backup validation is being performed. B. The b
You are correct, the answer is A.
The MOST important reason for an IS auditor to obtain sufficient and appropriate audit evidence is to:Select an answer:A. comply with regulatory requirements.B. provide a basis for drawing reasonable conclusions.C. ensure complete audit coverage. D. p
You answered A. The correct answer is B.
Which of the following software testing methods provides the BEST feedback on how software will perform in the live environment?Select an answer:A. Alpha testingB. Regression testingC. Beta testing D. White box testing
You are correct, the answer is C.
Which of the following is MOST important when an operating system (OS) patch is to be applied to a production environment?Select an answer:A. Successful regression testing by the developerB. Approval from the information asset owner C. Approval from th
You are correct, the answer is B.
Which of the following is the MOST important action in recovering from a cyberattack?Select an answer:A. Creating an incident response teamB. Using cyberforensic investigatorsC. Executing a business continuity plan D. Filing an insurance claim
You are correct, the answer is C.
A technical lead who was working on a major project has left the organization. The project manager reports suspicious system activities on one of the servers that is accessible to the whole team. Which of the following would be of GREATEST concern during
You are correct, the answer is A.
Which of the following is the BEST factor for determining the extent of data collection during the planning phase of an IS compliance audit?Select an answer:A. Complexity of the organization's operationB. Findings and issues noted from the prior year C
You are correct, the answer is C.
An IS auditor selects a server for a penetration test that will be carried out by a technical specialist. Which of the following is MOST important?Select an answer:A. The tools used to conduct the testB. Certifications held by the IS auditor C. Permiss
You are correct, the answer is C.
Which of the following is the BEST control to mitigate the risk of pharming attacks to an Internet banking application?Select an answer:A. User registration and password policiesB. User security awareness C. Use of intrusion detection/intrusion prevent
You are correct, the answer is D.
Which testing approach is MOST appropriate to ensure that internal application interface errors are identified as soon as possible?Select an answer:A. Bottom upB. Sociability testingC. Top-down D. System test
You are correct, the answer is C.
Which of the following would be BEST prevented by a raised floor in the computer machine room?Select an answer:A. Damage of wires around computers and serversB. A power failure from static electricityC. Shocks from earthquakes D. Water flood damage
You answered D. The correct answer is A.
Over the long term, which of the following has the greatest potential to improve the security incident response process?Select an answer:A. A walk-through review of incident response proceduresB. Postevent reviews by the incident response team C. Ongoi
You are correct, the answer is B.
Which of the following is an example of a passive attack initiated through the Internet?Select an answer:A. Traffic analysisB. MasqueradingC. Denial of service D. Email spoofing
You are correct, the answer is A.
An IS auditor is reviewing access to an application to determine whether the 10 most recent new accounts were appropriately authorized. This is an example of:Select an answer:A. variable sampling.B. substantive testing.C. compliance testing. D. stop-o
You answered B. The correct answer is C.
During an audit of a small enterprise, the IS auditor noted that the IS director has superuser-privilege access that allows the director to process requests for changes to the application access roles (access types). Which of the following should the IS a
You are correct, the answer is A.
Which of the following BEST indicates that a business continuity plan (BCP) will function as intended in the event of a disaster?Select an answer:A. Enforced procedures for regular plan updatesB. A tabletop exercise with disaster scenarios C. A compreh
You are correct, the answer is B.A. While recovery plans should be kept current, the use of a tabletop exercise to test the plan is a better option because it involves people and processes. B. A tabletop exercise is used to test the effectiveness of a BC
An IS auditor performing a review of a major software development project finds that it is on schedule and under budget due to unplanned overtime by software developers. The IS auditor should:Select an answer: A. conclude that the project is progressing
You answered A. The correct answer is D.
Which of the following types of risk is MOST likely encountered in a Software as a Service (SaaS) environment?Select an answer:A. Noncompliance with software license agreementsB. Performance issues due to Internet delivery method C. Higher cost due to
You are correct, the answer is B.
The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program?Select an answer:A. Utilizing of intrusion detection system to report incidents B. Mandating the u
You are correct, the answer is D.
Which of the following is MOST critical when creating data for testing the logic in a new or modified application system?Select an answer:A. A sufficient quantity of data for each test case B. Data representing conditions that are expected in actual pro
You are correct, the answer is B.
An IS auditor is reviewing an organization's business continuity plan (BCP) to determine the impact of a disruption in an industry where regulatory requirements demand high availability. Which of the following findings should be of MOST concern to the aud
You are correct, the answer is C.A. While an original copy of the agreement is important, many third parties will send a duplicate original copy of an agreement so that each party has an original. B. Encrypted backups are important to ensure the confiden
IS management recently replaced its existing wired local area network (LAN) with a wireless infrastructure to accommodate the increased use of mobile devices within the organization. This will increase the risk of which of the following attacks?
You are correct, the answer is D.
Which of the following is of GREATEST concern to an IS auditor when performing an audit of a client relationship management (CRM) system migration project?
Select an answer:
A. The technical migration is planned for a Friday preceding a long weekend, and
You are correct, the answer is C.
A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing off on the accuracy and completeness of the data before going live?
Select an answer:
A. IS audito
You are correct, the answer is D.
Which of the following should be of PRIMARY concern to an IS auditor reviewing the management of external IT service providers?
Select an answer:
A. Minimizing costs for the services provided
B. Prohibiting the provider from subcontracting services
C. Eva
You answered C. The correct answer is D.
An IS auditor invited to a project development meeting notes that no project risk has been documented. When the IS auditor raises this issue, the project manager responds that it is too early to identify risk and that, if risk starts impacting the project
You answered D. The correct answer is A.
An IS auditor performing an application maintenance audit would review the log of program changes for the:
Select an answer:
A. authorization of program changes.
B. creation date of a current object module.
C. number of program changes actually made.
D. c
You answered C. The correct answer is A.
During a disaster recovery test, an IS auditor observes that the performance of the disaster recovery site's server is slow. To find the root cause of this, the IS auditor should FIRST review the:
Select an answer:
A. event error log generated at the disa
You answered B. The correct answer is D.
Which of the following data validation edits is effective in detecting transposition and transcription errors?
Select an answer:
A. Range check
B. Check digit
C. Validity check
D. Duplicate check
You are correct, the answer is B.
An organization is disposing of a number of laptop computers. Which of the following data destruction methods would be the MOST effective?
Select an answer:
A. Run a low-level data wipe utility on all hard drives.
B. Erase all data file directories.
C. Fo
You answered A. The correct answer is D.
The knowledge base of an expert system that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as:
Select an answer:
A. rules.
B. decision trees.
C. semantic nets.
D. dataflow diagrams.
You are correct, the answer is B.
An IS auditor reviewing the authentication controls of an organization should be MOST concerned if:
Select an answer:
A. user accounts are not locked out after five failed attempts.
B. passwords can be reused by employees within a defined time frame.
C. s
You answered A. The correct answer is C.
After initial investigation, an IS auditor has reasons to believe that fraud may be present. The IS auditor should:
Select an answer:
A. expand activities to determine whether an investigation is warranted.
B. report the matter to the audit committee.
C.
You answered B. The correct answer is A.
Which of the following is the MOST reasonable option for recovering a noncritical system?
Select an answer:
A. Warm site
B. Mobile site
C. Hot site
D. Cold site
You are correct, the answer is D.
An IS auditor performing a review of application controls would evaluate the:
Select an answer:
A. efficiency of the application in meeting the business processes.
B. impact of any exposures discovered.
C. business processes served by the application.
D.
You answered A. The correct answer is B.
What is a risk associated with attempting to control physical access to sensitive areas such as computer rooms using card keys or locks?
Select an answer:
A. Unauthorized individuals wait for controlled doors to open and walk in behind those authorized.
B
You are correct, the answer is A.
A web server is attacked and compromised. Which of the following should be performed FIRST to handle the incident?
Select an answer:
A. Dump the volatile storage data to a disk.
B. Run the server in a fail-safe mode.
C. Disconnect the web server from the
You are correct, the answer is C.
An IS auditor analyzing the audit log of a database management system (DBMS) finds that some transactions were partially executed as a result of an error and have not been rolled back. Which of the following transaction processing features has been violat
You are correct, the answer is D.
When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is
You answered A. The correct answer is B.
When using public key encryption to secure data being transmitted across a network:
Select an answer:
A. both the key used to encrypt and decrypt the data are public.
B. the key used to encrypt is private, but the key used to decrypt the data is public.
C
You are correct, the answer is C.
While planning an audit, an assessment of risk should be made to provide:
Select an answer:
A. reasonable assurance that the audit will cover material items.
B. definite assurance that material items will be covered during the audit work.
C. reasonable as
You are correct, the answer is A.
An IS auditor is planning to evaluate the control design effectiveness related to an automated billing process. Which of the following is the MOST effective approach for the auditor to adopt?
Select an answer:
A. Process narrative
B. Inquiry
C. Reperforma
You are correct, the answer is D.
A. Process narratives may not be current or complete and may not reflect the actual process in operation.
B. Inquiry can be used to understand the controls in a process only if it is accompanied by verification of evidenc
A benefit of quality of service (QoS) is that the:
Select an answer:
A. entire network's availability and performance will be significantly improved.
B. telecom carrier will provide the company with accurate service-level compliance reports.
C. participat
You answered A. The correct answer is C.
Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit?
Select an answer:
A. Contingency planning
B. IS management resource allocation
C. Project management
D. Knowledge of inte
You are correct, the answer is C.
A. Contingency planning is often associated with the organization's operations. IS auditors should have knowledge of contingency planning techniques.
B. IS managers are responsible for resource management of their departm
When reviewing the IT strategic planning process, an IS auditor should ensure that the plan:
Select an answer:
A. incorporates state of the art technology.
B. addresses the required operational controls.
C. articulates the IT mission and vision.
D. specif
You are correct, the answer is C.
The PRIMARY advantage of a continuous audit approach is that it:
Select an answer:
A. does not require an IS auditor to collect evidence on system reliability while processing is taking place.
B. requires the IS auditor to review and follow up immediately
You are correct, the answer is C.
Which of the following append themselves to files as a protection against viruses?
Select an answer:
A. Behavior blockers
B. Cyclical redundancy checkers (CRCs)
C. Immunizers
D. Active monitors
You answered D. The correct answer is C.
The objective of concurrency control in a database system is to:
Select an answer:
A. restrict updating of the database to authorized users.
B. prevent integrity problems when two processes attempt to update the same data at the same time.
C. prevent inad
You answered C. The correct answer is B.
A consulting firm has created an FTP site for the purpose of receiving financial data and has communicated the site's address, user ID and password to the financial services company in separate email messages. The company is to transmit its data to the FT
You answered B. The correct answer is A.
Due to a recent economic downturn, an IT organization has terminated several administrators and consolidated all IT administration at its central headquarters. During an IT audit, the auditor determines that the organization has implemented remote adminis
You are correct, the answer is D.
Which of the following functions should be performed by the application owners to ensure an adequate segregation of duties between IS and end users?
Select an answer:
A. System analysis
B. Authorization of access to data
C. Application programming
D. Data
You are correct, the answer is B.
Which of the following issues should be a MAJOR concern to an IS auditor who is reviewing a service level agreement (SLA)?
Select an answer:
A. A service adjustment resulting from an exception report took a day to implement.
B. The complexity of applicati
You are correct, the answer is C.
Accountability for the maintenance of appropriate security measures over information assets resides with the:
Select an answer:
A. security administrator.
B. systems administrator.
C. data and systems owners.
D. systems operations group.
You are correct, the answer is C.
The PRIMARY purpose for meeting with auditees prior to formally closing a review is to:
Select an answer:
A. confirm that the auditors did not overlook any important issues.
B. gain agreement on the findings.
C. receive feedback on the adequacy of the aud
You answered C. The correct answer is B.
Which of the following should be a MAJOR concern for an IS auditor reviewing a business continuity plan (BCP)?
Select an answer:
A. The plan is approved by the chief information officer (CIO).
B. The plan contact lists have not been updated.
C. Test resul
You answered B. The correct answer is C.
An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should FIRST review:
Select an answer:
A. the controls already in place.
B. the effectiveness of the controls in place.
C. the mechanism for monitoring the ris
You answered C. The correct answer is D.
Which of the following should the IS auditor review to ensure that servers are optimally configured to support processing requirements?
Select an answer:
A. Benchmark test results
B. Server logs
C. Downtime reports
D. Server utilization data
You answered C. The correct answer is D.
Which of the following groups is the BEST source of information for determining the criticality of application systems as part of a business impact analysis (BIA)?
Select an answer:
A. Business process owners
B. IT management
C. Senior business manageme
You are correct, the answer is A.
During a logical access controls review, an IS auditor observes that user accounts are shared. The GREATEST risk resulting from this situation is that:
Select an answer:
A. an unauthorized user may use the ID to gain access.
B. user access management is t
You are correct, the answer is C.
Which of the following is the initial step in creating a firewall policy?
Select an answer:
A. A cost-benefit analysis of methods for securing the applications
B. Identification of network applications to be externally accessed
C. Identification of vulner
You answered D. The correct answer is B.
When planning an audit of a network setup, an IS auditor should give HIGHEST priority to obtaining which of the following network documentation?
Select an answer:
A. Wiring and schematic diagram
B. Users' lists and responsibilities
C. Application lists an
You are correct, the answer is A.
An IS auditor is reviewing the software development process for an organization. Which of the following functions would be appropriate for the end users to perform?
Select an answer:
A. Program output testing
B. System configuration
C. Program logic speci
You are correct, the answer is A.
A sender of an email message applies a digital signature to the digest of the message. This action provides assurance of the:
Select an answer:
A. date and time stamp of the message.
B. identity of the originating computer.
C. confidentiality of the messa
You are correct, the answer is D.
During maintenance of a relational database, several values of the foreign key in a transaction table have been corrupted. The consequence is that:
Select an answer:
A. the detail of involved transactions may no longer be associated with master data, caus
You answered B. The correct answer is A.
Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs?
Select an answer:
A. System log analysis
B. Compliance testing
C. Forensic analysis
D. Analytical review
You answered D. The correct answer is B.
When reviewing system parameters, an IS auditor's PRIMARY concern should be that:
Select an answer:
A. they are set to meet security and performance requirements.
B. changes are recorded in an audit trail and periodically reviewed.
C. changes are authoriz
You answered C. The correct answer is A.
Which of the following should an IS auditor review to understand project progress in terms of time, budget and deliverables for early detection of possible overruns and for projecting estimates at completion (EACs)?
Select an answer:
A. Function point ana
You are correct, the answer is B.
Which of the following is the BEST audit procedure to determine if a firewall is configured in compliance with an organization's security policy?
Select an answer:
A. Review the parameter settings.
B. Interview the firewall administrator.
C. Review the ac
You are correct, the answer is A.
An IS auditor is reviewing access controls for a manufacturing organization. During the review, the IS auditor discovers that data owners have the ability to change access controls for a low-risk application. The BEST course of action for the IS auditor i
You answered A. The correct answer is D.
IS management is considering a Voice-over IP (VoIP) network to reduce telecommunication costs and management asked the IS auditor to comment on appropriate security controls. Which of the following security measures is MOST appropriate?
You answered C. The correct answer is A.
When preparing an audit report the IS auditor should ensure that the results are supported by:
Select an answer:
A. statements from IS management.
B. work papers of other auditors.
C. an organizational control self-assessment.
D. sufficient and appropriat
You are correct, the answer is D.
Which of the following would help to ensure the portability of an application connected to a database?
Select an answer:
A. Verification of database import and export procedures
B. Usage of a structured query language (SQL)
C. Analysis of stored procedure
You are correct, the answer is B.
A large chain of shops with electronic funds transfer (EFT) at point-of-sale devices has a central communications processor for connecting to the banking network. Which of the following is the BEST disaster recovery plan for the communications processor?
You answered A. The correct answer is D.
The MOST likely effect of the lack of senior management commitment to IT strategic planning is:
Select an answer:
A. a lack of investment in technology.
B. a lack of a methodology for systems development.
C. technology not aligning with the organization's
You are correct, the answer is C.
An organization allows employees to connect company laptops to company-controlled wireless access points. To prevent unauthorized access to the organization's internal network, the BEST preventive control is to:
Select an answer:
A. enable media access co
You answered C. The correct answer is D.
The MAIN purpose of a transaction audit trail is to:
Select an answer:
A. reduce the use of storage media.
B. determine accountability and responsibility for processed transactions.
C. help an IS auditor trace transactions.
D. provide useful information f
You answered C. The correct answer is B.
Which of the following is the GREATEST advantage of elliptic curve encryption over RSA encryption?
Select an answer:
A. Computation speed
B. Ability to support digital signatures
C. Simpler key distribution
D. Greater strength for a given key length
You are correct, the answer is A.
A proposed transaction processing application will have many data capture sources and outputs in paper and electronic form. To ensure that transactions are not lost during processing, an IS auditor should recommend the inclusion of:
Select an answer:
A. v
You answered C. The correct answer is D.
The information security policy that states "each individual must have their badge read at every controlled door" addresses which of the following attack methods?
Select an answer:
A. Piggybacking
B. Shoulder surfing
C. Dumpster diving
D. Impersonation
You answered D. The correct answer is A.
Which of the following is a PRIMARY objective of an acceptable use policy?
Select an answer:
A. Creating awareness about the secure use of proprietary resources
B. Ensuring compliance with information security policies
C. Defining sanctions for noncomplia
You answered B. The correct answer is D.
What is the MAJOR benefit of conducting a control self-assessment (CSA) over a traditional audit?
Select an answer:
A. It detects risk sooner.
B. It replaces the audit function.
C. It reduces audit workload.
D. It reduces audit resources.
You are correct, the answer is A.
An IS auditor is evaluating the effectiveness of the organization's change management process. What is the MOST important control that the IS auditor should look for to ensure system availability?
Select an answer:
A. That changes are authorized by IT man
You are correct, the answer is C.
Which of the following is the GREATEST concern to an IS auditor reviewing an organization's use of third-party-provided cloud services to store health care billing information?
Select an answer:
A. Disparate backup requirements
B. Availability of infrastr
You are correct, the answer is C.
A. Although disparate backup requirements may present a challenge, the primary concern is maintaining segregation of client data.
B. Availability of infrastructure is an inherent benefit of cloud services, and as such is
An IS auditor's PRIMARY concern when application developers wish to use a copy of yesterday's production transaction file for volume tests is that:
Select an answer:
A. users may prefer to use contrived data for testing.
B. unauthorized access to sensitiv
You are correct, the answer is B.
When testing program change requests, an IS auditor finds that the population of changes was too small to provide a reasonable level of assurance. What is the MOST appropriate action for the IS auditor to take?
Select an answer:
A. Develop an alternate te
You are correct, the answer is A.
During fieldwork, an IS auditor experienced a system crash caused by a security patch installation. To provide reasonable assurance that this event will not recur, the IS auditor should ensure that:
Select an answer:
A. only systems administrators perform
You answered D. The correct answer is B.
An IS auditor is planning to evaluate the control design effectiveness related to an automated billing process. Which of the following is the MOST effective approach for the auditor to adopt?
Select an answer:
A. Process narrative
B. Inquiry
C. Reperforma
You answered B. The correct answer is D.
A. Process narratives may not be current or complete and may not reflect the actual process in operation.
B. Inquiry can be used to understand the controls in a process only if it is accompanied by verification of
Segmenting a highly sensitive database results in:
Select an answer:
A. reduced exposure.
B. reduced threat.
C. less criticality.
D. less sensitivity.
You answered B. The correct answer is A.
A. Segmenting data reduces the quantity of data exposed as a result of a particular event.
B. The threat may remain constant, but each segment may represent a different vector against which it must be directed.
C.
An IS auditor reviewing an organization that uses cross-training practices should assess the risk of:
Select an answer:
A. dependency on a single person.
B. inadequate succession planning.
C. one person knowing all parts of a system.
D. a disruption of op
You are correct, the answer is C.
A rapid application development (RAD) methodology has been selected to implement a new enterprise resource planning (ERP) system. All of the project activities have been assigned to the contracted consulting company because internal employees are not avai
You are correct, the answer is A.
During a postimplementation review, an IS auditor finds that the delivered application does not meet end-user requirements. Which of the following is the BEST recommendation to prevent future problems with the project management process?
You answered D. The correct answer is B.
A. The question implies that the application developer team is already involved.
B. The waterfall method helps ensure that errors are detected early in the development process. Waterfall development is a procedure-
Which of the following would be MOST important for an IS auditor to verify while conducting a business continuity audit?
Select an answer:
A. Data backups are performed on a timely basis.
B. A recovery site is contracted for and available as needed.
C. Hu
You answered A. The correct answer is C.
To minimize the cost of a software project, quality management techniques should be applied:
Select an answer:
A. as close to their writing (i.e., point of origination) as possible.
B. primarily at project start to ensure that the project is established i
You answered B. The correct answer is C.
Comparing data from an accounts payable application with invoices received from vendors in the month of December is BEST described as:
Select an answer:
A. substantive testing.
B. compliance testing.
C. qualitative analysis.
D. judgment sampling.
You answered C. The correct answer is A.
When creating a password, a system generates the initial password and then forces the user to change the password when the user logs on for the first time. The system allows the user to enter the same password generated by the system as the user's own/new
You answered B. The correct answer is C.
An IS auditor is reviewing IT projects for a large company and wants to determine whether the IT projects undertaken in a given year are those which have been assigned the highest priority by the business and which will generate the greatest business valu
You are correct, the answer is B.
Which of the following should an IS auditor be MOST concerned about in a financial application?
Select an answer:
A. Programmers have access to application source code.
B. Secondary controls are documented for identified role conflicts.
C. The information
You are correct, the answer is D.
A. Programmers who have access to application source code are not of concern to the IS auditor because programmers need access to source code to do their job.
B. When segregation of duties conflicts are identified, second
An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation?
Select an answer:
A. Log all table update transactions.
B. Implement integrity constraints in the
You are correct, the answer is B.
Which of the following will prevent dangling tuples in a database?
Select an answer:
A. Cyclic integrity
B. Domain integrity
C. Relational integrity
D. Referential integrity
You are correct, the answer is D.
The goal of IT risk analysis is to:
Select an answer:
A. enable the alignment of IT risk management with enterprise risk management (ERM).
B. enable the prioritization of risk responses.
C. satisfy legal and regulatory compliance requirements.
D. identify
You answered A. The correct answer is B.
A. Aligning IT risk management with ERM is important to ensure the cost-effectiveness of the overall risk management process. However, risk analysis does not enable such an alignment.
B. Risk analysis is a process
What control detects transmission errors by appending calculated bits onto the end of each segment of data?
Select an answer:
A. Reasonableness check
B. Parity check
C. Redundancy check
D. Check digits
You answered D. The correct answer is C.
IT management has decided to install a level 1 Redundant Array of Inexpensive Disks (RAID) system in all servers to compensate for the elimination of offsite backups. The IS auditor should recommend:
Select an answer:
A. upgrading to a level 5 RAID.
B. in
You answered A. The correct answer is C.
In regard to moving an application program from the test environment to the production environment, the BEST control would be to have the:
Select an answer:
A. application programmer copy the source program and compiled object module to the production lib
You answered B. The correct answer is D.
An IS auditor reviewing an organization's IT strategic plan should FIRST review:
Select an answer:
A. the existing IT environment.
B. the business plan.
C. the present IT budget.
D. current technology trends.
You are correct, the answer is B.
An offsite information processing facility with electrical wiring, air conditioning and flooring, but no computer or communications equipment, is a:
Select an answer:
A. cold site.
B. warm site.
C. dial-up site.
D. duplicate processing facility.
You answered B. The correct answer is A.
Data flow diagrams are used by IS auditors to:
Select an answer:
A. order data hierarchically.
B. highlight high-level data definitions.
C. graphically summarize data paths and storage.
D. portray step-by-step details of data generation.
You are correct, the answer is C.
Which of the following is the BEST method for determining the criticality of each application system in the production environment?
Select an answer:
A. Interview the application programmers.
B. Perform a gap analysis.
C. Review the most recent applicatio
You answered A. The correct answer is D.
During a security audit of IT processes, an IS auditor found that documented security procedures did not exist. The IS auditor should:
Select an answer:
A. create the procedures document.
B. terminate the audit.
C. conduct compliance testing.
D. identify
You are correct, the answer is D.
Responsibility for the governance of IT should rest with the:
Select an answer:
A. IT strategy committee.
B. chief information officer (CIO).
C. audit committee.
D. board of directors.
You answered A. The correct answer is D.
An IS auditor discovers that, in many cases, a username and password are the same, which is contrary to policy. What is the BEST recommendation?
Select an answer:
A. Modify the enterprise's security policy.
B. Educate users about the risk of weak password
You are correct, the answer is D.
While conducting an audit, an IS auditor detects the presence of a virus. What should be the IS auditor's next step?
Select an answer:
A. Observe the response mechanism.
B. Clear the virus from the network.
C. Inform appropriate personnel immediately.
D.
You are correct, the answer is C.
An IS auditor is reviewing a large financial institution's process of remotely managing network devices over the Internet. The IS auditor should be MOST concerned if:
Select an answer:
A. shared credentials are used.
B. no login banner is displayed.
C. Te
You answered A. The correct answer is C.
A. Shared credentials for network devices do not allow for accountability. However, the use of Telnet is a greater risk.
B. Normally a login banner should indicate to unauthorized personnel that access is forbidden
During the collection of forensic evidence, which of the following actions would MOST likely result in the destruction or corruption of evidence on a compromised system?
Select an answer:
A. Dumping the memory content to a file
B. Generating disk images o
You are correct, the answer is C.
An IS auditor is testing employee access to a large financial system. The IS auditor selected a sample from the current employee list provided by the auditee. Which of the following evidence is the MOST reliable to support the testing?
Select an answer:
A
You are correct, the answer is C.
During which of the following phases in system development would user acceptance test plans normally be prepared?
Select an answer:
A. Feasibility study
B. Requirements definition
C. Implementation planning
D. Postimplementation review
You are correct, the answer is B.
Which of the following would have the HIGHEST priority in a business continuity plan (BCP)?
Select an answer:
A. Resuming critical processes
B. Recovering sensitive processes
C. Restoring the site
D. Relocating operations to an alternative site
You are correct, the answer is A.
After installing a network, an organization implemented a vulnerability assessment tool or security scanner to identify possible weaknesses. Which is the MOST serious risk associated with such tools?
Select an answer:
A. Differential reporting
B. False-po
You answered B. The correct answer is C.
During a human resources (HR) audit, an IS auditor is informed that there is a verbal agreement between the IT and HR departments as to the level of IT services expected. In this situation, what should the IS auditor do FIRST?
Select an answer:
A. Postpon
You answered B. The correct answer is C.
Which of the following is the BEST reason to implement a policy which addresses secondary employment for IT employees?
Select an answer:
A. To ensure that employees are not misusing corporate resources
B. To prevent conflicts of interest
C. To prevent emp
You answered D. The correct answer is B.
An IS auditor uses computer-assisted audit techniques (CAATs) to collect and analyze data. Which of the following attributes of evidence is MOST affected by the use of CAATs?
Select an answer:
A. Usefulness
B. Reliability
C. Relevance
D. Adequacy
You answered A. The correct answer is B.
A. Usefulness of audit evidence pulled by CAATs is determined by the audit objective, and the use of CAATs does not have as direct of an impact on usefulness as reliability does.
B. Because the data are directly co
An IS auditor is reviewing database security for an organization. Which of the following is the MOST important consideration for database hardening?
Select an answer:
A. The default configurations are changed.
B. All tables in the database are normalized.
You are correct, the answer is A.
A company undertakes a business process reengineering (BPR) project in support of a new and direct marketing approach to its customers. Which of the following would be an IS auditor's main concern about the new process?Select an answer: A. Whether key co
You answered D. The correct answer is A.
A start-up company has a policy that requires strong encryption of all tape backups. As the volume of data has grown, the time necessary to back up all data has become operationally unacceptable. Which of the following is the BEST recommendation to fix th
You answered D. The correct answer is B.A. While running backups without encryption would solve the performance issue, this does not meet security requirements. B. The primary benefit of performing data classification is so that the appropriate security
Which of the following controls would be MOST effective in ensuring that production source code and object code are synchronized?Select an answer:A. Release-to-release source and object comparison reports B. Library control software restricting changes
You are correct, the answer is D.
Which of the following security measures BEST ensures the integrity of information stored in a data warehouse?Select an answer:A. Validated daily backupsB. Change management proceduresC. Data dictionary maintenance D. A read-only restriction
You are correct, the answer is D.
Applying a digital signature to data traveling in a network provides:Select an answer:A. confidentiality and integrity.B. security and nonrepudiation.C. integrity and nonrepudiation. D. confidentiality and nonrepudiation.
You are correct, the answer is C.
In a relational database with referential integrity, the use of which of the following keys would prevent deletion of a row from a customer table as long as the customer number of that row is stored with live orders on the orders table?
You are correct, the answer is A.

An IS auditor reviewing the implementation of an intrusion detection system (IDS) should be MOST concerned if:
Select an answer:
A. IDS sensors are placed outside of the firewall.
B. a behavior-based IDS is causing many false alarms.
C. a signature-based
You answered B. The correct answer is D.

A sender of an email message applies a digital signature to the digest of the message. This action provides assurance of the:
Select an answer:
A. date and time stamp of the message.
B. identity of the originating computer.
C. confidentiality of the messa
You are correct, the answer is D.

Which of the following should an IS auditor review to understand project progress in terms of time, budget and deliverables for early detection of possible overruns and for projecting estimates at completion (EACs)?
Select an answer:
A. Function point ana
You answered D. The correct answer is B.

Which of the following is the BEST way to satisfy a two-factor user authentication?
Select an answer:
A. A smart card requiring the user's personal identification number (PIN)
B. User ID along with password
C. Iris scanning plus fingerprint scanning
D. A
You answered D. The correct answer is A.

Which of the following are the MOST important considerations when prioritizing the development of controls and countermeasures?
Select an answer:
A. Likelihood and impact
B. Impact and exposure
C. Criticality and sensitivity
D. Value and classification
You answered C. The correct answer is A.
A. The likelihood that a compromise will occur and the impact of that compromise are the two most important factors in determining risk, which in turn drives the development of controls and countermeasures.
B. Impa

An IS auditor is testing employee access to a large financial system. The IS auditor selected a sample from the current employee list provided by the auditee. Which of the following evidence is the MOST reliable to support the testing?
Select an answer:
A
You are correct, the answer is C.

Which of the following would BEST help to prioritize project activities and determine the timeline for a project?
Select an answer:
A. A Gantt chart
B. Earned value analysis (EVA)
C. Program evaluation review technique (PERT)
D. Function point analysis (F
You are correct, the answer is C.

During the review of a biometrics system operation, an IS auditor should FIRST review the stage of:
Select an answer:
A. enrollment.
B. identification.
C. verification.
D. storage.
You answered B. The correct answer is A.

In regard to moving an application program from the test environment to the production environment, the BEST control would be to have the:
Select an answer:
A. application programmer copy the source program and compiled object module to the production lib
You answered A. The correct answer is D.

The GREATEST advantage of rapid application development (RAD) over the traditional system development life cycle (SDLC) is that it:
Select an answer:
A. facilitates user involvement.
B. allows early testing of technical features.
C. facilitates conversion
You are correct, the answer is D.

The goal of IT risk analysis is to:
Select an answer:
A. enable the alignment of IT risk management with enterprise risk management (ERM).
B. enable the prioritization of risk responses.
C. satisfy legal and regulatory compliance requirements.
D. identify
You are correct, the answer is B.
A. Aligning IT risk management with ERM is important to ensure the cost-effectiveness of the overall risk management process. However, risk analysis does not enable such an alignment.
B. Risk analysis is a process by whic

Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit?
Select an answer:
A. Contingency planning
B. IS management resource allocation
C. Project management
D. Knowledge of inte
You are correct, the answer is C.
A. Contingency planning is often associated with the organization's operations. IS auditors should have knowledge of contingency planning techniques.
B. IS managers are responsible for resource management of their dep
Which of the following would BEST help to detect errors in data processing?
Select an answer:
A. Programmed edit checks
B. Well-designed data entry screens
C. Segregation of duties
D. Hash totals
You answered C. The correct answer is D.

Which of the following is a PRIMARY objective of an acceptable use policy?
Select an answer:
A. Creating awareness about the secure use of proprietary resources
B. Ensuring compliance with information security policies
C. Defining sanctions for noncomplia
You answered A. The correct answer is D.

In the process of evaluating program change controls, an IS auditor would use source code comparison software to:
Select an answer:
A. examine source program changes without information from IS personnel.
B. detect a source program change made between acq
You answered B. The correct answer is A.

An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?
Select an answer:
A. Delete all copies of the unauthorized software.
B.
You answered B. The correct answer is C.

An IS auditor reviewing a new outsourcing contract with a service provider would be MOST concerned if which of the following was missing?
Select an answer:
A. A clause providing a "right to audit" service provider
B. A clause defining penalty payments for
You are correct, the answer is A.

An IS auditor is reviewing changes to a company's disaster recovery (DR) strategy. The IS auditor notices that the recovery point objective (RPO) has been shortened for the company's mission-critical application. What is the MOST significant risk of this
You are correct, the answer is C.

When reviewing a hardware maintenance program, an IS auditor should assess whether:
Select an answer:
A. the schedule of all unplanned maintenance is maintained.
B. it is in line with historical trends.
C. it has been approved by the IS steering committee
You answered C. The correct answer is D.

To ensure message integrity, confidentiality and nonrepudiation between two parties, the MOST effective method would be to create a message digest by applying a cryptographic hashing algorithm against:
Select an answer:
A. the entire message, enciphering
You answered D. The correct answer is A.

An IS auditor evaluating logical access controls should FIRST:
Select an answer:
A. document the controls applied to the potential access paths to the system.
B. test controls over the access paths to determine if they are functional.
C. evaluate the secu
You answered C. The correct answer is D.

Which of the following activities should the business continuity manager perform FIRST after the replacement of hardware at the primary information processing facility?
Select an answer:
A. Verify compatibility with the hot site
B. Review the implementati
You answered A. The correct answer is D.

The PRIMARY objective of conducting a postimplementation review for a business process automation project is to:
Select an answer:
A. ensure that the project meets the intended business requirements.
B. evaluate the adequacy of controls.
C. confirm compli
You are correct, the answer is A.
A. Ensuring that the project meets the intended business requirements is the primary objective of a postimplementation review.
B. Evaluating the adequacy of controls may be part of the review, but is not the primary objec

An IS auditor reviewing an organization that uses cross-training practices should assess the risk of:
Select an answer:
A. dependency on a single person.
B. inadequate succession planning.
C. one person knowing all parts of a system.
D. a disruption of op
You are correct, the answer is C.

To ensure that audit resources deliver the best value to the organization, the FIRST step would be to:
Select an answer:
A. schedule the audits and monitor the time spent on each audit.
B. train the IS audit staff on current technology used in the company
You answered D. The correct answer is C.

To verify that the correct version of a data file was used for a production run, an IS auditor should review:
Select an answer:
A. operator problem reports.
B. operator work schedules.
C. system logs.
D. output distribution reports.
You answered D. The correct answer is C.

Which of the following BEST indicates that a business continuity plan (BCP) will function as intended in the event of a disaster?
Select an answer:
A. Enforced procedures for regular plan updates
B. A tabletop exercise with disaster scenarios
C. A compreh
You are correct, the answer is B.
A. While recovery plans should be kept current, the use of a tabletop exercise to test the plan is a better option because it involves people and processes.
B. A tabletop exercise is used to test the effectiveness of a BC
An IS auditor evaluating logical access controls should FIRST:
Select an answer:
A. document the controls applied to the potential access paths to the system.
B. test controls over the access paths to determine if they are functional.
C. evaluate the secu
You are correct, the answer is D.

An IS auditor has found time constraints and expanded needs to be the root causes for recent violations of corporate data definition standards in a new business intelligence project. Which of the following is the MOST appropriate suggestion for an auditor
You answered D. The correct answer is A.

With the help of a security officer, granting access to data is the responsibility of:
Select an answer:
A. data owners.
B. programmers.
C. system analysts.
D. librarians.
You are correct, the answer is A.

Which of the following is the MOST effective type of antivirus software?
Select an answer:
A. Scanners
B. Active monitors
C. Integrity checkers
D. Vaccines
You answered B. The correct answer is C.

An IS auditor at a bank is performing compliance testing and has discovered that one of the branches has virus signatures that have not been updated in over six months. In this case, the IS auditor should recommend:
Select an answer:
A. security awareness
You are correct, the answer is B.

An IS auditor is reviewing a contract management process to determine the financial viability of a software vendor for a critical business application. An IS auditor should determine whether the vendor being considered:
Select an answer:
A. can deliver on
You answered C. The correct answer is D.

After implementation of a disaster recovery plan, predisaster and postdisaster operational costs for an organization will:
Select an answer:
A. decrease.
B. not change (remain the same).
C. increase.
D. increase or decrease depending upon the nature of th
You are correct, the answer is C.

The use of object-oriented design and development techniques would MOST likely:
Select an answer:
A. facilitate the ability to reuse modules.
B. improve system performance.
C. enhance control effectiveness.
D. speed up the system development life cycle.
You are correct, the answer is A.

Although management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should:
Select an answer:
A. include the statement of management in the audit re
You are correct, the answer is B.

An IS auditor is planning an audit of a bank wire transfer system in the context of a regulation that requires banks to accurately report transactions. Which of the following represents the PRIMARY focus of the audit scope?
Select an answer:
A. Data avail
You are correct, the answer is D.

The application systems of an organization using open-source software have no single recognized developer producing patches. Which of the following would be the MOST secure way of updating open-source software?
Select an answer:
A. Rewrite the patches and
You are correct, the answer is D.
Suitable patches from the existing developers should be selected and tested before applying them. Rewriting the patches and applying them is not a correct answer because it would require skilled resources and time to rewr

An IS auditor performing an application maintenance audit would review the log of program changes for the:
Select an answer:
A. authorization of program changes.
B. creation date of a current object module.
C. number of program changes actually made.
D. c
You answered D. The correct answer is A.

Which of the following is an object-oriented technology characteristic that permits an enhanced degree of security over data?
Select an answer:
A. Inheritance
B. Dynamic warehousing
C. Encapsulation
D. Polymorphism
You answered A. The correct answer is C.
A database administrator has detected a performance problem with some tables which could be solved through denormalization. This situation will increase the risk of:
Select an answer:
A. concurrent access.
B. deadlocks.
C. unauthorized access to data.
D.
You answered A. The correct answer is D.

Which one of the following could be used to provide automated assurance that proper data files are being used during processing?
Select an answer:
A. Internal labeling, including file header records
B. Version usage
C. Parity checking
D. File security con
You answered B. The correct answer is A.

The GREATEST risk from an improperly implemented intrusion prevention system (IPS) is:
Select an answer:
A. that there will be too many alerts for system administrators to verify.
B. decreased network performance due to IPS traffic.
C. the blocking of cri
You are correct, the answer is C.

An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation?
Select an answer:
A. Log all table update transactions.
B. Implement integrity constraints in the
You are correct, the answer is B.

A manufacturing firm wants to automate its invoice payment system. Objectives state that the system should require considerably less time for review and authorization, and the system should be capable of identifying errors that require follow up. Which of
You answered B. The correct answer is C.

The computer security incident response team (CSIRT) of an organization disseminates detailed descriptions of recent threats. An IS auditor's GREATEST concern should be that the users may:
Select an answer:
A. use this information to launch attacks.
B. fo
You are correct, the answer is A.

Which of the following is an advantage of the top-down approach to software testing?
Select an answer:
A. Interface errors are identified early.
B. Testing can be started before all programs are complete.
C. It is more effective than other testing approac
You answered D. The correct answer is A.

An IS auditor is assessing a biometric system used to protect physical access to a data center containing regulated data. Which of the following observations is the GREATEST concern to the auditor?
Select an answer:
A. Administrative access to the biometr
You answered B. The correct answer is C.
A. Generally, VPN software provides a secure tunnel so that remote administration functions can be performed. This is not a concern.
B. Biometric scanners are best located in restricted areas to prevent tampering,

An IS auditor is evaluating processes put in place by management at a storage location containing computer equipment. One of the test procedures compares the equipment on location with the inventory records. This type of testing procedure executed by the
You answered D. The correct answer is A.
A. Substantive testing obtains audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period.
B. Compliance testing is evidence gathering for the purpose of testing

When reviewing a project where quality is a major concern, an IS auditor should use the project management triangle to explain that:
Select an answer:
A. increases in quality can be achieved, even if resource allocation is decreased.
B. increases in quali
You answered B. The correct answer is A.

Which of the following would be the BEST access control procedure?
Select an answer:
A. The data owner formally authorizes access and an administrator implements the user authorization tables.
B. Authorized staff implements the user authorization tables a
You answered C. The correct answer is A.

An organization is using symmetric encryption. Which of the following would be a valid reason for moving to asymmetric encryption? Symmetric encryption:
Select an answer:
A. provides authenticity.
B. is faster than asymmetric encryption.
C. can cause key
You answered A. The correct answer is C.

During an audit of a small company that provides medical transcription services, an IS auditor observes several issues related to the backup and restore process. Which of the following should be the auditor's GREATEST concern?
Select an answer:
A. Restora
You answered A. The correct answer is C.
When planning to add personnel to tasks imposing time constraints on the duration of a project, which of the following should be revalidated FIRST?
Select an answer:
A. The project budget
B. The critical path for the project
C. The length of the remaining
You answered A. The correct answer is B.

ABC Inc. offers a number of services through its web site. During one day, senior executives of ABC Inc. were surprised to discover that sensitive data on their servers were being leaked to unauthorized individuals on the Internet. Postincident investigati
You answered A. The correct answer is C.

The PRIMARY objective of business continuity and disaster recovery plans should be to:
Select an answer:
A. safeguard critical IS assets.
B. provide for continuity of operations.
C. minimize the loss to an organization.
D. protect human life.
You are correct, the answer is D.

Which of the following software testing methods provides the BEST feedback on how software will perform in the live environment?
Select an answer:
A. Alpha testing
B. Regression testing
C. Beta testing
D. White box testing
You are correct, the answer is C.

A database administrator (DBA) who needs to make emergency changes to a database after normal working hours should log in:
Select an answer:
A. with their named account to make the changes.
B. with the shared DBA account to make the changes.
C. to the ser
You are correct, the answer is A.

An IS auditor selects a server for a penetration test that will be carried out by a technical specialist. Which of the following is MOST important?
Select an answer:
A. The tools used to conduct the test
B. Certifications held by the IS auditor
C. Permiss
You are correct, the answer is C.

The PRIMARY objective of implementing corporate governance is to:
Select an answer:
A. provide strategic direction.
B. control business operations.
C. align IT with business.
D. implement best practices.
You are correct, the answer is A.

During an IS audit of a bank, the IS auditor is assessing whether the enterprise properly manages staff member access to the operating system. The IS auditor should determine whether the enterprise performs:
Select an answer:
A. periodic review of user ac
You answered B. The correct answer is A.

During fieldwork, an IS auditor experienced a system crash caused by a security patch installation. To provide reasonable assurance that this event will not recur, the IS auditor should ensure that:
Select an answer:
A. only systems administrators perform
You are correct, the answer is B.

A company has contracted with an external consulting firm to implement a commercial financial system to replace its existing system developed in-house. In reviewing the proposed development approach, which of the following would be of GREATEST concern?
You are correct, the answer is B.
An online stock trading firm is in the process of implementing a system to provide secure email exchange with its customers. What is the BEST option to ensure confidentiality, integrity and nonrepudiation?
Select an answer:
A. Symmetric key encryption
B.
You are correct, the answer is D.

Which of the following biometrics has the HIGHEST reliability and lowest false-acceptance rate (FAR)?
Select an answer:
A. Palm scan
B. Face recognition
C. Retina scan
D. Hand geometry
You are correct, the answer is C.

The ability to recognize a potential security incident is:
Select an answer:
A. the primary responsibility of security personnel.
B. not important because many types of incidents could involve security.
C. supported by detailed policies.
D. required of al
You are correct, the answer is D.

Information for detecting unauthorized input from a terminal would be BEST provided by the:
Select an answer:
A. console log printout.
B. transaction journal.
C. automated suspense file listing.
D. user error report.
You answered A. The correct answer is B.

What is the MAJOR benefit of conducting a control self-assessment (CSA) over a traditional audit?
Select an answer:
A. It detects risk sooner.
B. It replaces the audit function.
C. It reduces audit workload.
D. It reduces audit resources.
You are correct, the answer is A.

An organization allows employees to connect company laptops to company-controlled wireless access points. To prevent unauthorized access to the organization's internal network, the BEST preventive control is to:
Select an answer:
A. enable media access co
You are correct, the answer is D.

Which of the following components is responsible for the collection of data in an intrusion detection system (IDS)?
Select an answer:
A. Analyzer
B. Administration console
C. User interface
D. Sensor
You are correct, the answer is D.

For effective implementation after a business continuity plan (BCP) has been developed, it is MOST important that the BCP be:
Select an answer:
A. stored in a secure, offsite facility.
B. approved by senior management
C. communicated to appropriate person
You answered B. The correct answer is C.

An organization is disposing of a number of laptop computers. Which of the following data destruction methods would be the MOST effective?
Select an answer:
A. Run a low-level data wipe utility on all hard drives.
B. Erase all data file directories.
C. Fo
You are correct, the answer is D.

Which of the following is the MOST likely reason an organization implements an emergency change to an application using the emergency change control process?
Select an answer:
A. The application owner requested new functionality.
B. Changes are developed
You are correct, the answer is C.
A. Requests for new functionality by the application owner generally follow normal change control procedures, unless they have an impact on the business function.
B. The agile system development methodology breaks down pr

The FIRST step in a successful attack to a system would be:
Select an answer:
A. gathering information.
B. gaining access.
C. denying services.
D. evading detection.
You are correct, the answer is A.

Which of the following is the BEST control to mitigate the risk of pharming attacks to an Internet banking application?
Select an answer:
A. User registration and password policies
B. User security awareness
C. Use of intrusion detection/intrusion prevent
You are correct, the answer is D.

A perpetrator looking to gain access to and gather information about encrypted data being transmitted over the network would use:
Select an answer:
A. eavesdropping.
B. spoofing.
C. traffic analysis.
D. masquerading.
You are correct, the answer is C.

A new business application has been designed in a large, complex organization and the business owner has requested that the various reports be viewed on a "need to know" basis. Which of the following access control methods would be the BEST method to achi
You are correct, the answer is B.
Which of the following would normally be the MOST reliable evidence for an IS auditor?
Select an answer:
A. A confirmation letter received from a third party verifying an account balance
B. Assurance from line management that an application is working as
You are correct, the answer is A.

Before implementing an IT balanced scorecard (BSC), an organization must:
Select an answer:
A. deliver effective and efficient services.
B. define key performance indicators.
C. provide business value to IT projects.
D. control IT expenses.
You are correct, the answer is B.

The BEST filter rule for protecting a network from being used as an amplifier in a denial of service (DoS) attack is to deny all:
Select an answer:
A. outgoing traffic with IP source addresses external to the network.
B. incoming traffic with discernible
You answered B. The correct answer is A.

When reviewing an organization's strategic IT plan an IS auditor should expect to find:
Select an answer:
A. an assessment of the fit of the organization's application portfolio with business objectives.
B. actions to reduce hardware procurement cost.
C.
You are correct, the answer is A.

Vendors have released patches fixing security flaws in their software. Which of the following should an IS auditor recommend in this situation?
Select an answer:
A. Assess the impact of patches prior to installation.
B. Ask the vendors for a new software
You are correct, the answer is A.

An enterprise is developing a strategy to upgrade to a newer version of its database software. Which of the following tasks can an IS auditor perform without compromising the objectivity of the IS audit function?
Select an answer:
A. Advise on the adoptio
You answered A. The correct answer is D.

The purpose of a checksum on an amount field in an electronic data interchange (EDI) communication of financial transactions is to ensure:
Select an answer:
A. integrity.
B. authenticity.
C. authorization.
D. nonrepudiation.
You are correct, the answer is A.

The PRIMARY benefit of an IT manager monitoring technical capacity is to:
Select an answer:
A. identify needs for new hardware and storage procurement.
B. determine future capacity needs based on usage.
C. ensure that the service level agreement (SLA) req
You answered D. The correct answer is C.

An IS auditor is reviewing the IT governance practices. Which of the following BEST helps the IS auditor evaluate the quality of alignment between IT and the business?
Select an answer:
A. Security policies
B. Operational procedures
C. Project portfolio
D
You are correct, the answer is D.
A. Security policies are important; however, they are not designed to align IT to the business.
B. Operational procedures do not provide the IS auditor assurance of the alignment between IT and the business.
C. The projec

The PRIMARY outcome of a business impact analysis (BIA) is:
Select an answer:
A. a plan for resuming operations after a disaster.
B. a commitment of the organization to physical and logical security.
C. a framework for an effective disaster recovery plan
You answered C. The correct answer is D.
A. A BIA does establish a starting point for planning how to resume operations after a disaster. This is, however, not the primary purpose of a BIA.
B. The public's perception of an organization's physical and logi

An IS auditor has been assigned to review an organization's information security policy. Which of the following issues represents the HIGHEST potential risk?
Select an answer:
A. The policy has not been updated in more than one year.
B. The policy include
You are correct, the answer is C.

The potential for unauthorized system access by way of terminals or workstations within an organization's facility is increased when:
Select an answer:
A. connecting points are available in the facility to connect laptops to the network.
B. users take pre
You answered C. The correct answer is A.

While planning an audit, an assessment of risk should be made to provide:
Select an answer:
A. reasonable assurance that the audit will cover material items.
B. definite assurance that material items will be covered during the audit work.
C. reasonable as
You answered C. The correct answer is A.
An IS auditor is evaluating the effectiveness of the organization's change management process. What is the MOST important control that the IS auditor should look for to ensure system availability?
Select an answer:
A. That changes are authorized by IT man
You answered B. The correct answer is C.

Which of the following BEST mitigates the risk arising from using reciprocal agreements as a recovery alternative?
Select an answer:
A. Perform disaster recovery exercises annually.
B. Ensure that partnering organizations are separated geographically.
C.
You answered D. The correct answer is B.
A. While disaster recovery exercises are important, the greater risk is geographic proximity.
B. If the two partnering organizations are in close geographic proximity, this could lead to both organizations being su

The MOST effective method to permanently remove sensitive data from magnetic media is:
Select an answer:
A. reformatting.
B. degaussing.
C. deleting data.
D. overwriting.
You are correct, the answer is B.
A. Unless it is low-level formatting repeated a number of times, it is not certain that all traces of data are destroyed. This method is inefficient.
B. Degaussing is the application of variable levels of alternating curr

As an outcome of information security governance, strategic alignment provides:
Select an answer:
A. security requirements driven by enterprise requirements.
B. baseline security following best practices.
C. institutionalized and commoditized solutions.
D
You answered D. The correct answer is A.

During a fieldwork observation of system administrative functions, an IS auditor discovered that changes made to the database after normal working hours required only an abbreviated number of steps compared to those made during normal working hours. Which
You are correct, the answer is D.

Which of the following reports is the MOST appropriate source of information for an IS auditor to validate that an Internet service provider (ISP) has been complying with an enterprise service level agreement (SLA) for the availability of outsourced telec
You answered B. The correct answer is D.

Information for detecting unauthorized input from a terminal would be BEST provided by the:
Select an answer:
A. console log printout.
B. transaction journal.
C. automated suspense file listing.
D. user error report.
You answered C. The correct answer is B.

The activation of an enterprise's business continuity plan should be based on predetermined criteria that address the:
Select an answer:
A. duration of the outage.
B. type of outage.
C. probability of the outage.
D. cause of the outage.
You answered B. The correct answer is A.

Which of the following is an implementation risk within the process of decision support systems (DSSs)?
Select an answer:
A. Management control
B. Semistructured dimensions
C. Inability to specify purpose and usage patterns
D. Changes in decision processe
You are correct, the answer is C.

Which of the following responsibilities would MOST likely compromise the independence of an IS auditor when reviewing the risk management process?
Select an answer:
A. Participating in the design of the risk management framework
B. Advising on different i
You are correct, the answer is A.

An organization has established a guest network for visitor access. Which of the following should be of GREATEST concern to an IS auditor?
Select an answer:
A. A login screen is not displayed for guest users.
B. The guest network is not segregated from th
You are correct, the answer is B.

Which of the following processes will be MOST effective in reducing the risk that unauthorized software on a backup server is distributed to the production server?
Select an answer:
A. Manually copy files to accomplish replication.
B. Review changes in th
You are correct, the answer is B.
A database administrator has detected a performance problem with some tables which could be solved through denormalization. This situation will increase the risk of:Select an answer:A. concurrent access.B. deadlocks.C. unauthorized access to data. D.
You answered A. The correct answer is D.
A message signed with a digital signature cannot be repudiated by the sender because a digital signature:Select an answer:A. authenticates the identity of the sender using public key infrastructure (PKI). B. uses a hashing algorithm to validate that mes
You answered C. The correct answer is D.A. The digital signature validates both the identity of the sender and the content. B. Digital signatures have integrity features to ensure that the message content has not changed, which prevents an attacker from
An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should:Select an answer:A. apply the patch according to the patch's release notes. B. ensure
You are correct, the answer is B.
Electromagnetic emissions from a terminal represent an exposure because they:Select an answer:A. affect noise pollution.B. disrupt processor functions.C. produce dangerous levels of electric current. D. can be detected and displayed.
You are correct, the answer is D.
A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it:Select an answer:A. can identify high-risk areas that might need a detailed review later.B. allows IS auditors to independently assess risk. C.
You are correct, the answer is A.
Results of a postimplementation review indicate that only 75 percent of the users can log in to the application concurrently. Which of the following could have BEST discovered the identified weakness of the application?Select an answer:A. Load testing B
You answered A. The correct answer is B.A. Load testing evaluates the performance of the software at peak hours.B. Stress testing determines the capacity of the software to cope with an incremental number of concurrent users. C. Recovery testing evaluat
During the review of an enterprise's preventive maintenance process for systems at a data center, the IS auditor has determined that adequate maintenance is being performed on all critical computing, power and cooling systems. Additionally, it is MOST imp
You answered D. The correct answer is C.
An organization is using symmetric encryption. Which of the following would be a valid reason for moving to asymmetric encryption? Symmetric encryption:Select an answer:A. provides authenticity.B. is faster than asymmetric encryption. C. can cause key
You are correct, the answer is C.
To support an organization's goals, an IS department should have:Select an answer:A. a low-cost philosophy.B. long- and short-range plans.C. leading-edge technology. D. plans to acquire new hardware and software.
You are correct, the answer is B.
The editing/validation of data entered at a remote site would be performed MOST effectively at the:Select an answer:A. central processing site after running the application system. B. central processing site during the running of the application system.
You are correct, the answer is D.
An IS auditor reviews an organizational chart PRIMARILY for:Select an answer:A. an understanding of workflows.B. investigating various communication channels.C. understanding the responsibilities and authority of individuals. D. investigating the netw
You answered A. The correct answer is C.
Which of the following is a function of an IS steering committee?Select an answer:A. Monitoring vendor-controlled change control and testingB. Ensuring a separation of duties within the information's processing environment C. Approving and monitoring m
You answered B. The correct answer is C.
An IS auditor has been assigned to conduct a test that compares job run logs to computer job schedules. Which of the following observations would be of the GREATEST concern to the IS auditor?Select an answer: A. There are a growing number of emergency ch
You are correct, the answer is C.
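The job-log-versus-schedule test in the question above is a classic computer-assisted audit technique: the auditor reconciles what the scheduler says should run against what the run log says did run. The block below is an added example of that reconciliation, not code from the original page or from any vendor tool; the schedule, the log lines and the function names (compare, parse_log) are constructed for illustration. It reports four classes of exception an auditor would follow up on: jobs that ran but are not on the approved schedule, scheduled jobs that started outside their tolerance window, scheduled jobs that did not complete successfully, and days on which a scheduled job never ran at all.

```python
"""Added example: reconcile batch job run logs against the approved job schedule.

Not from the original page. The schedule and the log lines are constructed sample data.
"""
from collections import defaultdict

# Constructed approved schedule: job name -> (expected start "HH:MM", tolerance in minutes)
SCHEDULE = {
    "GL_POST": ("20:00", 30),
    "PAYROLL": ("21:00", 30),
    "BACKUP_DB": ("23:00", 60),
}

# Constructed run log, one execution per line: "<date> <time> <job> <status>"
RUN_LOG = """\
2024-03-01 20:05 GL_POST OK
2024-03-01 21:02 PAYROLL OK
2024-03-01 23:10 BACKUP_DB OK
2024-03-02 20:01 GL_POST OK
2024-03-02 21:55 PAYROLL OK
2024-03-02 23:20 BACKUP_DB FAILED
2024-03-03 03:14 ADHOC_EXPORT OK
2024-03-03 20:00 GL_POST OK
2024-03-03 23:05 BACKUP_DB OK
"""


def _minutes(hhmm):
    """Convert 'HH:MM' to minutes since midnight."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def parse_log(text):
    """Parse log lines into (date, time, job, status) tuples, skipping blank lines."""
    runs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, job, status = line.split()
        runs.append((date, time, job, status))
    return runs


def compare(schedule, log_text):
    """Return the exceptions an auditor would follow up on.

    unscheduled:  executions of jobs that are not on the approved schedule
    off_schedule: scheduled jobs that started outside their tolerance window
    failed:       scheduled jobs whose recorded status was not OK
    missed:       (date, job) pairs where a scheduled job never ran that day
    """
    runs = parse_log(log_text)
    findings = {"unscheduled": [], "off_schedule": [], "failed": [], "missed": []}
    ran_on = defaultdict(set)  # date -> scheduled jobs that ran on that date
    for date, time, job, status in runs:
        if job not in schedule:
            findings["unscheduled"].append((date, time, job))
            continue
        ran_on[date].add(job)
        expected, tolerance = schedule[job]
        if abs(_minutes(time) - _minutes(expected)) > tolerance:
            findings["off_schedule"].append((date, time, job))
        if status != "OK":
            findings["failed"].append((date, time, job))
    # Every date that appears in the log is a processing day on which all scheduled jobs were due.
    for date in sorted({run[0] for run in runs}):
        for job in schedule:
            if job not in ran_on[date]:
                findings["missed"].append((date, job))
    return findings


if __name__ == "__main__":
    for category, items in compare(SCHEDULE, RUN_LOG).items():
        print(category, items)
```

On the constructed data the test flags one unscheduled run (ADHOC_EXPORT at 03:14), one late start (PAYROLL 55 minutes after its slot), one failed job (BACKUP_DB on 2024-03-02) and one missed run (PAYROLL on 2024-03-03). Each of these is a different control question: who authorized the ad hoc job, why the window was missed, whether the failed backup was rerun, and whether the missed payroll run was noticed by anyone before the auditor.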
Q: An IS auditor is reviewing a software application that is built on the principles of service oriented architecture (SOA). What is the BEST first step?
A. Understanding services and their allocation to business processes by reviewing the
Correct answer: A.

Q: The reason for establishing a stop or freezing point on the design of a new system is to:
A. prevent further changes to a project in process.
B. indicate the point at which the design is to be completed.
C. require that changes after tha
Correct answer: C.

Q: An IS auditor evaluating the resilience of a high-availability network should be MOST concerned if:
A. the setup is geographically dispersed.
B. the network servers are clustered in one site.
C. a hot site is ready for activation.
D. div
Correct answer: B.

Q: An IS auditor is reviewing access to an application to determine whether the 10 most recent new accounts were appropriately authorized. This is an example of:
A. variable sampling.
B. substantive testing.
C. compliance testing.
D. stop-o
Correct answer: C.

Q: The BEST overall quantitative measure of the performance of biometric control devices is:
A. false-rejection rate (FRR).
B. false-acceptance rate (FAR).
C. equal-error rate (EER).
D. estimated-error rate.
Correct answer: C.

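The reason the equal-error rate is the overall measure, rather than FAR or FRR on its own, is that either of those can be driven to zero simply by moving the acceptance threshold, at the cost of the other. The block below is an added example, not code from the original page, that computes FAR and FRR from constructed matcher scores for a set of genuine and impostor attempts and then sweeps the threshold to find the point where the two curves cross. The score lists and the function names (error_rates, equal_error_rate) are assumptions made for the illustration.

```python
"""Added example: FAR, FRR and the equal-error rate (EER) from biometric matcher scores.

Not from the original page. The two score lists are constructed sample data in which
a higher score means a stronger claim that the presented sample matches the enrolled template.
"""

GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.70, 0.66, 0.60, 0.55]
IMPOSTOR_SCORES = [0.20, 0.28, 0.33, 0.41, 0.47, 0.52, 0.58, 0.63, 0.69, 0.74]


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) for the accept rule "score >= threshold".

    FAR: fraction of impostor attempts that are wrongly accepted.
    FRR: fraction of genuine attempts that are wrongly rejected.
    """
    far = sum(1 for score in impostor if score >= threshold) / len(impostor)
    frr = sum(1 for score in genuine if score < threshold) / len(genuine)
    return far, frr


def equal_error_rate(genuine, impostor):
    """Sweep every observed score as a candidate threshold.

    Returns (threshold, eer): the threshold at which FAR and FRR are closest,
    and the error rate at that point (the mean of the two, which is the EER).
    """
    best = None  # (gap between FAR and FRR, threshold, eer)
    for threshold in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, threshold)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, threshold, (far + frr) / 2)
    _, threshold, eer = best
    return threshold, eer


if __name__ == "__main__":
    for t in (0.55, 0.66, 0.80):
        print(t, error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t))
    print("EER at threshold", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```

With the constructed scores, a threshold of 0.55 gives FAR 0.4 and FRR 0.0 (convenient for users, weak against impostors), a threshold of 0.80 gives FAR 0.0 and FRR 0.6 (secure, but most legitimate users are locked out), and the curves meet at 0.66 with an EER of 0.2. A vendor quoting only the FAR or only the FRR is quoting one end of this trade-off; the EER is the single number that lets two devices be compared.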
Q: Which of the following disaster recovery testing techniques is the MOST efficient way to determine the effectiveness of the plan?
A. Preparedness tests
B. Paper tests
C. Full operational tests
D. Actual service disruption
Correct answer: A.

Q: When using public key encryption to secure data being transmitted across a network:
A. both the key used to encrypt and decrypt the data are public.
B. the key used to encrypt is private, but the key used to decrypt the data is public.
C
Correct answer: C.

Q: An IS auditor is reviewing the access control list (ACL) of active network users. Which of the following types of user IDs should be of GREATEST concern?
A. Test or training user IDs
B. Shared IDs
C. Administrative IDs
D. User IDs of pas
Correct answer: D.
Explanation: A. Test or training user IDs could be a concern. However, it is unlikely that their access privileges are greater than a real user, and therefore they pose less of an overall risk. B. The use of shared IDs, while n

Q: With respect to business continuity strategies, an IS auditor interviews key stakeholders in an organization to determine whether they understand their roles and responsibilities. The IS auditor is attempting to evaluate the:
A. clarity
Correct answer: A.

Q: The MOST effective control for reducing the risk related to phishing is:
A. centralized monitoring of systems.
B. including signatures for phishing in antivirus software.
C. publishing the policy on antiphishing on the intranet.
D. secur
Correct answer: D.

Q: Many IT projects experience problems because the development time and/or resource requirements are underestimated. Which of the following techniques would provide the GREATEST assistance in developing an estimate of project duration?
A.
Correct answer: B.

Q: Which of the following would be the MOST appropriate recovery strategy for a sensitive system with a high recovery time objective (RTO)?
A. Warm site
B. Hot site
C. Cold site
D. Mobile recovery site
Correct answer: C.

Q: The IS management of a multinational company is considering upgrading its existing virtual private network (VPN) to support voice-over IP (VoIP) communications via tunneling. Which of the following considerations should be PRIMARILY addressed?
Correct answer: A.

Q: An IS auditor performing a review of a major software development project finds that it is on schedule and under budget due to unplanned overtime by software developers. The IS auditor should:
A. conclude that the project is progressing
Correct answer: D.

Q: When an employee is terminated from service, the MOST important action is to:
A. hand over all of the employee's files to another designated employee.
B. complete a backup of the employee's work.
C. notify other employees of the terminat
Correct answer: D.

Q: The reliability of an application system's audit trail may be questionable if:
A. user IDs are recorded in the audit trail.
B. the security administrator has read-only rights to the audit file.
C. date and time stamps are recorded when a
Correct answer: D.

Q: When developing a disaster recovery plan, the criteria for determining the acceptable downtime should be the:
A. annualized loss expectancy (ALE).
B. service delivery objective.
C. quantity of orphan data.
D. maximum tolerable outage.
Correct answer: D.

Q: The MAJOR consideration for an IS auditor reviewing an organization's IT project portfolio is the:
A. IT budget.
B. existing IT environment.
C. business plan.
D. investment plan.
Correct answer: C.

Q: An organization has a well-established risk management process. Which of the following risk management practices would MOST likely expose the organization to the greatest amount of compliance risk?
A. Risk reduction
B. Risk transfer
C. R
Correct answer: B.

Q: When preparing an audit report the IS auditor should ensure that the results are supported by:
A. statements from IS management.
B. work papers of other auditors.
C. an organizational control self-assessment.
D. sufficient and appropriat
Correct answer: D.

Q: Which of the following audit techniques would BEST help an IS auditor in determining whether there have been unauthorized program changes since the last authorized program update?
A. Test data run
B. Code review
C. Automated code compari
Correct answer: C.

Q: An IS auditor identifies that reports on product profitability produced by an organization's finance and marketing departments give different results. Further investigation reveals that the product definition being used by the two departments is different
Correct answer: B.

Q: Which of the following BEST describes the purpose of performing a risk assessment in the planning phase of an IS audit?
A. To establish adequate staffing requirements to complete the IS audit
B. To provide reasonable assurance that all m
Correct answer: B.
Explanation: A. A risk assessment does not directly influence staffing requirements. B. A risk assessment helps focus the audit procedures on the highest risk areas included in the scope of the audit. The concept of reasonable assuran

Q: Which of the following auditing techniques is the MOST appropriate for a retail business with a large volume of transactions to address emerging risk proactively?
A. Use of Computer Assisted Audit Techniques (CAATs)
B. Control self-asses
Correct answer: D.

Q: An IS auditor who is auditing the software acquisition process will ensure that the:
A. contract is reviewed and approved by the legal counsel before it is signed.
B. requirements cannot be met with the systems already in place.
C. requi
Correct answer: A.

Q: An IS auditor discovers that some hard drives disposed of by an enterprise were not sanitized in a manner that would reasonably ensure the data could not be recovered. In addition, the enterprise does not have a written policy on data disposal. The IS aud
Correct answer: B.

Q: Which of the following is the MOST important requirement for a robust change management process?
A. Chain of custody
B. Individual accountability
C. Data entry controls
D. Segregation of duties
Correct answer: D.
Explanation: A. Chain of custody is applicable to forensic investigations and maintenance of data integrity. B. Individual accountability is important, and this is normally accomplished through the avoidance of group IDs. Howev

Q: An IS auditor is evaluating a virtual machine-based (VM-based) architecture used for all programming and testing environments. The production architecture is a three-tier physical architecture. What is the MOST important IT control to test in order to ens
Correct answer: A.

Q: A company is implementing a dynamic host configuration protocol (DHCP). Given that the following conditions exist, which represents the GREATEST concern?
A. Most employees use laptops.
B. A packet filtering firewall is used.
C. The IP ad
Correct answer: D.

Q: Management considered two projections for its business continuity plan; plan A with two months to recover and plan B with eight months to recover. The recovery point objectives are the same in both plans. It is reasonable to expect that plan B projected h
Correct answer: A.

Q: A company has contracted with an external consulting firm to implement a commercial financial system to replace its existing system developed in-house. In reviewing the proposed development approach, which of the following would be of GREATEST concern?
Correct answer: B.

Q: During an IS audit of the disaster recovery plan (DRP) of a global enterprise, the auditor observes that some remote offices have very limited local IT resources. Which of the following observations would be the MOST critical for the IS auditor?
Correct answer: A.

Q: During which of the following phases in system development would user acceptance test plans normally be prepared?
A. Feasibility study
B. Requirements definition
C. Implementation planning
D. Postimplementation review
Correct answer: B.

Q: An organization is implementing an enterprise resource planning (ERP) application. Of the following, who is PRIMARILY responsible for overseeing the project in order to ensure that it is progressing in accordance with the project plan and that it will del
Correct answer: C.

Q: Which of the following is an advantage of an integrated test facility (ITF)?
A. It uses actual master files or dummies and the IS auditor does not have to review the source of the transaction.
B. Periodic testing does not require separat
Correct answer: B.

Q: When reviewing the configuration of network devices, an IS auditor should FIRST identify:
A. the best practices for the type of network devices deployed.
B. whether components of the network are missing.
C. the importance of the network
Correct answer: C.

Q: An IS auditor observes that one of the servers on the perimeter network is running a vulnerable operating system. What is the MOST likely implication due to the existence of a system vulnerability?
A. The server is susceptible to an atta
Correct answer: A.

Q: The knowledge base of an expert system that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as:
A. rules.
B. decision trees.
C. semantic nets.
D. dataflow diagrams.
Correct answer: B.

Q: While downloading software, a hash may be provided to:
A. ensure that the software comes from a genuine source.
B. ensure that the software is the correct revision number.
C. ensure that the software has not been modified.
D. serve as a
Correct answer: C.

Q: In determining the acceptable time period for the resumption of critical business processes:
A. only downtime costs need to be considered.
B. recovery operations should be analyzed.
C. both downtime costs and recovery costs need to be ev
Correct answer: C.

Q: The MAIN purpose of a transaction audit trail is to:
A. reduce the use of storage media.
B. determine accountability and responsibility for processed transactions.
C. help an IS auditor trace transactions.
D. provide useful information f
Correct answer: B.

Q: The internal audit team is auditing controls over sales returns and is concerned about fraud. Which of the following sampling methods would BEST assist the auditors?
A. Stop-or-go
B. Classical variable
C. Discovery
D. Probability-proport
Correct answer: C.

Q: The MOST important reason for an IS auditor to obtain sufficient and appropriate audit evidence is to:
A. comply with regulatory requirements.
B. provide a basis for drawing reasonable conclusions.
C. ensure complete audit coverage.
D. p
Correct answer: B.

Q: A company's development team does not follow generally accepted system development life cycle (SDLC) practices. Which of the following is MOST likely to cause problems for software development projects?
A. Functional verification of the
Correct answer: C.
Explanation: A. Prototypes are verified by users. B. UAT is seldom completely successful. If errors are not critical, they may be corrected after implementation without seriously affecting usage. C. Errors or lack of attention in the

Q: Ideally, stress testing should be carried out in a:
A. test environment using test data.
B. production environment using live workloads.
C. test environment using live workloads.
D. production environment using test data.
Correct answer: C.

Q: To verify that the correct version of a data file was used for a production run, an IS auditor should review:
A. operator problem reports.
B. operator work schedules.
C. system logs.
D. output distribution reports.
Correct answer: C.

Q: When using an integrated test facility (ITF), an IS auditor should ensure that:
A. production data are used for testing.
B. test data are isolated from production data.
C. a test data generator is used.
D. master files are updated with t
Correct answer: B.

Q: Which of the following is the most important element in the design of a data warehouse?
A. Quality of the metadata
B. Speed of the transactions
C. Volatility of the data
D. Vulnerability of the system
Correct answer: A.

Q: Which of the following should be included in an organization's information security policy?
A. A list of key IT resources to be secured
B. The basis for control access authorization
C. Identity of sensitive security features
D. Relevant
Correct answer: B.

Q: The PRIMARY purpose of implementing Redundant Array of Inexpensive Disks (RAID) level 1 in a file server is to:
A. achieve performance improvement.
B. provide user authentication.
C. ensure availability of data.
D. ensure the confidentia
Correct answer: C.

Q: When assessing the design of network monitoring controls, an IS auditor should FIRST review network:
A. topology diagrams.
B. bandwidth usage.
C. traffic analysis reports.
D. bottleneck locations.
Correct answer: A.

Q: Online banking transactions are being posted to the database when processing suddenly comes to a halt. The integrity of the transaction processing is BEST ensured by:
A. database integrity checks.
B. validation checks.
C. input controls.
Correct answer: D.

Q: An IS auditor is performing a review of the disaster recovery hot site used by a financial institution. Which of the following would be the GREATEST concern?
A. System administrators use shared accounts which never expire at the hot site
Correct answer: B.

Q: Which of the following is the BEST method for determining the criticality of each application system in the production environment?
A. Interview the application programmers.
B. Perform a gap analysis.
C. Review the most recent applicatio
Correct answer: D.

Q: An organization has outsourced its help desk function. Which of the following indicators would be the BEST to include in the service level agreement (SLA)?
A. Overall number of users supported
B. Percentage of incidents solved in the fir
Correct answer: B.

Q: When implementing an application software package, which of the following presents the GREATEST risk?
A. Uncontrolled multiple software versions
B. Source programs that are not synchronized with object code
C. Incorrectly set parameters
Correct answer: C.

Q: An IS auditor is conducting an audit of computer security incident response procedures for a large financial organization. Which of the following should be the IS auditor's GREATEST concern?
A. The IT help desk is not trained to contain
Correct answer: C.

Q: Which of the following wide area network (WAN) transmission techniques offers the BEST error and flow control procedures while transmitting data?
A. Message switching
B. Packet switching
C. Circuit switching
D. Virtual circuits
Correct answer: B.

Q: A new business application has been designed in a large, complex organization and the business owner has requested that the various reports be viewed on a "need to know" basis. Which of the following access control methods would be the BEST method to achi
Correct answer: B.

Q: The MOST important point of consideration for an IS auditor while reviewing an enterprise's project portfolio is that it:
A. does not exceed the existing IT budget.
B. is aligned with the investment strategy.
C. has been approved by the
Correct answer: D.

Q: Two months after a major application implementation, management, who assumes that the project went well, requests that an IS auditor perform a review of the completed project. The IS auditor's PRIMARY focus should be to:
A. determine whe
Correct answer: C.

Q: During a change control audit of a production system, an IS auditor finds that the change management process is not formally documented and that some migration procedures failed. What should the IS auditor do next?
A. Recommend redesigni
Correct answer: B.

Q: Which of the following database controls would ensure that the integrity of transactions is maintained in an online transaction processing system's database?
A. Authentication controls
B. Data normalization controls
C. Read/write access
Correct answer: D.

Q: During an IS audit of a bank, the IS auditor is assessing whether the enterprise properly manages staff member access to the operating system. The IS auditor should determine whether the enterprise performs:
A. periodic review of user ac
Correct answer: A.

Q: A benefit of open system architecture is that it:
A. facilitates interoperability.
B. facilitates the integration of proprietary components.
C. will be a basis for volume discounts from equipment vendors.
D. allows for the achievement of
Correct answer: A.

Q: A perpetrator looking to gain access to and gather information about encrypted data being transmitted over the network would use:
A. eavesdropping.
B. spoofing.
C. traffic analysis.
D. masquerading.
Correct answer: C.

Q: An organization has bought a new system to integrate its human resources (HR) and payroll systems. Which of the following tests ensures that the new system can operate successfully with existing systems?
A. Parallel testing
B. Pilot test
Correct answer: C.

Q: An organization stores and transmits sensitive customer information within a secure wired network. It has implemented an additional wireless local area network (WLAN) to support general-purpose staff computing needs. A few employees with WLAN access have
Correct answer: D.

Q: Which of the following would effectively verify the originator of a transaction?
A. Using a secret password between the originator and the receiver
B. Encrypting the transaction with the receiver's public key
C. Using a portable document
Correct answer: D.

Q: Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs?
A. System log analysis
B. Compliance testing
C. Forensic analysis
D. Analytical review
Correct answer: B.

Q: An organization has an integrated development environment (IDE) on which the program libraries reside on the server, but modification/development and testing are done from PC workstations. Which of the following would be a strength of an IDE?
Correct answer: B.

Q: An IS auditor is evaluating data mining and auditing software to be used in future IS audits. What is the PRIMARY requirement that the software tool should meet? The software tool should:
A. interface with various types of enterprise res
Correct answer: B.

Q: An advantage of using sanitized live transactions in test data is that:
A. all transaction types will be included.
B. every error condition is likely to be tested.
C. no special routines are required to assess the results.
D. test transa
Correct answer: D.

Q: The reason a certification and accreditation process is performed on critical systems is to ensure that:
A. security compliance has been technically evaluated.
B. data have been encrypted and are ready to be stored.
C. the systems have b
Correct answer: A.

Q: Which of the following is the BEST factor for determining the extent of data collection during the planning phase of an IS compliance audit?
A. Complexity of the organization's operation
B. Findings and issues noted from the prior year
C
Correct answer: C.

Q: Which of the following would be MOST important for an IS auditor to verify while conducting a business continuity audit?
A. Data backups are performed on a timely basis.
B. A recovery site is contracted for and available as needed.
C. Hu
Correct answer: C.

Q: Users are issued security tokens to be used in combination with a personalized identification number (PIN) to access the corporate virtual private network (VPN). Regarding the PIN, what is the MOST important rule to be included in a security policy?
Correct answer: D.

Q: An advantage in using a bottom-up vs. a top-down approach to software testing is that:
A. interface errors are detected earlier.
B. confidence in the system is achieved earlier.
C. errors in critical modules are detected earlier.
D. majo
Correct answer: C.

Q: The purpose of a checksum on an amount field in an electronic data interchange (EDI) communication of financial transactions is to ensure:
A. integrity.
B. authenticity.
C. authorization.
D. nonrepudiation.
Correct answer: A.

Q: An IS auditor is evaluating the controls around provisioning visitor access cards to the organization's IT facility. The IS auditor notes that daily reconciliation of visitor card inventory is not carried out as mandated. However, an inventory count carri
Correct answer: C.
Explanation: A. Absence of discrepancy in physical count only confirms absence of any impact, but cannot be a reason to overlook failure of operation of the control. B. While the IS auditor may in some cases recommend a change

Q: A project manager of a project that is scheduled to take 18 months to complete announces that the project is in a healthy financial position because, after six months, only one-sixth of the budget has been spent. The IS auditor should FIRST determine:
Correct answer: A.

Q: To ensure authentication, confidentiality and integrity of a message, the sender should encrypt the hash of the message with the sender's:
A. public key and then encrypt the message with the receiver's private key.
B. private key and the
Correct answer: B.

Q: Which of the following would BEST describe encrypting and decrypting data using an asymmetric encryption algorithm?
A. Use the receiver's private key to decrypt data encrypted by the receiver's public key.
B. Use the sender's private key
Correct answer: A.

An organization is replacing a payroll program that it developed in-house, with the relevant subsystem of a commercial enterprise resource planning (ERP) system. Which of the following would represent the HIGHEST potential risk?Select an answer: A. Undoc
You answered A. The correct answer is B.
The BEST time for an IS auditor to assess the control specifications of a new application software package which is being considered for acquisition is during: Select an answer: A. the internal lab testing phase. B. testing and prior to user acceptance. C
You are correct, the answer is C.
During an application audit, an IS auditor is asked to provide assurance of the database referential integrity. Which of the following should be reviewed? Select an answer: A. Field definition B. Master table definition C. Composite keys D. Foreign key st
You are correct, the answer is D.
The editing/validation of data entered at a remote site would be performed MOST effectively at the: Select an answer: A. central processing site after running the application system. B. central processing site during the running of the application system.
You are correct, the answer is D.
A medium-sized organization, whose IT disaster recovery measures have been in place and regularly tested for years, has just developed a formal business continuity plan (BCP). A basic BCP tabletop exercise has been performed successfully. Which testing sh
You answered B. The correct answer is D.
To optimize an organization's business contingency plan (BCP), an IS auditor should recommend a business impact analysis (BIA) in order to determine: Select an answer: A. the business processes that generate the most financial value for the organization a
You are correct, the answer is C.
An IT auditor is reviewing an organization's information security policy, which requires encryption of all data placed on universal serial bus (USB) drives. The policy also requires that a specific encryption algorithm be used. Which of the following algo
You are correct, the answer is C.
An organization is considering using a new IT service provider. From an audit perspective, which of the following would be the MOST important item to review? Select an answer: A. References from other clients for the service provider B. The physical secur
You are correct, the answer is C.
An organization's disaster recovery plan should address early recovery of: Select an answer: A. all information systems processes. B. all financial processing applications. C. only those applications designated by the IS manager. D. processing in priority
You are correct, the answer is D.
An organization has established a guest network for visitor access. Which of the following should be of GREATEST concern to an IS auditor? Select an answer: A. A login screen is not displayed for guest users. B. The guest network is not segregated from th
You are correct, the answer is B.
An IS auditor is to assess the suitability of a service level agreement (SLA) between the organization and the supplier of outsourced services. To which of the following observations should the IS auditor pay the MOST attention? The SLA does not contain a
You are correct, the answer is A.
Which of the following would normally be the MOST reliable evidence for an IS auditor? Select an answer: A. A confirmation letter received from a third party verifying an account balance B. Assurance from line management that an application is working as
You answered B. The correct answer is A.
When performing a database review, an IS auditor notices that some tables in the database are not normalized. The IS auditor should next: Select an answer: A. recommend that the database be normalized. B. review the conceptual data model. C. review the st
You answered A. The correct answer is D.
An IS auditor assesses the project management process for an internal software development project. In respect to the software functionality, the IS auditor should look for sign-off by: Select an answer: A. the project manager. B. systems development mana
You are correct, the answer is C. A. The project manager provides day-to-day management and leadership of the project and ensures that project activities remain in line with the overall direction. B. Systems development management provides technical suppo
An IS auditor is assigned to perform a postimplementation review of an application system. Which of the following situations may have impaired the independence of the IS auditor? The IS auditor: Select an answer: A. implemented a specific functionality du
You answered B. The correct answer is A.
Which of the following append themselves to files as a protection against viruses? Select an answer: A. Behavior blockers B. Cyclical redundancy checkers (CRCs) C. Immunizers D. Active monitors
You answered B. The correct answer is C.
Which of the following is the MOST effective when determining the correctness of individual account balances migrated from one database to another? Select an answer: A. Compare the hash total before and after the migration. B. Verify that the number of re
You are correct, the answer is C.
Which of the following should be of PRIMARY concern to an IS auditor reviewing the management of external IT service providers? Select an answer: A. Minimizing costs for the services provided B. Prohibiting the provider from subcontracting services C. Eva
You answered C. The correct answer is D.
An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production en
You answered C. The correct answer is B.
When reviewing a project where quality is a major concern, an IS auditor should use the project management triangle to explain that: Select an answer: A. increases in quality can be achieved, even if resource allocation is decreased. B. increases in quali
You answered B. The correct answer is A.
Which of the following situations would increase the likelihood of fraud? Select an answer: A. Application programmers are implementing changes to production programs. B. Application programmers are implementing changes to test programs. C. Operations sup
You are correct, the answer is A.
A financial services organization is developing and documenting business continuity measures. In which of the following cases would an IS auditor MOST likely raise an issue? Select an answer: A. The organization uses good practice guidelines instead of in
You answered C. The correct answer is B.
Which of the following types of risk could result from inadequate software baselining? Select an answer: A. Sign-off delays B. Software integrity violations C. Scope creep D. Inadequate controls
You answered B. The correct answer is C. A. Sign-off delays may occur due to inadequate software baselining; however, these are most likely caused by scope creep. B. Software integrity violations can be caused by hardware or software failures, malicious i
Digital signatures require the: Select an answer: A. signer to have a public key and the receiver to have a private key. B. signer to have a private key and the receiver to have a public key. C. signer and receiver to have a public key. D. signer and rece
You are correct, the answer is B.
The decisions and actions of an IS auditor are MOST likely to affect which of the following types of risk? Select an answer: A. Inherent B. Detection C. Control D. Business
You are correct, the answer is B.
Which of the following reports is the MOST appropriate source of information for an IS auditor to validate that an Internet service provider (ISP) has been complying with an enterprise service level agreement (SLA) for the availability of outsourced telec
You answered B. The correct answer is D.
An IS auditor recommends that an initial validation control be programmed into a credit card transaction capture application. The initial validation process would MOST likely: Select an answer: A. check to ensure that the type of transaction is valid for
You answered D. The correct answer is B.
Which of the following penetration tests would MOST effectively evaluate incident handling and response capabilities of an organization? Select an answer: A. Targeted testing B. External testing C. Internal testing D. Double-blind testing
You are correct, the answer is D.
Which of the following provides the best evidence of the adequacy of a security awareness program? Select an answer: A. The number of stakeholders including employees trained at various levels B. Coverage of training at all locations across the enterprise
You answered A. The correct answer is D.
An IS auditor is reviewing a project risk assessment and notices that the overall risk level is high due to confidentiality requirements. Which of the following types of risk is normally high due to the number of users and business areas the project may a
You answered A. The correct answer is C. A. Control risk can be high, but it would be due to internal controls not being identified, evaluated or tested, and would not be due to the number of users or business areas affected. B. Compliance risk is the pen
An IS auditor should be concerned when a telecommunication analyst: Select an answer: A. monitors systems performance and tracks problems resulting from program changes. B. reviews network load requirements in terms of current and future transaction volum
You are correct, the answer is A.
Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an electronic funds transfer (EFT) system? Select an answer: A. Three users with the ability to capture and verify their own messages B. Five users
You are correct, the answer is A.
Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs? Select an answer: A. System log analysis B. Compliance testing C. Forensic analysis D. Analytical review
You answered A. The correct answer is B.
At a hospital, medical personnel carry handheld computers which contain patient health data. These handheld computers are synchronized with PCs which transfer data from a hospital database. Which of the following would be of the most importance?
You are correct, the answer is A.
During a system development life cycle (SDLC) audit of a human resources (HR) and payroll application, the IS auditor notes that the data used for user acceptance testing (UAT) have been masked. The purpose of masking the data is to ensure the:
You are correct, the answer is A. A. Masking the data is used to ensure the confidentiality of data, especially in a UAT exercise in which the testers have access to data that they would not have access to in normal production environments. B. Masking the
An IS auditor is reviewing a monthly accounts payable transaction register using audit software. For what purpose would the auditor be interested in using a check digit? Select an answer: A. To detect data transposition errors. B. To ensure that transacti
You answered B. The correct answer is A. A. A check digit is a numeric value added to data to ensure that original data are correct and have not been altered. B. Ensuring that data have not exceeded a predetermined amount is a limit check. C. Ensuring tha
An IS auditor is reviewing a large financial institution's process of remotely managing network devices over the Internet. The IS auditor should be MOST concerned if: Select an answer: A. shared credentials are used. B. no login banner is displayed. C. Te
You are correct, the answer is C. A. Shared credentials for network devices do not allow for accountability. However, the use of Telnet is a greater risk. B. Normally a login banner should indicate to unauthorized personnel that access is forbidden. Lack
Which of the following is MOST indicative of the effectiveness of an information security awareness program? Select an answer: A. Employees report more information regarding security incidents. B. All employees have signed the information security policy.
You are correct, the answer is A.
An IS auditor reviews an organizational chart PRIMARILY for: Select an answer: A. an understanding of workflows. B. investigating various communication channels. C. understanding the responsibilities and authority of individuals. D. investigating the netw
You answered A. The correct answer is C.
The PRIMARY reason an IS auditor performs a functional walk-through during the preliminary phase of an audit assignment is to: Select an answer: A. understand the business process. B. comply with auditing standards. C. identify control weakness. D. plan s
You answered C. The correct answer is A.
An IS auditor is planning an audit of a bank wire transfer system in the context of a regulation that requires banks to accurately report transactions. Which of the following represents the PRIMARY focus of the audit scope? Select an answer: A. Data avail
You answered A. The correct answer is D.
When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that: Select an answer: A. controls needed to mitigate risk are in place. B. vulnerabilities and threats are identified. C. audit risk is considered. D.
You answered A. The correct answer is B.
An IS auditor performing an independent classification of systems should consider a situation where functions could be performed manually at a tolerable cost for an extended period of time as: Select an answer: A. critical. B. vital. C. sensitive. D. nonc
You answered D. The correct answer is C.
An IS auditor finds that user acceptance testing of a new system is being repeatedly interrupted by defect fixes from the developers. Which of the following would be the BEST recommendation for an IS auditor to make? Select an answer: A. Consider the feas
You answered B. The correct answer is A.
An organization provides information to its supply chain partners and customers through an extranet infrastructure. Which of the following should be the GREATEST concern to an IS auditor reviewing the firewall security architecture? Select an answer: A. A
You are correct, the answer is D.
Which of the following sampling methods would be the MOST effective to determine whether purchase orders issued to vendors have been authorized as per the authorization matrix? Select an answer: A. Variable sampling B. Stratified mean per unit C. Attribut
You answered D. The correct answer is C.
When testing program change requests, an IS auditor finds that the population of changes was too small to provide a reasonable level of assurance. What is the MOST appropriate action for the IS auditor to take? Select an answer: A. Develop an alternate te
You answered B. The correct answer is A.
An IS audit department is considering implementing continuous auditing techniques for a multinational retail enterprise that processes a large volume of transactions per day. A PRIMARY benefit of continuous auditing is that: Select an answer: A. effective
You answered B. The correct answer is D.
After a disaster declaration, the media creation date at a warm recovery site is based on the: Select an answer: A. recovery point objective (RPO). B. recovery time objective (RTO). C. service delivery objective (SDO). D. maximum tolerable outage (MTO).
You answered B. The correct answer is A.
The GREATEST advantage of rapid application development (RAD) over the traditional system development life cycle (SDLC) is that it: Select an answer: A. facilitates user involvement. B. allows early testing of technical features. C. facilitates conversion
You are correct, the answer is D.
A database administrator (DBA) who needs to make emergency changes to a database after normal working hours should log in: Select an answer: A. with their named account to make the changes. B. with the shared DBA account to make the changes. C. to the ser
You are correct, the answer is A.
An employee has received a digital photo frame as a gift and has connected it to his/her work PC to transfer digital photos. The PRIMARY risk that this scenario introduces is that: Select an answer: A. the photo frame storage media could be used to steal
You answered A. The correct answer is D.
The FIRST step in data classification is to: Select an answer: A. establish ownership. B. perform a criticality analysis. C. define access rules. D. create a data dictionary.
You answered B. The correct answer is A.
Which of the following is a PRIMARY objective of embedding an audit module while developing online application systems? Select an answer: A. To collect evidence while transactions are processed B. To reduce requirements for periodic internal audits C. To
You answered D. The correct answer is A.
Which of the following is the MOST important criterion when selecting a location for an offsite storage facility for IS backup files? The offsite facility must be: Select an answer: A. physically separated from the data center and not subject to the same
You are correct, the answer is A.
A comprehensive and effective email policy should address the issues of email structure, policy enforcement, monitoring and: Select an answer: A. recovery. B. retention. C. rebuilding. D. reuse.
You answered A. The correct answer is B.
An IS auditor reviewing digital rights management (DRM) applications should expect to find an extensive use for which of the following technologies? Select an answer: A. Digitalized signatures B. Hashing C. Parsing D. Steganography
You answered A. The correct answer is D.
An IS auditor is reviewing database security for an organization. Which of the following is the MOST important consideration for database hardening? Select an answer: A. The default configurations are changed. B. All tables in the database are normalized.
You are correct, the answer is A.
An IS auditor has been assigned to conduct a test that compares job run logs to computer job schedules. Which of the following observations would be of the GREATEST concern to the IS auditor? Select an answer: A. There are a growing number of emergency ch
You are correct, the answer is C.
The PRIMARY outcome of a business impact analysis (BIA) is: Select an answer: A. a plan for resuming operations after a disaster. B. a commitment of the organization to physical and logical security. C. a framework for an effective disaster recovery plan
You are correct, the answer is D. A. A BIA does establish a starting point for planning how to resume operations after a disaster. This is, however, not the primary purpose of a BIA. B. The public's perception of an organization's physical and logical sec
Which of the following will BEST ensure the successful offshore development of business applications? Select an answer: A. Stringent contract management practices B. Detailed and correctly applied specifications C. Awareness of cultural and political diff
You are correct, the answer is B.
Which of the following systems or tools can recognize that a credit card transaction is more likely to have resulted from a stolen credit card than from the holder of the credit card? Select an answer: A. Intrusion detection systems B. Data mining techniq
You are correct, the answer is B.
A hard disk containing confidential data was damaged beyond repair. What should be done to the hard disk to prevent access to the data residing on it? Select an answer: A. Rewrite the hard disk with random 0s and 1s. B. Low-level format the hard disk. C.
You are correct, the answer is D.
In a review of the human resources policies and procedures within an organization, an IS auditor would be MOST concerned with the absence of a: Select an answer: A. requirement for job rotation on a periodic basis. B. process for formalized exit interview
You answered A. The correct answer is C.
During a disaster recovery test, an IS auditor observes that the performance of the disaster recovery site's server is slow. To find the root cause of this, the IS auditor should FIRST review the: Select an answer: A. event error log generated at the disa
You answered A. The correct answer is D.
Before implementing an IT balanced scorecard (BSC), an organization must: Select an answer: A. deliver effective and efficient services. B. define key performance indicators. C. provide business value to IT projects. D. control IT expenses.
You are correct, the answer is B.
The waterfall life cycle model of software development is most appropriately used when: Select an answer: A. requirements are well understood and are expected to remain stable, as is the business environment in which the system will operate. B. requiremen
You are correct, the answer is A.
An organization is implementing an enterprise resource planning (ERP) application. Of the following, who is PRIMARILY responsible for overseeing the project in order to ensure that it is progressing in accordance with the project plan and that it will del
You are correct, the answer is C.
The MOST likely explanation for a successful social engineering attack is: Select an answer: A. that computers make logic errors. B. that people make judgment errors. C. the computer knowledge of the attackers. D. the technological sophistication of the a
You are correct, the answer is B.
During a postimplementation review of a firewall upgrade project, an IS auditor discovered that several ports were left open that were not required for business purposes. It was determined that the ports were opened for a test server that was no longer be
You answered A. The correct answer is D.
During maintenance of a relational database, several values of the foreign key in a transaction table have been corrupted. The consequence is that: Select an answer: A. the detail of involved transactions may no longer be associated with master data, caus
You are correct, the answer is A.
An IS auditor reviewing database controls discovered that changes to the database during normal working hours were handled through a standard set of procedures. However, changes made after normal hours required only an abbreviated number of steps. In this
You are correct, the answer is C.
An organization's IS audit charter should specify the: Select an answer: A. short- and long-term plans for IS audit engagements. B. objectives and scope of IS audit engagements. C. detailed training plan for the IS audit staff. D. role of the IS audit fun
You answered B. The correct answer is D.
An IS auditor is planning an audit of a bank wire transfer system in the context of a regulation that requires banks to accurately report transactions. Which of the following represents the PRIMARY focus of the audit scope? Select an answer: A. Data avail
You are correct, the answer is D.
Which of the following database controls would ensure that the integrity of transactions is maintained in an online transaction processing system's database? Select an answer: A. Authentication controls B. Data normalization controls C. Read/write access
You are correct, the answer is D.
A key IT systems developer has suddenly resigned from an enterprise. Which of the following will be the MOST important action? Select an answer: A. Set up an exit interview with human resources (HR). B. Initiate the handover process to ensure continuity o
You are correct, the answer is C.
An advantage in using a bottom-up vs. a top-down approach to software testing is that: Select an answer: A. interface errors are detected earlier. B. confidence in the system is achieved earlier. C. errors in critical modules are detected earlier. D. majo
You are correct, the answer is C.
Which of the following message services provides the STRONGEST evidence that a specific action has occurred? Select an answer: A. Proof of delivery B. Nonrepudiation C. Proof of submission D. Message origin authentication
You are correct, the answer is B.
Functional acknowledgements are used: Select an answer: A. as an audit trail for electronic data interchange (EDI) transactions. B. to functionally describe the IS department. C. to document user roles and responsibilities. D. as a functional description
You answered C. The correct answer is A.
Event log entries related to failed local administrator logon attempts are observed by the IS auditor. Which of the following is the MOST likely cause of multiple failed login attempts? Select an answer: A. SYN flood attacks B. Social engineering C. Buffe
You are correct, the answer is D.
Two-factor authentication can be circumvented through which of the following attacks? Select an answer: A. Denial-of-service B. Man-in-the-middle C. Key logging D. Brute force
You answered C. The correct answer is B.
Which of the following will MOST successfully identify overlapping key controls in business application systems? Select an answer: A. Reviewing system functionalities that are attached to complex business processes B. Submitting test transactions through
You answered B. The correct answer is C.
The phases and deliverables of a system development life cycle (SDLC) project should be determined: Select an answer: A. during the initial planning stages of the project. B. after early planning has been completed, but before work has begun. C. throughou
You are correct, the answer is A.
In auditing a database environment, an IS auditor will be MOST concerned if the database administrator (DBA) is performing which of the following functions? Select an answer: A. Performing database changes according to change management procedures B. Inst
You are correct, the answer is B.
Which of the following should be an IS auditor's PRIMARY concern after discovering that the scope of an IS project has changed and an impact study has not been performed? Select an answer: A. The time and cost implications caused by the change B. The risk
You are correct, the answer is A.
A business application system accesses a corporate database using a single ID and password embedded in a program. Which of the following would provide efficient access control over the organization's data? Select an answer: A. Introduce a secondary authen
You are correct, the answer is B.
Establishing the level of acceptable risk is the responsibility of: Select an answer: A. quality assurance management. B. senior business management. C. the chief information officer. D. the chief security officer.
You are correct, the answer is B.
In evaluating programmed controls over password management, which of the following is the IS auditor MOST likely to rely on? Select an answer: A. A size check B. A hash total C. A validity check D. A field check
You are correct, the answer is C.
Which of the following would be the MOST appropriate recovery strategy for a sensitive system with a high recovery time objective (RTO)? Select an answer: A. Warm site B. Hot site C. Cold site D. Mobile recovery site
You are correct, the answer is C.
Comparing data from an accounts payable application with invoices received from vendors in the month of December is BEST described as: Select an answer: A. substantive testing. B. compliance testing. C. qualitative analysis. D. judgment sampling.
You are correct, the answer is A.
When developing a security architecture, which of the following steps should be executed FIRST? Select an answer: A. Developing security procedures B. Defining a security policy C. Specifying an access control methodology D. Defining roles and responsibil
You answered D. The correct answer is B.
An IS auditor reviewing a database discovers that the current configuration does not match the originally designed structure. Which of the following should be the IS auditor's next action? Select an answer: A. Analyze the need for the structural change. B
You answered C. The correct answer is D.
Which of the following is the PRIMARY reason IS auditors conduct risk assessments? Select an answer: A. To focus effort on areas of highest business impact B. To maintain the organization's risk register C. To enable management to choose the correct risk
You are correct, the answer is A.
An IS auditor is reviewing the risk management process. Which of the following is the MOST important consideration during this review? Select an answer: A. Controls are implemented based on cost-benefit analysis. B. The risk management framework is based
You answered A. The correct answer is D. A. Controls to mitigate risk must be implemented based on cost-benefit analysis; however, the cost-benefit analysis is effective only if risk is presented in business terms. B. A risk management framework based on
Which of the following should be of PRIMARY concern to an IS auditor reviewing the management of external IT service providers? Select an answer: A. Minimizing costs for the services provided B. Prohibiting the provider from subcontracting services C. Eva
You are correct, the answer is D.
To aid management in achieving IT and business alignment, an IS auditor should recommend the use of: Select an answer: A. control self-assessments. B. a business impact analysis (BIA). C. an IT balanced scorecard (BSC). D. business process reengineering (
You answered B. The correct answer is C.
While reviewing sensitive electronic work papers, the IS auditor noticed that they were not encrypted. This could compromise the: Select an answer: A. audit trail of the versioning of the work papers. B. approval of the audit phases. C. access rights to t
You are correct, the answer is D.
When performing a postimplementation review of a software development project for a highly secure application, it is MOST important to confirm that: Select an answer: A. vulnerability testing was performed. B. the project was formally closed. C. the proje
You are correct, the answer is D. A. Vulnerability testing may be incorporated into the system development process; however, it is most important that business requirements were met. B. Formally closing the project is important, but the primary goal of me
An IS auditor has been asked to participate in project initiation meetings for a critical project. The IS auditor's MAIN concern should be that the: Select an answer: A. complexity and risk associated with the project have been analyzed. B. resources need
You answered D. The correct answer is A.
An enterprise's risk appetite is BEST established by: Select an answer: A. the chief legal officer. B. security management. C. the audit committee. D. the steering committee.
You are correct, the answer is D.
The vice president of human resources has requested an audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation? Select an answer: A. Test data B. Generalized audit software C. Integrat
You are correct, the answer is B.
Which of the following controls would provide the GREATEST assurance of database integrity? A. Audit log procedures B. Table link/reference checks C. Query/table access time checks D. Rollback and rollforward database features
You answered D. The correct answer is B.
Which of the following is the MOST effective control when granting temporary access to vendors? Select an answer: A. Vendor access corresponds to the service level agreement (SLA). B. User accounts are created with expiration dates and are based on servic
You are correct, the answer is B.
To ensure that audit resources deliver the best value to the organization, the FIRST step would be to: Select an answer: A. schedule the audits and monitor the time spent on each audit. B. train the IS audit staff on current technology used in the company
You are correct, the answer is C.
An IS auditor is reviewing an IT security risk management program. Measures of security risk should: Select an answer: A. address all of the network risk. B. be tracked over time against the IT strategic plan. C. take into account the entire IT environmen
You are correct, the answer is C.
Which of the following would be evaluated as a preventive control by an IS auditor performing an audit? Select an answer: A. Transaction logs B. Before and after image reporting C. Table lookups D. Tracing and tagging
You answered A. The correct answer is C.
Which of the following BEST helps an IS auditor evaluate the quality of programming activities related to future maintenance capabilities? Select an answer: A. The programming language B. The development environment C. A version control system D. Program
You are correct, the answer is D. A. The programming language may be a concern if it is not a commonly used language; however, program coding standards are more important. B. The development environment may be relevant to evaluate the efficiency of the pr
The application systems of an organization using open-source software have no single recognized developer producing patches. Which of the following would be the MOST secure way of updating open-source software?Select an answer: A. Rewrite the patches and
You are correct, the answer is D.Suitable patches from the existing developers should be selected and tested before applying them. Rewriting the patches and applying them is not a correct answer because it would require skilled resources and time to rewr
Which of the following does a lack of adequate controls represent?Select an answer:A. An impactB. A vulnerabilityC. An asset D. A threat
You answered D. The correct answer is B.A. Impact is the measure of the financial loss that a threat event may have. B. The lack of adequate controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, att
Many IT projects experience problems because the development time and/or resource requirements are underestimated. Which of the following techniques would provide the GREATEST assistance in developing an estimate of project duration?Select an answer: A.
You are correct, the answer is B.
An IS auditor is conducting a compliance audit of a health care organization operating an online system that contains sensitive health care information. Which of the following should an IS auditor FIRST review?Select an answer: A. Network diagram and fir
You are correct, the answer is C.
Which of the following is the most important element in the design of a data warehouse?Select an answer:A. Quality of the metadataB. Speed of the transactionsC. Volatility of the data D. Vulnerability of the system
You are correct, the answer is A.
The BEST method of confirming the accuracy of a system tax calculation is by:Select an answer:A. detailed visual review and analysis of the source code of the calculation programs. B. recreating program logic using generalized audit software to calculat
You answered D. The correct answer is C.
When reviewing the configuration of network devices, an IS auditor should FIRST identify:Select an answer:A. the best practices for the type of network devices deployed.B. whether components of the network are missing. C. the importance of the network
You are correct, the answer is C.
Which of the following is a risk of cross-training?
A. Increases the dependence on one employee
B. Does not assist in succession planning
C. One employee may know all parts of a system
D. Does not help in achieving a continuity of operat
You are correct, the answer is C.

An organization having a number of offices across a wide geographical area has developed a disaster recovery plan. Using actual resources, which of the following is the MOST cost-effective test of the disaster recovery plan?
A. Full oper
You are correct, the answer is B.

An enterprise is developing a new procurement system, and things are behind schedule. As a result, it is proposed that the time originally planned for the testing phase be shortened. The project manager asks the IS auditor for recommendations to mitigate
You are correct, the answer is A.

The MOST important difference between hashing and encryption is that hashing:
A. is irreversible.
B. output is the same length as the original message.
C. is concerned with integrity and security.
D. is the same at the sending and receiv
You are correct, the answer is A.

When installing an intrusion detection system (IDS), which of the following is MOST important?
A. Properly locating it in the network architecture
B. Preventing denial-of-service (DoS) attacks
C. Identifying messages that need to be quar
You are correct, the answer is A.

Which of the following is widely accepted as one of the critical components in networking management?
A. Configuration management
B. Topological mappings
C. Application of monitoring tools
D. Proxy server troubleshooting
You are correct, the answer is A.

Which of the following technologies is the BEST defense against a distributed denial-of-service (DDoS) attack?
A. Stateful inspection firewall
B. Cloud computing
C. Load balancing
D. Multiple Internet service provider (ISP) connections
You are correct, the answer is C.

Which of the following recovery strategies is MOST appropriate if the recovery time objective (RTO) is high?
A. Warm site
B. Cold site
C. Hot site
D. Mobile site
You answered C. The correct answer is B.
A. If the RTO is high, it is financially reckless to use a warm site.
B. If the RTO is high, then the acceptable downtime is high. A cold site will be appropriate in such situations.
C. If the RTO is high a hot sit

As an outcome of information security governance, strategic alignment provides:
A. security requirements driven by enterprise requirements.
B. baseline security following best practices.
C. institutionalized and commoditized solutions.
D
You are correct, the answer is A.

The Secure Sockets Layer (SSL) protocol addresses the confidentiality of a message through:
A. symmetric encryption.
B. message authentication code.
C. hash function.
D. digital signature certificates.
You are correct, the answer is A.

An IS auditor reviewing the process to monitor access logs wishes to evaluate the manual log review process. Which of the following audit techniques would the auditor MOST likely employ to fulfill this purpose?
A. Inspection
B. Inquiry
C
You answered A. The correct answer is C.
A. Inspection is just one component of a walk-through and by itself does not supply enough information to provide a full understanding of the overall process and identify potential control weaknesses.
B. Inquiry pr

Online banking transactions are being posted to the database when processing suddenly comes to a halt. The integrity of the transaction processing is BEST ensured by:
A. database integrity checks.
B. validation checks.
C. input controls.
You are correct, the answer is D.

Comparing data from an accounts payable application with invoices received from vendors in the month of December is BEST described as:
A. substantive testing.
B. compliance testing.
C. qualitative analysis.
D. judgment sampling.
You are correct, the answer is A.

Which significant risk is introduced by running the file transfer protocol (FTP) service on a server in a demilitarized zone (DMZ)?
A. A user from within could send a file to an unauthorized person.
B. FTP services could allow a user to
You answered A. The correct answer is C.

Which of the following software testing methods provides the BEST feedback on how software will perform in the live environment?
A. Alpha testing
B. Regression testing
C. Beta testing
D. White box testing
You are correct, the answer is C.

Which of the following is an advantage of the top-down approach to software testing?
A. Interface errors are identified early.
B. Testing can be started before all programs are complete.
C. It is more effective than other testing approac
You are correct, the answer is A.

An IS auditor examining the security configuration of an operating system should review the:
A. transaction logs.
B. authorization tables.
C. parameter settings.
D. routing tables.
You answered A. The correct answer is C.

Which of the following backup techniques is the MOST appropriate when an organization requires extremely granular data restore points, as defined in the recovery point objective (RPO)?
A. Virtual tape libraries
B. Disk-based snapshots
C.
You answered D. The correct answer is C.

Which of the following physical access controls effectively reduces the risk of piggybacking?
A. Biometric door locks
B. Combination door locks
C. Deadman doors
D. Bolting door locks
You are correct, the answer is C.

During a logical access controls review, an IS auditor observes that user accounts are shared. The GREATEST risk resulting from this situation is that:
A. an unauthorized user may use the ID to gain access.
B. user access management is t
You answered A. The correct answer is C.

An IS auditor performing an independent classification of systems should consider a situation where functions could be performed manually at a tolerable cost for an extended period of time as:
A. critical.
B. vital.
C. sensitive.
D. nonc
You answered D. The correct answer is C.

During an audit of a business continuity plan (BCP), an IS auditor found that, although all departments were housed in the same building, each department had a separate BCP. The IS auditor recommended that the BCPs be reconciled. Which of the following ar
You answered C. The correct answer is A.

An organization is considering using a new IT service provider. From an audit perspective, which of the following would be the MOST important item to review?
A. References from other clients for the service provider
B. The physical secur
You are correct, the answer is C.

An organization sells books and music online at its secure web site. Transactions are transferred to the accounting and delivery systems every hour to be processed. Which of the following controls BEST ensures that sales processed on the secure web site a
You answered D. The correct answer is B.

A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing off on the accuracy and completeness of the data before going live?
A. IS audito
You are correct, the answer is D.

During a data center audit, an IS auditor observes that some parameters in the tape management system are set to bypass or ignore tape header records. Which of the following is the MOST effective compensating control for this weakness?
A
You answered D. The correct answer is A.

While conducting an audit, an IS auditor detects the presence of a virus. What should be the IS auditor's next step?
A. Observe the response mechanism.
B. Clear the virus from the network.
C. Inform appropriate personnel immediately.
D.
You are correct, the answer is C.

An accuracy measure for a biometric system is:
A. system response time.
B. registration time.
C. input file size.
D. false-acceptance rate (FAR).
You are correct, the answer is D.

An IS auditor has been assigned to review an organization's information security policy. Which of the following issues represents the HIGHEST potential risk?
A. The policy has not been updated in more than one year.
B. The policy include
You are correct, the answer is C.

The activation of an enterprise's business continuity plan should be based on predetermined criteria that address the:
A. duration of the outage.
B. type of outage.
C. probability of the outage.
D. cause of the outage.
You answered C. The correct answer is A.

An IS auditor is reviewing the process performed for the protection of digital evidence. Which of the following findings should be of MOST concern to the IS auditor?
A. The owner of the system was not present at the time of the evidence
You answered B. The correct answer is C.

Failure in which of the following testing stages would have the GREATEST impact on the implementation of new application software?
A. System testing
B. Acceptance testing
C. Integration testing
D. Unit testing
You answered C. The correct answer is B.

Which of the following recovery strategies is MOST appropriate for a business having multiple offices within a region and a limited recovery budget?
A. A hot site maintained by the business
B. A commercial cold site
C. A reciprocal arran
You are correct, the answer is C.

Which of the following is the MOST likely benefit of implementing a standardized infrastructure?
A. Improved cost-effectiveness of IT service delivery and operational support
B. Increased security of the IT service delivery center
C. Red
You are correct, the answer is A.

An IS auditor needs to review the procedures used to restore a software application to its state prior to an upgrade. Therefore, the auditor needs to assess:
A. problem management procedures.
B. software development procedures.
C. fallba
You are correct, the answer is C.

An IS auditor discovers that the chief information officer (CIO) of an organization is using a wireless broadband modem utilizing global system for mobile communications (GSM) technology. This modem is being used to connect the CIO's laptop to the corpora
You are correct, the answer is A.

Which of the following is the MOST effective when determining the correctness of individual account balances migrated from one database to another?
A. Compare the hash total before and after the migration.
B. Verify that the number of re
You answered B. The correct answer is C.

A company is implementing a dynamic host configuration protocol (DHCP). Given that the following conditions exist, which represents the GREATEST concern?
A. Most employees use laptops.
B. A packet filtering firewall is used.
C. The IP ad
You are correct, the answer is D.

The PRIMARY outcome of a business impact analysis (BIA) is:
A. a plan for resuming operations after a disaster.
B. a commitment of the organization to physical and logical security.
C. a framework for an effective disaster recovery plan
You are correct, the answer is D.
A. A BIA does establish a starting point for planning how to resume operations after a disaster. This is, however, not the primary purpose of a BIA.
B. The public's perception of an organization's physical and logical sec

The database administrator (DBA) suggests that database (DB) efficiency can be improved by denormalizing some tables. This would result in:
A. loss of confidentiality.
B. increased redundancy.
C. unauthorized accesses.
D. application malf
You answered D. The correct answer is B.

While reviewing sensitive electronic work papers, the IS auditor noticed that they were not encrypted. This could compromise the:
A. audit trail of the versioning of the work papers.
B. approval of the audit phases.
C. access rights to t
You are correct, the answer is D.

Which of the following is the MOST efficient way to test the design effectiveness of a change control process?
A. Test a sample population of change requests
B. Test a sample of authorized changes
C. Interview personnel in charge of the
You answered A. The correct answer is D.
A. Testing a sample population of changes is a test of operating effectiveness to ensure that users submitted the proper documentation/requests. It does not test the effectiveness of the design.
B. Testing changes

When evaluating IT outsourcing strategies, an IS auditor should be MOST concerned if which of the following elements is part of the strategy?
A. Transfer of legal compliance responsibility
B. Promoting long-term contracts rather than sho
You are correct, the answer is A.

An IT executive of an insurance company asked an external auditor to evaluate the user IDs for emergency access (fire call ID). The IS auditor found that fire call accounts are granted without a predefined expiration date. What should the IS auditor recom
You are correct, the answer is A.

During the audit of an acquired software package, an IS auditor finds that the software purchase was based on information obtained through the Internet, rather than from responses to a request for proposal (RFP). The IS auditor should FIRST:
You answered C. The correct answer is D.

A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it:
A. can identify high-risk areas that might need a detailed review later.
B. allows IS auditors to independently assess risk.
C.
You are correct, the answer is A.

The implementation of access controls FIRST requires:
A. a classification of IS resources.
B. the labeling of IS resources.
C. the creation of an access control list.
D. an inventory of IS resources
You answered A. The correct answer is D.

Which of the following processes will be MOST effective in reducing the risk that unauthorized software on a backup server is distributed to the production server?
A. Manually copy files to accomplish replication.
B. Review changes in th
You answered D. The correct answer is B.

What is the BEST method to facilitate successful user testing and acceptance of a new enterprise resource planning (ERP) payroll system that is replacing an existing legacy system?
A. Multiple testing
B. Parallel testing
C. Integration t
You are correct, the answer is B.

An IS auditor selects a server for a penetration test that will be carried out by a technical specialist. Which of the following is MOST important?Select an answer:A. The tools used to conduct the testB. Certifications held by the IS auditor C. Permiss
You are correct, the answer is C.
During an IS audit of a bank, the IS auditor is assessing whether the enterprise properly manages staff member access to the operating system. The IS auditor should determine whether the enterprise performs:Select an answer: A. periodic review of user ac
You are correct, the answer is A.
Which of the following will MOST successfully identify overlapping key controls in business application systems?Select an answer:A. Reviewing system functionalities that are attached to complex business processes B. Submitting test transactions through
You answered A. The correct answer is C.
Which of the following is the BEST reason to implement a policy which addresses secondary employment for IT employees?Select an answer:A. To ensure that employees are not misusing corporate resourcesB. To prevent conflicts of interest C. To prevent emp
You are correct, the answer is B.
A lower recovery time objective (RTO) results in:Select an answer:A. higher disaster tolerance.B. higher cost.C. wider interruption windows. D. more permissive data loss.
You are correct, the answer is B.
Electromagnetic emissions from a terminal represent an exposure because they:Select an answer:A. affect noise pollution.B. disrupt processor functions.C. produce dangerous levels of electric current. D. can be detected and displayed.
You are correct, the answer is D.
An IS auditor reviewing database controls discovered that changes to the database during normal working hours were handled through a standard set of procedures. However, changes made after normal hours required only an abbreviated number of steps. In this
You are correct, the answer is C.
After installing a network, an organization implemented a vulnerability assessment tool or security scanner to identify possible weaknesses. Which is the MOST serious risk associated with such tools?Select an answer:A. Differential reporting B. False-po
You answered B. The correct answer is C.
While reviewing an ongoing project, the IS auditor notes that the development team has spent eight hours of activity on the first day against a budget of 24 hours (over three days). The projected time to complete the remainder of the activity is 20 hours.
You are correct, the answer is A.
An IS auditor is evaluating processes put in place by management at a storage location containing computer equipment. One of the test procedures compares the equipment on location with the inventory records. This type of testing procedure executed by the
You answered D. The correct answer is A.A. Substantive testing obtains audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period. B. Compliance testing is evidence gathering for the purpose of testing
Which of the following recovery strategies is MOST appropriate if the recovery time objective (RTO) is high?Select an answer:A. Warm siteB. Cold siteC. Hot site D. Mobile site
You are correct, the answer is B.A. If the RTO is high, it is financially reckless to use a warm site.B. If the RTO is high, then the acceptable downtime is high. A cold site will be appropriate in such situations. C. If the RTO is high a hot site is no
Which of the following controls helps prevent duplication of vouchers during data entry?Select an answer:A. A range checkB. Transposition and substitutionC. A sequence check D. A cyclic redundancy check (CRC)
You are correct, the answer is C.
A large chain of shops with electronic funds transfer (EFT) at point-of-sale devices has a central communications processor for connecting to the banking network. Which of the following is the BEST disaster recovery plan for the communications processor?
You are correct, the answer is D.
Which of the following represents the GREATEST risk created by a reciprocal agreement for disaster recovery made between two companies?A. Developments may result in hardware and software incompatibility.B. Resources may not be available when needed. C.
You answered C. The correct answer is A.
The PRIMARY objective of testing a business continuity plan is to:A. familiarize employees with the business continuity plan.B. ensure that all residual risk is addressed.C. exercise all possible disaster scenarios. D. identify limitations of the busin
You answered B. The correct answer is D.
Java applets and Active X controls are distributed executable programs that execute in the background of a web browser client. This practice is considered reasonable when:A. a firewall exists.B. a secure web connection is used. C. the source of the exec
You answered D. The correct answer is C.
An IS auditor should use statistical sampling and not judgmental (nonstatistical) sampling, when:A. the probability of error must be objectively quantified.B. the auditor wishes to avoid sampling risk.C. generalized audit software is unavailable. D. th
You answered B. The correct answer is A.
Which of the following BEST mitigates the risk of backup media containing irreplaceable information being lost or stolen while in transit?A. Ensure that media are encrypted.B. Maintain a duplicate copy.C. Maintain chain of custody. D. Ensure that perso
You answered A. The correct answer is B.A. Although strong encryption protects against disclosure, it will not mitigate the loss of irreplaceable data. B. Sensitive data should always be fully backed up before being transmitted or moved. Backups of sensi
A medium-sized organization, whose IT disaster recovery measures have been in place and regularly tested for years, has just developed a formal business continuity plan (BCP). A basic BCP tabletop exercise has been performed successfully. Which testing sh
You answered C. The correct answer is D.
The MOST likely explanation for the use of applets in an Internet application is that:Select an answer:A. it is sent over the network from the server.B. the server does not run the program and the output is not sent over the network. C. they improve th
You answered D. The correct answer is C.
To ensure message integrity, confidentiality and nonrepudiation between two parties, the MOST effective method would be to create a message digest by applying a cryptographic hashing algorithm against:Select an answer: A. the entire message, enciphering
You answered D. The correct answer is A.
Once an organization has finished the business process reengineering (BPR) of all its critical operations, an IS auditor would MOST likely focus on a review of:Select an answer:A. pre-BPR process flowcharts.B. post-BPR process flowcharts. C. BPR projec
You are correct, the answer is B.
An IS auditor is assessing a biometric fingerprint system that protects a data center containing protected health information. The auditor should be MOST concerned with which of the following?Select an answer:A. False rejection rate (FRR) B. Crossover e
You answered D. The correct answer is C.
Which of the following is the MOST important function to be performed by IS management when a service has been outsourced?Select an answer:A. Ensuring that invoices are paid to the providerB. Participating in systems design with the provider C. Renegot
You are correct, the answer is D.
An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation?Select an answer:A. Log all table update transactions. B. Implement integrity constraints in the
You are correct, the answer is B.
An IS auditor is assisting in the design of the emergency change control procedures for an organization with a limited budget. Which of the following recommendations BEST helps to establish accountability for the system support personnel?
You answered D. The correct answer is A.
The BEST method of confirming the accuracy of a system tax calculation is by:Select an answer:A. detailed visual review and analysis of the source code of the calculation programs. B. recreating program logic using generalized audit software to calculat
You are correct, the answer is C.
An IS auditor has been assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST?Select an answer:A. An audit clause is present in all contracts. B. The service
You answered B. The correct answer is C.
In a small manufacturing business, an IT employee is doing both manufacturing work as well as all the programming activities. Which of the following is the BEST control to mitigate risk in the given scenario?Select an answer: A. Access restrictions to pr
You answered C. The correct answer is D.
The BEST time for an IS auditor to assess the control specifications of a new application software package which is being considered for acquisition is during:Select an answer:A. the internal lab testing phase.B. testing and prior to user acceptance. C
You are correct, the answer is C.
A proposed transaction processing application will have many data capture sources and outputs in paper and electronic form. To ensure that transactions are not lost during processing, an IS auditor should recommend the inclusion of:Select an answer: A. v
You answered A. The correct answer is D.
An advantage of using sanitized live transactions in test data is that:Select an answer:A. all transaction types will be included.B. every error condition is likely to be tested.C. no special routines are required to assess the results. D. test transa
You are correct, the answer is D.
When reviewing a project where quality is a major concern, an IS auditor should use the project management triangle to explain that:Select an answer:A. increases in quality can be achieved, even if resource allocation is decreased. B. increases in quali
You answered B. The correct answer is A.
An IS auditor is reviewing a monthly accounts payable transaction register using audit software. For what purpose would the auditor be interested in using a check digit?Select an answer:A. To detect data transposition errors. B. To ensure that transacti
You are correct, the answer is A.A. A check digit is a numeric value added to data to ensure that original data are correct and have not been altered.B. Ensuring that data have not exceeded a predetermined amount is a limit check. C. Ensuring that data
Which of the following should an IS auditor review to gain an understanding of the effectiveness of controls over the management of multiple projects?Select an answer:A. Project databaseB. Policy documentsC. Project portfolio database D. Program organ
You are correct, the answer is C.
An IS auditor is reviewing a project for the implementation of a mission-critical system and notes that, instead of parallel implementation, the team opted for an immediate cutover to the new system. Which of the following is the GREATEST concern?
You are correct, the answer is A.
Which of the following carries the LOWEST risk when managing failures while transitioning from legacy applications to new applications?Select an answer:A. Phased changeoverB. Abrupt changeoverC. Rollback procedure D. Parallel changeover
You are correct, the answer is D.A. Phased changeover involves the changeover from the old system to the new system in a phased manner. Therefore, at no time will the old system and the new system both be fully operational as one integrated system. B. In
An IS auditor is reviewing a new web-based order entry system the week before it goes live. The auditor has identified that the application, as designed, may be missing several critical controls regarding how the system stores customer credit card informa
You are correct, the answer is C.
Which of the following types of risk could result from inadequate software baselining?Select an answer:A. Sign-off delaysB. Software integrity violationsC. Scope creep D. Inadequate controls
You answered A. The correct answer is C.A. Sign-off delays may occur due to inadequate software baselining; however, these are most likely caused by scope creep. B. Software integrity violations can be caused by hardware or software failures, malicious i
An IS auditor assesses the project management process for an internal software development project. In respect to the software functionality, the IS auditor should look for sign-off by:Select an answer:A. the project manager. B. systems development mana
You are correct, the answer is C.A. The project manager provides day-to-day management and leadership of the project and ensures that project activities remain in line with the overall direction. B. Systems development management provides technical suppo
Which of the following types of risk is MOST likely encountered in a Software as a Service (SaaS) environment?Select an answer:A. Noncompliance with software license agreementsB. Performance issues due to Internet delivery method C. Higher cost due to
You are correct, the answer is B.
An organization stores and transmits sensitive customer information within a secure wired network. It has implemented an additional wireless local area network (WLAN) to support general-purpose staff computing needs. A few employees with WLAN access have
You are correct, the answer is D.
An e-commerce organization with a complex technological environment has numerous concurrent projects. This often results in production system changes. What is the MOST suitable approach to managing system changes so that system outages are minimized?
You are correct, the answer is B.
Which of the following helps an IS auditor evaluate the quality of new software that is developed and implemented?
Select an answer:
A. The reporting of the mean time between failures over time
B. The overall mean time to repair failures
C. The first repo
You answered A. The correct answer is C.
A. The mean time between failures that are repetitive includes the inefficiency in fixing the first reported failures and is a reflection on the response team or help desk team in fixing the reported issues.
B. The
When reviewing the desktop software compliance of an organization, the IS auditor should be MOST concerned if the installed software:
Select an answer:
A. was installed, but not documented in the IT department records.
B. was installed and the license has
You are correct, the answer is C.
An IS auditor wants to analyze audit trails on critical servers to discover potential anomalies in user or system behavior. Which of the following is the MOST suitable for performing that task?
Select an answer:
A. Computer-aided software engineering (CAS
You answered A. The correct answer is C.
Which of the following would contribute MOST to an effective business continuity plan (BCP)?
Select an answer:
A. The document is circulated to all interested parties.
B. Planning involves all user departments.
C. The plan is approved by senior management
You are correct, the answer is B.
A database administrator has detected a performance problem with some tables which could be solved through denormalization. This situation will increase the risk of:
Select an answer:
A. concurrent access.
B. deadlocks.
C. unauthorized access to data.
D.
You are correct, the answer is D.
A perpetrator looking to gain access to and gather information about encrypted data being transmitted over the network would use:
Select an answer:
A. eavesdropping.
B. spoofing.
C. traffic analysis.
D. masquerading.
You are correct, the answer is C.
Corporate IS policy for a call center requires that all users be assigned unique user accounts. On discovering that this is not the case for all current users, what is the MOST appropriate recommendation?
You answered A. The correct answer is C.
There is a concern that the risk of unauthorized access may increase after implementing a single sign-on (SSO) process. To prevent unauthorized access, the MOST important action is to:
A. ensure that all failed authentication attempts are monitored.
B. re
You answered A. The correct answer is D.
A. Ensuring that all failed authentication attempts are monitored is a good practice; however, a strong password policy is a better preventive control.
B. Reviewing the log files can increase the probability of det
Network Data Management Protocol (NDMP) technology should be used for backup if:
A. a network attached storage (NAS) appliance is required.
B. the use of TCP/IP must be avoided.
C. file permissions that cannot be handled by legacy backup systems must be b
You are correct, the answer is A.
NDMP defines three kinds of services:
1. A data service that interfaces with the primary storage to be backed up or restored
2. A tape service that interfaces with the secondary storage (primarily a tape device)
3. A trans
An IS audit department is planning to minimize its dependency on key individuals. Activities that contribute to this objective are documented procedures, knowledge sharing, cross-training, and:
A. succession planning.
B. staff job evaluation.
C. responsib
You answered C. The correct answer is A.
Who should review and approve system deliverables as they are defined and accomplished to ensure the successful completion and implementation of a new business system application?
A. User management
B. Project steering committee
C. Senior management
D. Qu
You answered C. The correct answer is A.
Which of the following security measures BEST ensures the integrity of information stored in a data warehouse?
A. Validated daily backups
B. Change management procedures
C. Data dictionary maintenance
D. A read-only restriction
You answered A. The correct answer is D.
An investment advisor emails periodic newsletters to clients and wants reasonable assurance that no one has modified the newsletter. This objective can be achieved by:
A. encrypting the hash of the newsletter using the advisor's private key.
B. encrypting
You answered C. The correct answer is A.
Which of the following is the BEST method of disposing of sensitive data on a former employee's laptop so that it can be reused by another employee?
A. Overwrite the hard drive sectors.
B. Degauss the hard drive.
C. Reimage the computer.
D. Format the har
You answered B. The correct answer is A.
Two-factor authentication can be circumvented through which of the following attacks?
A. Denial-of-service
B. Man-in-the-middle
C. Key logging
D. Brute force
You are correct, the answer is B.
The BEST method of confirming the accuracy of a system tax calculation is by:
A. detailed visual review and analysis of the source code of the calculation programs.
B. recreating program logic using generalized audit software to calculate monthly totals.
You answered B. The correct answer is C.
For a mission-critical application with a low recovery time objective (RTO), the IS auditor would recommend the use of which of the following recovery strategies?
A. Mobile site
B. Redundant site
C. Hot site
D. Reciprocal agreements
You are correct, the answer is B.
Which of the following is the BEST performance criterion for evaluating the adequacy of an organization's security awareness training?
You answered C. The correct answer is B.
To ensure compliance with a security policy requiring that passwords be a combination of letters and numbers, an IS auditor should recommend that:
A. the company policy be changed.
B. passwords are periodically changed.
C. an automated password management
You answered A. The correct answer is C.
During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that:
Select an answer:
A. assessment of the situation may be
You are correct, the answer is B.
When reviewing the IT strategic planning process, an IS auditor should ensure that the plan:
Select an answer:
A. incorporates state of the art technology.
B. addresses the required operational controls.
C. articulates the IT mission and vision.
D. specif
You are correct, the answer is C.
An IS audit department is planning to minimize its dependency on key individuals. Activities that contribute to this objective are documented procedures, knowledge sharing, cross-training, and:
Select an answer:
A. succession planning.
B. staff job evalua
You are correct, the answer is A.
The BEST method for assessing the effectiveness of a business continuity plan is to review the:
Select an answer:
A. plans and compare them to appropriate standards.
B. results from previous tests.
C. emergency procedures and employee training.
D. offsite
You are correct, the answer is B.
Which of the following is the BEST method to ensure that the business continuity plan (BCP) remains up to date?
Select an answer:
A. The group walks through the different scenarios of the plan, from beginning to end.
B. The group ensures that specific sys
You are correct, the answer is A.
With respect to business continuity strategies, an IS auditor interviews key stakeholders in an organization to determine whether they understand their roles and responsibilities. The IS auditor is attempting to evaluate the:
Select an answer:
A. clarity
You are correct, the answer is A.
An IS auditor reviewing an organization that uses cross-training practices should assess the risk of:
Select an answer:
A. dependency on a single person.
B. inadequate succession planning.
C. one person knowing all parts of a system.
D. a disruption of op
You are correct, the answer is C.
An IS auditor was hired to review e-business security. The IS auditor's first task was to examine each existing e-business application, looking for vulnerabilities. What would be the next task?
Select an answer:
A. Immediately report the risk to the chief
You are correct, the answer is C.
Which of the following activities performed by a database administrator (DBA) should be performed by a different person?
Select an answer:
A. Deleting database activity logs
B. Implementing database optimization tools
C. Monitoring database usage
D. Defin
You are correct, the answer is A.
An organization has outsourced its help desk activities. An IS auditor's GREATEST concern when reviewing the contract and associated service level agreement (SLA) between the organization and vendor should be the provisions for:
Select an answer:
A. docum
You are correct, the answer is B.
A financial institution has recently developed and installed a new deposit system which interfaces with their customer web site and their automated teller machines (ATMs). During the project, the development team and the business continuity team maintaine
You are correct, the answer is A.
A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential losses, the team should:
Select an answer:
A. compute the amortization of the related assets.
B. calculate a re
You answered A. The correct answer is C.
Effective IT governance requires organizational structures and processes to ensure that:
Select an answer:
A. the organization's strategies and objectives extend the IT strategy.
B. the business strategy is derived from an IT strategy.
C. IT governance is
You are correct, the answer is D.
Which of the following tasks should be performed FIRST when preparing a disaster recovery plan?
Select an answer:
A. Develop a recovery strategy.
B. Perform a business impact analysis (BIA).
C. Map software systems, hardware and network components.
D. App
You are correct, the answer is B.
When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is
You answered A. The correct answer is B.
For effective implementation after a business continuity plan (BCP) has been developed, it is MOST important that the BCP be:
Select an answer:
A. stored in a secure, offsite facility.
B. approved by senior management
C. communicated to appropriate person
You are correct, the answer is C.
When developing a security architecture, which of the following steps should be executed FIRST?
Select an answer:
A. Developing security procedures
B. Defining a security policy
C. Specifying an access control methodology
D. Defining roles and responsibil
You are correct, the answer is B.
Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems?
Select an answer:
A. User management coordination does not exist.
B. Specific user accountability cannot be established.
C. Unauthorized user
You are correct, the answer is C.
A long-term IS employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be MOST based on the individual's
You answered C. The correct answer is D.
In a public key infrastructure (PKI), which of the following may be relied upon to prove that an online transaction was authorized by a specific customer?
A. Nonrepudiation
B. Encryption
C. Authentication
D. Integrity
You answered C. The correct answer is A.
The initial step in establishing an information security program is the:
A. development and implementation of an information security standards manual.
B. performance of a comprehensive security control review by the IS auditor.
C. adoption of a corporate
You answered A. The correct answer is C.
Which of the following IT governance best practices improves strategic alignment?
A. Supplier and partner risk is managed.
B. A knowledge base on customers, products, markets and processes is in place.
C. A structure is provided that facilitates the creat
You answered A. The correct answer is D.
During an IS audit of a global organization, the IS auditor discovers that the organization uses voice-over IP (VoIP) over the Internet as the sole means of voice connectivity among all offices. Which of the following presents the MOST significant risk fo
You answered A. The correct answer is B.
Which of the following should be of PRIMARY concern to an IS auditor reviewing the management of external IT service providers?
A. Minimizing costs for the services provided
B. Prohibiting the provider from subcontracting services
C. Evaluating the proces
You answered B. The correct answer is D.
Which of the following is an attribute of the control self-assessment (CSA) approach?
A. Broad stakeholder involvement
B. Auditors are the primary control analysts
C. Limited employee participation
D. Policy driven
You answered D. The correct answer is A.
Which of the following is the BEST indicator that a newly developed system will be used after it is in production?
A. Regression testing
B. User acceptance testing (UAT)
C. Sociability testing
D. Parallel testing
You answered C. The correct answer is B.
A. Regression test results do not assist with the user experience and are primarily concerned with new functionality or processes and whether those changes altered or broke previous functionality.
B. UAT is underta
Which of the following would be the BEST approach to ensure that sufficient test coverage will be achieved for a project with a strict end date and a fixed time to perform testing?
You answered B. The correct answer is A.
Which of the following is the MOST critical and contributes the greatest to the quality of data in a data warehouse?
Select an answer:
A. Accuracy of the source data
B. Credibility of the data source
C. Accuracy of the extraction process
D. Accuracy of th
You are correct, the answer is A.
An organization sells books and music online at its secure web site. Transactions are transferred to the accounting and delivery systems every hour to be processed. Which of the following controls BEST ensures that sales processed on the secure web site a
You are correct, the answer is B.
Change control for business application systems being developed using prototyping could be complicated by the:
Select an answer:
A. iterative nature of prototyping.
B. rapid pace of modifications in requirements and design.
C. emphasis on reports and scre
You answered A. The correct answer is B.
Which of the following is MOST relevant to an IS auditor evaluating how the project manager has monitored the progress of the project?
Select an answer:
A. Critical path diagrams
B. Program evaluation review technique (PERT) diagrams
C. Function point ana
You answered B. The correct answer is D.
A. Critical path diagrams are used to determine the critical path for the project that represents the shortest possible time required for completing the project.
B. PERT diagrams are a critical path method (CPM) te
When transmitting a payment instruction, which of the following will help verify that the instruction was not duplicated?
Select an answer:
A. Using a cryptographic hashing algorithm
B. Enciphering the message digest
C. Deciphering the message digest
D. U
You are correct, the answer is D.
An organization has an integrated development environment (IDE) on which the program libraries reside on the server, but modification/development and testing are done from PC workstations. Which of the following would be a strength of an IDE?
You are correct, the answer is B.
Which of the following is an advantage of the top-down approach to software testing?
Select an answer:
A. Interface errors are identified early.
B. Testing can be started before all programs are complete.
C. It is more effective than other testing approac
You are correct, the answer is A.
Which of the following should be included in a feasibility study for a project to implement an electronic data interchange (EDI) process?
Select an answer:
A. The encryption algorithm format
B. The detailed internal control procedures
C. The necessary com
You are correct, the answer is C.
Which of the following would be the MOST cost-effective recommendation for reducing the number of defects encountered during software development projects?
Select an answer:
A. Increase the time allocated for system testing.
B. Implement formal software i
You are correct, the answer is B.
The editing/validation of data entered at a remote site would be performed MOST effectively at the:
Select an answer:
A. central processing site after running the application system.
B. central processing site during the running of the application system.
You are correct, the answer is D.
While reviewing an ongoing project, the IS auditor notes that the development team has spent eight hours of activity on the first day against a budget of 24 hours (over three days). The projected time to complete the remainder of the activity is 20 hours.
You are correct, the answer is A.
A company has implemented a new client-server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are entered accurately and the c
You are correct, the answer is A.
When reviewing input controls, an IS auditor observes that, in accordance with corporate policy, procedures allow supervisory override of data validation edits. The IS auditor should:
Select an answer:
A. not be concerned since there may be other compensa
You answered C. The correct answer is B.
Results of a postimplementation review indicate that only 75 percent of the users can log in to the application concurrently. Which of the following could have BEST discovered the identified weakness of the application?
Select an answer:
A. Load testing
B
You answered C. The correct answer is B.
A. Load testing evaluates the performance of the software at peak hours.
B. Stress testing determines the capacity of the software to cope with an incremental number of concurrent users.
C. Recovery testing evaluat
Which of the following controls helps prevent duplication of vouchers during data entry?
Select an answer:
A. A range check
B. Transposition and substitution
C. A sequence check
D. A cyclic redundancy check (CRC)
You are correct, the answer is C.
An IS auditor is reviewing a project that is using an agile software development approach. Which of the following should the IS auditor expect to find?
Select an answer:
A. Use of a capability maturity model (CMM)
B. Regular monitoring of task-level progr
You are correct, the answer is D.
An IS auditor is reviewing a new web-based order entry system the week before it goes live. The auditor has identified that the application, as designed, may be missing several critical controls regarding how the system stores customer credit card informa
You are correct, the answer is C.