Which of the following best mitigates the risk of backup media containing irreplaceable information being lost or stolen while in transit?

When approximately 22 terabytes (TB) of Dallas Police Department (DPD) (Texas, USA) data were accidentally deleted during a cloud migration in March 2021, ultimately only 14 TB could be recovered, affecting myriad case files and prosecutorial actions.1 The City of Dallas later released a 131-page report which uncovered that DPD protocols for data management had been "inadequate."2 The DPD is not alone. Even highly experienced data managers and organizations can be at risk when it comes to data backup and recovery procedures.

Reduce Risk With the 3-2-1 Rule

Disruption to data is more a matter of when it will occur than if it will occur. A 2021 data center fire at a French cloud service provider (CSP) disrupted millions of websites, including government portals, banks and retailers.3 The CSP faced a difficult recovery because both copies of customer data had been backed up at a single location. The data center fire is a prime example of the need for resilience in digital disruption, especially in an environment of increasing cyberrisk, including hostile state-sponsored threats to critical infrastructures.4

To reduce the risk of data disruption, organizations should keep at least 3 copies of their data, stored on at least 2 different types of media, with at least 1 copy held offsite. This is referred to as the 3-2-1 rule.5 With 3 copies of important files and information, an organization can recover even from an accident that destroys more than one copy at once. The copies must not all live on the same media or in the same failure domain: a backup that stays permanently mounted or is continuously synchronised with the primary data is exposed to the same ransomware, accidental deletion and site-level disaster as the original, which is the lesson of both incidents above.

At least 1 offline copy should be created and maintained in addition to on-premises and cloud storage versions of data. Local backups should be stored on portable hardware-encrypted storage devices that are disconnected from the network and from any host once the backup has been written, so that an attacker who compromises the production environment cannot reach them. Portable and removable devices with built-in hardware encryption, used across the workforce, give an organization a backup it controls regardless of the breach, attack, damage, disaster or other disruption that affects its primary systems.

Removable storage devices complement the cloud, enabling the retention of some element of control over the data rather than abdicating all responsibility to a CSP. Employees at all levels should be knowledgeable of procedures and incorporate backups into their everyday work.

Develop a Procedure and Adhere to It

Most people understand that all organizations should consistently secure and back up their data, yet often this is not the case. Too often an enterprise becomes distracted and shifts its attention to other challenges. Today, those challenges may take the form of hybrid working and remote workforce management. Organizations may rely too much on faith when it comes to the security of data at rest or stored in the cloud. Often there is not even a written backup and recovery plan or policy in place and, if there is a strategy, it is not adhered to, or its status is unknown. 


The Apricorn 2021 Global IT Security Survey reported that 49% of IT professionals say individual employees in their organization do not consider themselves potential attack targets for access to enterprise data.6 More than 50% of respondents to a recent Apricorn poll note that they, or their employees, have experienced a loss of data as a result of not creating backups or a backup failure.7 Despite this, more than 60% of respondents state that they are not required to play a role in backing up enterprise data. Worryingly, one-third of respondents admit to not backing up data to a second offsite location.8 Of those who do, approximately 30% back up to the cloud and slightly more than 20% rely on storage devices for secondary backup.

Meanwhile, the COVID-19 pandemic has also created ongoing vulnerabilities. Even beyond the pandemic, remote work will likely continue to play a larger role for many organizations. Enterprises therefore must remain aware of the many new attack vectors represented by remote connections and hybrid working environments. In addition, large volumes of data now move beyond the boundaries of the enterprise network.

Consider the Increasing Consequences

Compounding these issues, threats to organizational and personal data and to the network itself continue to evolve and become more sophisticated. Today's cyberthreat landscape typically demands a multifaceted approach to best-practice cybersecurity. Addressing data protection, backup and recovery plays a central role in mitigating risk from any cyberattack to critical infrastructure and organizational information.

Secure data backup processes can maximize data control, limit unauthorized access to backup data and facilitate fast restoration of operations in the event of a breach or attack. The consequences of not addressing the situation can be catastrophic. Poor management and a lack of preparation constantly threaten the security of data and information. Data sprawl increases the risk of data loss, whether from a common cyberthreat such as a ransomware attack or from a force majeure event, and with it the risk of downtime, financial loss and reputational damage.

Organizations are at high risk of external investigations and penalties, including heavy fines. In addition, financial damage can result in costs related to restitution and repair, and an increased price to pay for future protection. Further costs are accrued by negative media coverage of the organization, which damages brands and can cause customer exits or deter new customers, impeding growth.

Use Your Backup for a Fast, Efficient Recovery

Making solid investments in data backup and recovery planning can save organizations considerable amounts of time and money in the future. The best pathways to achieve this have been made clear, including many different options for data backup for organizations with different requirements and challenges.

Above all, centering an effective backup-and-recovery strategy around multiple copies of data provides both insurance against future cyberattacks and flexibility, defending against data loss due to weather, human error, hardware failure and more. As part of an up-to-date, regularly reviewed, multilayered cybersecurity approach, it is key to frequently back up data, including offline backups, and regularly practice procedures for data recovery from those backups. Stakeholders should ensure that all enterprise data are encrypted and offline backups remain inaccessible to unauthorized users.9, 10 Lastly, it is important to create a plan for quick data restoration in the event of disruption.
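The recovery drill the paragraph calls for can be scripted so that it runs the same way every time. The following Python example is added here and is not part of the article or of any Apricorn product: it packs a directory into a tar archive with an embedded SHA-256 manifest, restores it into a fresh directory while refusing archive members that would escape the restore location, and checks every restored file against the manifest. The directory layout, the file contents and the names such as `restore_drill` and `MANIFEST.json` are constructed for the example; a real drill would point it at an actual offline copy.

```python
"""Added example (not from the article): back up a directory with a SHA-256 manifest,
restore it safely, and verify the restored files. All paths and contents are constructed."""
import hashlib
import io
import json
import os
import tarfile
import tempfile

MANIFEST_NAME = "MANIFEST.json"  # assumption: the manifest travels inside the archive


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src_dir: str, archive_path: str) -> dict:
    """Write src_dir into a gzip tar and embed a manifest of relative path -> SHA-256."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
        data = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return manifest


def safe_extract(tar: tarfile.TarFile, dest: str) -> None:
    """Refuse members that would land outside dest (path traversal) or that are links."""
    dest = os.path.realpath(dest)
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(dest, member.name))
        if os.path.commonpath([dest, target]) != dest or member.issym() or member.islnk():
            raise ValueError(f"refusing unsafe archive member: {member.name}")
    if hasattr(tarfile, "data_filter"):  # newer Pythons also apply the built-in 'data' filter
        tar.extractall(dest, filter="data")
    else:
        tar.extractall(dest)


def verify_restore(archive_path: str, restore_dir: str) -> list:
    """Restore the archive, then report every manifest entry that is missing or altered."""
    with tarfile.open(archive_path, "r:gz") as tar:
        safe_extract(tar, restore_dir)
    with open(os.path.join(restore_dir, MANIFEST_NAME)) as f:
        manifest = json.load(f)
    problems = []
    for rel, digest in manifest.items():
        path = os.path.join(restore_dir, rel)
        if not os.path.isfile(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != digest:
            problems.append(f"hash mismatch: {rel}")
    return problems


def restore_drill() -> tuple:
    """Full cycle on constructed data: back up, restore, verify, then catch a corrupted file."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "src")
        os.makedirs(os.path.join(src, "cases"))
        with open(os.path.join(src, "cases", "file1.txt"), "w") as f:
            f.write("evidence record 1\n")  # constructed content
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("chain of custody notes\n")  # constructed content
        archive = os.path.join(work, "backup.tar.gz")
        manifest = create_backup(src, archive)

        restored = os.path.join(work, "restore")
        os.makedirs(restored)
        problems = verify_restore(archive, restored)  # a clean restore yields []

        # Corrupt one restored file and re-check it against the manifest.
        with open(os.path.join(restored, "notes.txt"), "a") as f:
            f.write("tampered\n")
        altered = [rel for rel, digest in manifest.items()
                   if sha256_file(os.path.join(restored, rel)) != digest]
        return problems, altered


def traversal_is_rejected() -> bool:
    """Build an archive containing a '../' member in memory and confirm safe_extract refuses it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.addfile(tarfile.TarInfo("../escaped.txt"), io.BytesIO(b""))
    buf.seek(0)
    with tempfile.TemporaryDirectory() as dest, tarfile.open(fileobj=buf, mode="r") as tar:
        try:
            safe_extract(tar, dest)
        except ValueError:
            return True
    return False


if __name__ == "__main__":
    print("restore drill (problems, altered):", restore_drill())
    print("traversal rejected:", traversal_is_rejected())
```

Run against a real backup, the outputs that matter are the problems list (empty on a good restore) and the wall-clock time the restore took, which is the figure to compare with the recovery time objective. The traversal check is there because restores usually run with elevated privileges; a crafted member name such as `../etc/passwd` would otherwise be written outside the restore directory.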

Data resilience can be straightforward if organizations begin with first principles, create a plan and adhere to it. Using the 3-2-1 method can ensure that organizational data assets are properly secured in the event of a data loss incident.

Endnotes

1 Osborne, R.; “City of Dallas Calls IT Protocols ‘Inadequate’ in 131-page Report on Police Data Loss,” WFAA, USA, 1 October 2021
2 Ibid.
3 Rosemain, M.; R. Satter; “Millions of Websites Offline After Fire at French Cloud Services Firm,” Reuters, 10 March 2021
4 Scimeca, D.; “Maintain Readiness Against Russian State-sponsored Cyberattacks,” IndustryWeek, 12 January 2022
5 Elliot, J.; “What Is the 3-2-1 Backup Rule?,” CO, USA, 6 October 2021
6 Apricorn, Apricorn 2021 Global IT Security Survey, 2021
7 Continuitycentral.com, “High Levels of Data Loss Due to Inadequate Backup Procedures Identified: Survey,” 14 October 2021
8 Help Net Security, “Most Employees Believe Backing Up Data Is Not Their Problem,” 18 October 2021
9 Fielding, J.; “Backing Up Data – Whose Job Is It Anyway?,” TechRadar, 14 November 2021
10 Donovan-Stevens, A.; “Encryption Is the Surest Way to Protect Data, So Why Isn’t Everyone Doing It?,” tbtech, 20 July 2021

Kurt Markley

Kurt Markley is the US managing director at Apricorn and has more than 20 years of experience in encryption and cybersecurity. He has worked with many organizations in the manufacturing, government, finance and health care industries to help strengthen their data protection.

CISA Practise Question Database 2013-2014

The PRIMARY advantage of a continuous audit approach is that it:
A. does not require an IS auditor to collect evidence on system reliability while processing is taking place.
B. requires the IS auditor to review and follow up immediately

1.1. The correct answer is C.
The use of continuous auditing techniques can improve system security when used in time-sharing environments that process a large number of transactions, but leave a scarce paper trail. Choice A is incorrect since the continu

Which of the following ensures the availability of transactions in the event of a disaster?
A. Send tapes hourly containing transactions offsite.
B. Send tapes daily containing transactions offsite.
C. Capture transactions to multiple st

4.10. The correct answer is D.
The only way to ensure availability of all transactions is to perform a real-time transmission to an offsite facility. Choices A and B are not in real time and, therefore, would not include all the transactions. Choice C doe

An organization has outsourced its help desk function. Which of the following indicators would be the BEST to include in the service level agreement (SLA)?
A. Overall number of users supported
B. Percentage of incidents solved in the fir

4.2. The correct answer is B.
Since it is about service level (performance) indicators, the percentage of incidents solved on the first call is the only option that is relevant. Choices A, C and D are not quality measures of the help desk service

Which of the following will MOST successfully identify overlapping key controls in business application systems?
A. Reviewing system functionalities that are attached to complex business processes
B. Submitting test transactions through

The correct answer is C.
As part of the effort to realize continuous audit management (CAM), there are cases for introducing an automated monitoring and auditing solution. All key controls need to be clearly aligned for systematic implementation; thus, an

Overall business risk for a particular threat can be expressed as:
A. a product of the likelihood and magnitude of the impact should a threat successfully exploit a vulnerability.
B. the magnitude of the impact should a threat source suc

2-8 The correct answer is A.
Choice A takes into consideration the likelihood and magnitude of the impact and provides the best measure of the risk to an asset. Choice B provides only the likelihood of a threat exploiting a vulnerability in the asset but

An IS auditor observes that one of the servers on the perimeter network is running a vulnerable operating system. What is the MOST likely implication due to the existence of a system vulnerability?
A. The server is susceptible to an atta

5.1. The correct answer is A.
Vulnerabilities, if not addressed, leave the server at a risk of being attacked. The existence of a vulnerability does not automatically imply that an attack will occur. A control may be designed only if it would be

Which of the following methods of suppressing a fire in a data center is the MOST effective and environmentally friendly?
A. Halon gas
B. Wet-pipe sprinklers
C. Dry-pipe sprinklers
D. Carbon dioxide gas

5.4. The correct answer is C.
Water sprinklers, with an automatic power shutoff system, are accepted as efficient because they can be set to automatic release without threat to life, and water is environmentally friendly. Sprinklers must be dry-pipe to pr

Which of the following should be included in a feasibility study for a project to implement an electronic data interchange (EDI) process?
A. The encryption algorithm format
B. The detailed internal control procedures
C. The necessary com

3.4. The correct answer is C.
Encryption algorithms, third-party agreements and internal control procedures are too detailed for this phase. They would only be outlined and any cost or performance implications shown. The communications protocols must be i

What kind of software application testing is considered the final stage of testing and typically includes users outside the development team?
A. Alpha testing
B. White box testing
C. Regression testing
D. Beta testing

3.5. The correct answer is D.
Beta testing is the final stage of testing and typically includes users outside the development area. Beta testing is a form of user acceptance testing (UAT), and generally involves a limited number of users who are

For a health care organization, which one of the following reasons would MOST likely indicate that the patient benefit data warehouse should remain in-house rather than be outsourced to an offshore operation?
A. There are regulations regarding data privac

2.4 The correct answer is A.
Regulations prohibiting the cross-border flow of personally identifiable information (PII) may make it impossible to locate a data warehouse containing customer/member information in another county. Training cost, rem

The purpose of a checksum on an amount field in an electronic data interchange (EDI) communication of financial transactions is to ensure:
A. integrity.
B. authenticity.
C. authorization.
D. nonrepudiation.

4.8 The correct answer is A.
A checksum calculated on an amount field and included in the EDI communication can be used to identify unauthorized modifications. Authenticity and authorization cannot be established by a checksum alone and need othe
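The distinction between integrity and authenticity in this answer is easy to see in code. The following Python example is added here and is not from the ISACA question bank: it protects an amount field first with a plain checksum and then with a keyed HMAC, and shows that an attacker who can alter the message can also recompute the checksum but cannot recompute the HMAC. The message layout, the shared key and the tampered amounts are constructed for the example.

```python
"""Added example (not from the question bank): a checksum versus a keyed MAC on an
EDI-style amount field. The key, message layout and amounts are constructed."""
import hashlib
import hmac

# Assumption: a key pre-shared between the two trading partners, never sent in the message.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def checksum(amount: str) -> str:
    """Unkeyed integrity tag: anyone, including an attacker, can recompute it."""
    return hashlib.sha256(amount.encode()).hexdigest()[:8]


def mac(amount: str, key: bytes = SHARED_KEY) -> str:
    """Keyed tag: recomputing it requires the shared key."""
    return hmac.new(key, amount.encode(), hashlib.sha256).hexdigest()


def build_message(amount: str, keyed: bool) -> dict:
    return {"amount": amount, "tag": mac(amount) if keyed else checksum(amount)}


def verify_message(msg: dict, keyed: bool) -> bool:
    """Recompute the tag on the received amount and compare in constant time."""
    expected = mac(msg["amount"]) if keyed else checksum(msg["amount"])
    return hmac.compare_digest(expected, msg["tag"])


def scenarios() -> dict:
    """Three cases: accidental corruption, deliberate tampering, tampering against a MAC."""
    results = {}

    # 1. Line noise flips a digit in transit; the tag is untouched, so the checksum catches it.
    msg = build_message("100.00", keyed=False)
    msg["amount"] = "190.00"
    results["checksum_detects_corruption"] = not verify_message(msg, keyed=False)

    # 2. An attacker changes the amount AND recomputes the public checksum: nothing is detected.
    msg = build_message("100.00", keyed=False)
    msg["amount"] = "1000.00"
    msg["tag"] = checksum(msg["amount"])
    results["checksum_detects_tampering"] = not verify_message(msg, keyed=False)

    # 3. The same attack against the MAC: without the key the attacker can only guess a tag.
    msg = build_message("100.00", keyed=True)
    msg["amount"] = "1000.00"
    msg["tag"] = mac(msg["amount"], key=b"attacker-guess")
    results["mac_detects_tampering"] = not verify_message(msg, keyed=True)

    # A genuine, unmodified MAC-protected message still verifies.
    results["mac_accepts_genuine"] = verify_message(build_message("100.00", keyed=True), keyed=True)
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

The HMAC establishes that whoever produced the tag held the shared key, which is sender authenticity between two parties; it still does not give nonrepudiation, because the receiver holds the same key and could have produced the tag as well. That is why option D needs a digital signature, where only the sender holds the signing key.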

Assessing IT risk is BEST achieved by:
A. evaluating threats associated with existing IT assets and IT projects.
B. using the firm's past actual loss experience to determine current exposure.
C. reviewing published loss statistics from comparable organiza

3.4 The correct answer is A.
To assess IT risk, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches. Choices B, C and D are potentially useful inputs to the risk assessment process, but by themselv

Which of the following is the MOST reliable sender authentication method?
A. Digital signatures
B. Asymmetric cryptography
C. Digital certificates
D. Message authentication code

2.9 The correct answer is C.
Digital certificates are issued by a trusted third party. The message sender attaches the certificate and the recipient can verify authenticity with the certificate repository. Asymmetric cryptography, such as public key infra

An organization is using an enterprise resource management (ERP) application. Which of the following would be an effective access control?
A. User-level permissions
B. Role-based
C. Fine-grained
D. Discretionary

5.5 The correct answer is B.
Role-based access controls the system access by defining roles for a group of users. Users are assigned to the various roles and the access is granted based on the user's role. User-level permissions for an ERP system

An organization can ensure that the recipients of emails from its employees can authenticate the identity of the sender by:
A. digitally signing all email messages.
B. encrypting all email messages.
C. compressing all email messages.
D. password protectin

5.2 The correct answer is A.
By digitally signing all email messages, the receiver will be able to validate the authenticity of the sender. Encrypting all email messages would ensure that only the intended recipient will be able to open the messa

A proposed transaction processing application will have many data capture sources and outputs in paper and electronic form. To ensure that transactions are not lost during processing, an IS auditor should recommend the inclusion of:
A. validation controls

5.2 The correct answer is D.
Automated systems balancing would be the best way to ensure that no transactions are lost as any imbalance between total inputs and total outputs would be reported for investigation and correction. Validation controls and inte

An IS auditor has been assigned to conduct a test that compares job run logs to computer job schedules. Which of the following observations would be of the GREATEST concern to the IS auditor?
A. There are a growing number of emergency changes.
B. There we

3.4 The correct answer is C.
The overriding of computer processing jobs by computer operators could lead to unauthorized changes to data or programs. This is a control concern; thus, it is always critical. The other options are not as critical because iss

An IS auditor suspects an incident (attack) is occurring while an audit is being performed on a financial system. What should the IS auditor do FIRST?
A. Request that the system be shut down to preserve evidence.
B. Report the incident to management.
C. A

1.3 The correct answer is B.
Reporting the suspected incident to management will help initiate the incident response process, which is the most appropriate action. Management is responsible for making decisions regarding the appropriate response. It is no

An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should:
A. apply the patch according to the patch's release notes.
B. ensure that a good chang

1.4 The correct answer is B.
An IS auditor must review the change management process, including patch management procedures, and verify that the process has adequate controls and make suggestions accordingly. The other choices are part of a good

At the end of the testing phase of software development, an IS auditor observes that an intermittent software error has not been corrected. No action has been taken to resolve the error. The IS auditor should:
A. report the error as a fi

3.5 The correct answer is C.
When an IS auditor observes such conditions, it is best to fully apprise the auditee and suggest that further problem resolutions be attempted. Recording it as a minor error and leaving it to the auditee's discretion

A lower recovery time objective (RTO) results in:
A. higher disaster tolerance.
B. higher cost.
C. wider interruption windows.
D. more permissive data loss.

4.11 The correct answer is B.
RTO is based on the acceptable downtime in case of a disruption of operations. The lower the RTO, the higher the cost of recovery strategies. The lower the disaster tolerance, the narrower the interruption windows, and the le

A development group is designing an Internet application that accepts customer orders. Which of the following features is a MAJOR concern during the review of the design phase?
A. The inclusion of technical information in error messages

5.2 The correct answer is A.
A. Applications that are exposed to the Internet should not include technical details in error messages because they could provide attackers with information about vulnerabilities.
B. It is a good practice to utilize stored pr

Which of the following procedures would MOST effectively detect the loading of illegal software packages onto a network?
A. The use of diskless workstations
B. Periodic checking of hard drives
C. The use of current antivirus software
D.

4.1 The correct answer is B.
The periodic checking of hard drives would be the most effective method of identifying illegal software packages loaded to the network. Antivirus software will not necessarily identify illegal software, unless the sof

A key IT systems developer has suddenly resigned from an enterprise. Which of the following will be the MOST important action?
A. Set up an exit interview with human resources (HR).
B. Initiate the handover process to ensure continuity o

2.2 The correct answer is C.
In order to protect IT assets, terminating logical access to IT resources is the first and most important action to take once management has confirmed the employee's clear intention to leave the enterprise. The interview with

Rotating job responsibilities is a good security practice PRIMARILY because it:
A. ensures that personnel are cross-trained.
B. improves employee morale.
C. maximizes employee performance.
D. reduces the opportunity for fraud.

2.3 The correct answer is D.
A. While cross-training is useful, it is not typically a security issue.
B. Improving morale is important, but it is not a security concern.
C. Job rotation may affect employee performance either positively or negatively.
D. W

Validated digital signatures in an email software application will:
A. help detect spam.
B. provide confidentiality.
C. add to the workload of gateway servers.
D. significantly reduce available bandwidth.

5.2 The correct answer is A.
Validated electronic signatures are based on qualified certificates that are created by a certification authority (CA), with the technical standards required to ensure the key can neither be forced nor reproduced in a

After an organization completed a threat and vulnerability analysis as part of a risk assessment, the final report suggested that an intrusion prevention system (IPS) should be installed at the main Internet gateways, and that all business units should be

2.9 The correct answer is A.
In a cost-benefit analysis, the total expected purchase and operational/support costs and a qualitative value for all actions are weighted against the total expected benefits in order to choose the best technical, most profita

Which of the following is the FIRST step performed prior to creating a risk ranking for the annual internal IS audit plan?
A. Prioritize the identified risk.
B. Define the audit universe.
C. Identify the critical controls.
D. Determine t

The correct answer is B.
A. Once the audit universe is defined, the auditor can prioritize risk based on its overall impact on different operational areas of the organization covered under the audit universe.
B. In a risk-based audit approach, the auditor

Which of the following distinguishes a business impact analysis (BIA) from a risk assessment?
A. An inventory of critical assets
B. An identification of vulnerabilities
C. A listing of threats
D. A determination of acceptable downtime

The correct answer is D.
A. An inventory of critical assets is completed in both a risk assessment and a BIA.
B. An identification of vulnerabilities is relevant in both a risk assessment and a BIA.
C. A listing of threats is relevant both in a risk asses

It is MOST appropriate to implement an incremental backup scheme when:
A. there is limited recovery time for critical data.
B. online disk-based media are preferred.
C. there is limited media capacity.
D. a random selection of backup set

The correct answer is C.
A. A full backup or differential backup is preferred in this situation.
B. Incremental backup could be used irrespective of the media adopted.
C. In an incremental backup, after the full backup, only the files that have changed are backed

Responsibility for the governance of IT should rest with the:
A. IT strategy committee.
B. chief information officer (CIO).
C. audit committee.
D. board of directors.

The correct answer is D.
Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appro

When auditing a disaster recovery plan for a critical business area, an IS auditor finds that it does not cover all the systems. Which of the following is the MOST appropriate action for the IS auditor?
A. Alert management and evaluate t

The correct answer is A.
An IS auditor should make management aware that some systems are omitted from the disaster recovery plan. An IS auditor should continue the audit and include an evaluation of the impact of not including all systems in the

Which of the following fire suppression systems is MOST appropriate to use in a data center environment?
A. Wet-pipe sprinkler system
B. Dry-pipe sprinkler system
C. FM-200 system
D. Carbon dioxide-based fire extinguishers

The correct answer is C.
FM-200 is safer to use than carbon dioxide. It is considered a clean agent for use in gaseous fire suppression applications. A water-based fire extinguisher is suitable when sensitive computer equipment could be damaged b

Which of the following antivirus software implementation strategies would be the MOST effective in an interconnected corporate network?
A. Server antivirus software
B. Virus walls
C. Workstation antivirus software
D. Virus signature upda

The correct answer is B.
An important means of controlling the spread of viruses is to detect the virus at the point of entry, before it has an opportunity to cause damage. In an interconnected corporate network, virus scanning software, used as an integr

A clerk changed the interest rate for a loan on a master file. The rate entered is outside the normal range for such a loan. Which of the following controls is MOST effective in providing reasonable assurance that the change was authorized?

The correct answer is A.
Choice A would prevent or detect the use of an unauthorized interest rate. Choice B informs the manager after the fact that a change was made, thereby making it possible for transactions to use an unauthorized rate prior to manage

Which of the following backup techniques is the MOST appropriate when an organization requires extremely granular data restore points, as defined in the recovery point objective (RPO)?
A. Virtual tape libraries
B. Disk-based snapshots
C.

The correct answer is C.
RPO is based on the acceptable data loss in the case of a disruption. In this scenario the organization needs a short RPO. Virtual tape libraries, disk-based snapshots and disk-to-tape backup would require time to complet

Which of the following is an appropriate test method to apply to a business continuity plan (BCP)?
A. Pilot
B. Paper
C. Unit
D. System

? 10; ?? ???? ?????????? ?????. ????? ?? A. Pilot

An organization has terminated a database administrator (DBA). The organization immediately removes all of the DBA's access to all company systems. The DBA threatens that the database will be deleted in two months unless he/she is paid a large sum of mone

The correct answer is D.
A logic bomb is hidden code that will activate when certain conditions are met; in this example, after a certain period of time. A virus is another type of malicious code, but it does not typically operate on a time delay

An organization has purchased a third-party application and made significant modifications. While auditing the development process for this critical, customer-facing application, the IS auditor noted that the vendor has been in business for only one year.

The correct answer is B.
A. While a viability study on the vendor may provide some assurance on the long-term availability of the vendor's services to the entity, in this case it is more important that the company has the rights to the source code.
B. Con

A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing-off on the accuracy and completeness of the data before going live?
A. IS audito

The correct answer is D.
During the data conversion stage of a project, the data owner is primarily responsible for reviewing and signing-off that the data are migrated completely, accurately and are valid. An IS auditor is not responsible for re

While reviewing sensitive electronic work papers, the IS auditor noticed that they were not encrypted. This could compromise the:
A. audit trail of the versioning of the work papers.
B. approval of the audit phases.
C. access rights to t

The correct answer is D.
Encryption provides confidentiality for the electronic work papers. Audit trails, audit phase approvals and access to the work papers do not, of themselves, affect the confidentiality but are part of the reason for requir

Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?
A. Overlapping controls
B. Boundary controls
C. Access controls
D. Compensating controls

The correct answer is D.
Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated. Overlapping controls are two controls add

Which of the following would be the BEST approach to ensure that sufficient test coverage will be achieved for a project with a strict end date and a fixed time to perform testing?
A. Rank requirements and test in terms of importance and

The correct answer is A.
The idea is to maximize the usefulness of testing by concentrating on the most important aspects of the system and, therefore, on the areas where defects represent the greatest risk to user acceptance. A further extension

Which of the following ensures a sender's authenticity and an email's confidentiality?
A. Encrypting the hash of the message with the sender's private key and thereafter encrypting the hash of the message with the receiver's public key
B

The correct answer is C.
To ensure authenticity and confidentiality, a message must be encrypted twice: first with the sender's private key, and then with the receiver's public key. The receiver can decrypt the message, thus ensuring confidential

During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is to:
A. address audit objectives.
B. collect sufficient evidence.
C. specify appropriate tests.
D. minimize audit resources.

The correct answer is A.
ISACA IT audit and assurance standards require that an IS auditor plan the audit work to address the audit objectives. Choice B is incorrect because the IS auditor does not collect evidence in the planning stage of an aud

An IS auditor discovers that devices connected to the network have not been included in a network diagram that had been used to develop the scope of the audit. The chief information officer (CIO) explains that the diagram is being updated and awaiting fin

The correct answer is B.
In a risk-based approach to an IS audit, the scope is determined by the impact the devices will have on the audit. If the undocumented devices do not impact the audit scope, then they may be excluded from the current audi

When reviewing the configuration of network devices, an IS auditor should FIRST identify:
A. the best practices for the type of network devices deployed.
B. whether components of the network are missing.
C. the importance of the network

The correct answer is C.
The first step is to understand the importance and role of the network device within the organization's network topology. After understanding the devices in the network, the best practice for using the device should be re

An IS auditor at a bank is performing compliance testing and has discovered that one of the branches has virus signatures that have not been updated in over six months. In this case, the IS auditor should recommend:
A. security awareness

The correct answer is B.
An automated process is a holistic solution across the branches. While security awareness and education are important, they would not resolve the issue of the outdated signatures. Reconfiguration of the firewall and imple

Which of the following is the MOST efficient way to test the design effectiveness of a change control process?
Select an answer:
A. Test a sample population of change requests
B. Test a sample of authorized changes
C. Interview personnel in charge of the

The correct answer is D.
A. Testing a sample population of changes is a test of operating effectiveness to ensure that users submitted the proper documentation/requests. It does not test the effectiveness of the design.
B. Testing changes that ha

Which of the following is the MOST reasonable option for recovering a noncritical system?
Select an answer:
A. Warm site
B. Mobile site
C. Hot site
D. Cold site

The correct answer is D.
Generally a cold site is contracted for a longer period at a lower cost. Since it requires more time to make a cold site operational, it is generally used for noncritical applications. A warm site is generally available a

An IS auditor discovers that URLs for online control self-assessment questionnaires are sent using URL shortening services. The use of URL shortening services would MOST likely increase the risk of which of the following attacks?
Select an answer:
A. IP s

The correct answer is B.
URL shortening services have been adopted by hackers to fool users and spread malware, i.e., phishing. IP spoofing is used to change the source IP address in a Transmission Control Protocol/Internet Protocol (TCP/IP) pack

A firewall is being deployed at a new location. Which of the following is the MOST important factor in ensuring a successful deployment?
Select an answer:
A. Reviewing logs frequently
B. Testing and validating the rules
C. Training a local administrator a

The correct answer is B.
A mistake in the rule set can render a firewall insecure. Therefore, testing and validating the rules is the most important factor in ensuring a successful deployment. A regular review of log files would not start until t

Which of the following is the PRIMARY purpose for conducting parallel testing?
Select an answer:
A. To determine whether the system is cost-effective
B. To enable comprehensive unit and system testing
C. To highlight errors in the program interfaces with

The correct answer is D.
The purpose of parallel testing is to ensure that the implementation of a new system will meet user requirements. Parallel testing may show that the old system is, in fact, better than the new system, but this is not the primary r

The use of object-oriented design and development techniques would MOST likely:
Select an answer:
A. facilitate the ability to reuse modules.
B. improve system performance.
C. enhance control effectiveness.
D. speed up the system development life cycle.

The correct answer is A.
One of the major benefits of object-oriented design and development is the ability to reuse modules. The other options do not normally benefit from the object-oriented technique.

The decisions and actions of an IS auditor are MOST likely to affect which of the following types of risk?
Select an answer:
A. Inherent
B. Detection
C. Control
D. Business

The correct answer is B.
Detection risk is directly affected by the IS auditor's selection of audit procedures and techniques. Inherent risk is not usually affected by an IS auditor. Control risk can be mitigated by the actions of the company's management

After initial investigation, an IS auditor has reasons to believe that fraud may be present. The IS auditor should:
Select an answer:
A. expand activities to determine whether an investigation is warranted.
B. report the matter to the audit committee.
C.

The correct answer is A.
An IS auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended. The IS auditor should notify the a

Which of the following components is responsible for the collection of data in an intrusion detection system (IDS)?
Select an answer:
A. Analyzer
B. Administration console
C. User interface
D. Sensor

5.2 The correct answer is D.
Sensors are responsible for collecting data. Analyzers receive input from sensors and determine intrusive activity. An administration console and a user interface are components of an IDS.

When reviewing an implementation of a Voice-over IP (VoIP) system over a corporate wide area network (WAN), an IS auditor should expect to find:
Select an answer:
A. an integrated services digital network (ISDN) data link.
B. traffic engineering.
C. wired

5.2 The correct answer is B.
To ensure that quality of service requirements are achieved, the VoIP service over the WAN should be protected from packet losses, latency or jitter. To reach this objective, the network performance can be managed using statis

Which of the following must exist to ensure the viability of a duplicate information processing facility?
Select an answer:
A. The site is near the primary site to ensure quick and efficient recovery.
B. The site contains the most advanced hardware availa

2.9 The correct answer is C.
Resource availability must be assured. The workload of the site must be monitored to ensure that availability for emergency backup use is not impaired. The site chosen should not be subject to the same natural disaster as the

When reviewing an active project, an IS auditor observed that the business case was no longer valid because of a reduction in anticipated benefits and increased costs. The IS auditor should recommend that the:
Select an answer:
A. project be discontinued.

3.3 The correct answer is B.
An IS auditor should not recommend discontinuing or completing the project before reviewing an updated business case. The IS auditor should recommend that the business case be kept current throughout the project since it is a

An IS auditor uses computer-assisted audit techniques (CAATs) to collect and analyze data. Which of the following attributes of evidence is MOST affected by the use of CAATs?
Select an answer:
A. Usefulness
B. Reliability
C. Relevance
D. Adequacy

1.2 The correct answer is B.
A. Usefulness of audit evidence pulled by CAATs is determined by the audit objective, and the use of CAATs does not have as direct of an impact on usefulness as reliability does.
B. Because the data are directly collected by t

Which of the following helps an IS auditor evaluate the quality of new software that is developed and implemented?
Select an answer:
A. The reporting of the mean time between failures over time
B. The overall mean time to repair failures
C. The first repo

3.5 The correct answer is C.
A. The mean time between failures that are repetitive includes the inefficiency in fixing the first reported failures and is a reflection on the response team or help desk team in fixing the reported issues.
B. The mean time t

Which of the following would be of MOST concern to an IS auditor performing an audit of a disaster recovery plan (DRP)?
Select an answer:
A. The DRP has not been tested.
B. New team members have not read the DRP.
C. The manager responsible for the DRP rec

2.11 The correct answer is A.
If the DRP has not been tested, it is very likely that the plan is incomplete or inadequate. This situation would be of concern to an IS auditor because the organization would have no way to accurately assess whether

The MOST effective control for reducing the risk related to phishing is:
Select an answer:
A. centralized monitoring of systems.
B. including signatures for phishing in antivirus software.
C. publishing the policy on antiphishing on the intranet.
D. secur

5.3 The correct answer is D.
Phishing is a type of email attack that attempts to convince a user that the originator is genuine, with the intention of obtaining information. Phishing is an example of a social engineering attack. Any social engine

Which of the following is the BEST control to implement in order to mitigate the risk of an insider attack?
Select an answer:
A. Ensure that a comprehensive incident response plan has been put into place.
B. Log all user activity for critical systems.
C.

5.2 The correct answer is D.
The most critical factor to consider is to limit the access granted to an individual to only what is required for his/her job duties. The other options are not as critical. Insider attacks may be initiated by employee

Which of the following is the FIRST step performed prior to creating a risk ranking for the annual internal IS audit plan?
Select an answer:
A. Prioritize the identified risk.
B. Define the audit universe.
C. Identify the critical controls.
D. Determine t

1.1 The correct answer is B.
A. Once the audit universe is defined, the auditor can prioritize risk based on its overall impact on different operational areas of the organization covered under the audit universe.
B. In a risk-based audit approach, the aud

When auditing the provisioning procedures of the identity management (IDM) system of a large organization, an IS auditor immediately finds a small number of access requests that had not been authorized by managers through the normal predefined workflow st

1.3 The correct answer is A.
The IS auditor needs to perform substantive testing and an additional analysis in order to determine why the approval and workflow processes are not working as intended. Before making any recommendation, the IS auditor should

Network Data Management Protocol (NDMP) technology should be used for backup if:
Select an answer:
A. a network attached storage (NAS) appliance is required.
B. the use of TCP/IP must be avoided.
C. file permissions that cannot be handled by legacy backup

4.10 The correct answer is A.
NDMP defines three kinds of services:
1. A data service that interfaces with the primary storage to be backed up or restored
2. A tape service that interfaces with the secondary storage (primarily a tape device)
3. A

IT management has decided to install a level 1 Redundant Array of Inexpensive Disks (RAID) system in all servers to compensate for the elimination of offsite backups. The IS auditor should recommend:
Select an answer:
A. upgrading to a level 5 RAID.
B. in

4.11 The correct answer is C.
A RAID system, at any level, will not protect against a natural disaster. The problem will not be alleviated without offsite backups, more frequent onsite backups or even setting up a cold site. Choices A, B and D do not comp

Which of the following BEST limits the impact of server failures in a distributed environment?
Select an answer:
A. Redundant pathways
B. Clustering
C. Dial backup lines
D. Standby power

4.10 The correct answer is B.
Clustering allows two or more servers to work as a unit, so that when one of them fails, the other takes over. Choices A and C are intended to minimize the impact of channel communications failures, but not a server failure.

An organization is migrating from a legacy system to an enterprise resource planning (ERP) system. While reviewing the data migration activity, the MOST important concern for the IS auditor is to determine that there is a:
Select an answer:
A. correlation

3.5 The correct answer is A.
Due to the fact that the two systems could have a different data representation, including the database schema, the IS auditor's main concern should be to verify that the interpretation of the data is the same in the new as it

During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that:
Select an answer:
A. assessment of the situation may be

2.11 The correct answer is B.
Execution of the business continuity plan would be impacted if the organization does not know when to declare a crisis. Choices A, C and D are steps that must be performed to know whether to declare a crisis. Problem

The PRIMARY control purpose of required vacations or job rotations is to:
Select an answer:
A. allow cross-training for development.
B. help preserve employee morale.
C. detect improper or illegal employee acts.
D. provide a competitive employee benefit.

2.7 The correct answer is C.
The practice of having another individual perform a job function is a control used to detect possible irregularities or fraud. While cross-training is a good practice for business continuity, it is not achieved throug

Which of the following issues should be the GREATEST concern to the IS auditor when reviewing an IT disaster recovery test?
Select an answer:
A. Due to the limited test time window, only the most essential systems were tested. The other systems were teste

4.11 The correct answer is D.
A disaster recovery test should test the plan, processes, people and IT systems. Therefore, if the plan is not used, its accuracy and adequacy cannot be verified. Disaster recovery should not rely on key staff since a disaste

During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor should:
Select an answer:
A. ask the auditee to sign a release form accepting full legal responsibility.
B. elaborate on the significance of th

1.4 The correct answer is B.
If the auditee disagrees with the impact of a finding, it is important for an IS auditor to elaborate and clarify the risk and exposures, as the auditee may not fully appreciate the magnitude of the exposure. The goal should b

The MOST effective audit practice to determine whether the operational effectiveness of controls is properly applied to transaction processing is:
Select an answer:
A. control design testing.
B. substantive testing.
C. inspection of relevant documentation

1.3 The correct answer is B.
A. Testing of control design assesses whether the control is structured to meet a specific control objective. It does not help determine whether the control is operating effectively.
B. Among other methods, such as do

An IS auditor should review the configuration of which of the following protocols to detect unauthorized mappings between the IP address and the media access control (MAC) address?
Select an answer:
A. Simple Object Access Protocol (SOAP)
B. Address Resol

5.2 The correct answer is B.
ARP provides dynamic address mapping between an IP address and hardware address. SOAP is a platform-independent XML-based protocol, enabling applications to communicate with each other over the Internet, and does not

Which of the following is the MOST important element for the successful implementation of IT governance?
Select an answer:
A. Implementing an IT scorecard
B. Identifying organizational strategies
C. Performing a risk assessment
D. Creating a formal securi

2.1 The correct answer is B.
The key objective of an IT governance program is to support the business, thus the identification of organizational strategies

Which of the following would have the HIGHEST priority in a business continuity plan (BCP)?
Select an answer:
A. Resuming critical processes
B. Recovering sensitive processes
C. Restoring the site
D. Relocating operations to an alternative site

4.11 The correct answer is A.
The resumption of critical processes has the highest priority as it enables business processes to begin immediately after the interruption and not later than the declared mean time between failure (MTBF). Recovery of

In an online transaction processing system, data integrity is maintained by ensuring that a transaction is either completed in its entirety or not at all. This principle of data integrity is known as:
Select an answer:
A. isolation.
B. consistency.
C. ato

3.4 The correct answer is C.
The principle of atomicity requires that a transaction be completed in its entirety or not at all. If an error or interruption occurs, all changes made up to that point are backed out. Consistency ensures that all int

Management considered two projections for its business continuity plan; plan A with two months to recover and plan B with eight months to recover. The recovery point objectives are the same in both plans. It is reasonable to expect that plan B projected h

4.1 The correct answer is A.
Because management considered a longer time window for recovery in plan B, downtime costs included in the plan are likely to be higher. Because the recovery time for plan B is longer, resumption and recovery costs can be expec

Which of the following recovery strategies is MOST appropriate for a business having multiple offices within a region and a limited recovery budget?
Select an answer:
A. A hot site maintained by the business
B. A commercial cold site
C. A reciprocal arran

4.3 The correct answer is C.
For a business having many offices within a region, a reciprocal arrangement among its offices would be most appropriate. Each office could be designated as a recovery site for some other office. This would be the least expens

Disabling which of the following would make wireless local area networks MORE secure against unauthorized access?
Select an answer:
A. MAC (Media Access Control) address filtering
B. WPA (Wi-Fi Protected Access Protocol)
C. LEAP (Lightweight Extensible Au

5.2 The correct answer is D.
Disabling SSID broadcasting adds security by making it more difficult for unauthorized users to find the name of the access point. Disabling MAC address filtering would reduce security. Using MAC filtering makes it more diffic

Ideally, stress testing should be carried out in a:
Select an answer:
A. test environment using test data.
B. production environment using live workloads.
C. test environment using live workloads.
D. production environment using test data.

3.4 The correct answer is C.
Stress testing is carried out to ensure a system can cope with production workloads. A test environment should always be used to avoid damaging the production environment. Hence, testing should never take place in a p

During the collection of forensic evidence, which of the following actions would MOST likely result in the destruction or corruption of evidence on a compromised system?
Select an answer:
A. Dumping the memory content to a file
B. Generating disk images o

1.3 The correct answer is C.
Rebooting the system may result in a change in the system state and the loss of files and important evidence stored in memory. The other choices are appropriate actions for preserving evidence.

Effective IT governance will ensure that the IT plan is consistent with the organization's:
Select an answer:
A. business plan.
B. audit plan.
C. security plan.
D. investment plan.

2.4 The correct answer is A.
To govern IT effectively, IT and business should be moving in the same direction, requiring that the IT plans are aligned with an organization's business plans. The audit and investment plans are not part of the IT pl

While designing the business continuity plan (BCP) for an airline reservation system, the MOST appropriate method of data transfer/backup at an offsite location would be:
Select an answer:
A. shadow file processing.
B. electronic vaulting.
C. hard-disk mi

4.10 The correct answer is A.
In shadow file processing, exact duplicates of the files are maintained at the same site or at a remote site. The two files are processed concurrently. This is used for critical data files, such as airline booking sy

An IS auditor reviewing a new outsourcing contract with a service provider would be MOST concerned if which of the following was missing?
Select an answer:
A. A clause providing a "right to audit" service provider
B. A clause defining penalty payments for

4.2 The correct answer is A.
The absence of a "right to audit" clause would potentially prevent the auditor from investigating any aspect of supplier performance moving forward, including control deficiencies, poor performance and adherence to legal requi

An IS auditor reviewing the IS security policies should verify whether information security management roles and responsibilities are communicated to which of the following?
Select an answer:
A. Functional heads
B. Organizational users
C. The IS steering

5.1 The correct answer is B.
All of the roles and responsibilities relating to IS security management should be defined. Documented responsibilities and accountabilities must be established and communicated to all enterprise users. The responsibilities ma

A decision support system (DSS):
Select an answer:
A. is aimed at solving highly structured problems.
B. combines the use of models with nontraditional data access and retrieval functions.
C. emphasizes flexibility in the decision making approach of users

3.4 The correct answer is C.
DSS emphasizes flexibility in the decision making approach of users. It is aimed at solving less structured problems, combines the use of models and analytic techniques with traditional data access and retrieval functions, and

An IS auditor is validating a control that involves a review of system-generated exception reports. Which of the following is the BEST evidence of the effectiveness of the control?
Select an answer:
A. Walk-through with the reviewer of the operation of th

1.3 The correct answer is C.
Choice C represents the best possible evidence of the effective operation of the control because the reviewer has documented the actions to be taken based on the review of the exception report. A walk-through will hig

Which of the following should be a MAJOR concern for an IS auditor reviewing a business continuity plan (BCP)?
Select an answer:
A. The plan is approved by the chief information officer (CIO).
B. The plan contact lists have not been updated.
C. Test resul

2.11 The correct answer is C.
A. Ideally, the board of directors should approve the plan to ensure acceptability, but it is possible to delegate approval authority to the CIO. Pragmatically, lack of documenting test results could have more signif

A hard disk containing confidential data was damaged beyond repair. What should be done to the hard disk to prevent access to the data residing on it?
Select an answer:
A. Rewrite the hard disk with random 0s and 1s.
B. Low-level format the hard disk.
C.

5.5 The correct answer is D.
Physically destroying the hard disk is the most economical and practical way to ensure that the data cannot be recovered. Rewriting data and low-level formatting are impractical, because the hard disk is damaged. Demagnetizing

An IS auditor is planning to evaluate the control design effectiveness related to an automated billing process. Which of the following is the MOST effective approach for the auditor to adopt?
Select an answer:
A. Process narrative
B. Inquiry
C. Reperforma

1.3 The correct answer is D.
A. Process narratives may not be current or complete and may not reflect the actual process in operation.
B. Inquiry can be used to understand the controls in a process only if it is accompanied by verification of evidence.
C.

Which of the following controls helps prevent duplication of vouchers during data entry?
Select an answer:
A. A range check
B. Transposition and substitution
C. A sequence check
D. A cyclic redundancy check (CRC)

3.4 The correct answer is C.
A sequence check involves increasing the order of numbering and would validate whether the vouchers are in sequence and, thus, prevent duplicate vouchers. A range check works over a range of numbers. Even if the same

During a human resources (HR) audit, an IS auditor is informed that there is a verbal agreement between the IT and HR departments as to the level of IT services expected. In this situation, what should the IS auditor do FIRST?
Select an answer:
A. Postpon

4.2 The correct answer is C.
An IS auditor should first confirm and understand the current practice before making any recommendations. The agreement can be documented after it has been established that there is an agreement in place. The fact that there i

An enterprise is developing a new procurement system, and things are behind schedule. As a result, it is proposed that the time originally planned for the testing phase be shortened. The project manager asks the IS auditor for recommendations to mitigate

3.4 The correct answer is A.
Choice A reduces risk in a number of ways. Reduced functionality should result in fewer overall test cases to run and defects to fix and retest, and in less regression testing. A pilot release made available to a select group

Which of the following would normally be the MOST reliable evidence for an IS auditor?
Select an answer:
A. A confirmation letter received from a third party verifying an account balance
B. Assurance from line management that an application is working as

1.3 The correct answer is A.
Evidence obtained from independent third parties almost always is considered to be the most reliable. Choices B, C and D would not be considered as reliable as choice A.

An information security policy stating that "the display of passwords must be masked or suppressed" addresses which of the following attack methods?
Select an answer:
A. Piggybacking
B. Dumpster diving
C. Shoulder surfing
D. Impersonation

5.1 The correct answer is C.
If a password is displayed on a monitor, any person nearby could look over the shoulder of the user to obtain the password. Piggybacking refers to unauthorized persons following, either physically or virtually, author

The MOST important difference between hashing and encryption is that hashing:
Select an answer:
A. is irreversible.
B. output is the same length as the original message.
C. is concerned with integrity and security.
D. is the same at the sending and receiv

5.2 The correct answer is A.
Hashing works one way; by applying a hashing algorithm to a message, a message hash/digest is created. If the same hashing algorithm is applied to the message digest, it will not result in the original message. As suc

The BEST way to minimize the risk of communication failures in an e-commerce environment would be to use:
Select an answer:
A. compression software to minimize transmission duration.
B. functional or message acknowledgments.
C. a packet-filtering firewall

5.2 The correct answer is D.
Leased asynchronous transfer mode lines are a way to avoid using public and shared infrastructures from the carrier or Internet service provider that have a greater number of communication failures. Choice A, compression softw

Which of the following sampling methods would be the MOST effective to determine whether purchase orders issued to vendors have been authorized as per the authorization matrix?
Select an answer:
A. Variable sampling
B. Stratified mean per unit
C. Attribut

1.3 The correct answer is C.
Attribute sampling is the method used for compliance testing. In this scenario, the operation of control is being evaluated, and therefore attribute sampling should be used to determine whether the purchase orders have been ap

Distributed denial-of-service (DDoS) attacks on Internet sites are typically evoked by hackers using which of the following?
Select an answer:
A. Logic bombs
B. Phishing
C. Spyware
D. Trojan horses

5.2 The correct answer is D.
Trojan horses are malicious or damaging code hidden within an authorized computer program. Hackers use Trojans to mastermind DDoS attacks that affect computers that access the same Internet site at the same moment, resulting i

The BEST audit procedure to determine if unauthorized changes have been made to production code is to:
Select an answer:
A. examine the change control system records and trace them forward to object code files.
B. review access control permissions operati

4.9 The correct answer is C.
The procedure of examining object code files to establish instances of code changes and tracing these back to change control system records is a substantive test that directly addresses the risk of unauthorized code c

To support an organization's goals, an IS department should have:
Select an answer:
A. a low-cost philosophy.
B. long- and short-range plans.
C. leading-edge technology.
D. plans to acquire new hardware and software.

2.3 The correct answer is B.
To ensure its contribution to the realization of an organization's overall goals, the IS department should have long- and short-range plans that are consistent with the organization's broader plans for attaining its g

Which of the following is MOST important to ensure business continuity?
Select an answer:
A. Current contact information for key employees
B. Backup data
C. Access to funds for short-term needs
D. Alternate processing site

4.11 The correct answer is B.
Data are the most important of all options listed, and without data, a business cannot recover. Contact details are important as a first step, but cannot ensure business continuity. Access to funds for short-term needs is imp

The PRIMARY benefit of implementing a security program as part of a security governance framework is the:
Select an answer:
A. alignment of the IT activities with IS audit recommendations.
B. enforcement of the management of security risk.
C. implementati

2.9 The correct answer is B.
The major benefit of implementing a security program is management's assessment of risk and its mitigation to an appropriate level of risk, and the monitoring of the remaining residual risk. Recommendations, visions and object

An IS auditor examining the security configuration of an operating system should review the:
Select an answer:
A. transaction logs.
B. authorization tables.
C. parameter settings.
D. routing tables.

4.8 The correct answer is C.
Parameters allow a standard piece of software to be customized for diverse environments and are important in determining how a system runs. The parameter settings should be appropriate to an organization's workload and control

Which of the following is a passive attack to a network?
Select an answer:
A. Message modification
B. Masquerading
C. Denial of service
D. Traffic analysis

5.2 The correct answer is D.
The intruder determines the nature of the flow of traffic (traffic analysis) between defined hosts and is able to guess the type of communication taking place. Message modification involves the capturing of a message

A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it:
Select an answer:
A. can identify high-risk areas that might need a detailed review later.
B. allows IS auditors to independently assess risk.
C.

1.1 The correct answer is A.
CSA is predicated on the review of high-risk areas that either need immediate attention or a more thorough review at a later date. Choice B is incorrect, because CSA requires the involvement of IS auditors and line ma

Which of the following is MOST critical when creating data for testing the logic in a new or modified application system?
Select an answer:
A. A sufficient quantity of data for each test case

B. Data representing conditions that are expected in actual pro

3.4 You are correct, the answer is B.
Selecting the right kind of data is key in testing a computer system. The data should not only include valid and invalid data but should be representative of actual processing; quality is more important than quantity.

An offsite information processing facility with electrical wiring, air conditioning and flooring, but no computer or communications equipment, is a:
Select an answer:
A. cold site.
B. warm site.
C. dial-up site.

D. duplicate processing facility.

4.10 You answered D. The correct answer is A.
A cold site is ready to receive equipment but does not offer any components at the site in advance of the need. A warm site is an offsite backup facility that is partially configured with network connections a

Neural networks are effective in detecting fraud because they can:
Select an answer:
A. discover new trends since they are inherently linear.
B. solve problems where large and general sets of training data are not obtainable.

C. attack problems that requi

5.2 You are correct, the answer is C.
Neural networks can be used to attack problems that require consideration of numerous input variables. They are capable of capturing relationships and patterns often missed by other statistical methods, but they will

An IS auditor is reviewing the software development process for an organization. Which of the following functions would be appropriate for the end users to perform?
Select an answer:
A. Program output testing
B. System configuration

C. Program logic speci

3.5 You are correct, the answer is A.
A user can test program output by checking the program input and comparing it with the system output. This task, although usually done by the programmer, can also be done effectively by the user. System configuration

An IS auditor reviewing an organization's IT strategic plan should FIRST review:
Select an answer:
A. the existing IT environment.
B. the business plan.
C. the present IT budget.

D. current technology trends.

2.3 The correct answer is B.
The IT strategic plan exists to support the organization's business plan. To evaluate the IT strategic plan, an IS auditor would first need to familiarize themselves with the business plan.

The development of an application has been outsourced to an offshore vendor. Which of the following should be of GREATEST concern to an IS auditor?
Select an answer:
A. The right to audit clause was not included in the contract.

B. The business case was n

2.8 The correct answer is B.
Because the business case was not established, it is likely that the business rationale, risk and risk mitigation strategies for outsourcing the application development were not fully evaluated and formally approved by senior

An organization has requested that an IS auditor provide a recommendation to enhance the security and reliability of its voice-over IP (VoIP) system and data traffic. Which of the following would meet this objective?Select an answer:

A. VoIP infrastructu

5.2 You are correct, the answer is A.
Segregating the VoIP traffic using VLANs would best protect the VoIP infrastructure from network-based attacks, potential eavesdropping and network traffic issues (which would help to ensure uptime). Choice B is not c

To verify that the correct version of a data file was used for a production run, an IS auditor should review:
Select an answer:
A. operator problem reports.
B. operator work schedules.
C. system logs.

D. output distribution reports.

4.4 You are correct, the answer is C.
System logs are automated reports which identify most of the activities performed on the computer. Programs that analyze the system log have been developed to report on specifically defined items. The auditor can then

The knowledge base of an expert system that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as:
Select an answer:
A. rules.
B. decision trees.
C. semantic nets.

D. dataflow diagrams.

3.5 The correct answer is B.
Decision trees use questionnaires to lead a user through a series of choices until a conclusion is reached. Rules refer to the expression of declarative knowledge through the use of if-then relationships. Semantic nets consist

Which of the following is a prevalent risk in the development of end-user computing (EUC) applications?
Select an answer:
A. Applications may not be subject to testing and IT general controls.
B. Development and maintenance costs may be increased.

C. Appl

3.4 The correct answer is A.
End-user computing is defined as the ability of end users to design and implement their own information system utilizing computer software products. End-user developed applications may not be subjected to an independent outsid

Which of the following would BEST provide assurance of the integrity of new staff?
Select an answer:
A. Background screening
B. References
C. Bonding

D. Qualifications listed on a résumé

2.2 You are correct, the answer is A.
A background screening is the primary method for assuring the integrity of a prospective staff member. References are important and would need to be verified, but they are not as reliable as background screening. Bond

Which of the following is MOST indicative of the effectiveness of an information security awareness program?
Select an answer:
A. Employees report more information regarding security incidents.

B. All employees have signed the information security policy.

2.6 You are correct, the answer is A.
Although the promotion of security awareness is a preventive control, it can also be a detective measure because it encourages people to identify and report possible security violations. Choice A is the correct answer

Overall business risk for a particular threat can be expressed as:
Select an answer:
A. a product of the likelihood and magnitude of the impact should a threat successfully exploit a vulnerability.

B. the magnitude of the impact should a threat source suc

2.9 You are correct, the answer is A.
Choice A takes into consideration the likelihood and magnitude of the impact and provides the best measure of the risk to an asset. Choice B provides only the likelihood of a threat exploiting a vulnerability in the a

During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor should:
Select an answer:
A. ask the auditee to sign a release form accepting full legal responsibility.

B. elaborate on the significance of th

You answered C. The correct answer is B.
If the auditee disagrees with the impact of a finding, it is important for an IS auditor to elaborate and clarify the risk and exposures, as the auditee may not fully appreciate the magnitude of the exposure. The g

Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit?
Select an answer:
A. Contingency planning
B. IS management resource allocation
C. Project management

D. Knowledge of inte

1.3 You answered D. The correct answer is C.
A. Contingency planning is often associated with the organization's operations. IS auditors should have knowledge of contingency planning techniques.

B. IS managers are responsible for resource management of th

From a control perspective, the PRIMARY objective of classifying information assets is to:
Select an answer:
A. establish guidelines for the level of access controls that should be assigned.

B. ensure access controls are assigned to all information assets

5.3 You answered D. The correct answer is A.
Information has varying degrees of sensitivity and criticality in meeting business objectives. By assigning classes or levels of sensitivity and criticality to information resources, management can establish gu

An IS auditor suspects an incident (attack) is occurring while an audit is being performed on a financial system. What should the IS auditor do FIRST?
Select an answer:
A. Request that the system be shut down to preserve evidence.

B. Report the incident t

1.4 You are correct, the answer is B.
Reporting the suspected incident to management will help initiate the incident response process, which is the most appropriate action. Management is responsible for making decisions regarding the appropriate response.

During the development of an application, quality assurance testing and user acceptance testing were combined. The MAJOR concern for an IS auditor reviewing the project is that there will be:
Select an answer:
A. increased maintenance.

B. improper documen

3.4 You are correct, the answer is C.
The major risk of combining quality assurance testing and user acceptance testing is that functional testing may be inadequate. Choices A, B and D are not as important.

When planning an audit of a network setup, an IS auditor should give HIGHEST priority to obtaining which of the following network documentation?
Select an answer:
A. Wiring and schematic diagram
B. Users' lists and responsibilities

C. Application lists an

5.2 You are correct, the answer is A.
The wiring and schematic diagram of the network is necessary to carry out a network audit. A network audit may not be feasible if a network wiring and schematic diagram is not available. All other documents are import

An IS auditor has been assigned to conduct a test that compares job run logs to computer job schedules. Which of the following observations would be of the GREATEST concern to the IS auditor?Select an answer:

A. There are a growing number of emergency ch

1.3 You answered A. The correct answer is C.
The overriding of computer processing jobs by computer operators could lead to unauthorized changes to data or programs. This is a control concern; thus, it is always critical. The other options are not as crit

General ledger (GL) data are required for an audit. Instead of asking IT to extract the data, the IS auditor is granted direct access to the data. What is the MAIN advantage of this approach?Select an answer:

A. Reduction of IT person-hours to support th

1.3 You answered B. The correct answer is D.
A. While the burden on IT staff to support the audit may decrease if the IS auditor directly extracts the data, this advantage is not as significant as the increased data validity.

B. The risk of errors would

Which of the following reports should an IS auditor use to check compliance with a service level agreement's (SLA) requirement for uptime?
Select an answer:
A. Utilization reports
B. Hardware error reports
C. System logs

D. Availability reports

4.1 You answered C. The correct answer is D.
IS inactivity, such as downtime, is addressed by availability reports. These reports provide the time periods during which the computer was available for utilization by users or other processes. Utilization rep

5.2 You are correct, the answer is D.
Sensors are responsible for collecting data. Analyzers receive input from sensors and determine intrusive activity. An administration console and a user interface are components of an IDS.

Depending on the complexity of an organization's business continuity plan (BCP), the plan may be developed as a set of more than one plan to address various aspects of business continuity and disaster recovery. In such an environment, it is essential that

2.11 You are correct, the answer is A.
Depending on the complexity of an organization, there could be more than one plan to address various aspects of business continuity and disaster recovery. These do not necessarily have to be integrated into one singl

Management observed that the initial phase of a multiphase implementation was behind schedule and over budget. Prior to commencing with the next phase, an IS auditor's PRIMARY suggestion for a postimplementation focus should be to:
A. assess whether the p

3.6 You answered D. The correct answer is C.
Since management is aware that the project had problems, reviewing the subsequent fixes will provide insight into the types and potential causes of the project issues. This will help to identify whether IT has

Which of the following types of risk is MOST likely encountered in a Software as a Service (SaaS) environment?
Select an answer:
A. Noncompliance with software license agreements
B. Performance issues due to Internet delivery method

C. Higher cost due to

You are correct, the answer is B.
The risk that could be most likely encountered in an SaaS environment is speed and availability issues, due to the fact that SaaS relies on the Internet for connectivity. SaaS is provisioned on a usage basis, not a licens

Many organizations require employees to take a mandatory one-week (or two-week) vacation each year PRIMARILY because the organization wants to ensure that:
Select an answer:
A. adequate cross-training exists between all functions of the organization.

B. e

You are correct, the answer is C.
Employees who perform critical and sensitive functions within an organization should be required to take some time off in order to help ensure that irregularities and fraud are detected. Cross-training is a good practice

An IS auditor is reviewing a software-based firewall configuration. Which of the following represents the GREATEST vulnerability? The firewall software:
Select an answer:
A. is configured with an implicit deny rule as the last rule in the rule base.

B. is

You answered C. The correct answer is B.
Default settings are often published and provide an intruder with predictable configuration information, which allows easier system compromise. To mitigate this risk, firewall software should be installed on a syst

Which of the following physical access controls effectively reduces the risk of piggybacking?
Select an answer:
A. Biometric door locks
B. Combination door locks
C. Deadman doors

D. Bolting door locks

You answered A. The correct answer is C.
Deadman doors use a pair of doors. For the second door to operate, the first entry door must close and lock with only one person permitted in the holding area. This effectively reduces the risk of piggybacking. An

An organization has implemented a disaster recovery plan. Which of the following steps should be carried out next?
Select an answer:
A. Obtain senior management sponsorship.
B. Identify business needs.
C. Conduct a paper test.

D. Perform a system restore

You answered D. The correct answer is C.
A best practice would be to conduct a paper test. Senior management sponsorship and business needs identification should have been obtained prior to implementing the plan. A paper test should be conducted first, fo

Which of the following public key infrastructure (PKI) elements provides detailed descriptions for dealing with a compromised private key?
Select an answer:
A. Certificate revocation list (CRL)
B. Certification practice statement (CPS)

C. Certificate poli

You answered A. The correct answer is B.
The CPS is the how-to part in policy-based PKI. The CRL is a list of certificates that have been revoked before their scheduled expiration date. The CP sets the requirements that are subsequently implemented by the

The PRIMARY advantage of a continuous audit approach is that it:
Select an answer:
A. does not require an IS auditor to collect evidence on system reliability while processing is taking place.

B. requires the IS auditor to review and follow up immediately

You answered D. The correct answer is C.
The use of continuous auditing techniques can improve system security when used in time-sharing environments that process a large number of transactions, but leave a scarce paper trail. Choice A is incorrect since

An IS auditor is evaluating data mining and auditing software to be used in future IS audits. What is the PRIMARY requirement that the software tool should meet? The software tool should:Select an answer:

A. interface with various types of enterprise res

You are correct, the answer is B.
While all of the options above are desirable in a software tool evaluated for auditing and data mining purposes, the most critical requirement is that the tool does not compromise data integrity or make changes to the sys

Which testing approach is MOST appropriate to ensure that internal application interface errors are identified as soon as possible?
Select an answer:
A. Bottom up
B. Sociability testing
C. Top-down

D. System test

You answered B. The correct answer is C.
The top-down approach to testing ensures that interface errors are detected early and that testing of major functions is conducted early. A bottom-up approach to testing begins with atomic units, such as programs a

When evaluating the collective effect of preventive, detective and corrective controls within a process, an IS auditor should be aware of which of the following?Select an answer:

A. The point at which controls are exercised as data flow through the syste

You answered C. The correct answer is A.
An IS auditor should focus on when controls are exercised as data flow through a computer system. Choice B is incorrect since corrective controls may also be relevant. Choice C is incorrect because corrective contr

After a disaster declaration, the media creation date at a warm recovery site is based on the:
Select an answer:
A. recovery point objective (RPO).
B. recovery time objective (RTO).
C. service delivery objective (SDO).

D. maximum tolerable outage (MTO).

You are correct, the answer is A.
A. The RPO is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissi

IS management recently replaced its existing wired local area network (LAN) with a wireless infrastructure to accommodate the increased use of mobile devices within the organization. This will increase the risk of which of the following attacks?
Select an

You are correct, the answer is D.
A war driving attack uses a wireless Ethernet card, set in promiscuous mode, and a powerful antenna to penetrate wireless systems from outside. Port scanning will often target the external firewall of the organization. A

An IS auditor is involved in the reengineering process that aims to optimize IT infrastructure. Which of the following will BEST identify the issues to be resolved?
Select an answer:
A. Self-assessment
B. Reverse engineering
C. Prototyping

D. Gap analysis

You answered A. The correct answer is D.
Gap analysis would be the best method to identify issues that need to be addressed in the reengineering process. Gap analysis indicates which parts of current processes conform to best practices and which do not. S

Event log entries related to failed local administrator logon attempts are observed by the IS auditor. Which of the following is the MOST likely cause of multiple failed login attempts?
Select an answer:
A. SYN flood attacks
B. Social engineering

C. Buffe

You are correct, the answer is D.
Malicious code and Trojans commonly attempt to log on to administrator accounts. A SYN attack is a denial-of-service (DoS) attack on a particular network service and does not log on to administrator accounts. Social engin
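The answer above attributes a run of failed administrator logons to automated code rather than a person. The following is an added example, not part of the original question bank, that shows how a reviewer would tell the two apart in the event log: a human mistyping a password leaves a couple of failures minutes apart, while guessing code produces dozens within seconds. The log format and the sample lines are constructed (assumption: a simplified Windows-style line where event 4625 is a failed logon and 4624 a success); the parser and the sliding-window count are the author's illustration, not any product's logic.

```python
"""Distinguishing a logon-guessing burst from a mistyped password in event logs.

Added example, not from the original question bank. The log lines are
constructed in a simplified Windows-like format (assumption): event 4625 is a
failed logon, 4624 a successful one.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) EventID=(?P<eid>\d+) "
    r"TargetUser=(?P<user>\S+) Source=(?P<src>\S+)"
)

# Constructed sample: one human typo for jsmith (failure, then success 15 s later),
# then 20 failures in 20 seconds against Administrator from a single host, as
# automated guessing would produce.
SAMPLE_LOG: List[str] = (
    ["2024-05-02 08:58:10 EventID=4625 TargetUser=jsmith Source=10.0.0.5",
     "2024-05-02 08:58:25 EventID=4624 TargetUser=jsmith Source=10.0.0.5"]
    + [f"2024-05-02 09:10:{s:02d} EventID=4625 TargetUser=Administrator Source=10.0.0.66"
       for s in range(20)]
    + ["2024-05-02 09:15:00 EventID=4624 TargetUser=svc_backup Source=10.0.0.9"]
)

Event = Tuple[datetime, int, str, str]   # (timestamp, event id, target user, source host)


def parse(lines: List[str]) -> List[Event]:
    """Parse the constructed log format; lines that do not match are skipped."""
    events: List[Event] = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           int(m["eid"]), m["user"], m["src"]))
    return events


def failure_bursts(lines: List[str], window: timedelta = timedelta(seconds=60),
                   threshold: int = 5) -> Dict[Tuple[str, str], int]:
    """Map (user, source) -> peak number of failed logons inside any `window`,
    reporting only pairs whose peak reaches `threshold`. A person mistyping a
    password produces a handful of failures spread over minutes; malicious code
    hammering the administrator account produces dozens in seconds."""
    per_key: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, eid, user, src in sorted(parse(lines)):
        if eid == 4625:
            per_key[(user, src)].append(ts)
    flagged: Dict[Tuple[str, str], int] = {}
    for key, stamps in per_key.items():
        start, peak = 0, 0
        for i, ts in enumerate(stamps):          # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


if __name__ == "__main__":
    for (user, src), n in failure_bursts(SAMPLE_LOG).items():
        print(f"{n} failed logons for {user} from {src} within 60 s: likely automated")
```

With the sample above only the Administrator/10.0.0.66 pair crosses the threshold; jsmith's single failure followed by a success is the pattern of a typo and is not reported. The threshold and window are tuning choices for the environment, not fixed values.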

A hot site should be implemented as a recovery strategy when the:
Select an answer:
A. disaster tolerance is low.
B. recovery point objective (RPO) is high.
C. recovery time objective (RTO) is high.

D. disaster tolerance is high.

You are correct, the answer is A.
Disaster tolerance is the time gap during which the business can accept nonavailability of IT facilities. If this time gap is low, recovery strategies that can be implemented within a short period of time, such as a hot s

It is MOST appropriate to implement an incremental backup scheme when:
Select an answer:
A. there is limited recovery time for critical data.
B. online disk-based media are preferred.
C. there is limited media capacity.

D. a random selection of backup set

You are correct, the answer is C.
A. A full backup or differential backup is preferred in this situation.
B. Incremental backup could be used irrespective of the media adopted.

C. In an incremental backup, after the full backup, only the files that have c
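The trade-off behind this answer (incremental backups save media but lengthen the restore) is easy to see by simulating the three schemes over a few days of file changes. The following is an added example, not code from the original question bank; the change history is constructed, and the functions are the author's model of which files each scheme copies and which backup sets a restore must replay.

```python
"""Full vs. differential vs. incremental backup, simulated.

Added example, not part of the original question bank. It models which files
each scheme copies on successive days and which backup sets a restore must read,
using a constructed change history.
"""
from typing import Dict, List, Set

# Constructed change history (assumption). Day 0 is the baseline: every file
# exists. Each later day lists the files modified since the previous day.
DAILY_CHANGES: List[Set[str]] = [
    {"a.db", "b.doc", "c.xls", "d.txt"},  # day 0: baseline full backup
    {"a.db"},                             # day 1
    {"a.db", "b.doc"},                    # day 2
    {"c.xls"},                            # day 3
]


def _last_change(changes: List[Set[str]], name: str, day: int) -> int:
    """Day on which `name` was last written, as of `day` (its current version)."""
    return max(d for d in range(day + 1) if name in changes[d])


def backup_set(scheme: str, changes: List[Set[str]], day: int) -> Dict[str, int]:
    """Files captured by the day-`day` backup under `scheme`, mapped to the
    version (last-change day) each copy holds."""
    if scheme == "full" or day == 0:
        files = set().union(*changes[: day + 1])       # everything, every time
    elif scheme == "differential":
        files = set().union(*changes[1 : day + 1])     # changed since the last full
    elif scheme == "incremental":
        files = set(changes[day])                      # changed since the last backup
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return {name: _last_change(changes, name, day) for name in files}


def media_used(scheme: str, changes: List[Set[str]]) -> int:
    """Total file copies written over the cycle (a proxy for media capacity)."""
    return sum(len(backup_set(scheme, changes, d)) for d in range(len(changes)))


def restore_chain(scheme: str, day: int) -> List[int]:
    """Backup sets that must be read, in order, to recover the state of `day`."""
    if scheme == "full":
        return [day]
    if scheme == "differential":
        return [0] if day == 0 else [0, day]
    if scheme == "incremental":
        return list(range(day + 1))                    # full plus every incremental since
    raise ValueError(f"unknown scheme {scheme!r}")


def restore(scheme: str, changes: List[Set[str]], day: int) -> Dict[str, int]:
    """Replay the restore chain; later sets overwrite earlier copies of a file."""
    state: Dict[str, int] = {}
    for d in restore_chain(scheme, day):
        state.update(backup_set(scheme, changes, d))
    return state


def expected_state(changes: List[Set[str]], day: int) -> Dict[str, int]:
    """Ground truth: every file at the version it had on `day`."""
    files = set().union(*changes[: day + 1])
    return {name: _last_change(changes, name, day) for name in files}


if __name__ == "__main__":
    last = len(DAILY_CHANGES) - 1
    for scheme in ("full", "differential", "incremental"):
        print(f"{scheme:12s} copies written={media_used(scheme, DAILY_CHANGES):2d} "
              f"restore chain for day {last}: {restore_chain(scheme, last)}")
        assert restore(scheme, DAILY_CHANGES, last) == expected_state(DAILY_CHANGES, last)
```

On the constructed history the incremental scheme writes 8 file copies against 10 for differential and 16 for full, but restoring day 3 needs all four incremental sets in order, where a differential restore needs two and a full restore one. Losing or corrupting any one set in the incremental chain breaks every restore point after it, which is why option A (limited recovery time) points to full or differential instead.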

Which of the following systems or tools can recognize that a credit card transaction is more likely to have resulted from a stolen credit card than from the holder of the credit card?
Select an answer:
A. Intrusion detection systems

B. Data mining techniq

You are correct, the answer is B.
Data mining is a technique used to detect trends or patterns of transactions or data. If the historical pattern of charges against a credit card account is changed, then it is a flag that the transaction may have resulted
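A minimal version of the pattern check the answer describes, as an added example that is not part of the original question bank: build a per-card profile from the cardholder's history and report the ways a new transaction departs from it. The history, the card number and the thresholds are constructed, and the three-factor profile (amount, country, hour) is a deliberately simple stand-in for a real data-mining model.

```python
"""Flagging a card transaction that breaks the cardholder's historical pattern.

Added example, not from the original question bank. The history is constructed
(assumption) and the "mining" is deliberately simple: a per-card profile of
amount, country and time of day, compared against each new transaction.
"""
import statistics
from typing import Dict, List, Tuple

Txn = Tuple[str, float, str, int]     # (card, amount, country, hour of day)

# Constructed history for one card: modest US purchases during the day/evening.
HISTORY: List[Txn] = [
    ("4111", 42.0, "US", 12), ("4111", 55.0, "US", 18), ("4111", 38.0, "US", 9),
    ("4111", 61.0, "US", 20), ("4111", 47.0, "US", 14), ("4111", 52.0, "US", 11),
    ("4111", 35.0, "US", 16), ("4111", 66.0, "US", 19),
]


def profile(history: List[Txn], card: str) -> Dict:
    """Summarise what is normal for `card`: spend distribution, countries, hours."""
    rows = [t for t in history if t[0] == card]
    if len(rows) < 2:
        raise ValueError("not enough history to profile this card")
    amounts = [t[1] for t in rows]
    return {
        "mean": statistics.mean(amounts),
        "stdev": statistics.pstdev(amounts) or 1.0,   # guard against a flat history
        "countries": {t[2] for t in rows},
        "hours": {t[3] for t in rows},
    }


def anomaly_reasons(history: List[Txn], txn: Txn, z_limit: float = 3.0) -> List[str]:
    """Return the ways `txn` departs from the card's profile (empty = looks normal)."""
    card, amount, country, hour = txn
    p = profile(history, card)
    reasons: List[str] = []
    z = (amount - p["mean"]) / p["stdev"]
    if z > z_limit:
        reasons.append(f"amount {amount:.2f} is {z:.1f} standard deviations above usual spend")
    if country not in p["countries"]:
        reasons.append(f"first purchase from {country}")
    if not any(abs(hour - h) <= 2 for h in p["hours"]):
        reasons.append(f"unusual hour {hour:02d}:00")
    return reasons


if __name__ == "__main__":
    for txn in [("4111", 48.0, "US", 13), ("4111", 1850.0, "RO", 3)]:
        print(txn, "->", anomaly_reasons(HISTORY, txn) or "consistent with history")
```

A large purchase abroad at 03:00 trips all three checks while a typical daytime purchase trips none. A production model would weight and combine many more features, but the principle is the one in the answer: the flag comes from deviation from the card's own history, not from a fixed rule about the transaction in isolation.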

While reviewing the IT infrastructure, an IS auditor notices that storage resources are continuously being added. The IS auditor should:
Select an answer:
A. recommend the use of disk mirroring.
B. review the adequacy of offsite storage.

C. review the cap

You are correct, the answer is C.
Capacity management is the planning and monitoring of computer resources to ensure that available IT resources are used efficiently and effectively. Business criticality must be considered before recommending a disk mirro

Which of the following is the BEST factor for determining the extent of data collection during the planning phase of an IS compliance audit?
Select an answer:
A. Complexity of the organization's operation
B. Findings and issues noted from the prior year

C

You are correct, the answer is C.
The extent to which data will be collected during an IS audit is related directly to the purpose, objective and scope of the audit. An audit with a narrow purpose and limited objective and scope is most likely to result i

Which of the following is the GREATEST risk when storage growth in a critical file server is not managed properly?
Select an answer:
A. Backup time would steadily increase.
B. Backup operational costs would significantly increase.

C. Storage operational c

You answered B. The correct answer is D.
In case of a crash, recovering a server with an extensive amount of data could require a significant amount of time. If the recovery cannot meet the RTO, there will be a discrepancy in IT strategies. It's important

During external audit, an IS auditor discovers that systems that are in the scope of the audit were implemented by an associate. In such a circumstance, IS audit management should:
Select an answer:
A. remove the IS auditor from the engagement.

B. cancel

1.3 You are correct, the answer is C.
A. It is not necessary to withdraw the IS auditor unless there is a statutory limitation, as exists in certain countries.
B. Canceling the engagement is not called for.

C. In circumstances in which the IS auditor's in

To aid management in achieving IT and business alignment, an IS auditor should recommend the use of:
Select an answer:
A. control self-assessments.
B. a business impact analysis (BIA).
C. an IT balanced scorecard (BSC).

D. business process reengineering (

2.3 You answered B. The correct answer is C.
An IT BSC provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the abil

When reviewing the configuration of network devices, an IS auditor should FIRST identify:
Select an answer:
A. the best practices for the type of network devices deployed.
B. whether components of the network are missing.

C. the importance of the network

4.1 You are correct, the answer is C.
The first step is to understand the importance and role of the network device within the organization's network topology. After understanding the devices in the network, the best practice for using the device should b

When using public key encryption to secure data being transmitted across a network:
Select an answer:
A. both the key used to encrypt and decrypt the data are public.
B. the key used to encrypt is private, but the key used to decrypt the data is public.

C

5.2 You are correct, the answer is C.
Public key encryption, also known as asymmetric key cryptography, uses a public key to encrypt the message and a private key to decrypt it.

The risk of dumpster diving is BEST mitigated by:
Select an answer:
A. implementing security awareness training.
B. placing shred bins in copy rooms.
C. developing a media disposal policy.

D. placing shredders in individual offices.

5.5 You answered B. The correct answer is A.
A. Dumpster diving is used to steal documents or computer media that were not properly discarded. Users should be educated to know the risk of carelessly discarding sensitive documents and other items.

B. The s

An IS auditor reviewing an accounts payable system discovers that audit logs are not being reviewed. When this issue is raised with management the response is that additional controls are not necessary because effective system access controls are in place

5.2 You are correct, the answer is C.
Experience has demonstrated that reliance purely on preventative controls is dangerous. Preventative controls may not prove to be as strong as anticipated or their effectiveness can deteriorate over time. Evaluating t

An IS auditor finds that a system under development has 12 linked modules and each item of data can carry up to 10 definable attribute fields. The system handles several million transactions a year. Which of these techniques could an IS auditor use to est

3.2 You answered A. The correct answer is B.
A. PERT is a project management technique used in the planning and control of system projects.

B. FPA is a technique used to determine the size of a development task based on the number of function points. Func

A start-up company has a policy that requires strong encryption of all tape backups. As the volume of data has grown, the time necessary to back up all data has become operationally unacceptable. Which of the following is the BEST recommendation to fix th

5.5 You are correct, the answer is B.
A. While running backups without encryption would solve the performance issue, this does not meet security requirements.

B. The primary benefit of performing data classification is so that the appropriate security con

The ultimate purpose of IT governance is to:
Select an answer:
A. encourage optimal use of IT.
B. reduce IT costs.
C. decentralize IT resources across the organization.

D. centralize control of IT.

2.1 You are correct, the answer is A.
IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise. Reducing IT costs may not be the best IT governance out

During which phase of software application testing should an organization perform the testing of architectural design?
Select an answer:
A. Acceptance testing
B. System testing
C. Integration testing

D. Unit testing

3.5 You answered B. The correct answer is C.
Integration testing evaluates the connection of two or more components that pass information from one area to another. The objective is to utilize unit-tested modules, thus building an integrated structure acco

An IS auditor finds that, in accordance with IS policy, IDs of terminated users are deactivated within 90 days of termination. The IS auditor should:Select an answer:

A. report that the control is operating effectively since deactivation happens within t

2.2 You are correct, the answer is C.
Although a policy provides a reference for performing IS audit assignments, an IS auditor needs to review the adequacy and the appropriateness of the policy. If, in the opinion of the IS auditor, the time frame define

During the audit of an acquired software package, an IS auditor finds that the software purchase was based on information obtained through the Internet, rather than from responses to a request for proposal (RFP). The IS auditor should FIRST:
Select an ans

3.4 You are correct, the answer is D.
In the case of a deviation from the predefined procedures, an IS auditor should first ensure that the procedure followed for acquiring the software is consistent with the business objectives and has been approved by t

In the 2c area of the diagram, there are three hubs connected to each other. What potential risk might this indicate?
[diagram]
Select an answer:
A. Virus attack
B. Performance degradation
C. Poor management controls

D. Vulnerability to external hackers

5.4 You are correct, the answer is B.
Hubs are internal devices that usually have no direct external connectivity, and thus are not prone to hackers. There are no known viruses that are specific to hub attacks. While this situation may be an indicator of

When reviewing an organization's logical access security, which of the following should be of MOST concern to an IS auditor?
Select an answer:
A. Passwords are not shared.
B. Password files are not encrypted.
C. Redundant logon IDs are deleted.

D. The all

5.2 You answered A. The correct answer is B.
When evaluating the technical aspects of logical security, unencrypted files represent the greatest risk. The sharing of passwords, checking for the redundancy of logon IDs and proper logon ID procedures are es

When testing program change requests, an IS auditor finds that the population of changes was too small to provide a reasonable level of assurance. What is the MOST appropriate action for the IS auditor to take?Select an answer:

A. Develop an alternate te

1.3 You answered C. The correct answer is A.
If a sample size objective cannot be met with the given data, the IS auditor would not be able to provide assurance regarding the testing objective. In this instance, the IS auditor should develop (with audit m

The MOST common problem in the operation of an intrusion detection system (IDS) is:
Select an answer:
A. the detection of false positives.
B. receiving trap messages.
C. reject-error rates.

D. denial-of-service attacks.

5.2 You are correct, the answer is A.
Because of the configuration and the way IDS technology operates, the main problem in operating IDSs is the recognition (detection) of events that are not really security incidents, that is, false positives, the equivalent of a

In regard to moving an application program from the test environment to the production environment, the BEST control would be to have the:Select an answer:

A. application programmer copy the source program and compiled object module to the production lib

4.9 You answered C. The correct answer is D.
The best control would be provided by having the production control group copy the source program to the production libraries and then compile the program.

An IS auditor is reviewing a project for the implementation of a mission-critical system and notes that, instead of parallel implementation, the team opted for an immediate cutover to the new system. Which of the following is the GREATEST concern?
Select

3.5 You are correct, the answer is A.
A. One of the benefits of deploying a new system in parallel with an existing system is that the original system can always be used as a backout plan. In an immediate cutover scenario, not having a backout plan can cr

A company's development team does not follow generally accepted system development life cycle (SDLC) practices. Which of the following is MOST likely to cause problems for software development projects?
Select an answer:

A. Functional verification of the

3.2 You are correct, the answer is C.
A. Prototypes are verified by users.
B. UAT is seldom completely successful. If errors are not critical, they may be corrected after implementation without seriously affecting usage.

C. Errors or lack of attention in

During a fieldwork observation of system administrative functions, an IS auditor discovered that changes made to the database after normal working hours required only an abbreviated number of steps compared to those made during normal working hours. Which

4.9 You answered A. The correct answer is D.
The use of a DBA user account is normally set up to log all changes made and is most appropriate for changes made outside of normal working hours. The use of a log allows changes to be reviewed. The privileged

The purpose of code signing is to provide assurance that:
Select an answer:
A. the software has not been subsequently modified.
B. the application can safely interface with another signed application.
C. the signer of the application is trusted.

D. the pr

4.9 You are correct, the answer is A.
Code signing can only ensure that the executable code has not been modified after being signed. The other choices are incorrect and actually represent potential and exploitable weaknesses of code signing.

Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider:
Select an answer:
A. meets or exceeds industry security standards.

B. agre

2.8 You are correct, the answer is B.
It is critical that an independent security review of an outsourcing vendor be obtained because customer credit information will be kept there. Compliance with security standards or organization policies is important,

A firewall is being deployed at a new location. Which of the following is the MOST important factor in ensuring a successful deployment?
Select an answer:
A. Reviewing logs frequently
B. Testing and validating the rules

C. Training a local administrator a

5.2 You are correct, the answer is B.
A mistake in the rule set can render a firewall insecure. Therefore, testing and validating the rules is the most important factor in ensuring a successful deployment. A regular review of log files would not start unt

While investigating online transactions, an enterprise realizes that a transaction was fraudulent and requires involvement of law enforcement. What should the enterprise do FIRST?
Select an answer:

A. Document the analysis of the fraudulent transactions.

5.1 You answered D. The correct answer is C.
In the case of electronic evidence, it is necessary for evidence to be produced in an original form and to establish that the electronic evidence has not been tampered with. All other options are secondary.

Which of the following acts as a decoy to detect active Internet attacks?
Select an answer:
A. Honeypots
B. Firewalls
C. Trapdoors

D. Traffic analysis

5.2 You are correct, the answer is A.
Honeypots are computer systems that are expressly set up to attract and trap individuals who attempt to penetrate other individuals' computer systems. The concept of a honeypot is to learn from an intruder's actions. A p

A live test of a mutual agreement for IT system recovery has been carried out, including a four-hour test of intensive usage by the business units. The test has been successful, but gives only partial assurance that the:
Select an answer:

A. system and th

4.11 You answered B. The correct answer is A.
The applications have been intensively operated; therefore, choices B, C and D have been actually tested, but the capability of the system and the IT operations team to sustain and support this environment (an

When an employee is terminated from service, the MOST important action is to:
Select an answer:
A. hand over all of the employee's files to another designated employee.
B. complete a backup of the employee's work.

C. notify other employees of the terminat

2.2 D. disable the employee's logical access.

Which of the following is in the BEST position to approve changes to the audit charter?
Select an answer:
A. Board of directors
B. Audit committee
C. Executive management

D. Director of internal audit

1.1 You answered A. The correct answer is B.
A. The board of directors does not need to approve the charter; it is best presented to the audit committee for approval.

B. The audit committee is a subgroup of the board of directors. The audit department sho

An appropriate control for ensuring the authenticity of orders received in an electronic data interchange (EDI) system application is to:
Select an answer:
A. acknowledge receipt of electronic orders with a confirmation message.

B. perform reasonableness

3.5 You are correct, the answer is C.
An EDI system is subject not only to the usual risk exposures of computer systems but also to those arising from the potential ineffectiveness of controls on the part of the trading partner and the third-party service

To address an organization's disaster recovery requirements, backup intervals should not exceed the:
Select an answer:
A. service level objective (SLO).
B. recovery time objective (RTO).
C. recovery point objective (RPO).

D. maximum acceptable outage (MAO

4.11 You are correct, the answer is C.
RPO defines the point in time to which data must be restored after a disaster so as to resume processing transactions. Backups should be performed in a way that the latest backup is no older than this maximum time fr

An IS audit department is considering implementing continuous auditing techniques for a multinational retail enterprise that processes a large volume of transactions per day. A PRIMARY benefit of continuous auditing is that:
Select an answer:

A. effective

3.6 You are correct, the answer is D.
A. Continuous monitoring is detective in nature, and therefore does not necessarily assist the IS auditor in monitoring for preventive controls. The approach will detect and monitor for errors that have already occurr

An advantage in using a bottom-up vs. a top-down approach to software testing is that:
Select an answer:
A. interface errors are detected earlier.
B. confidence in the system is achieved earlier.
C. errors in critical modules are detected earlier.

D. majo

3.4 You are correct, the answer is C.
The bottom-up approach to software testing begins with the testing of atomic units, such as programs and modules, and works upward until a complete system testing has taken place. The advantages of using a bottom-up a

An IS auditor analyzing the audit log of a database management system (DBMS) finds that some transactions were partially executed as a result of an error and have not been rolled back. Which of the following transaction processing features has been violat

4.6 You are correct, the answer is D.
Atomicity guarantees that either the entire transaction is processed or none of it is. Consistency ensures that the database is in a legal state when the transaction begins and ends. Isolation means that, while in an

In evaluating programmed controls over password management, which of the following is the IS auditor MOST likely to rely on?
Select an answer:
A. A size check
B. A hash total
C. A validity check

D. A field check

1.5 You answered B. The correct answer is C.
A validity check would be the most useful for the verification of passwords because it would verify that the required format has been used; for example, not using a dictionary word, including non-alphabetical ch

The MOST important point of consideration for an IS auditor while reviewing an enterprise's project portfolio is that it:
Select an answer:
A. does not exceed the existing IT budget.
B. is aligned with the investment strategy.

C. has been approved by the

2.3 You answered C. The correct answer is D.
Portfolio management takes a holistic view of an enterprise's overall IT strategy, which, in turn, should be aligned with the business strategy. A business plan provides the justification for each of the projec

Reconfiguring which of the following firewall types will prevent inward downloading of files through the File Transfer Protocol (FTP)?
Select an answer:
A. Circuit gateway
B. Application gateway
C. Packet filter

D. Screening router

5.2 You are correct, the answer is B.
An application gateway firewall is effective in preventing applications such as FTP from entering the organization network. A circuit gateway firewall is able to prevent paths or circuits, not applications, from ente

An IS auditor has identified a business process to be audited. The IS auditor should NEXT identify the:
Select an answer:
A. most valuable information assets.
B. IS audit resources to be deployed.
C. auditee personnel to be interviewed.

D. control objecti

1.2 You answered A. The correct answer is D.
A. To determine the key information assets to be audited, the IS auditor should first determine which control objectives and key control activities should be validated. Only information assets that are related

An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the:
Select an answer:
A. hardware configuration.
B. access control software.
C. ownership of intellectual property.

D. application development methodology.

2.8 You are correct, the answer is C.
Of the choices, the hardware and access control software is generally irrelevant as long as the functionality, availability and security can be affected, which are specific contractual obligations. Similarly, the deve

An IS auditor performing a review of a major software development project finds that it is on schedule and under budget due to unplanned overtime by software developers. The IS auditor should:
Select an answer:

A. conclude that the project is progressing

3.2 You are correct, the answer is D.
While the dates on which key projects are completed are important, there may be issues with the project plan if an extraordinary amount of unplanned overtime is required to meet those dates. In most cases, the project

An IS auditor is evaluating data mining and auditing software to be used in future IS audits. What is the PRIMARY requirement that the software tool should meet? The software tool should:
Select an answer:

A. interface with various types of enterprise res

1.3 You are correct, the answer is B.
While all of the options above are desirable in a software tool evaluated for auditing and data mining purposes, the most critical requirement is that the tool does not compromise data integrity or make changes to the

During the audit of a database server, which of the following would be considered the GREATEST exposure?
Select an answer:
A. The password on the administrator account does not expire.

B. Default global security settings for the database remain unchanged.

4.6 You are correct, the answer is B.
Default security settings for the database could allow issues like blank user passwords or passwords that were the same as the username. Logging all database activity is not practical. Failure to purge old data may pr

What is the GREATEST risk of a bank outsourcing its data center?
Select an answer:
A. Loss or leakage of information
B. Noncompliance with regulatory requirements
C. Vendor failure or bankruptcy

D. Loss of internal knowledge and experience

2.8 You are correct, the answer is A.
A. The risk of loss or leakage of information is the greatest risk because it can subject the company to regulatory fines, lawsuits and reputation risk.

B. Although noncompliance with regulations subjects a company to

When reviewing a disaster recovery plan (DRP), an IS auditor should be MOST concerned with the lack of:
Select an answer:
A. process owner involvement.
B. well-documented testing procedures.
C. an alternate processing facility.

D. a well-documented data c

4.11 You are correct, the answer is A.
Process owner involvement is a critical part of the business impact analysis (BIA), which is used to create the DRP. If the IS auditor determined that process owners were not involved, this would be a significant con

An IS auditor recommends that an initial validation control be programmed into a credit card transaction capture application. The initial validation process would MOST likely:
Select an answer:

A. check to ensure that the type of transaction is valid for

3.4 You answered D. The correct answer is B.
The initial validation should confirm whether the card is valid. This validity is established through the card number and personal identification number (PIN) entered by the user. Based on this initial validati

In the context of effective information security governance, the primary objective of value delivery is to:
Select an answer:
A. optimize security investments in support of business objectives.
B. implement a standard set of security practices.

C. institu

2.7 You are correct, the answer is A.
In the context of effective information security governance, value delivery is implemented to ensure optimization of security investments in support of business objectives. The tools and techniques for implementing va

The MOST important difference between hashing and encryption is that hashing:
Select an answer:
A. is irreversible.
B. output is the same length as the original message.
C. is concerned with integrity and security.

D. is the same at the sending and receiv

5.2 You are correct, the answer is A.
Hashing works one way; by applying a hashing algorithm to a message, a message hash/digest is created. If the same hashing algorithm is applied to the message digest, it will not result in the original message. As suc

An IS auditor is developing an audit plan for a repeat client. The IS auditor reviews the prior-year audit plan and finds that the previous plan was designed to review the company network and email systems, which were newly implemented last year, but the

1.2 You are correct, the answer is C.
The best course of action is to conduct a risk assessment and design the audit plan to cover the areas of highest risk. ISACA IT Audit and Assurance Standard S11 (Use of Risk Assessment in Audit Planning), Substandard

An IS auditor observed brute-force attacks on the administrator account. The BEST recommendation to prevent a successful brute-force attack would be to:
Select an answer:
A. increase the password length for the user.

B. configure a session timeout mechani

5.2 You answered B. The correct answer is D.
Knowledge of both a username and password is required to successfully compromise an account using brute-force attack. If a username is guessable, brute-force attacks are much more feasible. Increasing the passw

An IS auditor wishes to determine the effectiveness of managing user access to a server room. Which of the following is the BEST evidence of effectiveness?
Select an answer:
A. Observation of a logged event
B. Review of the procedure manual

C. Interview w

5.4 You are correct, the answer is A.
A. Observation of the process to reset an employee's security access to the server room and the subsequent logging of this event provide the best evidence of the adequacy of the physical security control.

B. Although

Which of the following should an IS auditor use to detect duplicate invoice records within an invoice master file?
Select an answer:
A. Attribute sampling
B. Computer Aided Audit Techniques (CAATs)
C. Test data

D. Integrated test facility (ITF)

1.3 You answered A. The correct answer is B.
CAATs would enable the IS auditor to review the entire invoice file to look for those items that meet the selection criteria. Attribute sampling would aid in identifying records meeting specific conditions, but

For a mission-critical application with a low recovery time objective (RTO), the IS auditor would recommend the use of which of the following recovery strategies?
Select an answer:
A. Mobile site
B. Redundant site
C. Hot site

D. Reciprocal agreements

4.11 You answered C. The correct answer is B.
A redundant site contains either duplicate mirror facilities that are online at all times or computing facilities of a reduced capacity that can process at the acceptable service delivery objective (SDO) requi

During an IS audit of a bank, the IS auditor is assessing whether the enterprise properly manages staff member access to the operating system. The IS auditor should determine whether the enterprise performs:
Select an answer:

A. periodic review of user ac

4.5 You answered B. The correct answer is A.
General operating system access control functions include logging user activities, events, etc. Choice B is a database- and/or an application-level access control function. Choice C is a network control feature

The BEST overall quantitative measure of the performance of biometric control devices is:
Select an answer:
A. false-rejection rate (FRR).
B. false-acceptance rate (FAR).
C. equal-error rate (EER).

D. estimated-error rate.

5.4 You answered A. The correct answer is C.
A low EER is a combination of a low FRR and a low FAR. EER, expressed as a percentage, is a measure of the number of times that the FRR and FAR are equal. A low EER is the measure of the more effective biometri

During external audit, an IS auditor discovers that systems that are in the scope of the audit were implemented by an associate. In such a circumstance, IS audit management should:
Select an answer:
A. remove the IS auditor from the engagement.

B. cancel

1.3 You are correct, the answer is C.
A. It is not necessary to withdraw the IS auditor unless there is a statutory limitation, as exists in certain countries.
B. Canceling the engagement is not called for.

C. In circumstances in which the IS auditor's in

Which of the following is an implementation risk within the process of decision support systems (DSSs)?
Select an answer:
A. Management control
B. Semistructured dimensions
C. Inability to specify purpose and usage patterns

D. Changes in decision processe

3.5 You are correct, the answer is C.
The inability to specify purpose and usage patterns is a risk that developers need to anticipate while implementing a DSS. Choices A, B and D are not types of risk, but characteristics of a DSS.

Receiving an electronic data interchange (EDI) transaction and passing it through the communications interface stage usually requires:
Select an answer:
A. translating and unbundling transactions.
B. routing verification procedures.

C. passing data to th

5.2 You answered C. The correct answer is B.
The communications interface stage requires routing verification procedures. EDI or ANSI X12 is a standard that must be interpreted by an application for transactions to be processed and then to be invoiced, p

An internal IS audit function is planning a general IS audit. Which of the following activities takes place during the FIRST step of the planning phase?
Select an answer:
A. Development of an audit program
B. Review of the audit charter

C. Identification

1.1 You are correct, the answer is D.
A. The results of the risk assessment are used for the input for the audit program.

B. The audit charter is prepared when the audit department is established or as updates are needed. Creation of the audit charter is

A human resources (HR) company offers free public wireless Internet access to its guests, after authenticating with a generic user ID and password. The generic ID and password are requested from the reception desk. Which of the following controls BEST add

5.2 You are correct, the answer is C.
Changing the password for the wireless network does not secure against unauthorized access to the company network, especially since a guest could gain access to the wireless local area network (WLAN) at any time prior

The internal audit team is auditing controls over sales returns and is concerned about fraud. Which of the following sampling methods would BEST assist the auditors?
Select an answer:
A. Stop-or-go
B. Classical variable
C. Discovery

D. Probability-proport

1.3 You are correct, the answer is C.
Discovery sampling is used when an auditor is trying to determine whether a type of event has occurred, and therefore it is suited to assess the risk of fraud and to identify whether a single occurrence has taken plac

When installing an intrusion detection system (IDS), which of the following is MOST important?
Select an answer:
A. Properly locating it in the network architecture
B. Preventing denial-of-service (DoS) attacks

C. Identifying messages that need to be quar

5.2 You are correct, the answer is A.
Proper location of an IDS in the network is the most important decision during installation. A poorly located IDS could leave key areas of the network unprotected. Choices B, C and D are concerns during the configurat

During maintenance of a relational database, several values of the foreign key in a transaction table have been corrupted. The consequence is that:
Select an answer:

A. the detail of involved transactions may no longer be associated with master data, caus

4.6 You are correct, the answer is A.
When the external key of a transaction is corrupted or lost, the application system will normally be incapable of directly attaching the master data to the transaction data. This will normally cause the system to unde

When auditing a proxy-based firewall, an IS auditor should:
Select an answer:
A. verify that the firewall is not dropping any forwarded packets.

B. review Address Resolution Protocol (ARP) tables for appropriate mapping between media access control (MAC)

5.2 You answered D. The correct answer is C.
A proxy-based firewall works as an intermediary (proxy) between the service or application and the client. It makes a connection with the client and opens a different connection with the server and, based on sp

Which of the following potentially blocks hacking attempts?
Select an answer:
A. Intrusion detection system (IDS)
B. Honeypot system
C. Intrusion prevention system (IPS)

D. Network security scanner

5.2 You are correct, the answer is C.
An IPS is deployed as an in-line device that can detect and block hacking attempts. An IDS normally is deployed in sniffing mode and can detect intrusion attempts, but cannot effectively stop them. A honeypot solution

When evaluating the controls of an electronic data interchange (EDI) application, an IS auditor should PRIMARILY be concerned with the risk of:
Select an answer:
A. excessive transaction turnaround time.
B. application interface failure.

C. improper trans

3.1 You answered A. The correct answer is C.
Foremost among the risks associated with EDI is improper transaction authorization. Since the interaction with the parties is electronic, there is no inherent authentication. The other choices, although there is

Overall business risk for a particular threat can be expressed as:
Select an answer:
A. a product of the likelihood and magnitude of the impact should a threat successfully exploit a vulnerability.

B. the magnitude of the impact should a threat source suc

2.9 You are correct, the answer is A.
Choice A takes into consideration the likelihood and magnitude of the impact and provides the best measure of the risk to an asset. Choice B provides only the likelihood of a threat exploiting a vulnerability in the a

Which of the following is the GREATEST concern when an organization's backup facility is at a warm site?
Select an answer:
A. Timely availability of hardware
B. Availability of heat, humidity and air conditioning equipment

C. Adequacy of electrical power

4.3 You are correct, the answer is A.
A warm site has the basic infrastructure facilities implemented, such as power, air conditioning and networking, but is normally lacking computing equipment. Therefore, the availability of hardware becomes a primary c

The GREATEST risk from an improperly implemented intrusion prevention system (IPS) is:
Select an answer:
A. that there will be too many alerts for system administrators to verify.
B. decreased network performance due to IPS traffic.

C. the blocking of cri

5.2 You are correct, the answer is C.
An IPS prevents a connection or service based on how it is programmed to react to specific incidents. If the packets are coming from a spoofed address and the IPS is triggered based on previously defined behavior, it

Online banking transactions are being posted to the database when processing suddenly comes to a halt. The integrity of the transaction processing is BEST ensured by:
Select an answer:
A. database integrity checks.
B. validation checks.

C. input controls.

4.6 You answered A. The correct answer is D.
Database commits ensure the data are saved to disk, while the transaction processing is underway or complete. Rollback ensures that the already completed processing is reversed back, and the data already proces

When transmitting a payment instruction, which of the following will help verify that the instruction was not duplicated?
Select an answer:
A. Using a cryptographic hashing algorithm
B. Enciphering the message digest
C. Deciphering the message digest

D. U

3.4 You are correct, the answer is D.
When transmitting data, a sequence number and/or time stamp built into the message to make it unique can be checked by the recipient to ensure that the message was not intercepted and replayed. This is known as replay

An IS auditor is conducting a compliance test to determine whether controls support management policies and procedures. The test will assist the IS auditor to:
Select an answer:
A. obtain an understanding of the control objective.

B. confirm that the cont

1.2 You answered C. The correct answer is B.
Compliance tests can be used to test the existence and effectiveness of a defined process. Understanding the objective of a compliance test is important. IS auditors want reasonable assurance that the controls

General ledger (GL) data are required for an audit. Instead of asking IT to extract the data, the IS auditor is granted direct access to the data. What is the MAIN advantage of this approach?
Select an answer:

A. Reduction of IT person-hours to support th

1.3 You are correct, the answer is D.
A. While the burden on IT staff to support the audit may decrease if the IS auditor directly extracts the data, this advantage is not as significant as the increased data validity.

B. The risk of errors would increas

Which of the following situations would increase the likelihood of fraud?
Select an answer:
A. Application programmers are implementing changes to production programs.
B. Application programmers are implementing changes to test programs.

C. Operations sup

3.5 You are correct, the answer is A.
Production programs are used for processing an enterprise's data. It is imperative that controls on changes to production programs are stringent. Lack of control in this area could result in application programs being

Which of the following is responsible for the development of an information security policy?
Select an answer:
A. The IS department
B. The security committee
C. The security administrator

D. The board of directors

2.4 You answered B. The correct answer is D.
Normally, the designing of an information systems security policy is the responsibility of top management or the board of directors. The IS department is responsible for the execution of the policy, having no a

Which of the following is the MOST effective tool for monitoring transactions that exceed predetermined thresholds?
Select an answer:
A. Generalized audit software (GAS)
B. Integrated test facility
C. Systems control audit review file (SCARF)

D. Snapshots

3.4 You answered A. The correct answer is C.
SCARF works using predetermined exceptions. The constituents of "exceptions" have to be defined for the software to trap. GAS is a data analytic tool that does not require preset information. The integrated tes

Which of the following should be a concern for an IS auditor reviewing an organization's cloud computing strategy which is based on a Software as a Service (SaaS) model with an external provider?
Select an answer:

A. Workstation upgrades must be performed

3.1 You are correct, the answer is D.
A SaaS provider does not normally have onsite support for the organization. Therefore, incident handling procedures between the organization and its provider are critical for the detection, communication and resoluti

An enterprise is developing a new procurement system, and things are behind schedule. As a result, it is proposed that the time originally planned for the testing phase be shortened. The project manager asks the IS auditor for recommendations to mitigate

3.4 You are correct, the answer is A.
Choice A reduces risk in a number of ways. Reduced functionality should result in fewer overall test cases to run and defects to fix and retest, and in less regression testing. A pilot release made available to a sele

An IS auditor uses computer-assisted audit techniques (CAATs) to collect and analyze data. Which of the following attributes of evidence is MOST affected by the use of CAATs?
Select an answer:
A. Usefulness
B. Reliability
C. Relevance

D. Adequacy

1.2 You are correct, the answer is B.
A. Usefulness of audit evidence pulled by CAATs is determined by the audit objective, and the use of CAATs does not have as direct of an impact on usefulness as reliability does.

B. Because the data are directly colle

A company undertakes a business process reengineering (BPR) project in support of a new and direct marketing approach to its customers. Which of the following would be an IS auditor's main concern about the new process?
Select an answer:

A. Whether key co

3.4 You are correct, the answer is A.
The audit team must advocate the inclusion of the key controls and verify that the controls are in place before implementing the new process. Choices B, C and D are objectives that the BPR process should achieve, but

In a financial organization that deals with highly sensitive client data, an IS auditor is asked to provide recommendations for secure email communication. What is the MOST appropriate recommendation?
Select an answer:

A. Establish private keys with clien

5.2 You are correct, the answer is C.
A. Establishing private keys with preshared pass phrases is one option, but not the best option. Managing pass phrase changes is time consuming, and there is no trusted authority to vouch that the pass phrase is genui

An IS auditor is reviewing a software-based firewall configuration. Which of the following represents the GREATEST vulnerability? The firewall software:
Select an answer:
A. is configured with an implicit deny rule as the last rule in the rule base.
B. is

5.2 You are correct, the answer is B.
Default settings are often published and provide an intruder with predictable configuration information, which allows easier system compromise. To mitigate this risk, firewall software should be installed on a system

Which of the following forms of evidence for the auditor would be considered the MOST reliable?
Select an answer:
A. An oral statement from the auditee
B. The results of a test performed by an external IS auditor
C. An internally generated computer accoun

1.3 You are correct, the answer is B.
An independent test performed by an IS auditor should always be considered a more reliable source of evidence than a confirmation letter from a third party since a letter does not conform to audit standards and is sub

What is the MOST prevalent security risk when an organization implements remote virtual private network (VPN) access to its network?
Select an answer:
A. Malicious code could be spread across the network.
B. The VPN logon could be spoofed.
C. Traffic coul

5.2 You are correct, the answer is A.
VPN is a mature technology; VPN devices are hard to break. However, when remote access is enabled, malicious code in a remote client could spread to the organization's network. Although choices B, C and D are types of

The extent to which data will be collected during an IS audit should be determined based on the:
Select an answer:
A. availability of critical and required information.
B. auditor's familiarity with the circumstances.
C. auditee's ability to find relevant

1.2 You answered A. The correct answer is D.
The extent to which data will be collected during an IS audit should be related directly to the scope and purpose of the audit. An IS audit with a narrow purpose and scope would result most likely in less data

The MOST important success factor in planning a black box penetration test is:
Select an answer:
A. the documentation of the planned testing procedure.
B. a realistic evaluation of the environment architecture to determine scope.
C. knowledge by the manag

5.2 You answered A. The correct answer is C.
Black box penetration testing assumes no prior knowledge of the infrastructure to be tested. Testers simulate an attack from someone who is unfamiliar with the system. It is important to have management knowled

An IS auditor reviewing a web application discovers that multiple users are logging in with the same user ID and password. What is the auditor's PRIMARY concern regarding this practice?
Select an answer:
A. Violation of confidentiality
B. Difficulty maint

5.2 You are correct, the answer is C.
A. Shared user accounts do not allow the organization to establish accountability for actions executed under the account. Confidentiality is secondary in the described scenario.

B. Shared user IDs do not add complexit

Once an organization has finished the business process reengineering (BPR) of all its critical operations, an IS auditor would MOST likely focus on a review of:
Select an answer:
A. pre-BPR process flowcharts.
B. post-BPR process flowcharts.
C. BPR projec

4.1 You answered C. The correct answer is B.
An IS auditor's task is to identify and ensure that key controls have been incorporated into the reengineered process. Choice A is incorrect because an IS auditor must review the process as it is today, not as

An IS auditor has identified a business process to be audited. The IS auditor should NEXT identify the:
Select an answer:
A. most valuable information assets.
B. IS audit resources to be deployed.
C. auditee personnel to be interviewed.
D. control objecti

1.2 You are correct, the answer is D.
A. To determine the key information assets to be audited, the IS auditor should first determine which control objectives and key control activities should be validated. Only information assets that are related to the

An IS steering committee should:
Select an answer:
A. include a mix of members from different departments and staff levels.
B. ensure that IS security policies and procedures have been executed properly.
C. maintain minutes of its meetings and keep the bo

2.1 You answered B. The correct answer is C.
It is important to keep detailed steering committee minutes to document the decisions and activities of the IS steering committee, and the board of directors should be informed about those decisions on a timely

Which of the following is the GREATEST concern when an organization's backup facility is at a warm site?
Select an answer:
A. Timely availability of hardware
B. Availability of heat, humidity and air conditioning equipment
C. Adequacy of electrical power

4.3 You answered B. The correct answer is A.
A warm site has the basic infrastructure facilities implemented, such as power, air conditioning and networking, but is normally lacking computing equipment. Therefore, the availability of hardware becomes a pr

In determining the acceptable time period for the resumption of critical business processes:
Select an answer:
A. only downtime costs need to be considered.
B. recovery operations should be analyzed.
C. both downtime costs and recovery costs need to be ev

2.11 You are correct, the answer is C.
Both downtime costs and recovery costs need to be evaluated in determining the acceptable time period before the resumption of critical business processes. The outcome of the business impact analysis (BIA) should be

Which of the following is the MOST critical and contributes the greatest to the quality of data in a data warehouse?
Select an answer:
A. Accuracy of the source data
B. Credibility of the data source
C. Accuracy of the extraction process
D. Accuracy of the

3.4 You are correct, the answer is A.
Accuracy of source data is a prerequisite for the quality of the data in a data warehouse. Credibility of the data source, accurate extraction processes and accurate transformation routines are all important, but woul

During which phase of software application testing should an organization perform the testing of architectural design?
Select an answer:
A. Acceptance testing
B. System testing
C. Integration testing
D. Unit testing

3.5 You are correct, the answer is C.
Integration testing evaluates the connection of two or more components that pass information from one area to another. The objective is to utilize unit-tested modules, thus building an integrated structure according t

The PRIMARY objective of testing a business continuity plan is to:
Select an answer:
A. familiarize employees with the business continuity plan.
B. ensure that all residual risk is addressed.
C. exercise all possible disaster scenarios.
D. identify limita

2.11 You are correct, the answer is D.
Testing the business continuity plan provides the best evidence of any limitations that may exist. Familiarizing employees with the business continuity plan is a secondary benefit of a test. It is not cost effective

Which of the following would BEST maintain the integrity of a firewall log?
Select an answer:
A. Granting access to log information only to administrators
B. Capturing log events in the operating system layer
C. Writing dual logs onto separate storage med

4.8 You answered A. The correct answer is D.
Establishing a dedicated third-party log server and logging events in it is the best procedure for maintaining the integrity of a firewall log. When access control to the log server is adequately maintained, th

An IS auditor performing a data center review for a large company discovers that the data center has a lead-acid battery room to provide power to its uninterruptable power supply (UPS) during short-term outages and a diesel generator to provide long-term

5.5 You answered A. The correct answer is B.
Lead-acid batteries emit hydrogen, which is a highly explosive gas. Hydrogen detectors are a compensating control for ventilation system failure. All battery rooms should have hydrogen sensors as well as adequa

The PRIMARY objective of service-level management (SLM) is to:
Select an answer:
A. define, agree on, record and manage the required levels of service.
B. ensure that services are managed to deliver the highest achievable level of availability.
C. keep th

4.2 You are correct, the answer is A.
The objective of SLM is to negotiate, document and manage (i.e., provide and monitor) the services in the manner in which the customer requires those services. This does not necessarily ensure that services are delive

Which of the following goals would you expect to find in an organization's strategic plan?
Select an answer:
A. Test a new accounting package.
B. Perform an evaluation of information technology needs.
C. Implement a new project planning system within the

2.3 You answered C. The correct answer is D.
Strategic planning sets corporate or departmental objectives into motion. Comprehensive planning helps ensure an effective and efficient organization. Strategic planning is time- and project-oriented, but also

An IS auditor who has discovered unauthorized transactions during a review of electronic data interchange (EDI) transactions is likely to recommend improving the:
Select an answer:
A. EDI trading partner agreements.
B. physical controls for terminals.
C.

3.4 You are correct, the answer is C.
Authentication techniques for sending and receiving messages play a key role in minimizing exposure to unauthorized transactions. The EDI trading partner agreements would minimize exposure to legal issues.

The final decision to include a material finding in an audit report should be made by the:
Select an answer:
A. audit committee.
B. auditee's manager.
C. IS auditor.
D. chief executive officer (CEO) of the organization.

1.4 You answered A. The correct answer is C.
The IS auditor should make the final decision about what to include or exclude from the audit report. The other choices would limit the independence of the IS auditor.

An IS auditor is tasked to review the adequacy of an organization's technology recovery strategy. Which of the following factors would the auditor PRIMARILY review?
Select an answer:
A. Recovery time objective (RTO)
B. Business impact analysis (BIA)
C. Ab

4.11 You are correct, the answer is B.
The BIA identifies the financial, operational and service impacts that may result from a disruption in a business process or IT service and therefore the BIA is the primary driver for the technology recovery strategy

Which of the following would BEST help to detect errors in data processing?
Select an answer:
A. Programmed edit checks
B. Well-designed data entry screens
C. Segregation of duties
D. Hash totals

3.4 You answered C. The correct answer is D.
The use of hash totals is an effective method to reliably detect errors in data processing. Automated controls such as programmed edit checks or well-designed data entry screens are preventive controls. Enforci

When developing a security architecture, which of the following steps should be executed FIRST?
Select an answer:
A. Developing security procedures
B. Defining a security policy
C. Specifying an access control methodology
D. Defining roles and responsibil

2.4 You are correct, the answer is B.
Defining a security policy for information and related technology is the first step toward building a security architecture. A security policy communicates a coherent security standard to users, management and technic

An IS auditor has been asked to review the implementation of a customer relationship management (CRM) system for a large organization. The IS auditor discovered the project incurred significant overbudget expenses and scope creep caused the project to mis

3.2 You are correct, the answer is B.
A. While project management training is a good practice, it does not necessarily prevent scope creep without the use of a software baseline and a robust requirements change process.

B. Use of a software baseline provi

Which of the following antispam filtering techniques would BEST prevent a valid, variable-length email message containing a heavily weighted spam keyword from being labeled as spam?
Select an answer:
A. Heuristic (rule-based)
B. Signature-based
C. Pattern

5.2 You answered B. The correct answer is D.
Bayesian filtering applies statistical modeling to messages by performing a frequency analysis on each word within the message and then evaluating the message as a whole. Therefore, it can ignore a suspicious k

The purpose of a checksum on an amount field in an electronic data interchange (EDI) communication of financial transactions is to ensure:
Select an answer:
A. integrity.
B. authenticity.
C. authorization.
D. nonrepudiation.

3.14 You are correct, the answer is A.
A checksum calculated on an amount field and included in the EDI communication can be used to identify unauthorized modifications. Authenticity and authorization cannot be established by a checksum alone and need oth

Which of the following is the MOST important requirement for the successful testing of a disaster recovery plan (DRP)?
Select an answer:
A. Participation by all of the identified resources
B. Management approval of the testing scenario
C. Advance notice f

2.11 You are correct, the answer is B.
Management approval of the testing scenario would help to ensure both that the test exercise was relevant and in alignment with business requirements. Obtaining management buy-in for the testing is critical to the su

An IS auditor finds that conference rooms have active network ports. Which of the following is MOST important to ensure?
Select an answer:
A. The corporate network is using an intrusion prevention system (IPS).

B. This part of the network is isolated from

5.2 You answered A. The correct answer is B.
If the conference rooms have access to the corporate network, unauthorized users may be able to connect to the corporate network; therefore, both networks should be isolated either via a firewall or being physi

An IS auditor is reviewing the IT governance practices. Which of the following BEST helps the IS auditor evaluate the quality of alignment between IT and the business?
Select an answer:
A. Security policies
B. Operational procedures
C. Project portfolio
D

2.1 You are correct, the answer is D.
A. Security policies are important; however, they are not designed to align IT to the business.
B. Operational procedures do not provide the IS auditor assurance of the alignment between IT and the business.

C. The pr

An external IS auditor issues an audit report pointing out the lack of firewall protection features at the perimeter network gateway and recommends a specific vendor product to address this vulnerability. The IS auditor has failed to exercise:
Select an a

1.4 You are correct, the answer is A.
When an IS auditor recommends a specific vendor, that compromises the auditor's professional independence. Organizational independence has no relevance to the content of an audit report and should be considered at the

A programmer maliciously modified a production program to change data and then restored the original code. Which of the following would MOST effectively detect the malicious activity?
A. Comparing source code
B. Reviewing system log files
C. Comparing obj

4.9 You answered D. The correct answer is B.
Reviewing system log files is the only trail that may provide information about the unauthorized activities in the production library. Source and object code comparisons are ineffective, because the original pr

An IS auditor reviewing an organization's disaster recovery plan should PRIMARILY verify that it is:
A. tested every six months.
B. regularly reviewed and updated.
C. approved by the chief executive officer (CEO).
D. communicated to every department head

4.11 You answered C. The correct answer is B.
The plan should be reviewed at appropriate intervals, depending on the nature of the business and the rate of change of systems and personnel. Otherwise, it may become out of date and may no longer be effectiv

The risk of dumpster diving is BEST mitigated by:
A. implementing security awareness training.
B. placing shred bins in copy rooms.
C. developing a media disposal policy.
D. placing shredders in individual offices.

5.5 You answered C. The correct answer is A.
A. Dumpster diving is used to steal documents or computer media that were not properly discarded. Users should be educated to know the risk of carelessly discarding sensitive documents and other items.

B. The s

Which of the following controls would be the MOST comprehensive in a remote access network with multiple and diverse subsystems?
A. Proxy server
B. Firewall installation
C. Network administrator
D. Password implementation and administration

5.2 You answered B. The correct answer is D.
The most comprehensive control in this situation is password implementation and administration. While firewall installations are the primary line of defense, they cannot protect all access and, therefore, an el

In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, the IS auditor should:
A. identify and assess the risk assessment process used by management.
B. identify information assets and the underlying

1.3 You answered B. The correct answer is D.
It is important for an IS auditor to identify and evaluate the existing controls and security once the potential threats and possible impacts are identified. Upon completion of an audit an IS auditor should des

An organization has experienced a large amount of traffic being re-routed from its Voice-over Internet Protocol (VoIP) packet network. The organization believes it is a victim of eavesdropping. Which of the following could result in eavesdropping of VoIP

5.2 You answered C. The correct answer is A.
On an Ethernet switch there is a data table known as the ARP cache, which stores mappings between media access control (MAC) and IP addresses. During normal operations, Ethernet switches only allow directed tra

An organization has a business process with a recovery time objective (RTO) equal to zero and a recovery point objective (RPO) close to one minute. This implies that the process can tolerate:
A. a data loss of up to one minute, but the processing must be

4.11 You are correct, the answer is A.
RTO measures an organization's tolerance for downtime and RPO measures how much data loss can be accepted. Choices B, C and D are incorrect since they exceed the RTO limits set by the scenario.

After discovering a security vulnerability in a third-party application that interfaces with several external systems, a patch is applied to a significant number of modules. Which of the following tests should an IS auditor recommend?
A. Stress
B. Black b

4.9 You answered C. The correct answer is D.
Given the extensiveness of the patch and its interfaces to external systems, system testing is most appropriate. Interface testing is not enough, and stress or black box testing are inadequate in these circumst

A development group is designing an Internet application that accepts customer orders. Which of the following features is a MAJOR concern during the review of the design phase?
A. The inclusion of technical information in error messages
B. The use of stor

5.2 You are correct, the answer is A.
A. Applications that are exposed to the Internet should not include technical details in error messages because they could provide attackers with information about vulnerabilities.

B. It is a good practice to utilize

Which of the following is the BEST basis for determining the appropriate levels of information resource protection?
A. Asset classification
B. A business case
C. Vulnerability assessment
D. Asset valuation

5.3 You are correct, the answer is A.
A. Asset classification based on criticality and sensitivity provides the best basis for assigning levels of information resource protection.

B. A business case may be useful to support the need for asset classificati

The effect of which of the following should have priority in planning the scope and objectives of an IS audit?
A. Applicable statutory requirements
B. Applicable corporate standards
C. Applicable industry best practices
D. Organizational policies and proc

1.3 You answered D. The correct answer is A.
A. The effect of applicable statutory requirements must be factored in while planning an IS audit; the IS auditor has no options in this respect because there can be no limitation of scope in respect to statutor

During an IS audit of a global organization, the IS auditor discovers that the organization uses voice-over IP (VoIP) over the Internet as the sole means of voice connectivity among all offices. Which of the following presents the MOST significant risk fo

5.2 You are correct, the answer is B.
The use of VoIP does not introduce any unique risk with respect to equipment failure, so choice A is not correct. A DDoS attack would potentially disrupt the organization's ability to communicate among its offices and

Why does an audit manager review audit papers from an IS auditor, even when the auditor has more than 10 years of experience?
A. Supervision is required to comply with internal quality requirements.
B. Supervision is required to comply with the audit guid

1.1 You are correct, the answer is D.
A. Internal quality requirements may exist, but are superseded by the requirement of supervision to comply with professional standards.

B. Audit guidelines exist to provide guidance on how to achieve compliance with p

Which of the following is the MOST important critical success factor (CSF) of implementing a risk-based approach to the IT system life cycle?
A. Adequate involvement of stakeholders
B. Selection of a risk management framework
C. Identification of risk mit

3.2 You are correct, the answer is A.
A. The most important critical success factor (CSF) is the adequate involvement and support of the various quality assurance, privacy, legal, audit, regulatory affairs or compliance teams in high regulatory risk situa

During an audit, the IS auditor notes that the application developer also performs quality assurance testing on a particular application. Which of the following should the IS auditor do?
A. Recommend compensating controls.
B. Review the code created by th

1.4 You answered C. The correct answer is D.
A. While compensating controls may be a good idea, the primary response in this case should be to report the condition.

B. Evaluating the code created by the application developer is not the appropriate respons

In a small organization, developers may release emergency changes directly to production. Which of the following will BEST control the risk in this situation?
A. Approve and document the change the next business day.
B. Limit developer access to productio

4.9 You answered C. The correct answer is A.
It may be appropriate to allow programmers to make emergency changes as long as they are documented and approved after the fact. Restricting release time frame may help somewhat; however, it would not apply to

An IS auditor discovers that devices connected to the network have not been included in a network diagram that had been used to develop the scope of the audit. The chief information officer (CIO) explains that the diagram is being updated and awaiting fin

1.1 You are correct, the answer is B.
In a risk-based approach to an IS audit, the scope is determined by the impact the devices will have on the audit. If the undocumented devices do not impact the audit scope, then they may be excluded from the current

Recovery procedures for an information processing facility are BEST based on:
A. recovery time objective (RTO).
B. recovery point objective (RPO).
C. maximum tolerable outage (MTO).
D. information security policy.

4.10 You are correct, the answer is A.
A. The RTO is the amount of time allowed for the recovery of a business function or resource after a disaster occurs; it does not determine acceptable data loss.

B. The RPO has the greatest influence on the recovery

In a relational database with referential integrity, the use of which of the following keys would prevent deletion of a row from a customer table as long as the customer number of that row is stored with live orders on the orders table?
A. Foreign key
B.

4.6 You answered D. The correct answer is A.
In a relational database with referential integrity, the use of foreign keys would prevent events such as primary key changes and record deletions, resulting in orphaned relations within the database. It should

In transport mode, the use of the Encapsulating Security Payload (ESP) protocol is advantageous over the Authentication Header (AH) protocol because it provides:
Select an answer:
A. connectionless integrity.
B. data origin authentication.
C. antireplay s

5.2 You answered A. The correct answer is D.
Both protocols support choices A, B and C, but only the ESP protocol provides confidentiality via encryption.

When auditing the provisioning procedures of the identity management (IDM) system of a large organization, an IS auditor immediately finds a small number of access requests that had not been authorized by managers through the normal predefined workflow st

1.3 You answered D. The correct answer is A.
The IS auditor needs to perform substantive testing and an additional analysis in order to determine why the approval and workflow processes are not working as intended. Before making any recommendation, the IS

An IS auditor conducting a review of disaster recovery planning (DRP) at a financial processing organization has discovered the following:
- The existing disaster recovery plan was compiled two years earlier by a systems analyst in the organization's IT d

2.11 You answered A. The correct answer is D.
The primary concern is to establish a workable disaster recovery plan, which reflects current processing volumes to protect the organization from any disruptive incident. Censuring the deputy CEO will not achi

An IS auditor found that the enterprise architecture (EA) recently adopted by an organization has an adequate current-state representation. However, the organization has started a separate project to develop a future-state representation. The IS auditor s

2.6 You answered A. The correct answer is B.
It is critical for the EA to include the future state because the gap between the current state and the future state will determine IT strategic and tactical plans. If the EA does not include a future-state rep

Which of the following BEST helps ensure that deviations from the project plan are identified?
Select an answer:
A. A project management framework
B. A project management approach
C. A project resource plan
D. Project performance criteria

3.3 You answered C. The correct answer is D.
A. Establishment of a project management framework identifies the scope and boundaries of managing projects and the consistent method to be applied when initiating a project, but does not define the criteria us

Which of the following methods of suppressing a fire in a data center is the MOST effective and environmentally friendly?
Select an answer:
A. Halon gas
B. Wet-pipe sprinklers
C. Dry-pipe sprinklers
D. Carbon dioxide gas

5.4 You are correct, the answer is C.
Water sprinklers, with an automatic power shutoff system, are accepted as efficient because they can be set to automatic release without threat to life, and water is environmentally friendly. Sprinklers must be dry-pi

An IS auditor reviewing the IS security policies should verify whether information security management roles and responsibilities are communicated to which of the following?
Select an answer:
A. Functional heads
B. Organizational users
C. The IS steering

5.1 ??????? A. Functional heads

The knowledge base of an expert system that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as:
Select an answer:
A. rules.
B. decision trees.
C. semantic nets.
D. dataflow diagrams.

3.5 You are correct, the answer is B.
Decision trees use questionnaires to lead a user through a series of choices until a conclusion is reached. Rules refer to the expression of declarative knowledge through the use of if-then relationships. Semantic net

A company has decided to implement an electronic signature scheme based on public key infrastructure (PKI). The user's private key will be stored on the computer's hard drive and protected by a password. The MOST significant risk of this approach is:
Sele

5.2 You are correct, the answer is A.
The user's digital signature is only protected by a password. Compromise of the password would enable access to the signature. This is the most significant risk. Choice C would require subversion of the public key inf

An IS auditor is evaluating processes put in place by management at a storage location containing computer equipment. One of the test procedures compares the equipment on location with the inventory records. This type of testing procedure executed by the

1.3 You answered D. The correct answer is A.
A. Substantive testing obtains audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period.

B. Compliance testing is evidence gathering for the purpose of tes

During a fieldwork observation of system administrative functions, an IS auditor discovered that changes made to the database after normal working hours required only an abbreviated number of steps compared to those made during normal working hours. Which

4.9 You are correct, the answer is D.
The use of a DBA user account is normally set up to log all changes made and is most appropriate for changes made outside of normal working hours. The use of a log allows changes to be reviewed. The privileged account

An IS auditor performing an independent classification of systems should consider a situation where functions could be performed manually at a tolerable cost for an extended period of time as:
Select an answer:
A. critical.
B. vital.
C. sensitive.
D. nonc

4.11 You are correct, the answer is C.
Sensitive functions are best described as those that can be performed manually at a tolerable cost for an extended period of time. Critical functions are those that cannot be performed unless they are replaced by ide

Which of the following scenarios provides the BEST disaster recovery plan (DRP) to implement for critical applications?
Select an answer:
A. Daily data backups that are stored offsite and a hot site located 140 kilometers from the main data center

B. Dail

4.11 You answered D. The correct answer is A.
Of the given choices, choice A is the most suitable answer. The DRP includes a hot site that is located sufficiently away from the main data center and will allow recovery in the event of a major disaster. The

Which of the following is an advantage of the top-down approach to software testing?
Select an answer:
A. Interface errors are identified early.
B. Testing can be started before all programs are complete.

C. It is more effective than other testing approac

3.4 You answered D. The correct answer is A.
The advantage of the top-down approach is that tests of major functions are conducted early, thus enabling the detection of interface errors sooner. The most effective testing approach is dependent on the envir

During fieldwork, an IS auditor experienced a system crash caused by a security patch installation. To provide reasonable assurance that this event will not recur, the IS auditor should ensure that:Select an answer:

A. only systems administrators perform

4.9 You answered C. The correct answer is B.
The change management process, which would include procedures regarding implementing changes during production hours, helps to ensure that this type of event does not recur. An IS auditor should review the chan

An IS auditor is determining the appropriate sample size for testing the existence of program change approvals. Previous audits did not indicate any exceptions, and management has confirmed that no exceptions have been reported for the review period. In t

1.3 You answered B. The correct answer is A.
A. When internal controls are strong, a lower confidence coefficient can be adopted, which will enable the use of a smaller sample size.

B. A higher confidence coefficient will result in the use of a larger sam

Which of the following is an appropriate test method to apply to a business continuity plan (BCP)?
Select an answer:
A. Pilot
B. Paper
C. Unit

D. System

2.11 You answered A. The correct answer is B.
A paper test is appropriate for testing a BCP. It is a walk-through of the entire plan, or part of the plan, involving major players in the plan's execution, who reason out what may happen in a particular disa

An accuracy measure for a biometric system is:
Select an answer:
A. system response time.
B. registration time.
C. input file size.

D. false-acceptance rate (FAR).

5.4 You are correct, the answer is D.
Three main accuracy measures are used for a biometric solution: false-rejection rate (FRR), cross-error rate (CER) and FAR. FRR is a measure of how often valid individuals are rejected. FAR is a measure of how often i
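The three measures above are easiest to see with numbers. The following is an added example, not part of the question bank: it computes FAR and FRR from constructed match scores produced by a hypothetical matcher (the score values, the threshold grid and the function names are all assumptions) and sweeps the decision threshold to find the crossover point where FAR and FRR are equal, which is the CER.

```python
"""FAR, FRR and crossover error rate (CER) from biometric match scores.

Added example, not from the source page. The scores below are constructed:
a hypothetical matcher emits a similarity score in [0, 1]; genuine attempts
are a valid user against their own template, impostor attempts are someone
else's sample against that template.
"""
from typing import Iterable, List, Sequence, Tuple

GENUINE_SCORES: List[float] = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.69, 0.93, 0.87]
IMPOSTOR_SCORES: List[float] = [0.12, 0.35, 0.41, 0.58, 0.22, 0.30, 0.66, 0.19, 0.48, 0.73]


def far(impostor: Iterable[float], threshold: float) -> float:
    """False-acceptance rate: share of impostor attempts accepted (score >= threshold)."""
    scores = list(impostor)
    return sum(1 for s in scores if s >= threshold) / len(scores)


def frr(genuine: Iterable[float], threshold: float) -> float:
    """False-rejection rate: share of genuine attempts rejected (score < threshold)."""
    scores = list(genuine)
    return sum(1 for s in scores if s < threshold) / len(scores)


def crossover_error_rate(
    genuine: Sequence[float], impostor: Sequence[float], steps: int = 100
) -> Tuple[float, float]:
    """Sweep thresholds 0..1 and return (threshold, rate) where FAR and FRR are closest.

    The rate returned is the mean of FAR and FRR at that threshold; when the
    two curves cross exactly it is the CER itself.
    """
    best: Tuple[float, float, float] | None = None  # (gap, threshold, rate)
    for i in range(steps + 1):
        t = i / steps
        a, r = far(impostor, t), frr(genuine, t)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    assert best is not None
    _, t, rate = best
    return t, rate


if __name__ == "__main__":
    # Raising the threshold trades false acceptances for false rejections.
    for t in (0.3, 0.5, 0.7, 0.9):
        print(f"threshold={t:.2f}  FAR={far(IMPOSTOR_SCORES, t):.2f}  FRR={frr(GENUINE_SCORES, t):.2f}")
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"crossover at threshold={t:.2f}, CER={cer:.2f}")
```

A lower CER means a more accurate matcher; which side of the crossover to operate on is a policy choice (a door lock tolerates false rejections better than false acceptances, a convenience feature the reverse).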

A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it:
Select an answer:
A. can identify high-risk areas that might need a detailed review later.
B. allows IS auditors to independently assess risk.

C.

1.1 You are correct, the answer is A.
CSA is predicated on the review of high-risk areas that either need immediate attention or a more thorough review at a later date. Choice B is incorrect, because CSA requires the involvement of IS auditors and line ma

An organization has a business process with a recovery time objective (RTO) equal to zero and a recovery point objective (RPO) close to one minute. This implies that the process can tolerate:Select an answer:

A. a data loss of up to one minute, but the p

4.11 You are correct, the answer is A.
RTO measures an organization's tolerance for downtime and RPO measures how much data loss can be accepted. Choices B, C and D are incorrect since they exceed the RTO limits set by the scenario.

Which of the following is the MOST effective type of antivirus software?
Select an answer:
A. Scanners
B. Active monitors
C. Integrity checkers

D. Vaccines

You answered B. The correct answer is C.
Integrity checkers compute a binary number on a known virus-free program that is then stored in a database file. This number is called a cyclic redundancy check (CRC). When that program is called to execute, the

An IS auditor has been assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST?
Select an answer:
A. An audit clause is present in all contracts.

B. The service

You answered A. The correct answer is C.
The complexity of IT structures matched by the complexity and interplay of responsibilities and warranties may affect or void the effectiveness of those warranties and the reasonable certainty that the business nee

Which of the following is the MOST important aspect of effective business continuity management?
Select an answer:
A. The recovery site is secure and located an appropriate distance from the primary site.
B. The recovery plans are periodically tested.

C.

You are correct, the answer is B.
Periodic testing of the recovery plan is critical to ensure that whatever has been planned and documented is feasible. The other options are more tactical considerations that are secondary to the need for testing. If a di

Which of the following insurance types provides for a loss arising from fraudulent acts by employees?
Select an answer:
A. Business interruption
B. Fidelity coverage
C. Errors and omissions

D. Extra expense

You are correct, the answer is B.
Fidelity insurance covers the loss arising from dishonest or fraudulent acts by employees. Business interruption insurance covers the loss of profit due to the disruption in the operations of an organization. Errors and o

An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?
Select an answer:
A. Delete all copies of the unauthorized software.

B.

You are correct, the answer is C.
The use of unauthorized or illegal software should be prohibited by an organization. Software piracy results in exposure and can result in severe fines. An IS auditor must convince the user and user management of the risk

Management considered two projections for its business continuity plan; plan A with two months to recover and plan B with eight months to recover. The recovery point objectives are the same in both plans. It is reasonable to expect that plan B projected h

You answered C. The correct answer is A.
Because management considered a longer time window for recovery in plan B, downtime costs included in the plan are likely to be higher. Because the recovery time for plan B is longer, resumption and recovery costs

During an IS audit of a bank, the IS auditor is assessing whether the enterprise properly manages staff member access to the operating system. The IS auditor should determine whether the enterprise performs:Select an answer:

A. periodic review of user ac

You answered B. The correct answer is A.
General operating system access control functions include logging user activities, events, etc. Choice B is a database- and/or an application-level access control function. Choice C is a network control feature. Ch

Which of the following would normally be the MOST reliable evidence for an IS auditor?
Select an answer:
A. A confirmation letter received from a third party verifying an account balance

B. Assurance from line management that an application is working as

You are correct, the answer is A.
Evidence obtained from independent third parties almost always is considered to be the most reliable. Choices B, C and D would not be considered as reliable as choice A.

An IS auditor reviewing a series of completed projects finds that the implemented functionality often exceeded requirements and most of the projects ran significantly over budget. Which of these areas of the organization's project management process is th

You answered C. The correct answer is A.
Because the implemented functionality is greater than what was required, the most likely cause of the budget issue is failure to effectively manage project scope. Project scope management is defined as the processe

Which of the following types of firewalls would BEST protect a network from an Internet attack?
Select an answer:
A. Screened subnet firewall
B. Application filtering gateway
C. Packet filtering router

D. Circuit-level gateway

You answered D. The correct answer is A.
A screened subnet firewall would provide the best protection. The screening router can be a commercial router or a node with routing capabilities and the ability to allow or avoid traffic between nets or nodes base

A disaster recovery plan for an organization's financial system specifies that the recovery point objective (RPO) is zero and the recovery time objective (RTO) is 72 hours. Which of the following is the MOST cost-effective solution?Select an answer:

A. A

You are correct, the answer is D.
The synchronous copy of the storage achieves the RPO, and a warm site operational in 48 hours meets the required RTO. Asynchronous updates of the database in distributed locations do not meet the RPO. Synchronous updates

An organization is implementing an enterprise resource planning (ERP) application. Of the following, who is PRIMARILY responsible for overseeing the project in order to ensure that it is progressing in accordance with the project plan and that it will del

You answered A. The correct answer is C.
A project steering committee that provides an overall direction for the ERP implementation project is responsible for reviewing the project's progress to ensure that it will deliver the expected results. A project

Regarding a disaster recovery plan, the role of an IS auditor should include:
Select an answer:
A. identifying critical applications.
B. determining the external service providers involved in a recovery test.

C. observing the tests of the disaster recover

You answered A. The correct answer is C.
The IS auditor should be present when disaster recovery plans are tested, to ensure that the test meets the targets for restoration, and the recovery procedures are effective and efficient. As appropriate, the audi

The waterfall life cycle model of software development is most appropriately used when:
Select an answer:
A. requirements are well understood and are expected to remain stable, as is the business environment in which the system will operate.

B. requiremen

You are correct, the answer is A.
Historically, the waterfall model has been best suited to the stable conditions described in choice A. When the degree of uncertainty of the system to be delivered and the conditions in which it will be used rises, the wa

When an employee is terminated from service, the MOST important action is to:
Select an answer:
A. hand over all of the employee's files to another designated employee.
B. complete a backup of the employee's work.

C. notify other employees of the terminat

You are correct, the answer is D.
There is a probability that a terminated employee may misuse access rights; therefore, disabling the terminated employee's logical access is the most important action to take. All the work of the terminated employee needs

Among the following controls, what is the BEST method to prevent inappropriate access to private and sensitive information through a business application?
Select an answer:
A. Two-factor authentication access control
B. Encryption of authentication data

C

You are correct, the answer is C.
RBAC is an approach to restrict access rights and privileges on a need-to-know basis. Roles or profiles are designed and approved according to what is required for the job and assigned tasks. While two-factor authenticati

If a database is restored using before-image dumps, where should the process begin following an interruption?
Select an answer:
A. Before the last transaction
B. After the last transaction
C. As the first transaction after the latest checkpoint

D. As the

You answered C. The correct answer is A.
If before images are used, the last transaction in the dump will not have updated the database prior to the dump being taken. The last transaction will not have updated the database and must be reprocessed. Program

To address an organization's disaster recovery requirements, backup intervals should not exceed the:
Select an answer:
A. service level objective (SLO).
B. recovery time objective (RTO).
C. recovery point objective (RPO).

D. maximum acceptable outage (MAO

You are correct, the answer is C.
RPO defines the point in time to which data must be restored after a disaster so as to resume processing transactions. Backups should be performed in a way that the latest backup is no older than this maximum time frame.

An IS auditor finds that a database administrator (DBA) has read and write access to production data. The IS auditor should:
Select an answer:
A. accept the DBA access as a common practice.
B. assess the controls relevant to the DBA function.

C. recommend

You are correct, the answer is B.
It is good practice when finding a potential exposure to look for the best controls. Although granting access to production data to the DBA may be a common practice, the IS auditor should evaluate the relevant controls. T

When reviewing an organization's approved software product list, which of the following is the MOST important thing to verify?
Select an answer:
A. The risk associated with the use of the products is periodically assessed.

B. The latest version of softwar

You are correct, the answer is A.
Since the business conditions surrounding vendors may change, it is important for an organization to conduct periodic risk assessments of the vendor software list. This may be BEST incorporated into the IT risk management

During a postimplementation review of an enterprise resource management system, an IS auditor would MOST likely:
Select an answer:
A. review access control configuration.
B. evaluate interface testing.
C. review detailed design documentation.

D. evaluate

You answered D. The correct answer is A.
Reviewing access control configuration would be the first task performed to determine whether security has been appropriately mapped in the system. Since a postimplementation review is done after user acceptance te

Which of the following would help to ensure the portability of an application connected to a database?
Select an answer:
A. Verification of database import and export procedures
B. Usage of a structured query language (SQL)

C. Analysis of stored procedure

You answered A. The correct answer is B.
The use of SQL facilitates portability. Verification of import and export procedures with other systems ensures better interfacing with other systems, analyzing stored procedures/triggers ensures proper access/perf

An IS auditor who was involved in designing an organization's business continuity plan (BCP) has been assigned to audit the plan. The IS auditor should:
Select an answer:
A. decline the assignment.

B. inform management of the possible conflict of interest

You answered C. The correct answer is D.
Communicating the possibility of a conflict of interest to management prior to starting the assignment is the correct answer. A possible conflict of interest, likely to affect the IS auditor's independence, should

An IS auditor is reviewing the expansion plans for an organization which is opening a new office about 80 meters away from their existing facility. The plan is to implement fiber-optic cabling within the new facility and it has been determined that a 100-

You are correct, the answer is A.
Using Cat 5 UTP cabling for the link between the two buildings may meet short-term bandwidth requirements but, over time, additional new requirements may drive the need for more bandwidth that may not be delivered over UT

Which of the following is the GREATEST advantage of elliptic curve encryption over RSA encryption?
Select an answer:
A. Computation speed
B. Ability to support digital signatures
C. Simpler key distribution

D. Greater strength for a given key length

You answered D. The correct answer is A.
The main advantage of elliptic curve encryption over RSA encryption is its computation speed. This method was first independently suggested by Neal Koblitz and Victor S. Miller. Both encryption methods support digi

When reviewing the implementation of a local area network (LAN), an IS auditor should FIRST review the:
Select an answer:
A. node list.
B. acceptance test report.
C. network diagram.

D. user's list.

You are correct, the answer is C.
To properly review a LAN implementation, an IS auditor should first verify the network diagram and confirm the approval. Verification of nodes from the node list and the network diagram would be next, followed by a review

An IS auditor performing a review of incident tickets notices that a help desk support technician noted personal identifiable information (PII) within the ticket comments as part of the incident documentation. What preventive action should the auditor rec

4.8 You are correct, the answer is C.
A. Quality reviews are a detective control and will only discover exceptions after the information has been entered.

B. Data masking is performed to assist with maintaining the privacy of customers from individuals th

An IS auditor is reviewing access to an application to determine whether the 10 most recent new accounts were appropriately authorized. This is an example of:
Select an answer:
A. variable sampling.
B. substantive testing.
C. compliance testing.

D. stop-o

1.3 You answered A. The correct answer is C.
Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized. Variable sampling is used to esti

To ensure structured disaster recovery, it is MOST important that the business continuity plan (BCP) and disaster recovery plan (DRP) are:
Select an answer:
A. stored at an alternate location.
B. communicated to all users.
C. tested regularly.

D. updated

4.11 You are correct, the answer is C.
If the BCP is tested regularly, the BCP/DRP team is adequately aware of the process and that helps in structured disaster recovery. Storing the BCP at an alternate location is useful in the case of complete site outa

While designing the business continuity plan (BCP) for an airline reservation system, the MOST appropriate method of data transfer/backup at an offsite location would be:
Select an answer:
A. shadow file processing.
B. electronic vaulting.

C. hard-disk mi

4.10 You answered D. The correct answer is A.
In shadow file processing, exact duplicates of the files are maintained at the same site or at a remote site. The two files are processed concurrently. This is used for critical data files, such as airline boo

Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit?
Select an answer:
A. Contingency planning
B. IS management resource allocation
C. Project management

D. Knowledge of inte

1.3 You are correct, the answer is C.
A. Contingency planning is often associated with the organization's operations. IS auditors should have knowledge of contingency planning techniques.

B. IS managers are responsible for resource management of their dep

An organization is implementing an enterprise resource planning (ERP) application. Of the following, who is PRIMARILY responsible for overseeing the project in order to ensure that it is progressing in accordance with the project plan and that it will del

3.2 You are correct, the answer is C.
A project steering committee that provides an overall direction for the ERP implementation project is responsible for reviewing the project's progress to ensure that it will deliver the expected results. A project spo

Which of the following public key infrastructure (PKI) elements provides detailed descriptions for dealing with a compromised private key?
Select an answer:
A. Certificate revocation list (CRL)
B. Certification practice statement (CPS)

C. Certificate poli

5.2 You are correct, the answer is B.
The CPS is the how-to part in policy-based PKI. The CRL is a list of certificates that have been revoked before their scheduled expiration date. The CP sets the requirements that are subsequently implemented by the CP

A cyclic redundancy check (CRC) is commonly used to determine the:
Select an answer:
A. accuracy of data input.
B. integrity of a downloaded program.
C. adequacy of encryption.

D. validity of data transfer.

4.6 You are correct, the answer is D.
A. Accuracy of data input can be enforced by data validation controls such as picklists, cross checks, reasonableness checks, control totals, allowed character checks and others.

B. A checksum is commonly used to vali
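The CRC question above and the earlier integrity-checker question (the antivirus type that stores a CRC of a known-clean program and recomputes it at launch) describe the same mechanism, so one added example covers both. It is not from the question bank; the "program" contents, file names and the key are constructed. It builds a CRC-32 baseline, shows that a bit flipped in transit and a modified program are both caught, and then shows the caveat a practitioner needs: a CRC has no secret, so an attacker who can also rewrite the baseline passes the check, whereas a keyed hash (HMAC-SHA256) cannot be recomputed without the key.

```python
"""CRC-32 integrity checking, and why it is not a control against tampering.

Added example, not part of the source page. PROGRAMS and KEY are constructed.
"""
import hashlib
import hmac
import zlib
from typing import Dict

# Constructed stand-ins for executables on disk or payloads received over a link.
PROGRAMS: Dict[str, bytes] = {
    "payroll.exe": b"MZ\x90\x00PAYROLL-BUILD-2024",
    "ledger.dll": b"MZ\x90\x00LEDGER-BUILD-2024",
}
KEY = b"constructed-demo-key-do-not-reuse"  # constructed; real key comes from a secret store


def crc32(data: bytes) -> int:
    """Unsigned CRC-32 (the value an integrity checker would store)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def build_baseline(programs: Dict[str, bytes]) -> Dict[str, int]:
    """Record the CRC of each known-good program, as the checker's database does."""
    return {name: crc32(data) for name, data in programs.items()}


def check_before_execute(name: str, data: bytes, baseline: Dict[str, int]) -> bool:
    """Recompute at launch and compare with the stored value."""
    return baseline.get(name) == crc32(data)


def flip_bit(data: bytes, bit: int) -> bytes:
    """Simulate a transmission error by flipping a single bit."""
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def keyed_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag: an attacker without the key cannot produce a matching value."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed(data: bytes, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(data, key), tag)


if __name__ == "__main__":
    baseline = build_baseline(PROGRAMS)
    good = PROGRAMS["payroll.exe"]
    print("clean copy passes:", check_before_execute("payroll.exe", good, baseline))
    print("bit flip in transit caught:", not check_before_execute("payroll.exe", flip_bit(good, 37), baseline))

    # Deliberate modification of the same length; the CRC changes and is caught...
    tampered = good.replace(b"PAYROLL", b"BACKDOR")
    print("modified program caught:", not check_before_execute("payroll.exe", tampered, baseline))
    # ...unless the attacker can also overwrite the baseline, because a CRC has no secret.
    baseline["payroll.exe"] = crc32(tampered)
    print("with rewritten baseline the CRC check passes:", check_before_execute("payroll.exe", tampered, baseline))

    # A keyed hash fails on the modified program regardless of what the attacker rewrites.
    tag = keyed_tag(good, KEY)
    print("HMAC rejects modified program:", not verify_keyed(tampered, KEY, tag))
```

The practical reading of the quiz answers: a CRC is the right tool for detecting accidental corruption in a transfer; for protection against an adversary the baseline itself must be write-protected, or the check must use a keyed or signed digest.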

A company undertakes a business process reengineering (BPR) project in support of a new and direct marketing approach to its customers. Which of the following would be an IS auditor's main concern about the new process?Select an answer:

A. Whether key co

3.4 You answered D. The correct answer is A.
The audit team must advocate the inclusion of the key controls and verify that the controls are in place before implementing the new process. Choices B, C and D are objectives that the BPR process should achiev

The use of digital signatures:
Select an answer:
A. requires the use of a one-time password generator.
B. provides encryption to a message.
C. validates the source of a message.

D. ensures message confidentiality.

5.2 You are correct, the answer is C.
The use of a digital signature verifies the identity of the sender, but does not encrypt the whole message, and hence is not enough to ensure confidentiality. A one-time password generator is an option, but is not a r
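To make the distinction concrete (source validated, message still readable), here is an added example that is not part of the question bank. It implements textbook RSA signing over a SHA-256 digest with two constructed toy key pairs (the primes, key sizes and function names are assumptions; the moduli are about 60 bits, far too small for real use). The message travels in the clear next to its signature; verification succeeds for the genuine sender, fails for a modified message, and fails for a signature made under a different private key.

```python
"""Digital signature: sign and verify with textbook RSA over SHA-256.

Added example, not from the source page. The key pairs are built from fixed
constructed primes and are illustrative only (toy size, no padding scheme).
"""
import hashlib
from typing import Tuple

PublicKey = Tuple[int, int]   # (n, e)
PrivateKey = Tuple[int, int]  # (n, d)


def make_keypair(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """Derive (public, private) from two primes; e must be coprime with (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def _digest_int(message: bytes, n: int) -> int:
    """Hash the message and map the digest into the RSA group."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key: PrivateKey) -> int:
    """Signature = H(m)^d mod n. Only the holder of d can produce it."""
    n, d = private_key
    return pow(_digest_int(message, n), d, n)


def verify(message: bytes, signature: int, public_key: PublicKey) -> bool:
    """Check sig^e mod n == H(m). Anyone with the public key can do this."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message, n)


# Constructed toy keys: sender (Alice) and an unrelated party (Mallory).
ALICE_PUB, ALICE_PRIV = make_keypair(1000000007, 998244353)
MALLORY_PUB, MALLORY_PRIV = make_keypair(2147483647, 1000000009)


if __name__ == "__main__":
    message = b"Transfer 1,000 to account 4711"
    sig = sign(message, ALICE_PRIV)
    # What actually goes over the wire: the plaintext message plus an integer.
    # Nothing here is encrypted; a signature gives integrity and origin, not confidentiality.
    print("on the wire:", message, sig)
    print("verifies under Alice's public key:", verify(message, sig, ALICE_PUB))
    print("modified message rejected:", not verify(message + b"0", sig, ALICE_PUB))
    print("Mallory's signature rejected as Alice:", not verify(message, sign(message, MALLORY_PRIV), ALICE_PUB))
```

For confidentiality the message would additionally have to be encrypted (for example with a symmetric key the recipient can recover); the signature alone leaves it readable by anyone on the path.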

In a contract with a hot, warm or cold site, contractual provisions should PRIMARILY cover which of the following considerations?
Select an answer:
A. Physical security measures
B. Total number of subscribers

C. Number of subscribers permitted to use a si

4.3 You answered A. The correct answer is C.
The contract should specify the number of subscribers permitted to use the site at any one time. Physical security measures are not always part of the contract, although they are an important consideration when

A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing-off on the accuracy and completeness of the data before going live?Select an answer:

A. IS audito

3.5 You are correct, the answer is D.
During the data conversion stage of a project, the data owner is primarily responsible for reviewing and signing-off that the data are migrated completely, accurately and are valid. An IS auditor is not responsible fo

A financial institution has recently developed and installed a new deposit system which interfaces with their customer web site and their automated teller machines (ATMs). During the project, the development team and the business continuity team maintaine

2.11 You answered D. The correct answer is A.
The expectation is that the basic mechanics of recovery for the new system are understood and the recovery infrastructure has been put into place. An appropriate test now would be to involve actual resources i

Due to changes in IT, the disaster recovery plan of a large organization has been changed. What is the PRIMARY risk if the new plan is not tested?
Select an answer:
A. Catastrophic service interruption
B. High consumption of resources

C. Total cost of the

4.11 You are correct, the answer is A.
Choices B, C and D are all possible problems that might occur, and would cause difficulties and financial losses or waste of resources. However, if a new disaster recovery plan is not tested, the possibility of a cat

Which of the following is the MOST important requirement for the successful testing of a disaster recovery plan (DRP)?
Select an answer:
A. Participation by all of the identified resources
B. Management approval of the testing scenario

C. Advance notice f

2.11 You are correct, the answer is B.
Management approval of the testing scenario would help to ensure both that the test exercise was relevant and in alignment with business requirements. Obtaining management buy-in for the testing is critical to the su

Which of the following reduces the potential impact of social engineering attacks?
Select an answer:
A. Compliance with regulatory requirements
B. Promoting ethical understanding
C. Security awareness programs

D. Effective performance incentives

2.2 You are correct, the answer is C.
Because social engineering is based on deception of the user, the best countermeasure or defense is a security awareness program. The other choices are not user-focused.

Which of the following is the GREATEST concern for an IS auditor reviewing the security controls of an online job-search application?
Select an answer:
A. The web server is running an unsupported operating system (OS) and web server application.

B. The we

5.2 You answered A. The correct answer is B.
A. While outdated versions of the OS or web server can allow some vulnerabilities to exist, the more significant risk in this case is the SQL injection vulnerability.

B. The biggest risk to any web application
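An added example of the vulnerability class the answer refers to, not taken from the question bank: a login lookup built by string concatenation beside the same lookup with a parameterized query, run against an in-memory SQLite table with constructed rows. The table, column names and the payload are assumptions; the point is that the concatenated version lets a crafted username comment out the password check while the parameterized version treats the same input as a literal string.

```python
"""SQL injection: vulnerable string-built query beside the parameterized fix.

Added example, not from the source page. Table contents are constructed.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """In-memory users table with constructed rows (password hashes are placeholders)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """Untrusted input is spliced into the SQL text, so it can change the query's structure."""
    query = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """Placeholders bind the values separately from the SQL text; input cannot alter the query."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchone()
    return row is not None


# A classic payload: close the string, then comment out the rest of the WHERE clause.
INJECTED_USERNAME = "alice' --"


if __name__ == "__main__":
    conn = setup_db()
    print("legitimate login (both):", login_vulnerable(conn, "alice", "hash-of-alice-pw"),
          login_safe(conn, "alice", "hash-of-alice-pw"))
    print("wrong password, vulnerable, injected username:", login_vulnerable(conn, INJECTED_USERNAME, "anything"))
    print("wrong password, safe, injected username:", login_safe(conn, INJECTED_USERNAME, "anything"))
```

The fix is structural rather than a filter: parameterization keeps data out of the SQL grammar, which is why it works for every payload, not just the one shown.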

During an IS audit, the IS auditor discovers that a wireless network is used within the enterprise's headquarters. What is the FIRST thing that the auditor should check?
Select an answer:
A. The signal strength outside of the building

B. The configuration

5.2 You are correct, the answer is B.
The IS auditor should first check the configuration settings for the current network layout and connectivity and then, based on this, decide whether the security requirements are adequate. The signal strength outside

A live test of a mutual agreement for IT system recovery has been carried out, including a four-hour test of intensive usage by the business units. The test has been successful, but gives only partial assurance that the:Select an answer:

A. system and th

4.11 You are correct, the answer is A.
The applications have been intensively operated; therefore, choices B, C and D have been actually tested, but the capability of the system and the IT operations team to sustain and support this environment (ancillary

Which of the following does a lack of adequate controls represent?
Select an answer:
A. An impact
B. A vulnerability
C. An asset

D. A threat

1.3 You are correct, the answer is B.
A. Impact is the measure of the financial loss that a threat event may have.

B. The lack of adequate controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack

Information for detecting unauthorized input from a terminal would be BEST provided by the:
Select an answer:
A. console log printout.
B. transaction journal.
C. automated suspense file listing.

D. user error report.

3.4 You answered C. The correct answer is B.
The transaction journal would record all transaction activity, which then could be compared to the authorized source documents to identify any unauthorized input. A console log printout is not the best, because

An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should FIRST review:
Select an answer:
A. the controls already in place.
B. the effectiveness of the controls in place.

C. the mechanism for monitoring the ris

1.2 You answered B. The correct answer is D.
One of the key factors to be considered while assessing the risk related to the use of various information systems is the threats and vulnerabilities affecting the assets. The risk related to the use of informa

Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs?
Select an answer:
A. System log analysis
B. Compliance testing
C. Forensic analysis

D. Analytical review

1.3 You answered A. The correct answer is B.
Determining that only authorized modifications are made to production programs would require the change management process be reviewed to evaluate the existence of a trail of documentary evidence. Compliance te

Which of the following would impair the independence of a quality assurance team?
Select an answer:
A. Ensuring compliance with development methods
B. Checking the testing assumptions
C. Correcting coding errors during the testing process

D. Checking the

2.5 You answered A. The correct answer is C.
Correction of code should not be a responsibility of the quality assurance team as it would not ensure segregation of duties and would impair the team's independence. The other choices are valid quality assuran

An IS auditor notes during an audit that an organization's business continuity plan (BCP) does not adequately address information confidentiality during the recovery process. The IS auditor should recommend that the plan be modified to include:
Select an

4.10 You answered D. The correct answer is A.
Business should consider whether information security levels required during recovery should be the same, lower or higher than when business is operating normally. In particular, any special rules for access t

In large corporate networks having supply partners across the globe, network traffic may continue to rise. The infrastructure components in such environments should be scalable. Which of the following firewall architectures limits future scalability?
Sele

5.2 You answered D. The correct answer is A.
The software for appliances is embedded into chips. Firmware-based firewall products cannot be moved to higher capacity servers. Firewall software that sits on an operating system can always be scalable due to

Which of the following is an advantage of prototyping?
Select an answer:
A. The finished system normally has strong internal controls.
B. Prototype systems can provide significant time and cost savings.

C. Change control is often less complicated with pro

3.4 You are correct, the answer is B.
Prototype systems can provide significant time and cost savings; however, they also have several disadvantages. They often have poor internal controls, change control becomes much more complicated, and it often leads

When installing an intrusion detection system (IDS), which of the following is MOST important?
Select an answer:
A. Properly locating it in the network architecture
B. Preventing denial-of-service (DoS) attacks

C. Identifying messages that need to be quar

5.2 You are correct, the answer is A.
Proper location of an IDS in the network is the most important decision during installation. A poorly located IDS could leave key areas of the network unprotected. Choices B, C and D are concerns during the configurat

When evaluating the collective effect of preventive, detective and corrective controls within a process, an IS auditor should be aware of which of the following?Select an answer:

A. The point at which controls are exercised as data flow through the syste

1.3 You are correct, the answer is A.
An IS auditor should focus on when controls are exercised as data flow through a computer system. Choice B is incorrect since corrective controls may also be relevant. Choice C is incorrect because corrective controls

The reason a certification and accreditation process is performed on critical systems is to ensure that:
Select an answer:
A. security compliance has been technically evaluated.
B. data have been encrypted and are ready to be stored.

C. the systems have b

3.5 You answered D. The correct answer is A.
Certified and accredited systems are systems that have had their security compliance technically evaluated for running on a specific production server. Choice B is incorrect because not all data of certified sy

As a driver of IT governance, transparency of IT's cost, value and risk is primarily achieved through:
Select an answer:
A. performance measurement.
B. strategic alignment.
C. value delivery.

D. resource management.

You answered B. The correct answer is A.
Performance measurement includes setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance). Strategic align

An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?
Select an answer:
A. Delete all copies of the unauthorized software.
B.

You are correct, the answer is C.
The use of unauthorized or illegal software should be prohibited by an organization. Software piracy results in exposure and can result in severe fines. An IS auditor must convince the user and user management of the risk

An IS auditor is reviewing changes to a company's disaster recovery (DR) strategy. The IS auditor notices that the recovery point objective (RPO) has been shortened for the company's mission-critical application. What is the MOST significant risk of this

You are correct, the answer is C.
The RPO is defined in the glossary of the CISA Review Manual as "the earliest point in time to which it is acceptable to recover the data." If backups are not performed frequently enough to meet the new RPO, a risk is cre

Which of the following should an IS auditor use to detect duplicate invoice records within an invoice master file?
Select an answer:
A. Attribute sampling
B. Computer Aided Audit Techniques (CAATs)
C. Test data
D. Integrated test facility (ITF)

You answered C. The correct answer is B.
CAATs would enable the IS auditor to review the entire invoice file to look for those items that meet the selection criteria. Attribute sampling would aid in identifying records meeting specific conditions, but wou
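As an added example (not part of the original question set), this is the kind of CAAT an auditor could run over an invoice master file. It reads every record rather than a sample, keys each one on a normalized vendor, invoice number and amount so that re-keyed variants ("INV-1001" vs "INV 1001", "7788" vs "07788") fall into the same group, and separately flags records that agree on vendor, date and amount but carry a different invoice number, which is what a renumbered duplicate usually looks like. The file contents and column names are constructed for the example.

```python
import csv
import io
import re
from collections import defaultdict
from decimal import Decimal

# Constructed sample invoice master file (not real data); column names assumed.
INVOICE_FILE = """\
invoice_id,vendor,invoice_no,invoice_date,amount
1,ACME Supplies,INV-1001,2023-04-01,1250.00
2,ACME Supplies,INV-1001,2023-04-01,1250.00
3,acme supplies,INV 1001,2023-04-01,1250.0
4,Globex,7788,2023-04-03,980.50
5,Globex,07788,2023-04-03,980.50
6,Initech,A-55,2023-04-05,410.00
7,Initech,A-56,2023-04-05,410.00
8,Initech,A-57,2023-04-09,410.00
"""


def normalize_invoice_no(raw: str) -> str:
    """Collapse the formatting differences a re-keyed invoice number typically
    shows: case, punctuation, embedded spaces and leading zeros."""
    compact = re.sub(r"[^A-Za-z0-9]", "", raw).upper()
    return compact.lstrip("0") or "0"


def load_invoices(csv_text: str) -> list:
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "id": row["invoice_id"],
            "vendor": row["vendor"].strip().upper(),
            "invoice_no": normalize_invoice_no(row["invoice_no"]),
            "date": row["invoice_date"],
            "amount": Decimal(row["amount"]),  # Decimal: 1250.0 == 1250.00
        })
    return rows


def find_exact_duplicates(rows: list) -> list:
    """Groups of invoice ids sharing vendor, normalized number and amount."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["vendor"], r["invoice_no"], r["amount"])].append(r["id"])
    return sorted(ids for ids in groups.values() if len(ids) > 1)


def find_suspect_duplicates(rows: list) -> list:
    """Same vendor, date and amount but a different invoice number. Not proof
    of a duplicate, but exactly how a renumbered or re-keyed invoice looks, so
    these go to the auditor for follow-up instead of being dropped."""
    exact = {i for group in find_exact_duplicates(rows) for i in group}
    groups = defaultdict(list)
    for r in rows:
        if r["id"] not in exact:
            groups[(r["vendor"], r["date"], r["amount"])].append(r["id"])
    return sorted(ids for ids in groups.values() if len(ids) > 1)


if __name__ == "__main__":
    invoices = load_invoices(INVOICE_FILE)
    print("exact duplicates:", find_exact_duplicates(invoices))      # [['1', '2', '3'], ['4', '5']]
    print("suspect duplicates:", find_suspect_duplicates(invoices))  # [['6', '7']]
```

Attribute sampling on the same file would only tell you the error rate in the sample; the point of the CAAT is that the whole population is examined and every match is listed for follow-up.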

Which of the following is the BEST way to ensure that an off-the-shelf production system continues to operate as expected?
Select an answer:
A. Changes are executed and tested in the production environment.
B. Changes are reviewed by the analysts who desi

You answered C. The correct answer is B.
A. Modifications that are executed and tested in the production environment pose a greater risk of unauthorized modifications.
B. If the changes are reviewed by the authors of the application there are less likely

Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit?
Select an answer:
A. Contingency planning
B. IS management resource allocation
C. Project management
D. Knowledge of inte

You are correct, the answer is C.
A. Contingency planning is often associated with the organization's operations. IS auditors should have knowledge of contingency planning techniques.
B. IS managers are responsible for resource management of their departm

Which of the following would be the MOST significant audit finding when reviewing a point-of-sale (POS) system?
Select an answer:
A. Invoices recorded on the POS system are manually entered into an accounting application.
B. An optical scanner is not used

You are correct, the answer is D.
It is important for the IS auditor to determine if any credit card information is stored on the local POS system. Any such information, if stored, should be encrypted or protected by other means to avoid the possibility o

In reviewing the IS short-range (tactical) plan, an IS auditor should determine whether:
Select an answer:
A. there is an integration of IS and business personnel within projects.
B. there is a clear definition of the IS mission and vision.
C. a strategic

You are correct, the answer is A.
The integration of IS and business personnel in projects is an operational issue and should be considered while reviewing the short-range plan. A strategic plan would provide a framework for the IS short-range plan. Choic

An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should:
Select an answer:
A. apply the patch according to the patch's release notes.
B. ensure

You are correct, the answer is B.
An IS auditor must review the change management process, including patch management procedures, and verify that the process has adequate controls and make suggestions accordingly. The other choices are part of a good chan

IS management is considering a Voice-over IP (VoIP) network to reduce telecommunication costs and management asked the IS auditor to comment on appropriate security controls. Which of the following security measures is MOST appropriate?
A. Review and, whe

You answered D. The correct answer is A.
Firewalls used as entry points to a VoIP network should be VoIP-capable. VoIP network services such as H.323 introduce complexities that are likely to strain the capabilities of older firewalls. Allowing for remote

Which of the following biometrics has the HIGHEST reliability and lowest false-acceptance rate (FAR)?
Select an answer:
A. Palm scan
B. Face recognition
C. Retina scan
D. Hand geometry

You answered A. The correct answer is C.
Retina scan uses optical technology to map the capillary pattern of an eye's retina. This is highly reliable and has the lowest FAR among the current biometric methods. Use of palm scanning entails placing a hand o

An IS auditor is performing a review of a network, and users report that the network is slow and web pages periodically time out. The IS auditor confirms the users' feedback and reports the findings to the network manager. The most appropriate action for

You answered C. The correct answer is A.
A. In this case, the first step is to identify whether there is a configuration issue or hardware malfunction, which is determined by using a protocol analyzer and reviewing the log files of the related switches or

Naming conventions for system resources are important for access control because they:
Select an answer:
A. ensure that resource names are not ambiguous.
B. reduce the number of rules required to adequately protect resources.
C. ensure that user access to

You are correct, the answer is B.
Naming conventions for system resources are important for the efficient administration of security controls. The conventions can be structured, so resources beginning with the same high-level qualifier can be governed by
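To make concrete why the explanation ties naming conventions to fewer rules, here is an added example (not from the original page) of a prefix-based rule set. The resource names, groups and rules are constructed for the example. One rule per high-level qualifier governs every resource beneath it, a longer prefix can narrow a broader grant, and a resource whose name ignores the convention matches no rule at all and is denied, which is also the condition an auditor would want to list.

```python
from typing import Optional

# Constructed rule set: (resource-name prefix, group, permitted actions).
# The high-level qualifier (PAY., HR.) is the naming convention; one rule
# covers every resource whose name starts with it.
RULES = [
    ("PAY.", "payroll-clerks", {"read", "write"}),
    ("PAY.", "auditors", {"read"}),
    ("HR.", "hr-staff", {"read", "write"}),
    ("HR.SALARY.", "hr-staff", set()),          # narrower prefix: no access
    ("HR.SALARY.", "hr-managers", {"read"}),
]


def matching_rule(resource: str, group: str) -> Optional[tuple]:
    """Longest matching prefix wins, so a specific rule can override a broad one."""
    best = None
    for prefix, rule_group, actions in RULES:
        if rule_group == group and resource.startswith(prefix):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, actions)
    return best


def is_allowed(resource: str, group: str, action: str) -> bool:
    """Default deny: a resource with no matching rule is not accessible."""
    rule = matching_rule(resource, group)
    return rule is not None and action in rule[1]


def ungoverned(resources: list) -> list:
    """Audit check: resources whose names fall under no rule at all. These are
    usually names that ignore the convention; they fail closed here, but in a
    system that defaults to allow they would be the unprotected ones."""
    return [r for r in resources if not any(r.startswith(p) for p, _, _ in RULES)]


if __name__ == "__main__":
    print(is_allowed("PAY.RUN.2024Q1", "payroll-clerks", "write"))   # True
    print(is_allowed("PAY.RUN.2024Q1", "auditors", "write"))         # False
    print(is_allowed("HR.SALARY.BANDS", "hr-staff", "read"))         # False (narrowed)
    print(is_allowed("HR.SALARY.BANDS", "hr-managers", "read"))      # True
    print(ungoverned(["PAY.RUN.2024Q1", "payroll_run_2024", "TMP.SCRATCH"]))
```

Five rules govern every PAY.* and HR.* resource regardless of how many there are; without the convention the same coverage needs one rule per resource, and the off-convention name payroll_run_2024 shows where that breaks down.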

During an IS audit, the IS auditor discovers that a wireless network is used within the enterprise's headquarters. What is the FIRST thing that the auditor should check?
Select an answer:
A. The signal strength outside of the building
B. The configuration

You are correct, the answer is B.
The IS auditor should first check the configuration settings for the current network layout and connectivity and then, based on this, decide whether the security requirements are adequate. The signal strength outside of t

An IS auditor should be concerned when a telecommunication analyst:
Select an answer:
A. monitors systems performance and tracks problems resulting from program changes.
B. reviews network load requirements in terms of current and future transaction volum

You answered C. The correct answer is A.
The responsibilities of a telecommunications analyst include reviewing network load requirements in terms of current and future transaction volumes (choice B), assessing the impact of network load or terminal respo

During the review of a web-based software development project, an IS auditor realizes that coding standards are not enforced and code reviews are rarely carried out. This will MOST likely increase the likelihood of a successful:
Select an answer:
A. buffe

You are correct, the answer is A.
Poorly written code, especially in web-based applications, is often exploited by hackers using buffer overflow techniques. A brute force attack is used to crack passwords. A DDoS attack floods its target with numerous pac

A subsidiary in another country is forced to depart from the parent organization's IT policies to conform to the local law. The BEST approach for the parent organization is to:
Select an answer:
A. create a provision to allow local policies to take preced

You are correct, the answer is A.
A. Creating a provision to allow local policies to take precedence where required by local authorities allows the organization to implement the optimal level of control subject to legal limitations.
B. This is not accepta

Which of the following should an incident response team address FIRST after a major incident in an information processing facility?
Select an answer:
A. Restoration at the facility
B. Documentation of the facility
C. Containment at the facility
D. Monitor

You answered D. The correct answer is C.
The first priority is the containment of the incident at the facility so that spread of the damage is minimized. The incident team must gain control of the situation. Restoration ensures that the affected systems o

An internal audit function is reviewing an internally developed common gateway interface (CGI) script for a web application. The IS auditor discovers that the script was not reviewed and tested by the quality control function. Which of the following types

You answered D. The correct answer is C.
A. While untested CGIs can cause the end-user web application to be compromised, this is not likely to make the system unavailable to other users.
B. Untested CGI scripts do not inherently lead to malware exposures

The most common reason for the failure of information systems to meet the needs of users is that:
Select an answer:
A. user needs are constantly changing.
B. the growth of user requirements was forecast inaccurately.
C. the hardware system limits the numb

You answered B. The correct answer is D.
Lack of adequate user involvement, especially in the system's requirements phase, will usually result in a system that does not fully or adequately address the needs of the user. Only users can define what their ne

Which of the following will BEST ensure the successful offshore development of business applications?
Select an answer:
A. Stringent contract management practices
B. Detailed and correctly applied specifications
C. Awareness of cultural and political diff

You are correct, the answer is B.
When dealing with offshore operations, it is essential that detailed specifications be created. Language differences and a lack of interaction between developers and physically remote end users could create gaps in commun

An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the:
Select an answer:
A. hardware configuration.
B. access control software.
C. ownership of intellectual property.
D. application development methodology.

You answered B. The correct answer is C.
Of the choices, the hardware and access control software are generally irrelevant as long as the functionality, availability and security are not affected, since those are the specific contractual obligations. Similarly, the d

An IS auditor performing an application maintenance audit would review the log of program changes for the:
Select an answer:
A. authorization of program changes.
B. creation date of a current object module.
C. number of program changes actually made.
D. c

You answered D. The correct answer is A.
The manual log will most likely contain information on authorized changes to a program. Deliberate, unauthorized changes will not be documented by the responsible party. An automated log, found usually in library m

Which of the following BEST mitigates the risk arising from using reciprocal agreements as a recovery alternative?
Select an answer:
A. Perform disaster recovery exercises annually.
B. Ensure that partnering organizations are separated geographically.
C.

You answered A. The correct answer is B.
A. While disaster recovery exercises are important, the greater risk is geographic proximity.
B. If the two partnering organizations are in close geographic proximity, this could lead to both organizations being su

Which of the following provides the GREATEST assurance for database password encryption?
Select an answer:
A. Secure hash algorithm-256 (SHA-256)
B. Advanced encryption standard (AES)
C. Secure shell (SSH)
D. Triple data encryption standard (3DES)

You answered A. The correct answer is B.
A. While hashing functions are used to protect passwords, hashing is not encryption.
B. AES is a secure encryption algorithm that is appropriate for encrypting passwords. Note the scope of the question: encryption fits a password that must later be recovered in clear text (for example, the credentials an application uses to connect to the database), and the ciphertext is only as safe as the key. User login passwords that only ever need to be verified should instead be stored as salted, iterated hashes, so that a stolen table does not yield the passwords at all.
C. SSH can only be used to encry
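Added example, not code from the original page, showing the hashing side of the distinction the explanation draws: for passwords that only need to be verified, a salted, iterated hash (PBKDF2-HMAC-SHA256 from Python's standard library) checked with a constant-time comparison. The bare SHA-256 function is included only to show why it is inadequate on its own: two users with the same password get the same hash, and a fast hash is cheap to brute-force. The storage record format and the iteration count are choices made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # example setting; tune to your hardware and raise over time


def naive_sha256(password: str) -> str:
    """What 'just hash it' gives you: no salt, one fast round. Equal passwords
    produce equal hashes, so reuse is visible and a precomputed table works."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. Stored record: algorithm$iterations$salt$hash,
    so the parameters travel with the record and can be raised later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so a mismatch cannot be located byte by byte via timing."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record
        return False


if __name__ == "__main__":
    # Two users, same password: the naive hashes collide, the salted ones differ,
    # yet each salted record still verifies the password it was made from.
    print(naive_sha256("Winter2024!") == naive_sha256("Winter2024!"))   # True
    a, b = hash_password("Winter2024!"), hash_password("Winter2024!")
    print(a != b, verify_password("Winter2024!", a), verify_password("wrong", a))  # True True False
```

Nothing here can be decrypted, which is the point: a breach of the table costs the attacker a guessing campaign per record rather than a single key.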

Which of the following documents is the BEST source for an IS auditor to understand the requirements for employee awareness training?
Select an answer:
A. Information security policy
B. Acceptable usage policy
C. Human resources (HR) policy
D. End-user co

You answered C. The correct answer is A.
A. The information security policy states the organization's approach to managing information security. The policy contains the company's security objectives and explains the security policies, principles and stand

An IS auditor is performing a review of the disaster recovery hot site used by a financial institution. Which of the following would be the GREATEST concern?
Select an answer:

A. System administrators use shared accounts which never expire at the hot site

You answered C. The correct answer is B.
Not knowing how much disk space is in use and therefore how much is needed at the disaster recovery site could create major issues in the case of a disaster. While it is not a best practice for security administrat

An IS auditor performing an independent classification of systems should consider a situation where functions could be performed manually at a tolerable cost for an extended period of time as:
Select an answer:
A. critical.
B. vital.
C. sensitive.
D. nonc

You answered D. The correct answer is C.
Sensitive functions are best described as those that can be performed manually at a tolerable cost for an extended period of time. Critical functions are those that cannot be performed unless they are replaced by i

An IS auditor discovers that the chief information officer (CIO) of an organization is using a wireless broadband modem utilizing global system for mobile communications (GSM) technology. This modem is being used to connect the CIO's laptop to the corpora

You are correct, the answer is A.
The inherent security features of GSM technology combined with the use of a VPN are appropriate. (A caveat for practitioners: the GSM radio-link ciphers A5/1 and A5/2 have known practical weaknesses, so the VPN, not the GSM layer, should be treated as the control that actually protects confidentiality.) Choice A would be the correct answer since the confidentiality of the communication on the GSM radio link is ensured by the

Which of the following is MOST important to an IS auditor reviewing an organization that allows the use of personal mobile devices on the organization's network?
Select an answer:
A. Organization's ability to track assets
B. Risk of malware infection
C. P

You answered A. The correct answer is D.
A. An organization should maintain a list of devices owned by users that access the organization's network, which would allow the organization to track the device in the event of theft or loss. However, compliance

Which of the following techniques would BEST help an IS auditor gain reasonable assurance that a project can meet its target date?
A. Estimation of the actual end date based on the completion percentages and estimated time to complete, taken from status r

You answered A. The correct answer is C.
Direct observation of results is better than estimations and qualitative information gained from interviews or status reports. Project managers and involved staff tend to underestimate the time needed for completio

A financial institution has recently developed and installed a new deposit system which interfaces with their customer web site and their automated teller machines (ATMs). During the project, the development team and the business continuity team maintaine

You are correct, the answer is A.
The expectation is that the basic mechanics of recovery for the new system are understood and the recovery infrastructure has been put into place. An appropriate test now would be to involve actual resources in a simulate

An IS auditor is conducting a compliance audit of a health care organization operating an online system that contains sensitive health care information. Which of the following should an IS auditor FIRST review?
Select an answer:

A. Network diagram and fir

You are correct, the answer is C.
Legal and regulatory requirements will define the audit criteria and should therefore be reviewed first. The other choices support the organization's approach to adhering to the requirements.

During the review of an in-house developed application, the GREATEST concern to an IS auditor is if a:
Select an answer:
A. user raises a change request and tests it in the test environment.
B. programmer codes a change in the development environment and

You answered C. The correct answer is D.
A. This option is in alignment with the principles of segregation of duties. Separation of duties, as a security principle, has as its primary objective the prevention of fraud and errors. This objective is achieve

Which of the following wide area network (WAN) transmission techniques offers the BEST error and flow control procedures while transmitting data?
Select an answer:
A. Message switching
B. Packet switching
C. Circuit switching
D. Virtual circuits

You are correct, the answer is B.
Packet switching is a sophisticated means of maximizing the transmission capacity of networks. Messages are broken down into packets and routed independently through the network, depending on the availability of a channel

Which of the following would be evaluated as a preventive control by an IS auditor performing an audit?
Select an answer:
A. Transaction logs
B. Before and after image reporting
C. Table lookups
D. Tracing and tagging

You answered A (2 attempts). The correct answer is C.
Table lookups are preventive controls; data are checked against predefined tables, which prevents undefined data from being entered. Transaction logs are a detective control and provide audit trails. Bef

After reviewing the disaster recovery planning (DRP) process of an organization, an IS auditor requests a meeting with company management to discuss the findings. Which of the following BEST describes the main goal of this meeting?
Select an answer:

A. Ob

You answered C. The correct answer is B.
The goal of the meeting is to confirm the factual accuracy of the audit findings and present an opportunity for management to agree on corrective action. Management approval of the corrective actions is not require

Which of the following situations would increase the likelihood of fraud?
Select an answer:
A. Application programmers are implementing changes to production programs.
B. Application programmers are implementing changes to test programs.
C. Operations sup

You answered C. The correct answer is A.
Production programs are used for processing an enterprise's data. It is imperative that controls on changes to production programs are stringent. Lack of control in this area could result in application programs be

An organization has a well-established risk management process. Which of the following risk management practices would MOST likely expose the organization to the greatest amount of compliance risk?
Select an answer:
A. Risk reduction
B. Risk transfer
C. R

You answered D. The correct answer is B.
A. Risk reduction is a term synonymous with risk mitigation. Risk reduction lowers risk to a level commensurate with the organization's risk appetite. However, choice B is the best answer because risk reduction tre

Which of the following testing techniques would the IS auditor use to identify specific program logic that has not been tested?
Select an answer:
A. A snapshot
B. Tracing and tagging
C. Logging
D. Mapping

You are correct, the answer is D.
Mapping identifies specific program logic that has not been tested and analyzes programs during execution to indicate whether program statements have been executed. A snapshot records the flow of designated transactions t

An IS auditor analyzing the audit log of a database management system (DBMS) finds that some transactions were partially executed as a result of an error and have not been rolled back. Which of the following transaction processing features has been violat

You answered A. The correct answer is D.
Atomicity guarantees that either the entire transaction is processed or none of it is. Consistency ensures that the database is in a legal state when the transaction begins and ends. Isolation means that, while in
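As an added example (not from the original page), the difference between an atomic and a partially executed transaction, using Python's built-in sqlite3 so it runs offline: a two-statement transfer whose second statement fails a CHECK constraint, run once with a commit after each statement (the debit survives, which is the partial execution the auditor found) and once inside a single transaction (both statements are undone together). The table, balances and the short transaction log at the end are constructed for the example; the log line format is an assumption, not a real DBMS audit-log format.

```python
import sqlite3

BALANCE_LIMIT = 1000  # constructed business rule, enforced by a CHECK constraint


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE accounts (id TEXT PRIMARY KEY, "
        f"balance INTEGER NOT NULL CHECK (balance BETWEEN 0 AND {BALANCE_LIMIT}))"
    )
    con.executemany("INSERT INTO accounts VALUES (?, ?)", [("A", 100), ("B", 950)])
    con.commit()
    return con


def balances(con: sqlite3.Connection) -> dict:
    return dict(con.execute("SELECT id, balance FROM accounts ORDER BY id"))


DEBIT = "UPDATE accounts SET balance = balance - ? WHERE id = ?"
CREDIT = "UPDATE accounts SET balance = balance + ? WHERE id = ?"


def transfer_nonatomic(con, src, dst, amount) -> bool:
    """Each statement committed on its own. When the credit fails, the debit
    is already permanent: a partially executed transaction with no rollback."""
    try:
        con.execute(DEBIT, (amount, src))
        con.commit()
        con.execute(CREDIT, (amount, dst))
        con.commit()
        return True
    except sqlite3.IntegrityError:
        return False


def transfer_atomic(con, src, dst, amount) -> bool:
    """Both statements inside one transaction: the connection context manager
    commits if the block completes and rolls back if it raises."""
    try:
        with con:
            con.execute(DEBIT, (amount, src))
            con.execute(CREDIT, (amount, dst))
        return True
    except sqlite3.IntegrityError:
        return False


# Constructed transaction log: tx 102 began, hit an error and was never closed.
SAMPLE_LOG = """\
tx=101 BEGIN
tx=101 UPDATE accounts SET balance = balance - 30 WHERE id = 'A'
tx=101 UPDATE accounts SET balance = balance + 30 WHERE id = 'B'
tx=101 COMMIT
tx=102 BEGIN
tx=102 UPDATE accounts SET balance = balance - 60 WHERE id = 'A'
tx=102 ERROR CHECK constraint failed
tx=103 BEGIN
tx=103 UPDATE accounts SET balance = balance - 10 WHERE id = 'A'
tx=103 ROLLBACK
"""


def find_unfinished(log_text: str) -> list:
    """Audit check: transaction ids with a BEGIN but no COMMIT or ROLLBACK."""
    state = {}
    for line in log_text.splitlines():
        tx, _, event = line.partition(" ")
        if event == "BEGIN":
            state[tx] = "open"
        elif event in ("COMMIT", "ROLLBACK"):
            state[tx] = "closed"
    return sorted(tx for tx, s in state.items() if s == "open")


if __name__ == "__main__":
    con = make_db()
    print(transfer_nonatomic(con, "A", "B", 60), balances(con))  # False {'A': 40, 'B': 950}
    con = make_db()
    print(transfer_atomic(con, "A", "B", 60), balances(con))     # False {'A': 100, 'B': 950}
    print(find_unfinished(SAMPLE_LOG))                            # ['tx=102']
```

The first run leaves 60 missing from the system, which is exactly the state the audit log in the question would reveal; the second leaves the database as it was, which is what atomicity guarantees.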

Which of the following penetration testing methods is MOST effective in uncovering vulnerabilities relating to incident response capabilities?
Select an answer:
A. External
B. Double-blind
C. Internal
D. Blind

You answered A. The correct answer is B.
A. External testing is an intrusion attempt launched from outside the organization's perimeter, but it does not consider what information is known by the tester or the target.
B. In double-blind testing, the incide

An IS auditor is testing employee access to a large financial system. The IS auditor selected a sample from the current employee list provided by the auditee. Which of the following evidence is the MOST reliable to support the testing?
Select an answer:

A

You are correct, the answer is C.
The access list generated by the system is the most reliable because it is the most objective evidence to perform a comparison against the samples selected. The evidence is objective because it was generated by the system

An organization completed a business impact analysis (BIA) as part of business continuity planning. The NEXT step in the process is to develop:
Select an answer:
A. a business continuity strategy.
B. a test and exercise plan.
C. a user training program.
D

You are correct, the answer is A.
A business continuity strategy is the next phase because it identifies the best way to recover. The criticality of the business process, the cost, the time required to recover and security must be considered during this p

During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is to:
Select an answer:
A. address audit objectives.
B. collect sufficient evidence.
C. specify appropriate tests.
D. minimize audit resources.

You are correct, the answer is A.
ISACA IT audit and assurance standards require that an IS auditor plan the audit work to address the audit objectives. Choice B is incorrect because the IS auditor does not collect evidence in the planning stage of an aud

Documentation of a business case used in an IT development project should be retained until:
Select an answer:
A. the end of the system's life cycle.
B. the project is approved.
C. user acceptance of the system.
D. the system is in production.

You answered D. The correct answer is A.
A business case can and should be used throughout the life cycle of the product. It serves as an anchor for new (management) personnel, helps to maintain focus and provides valuable information on estimates vs. act

An IS auditor is carrying out a system configuration review. Which of the following would be the BEST evidence in support of the current system configuration settings?
Select an answer:

A. System configuration values imported to a spreadsheet by the syste

You are correct, the answer is B.
Evidence obtained directly from the source by an IS auditor is more reliable than information provided by a system administrator or a business owner because the IS auditor does not have a vested interest in the outcome of

Assessing IT risk is BEST achieved by:
Select an answer:
A. evaluating threats associated with existing IT assets and IT projects.
B. using the firm's past actual loss experience to determine current exposure.
C. reviewing published loss statistics from c

You answered D. The correct answer is A.
To assess IT risk, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches. Choices B, C and D are potentially useful inputs to the risk assessment process, but

A large industrial organization is replacing an obsolete legacy system and evaluating whether to buy a custom solution or develop a system in-house. Which of the following will MOST likely influence the decision?
Select an answer:

A. Technical skills and

You answered B. The correct answer is A.
A. Critical core competencies will most likely be carefully considered before outsourcing the planning phase of the application.
B. Privacy regulations on the data impact the usage of the application, not its prepa

An IS auditor reviewing a proposed application software acquisition should ensure that the:
Select an answer:
A. operating system (OS) being used is compatible with the existing hardware platform.
B. planned OS updates have been scheduled to minimize nega

You are correct, the answer is D.
Choices A, B and C are incorrect because none of them are related to the area being audited. In reviewing the proposed application, the auditor should ensure that the products to be purchased are compatible with the curre

An e-commerce organization with a complex technological environment has numerous concurrent projects. This often results in production system changes. What is the MOST suitable approach to managing system changes so that system outages are minimized?
Sele

You answered D. The correct answer is B.
A. This is acceptable as a short-term strategy. However, more complex changes cannot be deferred indefinitely and need to be managed effectively, particularly if being introduced by multiple development initiatives

When using a digital signature, the message digest is computed:
Select an answer:
A. only by the sender.
B. only by the receiver.
C. by both the sender and the receiver.
D. by the certificate authority (CA).

You answered A. The correct answer is C.
A digital signature is an electronic identification of a person or entity. It is created by using asymmetric encryption. To verify integrity of data, the sender uses a cryptographic hashing algorithm against the en
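To see why both ends compute the digest, here is an added example (not part of the original page) using only Python's standard library. The signature primitive is textbook RSA on a small hard-coded key with no padding, chosen so the example is deterministic and runs offline; it is a teaching toy, not something to deploy (real systems use a proper key size and a padding scheme such as RSA-PSS, or a different signature scheme such as Ed25519). The message is constructed for the example.

```python
import hashlib

# Toy RSA key built from two hard-coded Mersenne primes so the example needs
# no key generation. ~150-bit modulus, no padding: demonstration only.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def message_digest(message: bytes) -> int:
    """The one step both parties perform on the message they hold. The SHA-256
    value is reduced mod N only because the toy modulus is smaller than 256 bits."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes) -> int:
    """Sender: hash the message, then transform the digest with the private key.
    The signature is a function of the digest, not of the whole message."""
    return pow(message_digest(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Receiver: recompute the digest from the message as received, undo the
    signer's transform with the public key, and compare the two digests. Any
    change to the message or to the signature makes the comparison fail."""
    recovered = pow(signature, E, N)
    return recovered == message_digest(message)


if __name__ == "__main__":
    msg = b"PAY 1,250.00 to vendor ACME, invoice INV-1001"   # constructed message
    sig = sign(msg)
    print(verify(msg, sig))                                   # True
    print(verify(msg.replace(b"1,250", b"9,250"), sig))       # False: digest differs
    print(verify(msg, sig ^ 1))                               # False: signature altered
```

The receiver never receives the sender's digest; it derives its own from the received bytes, which is why a certificate authority plays no part in this step (the CA only vouches for whose public key E and N are).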

A decision support system (DSS):
Select an answer:
A. is aimed at solving highly structured problems.
B. combines the use of models with nontraditional data access and retrieval functions.
C. emphasizes flexibility in the decision making approach of users

You answered A. The correct answer is C.
DSS emphasizes flexibility in the decision making approach of users. It is aimed at solving less structured problems, combines the use of models and analytic techniques with traditional data access and retrieval fu

Which of the following should be included in an organization's information security policy?
Select an answer:
A. A list of key IT resources to be secured
B. The basis for control access authorization
C. Identity of sensitive security features
D. Relevant

You answered A. The correct answer is B.
The security policy provides the broad framework of security, as laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting the access. Choi

Which of the following is MOST critical for the successful implementation and maintenance of a security policy?
Select an answer:
A. Assimilation of the framework and intent of a written security policy by all appropriate parties
B. Management support and

You answered B. The correct answer is A.
Assimilation of the framework and intent of a written security policy by the users of the system is critical to the successful implementation and maintenance of the security policy. A good password system may exist

An IS auditor should ensure that the review of online electronic funds transfer (EFT) reconciliation procedures includes:
Select an answer:
A. vouching.
B. authorizations.
C. corrections.
D. tracing.

You answered C. The correct answer is D.
Tracing involves following the transaction from the original source through to its final destination. In EFT transactions, the direction on tracing may start from the customer-printed copy of the receipt, checking

The most common reason for the failure of information systems to meet the needs of users is that:
Select an answer:
A. user needs are constantly changing.
B. the growth of user requirements was forecast inaccurately.
C. the hardware system limits the numb

You are correct, the answer is D.
Lack of adequate user involvement, especially in the system's requirements phase, will usually result in a system that does not fully or adequately address the needs of the user. Only users can define what their needs are

An IS auditor is performing a review of the software quality management process in an organization. The FIRST step should be to:
Select an answer:
A. verify how the organization follows the standards.
B. identify and report the controls currently in place

You answered B. The correct answer is D.
The first step of the review of the software quality management process should be to determine the evaluation criteria in the form of standards adopted by the organization. The evaluation of how well the organizati

The most likely error to occur when implementing a firewall is:
Select an answer:
A. incorrectly configuring the access lists.
B. compromising the passwords due to social engineering.
C. connecting a modem to the computers in the network.
D. inadequately

You are correct, the answer is A.
An updated and flawless access list is a significant challenge and, therefore, has the greatest chance for errors at the time of the initial installation. Password compromise through social engineering is a people risk rather than an implementation error, a modem bypasses a firewall a

Which of the following techniques would BEST help an IS auditor gain reasonable assurance that a project can meet its target date?
Select an answer:

A. Estimation of the actual end date based on the completion percentages and estimated time to complete, t

You are correct, the answer is C.
Direct observation of results is better than estimations and qualitative information gained from interviews or status reports. Project managers and involved staff tend to underestimate the time needed for completion and t

Which of the following is the MOST critical step to perform when planning an IS audit?
Select an answer:
A. Review findings from prior audits.
B. Develop plans to conduct a physical security review of the data center facility.
C. Review IS security polici

You are correct, the answer is D.
Of all the steps listed, performing a risk assessment is the most critical. Risk assessment is required by ISACA IT Audit and Assurance Standard S11 (Use of Risk Assessment in Audit Planning). In addition to the standards

A rapid application development (RAD) methodology has been selected to implement a new enterprise resource planning (ERP) system. All of the project activities have been assigned to the contracted consulting company because internal employees are not avai

You are correct, the answer is A.
Rapid methodologies require available resources with good expertise and a fast decision-making process because the plan duration is usually short. Reviewing the project plan and approach is the best recommendation to make

Which of the following is the BEST information source to obtain evidence when a server has been compromised by malware?
Select an answer:
A. Volatile data held in computer resources
B. Operating system (OS) event log history
C. Firewall event log history

You answered B. The correct answer is A.
A. Information held in computer resources, such as the contents of a server's random access memory (RAM), is the best information source when investigating a server compromise.
B. OS logs are valuable; howev

During a compliance audit of a small bank, the IS auditor notes that both the IT and accounting functions are being performed by the same user of the financial system. Which of the following reviews conducted by a supervisor would represent the BEST compe

Correct answer: D.
Computer logs will record the activities of individuals during their access to a computer system or data file and will record any abnormal activities, such as the modification or deletion of financial data. An audi

During which phase of software application testing should an organization perform the testing of architectural design?
Select an answer:
A. Acceptance testing
B. System testing
C. Integration testing

D. Unit testing

Correct answer: C.
Integration testing evaluates the connection of two or more components that pass information from one area to another. The objective is to utilize unit-tested modules, thus building an integrated structure accordin

An IS auditor has been assigned to conduct a test that compares job run logs to computer job schedules. Which of the following observations would be of the GREATEST concern to the IS auditor?
Select an answer:

A. There are a growing number of emergency ch

Correct answer: C.
The overriding of computer processing jobs by computer operators could lead to unauthorized changes to data or programs. This is a control concern; thus, it is always critical. The other options are not as critical becaus

An IS auditor is reviewing IT projects for a large company and wants to determine whether the IT projects undertaken in a given year are those which have been assigned the highest priority by the business and which will generate the greatest business valu

Correct answer: B.
Portfolio management is designed to assist in the definition, prioritization, approval and running of a set of projects within a given organization. These tools offer data capture, workflow and scenario planning fu

An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with the:
Select an answer:
A. maintenance of access logs of usage of various system resources.

B. authorization and authentication of the user prior to grant

Correct answer: B.
The authorization and authentication of users is the most significant aspect in a telecommunications access control review, as it is a preventive control. Weak controls at this level can affect all other aspects. The main

Which of the following is the BEST way to ensure that incident response activities are consistent with the requirements of business continuity?
Select an answer:
A. Draft and publish a clear practice for enterprise-level incident response.

B. Establish a

Correct answer: C.
A. Publishing an enterprise-level incident response plan is effective only if business continuity has aligned itself to incident response. Incident response supports business continuity, not the other way around.

B. Sharing p

A private enterprise has a project in place to modify the financial accounting system to comply with major changes in tax laws. Prior to going live, the finance manager, who is the application owner, went on emergency leave and could not complete function

Correct answer: A.
The business process owner should be consulted for any changes to the application. The head of operations is ultimately accountable; in a privately owned enterprise, that would include the enterprise owner. Applica

Data flow diagrams are used by IS auditors to:
Select an answer:
A. order data hierarchically.
B. highlight high-level data definitions.
C. graphically summarize data paths and storage.

D. portray step-by-step details of data generation.

Correct answer: C.
Data flow diagrams are used as aids to graph or chart data flow and storage. They trace the data from its origination to destination, highlighting the paths and storage of data. They do not order data in any hierar

An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the:
Select an answer:
A. hardware configuration.
B. access control software.
C. ownership of intellectual property.

D. application development methodology.

Correct answer: C.
Of the choices, the hardware configuration and access control software are generally irrelevant as long as functionality, availability and security are not affected, since those are the specific contractual obligations. Similarly, the d

During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization's operational risk documentation only contains a few broadly described types of IT risk. What is th

Correct answer: D.
Establishing regular IT risk management meetings is the best way to identify and assess IT-related risk in a medium-sized organization, to address responsibilities to the respective management and to keep the risk list an

Which of the following BEST mitigates the risk of backup media containing irreplaceable information being lost or stolen while in transit?
Select an answer:
A. Ensure that media are encrypted.
B. Maintain a duplicate copy.
C. Maintain chain of custody.

D.

Correct answer: B.
A. Although strong encryption protects against disclosure, it will not mitigate the loss of irreplaceable data.

B. Sensitive data should always be fully backed up before being transmitted or moved. Backups of sensitive in

An IS auditor wants to analyze audit trails on critical servers to discover potential anomalies in user or system behavior. Which of the following is the MOST suitable for performing that task?
Select an answer:

A. Computer-aided software engineering (CAS

Correct answer: C.
Trend/variance detection tools look for anomalies in user or system behavior, such as invoices with increasing invoice numbers. CASE tools are used to assist in software development. Embedded (audit) data collectio

When auditing a disaster recovery plan for a critical business area, an IS auditor finds that it does not cover all the systems. Which of the following is the MOST appropriate action for the IS auditor?
Select an answer:

A. Alert management and evaluate t

Correct answer: A.
An IS auditor should make management aware that some systems are omitted from the disaster recovery plan. An IS auditor should continue the audit and include an evaluation of the impact of not including all systems in the

An enterprise is developing a strategy to upgrade to a newer version of its database software. Which of the following tasks can an IS auditor perform without compromising the objectivity of the IS audit function?
Select an answer:

A. Advise on the adoptio

Correct answer: D.
Of the options presented, only the review of the test cases will facilitate the objective. Independence could be compromised if the IS auditor advises on the adoption of specific application controls. Independence

An IS auditor found that the enterprise architecture (EA) recently adopted by an organization has an adequate current-state representation. However, the organization has started a separate project to develop a future-state representation. The IS auditor s

Correct answer: B.
It is critical for the EA to include the future state because the gap between the current state and the future state will determine IT strategic and tactical plans. If the EA does not include a future-state represe

Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The auditor should:
Select an answer:

A. include the finding in the final report, because the IS auditor is responsible for an accurate report of

Correct answer: A.
Including the finding in the final report is a generally accepted audit practice. If an action is taken after the audit started and before it ended, the audit report should identify the finding and describe the corrective

Which of the following append themselves to files as a protection against viruses?
Select an answer:
A. Behavior blockers
B. Cyclical redundancy checkers (CRCs)
C. Immunizers

D. Active monitors

Correct answer: C.
Immunizers defend against viruses by appending sections of themselves to files. They continuously check the file for changes and report changes as possible viral behavior. Behavior blockers focus on detecting poten

Which of the following should an IS auditor review to gain an understanding of the effectiveness of controls over the management of multiple projects?
Select an answer:
A. Project database
B. Policy documents
C. Project portfolio database

D. Program organ

Correct answer: C.
A project portfolio database is the basis for project portfolio management. It includes project data, such as owner, schedules, objectives, project type, status and cost. Project portfolio management requires specific pro

For a health care organization, which one of the following reasons would MOST likely indicate that the patient benefit data warehouse should remain in-house rather than be outsourced to an offshore operation?
Select an answer:

A. There are regulations reg

Correct answer: A.
Regulations prohibiting the cross-border flow of personally identifiable information (PII) may make it impossible to locate a data warehouse containing customer/member information in another country. Training cost, remote

Which of the following is the MOST important requirement for the successful testing of a disaster recovery plan (DRP)?
Select an answer:
A. Participation by all of the identified resources
B. Management approval of the testing scenario

C. Advance notice f

Correct answer: B.
Management approval of the testing scenario helps to ensure that the test exercise is both relevant and aligned with business requirements. Obtaining management buy-in for the testing is critical to the success

Which of the following is the MOST reasonable option for recovering a noncritical system?
Select an answer:
A. Warm site
B. Mobile site
C. Hot site

D. Cold site

Correct answer: D.
Generally a cold site is contracted for a longer period at a lower cost. Since it requires more time to make a cold site operational, it is generally used for noncritical applications. A warm site is generally available a

When transmitting a payment instruction, which of the following will help verify that the instruction was not duplicated?
Select an answer:
A. Using a cryptographic hashing algorithm
B. Enciphering the message digest
C. Deciphering the message digest

D. U

Correct answer: D.
When transmitting data, a sequence number and/or time stamp built into the message to make it unique can be checked by the recipient to ensure that the message was not intercepted and replayed. This is known as replay pro

Which of the following disaster recovery/continuity plan components provides the GREATEST assurance of recovery after a disaster?
Select an answer:

A. The alternate facility will be available until the original information processing facility is restored.

Correct answer: A.
The alternate facility should be made available until the original site is restored to provide the greatest assurance of recovery after a disaster. Without this assurance, the plan will not be successful. All other choice

Which of the following physical access controls effectively reduces the risk of piggybacking?
Select an answer:
A. Biometric door locks
B. Combination door locks
C. Deadman doors

D. Bolting door locks

Correct answer: C.
Deadman doors use a pair of doors. For the second door to operate, the first entry door must close and lock with only one person permitted in the holding area. This effectively reduces the risk of piggybacking. An individ

When performance issues are discovered during an assessment of the organization's network, the MOST efficient way for the IS auditor to proceed is to examine the:
Select an answer:
A. antivirus controls that have been put in place.

B. protocols used on th

Correct answer: C.
By reviewing the network topology, the IS auditor can quickly gain a high-level perspective of potential points of failure or bottlenecks. The IS auditor will be directed to specific areas of the network which may require

Which of the following is the BEST indicator that a newly developed system will be used after it is in production?
Select an answer:
A. Regression testing
B. User acceptance testing (UAT)
C. Sociability testing

D. Parallel testing

Correct answer: B.
A. Regression test results do not assist with the user experience and are primarily concerned with new functionality or processes and whether those changes altered or broke previous functionality.

B. UAT is underta

Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an electronic funds transfer (EFT) system?
Select an answer:
A. Three users with the ability to capture and verify their own messages

B. Five users

Correct answer: A.
The ability of one individual to capture and verify messages represents an inadequate segregation, since messages can be taken as correct and as if they had already been verified.

The cryptographic hash sum of a message is recalculated by the receiver. This is to ensure:
Select an answer:
A. the confidentiality of the message.
B. nonrepudiation by the sender.
C. the authenticity of the message.

D. the integrity of data transmitted

Correct answer: D.
If the hash sum is different from what is expected, it implies that the message has been altered. This is an integrity test. Note that an unkeyed hash detects alteration but not substitution by an attacker, who can simply recompute it; a keyed MAC or a signature is needed for authenticity. Encrypting the message with the public key of the receiver ensures confidentiality. Signing the mes
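The following is an added example, not code from the original page, covering the two payment-instruction questions above: the receiver recomputes a hash sum to check integrity, checks a keyed MAC for authenticity, and then uses the sequence number and timestamp embedded in the message to reject replays. The shared key, message layout, clock window and account names are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed shared secret (assumption); real systems pull this from a KMS/HSM.
SHARED_KEY = b"example-shared-key-not-for-production"
MAX_CLOCK_SKEW = 300  # seconds; older or newer messages are rejected as stale


def canonical(body: dict) -> bytes:
    """Deterministic encoding so sender and receiver hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def digest(payload: bytes) -> str:
    """Unkeyed hash sum: detects alteration, but anyone can recompute it."""
    return hashlib.sha256(payload).hexdigest()


def tag(payload: bytes) -> str:
    """Keyed MAC: only a holder of SHARED_KEY can produce a valid one."""
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()


def build_instruction(seq: int, amount: str, to_account: str, ts: int) -> dict:
    """Sender side: the unique sequence number and timestamp go inside the
    protected body, so a replay or an edit is detectable."""
    body = {"seq": seq, "ts": ts, "amount": amount, "to": to_account}
    raw = canonical(body)
    return {"body": body, "hash": digest(raw), "mac": tag(raw)}


class Receiver:
    """Receiver side: integrity, authenticity, then replay checks, in that order."""

    def __init__(self, now: int):
        self.now = now          # injectable clock (assumption, for testing)
        self.last_seq = 0       # highest sequence number accepted so far

    def verify(self, msg: dict) -> tuple:
        raw = canonical(msg["body"])
        # 1. Integrity: recompute the hash sum; a difference means alteration.
        if digest(raw) != msg["hash"]:
            return False, "integrity: hash mismatch"
        # 2. Authenticity: an attacker can fix up a plain hash after editing
        #    the message, but cannot forge the MAC without the key.
        if not hmac.compare_digest(tag(raw), msg["mac"]):
            return False, "authenticity: bad MAC"
        # 3. Freshness and uniqueness: timestamp inside the window and a
        #    sequence number not accepted before (strictly increasing).
        if abs(self.now - msg["body"]["ts"]) > MAX_CLOCK_SKEW:
            return False, "replay: stale timestamp"
        if msg["body"]["seq"] <= self.last_seq:
            return False, "replay: duplicate or out-of-order sequence number"
        self.last_seq = msg["body"]["seq"]
        return True, "ok"


def demo() -> list:
    """Walk through: accept, replay, tamper, tamper with fixed hash, stale."""
    now = 1_700_000_000
    rx = Receiver(now)
    good = build_instruction(1, "100.00", "ACCT-42", now)
    results = [rx.verify(good), rx.verify(good)]          # second copy is a replay
    edited = build_instruction(2, "100.00", "ACCT-42", now)
    edited["body"]["amount"] = "9100.00"                   # hash no longer matches
    results.append(rx.verify(edited))
    edited["hash"] = digest(canonical(edited["body"]))     # attacker fixes the hash...
    results.append(rx.verify(edited))                      # ...but the MAC still fails
    stale = build_instruction(3, "5.00", "ACCT-42", now - 3600)
    results.append(rx.verify(stale))
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

The ordering matters: the MAC is checked before any state (the sequence counter) is updated, so an unauthenticated message cannot advance or poison the replay window.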

An IS auditor notes during an audit that an organization's business continuity plan (BCP) does not adequately address information confidentiality during the recovery process. The IS auditor should recommend that the plan be modified to include:
Select an

Correct answer: A.
Business should consider whether information security levels required during recovery should be the same, lower or higher than when business is operating normally. In particular, any special rules for access to confidenti

An IS auditor is reviewing the expansion plans for an organization which is opening a new office about 80 meters away from their existing facility. The plan is to implement fiber-optic cabling within the new facility and it has been determined that a 100-

Correct answer: A.
Using Cat 5 UTP cabling for the link between the two buildings may meet short-term bandwidth requirements but, over time, additional new requirements may drive the need for more bandwidth that may not be delivered over UT

When two or more systems are integrated, the IS auditor must review input/output controls in the:
Select an answer:
A. systems receiving the output of other systems.
B. systems sending output to other systems.
C. systems sending and receiving data.

D. int

Correct answer: C.
Both of the systems must be reviewed for input/output controls, since the output for one system is the input for the other.

During an IS risk assessment of a healthcare organization regarding protected healthcare information (PHI), an IS auditor interviews IS management. Which of the following findings from the interviews would be of MOST concern to the IS auditor?
Select an a

Correct answer: B.
There will always be human-error risk that staff members forget to type certain words in the subject field. The organization should have automated encryption set up for outgoing email for employees working with PHI

The PRIMARY purpose of a postimplementation review is to ascertain that:
Select an answer:
A. the lessons learned have been documented.
B. future enhancements can be identified.
C. the project has been delivered on time and budget.

D. project objectives h

Correct answer: D.
A. It is important to ensure that lessons learned during the project are not forgotten; however, it is more important to ascertain whether the project solved the problem it was designed to address.

B. Identifying f

Which of the following would help to ensure the portability of an application connected to a database?
Select an answer:
A. Verification of database import and export procedures
B. Usage of a structured query language (SQL)

C. Analysis of stored procedure

Correct answer: B.
The use of SQL facilitates portability. Verification of import and export procedures with other systems ensures better interfacing with other systems, analyzing stored procedures/triggers ensures proper access/performance

Many organizations require an employee to take a mandatory vacation (holiday) of a week or more to:
Select an answer:
A. ensure the employee maintains a good quality of life, which will lead to greater productivity.

B. reduce the opportunity for an employ

Correct answer: B.
Required vacations/holidays of a week or more in duration in which someone other than the regular employee performs the job function is often mandatory for sensitive positions, as this reduces the opportunity to co

Which of the following is a prevalent risk in the development of end-user computing (EUC) applications?
Select an answer:
A. Applications may not be subject to testing and IT general controls.
B. Development and maintenance costs may be increased.

C. Appl

Correct answer: A.
End-user computing is defined as the ability of end users to design and implement their own information system utilizing computer software products. End-user developed applications may not be subjected to an indepe

An IS auditor is reviewing a project risk assessment and notices that the overall risk level is high due to confidentiality requirements. Which of the following types of risk is normally high due to the number of users and business areas the project may a

Correct answer: C.
A. Control risk can be high, but it would be due to internal controls not being identified, evaluated or tested, and would not be due to the number of users or business areas affected.

B. Compliance risk is the penalty ap

Sharing risk is a key factor in which of the following methods of managing risk?
Select an answer:
A. Transferring risk
B. Tolerating risk
C. Terminating risk

D. Treating risk

Correct answer: A.
Transferring risk (e.g., by taking an insurance policy) is a way to share risk. Tolerating risk means that the risk is accepted, but not shared. Terminating risk is unlikely to involve sharing the risk because some risk w

An IS auditor is reviewing the change management process for an enterprise resource planning (ERP) application. Which of the following is the BEST method for testing program changes?
Select an answer:

A. Select a sample of change tickets and review them f

Correct answer: C.
A. Selecting a sample of change tickets and reviewing them for authorization helps test for authorization controls; however, it does not identify program changes that were made without supporting change tickets.

B. Perfor

Value delivery from IT to the business is MOST effectively achieved by:
Select an answer:
A. aligning the IT strategy with the enterprise strategy.
B. embedding accountability in the enterprise.
C. providing a positive return on investment (ROI).

D. estab

Correct answer: A.
A. IT's value delivery to the business is driven by aligning IT with the enterprise's strategy.
B. Embedding accountability in the enterprise promotes risk management (another element of corporate governance).

C. While RO

An IS auditor discovers that URLs for online control self-assessment questionnaires are sent using URL shortening services. The use of URL shortening services would MOST likely increase the risk of which of the following attacks?
Select an answer:

A. IP s

Correct answer: B.
URL shortening services have been adopted by attackers to fool users and spread malware, because the shortened link hides the real destination from the recipient (i.e., phishing). IP spoofing is used to change the source IP address in a Transmission Control Protocol/Internet Protocol (TCP/IP) pack

An IS auditor is assigned to perform a postimplementation review of an application system. Which of the following situations may have impaired the independence of the IS auditor? The IS auditor:
Select an answer:

A. implemented a specific functionality du

Correct answer: A.
Independence may be impaired if an IS auditor is, or has been, actively involved in the development, acquisition and implementation of the application system. Choices B and C are situations that do not impair an IS

An IS auditor is reviewing the database backup and recovery plan developed by the organization's database administration team. Which of the following is of MOST importance to the auditor?
Select an answer:
A. Backup validation is being performed.

B. The b

Correct answer: A.
A. Database backup validation allows the database administrator (DBA) to verify the backups without performing an actual restore and is critical to ensure integrity of the backups. Of course, actual database restore testi
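As an added example that is not part of the original page, the block below shows the kind of backup validation the two backup questions above refer to (the duplicate-copy question on media in transit and this one on validating database backups): a SHA-256 manifest is written when the backup set is created, and a later check detects lost or corrupted files without performing a restore. The directory layout, file names and contents are constructed for the demonstration; validating a manifest confirms the files are intact, not that they can actually be restored, so periodic restore tests remain necessary.

```python
import hashlib
import json
import os
import tempfile

MANIFEST_NAME = "MANIFEST.json"  # assumed name, stored alongside the backup set


def sha256_file(path: str) -> str:
    """Stream the file so large dumps do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: str) -> dict:
    """Record hash and size of every file in the backup set at creation time.
    Ship the manifest separately (or sign it) so a thief or a courier error
    cannot quietly replace both the media and its checksums."""
    entries = {}
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            if name == MANIFEST_NAME:
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, backup_dir).replace(os.sep, "/")
            entries[rel] = {"sha256": sha256_file(path), "size": os.path.getsize(path)}
    with open(os.path.join(backup_dir, MANIFEST_NAME), "w") as f:
        json.dump(entries, f, indent=2, sort_keys=True)
    return entries


def validate_backup(backup_dir: str) -> list:
    """Return one problem string per missing or altered file; empty means clean."""
    with open(os.path.join(backup_dir, MANIFEST_NAME)) as f:
        manifest = json.load(f)
    problems = []
    for rel, meta in manifest.items():
        path = os.path.join(backup_dir, *rel.split("/"))
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif os.path.getsize(path) != meta["size"] or sha256_file(path) != meta["sha256"]:
            problems.append(f"corrupt or tampered: {rel}")
    return problems


def backup_demo() -> tuple:
    """Create a constructed backup set, validate it, damage it, validate again."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "db"))
        with open(os.path.join(d, "db", "full.dmp"), "wb") as f:
            f.write(b"constructed full dump contents")
        with open(os.path.join(d, "db", "archlog.001"), "wb") as f:
            f.write(b"constructed archive log contents")
        write_manifest(d)
        clean = validate_backup(d)
        # Simulate bit rot on one file and loss of another while in transit.
        with open(os.path.join(d, "db", "full.dmp"), "ab") as f:
            f.write(b"X")
        os.remove(os.path.join(d, "db", "archlog.001"))
        damaged = validate_backup(d)
    return clean, damaged


if __name__ == "__main__":
    before, after = backup_demo()
    print("clean set:", before or "OK")
    print("damaged set:", after)
```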

The MOST important reason for an IS auditor to obtain sufficient and appropriate audit evidence is to:
Select an answer:
A. comply with regulatory requirements.
B. provide a basis for drawing reasonable conclusions.
C. ensure complete audit coverage.

D. p

Correct answer: B.
The scope of an IS audit is defined by its objectives. This involves identifying control weaknesses relevant to the scope of the audit. Obtaining sufficient and appropriate evidence assists the auditor in not only

Which of the following software testing methods provides the BEST feedback on how software will perform in the live environment?
Select an answer:
A. Alpha testing
B. Regression testing
C. Beta testing

D. White box testing

Correct answer: C.
A. Alpha testing is often performed only by users within the organization developing the software. Alpha testing generally involves a software version that does not contain all the features of the final product and may be

Which of the following is MOST important when an operating system (OS) patch is to be applied to a production environment?
Select an answer:
A. Successful regression testing by the developer
B. Approval from the information asset owner

C. Approval from th

Correct answer: B.
A. While testing is important for any patch, in this case it should be assumed that the OS vendor tested the patch before releasing it. Before this OS patch is put into production, the organization should do system testin

Which of the following is the MOST important action in recovering from a cyberattack?
Select an answer:
A. Creating an incident response team
B. Using cyberforensic investigators
C. Executing a business continuity plan

D. Filing an insurance claim

Correct answer: C.
The most important key step in recovering from cyberattacks is the execution of a business continuity plan to quickly and cost-effectively recover critical systems, processes and data. The incident response team should ex

A technical lead who was working on a major project has left the organization. The project manager reports suspicious system activities on one of the servers that is accessible to the whole team. Which of the following would be of GREATEST concern during

Correct answer: A.
Audit logs are critical to the investigation of the event; however, if not enabled, misuse of the logon ID of the technical lead and the guest account could not be established. The logon ID of the technical lead should ha
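The review the answer above describes is only possible if audit logging was enabled in the first place. As an added example that is not from the original page, the block below runs that review over constructed log lines: it flags any activity by the departed technical lead's logon ID after the last working day (the account should have been disabled) and any use of the guest account, whose activity cannot be attributed to one person. The log format, host name, user names and dates are all assumptions.

```python
import re
from datetime import datetime

# Constructed inputs (assumptions): departed staff with their last working day,
# and accounts that should never be used interactively on this server.
DEPARTED = {"tlead": datetime(2024, 3, 1, 23, 59, 59)}
SHARED_OR_GUEST = {"guest"}

# Constructed audit-log format: "<date> <time> host=<h> user=<u> action=<a>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) host=(?P<host>\S+) "
    r"user=(?P<user>\S+) action=(?P<action>\S+)$"
)

SAMPLE_LOG = """\
2024-03-04 02:13:07 host=proj-srv-01 user=tlead action=login
2024-03-04 02:14:30 host=proj-srv-01 user=tlead action=sudo
2024-03-04 09:05:00 host=proj-srv-01 user=guest action=login
2024-03-04 09:10:00 host=proj-srv-01 user=devpat action=login
"""


def review_audit_log(log_text: str, departed: dict, shared: set) -> list:
    """Return one finding per log line showing activity by an account that
    should have been disabled, or by a shared/guest account."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # in a real review, unparsable lines deserve their own finding
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        user = m["user"]
        if user in departed and ts > departed[user]:
            findings.append({"user": user, "ts": m["ts"], "action": m["action"],
                             "issue": "activity after departure; logon ID was not disabled"})
        elif user in shared:
            findings.append({"user": user, "ts": m["ts"], "action": m["action"],
                             "issue": "shared/guest account used; activity not attributable"})
    return findings


if __name__ == "__main__":
    for f in review_audit_log(SAMPLE_LOG, DEPARTED, SHARED_OR_GUEST):
        print(f)
```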

Which of the following is the BEST factor for determining the extent of data collection during the planning phase of an IS compliance audit?
Select an answer:
A. Complexity of the organization's operation
B. Findings and issues noted from the prior year

C

Correct answer: C.
The extent to which data will be collected during an IS audit is related directly to the purpose, objective and scope of the audit. An audit with a narrow purpose and limited objective and scope is most likely to result i

An IS auditor selects a server for a penetration test that will be carried out by a technical specialist. Which of the following is MOST important?
Select an answer:
A. The tools used to conduct the test
B. Certifications held by the IS auditor

C. Permiss

Correct answer: C.
The data owner should be informed of the risk associated with a penetration test, what types of tests are to be conducted and other relevant details. All other choices are not as important as the data owner's responsibili

Which of the following is the BEST control to mitigate the risk of pharming attacks to an Internet banking application?
Select an answer:
A. User registration and password policies
B. User security awareness

C. Use of intrusion detection/intrusion prevent

Correct answer: D.
The pharming attack redirects the traffic to an unauthorized web site by exploiting vulnerabilities of the DNS server. In order to avoid this kind of attack, it is necessary to eliminate any known vulnerability that could
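As an added example that is not from the original page, the two BIND 9 `named.conf` option blocks below contrast a resolver configuration that makes cache poisoning and reconnaissance easy with a hardened one. The address ranges, ACL names and directory are assumptions; the option names are standard BIND 9 options.

```conf
// WEAK (assumed starting point): open recursive resolver, no DNSSEC
// validation, version string disclosed by default, zone transfers to anyone.
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { any; };
    allow-query { any; };
    allow-transfer { any; };
    dnssec-validation no;
};

// HARDENED: recursion and cache only for internal clients, DNSSEC validation
// so forged answers for signed zones are rejected, transfers limited to the
// secondary, version string suppressed, and minimal responses to reduce the
// amount of data an attacker can push into the cache via additional records.
acl internal { 10.0.0.0/8; 192.168.0.0/16; localhost; localnets; };
acl secondaries { 10.0.0.53; };
options {
    directory "/var/cache/bind";
    version "none";
    recursion yes;
    allow-recursion { internal; };
    allow-query { internal; };
    allow-query-cache { internal; };
    allow-transfer { secondaries; };
    dnssec-validation auto;
    minimal-responses yes;
};
```

Check the file with `named-checkconf` before reloading, and confirm validation is active by querying a signed name with `dig +dnssec` and looking for the AD flag in the response. Server hardening addresses only the resolver and authoritative side: pharming can also be done by editing a victim's hosts file or a home router's DNS settings, which is why the bank's own TLS certificate and user awareness still matter.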

Which testing approach is MOST appropriate to ensure that internal application interface errors are identified as soon as possible?
Select an answer:
A. Bottom up
B. Sociability testing
C. Top-down

D. System test

Correct answer: C.
The top-down approach to testing ensures that interface errors are detected early and that testing of major functions is conducted early. A bottom-up approach to testing begins with atomic units, such as programs and modu

Which of the following would be BEST prevented by a raised floor in the computer machine room?
Select an answer:
A. Damage of wires around computers and servers
B. A power failure from static electricity
C. Shocks from earthquakes

D. Water flood damage

Correct answer: A.
The primary reason for having a raised floor is to enable power cables and data cables to be installed underneath the floor. This eliminates the safety and damage risk posed when cables are placed in a spaghetti-li

Over the long term, which of the following has the greatest potential to improve the security incident response process?
Select an answer:
A. A walk-through review of incident response procedures
B. Postevent reviews by the incident response team

C. Ongoi

Correct answer: B.
Postevent reviews to find the gaps and shortcomings in the actual incident response processes will help to improve the process over time. Choices A, C and D are desirable actions, but postevent reviews are the most reliab

Which of the following is an example of a passive attack initiated through the Internet?
Select an answer:
A. Traffic analysis
B. Masquerading
C. Denial of service

D. Email spoofing

Correct answer: A.
Internet security threats/vulnerabilities are divided into passive and active attacks. Examples of passive attacks include network analysis, eavesdropping and traffic analysis. Active attacks include brute force attacks,

An IS auditor is reviewing access to an application to determine whether the 10 most recent new accounts were appropriately authorized. This is an example of:
Select an answer:
A. variable sampling.
B. substantive testing.
C. compliance testing.

D. stop-o

Correct answer: C.
Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized. Variable sampling is used to estimate
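Three of the tests in this set are the same reconciliation with different inputs: job run logs against the job schedule (flagging runs that were not scheduled or were overridden by an operator), production program changes against change tickets (catching changes made without a ticket, which a review of the tickets alone cannot do), and newly created accounts against approved access requests (the compliance test just described). The block below is an added example, not code from the original page, that performs all three over constructed sample records; the job names, file contents, ticket and request identifiers are assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str
    item: str
    detail: str


# --- Constructed sample evidence (assumptions, not from the page) ----------
JOB_SCHEDULE = {"NIGHTLY_GL_POST", "DAILY_BACKUP", "INTEREST_ACCRUAL"}
JOB_RUN_LOG = [  # (job name, run by, operator-override flag)
    ("NIGHTLY_GL_POST", "scheduler", False),
    ("DAILY_BACKUP", "scheduler", False),
    ("INTEREST_ACCRUAL", "op_jsmith", True),   # scheduled job, but overridden
    ("ADHOC_FIX_RATES", "op_jsmith", True),    # job that is not on the schedule
]

BASELINE_PROGRAMS = {"payroll.cbl": b"v1 payroll", "gl.cbl": b"v1 gl", "tax.cbl": b"v1 tax"}
PRODUCTION_PROGRAMS = {"payroll.cbl": b"v2 payroll", "gl.cbl": b"v1 gl", "tax.cbl": b"v2 tax"}
CHANGE_TICKETS = {"CHG-1001": "payroll.cbl"}   # tax.cbl changed with no ticket

NEW_ACCOUNTS = ["u_alice", "u_bob", "svc_report"]
APPROVED_REQUESTS = {"REQ-77": "u_alice", "REQ-78": "u_bob"}


def fingerprint(programs: dict) -> dict:
    """Hash each program so a change is detected by content, not by date stamp."""
    return {name: hashlib.sha256(body).hexdigest() for name, body in programs.items()}


def unscheduled_or_overridden_jobs(schedule: set, run_log: list) -> list:
    """Job runs vs. schedule: unscheduled runs and operator overrides are the concern."""
    findings = []
    for job, run_by, override in run_log:
        if job not in schedule:
            findings.append(Finding("jobs", job, f"run by {run_by} but not on the schedule"))
        elif override:
            findings.append(Finding("jobs", job, f"scheduled job overridden by operator {run_by}"))
    return findings


def unauthorized_program_changes(baseline: dict, production: dict, tickets: dict) -> list:
    """Start from what actually changed in production, then look for a ticket."""
    before, after = fingerprint(baseline), fingerprint(production)
    changed = {name for name in after if before.get(name) != after[name]}
    covered = set(tickets.values())
    return [Finding("changes", name, "modified in production with no change ticket")
            for name in sorted(changed - covered)]


def unapproved_accounts(new_accounts: list, approved: dict) -> list:
    """Every created account must trace back to an approved request."""
    approved_users = set(approved.values())
    return [Finding("accounts", user, "created with no approved access request")
            for user in new_accounts if user not in approved_users]


def run_all() -> list:
    return (unscheduled_or_overridden_jobs(JOB_SCHEDULE, JOB_RUN_LOG)
            + unauthorized_program_changes(BASELINE_PROGRAMS, PRODUCTION_PROGRAMS, CHANGE_TICKETS)
            + unapproved_accounts(NEW_ACCOUNTS, APPROVED_REQUESTS))


if __name__ == "__main__":
    for f in run_all():
        print(f"[{f.category}] {f.item}: {f.detail}")
```

The direction of the comparison is the point: starting from the authorizations (tickets, requests, schedule) only tells you the authorized items were done; starting from what actually happened in production is what surfaces the unauthorized ones.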

During an audit of a small enterprise, the IS auditor noted that the IS director has superuser-privilege access that allows the director to process requests for changes to the application access roles (access types). Which of the following should the IS a

Correct answer: A.
The IS auditor should recommend implementation of processes that could prevent improper changes from being made to the major application roles. The application role change request process should start and be approved by t

Which of the following BEST indicates that a business continuity plan (BCP) will function as intended in the event of a disaster?
Select an answer:
A. Enforced procedures for regular plan updates
B. A tabletop exercise with disaster scenarios

C. A compreh

Correct answer: B.
A. While recovery plans should be kept current, the use of a tabletop exercise to test the plan is a better option because it involves people and processes.

B. A tabletop exercise is used to test the effectiveness of a BC

An IS auditor performing a review of a major software development project finds that it is on schedule and under budget due to unplanned overtime by software developers. The IS auditor should:
Select an answer:

A. conclude that the project is progressing

Correct answer: D.
While the dates on which key projects are completed are important, there may be issues with the project plan if an extraordinary amount of unplanned overtime is required to meet those dates. In most cases, the proj

Which of the following types of risk is MOST likely encountered in a Software as a Service (SaaS) environment?
Select an answer:
A. Noncompliance with software license agreements
B. Performance issues due to Internet delivery method

C. Higher cost due to

Correct answer: B.
The risk most likely to be encountered in a SaaS environment is speed and availability issues, because SaaS relies on the Internet for connectivity. SaaS is provisioned on a usage basis, not a licens

The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program?
Select an answer:
A. Utilizing an intrusion detection system to report incidents

B. Mandating the u

Correct answer: D.
Training is the only choice that is directed at security awareness. Utilizing an intrusion detection system to report on incidents that occur is an implementation of a security program and is not effective in establishing

Which of the following is MOST critical when creating data for testing the logic in a new or modified application system?
Select an answer:
A. A sufficient quantity of data for each test case

B. Data representing conditions that are expected in actual pro

Correct answer: B.
Selecting the right kind of data is key in testing a computer system. The data should not only include valid and invalid data but should be representative of actual processing; quality is more important than quantity. It

An IS auditor is reviewing an organization's business continuity plan (BCP) to determine the impact of a disruption in an industry where regulatory requirements demand high availability. Which of the following findings should be of MOST concern to the aud

Correct answer: C.
A. While an original copy of the agreement is important, many third parties will send a duplicate original copy of an agreement so that each party has an original.

B. Encrypted backups are important to ensure the confiden

IS management recently replaced its existing wired local area network (LAN) with a wireless infrastructure to accommodate the increased use of mobile devices within the organization. This will increase the risk of which of the following attacks?
Select an

Correct answer: D.
A war driving attack uses a wireless network card set in promiscuous mode (monitor mode, in 802.11 terms) and a powerful antenna to discover and penetrate wireless systems from outside the premises. Port scanning will often target the external firewall of the organization. A

Which of the following is of GREATEST concern to an IS auditor when performing an audit of a client relationship management (CRM) system migration project?
Select an answer:

A. The technical migration is planned for a Friday preceding a long weekend, and

You are correct, the answer is C.
Major system migrations should include a phase of parallel operation or a phased cut-over to reduce implementation risk. Decommissioning or disposing of the old hardware would complicate any fallback strategy, should the

A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing-off on the accuracy and completeness of the data before going live?
Select an answer:

A. IS audito

You are correct, the answer is D.
During the data conversion stage of a project, the data owner is primarily responsible for reviewing and signing-off that the data are migrated completely, accurately and are valid. An IS auditor is not responsible for re

Which of the following should be of PRIMARY concern to an IS auditor reviewing the management of external IT service providers?
Select an answer:
A. Minimizing costs for the services provided
B. Prohibiting the provider from subcontracting services

C. Eva

You answered C. The correct answer is D.
From an IS auditor's perspective, the primary objective of auditing the management of service providers should be to determine if the services that were requested were provided in a way that is acceptable, seamless

An IS auditor invited to a project development meeting notes that no project risk has been documented. When the IS auditor raises this issue, the project manager responds that it is too early to identify risk and that, if risk starts impacting the project

You answered D. The correct answer is A.
The majority of project risk can typically be identified before a project begins, allowing mitigation/avoidance plans to be put in place to deal with this risk. A project should have a clear link back to corporate

An IS auditor performing an application maintenance audit would review the log of program changes for the:
Select an answer:
A. authorization of program changes.
B. creation date of a current object module.
C. number of program changes actually made.

D. c

You answered C. The correct answer is A.
The manual log will most likely contain information on authorized changes to a program. Deliberate, unauthorized changes will not be documented by the responsible party. An automated log, found usually in library m

During a disaster recovery test, an IS auditor observes that the performance of the disaster recovery site's server is slow. To find the root cause of this, the IS auditor should FIRST review the:
Select an answer:

A. event error log generated at the disa

You answered B. The correct answer is D.
Since the configuration of the system is the most probable cause, the IS auditor should review that first. If the issue cannot be clarified, the IS auditor should then review the event error log. The disaster recov

Which of the following data validation edits is effective in detecting transposition and transcription errors?
Select an answer:
A. Range check
B. Check digit
C. Validity check

D. Duplicate check

You are correct, the answer is B.
A check digit is a numeric value that is calculated mathematically and is appended to data to ensure that the original data have not been altered, e.g., an incorrect, but valid, value substituted for the original. This co
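As an added illustration (not part of the original question bank), the following Python compares a weighted mod-11 check digit, the scheme ISBN-10 uses, with a naive unweighted digit sum. The account number and the error cases are constructed; the code exhaustively generates every single-digit transcription error and every adjacent transposition of the payload and reports how many each scheme catches, which is exactly the property the question is testing for.

```python
def mod11_check_digit(body: str) -> str:
    """Weighted mod-11 check digit (the ISBN-10 scheme).

    Payload digits are weighted n+1, n, ..., 2 from left to right and the
    check character (weight 1) is chosen so the total is 0 mod 11.  Because
    11 is prime and adjacent weights differ by exactly 1, any single-digit
    substitution and any adjacent transposition changes the total mod 11.
    """
    if not body.isdigit():
        raise ValueError("payload must be decimal digits")
    weights = range(len(body) + 1, 1, -1)
    total = sum(int(d) * w for d, w in zip(body, weights))
    check = (-total) % 11
    return "X" if check == 10 else str(check)


def mod11_valid(code: str) -> bool:
    body, check = code[:-1], code[-1].upper()
    return body.isdigit() and mod11_check_digit(body) == check


def digit_sum_check_digit(body: str) -> str:
    """Naive unweighted check digit: sum of digits mod 10.

    Catches single substitutions but is blind to transpositions, because
    swapping two digits leaves the sum unchanged.  Shown only as a foil.
    """
    return str(sum(int(d) for d in body) % 10)


def digit_sum_valid(code: str) -> bool:
    body, check = code[:-1], code[-1]
    return body.isdigit() and digit_sum_check_digit(body) == check


def adjacent_transpositions(code: str):
    """Every code obtained by swapping one pair of adjacent, distinct
    payload digits (the classic keying error '1234' -> '1324')."""
    body, check = code[:-1], code[-1]
    for i in range(len(body) - 1):
        if body[i] != body[i + 1]:
            swapped = body[:i] + body[i + 1] + body[i] + body[i + 2:]
            yield swapped + check


def single_substitutions(code: str):
    """Every code obtained by replacing one payload digit with a different one."""
    body, check = code[:-1], code[-1]
    for i, d in enumerate(body):
        for r in "0123456789":
            if r != d:
                yield body[:i] + r + body[i + 1:] + check


def detection_rate(validator, corrupted) -> float:
    """Fraction of corrupted codes that the validator rejects."""
    corrupted = list(corrupted)
    caught = sum(1 for c in corrupted if not validator(c))
    return caught / len(corrupted)


if __name__ == "__main__":
    payload = "123456789"                                    # constructed account number
    mod11_code = payload + mod11_check_digit(payload)        # '123456789X'
    sum_code = payload + digit_sum_check_digit(payload)      # '1234567895'
    for name, code, validator in (("mod-11", mod11_code, mod11_valid),
                                  ("digit-sum", sum_code, digit_sum_valid)):
        print(f"{name:9s} {code}: substitutions caught "
              f"{detection_rate(validator, single_substitutions(code)):.0%}, "
              f"transpositions caught "
              f"{detection_rate(validator, adjacent_transpositions(code)):.0%}")
```

Run it and the mod-11 scheme catches 100% of both error classes, while the digit sum catches the substitutions but none of the transpositions, since swapping two digits does not change their sum. Weights that differ between adjacent positions, combined with a prime modulus, are what make a check digit a transposition detector rather than just a substitution detector.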

An organization is disposing of a number of laptop computers. Which of the following data destruction methods would be the MOST effective?
Select an answer:
A. Run a low-level data wipe utility on all hard drives.
B. Erase all data file directories.

C. Fo

You answered A. The correct answer is D.
The most effective method is physical destruction. Running a low-level data wipe utility may leave some residual data that could be recovered; erasing data directories and formatting hard drives are easily reversed

The knowledge base of an expert system that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as:
Select an answer:
A. rules.
B. decision trees.
C. semantic nets.

D. dataflow diagrams.

You are correct, the answer is B.
Decision trees use questionnaires to lead a user through a series of choices until a conclusion is reached. Rules refer to the expression of declarative knowledge through the use of if-then relationships. Semantic nets co

An IS auditor reviewing the authentication controls of an organization should be MOST concerned if:
Select an answer:
A. user accounts are not locked out after five failed attempts.
B. passwords can be reused by employees within a defined time frame.

C. s

You answered A. The correct answer is C.
A. If user accounts are not locked after multiple failed attempts, a brute force attack could be used to gain access to the system. While this is a risk, a typical user would have limited system access compared to

After initial investigation, an IS auditor has reasons to believe that fraud may be present. The IS auditor should:
Select an answer:
A. expand activities to determine whether an investigation is warranted.
B. report the matter to the audit committee.

C.

You answered B. The correct answer is A.
An IS auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended. The IS auditor sho

Which of the following is the MOST reasonable option for recovering a noncritical system?
Select an answer:
A. Warm site
B. Mobile site
C. Hot site

D. Cold site

You are correct, the answer is D.
Generally a cold site is contracted for a longer period at a lower cost. Since it requires more time to make a cold site operational, it is generally used for noncritical applications. A warm site is generally available a

An IS auditor performing a review of application controls would evaluate the:
Select an answer:
A. efficiency of the application in meeting the business processes.
B. impact of any exposures discovered.
C. business processes served by the application.

D.

You answered A. The correct answer is B.
An application control review involves the evaluation of the application's automated controls and an assessment of any exposures resulting from the control weaknesses. The other choices may be objectives of an appl

What is a risk associated with attempting to control physical access to sensitive areas such as computer rooms using card keys or locks?
Select an answer:
A. Unauthorized individuals wait for controlled doors to open and walk in behind those authorized.

B

You are correct, the answer is A.
The concept of piggybacking compromises all physical control established. Choice B would be of minimal concern in a disaster recovery environment. Items in choice C are not easily duplicated. Regarding choice D, while tec

A web server is attacked and compromised. Which of the following should be performed FIRST to handle the incident?
Select an answer:
A. Dump the volatile storage data to a disk.
B. Run the server in a fail-safe mode.

C. Disconnect the web server from the

You are correct, the answer is C.
The first action is to disconnect the web server from the network to contain the damage and prevent more actions by the attacker. Dumping the volatile storage data to a disk may be used at the investigation stage but does

An IS auditor analyzing the audit log of a database management system (DBMS) finds that some transactions were partially executed as a result of an error and have not been rolled back. Which of the following transaction processing features has been violat

You are correct, the answer is D.
Atomicity guarantees that either the entire transaction is processed or none of it is. Consistency ensures that the database is in a legal state when the transaction begins and ends. Isolation means that, while in an inte
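Added example (Python standard library sqlite3, not taken from the page): the same two-statement funds transfer run first as two autocommitted statements, then inside an explicit transaction. The accounts and the failing destination are constructed. When the credit fails, the non-atomic version leaves the debit committed, which is the partially executed transaction the auditor found in the log; the atomic version rolls the debit back.

```python
import sqlite3


def new_ledger() -> sqlite3.Connection:
    """In-memory ledger with two constructed accounts (example data only)."""
    # isolation_level=None puts the connection in autocommit mode, so every
    # statement commits on its own unless we open a transaction explicitly.
    con = sqlite3.connect(":memory:", isolation_level=None)
    con.execute(
        "CREATE TABLE account ("
        "  id TEXT PRIMARY KEY,"
        "  balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    con.executemany("INSERT INTO account VALUES (?, ?)",
                    [("alice", 100), ("bob", 50)])
    return con


def balances(con: sqlite3.Connection) -> dict:
    return dict(con.execute("SELECT id, balance FROM account ORDER BY id"))


def _debit(con, acct, amount):
    cur = con.execute("UPDATE account SET balance = balance - ? WHERE id = ?",
                      (amount, acct))
    if cur.rowcount != 1:
        raise LookupError(f"no such account: {acct}")


def _credit(con, acct, amount):
    cur = con.execute("UPDATE account SET balance = balance + ? WHERE id = ?",
                      (amount, acct))
    if cur.rowcount != 1:
        raise LookupError(f"no such account: {acct}")


def transfer_non_atomic(con, src, dst, amount):
    """Two autocommitted statements.  If the credit fails, the debit has
    already been committed: the partially executed transaction the auditor
    found in the log, and money has simply disappeared from the ledger."""
    _debit(con, src, amount)
    _credit(con, dst, amount)


def transfer_atomic(con, src, dst, amount):
    """Same two statements inside one transaction.  Any error rolls back
    everything done since BEGIN, so the ledger is never left half-updated."""
    con.execute("BEGIN")
    try:
        _debit(con, src, amount)
        _credit(con, dst, amount)
        con.execute("COMMIT")
    except Exception:
        con.execute("ROLLBACK")
        raise


def demo() -> tuple:
    """Run the same failing transfer (to a non-existent account) both ways,
    then a successful atomic one.  Returns the three resulting balance maps."""
    con = new_ledger()
    try:
        transfer_non_atomic(con, "alice", "carol", 30)
    except LookupError:
        pass
    after_non_atomic = balances(con)          # alice debited, nobody credited

    con = new_ledger()
    try:
        transfer_atomic(con, "alice", "carol", 30)
    except LookupError:
        pass
    after_atomic_failure = balances(con)      # unchanged: debit rolled back

    transfer_atomic(con, "alice", "bob", 30)
    after_atomic_success = balances(con)
    return after_non_atomic, after_atomic_failure, after_atomic_success


if __name__ == "__main__":
    bad, rolled_back, ok = demo()
    print("non-atomic failure :", bad, "total", sum(bad.values()))
    print("atomic failure     :", rolled_back, "total", sum(rolled_back.values()))
    print("atomic success     :", ok, "total", sum(ok.values()))
```

The tell-tale sign in the first case is the invariant that breaks: the total across all accounts drops from 150 to 120 with no corresponding credit anywhere. An auditor reviewing a DBMS log for half-executed transactions is looking for exactly this kind of orphaned debit, and the control that prevents it is wrapping the statements in a transaction that is rolled back on any error.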

When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is

You answered A. The correct answer is B.
IT risk is managed by embedding accountability into the enterprise. The IS auditor should recommend the implementation of accountability rules to ensure that all responsibilities are defined within the organization

When using public key encryption to secure data being transmitted across a network:
Select an answer:
A. both the key used to encrypt and decrypt the data are public.
B. the key used to encrypt is private, but the key used to decrypt the data is public.

C

You are correct, the answer is C.
Public key encryption, also known as asymmetric key cryptography, uses the recipient's public key to encrypt the message and the recipient's private key, which is never shared, to decrypt it. In practice the public key is usually used to protect a symmetric session key that encrypts the bulk of the data, but the roles of the keys are as stated.

While planning an audit, an assessment of risk should be made to provide:
Select an answer:
A. reasonable assurance that the audit will cover material items.
B. definite assurance that material items will be covered during the audit work.

C. reasonable as

You are correct, the answer is A.
ISACA IT Audit and Assurance Guideline G15 on planning the IS audit states that, "An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit work.

An IS auditor is planning to evaluate the control design effectiveness related to an automated billing process. Which of the following is the MOST effective approach for the auditor to adopt?
Select an answer:
A. Process narrative
B. Inquiry

C. Reperforma

You are correct, the answer is D.
A. Process narratives may not be current or complete and may not reflect the actual process in operation.

B. Inquiry can be used to understand the controls in a process only if it is accompanied by verification of evidenc

A benefit of quality of service (QoS) is that the:
Select an answer:
A. entire network's availability and performance will be significantly improved.
B. telecom carrier will provide the company with accurate service-level compliance reports.

C. participat

You answered A. The correct answer is C.
The main function of QoS is to optimize network performance by assigning priority to business applications and end users, through the allocation of dedicated parts of the bandwidth to specific traffic. Choice A is

Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit?
Select an answer:
A. Contingency planning
B. IS management resource allocation
C. Project management

D. Knowledge of inte

You are correct, the answer is C.
A. Contingency planning is often associated with the organization's operations. IS auditors should have knowledge of contingency planning techniques.

B. IS managers are responsible for resource management of their departm

When reviewing the IT strategic planning process, an IS auditor should ensure that the plan:
Select an answer:
A. incorporates state of the art technology.
B. addresses the required operational controls.
C. articulates the IT mission and vision.

D. specif

You are correct, the answer is C.
The IT strategic plan must include a clear articulation of the IT mission and vision. The plan need not address the technology, operational controls or project management practices.

The PRIMARY advantage of a continuous audit approach is that it:
Select an answer:
A. does not require an IS auditor to collect evidence on system reliability while processing is taking place.

B. requires the IS auditor to review and follow up immediately

You are correct, the answer is C.
The use of continuous auditing techniques can improve system security when used in time-sharing environments that process a large number of transactions, but leave a scarce paper trail. Choice A is incorrect since the con

Which of the following append themselves to files as a protection against viruses?
Select an answer:
A. Behavior blockers
B. Cyclical redundancy checkers (CRCs)
C. Immunizers

D. Active monitors

You answered D. The correct answer is C.
Immunizers defend against viruses by appending sections of themselves to files. They continuously check the file for changes and report changes as possible viral behavior. Behavior blockers focus on detecting poten

The objective of concurrency control in a database system is to:
Select an answer:
A. restrict updating of the database to authorized users.
B. prevent integrity problems when two processes attempt to update the same data at the same time.

C. prevent inad

You answered C. The correct answer is B.
Concurrency controls prevent data integrity problems, which can arise when two update processes access the same data item at the same time. Access controls restrict updating of the database to authorized users, and
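Added example (Python, not from the page) of the lost-update problem that concurrency control exists to prevent, with a constructed stock record. The Row class stands in for a database row; its lock only makes each individual statement atomic, as a DBMS does, so a read-modify-write interleaving between two processes still loses one update unless the row version is checked (optimistic control) or the lock is held across the whole sequence (pessimistic control).

```python
import threading


class Row:
    """One database row with a version counter.  The lock only makes each
    individual read or write atomic, exactly as a DBMS does per statement;
    it does not by itself protect a read-modify-write sequence."""

    def __init__(self, value: int):
        self.value = value
        self.version = 0
        self._lock = threading.Lock()

    def read(self):
        with self._lock:
            return self.value, self.version

    def write(self, value: int) -> None:
        """Unconditional write: blind to whether someone else wrote in between."""
        with self._lock:
            self.value = value
            self.version += 1

    def write_if_unchanged(self, value: int, expected_version: int) -> bool:
        """Optimistic concurrency control: the write succeeds only if the row
        still carries the version the caller read.  Otherwise the caller must
        re-read and redo its computation."""
        with self._lock:
            if self.version != expected_version:
                return False
            self.value = value
            self.version += 1
            return True

    def update_locked(self, fn) -> None:
        """Pessimistic concurrency control: hold the lock across the whole
        read-modify-write, so other updaters wait instead of interleaving."""
        with self._lock:
            self.value = fn(self.value)
            self.version += 1


def lost_update(optimistic: bool) -> int:
    """Force the worst-case interleaving: two processes both read stock=10,
    P1 sells 3 and P2 sells 4.  The correct result is 3."""
    stock = Row(10)
    v1, ver1 = stock.read()          # P1 reads 10
    v2, ver2 = stock.read()          # P2 reads the same value before P1 writes
    if not optimistic:
        stock.write(v1 - 3)          # P1 writes 7
        stock.write(v2 - 4)          # P2 writes 6, silently discarding P1's sale
    else:
        assert stock.write_if_unchanged(v1 - 3, ver1)      # P1 commits, version 0 -> 1
        while not stock.write_if_unchanged(v2 - 4, ver2):  # P2 rejected: version moved on
            v2, ver2 = stock.read()                        # P2 re-reads 7 and retries
    return stock.value


def pessimistic_threads(workers: int, each: int, start: int) -> int:
    """Many real threads decrementing the same row under a lock held for the
    full read-modify-write; the result is exact regardless of scheduling."""
    stock = Row(start)

    def worker():
        for _ in range(each):
            stock.update_locked(lambda v: v - 1)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return stock.value


if __name__ == "__main__":
    print("no concurrency control :", lost_update(optimistic=False))     # 6
    print("optimistic (versioned) :", lost_update(optimistic=True))      # 3
    print("pessimistic (locked)   :", pessimistic_threads(50, 4, 1000))  # 800
```

Both controls restore integrity; they trade off differently. Pessimistic locking serialises updaters and can deadlock or stall under contention, while optimistic versioning lets everyone proceed and makes the loser redo its work, which suits workloads where conflicts are rare. Neither has anything to do with who is authorised to update the row, which is why access control is a separate answer.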

A consulting firm has created an FTP site for the purpose of receiving financial data and has communicated the site's address, user ID and password to the financial services company in separate email messages. The company is to transmit its data to the FT

You answered B. The correct answer is A.
Credentials that are transmitted in cleartext are vulnerable to compromise through the use of packet sniffers or other means. Once the site credentials are compromised, an unauthorized external party may download s

Due to a recent economic downturn, an IT organization has terminated several administrators and consolidated all IT administration at its central headquarters. During an IT audit, the auditor determines that the organization has implemented remote adminis

You are correct, the answer is D.
The greatest concern is whether the network is being managed using a conventional unencrypted Internet connection. Choice A is not correct because, while the authentication methods should be reviewed, the use of an unencr

Which of the following functions should be performed by the application owners to ensure an adequate segregation of duties between IS and end users?
Select an answer:
A. System analysis
B. Authorization of access to data
C. Application programming

D. Data

You are correct, the answer is B.
The application owner is responsible for authorizing access to data. Application development and programming are functions of the IS department. Similarly, system analysis should be performed by qualified persons in IS wh

Which of the following issues should be a MAJOR concern to an IS auditor who is reviewing a service level agreement (SLA)?
Select an answer:
A. A service adjustment resulting from an exception report took a day to implement.

B. The complexity of applicati

You are correct, the answer is C.
Lack of performance measures will make it difficult to gauge the efficiency and effectiveness of IT services. Delays related to exception reports and the complexity of application logs are operational issues which are not

Accountability for the maintenance of appropriate security measures over information assets resides with the:
Select an answer:
A. security administrator.
B. systems administrator.
C. data and systems owners.

D. systems operations group.

You are correct, the answer is C.
Management should ensure that all information assets (data and systems) have an appointed owner who makes decisions about classification and access rights. System owners typically delegate day-to-day custodianship to the

The PRIMARY purpose for meeting with auditees prior to formally closing a review is to:
Select an answer:
A. confirm that the auditors did not overlook any important issues.
B. gain agreement on the findings.

C. receive feedback on the adequacy of the aud

You answered C. The correct answer is B.
The primary purpose for meeting with auditees prior to formally closing a review is to gain agreement on the findings. The other choices, though related to the formal closure of an audit, are of secondary importanc

Which of the following should be a MAJOR concern for an IS auditor reviewing a business continuity plan (BCP)?
Select an answer:
A. The plan is approved by the chief information officer (CIO).
B. The plan contact lists have not been updated.

C. Test resul

You answered B. The correct answer is C.
A. Ideally, the board of directors should approve the plan to ensure acceptability, but it is possible to delegate approval authority to the CIO. Pragmatically, lack of documenting test results could have more sign

An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should FIRST review:
Select an answer:
A. the controls already in place.
B. the effectiveness of the controls in place.

C. the mechanism for monitoring the ris

You answered C. The correct answer is D.
One of the key factors to be considered while assessing the risk related to the use of various information systems is the threats and vulnerabilities affecting the assets. The risk related to the use of information

Which of the following should the IS auditor review to ensure that servers are optimally configured to support processing requirements?
Select an answer:
A. Benchmark test results
B. Server logs
C. Downtime reports

D. Server utilization data

You answered C. The correct answer is D.
A. Benchmark tests are designed to compare system performance using standardized criteria; however, benchmark testing does not provide the best data to ensure the optimal configuration of servers in an organization

Which of the following groups is the BEST source of information for determining the criticality of application systems as part of a business impact analysis (BIA)?
Select an answer:
A. Business process owners
B. IT management

C. Senior business manageme

You are correct, the answer is A.
Business process owners have the most relevant information to contribute since the BIA is designed to evaluate criticality, based on business needs. Choices B and C are not correct because, while IT management and senior

During a logical access controls review, an IS auditor observes that user accounts are shared. The GREATEST risk resulting from this situation is that:
Select an answer:
A. an unauthorized user may use the ID to gain access.

B. user access management is t

You are correct, the answer is C.
The use of a single user ID by more than one individual precludes knowing who, in fact, used that ID to access a system; therefore, it is more difficult to hold anyone accountable. The risk of an unauthorized user accessi

Which of the following is the initial step in creating a firewall policy?
Select an answer:
A. A cost-benefit analysis of methods for securing the applications
B. Identification of network applications to be externally accessed

C. Identification of vulner

You answered D. The correct answer is B.
The applications that must be reachable across the network should be identified first. After identification, depending on the physical location of these applications in the network and the network model, the pe

When planning an audit of a network setup, an IS auditor should give HIGHEST priority to obtaining which of the following network documentation?
Select an answer:
A. Wiring and schematic diagram
B. Users' lists and responsibilities

C. Application lists an

You are correct, the answer is A.
The wiring and schematic diagram of the network is necessary to carry out a network audit. A network audit may not be feasible if a network wiring and schematic diagram is not available. All other documents are important

An IS auditor is reviewing the software development process for an organization. Which of the following functions would be appropriate for the end users to perform?
Select an answer:
A. Program output testing
B. System configuration

C. Program logic speci

You are correct, the answer is A.
A user can test program output by checking the program input and comparing it with the system output. This task, although usually done by the programmer, can also be done effectively by the user. System configuration is u

A sender of an email message applies a digital signature to the digest of the message. This action provides assurance of the:
Select an answer:
A. date and time stamp of the message.
B. identity of the originating computer.

C. confidentiality of the messa

You are correct, the answer is D.
The signature on the digest can be used to authenticate the sender and to detect any modification of the message after signing (integrity), because any change to the message changes the digest and the signature no longer verifies. It does not provide assurance of the date and time stamp or the identity of the originating computer. Digitally signing an email message does not prevent
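Added example (Python, standard library only; the key, message and helper names are constructed for illustration and are not from the page) covering both this question and the public key encryption question above. It uses a deliberately tiny textbook RSA key to sign a SHA-256 digest and verify it, showing that the signature authenticates the sender and detects tampering but leaves the body readable and carries no timestamp, and then uses the same key pair the other way round for encryption: public key to encrypt, private key to decrypt.

```python
import hashlib

# Constructed toy RSA key.  Two fixed primes, a ~60-bit modulus: enough to show
# the mechanics, hopelessly weak for real use (use 3072-bit RSA or an ECC
# scheme from a vetted library in practice, with proper padding).
P, Q = 1_000_000_007, 998_244_353
N = P * Q                               # public modulus
E = 65537                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (Python 3.8+)


def digest_as_int(message: bytes) -> int:
    """The signer signs a hash of the message, not the message itself."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_exp: int = D) -> int:
    """Only the holder of the private exponent can produce this value."""
    return pow(digest_as_int(message), private_exp, N)


def verify(message: bytes, signature: int, public_exp: int = E) -> bool:
    """Anyone with the public key can check it: recompute the digest and
    compare with the signature raised to the public exponent."""
    return pow(signature, public_exp, N) == digest_as_int(message)


def signed_email(message: bytes) -> dict:
    """What actually travels: the body in the clear plus a signature.
    The signature authenticates the sender and detects tampering; it
    does not hide the body and carries no timestamp."""
    return {"body": message, "signature": sign(message)}


def encrypt_with_public_key(m: int) -> int:
    """Public-key encryption (the separate question above): encrypt with the
    recipient's public key; only the matching private key can decrypt."""
    if not 0 <= m < N:
        raise ValueError("plaintext must be smaller than the modulus")
    return pow(m, E, N)


def decrypt_with_private_key(c: int) -> int:
    return pow(c, D, N)


if __name__ == "__main__":
    msg = b"Pay 100 to bob"                     # constructed message
    mail = signed_email(msg)
    print("body readable by anyone :", mail["body"])
    print("verifies as sent        :", verify(msg, mail["signature"]))
    print("verifies after tampering:", verify(b"Pay 900 to bob", mail["signature"]))
    print("same sig when re-signed :", sign(msg) == mail["signature"])  # no time stamp
    session_key = 0xC0FFEE                      # e.g. a symmetric key, as an integer
    print("public-key round trip   :",
          decrypt_with_private_key(encrypt_with_public_key(session_key)) == session_key)
```

Two observations carry over to real deployments. The body of a signed message is plaintext unless it is separately encrypted, which is why S/MIME and PGP treat signing and encryption as distinct operations. And because signing is deterministic here, re-signing the same bytes yields the same signature, so the signature alone proves nothing about when the message was sent; time assurance needs a trusted timestamping service that signs the digest together with a time value.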

During maintenance of a relational database, several values of the foreign key in a transaction table have been corrupted. The consequence is that:
Select an answer:

A. the detail of involved transactions may no longer be associated with master data, caus

You answered B. The correct answer is A.
When the foreign key of a transaction is corrupted or lost, the application system will normally be incapable of directly attaching the master data to the transaction data. This will normally cause the system to u

Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs?
Select an answer:
A. System log analysis
B. Compliance testing
C. Forensic analysis

D. Analytical review

You answered D. The correct answer is B.
Determining that only authorized modifications are made to production programs would require the change management process be reviewed to evaluate the existence of a trail of documentary evidence. Compliance testin

When reviewing system parameters, an IS auditor's PRIMARY concern should be that:
Select an answer:
A. they are set to meet security and performance requirements.
B. changes are recorded in an audit trail and periodically reviewed.

C. changes are authoriz

You answered C. The correct answer is A.
The primary concern is to find the balance between security and performance. Recording changes in an audit trail and periodically reviewing them is a detective control; however, if parameters are not set according

Which of the following should an IS auditor review to understand project progress in terms of time, budget and deliverables for early detection of possible overruns and for projecting estimates at completion (EACs)?
Select an answer:

A. Function point ana

You are correct, the answer is B.
Earned value analysis (EVA) is an industry standard method for measuring a project's progress at any given point in time, forecasting its completion date and final cost, and analyzing variances in the schedule and budget as the project proceeds.

Which of the following is the BEST audit procedure to determine if a firewall is configured in compliance with an organization's security policy?
Select an answer:
A. Review the parameter settings.
B. Interview the firewall administrator.

C. Review the ac

You are correct, the answer is A.
A review of the parameter settings will provide a good basis for comparison of the actual configuration to the security policy and will provide audit evidence documentation. The other choices do not provide audit evidence

An IS auditor is reviewing access controls for a manufacturing organization. During the review, the IS auditor discovers that data owners have the ability to change access controls for a low-risk application. The BEST course of action for the IS auditor i

You answered A. The correct answer is D.
DAC allows data owners to modify access, which is a normal procedure and is a benefit of DAC. Recommending MAC is not correct because it is more appropriate for data owners to have DAC in a low-risk application. Th

IS management is considering a Voice-over IP (VoIP) network to reduce telecommunication costs and management asked the IS auditor to comment on appropriate security controls. Which of the following security measures is MOST appropriate?
Select an answer:

You answered C. The correct answer is A.
Firewalls used as entry points to a VoIP network should be VoIP-capable. VoIP network services such as H.323 introduce complexities that are likely to strain the capabilities of older firewalls. Allowing for remote

When preparing an audit report the IS auditor should ensure that the results are supported by:
Select an answer:
A. statements from IS management.
B. work papers of other auditors.
C. an organizational control self-assessment.

D. sufficient and appropriat

You are correct, the answer is D.
ISACA's IT audit and assurance standard on reporting requires that the IS auditor have sufficient and appropriate audit evidence to support the reported results. Statements from IS management provide a basis for obtaining

Which of the following would help to ensure the portability of an application connected to a database?
Select an answer:
A. Verification of database import and export procedures
B. Usage of a structured query language (SQL)

C. Analysis of stored procedure

You are correct, the answer is B.
The use of standard SQL facilitates portability, since most relational database products accept it; vendor-specific extensions and proprietary stored procedure languages reduce that benefit. Verification of import and export procedures with other systems ensures better interfacing with other systems, analyzing stored procedures/triggers ensures proper access/performance

A large chain of shops with electronic funds transfer (EFT) at point-of-sale devices has a central communications processor for connecting to the banking network. Which of the following is the BEST disaster recovery plan for the communications processor?

You answered A. The correct answer is D.
Having an alternative standby processor at another network node would be the best solution. The unavailability of the central communications processor would disrupt all access to the banking network, resulting in t

The MOST likely effect of the lack of senior management commitment to IT strategic planning is:
Select an answer:
A. a lack of investment in technology.
B. a lack of a methodology for systems development.

C. technology not aligning with the organization's

You are correct, the answer is C.
A steering committee should exist to ensure that the IT strategies support the organization's goals. The absence of an information technology committee or a committee not composed of senior managers would be an indication

An organization allows employees to connect company laptops to company-controlled wireless access points. To prevent unauthorized access to the organization's internal network, the BEST preventive control is to:
Select an answer:

A. enable media access co

You answered C. The correct answer is D.
A. Enabling MAC filtering does not prevent mobile devices from connecting to unauthorized access points. MAC filters prevent unauthorized systems from connecting to the company's wireless access point. They do not

The MAIN purpose of a transaction audit trail is to:
Select an answer:
A. reduce the use of storage media.
B. determine accountability and responsibility for processed transactions.
C. help an IS auditor trace transactions.

D. provide useful information f

You answered C. The correct answer is B.
Enabling audit trails aids in establishing the accountability and responsibility for processed transactions by tracing them through the information system. Enabling audit trails increases the use of disk space. A t

Which of the following is the GREATEST advantage of elliptic curve encryption over RSA encryption?
Select an answer:
A. Computation speed
B. Ability to support digital signatures
C. Simpler key distribution

D. Greater strength for a given key length

You are correct, the answer is A.
The main advantage of elliptic curve encryption over RSA encryption is its computation speed, which comes from achieving comparable security with much shorter keys (a 256-bit curve is generally rated comparable to 3072-bit RSA), so key generation, signing and key agreement cost far fewer operations. This method was first independently suggested by Neal Koblitz and Victor S. Miller. Both encryption methods support digital sig

A proposed transaction processing application will have many data capture sources and outputs in paper and electronic form. To ensure that transactions are not lost during processing, an IS auditor should recommend the inclusion of:
Select an answer:

A. v

You answered C. The correct answer is D.
Automated systems balancing would be the best way to ensure that no transactions are lost as any imbalance between total inputs and total outputs would be reported for investigation and correction. Validation contr

The information security policy that states "each individual must have their badge read at every controlled door" addresses which of the following attack methods?
Select an answer:
A. Piggybacking
B. Shoulder surfing
C. Dumpster diving

D. Impersonation

You answered D. The correct answer is A.
Piggybacking refers to unauthorized persons following authorized persons, either physically or virtually, into restricted areas. This policy addresses the polite behavior problem of holding doors open for a strange

Which of the following is a PRIMARY objective of an acceptable use policy?
Select an answer:
A. Creating awareness about the secure use of proprietary resources
B. Ensuring compliance with information security policies

C. Defining sanctions for noncomplia

You answered B. The correct answer is D.
A. Employee orientations and user awareness training are the most effective processes to raise user awareness about the acceptable use of proprietary IT resources. The acceptable use policy is one of the topics cov

What is the MAJOR benefit of conducting a control self-assessment (CSA) over a traditional audit?
Select an answer:
A. It detects risk sooner.
B. It replaces the audit function.
C. It reduces audit workload.

D. It reduces audit resources.

You are correct, the answer is A.
A. CSAs require employees to assess the control stature of their own function. CSAs help increase the understanding of business risk and internal controls. Because they are conducted more frequently than audits, CSAs help

An IS auditor is evaluating the effectiveness of the organization's change management process. What is the MOST important control that the IS auditor should look for to ensure system availability?
Select an answer:

A. That changes are authorized by IT man

You are correct, the answer is C.
The most important control for ensuring system availability is to implement a sound testing plan and procedures which are consistently followed. The other options can be important considerations, but are not as important

Which of the following is the GREATEST concern to an IS auditor reviewing an organization's use of third-party-provided cloud services to store health care billing information?
Select an answer:
A. Disparate backup requirements

B. Availability of infrastr

You are correct, the answer is C.
A. Although disparate backup requirements may present a challenge, the primary concern is maintaining segregation of client data.

B. Availability of infrastructure is an inherent benefit of cloud services, and as such is

An IS auditor's PRIMARY concern when application developers wish to use a copy of yesterday's production transaction file for volume tests is that:
Select an answer:
A. users may prefer to use contrived data for testing.

B. unauthorized access to sensitiv

You are correct, the answer is B.
Unless the data are sanitized (masked or pseudonymized before they leave the production environment), there is a risk of disclosing sensitive data to developers and testers who are not authorized to see it.
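Added example (Python, standard library only) of the sanitization the explanation refers to; the rows, key and function names are constructed for the illustration and are not from the page. Customers are replaced by keyed, deterministic pseudonyms so that per-customer volumes and joins survive, account numbers are replaced by format-preserving digit strings so the application's input edits still pass, and amounts are perturbed; a final check confirms no original identifier appears in the output.

```python
import hmac
import hashlib
import random

# Constructed masking key; in practice held by the data owner, never in the
# test environment, so the pseudonyms cannot be reversed from there.
MASKING_KEY = b"example-masking-key-not-for-production"

# Constructed sample of yesterday's transaction file (no real data).
PRODUCTION_ROWS = [
    {"customer": "Ada Lovelace", "account": "10023456", "amount": 120.50, "type": "POS"},
    {"customer": "Ada Lovelace", "account": "10023456", "amount": 18.00,  "type": "ATM"},
    {"customer": "Grace Hopper", "account": "10098765", "amount": 940.00, "type": "WIRE"},
]


def pseudonym(value: str, field: str) -> str:
    """Keyed, deterministic token: identical inputs map to identical tokens,
    so joins and per-customer volumes survive masking, but the real value
    cannot be recovered without the key.  The field name is mixed in so the
    same string in different columns yields different tokens."""
    mac = hmac.new(MASKING_KEY, f"{field}:{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:12]


def mask_account(account: str) -> str:
    """Format-preserving variant: output is all digits and the same length,
    so input edits (length, numeric checks) in the application still pass."""
    mac = hmac.new(MASKING_KEY, b"account:" + account.encode(), hashlib.sha256).digest()
    return "".join(str(byte % 10) for byte in mac[:len(account)])


def perturb_amount(amount: float, rng: random.Random) -> float:
    """Keep amounts realistic for a volume test while breaking exact values."""
    return round(amount * rng.uniform(0.9, 1.1), 2)


def sanitize(rows: list, seed: int = 0) -> list:
    rng = random.Random(seed)   # seeded so the test file is reproducible
    return [
        {
            "customer": pseudonym(row["customer"], "customer"),
            "account": mask_account(row["account"]),
            "amount": perturb_amount(row["amount"], rng),
            "type": row["type"],   # non-sensitive code, kept for realism
        }
        for row in rows
    ]


def leaks(original: list, masked: list) -> list:
    """Simple release check: no original identifier may appear in the output."""
    blob = repr(masked)
    return sorted({str(v) for row in original for k, v in row.items()
                   if k in ("customer", "account") and str(v) in blob})


if __name__ == "__main__":
    test_rows = sanitize(PRODUCTION_ROWS)
    for row in test_rows:
        print(row)
    print("identifiers leaked:", leaks(PRODUCTION_ROWS, test_rows))
```

The choice of a keyed HMAC rather than a plain hash matters: a bare SHA-256 of an account number is reversible by anyone who can enumerate the account number space, which is small. Whether the perturbed amounts are acceptable depends on the test; for a pure volume test they are, for a reconciliation test the developers would instead need synthetic data that balances by construction.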

When testing program change requests, an IS auditor finds that the population of changes was too small to provide a reasonable level of assurance. What is the MOST appropriate action for the IS auditor to take?
Select an answer:

A. Develop an alternate te

You are correct, the answer is A.
If a sample size objective cannot be met with the given data, the IS auditor would not be able to provide assurance regarding the testing objective. In this instance, the IS auditor should develop (with audit management a

During fieldwork, an IS auditor experienced a system crash caused by a security patch installation. To provide reasonable assurance that this event will not recur, the IS auditor should ensure that:
Select an answer:

A. only systems administrators perform

You answered D. The correct answer is B.
The change management process, which would include procedures regarding implementing changes during production hours, helps to ensure that this type of event does not recur. An IS auditor should review the change m

An IS auditor is planning to evaluate the control design effectiveness related to an automated billing process. Which of the following is the MOST effective approach for the auditor to adopt?
Select an answer:
A. Process narrative
B. Inquiry

C. Reperforma

You answered B. The correct answer is D.
A. Process narratives may not be current or complete and may not reflect the actual process in operation.

B. Inquiry can be used to understand the controls in a process only if it is accompanied by verification of

Segmenting a highly sensitive database results in:
Select an answer:
A. reduced exposure.
B. reduced threat.
C. less criticality.

D. less sensitivity.

You answered B. The correct answer is A.
A. Segmenting data reduces the quantity of data exposed as a result of a particular event.
B. The threat may remain constant, but each segment may represent a different vector against which it must be directed.

C.

Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit?
Select an answer:
A. Contingency planning
B. IS management resource allocation
C. Project management

D. Knowledge of inte

You are correct, the answer is C.
A. Contingency planning is often associated with the organization's operations. IS auditors should have knowledge of contingency planning techniques.

B. IS managers are responsible for resource management of their departm

An IS auditor reviewing an organization that uses cross-training practices should assess the risk of:
Select an answer:
A. dependency on a single person.
B. inadequate succession planning.
C. one person knowing all parts of a system.

D. a disruption of op

You are correct, the answer is C.
Cross-training is a process of training more than one individual to perform a specific job or procedure. This practice helps decrease the dependence on a single person and assists in succession planning. This provides for

A rapid application development (RAD) methodology has been selected to implement a new enterprise resource planning (ERP) system. All of the project activities have been assigned to the contracted consulting company because internal employees are not avai

You are correct, the answer is A.
Rapid methodologies require available resources with good expertise and a fast decision-making process because the plan duration is usually short. Reviewing the project plan and approach is the best recommendation to make

Which of the following would help to ensure the portability of an application connected to a database?
Select an answer:
A. Verification of database import and export procedures
B. Usage of a structured query language (SQL)

C. Analysis of stored procedure

You are correct, the answer is B.
The use of SQL facilitates portability. Verification of import and export procedures with other systems ensures better interfacing with other systems, analyzing stored procedures/triggers ensures proper access/performance

Which of the following is the MOST reasonable option for recovering a noncritical system?
Select an answer:
A. Warm site
B. Mobile site
C. Hot site

D. Cold site

You are correct, the answer is D.
Generally a cold site is contracted for a longer period at a lower cost. Since it requires more time to make a cold site operational, it is generally used for noncritical applications. A warm site is generally available a

During a postimplementation review, an IS auditor finds that the delivered application does not meet end-user requirements. Which of the following is the BEST recommendation to prevent future problems with the project management process?
Select an answer:

You answered D. The correct answer is B.
A. The question implies that the application developer team is already involved.

B. The waterfall method helps ensure that errors are detected early in the development process. Waterfall development is a procedure-

Which of the following would be MOST important for an IS auditor to verify while conducting a business continuity audit?
Select an answer:
A. Data backups are performed on a timely basis.
B. A recovery site is contracted for and available as needed.

C. Hu

You answered A. The correct answer is C.
The most important element in any business continuity process is the protection of human life. This takes precedence over all other aspects of the plan.

To minimize the cost of a software project, quality management techniques should be applied:
Select an answer:
A. as close to their writing (i.e., point of origination) as possible.

B. primarily at project start to ensure that the project is established i

You answered B. The correct answer is C.
While it is important to properly establish a software development project, quality management should be effectively practiced throughout the project. The major source of unexpected costs on most software projects

Comparing data from an accounts payable application with invoices received from vendors in the month of December is BEST described as:
Select an answer:
A. substantive testing.
B. compliance testing.
C. qualitative analysis.

D. judgment sampling.

You answered C. The correct answer is A.
A. Substantive testing involves obtaining audit evidence on the completeness, accuracy or existence of data at the individual transaction level. This can be achieved by comparing the data in the application to the

When creating a password, a system generates the initial password and then forces the user to change the password when the user logs on for the first time. The system allows the user to enter the same password generated by the system as the user's own/new

You answered B. The correct answer is C.
Hardening the password parameters so that old passwords are not accepted as new passwords is the most effective control because it is system enforced. Although education is important and users should be aware of th

An IS auditor is reviewing IT projects for a large company and wants to determine whether the IT projects undertaken in a given year are those which have been assigned the highest priority by the business and which will generate the greatest business valu

You are correct, the answer is B.
Portfolio management is designed to assist in the definition, prioritization, approval and running of a set of projects within a given organization. These tools offer data capture, workflow and scenario planning functiona

Which of the following should an IS auditor be MOST concerned about in a financial application?
Select an answer:
A. Programmers have access to application source code.
B. Secondary controls are documented for identified role conflicts.

C. The information

You are correct, the answer is D.
A. Programmers who have access to application source code are not of concern to the IS auditor because programmers need access to source code to do their job.

B. When segregation of duties conflicts are identified, second

An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation?
Select an answer:
A. Log all table update transactions.

B. Implement integrity constraints in the

You are correct, the answer is B.
Implementing integrity constraints in the database is a preventive control because data are checked against predefined tables or rules, which prevents any undefined data from being entered. Logging all table update transa

Which of the following will prevent dangling tuples in a database?
Select an answer:
A. Cyclic integrity
B. Domain integrity
C. Relational integrity

D. Referential integrity

You are correct, the answer is D.
Referential integrity ensures that a foreign key in one table will equal null or the value of a primary key in the other table. For every tuple in a table having a referenced/foreign key, there should be a corresponding tuple

The goal of IT risk analysis is to:
Select an answer:
A. enable the alignment of IT risk management with enterprise risk management (ERM).
B. enable the prioritization of risk responses.
C. satisfy legal and regulatory compliance requirements.

D. identify

You answered A. The correct answer is B.
A. Aligning IT risk management with ERM is important to ensure the cost-effectiveness of the overall risk management process. However, risk analysis does not enable such an alignment.

B. Risk analysis is a process

What control detects transmission errors by appending calculated bits onto the end of each segment of data?
Select an answer:
A. Reasonableness check
B. Parity check
C. Redundancy check

D. Check digits

You answered D. The correct answer is C.
A redundancy check detects transmission errors by appending calculated bits onto the end of each segment of data. A reasonableness check compares data to predefined reasonability limits or occurrence rates establis

IT management has decided to install a level 1 Redundant Array of Inexpensive Disks (RAID) system in all servers to compensate for the elimination of offsite backups. The IS auditor should recommend:
Select an answer:
A. upgrading to a level 5 RAID.

B. in

You answered A. The correct answer is C.
A RAID system, at any level, will not protect against a natural disaster. The problem will not be alleviated without offsite backups, more frequent onsite backups or even setting up a cold site. Choices A, B and D

In regard to moving an application program from the test environment to the production environment, the BEST control would be to have the:
Select an answer:

A. application programmer copy the source program and compiled object module to the production lib

You answered B. The correct answer is D.
The best control would be provided by having the production control group copy the source program to the production libraries and then compile the program.

An IS auditor reviewing an organization's IT strategic plan should FIRST review:
Select an answer:
A. the existing IT environment.
B. the business plan.
C. the present IT budget.

D. current technology trends.

You are correct, the answer is B.
The IT strategic plan exists to support the organization's business plan. To evaluate the IT strategic plan, an IS auditor would first need to familiarize themselves with the business plan.

An offsite information processing facility with electrical wiring, air conditioning and flooring, but no computer or communications equipment, is a:
Select an answer:
A. cold site.
B. warm site.
C. dial-up site.

D. duplicate processing facility.

You answered B. The correct answer is A.
A cold site is ready to receive equipment but does not offer any components at the site in advance of the need. A warm site is an offsite backup facility that is partially configured with network connections and se

Data flow diagrams are used by IS auditors to:
Select an answer:
A. order data hierarchically.
B. highlight high-level data definitions.
C. graphically summarize data paths and storage.

D. portray step-by-step details of data generation.

You are correct, the answer is C.
Data flow diagrams are used as aids to graph or chart data flow and storage. They trace the data from its origination to destination, highlighting the paths and storage of data. They do not order data in any hierarchy. Th

Which of the following is the BEST method for determining the criticality of each application system in the production environment?
Select an answer:
A. Interview the application programmers.
B. Perform a gap analysis.

C. Review the most recent applicatio

You answered A. The correct answer is D.
A BIA will give the impact of the loss of each application. Interviews with the application programmers will provide limited information related to the criticality of the systems. A gap analysis is only relevant to

During a security audit of IT processes, an IS auditor found that documented security procedures did not exist. The IS auditor should:
Select an answer:
A. create the procedures document.
B. terminate the audit.
C. conduct compliance testing.

D. identify

You are correct, the answer is D.
One of the main objectives of an audit is to identify potential risk; therefore, the most proactive approach would be to identify and evaluate the existing security practices being followed by the organization. IS auditor

Responsibility for the governance of IT should rest with the:
Select an answer:
A. IT strategy committee.
B. chief information officer (CIO).
C. audit committee.

D. board of directors.

You answered A. The correct answer is D.
Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk

An IS auditor discovers that, in many cases, a username and password are the same, which is contrary to policy. What is the BEST recommendation?
Select an answer:
A. Modify the enterprise's security policy.

B. Educate users about the risk of weak password

You are correct, the answer is D.
The best control is a preventive control through validation at the time the password is created or changed. Changing the enterprise's security policy and educating users about the risk of weak passwords provide only infor

While conducting an audit, an IS auditor detects the presence of a virus. What should be the IS auditor's next step?
Select an answer:
A. Observe the response mechanism.
B. Clear the virus from the network.
C. Inform appropriate personnel immediately.

D.

You are correct, the answer is C.
The first thing an IS auditor should do after detecting the virus is to alert the organization to its presence, then wait for their response. Choice A should be taken after choice C. This will enable an IS auditor to exam

An IS auditor is reviewing a large financial institution's process of remotely managing network devices over the Internet. The IS auditor should be MOST concerned if:
Select an answer:
A. shared credentials are used.
B. no login banner is displayed.

C. Te

You answered A. The correct answer is C.
A. Shared credentials for network devices do not allow for accountability. However, the use of Telnet is a greater risk.

B. Normally a login banner should indicate to unauthorized personnel that access is forbidden

During the collection of forensic evidence, which of the following actions would MOST likely result in the destruction or corruption of evidence on a compromised system?
Select an answer:
A. Dumping the memory content to a file

B. Generating disk images o

You are correct, the answer is C.
Rebooting the system may result in a change in the system state and the loss of files and important evidence stored in memory. The other choices are appropriate actions for preserving evidence.

An IS auditor is testing employee access to a large financial system. The IS auditor selected a sample from the current employee list provided by the auditee. Which of the following evidence is the MOST reliable to support the testing?
Select an answer:

A

You are correct, the answer is C.
The access list generated by the system is the most reliable because it is the most objective evidence to perform a comparison against the samples selected. The evidence is objective because it was generated by the system

During which of the following phases in system development would user acceptance test plans normally be prepared?
Select an answer:
A. Feasibility study
B. Requirements definition
C. Implementation planning

D. Postimplementation review

You are correct, the answer is B.
During requirements definition, the project team will be working with the users to define their precise objectives and functional needs. At this time, the users should be working with the team to consider and document how

Which of the following would have the HIGHEST priority in a business continuity plan (BCP)?
Select an answer:
A. Resuming critical processes
B. Recovering sensitive processes
C. Restoring the site

D. Relocating operations to an alternative site

You are correct, the answer is A.
The resumption of critical processes has the highest priority as it enables business processes to begin immediately after the interruption and not later than the declared mean time between failure (MTBF). Recovery of sens

After installing a network, an organization implemented a vulnerability assessment tool or security scanner to identify possible weaknesses. Which is the MOST serious risk associated with such tools?
Select an answer:
A. Differential reporting

B. False-po

You answered B. The correct answer is C.
False-negative reporting on weaknesses means the control weaknesses in the network are not identified and therefore may not be addressed, leaving the network vulnerable to attack. False-positive reporting is one in

During a human resources (HR) audit, an IS auditor is informed that there is a verbal agreement between the IT and HR departments as to the level of IT services expected. In this situation, what should the IS auditor do FIRST?
Select an answer:

A. Postpon

You answered B. The correct answer is C.
An IS auditor should first confirm and understand the current practice before making any recommendations. The agreement can be documented after it has been established that there is an agreement in place. The fact

Which of the following is the BEST reason to implement a policy which addresses secondary employment for IT employees?
Select an answer:
A. To ensure that employees are not misusing corporate resources
B. To prevent conflicts of interest

C. To prevent emp

You answered D. The correct answer is B.
The best reason to implement and enforce a policy governing secondary employment is to prevent conflicts of interest. Conflicts of interest could result in serious risk such as fraud, theft of intellectual property

An IS auditor uses computer-assisted audit techniques (CAATs) to collect and analyze data. Which of the following attributes of evidence is MOST affected by the use of CAATs?
Select an answer:
A. Usefulness
B. Reliability
C. Relevance

D. Adequacy

You answered A. The correct answer is B.
A. Usefulness of audit evidence pulled by CAATs is determined by the audit objective, and the use of CAATs does not have as direct of an impact on usefulness as reliability does.

B. Because the data are directly co

An IS auditor is reviewing database security for an organization. Which of the following is the MOST important consideration for database hardening?
Select an answer:
A. The default configurations are changed.

B. All tables in the database are normalized.

You are correct, the answer is A.
Default database configurations, such as default passwords and services, need to be changed; otherwise, the database could be easily compromised by malicious code and by intruders. Choice B is not correct because it is re

A company undertakes a business process reengineering (BPR) project in support of a new and direct marketing approach to its customers. Which of the following would be an IS auditor's main concern about the new process?
Select an answer:

A. Whether key co

You answered D. The correct answer is A.
The audit team must advocate the inclusion of the key controls and verify that the controls are in place before implementing the new process. Choices B, C and D are objectives that the BPR process should achieve, b

A start-up company has a policy that requires strong encryption of all tape backups. As the volume of data has grown, the time necessary to back up all data has become operationally unacceptable. Which of the following is the BEST recommendation to fix th

You answered D. The correct answer is B.
A. While running backups without encryption would solve the performance issue, this does not meet security requirements.

B. The primary benefit of performing data classification is so that the appropriate security

Which of the following controls would be MOST effective in ensuring that production source code and object code are synchronized?
Select an answer:
A. Release-to-release source and object comparison reports

B. Library control software restricting changes

You are correct, the answer is D.
Date and time-stamp reviews of source and object code would ensure that source code, which has been compiled, matches the production object code. This is the most effective way to ensure that the approved production sourc

Which of the following security measures BEST ensures the integrity of information stored in a data warehouse?
Select an answer:
A. Validated daily backups
B. Change management procedures
C. Data dictionary maintenance

D. A read-only restriction

You are correct, the answer is D.
Applying read-only restrictions to historical information prevents data manipulation. Backups address availability, not integrity. Adequate change management and data dictionary maintenance procedures provide the integrit

Applying a digital signature to data traveling in a network provides:
Select an answer:
A. confidentiality and integrity.
B. security and nonrepudiation.
C. integrity and nonrepudiation.

D. confidentiality and nonrepudiation.

You are correct, the answer is C.
The process of applying a mathematical algorithm to the data that travel in the network and placing the results of this operation with the hash data is used for controlling data integrity, since any unauthorized modificat

In a relational database with referential integrity, the use of which of the following keys would prevent deletion of a row from a customer table as long as the customer number of that row is stored with live orders on the orders table?
Select an answer:

You are correct, the answer is A.
In a relational database with referential integrity, the use of foreign keys would prevent events such as primary key changes and record deletions, resulting in orphaned relations within the database. It should not be pos

An IS auditor reviewing the implementation of an intrusion detection system (IDS) should be MOST concerned if:
Select an answer:
A. IDS sensors are placed outside of the firewall.
B. a behavior-based IDS is causing many false alarms.

C. a signature-based

You answered B. The correct answer is D.
An IDS cannot detect attacks within encrypted traffic, and it would be a concern if someone were misinformed and thought that the IDS could detect attacks in encrypted traffic. An organization can place sensors out

A sender of an email message applies a digital signature to the digest of the message. This action provides assurance of the:
Select an answer:
A. date and time stamp of the message.
B. identity of the originating computer.

C. confidentiality of the messa

You are correct, the answer is D.
The signature on the digest can be used to authenticate the sender. It does not provide assurance of the date and time stamp or the identity of the originating computer. Digitally signing an email message does not prevent

Which of the following should an IS auditor review to understand project progress in terms of time, budget and deliverables for early detection of possible overruns and for projecting estimates at completion (EACs)?
Select an answer:

A. Function point ana

You answered D. The correct answer is B.
EVA is an industry standard method for measuring a project's progress at any given point in time, forecasting its completion date and final cost, and analyzing variances in the schedule and budget as the project pr

Which of the following is the BEST way to satisfy a two-factor user authentication?
Select an answer:
A. A smart card requiring the user's personal identification number (PIN)
B. User ID along with password
C. Iris scanning plus fingerprint scanning

D. A

You answered D. The correct answer is A.
A smart card addresses what the user has. This is generally used in conjunction with testing what the user knows, e.g., a keyboard password or PIN. An ID and password, what the user knows, is a single-factor user a

Which of the following are the MOST important considerations when prioritizing the development of controls and countermeasures?
Select an answer:
A. Likelihood and impact
B. Impact and exposure
C. Criticality and sensitivity

D. Value and classification

You answered C. The correct answer is A.
A. The likelihood that a compromise will occur and the impact of that compromise are the two most important factors in determining risk, which in turn drives the development of controls and countermeasures.

B. Impa

Which of the following would BEST help to prioritize project activities and determine the timeline for a project?
Select an answer:
A. A Gantt chart
B. Earned value analysis (EVA)
C. Program evaluation review technique (PERT)

D. Function point analysis (F

You are correct, the answer is C.
The PERT method works on the principle of obtaining project timelines based on project events for three likely scenarios (worst, best, normal). The timeline is calculated by a predefined formula and identifies the critica

During the review of a biometrics system operation, an IS auditor should FIRST review the stage of:
Select an answer:
A. enrollment.
B. identification.
C. verification.

D. storage.

You answered B. The correct answer is A.
The users of a biometrics device must first be enrolled in the device. The device captures a physical or behavioral image of the human, identifies the unique features and uses an algorithm to convert them into a st

In regard to moving an application program from the test environment to the production environment, the BEST control would be to have the:
Select an answer:

A. application programmer copy the source program and compiled object module to the production lib

You answered A. The correct answer is D.
The best control would be provided by having the production control group copy the source program to the production libraries and then compile the program.

The GREATEST advantage of rapid application development (RAD) over the traditional system development life cycle (SDLC) is that it:
Select an answer:
A. facilitates user involvement.
B. allows early testing of technical features.

C. facilitates conversion

You are correct, the answer is D.
The greatest advantage of RAD is the shorter time frame for the development of a system. Choices A and B are true, but they are also true for the traditional systems development life cycle. Choice C is not necessarily alw

The goal of IT risk analysis is to:
Select an answer:
A. enable the alignment of IT risk management with enterprise risk management (ERM).
B. enable the prioritization of risk responses.
C. satisfy legal and regulatory compliance requirements.

D. identify

You are correct, the answer is B.
A. Aligning IT risk management with ERM is important to ensure the cost-effectiveness of the overall risk management process. However, risk analysis does not enable such an alignment.

B. Risk analysis is a process by whic

Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit?
Select an answer:
A. Contingency planning
B. IS management resource allocation
C. Project management

D. Knowledge of inte

You are correct, the answer is C.
A. Contingency planning is often associated with the organization's operations. IS auditors should have knowledge of contingency planning techniques.

B. IS managers are responsible for resource management of their dep

Which of the following would BEST help to detect errors in data processing?
Select an answer:
A. Programmed edit checks
B. Well-designed data entry screens
C. Segregation of duties

D. Hash totals

You answered C. The correct answer is D.
The use of hash totals is an effective method to reliably detect errors in data processing. Automated controls such as programmed edit checks or well-designed data entry screens are preventive controls. Enforcing s

Which of the following is a PRIMARY objective of an acceptable use policy?
Select an answer:
A. Creating awareness about the secure use of proprietary resources
B. Ensuring compliance with information security policies

C. Defining sanctions for noncomplia

You answered A. The correct answer is D.
A. Employee orientations and user awareness training are the most effective processes to raise user awareness about the acceptable use of proprietary IT resources. The acceptable use policy is one of the topics cov

In the process of evaluating program change controls, an IS auditor would use source code comparison software to:
Select an answer:
A. examine source program changes without information from IS personnel.

B. detect a source program change made between acq

You answered B. The correct answer is A.
When an IS auditor uses a source code comparison to examine source program changes without information from IS personnel, the IS auditor has an objective, independent and relatively complete assurance of program ch

An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?
Select an answer:
A. Delete all copies of the unauthorized software.

B.

You answered B. The correct answer is C.
The use of unauthorized or illegal software should be prohibited by an organization. Software piracy results in exposure and can result in severe fines. An IS auditor must convince the user and user management of t

An IS auditor reviewing a new outsourcing contract with a service provider would be MOST concerned if which of the following was missing?
Select an answer:
A. A clause providing a "right to audit" service provider

B. A clause defining penalty payments for

You are correct, the answer is A.
The absence of a "right to audit" clause would potentially prevent the auditor from investigating any aspect of supplier performance moving forward, including control deficiencies, poor performance and adherence to legal

An IS auditor is reviewing changes to a company's disaster recovery (DR) strategy. The IS auditor notices that the recovery point objective (RPO) has been shortened for the company's mission-critical application. What is the MOST significant risk of this

You are correct, the answer is C.
The RPO is defined in the glossary of the CISA Review Manual as "the earliest point in time to which it is acceptable to recover the data." If backups are not performed frequently enough to meet the new RPO, a risk is cre

When reviewing a hardware maintenance program, an IS auditor should assess whether:
Select an answer:
A. the schedule of all unplanned maintenance is maintained.
B. it is in line with historical trends.

C. it has been approved by the IS steering committee

You answered C. The correct answer is D.
Although maintenance requirements vary based on complexity and performance workloads, a hardware maintenance schedule should be validated against the vendor-provided specifications. For business reasons, an organiz

To ensure message integrity, confidentiality and nonrepudiation between two parties, the MOST effective method would be to create a message digest by applying a cryptographic hashing algorithm against:
A. the entire message, enciphering

The correct answer is A.
Applying a cryptographic hashing algorithm against the entire message addresses the message integrity issue. Enciphering the message digest using the sender's private key addresses nonrepudiation. Encrypting the me

An IS auditor evaluating logical access controls should FIRST:
A. document the controls applied to the potential access paths to the system.
B. test controls over the access paths to determine if they are functional.
C. evaluate the secu

The correct answer is D.
When evaluating logical access controls, an IS auditor should first obtain an understanding of the security risk facing information processing by reviewing relevant documentation, by inquiries, and by conducting a

Which of the following activities should the business continuity manager perform FIRST after the replacement of hardware at the primary information processing facility?
A. Verify compatibility with the hot site
B. Review the implementati

The correct answer is D.
An IT assets inventory is the basic input for the business continuity/disaster recovery plan, and the plan must be updated to reflect changes in the IT infrastructure. The other choices are procedures required to u

The PRIMARY objective of conducting a postimplementation review for a business process automation project is to:
A. ensure that the project meets the intended business requirements.
B. evaluate the adequacy of controls.
C. confirm compli

The correct answer is A.
A. Ensuring that the project meets the intended business requirements is the primary objective of a postimplementation review.
B. Evaluating the adequacy of controls may be part of the review, but is not the primary objec

An IS auditor reviewing an organization that uses cross-training practices should assess the risk of:
A. dependency on a single person.
B. inadequate succession planning.
C. one person knowing all parts of a system.
D. a disruption of op

The correct answer is C.
Cross-training is a process of training more than one individual to perform a specific job or procedure. This practice helps decrease the dependence on a single person and assists in succession planning. This provides for

To ensure that audit resources deliver the best value to the organization, the FIRST step would be to:
A. schedule the audits and monitor the time spent on each audit.
B. train the IS audit staff on current technology used in the company

The correct answer is C.
Monitoring the time (choice A) and audit programs (choice D), as well as adequate training (choice B), will improve the IS audit staff's productivity (efficiency and performance), but that which delivers value to t

To verify that the correct version of a data file was used for a production run, an IS auditor should review:
A. operator problem reports.
B. operator work schedules.
C. system logs.
D. output distribution reports.

The correct answer is C.
System logs are automated reports which identify most of the activities performed on the computer. Programs that analyze the system log have been developed to report on specifically defined items. The auditor can t

Which of the following BEST indicates that a business continuity plan (BCP) will function as intended in the event of a disaster?
A. Enforced procedures for regular plan updates
B. A tabletop exercise with disaster scenarios
C. A compreh

The correct answer is B.
A. While recovery plans should be kept current, the use of a tabletop exercise to test the plan is a better option because it involves people and processes.
B. A tabletop exercise is used to test the effectiveness of a BC

An IS auditor has found time constraints and expanded needs to be the root causes for recent violations of corporate data definition standards in a new business intelligence project. Which of the following is the MOST appropriate suggestion for an auditor

The correct answer is A.
Provided that data architecture, technical, and operational requirements are sufficiently documented, the alignment to standards could be treated as a specific work package assigned to new project resources. The us

With the help of a security officer, granting access to data is the responsibility of:
A. data owners.
B. programmers.
C. system analysts.
D. librarians.

The correct answer is A.
Data owners are responsible for the use of data. Written authorization for users to gain access to computerized information should be provided by the data owners. Security administration with the owners' approval sets up

Which of the following is the MOST effective type of antivirus software?
A. Scanners
B. Active monitors
C. Integrity checkers
D. Vaccines

The correct answer is C.
Integrity checkers compute a binary number on a known virus-free program that is then stored in a database file. This number is called a cyclical redundancy check (CRC). When that program is called to execute, the

An IS auditor at a bank is performing compliance testing and has discovered that one of the branches has virus signatures that have not been updated in over six months. In this case, the IS auditor should recommend:
A. security awareness

The correct answer is B.
An automated process is a holistic solution across the branches. While security awareness and education are important, they would not resolve the issue of the outdated signatures. Reconfiguration of the firewall and imple

An IS auditor is reviewing a contract management process to determine the financial viability of a software vendor for a critical business application. An IS auditor should determine whether the vendor being considered:
A. can deliver on

The correct answer is D.
The long-term financial viability of a vendor is essential for deriving maximum value for the organization; it is more likely that a financially sound vendor would be in business for a long period of time. The capab

After implementation of a disaster recovery plan, predisaster and postdisaster operational costs for an organization will:
A. decrease.
B. not change (remain the same).
C. increase.
D. increase or decrease depending upon the nature of th

The correct answer is C.
There are costs associated with all activities and a disaster recovery plan is not an exception. Although there are costs associated with a disaster recovery plan, there are unknown costs that are incurred if a disaster r

The use of object-oriented design and development techniques would MOST likely:
A. facilitate the ability to reuse modules.
B. improve system performance.
C. enhance control effectiveness.
D. speed up the system development life cycle.

The correct answer is A.
One of the major benefits of object-oriented design and development is the ability to reuse modules. The other options do not normally benefit from the object-oriented technique.

Although management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should:
A. include the statement of management in the audit re

The correct answer is B.
When there is an indication that an organization might be using unlicensed software, the IS auditor should obtain sufficient evidence before including it in the report. With respect to this matter, representations obtaine

An IS auditor is planning an audit of a bank wire transfer system in the context of a regulation that requires banks to accurately report transactions. Which of the following represents the PRIMARY focus of the audit scope?
A. Data avail

The correct answer is D.
Integrity represents accuracy of data and confidentiality represents availability of data to the customers or persons authorized by customers. Although choices A, B and C are important, they are not as important in this c

The application systems of an organization using open-source software have no single recognized developer producing patches. Which of the following would be the MOST secure way of updating open-source software?
A. Rewrite the patches and

The correct answer is D.
Suitable patches from the existing developers should be selected and tested before applying them.
Rewriting the patches and applying them is not a correct answer because it would require skilled resources and time to rewr

An IS auditor performing an application maintenance audit would review the log of program changes for the:
A. authorization of program changes.
B. creation date of a current object module.
C. number of program changes actually made.
D. c

The correct answer is A.
The manual log will most likely contain information on authorized changes to a program. Deliberate, unauthorized changes will not be documented by the responsible party. An automated log, found usually in library m

Which of the following is an object-oriented technology characteristic that permits an enhanced degree of security over data?
A. Inheritance
B. Dynamic warehousing
C. Encapsulation
D. Polymorphism

The correct answer is C.
Encapsulation is a property of objects, and it prevents accessing either properties or methods that have not been previously defined as public. This means that any implementation of the behavior of an object is not

A database administrator has detected a performance problem with some tables which could be solved through denormalization. This situation will increase the risk of:
A. concurrent access.
B. deadlocks.
C. unauthorized access to data.
D.

The correct answer is D.
Normalization is the removal of redundant data elements from the database structure. Disabling normalization in relational databases will create redundancy and a risk of not maintaining consistency of data, with th

Which one of the following could be used to provide automated assurance that proper data files are being used during processing?
A. Internal labeling, including file header records
B. Version usage
C. Parity checking
D. File security con

The correct answer is A.
Internal labeling, including file header records, is correct because it can provide assurance that proper data files are being used and it allows for automatic checking. Version usage is not correct because this ma

The GREATEST risk from an improperly implemented intrusion prevention system (IPS) is:
A. that there will be too many alerts for system administrators to verify.
B. decreased network performance due to IPS traffic.
C. the blocking of cri

The correct answer is C.
An IPS prevents a connection or service based on how it is programmed to react to specific incidents. If the packets are coming from a spoofed address and the IPS is triggered based on previously defined behavior, it may

An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation?
A. Log all table update transactions.
B. Implement integrity constraints in the

The correct answer is B.
Implementing integrity constraints in the database is a preventive control because data are checked against predefined tables or rules, which prevents any undefined data from being entered. Logging all table update transa

A manufacturing firm wants to automate its invoice payment system. Objectives state that the system should require considerably less time for review and authorization, and the system should be capable of identifying errors that require follow up. Which of

The correct answer is C.
EDI is the best answer. Properly implemented (e.g., agreements with trading partners transaction standards, controls over network security mechanisms in conjunction with application controls), EDI is best suited to

The computer security incident response team (CSIRT) of an organization disseminates detailed descriptions of recent threats. An IS auditor's GREATEST concern should be that the users may:
A. use this information to launch attacks.
B. fo

The correct answer is A.
An organization's CSIRT should disseminate recent threats, security guidelines and security updates to the users to assist them in understanding the security risk of errors and omissions. However, this introduces the risk

Which of the following is an advantage of the top-down approach to software testing?
A. Interface errors are identified early.
B. Testing can be started before all programs are complete.
C. It is more effective than other testing approac

The correct answer is A.
The advantage of the top-down approach is that tests of major functions are conducted early, thus enabling the detection of interface errors sooner. The most effective testing approach is dependent on the environme

An IS auditor is assessing a biometric system used to protect physical access to a data center containing regulated data. Which of the following observations is the GREATEST concern to the auditor?
A. Administrative access to the biometr

The correct answer is C.
A. Generally, VPN software provides a secure tunnel so that remote administration functions can be performed. This is not a concern.
B. Biometric scanners are best located in restricted areas to prevent tampering,

An IS auditor is evaluating processes put in place by management at a storage location containing computer equipment. One of the test procedures compares the equipment on location with the inventory records. This type of testing procedure executed by the

The correct answer is A.
A. Substantive testing obtains audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period.
B. Compliance testing is evidence gathering for the purpose of testing

When reviewing a project where quality is a major concern, an IS auditor should use the project management triangle to explain that:
A. increases in quality can be achieved, even if resource allocation is decreased.
B. increases in quali

The correct answer is A.
The three primary dimensions of a project are determined by the deliverables, the allocated resources and the delivery time. The area of the project management triangle, comprised of these three dimensions, is fixe

Which of the following would be the BEST access control procedure?
A. The data owner formally authorizes access and an administrator implements the user authorization tables.
B. Authorized staff implements the user authorization tables a

The correct answer is A.
The data owner holds the privilege and responsibility for formally establishing the access rights. An IS administrator should then implement or update user authorization tables. Choice B alters the desirable order.

An organization is using symmetric encryption. Which of the following would be a valid reason for moving to asymmetric encryption? Symmetric encryption:
A. provides authenticity.
B. is faster than asymmetric encryption.
C. can cause key

The correct answer is C.
In a symmetric algorithm, each pair of users needs a unique pair of keys, so the number of keys grows and key management can become overwhelming. Symmetric algorithms do not provide authenticity, and symmetric encr

During an audit of a small company that provides medical transcription services, an IS auditor observes several issues related to the backup and restore process. Which of the following should be the auditor's GREATEST concern?
A. Restora

The correct answer is C.
A. Lack of restoration testing does not increase the risk of unauthorized leakage of information. Not performing restoration tests on backup tapes poses a risk; however, this risk is somewhat mitigated because past

When planning to add personnel to tasks imposing time constraints on the duration of a project, which of the following should be revalidated FIRST?
A. The project budget
B. The critical path for the project
C. The length of the remaining

The correct answer is B.
Since adding resources may change the route of the critical path, the critical path must be reevaluated to ensure that additional resources will in fact shorten the project duration. Given that there may be slack t

ABC Inc. offers a number of services through its web site. During one day, senior executives of ABC Inc. were surprised to discover that sensitive data on their servers were being leaked to unauthorized individuals on the Internet. Postincident investigati

The correct answer is C.
Unusual traffic captured via an intrusion detection system (IDS) or via filtering logs of the firewall is indicative of malware presence. When testing an application, it is common to perform network testing to iden

The PRIMARY objective of business continuity and disaster recovery plans should be to:
A. safeguard critical IS assets.
B. provide for continuity of operations.
C. minimize the loss to an organization.
D. protect human life.

The correct answer is D.
Since human life is invaluable, the main priority of any business continuity and disaster recovery plan should be to protect people. All other priorities are important but are secondary objectives of a business continuity

Which of the following software testing methods provides the BEST feedback on how software will perform in the live environment?
A. Alpha testing
B. Regression testing
C. Beta testing
D. White box testing

The correct answer is C.
A. Alpha testing is often performed only by users within the organization developing the software. Alpha testing generally involves a software version that does not contain all the features of the final product and may be

A database administrator (DBA) who needs to make emergency changes to a database after normal working hours should log in:
A. with their named account to make the changes.
B. with the shared DBA account to make the changes.
C. to the ser

The correct answer is A.
Logging in using the named user account before using the DBA account provides accountability by noting the person making the changes. The DBA account is typically a shared user account. The shared account makes it difficu

An IS auditor selects a server for a penetration test that will be carried out by a technical specialist. Which of the following is MOST important?
A. The tools used to conduct the test
B. Certifications held by the IS auditor
C. Permiss

The correct answer is C.
The data owner should be informed of the risk associated with a penetration test, what types of tests are to be conducted and other relevant details. All other choices are not as important as the data owner's responsibili

The PRIMARY objective of implementing corporate governance is to:
A. provide strategic direction.
B. control business operations.
C. align IT with business.
D. implement best practices.

The correct answer is A.
Corporate governance is a set of management practices to provide strategic direction, thereby ensuring that goals are achievable, risk is properly addressed and organizational resources are properly utilized. Hence, the p

During an IS audit of a bank, the IS auditor is assessing whether the enterprise properly manages staff member access to the operating system. The IS auditor should determine whether the enterprise performs:
A. periodic review of user ac

The correct answer is A.
General operating system access control functions include logging user activities, events, etc. Choice B is a database- and/or an application-level access control function. Choice C is a network control feature. Ch

During fieldwork, an IS auditor experienced a system crash caused by a security patch installation. To provide reasonable assurance that this event will not recur, the IS auditor should ensure that:
A. only systems administrators perform

The correct answer is B.
The change management process, which would include procedures regarding implementing changes during production hours, helps to ensure that this type of event does not recur. An IS auditor should review the change manageme

A company has contracted with an external consulting firm to implement a commercial financial system to replace its existing system developed in-house. In reviewing the proposed development approach, which of the following would be of GREATEST concern?

The correct answer is B.
A quality plan is an essential element of all projects. It is critical that the contracted supplier be required to produce such a plan. The quality plan for the proposed development contract should be comprehensive and en

An online stock trading firm is in the process of implementing a system to provide secure email exchange with its customers. What is the BEST option to ensure confidentiality, integrity and nonrepudiation?
A. Symmetric key encryption
B.

The correct answer is D.
A digital certificate contains the public key and identifying information about the owner of the public key. The associated private key pair is kept secret with the owner. These certificates are generally verified by a tr

Which of the following biometrics has the HIGHEST reliability and lowest false-acceptance rate (FAR)?
A. Palm scan
B. Face recognition
C. Retina scan
D. Hand geometry

The correct answer is C.
Retina scan uses optical technology to map the capillary pattern of an eye's retina. This is highly reliable and has the lowest FAR among the current biometric methods. Use of palm scanning entails placing a hand on a sca

The ability to recognize a potential security incident is:
A. the primary responsibility of security personnel.
B. not important because many types of incidents could involve security.
C. supported by detailed policies.
D. required of al

The correct answer is D.
A. The skill of recognizing potential security incidents should NOT be limited to security staff. While security staff may be more proficient in determining whether an incident is a problem, all employees should have the

Information for detecting unauthorized input from a terminal would be BEST provided by the:
A. console log printout.
B. transaction journal.
C. automated suspense file listing.
D. user error report.

The correct answer is B.
The transaction journal would record all transaction activity, which then could be compared to the authorized source documents to identify any unauthorized input. A console log printout is not the best, because it

What is the MAJOR benefit of conducting a control self-assessment (CSA) over a traditional audit?
A. It detects risk sooner.
B. It replaces the audit function.
C. It reduces audit workload.
D. It reduces audit resources.

The correct answer is A.
A. CSAs require employees to assess the control stature of their own function. CSAs help increase the understanding of business risk and internal controls. Because they are conducted more frequently than audits, CSAs help

An organization allows employees to connect company laptops to company-controlled wireless access points. To prevent unauthorized access to the organization's internal network, the BEST preventive control is to:
A. enable media access co

The correct answer is D.
A. Enabling MAC filtering does not prevent mobile devices from connecting to unauthorized access points. MAC filters prevent unauthorized systems from connecting to the company's wireless access point. They do not prevent

Which of the following components is responsible for the collection of data in an intrusion detection system (IDS)?
A. Analyzer
B. Administration console
C. User interface
D. Sensor

The correct answer is D.
Sensors are responsible for collecting data. Analyzers receive input from sensors and determine intrusive activity. An administration console and a user interface are components of an IDS.

For effective implementation after a business continuity plan (BCP) has been developed, it is MOST important that the BCP be:
A. stored in a secure, offsite facility.
B. approved by senior management
C. communicated to appropriate person

The correct answer is C.
The implementation of a BCP will be effective only if appropriate personnel are informed and aware of all the aspects of the BCP. The BCP, if kept in a safe place, will not reach the users; users will never impleme

An organization is disposing of a number of laptop computers. Which of the following data destruction methods would be the MOST effective?
A. Run a low-level data wipe utility on all hard drives.
B. Erase all data file directories.
C. Fo

The correct answer is D.
The most effective method is physical destruction. Running a low-level data wipe utility may leave some residual data that could be recovered; erasing data directories and formatting hard drives are easily reversed, expos

Which of the following is the MOST likely reason an organization implements an emergency change to an application using the emergency change control process?
A. The application owner requested new functionality.
B. Changes are developed

The correct answer is C.
A. Requests for new functionality by the application owner generally follow normal change control procedures, unless they have an impact on the business function.
B. The agile system development methodology breaks down pr

The FIRST step in a successful attack to a system would be:
A. gathering information.
B. gaining access.
C. denying services.
D. evading detection.

The correct answer is A.
Successful attacks start by gathering information about the target system. This is done in advance so that the attacker gets to know the target systems and their vulnerabilities. All of the other choices are based on the

Which of the following is the BEST control to mitigate the risk of pharming attacks to an Internet banking application?
A. User registration and password policies
B. User security awareness
C. Use of intrusion detection/intrusion prevent

The correct answer is D.
The pharming attack redirects the traffic to an unauthorized web site by exploiting vulnerabilities of the DNS server. In order to avoid this kind of attack, it is necessary to eliminate any known vulnerability that could

A perpetrator looking to gain access to and gather information about encrypted data being transmitted over the network would use:
A. eavesdropping.
B. spoofing.
C. traffic analysis.
D. masquerading.

The correct answer is C.
In traffic analysis, which is a passive attack, an intruder determines the nature of the traffic flow between defined hosts and through an analysis of session length, frequency and message length, and the intruder is able

A new business application has been designed in a large, complex organization and the business owner has requested that the various reports be viewed on a "need to know" basis. Which of the following access control methods would be the BEST method to achi

The correct answer is B.
Role-based access control would be the best method to allow users to view reports on a need-to-know basis. While the other options could achieve the same goal, they would most likely be more difficult to implement and mai

Which of the following would normally be the MOST reliable evidence for an IS auditor?
A. A confirmation letter received from a third party verifying an account balance
B. Assurance from line management that an application is working as

The correct answer is A.
Evidence obtained from independent third parties almost always is considered to be the most reliable. Choices B, C and D would not be considered as reliable as choice A.

Before implementing an IT balanced scorecard (BSC), an organization must:
A. deliver effective and efficient services.
B. define key performance indicators.
C. provide business value to IT projects.
D. control IT expenses.

The correct answer is B.
A definition of key performance indicators is required before implementing an IT BSC. Choices A, C and D are objectives.

The BEST filter rule for protecting a network from being used as an amplifier in a denial of service (DoS) attack is to deny all:
A. outgoing traffic with IP source addresses external to the network.
B. incoming traffic with discernible

The correct answer is A.
Outgoing traffic with an IP source address different than the IP range in the network is invalid. In most of the cases, it signals a DoS attack originated by an internal user or by a previously compromised internal

When reviewing an organization's strategic IT plan an IS auditor should expect to find:
A. an assessment of the fit of the organization's application portfolio with business objectives.
B. actions to reduce hardware procurement cost.
C.

The correct answer is A.
An assessment of how well an organization's application portfolio supports the organization's business objectives is a key component of the overall IT strategic planning process. This drives the demand side of IT planning

Vendors have released patches fixing security flaws in their software. Which of the following should an IS auditor recommend in this situation?
A. Assess the impact of patches prior to installation.
B. Ask the vendors for a new software

The correct answer is A.
The effect of installing the patch should be immediately evaluated and installation should occur based on the results of the evaluation. To install the patch without knowing what it might affect could easily cause problem

An enterprise is developing a strategy to upgrade to a newer version of its database software. Which of the following tasks can an IS auditor perform without compromising the objectivity of the IS audit function?
A. Advise on the adoptio

The correct answer is D.
Of the options presented, only the review of the test cases will facilitate the objective. Independence could be compromised if the IS auditor advises on the adoption of specific application controls. Independence

The purpose of a checksum on an amount field in an electronic data interchange (EDI) communication of financial transactions is to ensure:
Select an answer:
A. integrity.
B. authenticity.
C. authorization.
D. nonrepudiation.

You are correct, the answer is A.
A checksum calculated on an amount field and included in the EDI communication can be used to identify unauthorized modifications. Authenticity and authorization cannot be established by a checksum alone and need other co
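The distinction in the explanation above (a checksum detects modification but cannot tell you who sent the record) is easy to see in code. The following Python is an added example, not part of the ISACA material: the EDI record layout, the choice of CRC-32 as the checksum and the shared trading-partner key are all constructed for illustration. It shows that a bit-flip in transit is caught by the checksum, that a deliberate change survives it because anyone can recompute a keyless checksum, and that a keyed MAC over the record is the additional control that catches the forgery.

```python
"""Checksum versus keyed MAC on an EDI amount field (added example, constructed data)."""
import hashlib
import hmac
import zlib
from typing import Dict


def amount_checksum(amount: str) -> str:
    """Integrity-only check: CRC-32 of the amount field, as the sender might append."""
    return format(zlib.crc32(amount.encode("ascii")) & 0xFFFFFFFF, "08x")


def build_record(invoice: str, amount: str) -> Dict[str, str]:
    """Constructed EDI-style record carrying its own amount checksum."""
    return {"invoice": invoice, "amount": amount, "checksum": amount_checksum(amount)}


def verify_checksum(record: Dict[str, str]) -> bool:
    """Recompute the checksum from the received amount and compare."""
    return hmac.compare_digest(record["checksum"], amount_checksum(record["amount"]))


def record_mac(record: Dict[str, str], key: bytes) -> str:
    """Authenticity control: HMAC-SHA256 over the whole record under a shared key."""
    message = f"{record['invoice']}|{record['amount']}".encode("ascii")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(record: Dict[str, str], key: bytes) -> bool:
    return hmac.compare_digest(record["mac"], record_mac(record, key))


def demo() -> Dict[str, bool]:
    key = b"constructed-trading-partner-key"  # assumed secret shared by the two parties
    original = build_record("INV-1001", "1250.00")
    original["mac"] = record_mac(original, key)

    # Case 1: accidental corruption in transit changes one digit; the checksum
    # is no longer consistent with the amount, so the receiver detects it.
    corrupted = dict(original, amount="1259.00")

    # Case 2: deliberate modification. The attacker changes the amount AND
    # recomputes the checksum, which needs no secret, so the checksum passes.
    forged = dict(original, amount="9250.00")
    forged["checksum"] = amount_checksum(forged["amount"])

    return {
        "original_checksum_ok": verify_checksum(original),
        "corrupted_checksum_ok": verify_checksum(corrupted),  # False: integrity failure caught
        "forged_checksum_ok": verify_checksum(forged),        # True: checksum alone is fooled
        "original_mac_ok": verify_mac(original, key),
        "forged_mac_ok": verify_mac(forged, key),             # False: forger lacks the key
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:<24} {result}")
```

A MAC establishes that the record came from a holder of the shared key; because the receiver also holds that key, it still does not give nonrepudiation, which needs a signature made with a key only the sender has.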

The PRIMARY benefit of an IT manager monitoring technical capacity is to:
Select an answer:
A. identify needs for new hardware and storage procurement.
B. determine future capacity needs based on usage.
C. ensure that the service level agreement (SLA) req

You answered D. The correct answer is C.
Capacity monitoring has multiple objectives; however, the primary objective is to ensure compliance with the internal SLA between the business and IT. It also helps in arriving at expected future capacity based on

An IS auditor is reviewing the IT governance practices. Which of the following BEST helps the IS auditor evaluate the quality of alignment between IT and the business?
Select an answer:
A. Security policies
B. Operational procedures
C. Project portfolio
D

You are correct, the answer is D.
A. Security policies are important; however, they are not designed to align IT to the business.
B. Operational procedures do not provide the IS auditor assurance of the alignment between IT and the business.
C. The projec

The PRIMARY outcome of a business impact analysis (BIA) is:
Select an answer:
A. a plan for resuming operations after a disaster.
B. a commitment of the organization to physical and logical security.
C. a framework for an effective disaster recovery plan

You answered C. The correct answer is D.
A. A BIA does establish a starting point for planning how to resume operations after a disaster. This is, however, not the primary purpose of a BIA.
B. The public's perception of an organization's physical and logi

An IS auditor has been assigned to review an organization's information security policy. Which of the following issues represents the HIGHEST potential risk?
Select an answer:
A. The policy has not been updated in more than one year.
B. The policy include

You are correct, the answer is C.
The information security policy should have an owner who has approved management responsibility for the development, review and evaluation of the security policy. The position of security administrator is typically a staf

The potential for unauthorized system access by way of terminals or workstations within an organization's facility is increased when:
Select an answer:
A. connecting points are available in the facility to connect laptops to the network.
B. users take pre

You answered C. The correct answer is A.
Any person with wrongful intentions can connect a laptop to the network. The insecure connecting points make unauthorized access possible if the individual has knowledge of a valid user ID and password. The other c

While planning an audit, an assessment of risk should be made to provide:
Select an answer:
A. reasonable assurance that the audit will cover material items.
B. definite assurance that material items will be covered during the audit work.
C. reasonable as

You answered C. The correct answer is A.
ISACA IT Audit and Assurance Guideline G15 on planning the IS audit states that, "An assessment of risk should be made to provide reasonable assurance that material items will be adequately covered during the audit

Although management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should:Select an answer:

A. include the statement of management in the audit re

You are correct, the answer is B.
When there is an indication that an organization might be using unlicensed software, the IS auditor should obtain sufficient evidence before including it in the report. With respect to this matter, representations obtaine

An IS auditor is evaluating the effectiveness of the organization's change management process. What is the MOST important control that the IS auditor should look for to ensure system availability?Select an answer:

A. That changes are authorized by IT man

You answered B. The correct answer is C.
The most important control for ensuring system availability is to implement a sound testing plan and procedures which are consistently followed. The other options can be important considerations, but are not as imp

Which of the following BEST mitigates the risk arising from using reciprocal agreements as a recovery alternative?
Select an answer:
A. Perform disaster recovery exercises annually.
B. Ensure that partnering organizations are separated geographically.
C.

You answered D. The correct answer is B.
A. While disaster recovery exercises are important, the greater risk is geographic proximity.
B. If the two partnering organizations are in close geographic proximity, this could lead to both organizations being su

The MOST effective method to permanently remove sensitive data from magnetic media is:
Select an answer:
A. reformatting.
B. degaussing.
C. deleting data.
D. overwriting.

You are correct, the answer is B.
A. Unless it is low-level formatting repeated a number of times, it is not certain that all traces of data are destroyed. This method is inefficient.
B. Degaussing is the application of variable levels of alternating curr

As an outcome of information security governance, strategic alignment provides:
Select an answer:
A. security requirements driven by enterprise requirements.
B. baseline security following best practices.
C. institutionalized and commoditized solutions.
D

You answered D. The correct answer is A.
Information security governance, when properly implemented, should provide four basic outcomes: strategic alignment, value delivery, risk management and performance measurement. Strategic alignment provides input f

During a fieldwork observation of system administrative functions, an IS auditor discovered that changes made to the database after normal working hours required only an abbreviated number of steps compared to those made during normal working hours. Which

You are correct, the answer is D.
The use of a DBA user account is normally set up to log all changes made and is most appropriate for changes made outside of normal working hours. The use of a log allows changes to be reviewed. The privileged accounts ca

Which of the following reports is the MOST appropriate source of information for an IS auditor to validate that an Internet service provider (ISP) has been complying with an enterprise service level agreement (SLA) for the availability of outsourced telec

You answered B. The correct answer is D.
The enterprise should use internally generated downtime reports to monitor the service provided by the ISP and, as available, to compare with the reports provided by the ISP. The ISP-generated downtime reports are

Information for detecting unauthorized input from a terminal would be BEST provided by the:
Select an answer:
A. console log printout.
B. transaction journal.
C. automated suspense file listing.
D. user error report.

You answered C. The correct answer is B.
The transaction journal would record all transaction activity, which then could be compared to the authorized source documents to identify any unauthorized input. A console log printout is not the best, because it

The activation of an enterprise's business continuity plan should be based on predetermined criteria that address the:
Select an answer:
A. duration of the outage.
B. type of outage.
C. probability of the outage.
D. cause of the outage.

You answered B. The correct answer is A.
The initiation of a business continuity plan (action) should primarily be based on the maximum period for which a business function can be disrupted before the disruption threatens the achievement of organizational

Which of the following is an implementation risk within the process of decision support systems (DSSs)?
Select an answer:
A. Management control
B. Semistructured dimensions
C. Inability to specify purpose and usage patterns
D. Changes in decision processe

You are correct, the answer is C.
The inability to specify purpose and usage patterns is a risk that developers need to anticipate while implementing a DSS. Choices A, B and D are not types of risk, but characteristics of a DSS.

Which of the following responsibilities would MOST likely compromise the independence of an IS auditor when reviewing the risk management process?
Select an answer:
A. Participating in the design of the risk management framework
B. Advising on different i

You are correct, the answer is A.
Participating in the design of the risk management framework involves designing controls, which will compromise the independence of the IS auditor to audit the risk management process. Advising on different implementation

An organization has established a guest network for visitor access. Which of the following should be of GREATEST concern to an IS auditor?
Select an answer:
A. A login screen is not displayed for guest users.
B. The guest network is not segregated from th

You are correct, the answer is B.
A. Using a web captive portal, which displays a login screen in the user's web browser, is a best practice to authenticate guests. However, if the guest network is not segregated from the production network, users could i

Which of the following processes will be MOST effective in reducing the risk that unauthorized software on a backup server is distributed to the production server?
Select an answer:
A. Manually copy files to accomplish replication.
B. Review changes in th

You are correct, the answer is B.
It is common practice for software changes to be tracked and controlled using version control software. An IS auditor should review reports or logs from this system to identify the software that is promoted to production.

A database administrator has detected a performance problem with some tables which could be solved through denormalization. This situation will increase the risk of:
Select an answer:
A. concurrent access.
B. deadlocks.
C. unauthorized access to data.
D.

You answered A. The correct answer is D.
Normalization is the removal of redundant data elements from the database structure. Disabling normalization in relational databases will create redundancy and a risk of not maintaining consistency of data, with th

A message signed with a digital signature cannot be repudiated by the sender because a digital signature:
Select an answer:
A. authenticates the identity of the sender using public key infrastructure (PKI).
B. uses a hashing algorithm to validate that mes

You answered C. The correct answer is D.
A. The digital signature validates both the identity of the sender and the content.
B. Digital signatures have integrity features to ensure that the message content has not changed, which prevents an attacker from

An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should:
Select an answer:
A. apply the patch according to the patch's release notes.
B. ensure

You are correct, the answer is B.
An IS auditor must review the change management process, including patch management procedures, and verify that the process has adequate controls and make suggestions accordingly. The other choices are part of a good chan

Electromagnetic emissions from a terminal represent an exposure because they:
Select an answer:
A. affect noise pollution.
B. disrupt processor functions.
C. produce dangerous levels of electric current.
D. can be detected and displayed.

You are correct, the answer is D.
Emissions can be detected by sophisticated equipment and displayed, thus giving unauthorized persons access to data. They should not cause disruption of CPUs or affect noise pollution. TEMPEST is a term referring to the i

A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it:
Select an answer:
A. can identify high-risk areas that might need a detailed review later.
B. allows IS auditors to independently assess risk.
C.

You are correct, the answer is A.
CSA is predicated on the review of high-risk areas that either need immediate attention or a more thorough review at a later date. Choice B is incorrect, because CSA requires the involvement of IS auditors and line manage

Results of a postimplementation review indicate that only 75 percent of the users can log in to the application concurrently. Which of the following could have BEST discovered the identified weakness of the application?
Select an answer:
A. Load testing
B

You answered A. The correct answer is B.
A. Load testing evaluates the performance of the software at peak hours.
B. Stress testing determines the capacity of the software to cope with an incremental number of concurrent users.
C. Recovery testing evaluat

During the review of an enterprise's preventive maintenance process for systems at a data center, the IS auditor has determined that adequate maintenance is being performed on all critical computing, power and cooling systems. Additionally, it is MOST imp

You answered D. The correct answer is C.
The biggest risk to normal operations in a data center would be if an incident or mishap were to happen during critical peak processing times; therefore, it would be prudent to ensure that no type of system mainten

An organization is using symmetric encryption. Which of the following would be a valid reason for moving to asymmetric encryption? Symmetric encryption:
Select an answer:
A. provides authenticity.
B. is faster than asymmetric encryption.
C. can cause key

You are correct, the answer is C.
In a symmetric algorithm, each pair of communicating users needs its own shared secret key, so the number of keys grows quadratically with the number of users and key management can become overwhelming. Symmetric algorithms do not provide authenticity, and symmetric encryption

To support an organization's goals, an IS department should have:
Select an answer:
A. a low-cost philosophy.
B. long- and short-range plans.
C. leading-edge technology.
D. plans to acquire new hardware and software.

You are correct, the answer is B.
To ensure its contribution to the realization of an organization's overall goals, the IS department should have long- and short-range plans that are consistent with the organization's broader plans for attaining its goals

The editing/validation of data entered at a remote site would be performed MOST effectively at the:
Select an answer:
A. central processing site after running the application system.
B. central processing site during the running of the application system.

You are correct, the answer is D.
It is important that the data entered from a remote site is edited and validated prior to transmission to the central processing site.

An IS auditor reviews an organizational chart PRIMARILY for:
Select an answer:
A. an understanding of workflows.
B. investigating various communication channels.
C. understanding the responsibilities and authority of individuals.
D. investigating the netw

You answered A. The correct answer is C.
An organizational chart provides information about the responsibilities and authority of individuals in the organization. This helps an IS auditor to know if there is a proper segregation of functions. A workflow c

Which of the following is a function of an IS steering committee?
Select an answer:
A. Monitoring vendor-controlled change control and testing
B. Ensuring a separation of duties within the information processing environment
C. Approving and monitoring m

You answered B. The correct answer is C.
The IS steering committee typically serves as a general review board for major IS projects and should not become involved in routine operations; therefore, one of its functions is to approve and monitor major proje

An IS auditor has been assigned to conduct a test that compares job run logs to computer job schedules. Which of the following observations would be of the GREATEST concern to the IS auditor?Select an answer:

A. There are a growing number of emergency ch

You are correct, the answer is C.
The overriding of computer processing jobs by computer operators could lead to unauthorized changes to data or programs. This is a control concern; thus, it is always critical. The other options are not as critical becaus

An IS auditor is reviewing a software application that is built on the principles of service oriented architecture (SOA). What is the BEST first step?Select an answer:

A. Understanding services and their allocation to business processes by reviewing the

You are correct, the answer is A.
An SOA relies on the principles of a distributed environment in which services encapsulate business logic as a black box and might be deliberately combined to depict real-world business processes. Before reviewing service

The reason for establishing a stop or freezing point on the design of a new system is to:
Select an answer:
A. prevent further changes to a project in process.
B. indicate the point at which the design is to be completed.
C. require that changes after tha

You answered A. The correct answer is C.
Projects often have a tendency to expand, especially during the requirements definition phase. This expansion often grows to a point where the originally anticipated cost-benefits are diminished because the cost of

An IS auditor evaluating the resilience of a high-availability network should be MOST concerned if:
Select an answer:
A. the setup is geographically dispersed.
B. the network servers are clustered in one site.
C. a hot site is ready for activation.
D. div

You answered D. The correct answer is B.
A clustered setup in one location makes the entire network vulnerable to natural disasters or other disruptive events. Dispersed geographic locations and diverse routing provide backup if a site has been destroyed.

An IS auditor is reviewing access to an application to determine whether the 10 most recent new accounts were appropriately authorized. This is an example of:
Select an answer:
A. variable sampling.
B. substantive testing.
C. compliance testing.
D. stop-o

You answered B. The correct answer is C.
Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized. Variable sampling is used to estimate

The BEST overall quantitative measure of the performance of biometric control devices is:
Select an answer:
A. false-rejection rate (FRR).
B. false-acceptance rate (FAR).
C. equal-error rate (EER).
D. estimated-error rate.

You answered B. The correct answer is C.
A low EER reflects both a low FRR and a low FAR. EER, expressed as a percentage, is the error rate at the sensitivity setting where the FRR and the FAR are equal. A low EER is the measure of the more effective biometrics c
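FAR and FRR move in opposite directions as the matcher's acceptance threshold changes, which is why neither alone describes a device; the EER is the single point where the two curves cross. The Python below is an added example, not ISACA's; the genuine and impostor match scores are constructed so that the crossing point can be read off by hand (it sweeps the threshold, computes both rates at each setting and reports the threshold at which they are equal).

```python
"""FAR, FRR and equal-error rate from constructed biometric match scores (added example)."""
from typing import Iterable, List, Tuple

# Constructed matcher output: similarity scores 0-100 for attempts by the enrolled
# user (genuine) and by other people (impostor). A higher score means a closer match.
GENUINE = [88, 91, 79, 95, 84, 72, 90, 86, 68, 93, 81, 77]
IMPOSTOR = [35, 52, 61, 44, 70, 58, 49, 66, 73, 40, 55, 63]


def far(impostor: List[int], threshold: int) -> float:
    """False-acceptance rate: share of impostor attempts scoring at or above the threshold."""
    return sum(score >= threshold for score in impostor) / len(impostor)


def frr(genuine: List[int], threshold: int) -> float:
    """False-rejection rate: share of genuine attempts scoring below the threshold."""
    return sum(score < threshold for score in genuine) / len(genuine)


def rates_at(threshold: int, genuine=GENUINE, impostor=IMPOSTOR) -> Tuple[float, float]:
    """(FAR, FRR) at one sensitivity setting; shows the trade-off a single rate hides."""
    return far(impostor, threshold), frr(genuine, threshold)


def error_curve(genuine, impostor, thresholds: Iterable[int]) -> List[Tuple[int, float, float]]:
    """(threshold, FAR, FRR) for every candidate sensitivity setting."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR, thresholds=range(0, 101)) -> Tuple[int, float]:
    """Threshold where FAR and FRR are closest, and the error rate there (the EER).

    With discrete scores the curves may not cross exactly, so the point of minimum
    |FAR - FRR| is taken and the EER reported as the mean of the two rates there.
    """
    t, a, r = min(error_curve(genuine, impostor, thresholds), key=lambda row: abs(row[1] - row[2]))
    return t, (a + r) / 2


if __name__ == "__main__":
    for t in (50, 60, 71, 80, 96):
        a, r = rates_at(t)
        print(f"threshold {t:>3}: FAR={a:.3f} FRR={r:.3f}")
    threshold, eer = equal_error_rate()
    print(f"EER {eer:.3f} at threshold {threshold}")
```

Tuning for a low FAR alone (threshold 96 in the constructed data) drives FRR to 100 percent; tuning for a low FRR alone admits every impostor. Comparing two devices by EER compares them at the setting where both kinds of error are balanced.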

Which of the following disaster recovery testing techniques is the MOST efficient way to determine the effectiveness of the plan?
Select an answer:
A. Preparedness tests
B. Paper tests
C. Full operational tests
D. Actual service disruption

You are correct, the answer is A.
Preparedness tests involve simulation of the entire environment (in phases) and help the team to better understand and prepare for the actual test scenario. Choices B, C and D are not cost-effective methods to obtain evid

When using public key encryption to secure data being transmitted across a network:
Select an answer:
A. both the key used to encrypt and decrypt the data are public.
B. the key used to encrypt is private, but the key used to decrypt the data is public.
C

You are correct, the answer is C.
Public key encryption, also known as asymmetric key cryptography, uses a public key to encrypt the message and a private key to decrypt it.
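The two public-key questions (which key encrypts versus decrypts, and why a signature cannot be repudiated) use the same key pair in opposite directions, and a small textbook RSA implementation makes that concrete. The Python below is an added example, not ISACA's and not suitable for real use: it uses raw RSA without padding and two small Mersenne primes chosen for the demonstration, so the only thing it is good for is showing which key does what. Encryption uses the recipient's public key and only the private key recovers the plaintext; signing uses the sender's private key and anyone with the public key can verify, which is what distinguishes a signature from a MAC (where the verifier shares the secret and could have produced the tag).

```python
"""Textbook RSA to show key roles in encryption and signing (added example, toy parameters)."""
import hashlib
from typing import Tuple

# Constructed key material: Mersenne primes 2^89-1 and 2^107-1, far too small for real security.
P = 2**89 - 1
Q = 2**107 - 1
E = 65537

PublicKey = Tuple[int, int]   # (n, e)
PrivateKey = Tuple[int, int]  # (n, d)


def keygen(p: int = P, q: int = Q, e: int = E) -> Tuple[PublicKey, PrivateKey]:
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub: PublicKey, m: int) -> int:
    """Anyone holding the PUBLIC key can encrypt for the key owner."""
    n, e = pub
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(priv: PrivateKey, c: int) -> int:
    """Only the PRIVATE key holder can recover the plaintext."""
    n, d = priv
    return pow(c, d, n)


def digest(msg: bytes, n: int) -> int:
    """Hash the message to a fixed-size value and reduce it below the modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv: PrivateKey, msg: bytes) -> int:
    """Signing uses the PRIVATE key, which only the sender holds."""
    n, d = priv
    return pow(digest(msg, n), d, n)


def verify(pub: PublicKey, msg: bytes, sig: int) -> bool:
    """Verification uses the PUBLIC key: anyone can check, nobody else can forge."""
    n, e = pub
    return pow(sig, e, n) == digest(msg, n)


def demo() -> dict:
    pub, priv = keygen()
    # Confidentiality: encrypt with the recipient's public key, decrypt with the private key.
    plaintext = int.from_bytes(b"wire 1250.00 to acct 42", "big")  # constructed message
    ciphertext = encrypt(pub, plaintext)
    # Non-repudiation: the sender signs with a key only the sender possesses, so a valid
    # signature over a message could only have come from that sender.
    message = b"Pay INV-1001: 1250.00"
    signature = sign(priv, message)
    return {
        "roundtrip_ok": decrypt(priv, ciphertext) == plaintext,
        "ciphertext_differs": ciphertext != plaintext,
        "signature_ok": verify(pub, message, signature),
        "tampered_message_ok": verify(pub, b"Pay INV-1001: 9250.00", signature),  # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:<20} {result}")
```

A production system would use a vetted library with proper padding (OAEP for encryption, PSS or PKCS#1 v1.5 for signatures) and certificate-based key distribution; the key-role logic is the same.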

An IS auditor is reviewing the access control list (ACL) of active network users. Which of the following types of user IDs should be of GREATEST concern?
Select an answer:
A. Test or training user IDs
B. Shared IDs
C. Administrative IDs
D. User IDs of pas

You answered C. The correct answer is D.
A. Test or training user IDs could be a concern. However, it is unlikely that their access privileges are greater than a real user, and therefore they pose less of an overall risk.
B. The use of shared IDs, while n

With respect to business continuity strategies, an IS auditor interviews key stakeholders in an organization to determine whether they understand their roles and responsibilities. The IS auditor is attempting to evaluate the:Select an answer:

A. clarity

You answered B. The correct answer is A.
The IS auditor should interview key stakeholders to evaluate how well they understand their roles and responsibilities. When all stakeholders have a detailed understanding of their roles and responsibilities in the

The MOST effective control for reducing the risk related to phishing is:
Select an answer:
A. centralized monitoring of systems.
B. including signatures for phishing in antivirus software.
C. publishing the policy on antiphishing on the intranet.
D. secur

You are correct, the answer is D.
Phishing is a type of email attack that attempts to convince a user that the originator is genuine, with the intention of obtaining information. Phishing is an example of a social engineering attack. Any social engineerin

Many IT projects experience problems because the development time and/or resource requirements are underestimated. Which of the following techniques would provide the GREATEST assistance in developing an estimate of project duration?Select an answer:

A.

You are correct, the answer is B.
A PERT chart will help determine project duration once all the activities and the work involved with those activities are known. Function point analysis is a technique for determining the size of a development task based

Which of the following would be the MOST appropriate recovery strategy for a sensitive system with a high recovery time objective (RTO)?
Select an answer:
A. Warm site
B. Hot site
C. Cold site
D. Mobile recovery site

You answered B. The correct answer is C.
Sensitive systems having a high RTO can be performed manually at a tolerable cost for an extended period of time. The cold site would be the most cost-effective solution for such a system. While a warm site may be

The IS management of a multinational company is considering upgrading its existing virtual private network (VPN) to support voice-over IP (VoIP) communications via tunneling. Which of the following considerations should be PRIMARILY addressed?
Select an a

You are correct, the answer is A.
The company currently has a VPN; issues such as authentication and confidentiality have been implemented by the VPN using tunneling. Privacy of voice transmissions is provided by the VPN protocol. Reliability and QoS are,

An IS auditor performing a review of a major software development project finds that it is on schedule and under budget due to unplanned overtime by software developers. The IS auditor should:Select an answer:

A. conclude that the project is progressing

You are correct, the answer is D.
While the dates on which key projects are completed are important, there may be issues with the project plan if an extraordinary amount of unplanned overtime is required to meet those dates. In most cases, the project pla

When an employee is terminated from service, the MOST important action is to:
Select an answer:
A. hand over all of the employee's files to another designated employee.
B. complete a backup of the employee's work.
C. notify other employees of the terminat

You are correct, the answer is D.
There is a probability that a terminated employee may misuse access rights; therefore, disabling the terminated employee's logical access is the most important action to take. All the work of the terminated employee needs

The reliability of an application system's audit trail may be questionable if:
Select an answer:
A. user IDs are recorded in the audit trail.
B. the security administrator has read-only rights to the audit file.
C. date and time stamps are recorded when a

You are correct, the answer is D.
An audit trail is not effective if the details in it can be amended.
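One way an application can make amendment of its audit trail evident, rather than merely relying on file permissions, is to chain the entries: each record stores a hash over its own fields and the previous record's hash, so changing any detail invalidates every later link. The Python below is an added example, not ISACA's; the log entries are constructed. It shows an intact chain, an edit that breaks the edited entry, and an edit where the editor also recomputes that entry's hash but is still caught by the next entry.

```python
"""Hash-chained audit trail with tamper detection (added example, constructed entries)."""
import hashlib
import json
from typing import Dict, List

GENESIS = "0" * 64  # chain anchor for the first entry


def entry_hash(prev_hash: str, body: Dict) -> str:
    """SHA-256 over the previous link and a canonical encoding of this entry's fields."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(prev_hash.encode("ascii") + payload).hexdigest()


def append(trail: List[Dict], user: str, ts: str, action: str) -> None:
    """Append one entry whose hash binds it to everything before it."""
    prev = trail[-1]["hash"] if trail else GENESIS
    body = {"seq": len(trail), "user": user, "ts": ts, "action": action}
    trail.append(dict(body, hash=entry_hash(prev, body)))


def verify(trail: List[Dict]) -> int:
    """Return -1 if every link checks out, else the seq of the first entry that fails."""
    prev = GENESIS
    for entry in trail:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry_hash(prev, body) != entry["hash"]:
            return entry["seq"]
        prev = entry["hash"]
    return -1


def build_sample() -> List[Dict]:
    """Constructed application audit trail."""
    trail: List[Dict] = []
    append(trail, "alice", "2024-03-01T09:00:00Z", "login")
    append(trail, "alice", "2024-03-01T09:05:12Z", "update account 42 limit 1000->5000")
    append(trail, "bob", "2024-03-01T09:07:40Z", "login")
    return trail


def demo() -> Dict[str, int]:
    trail = build_sample()

    # Case 1: someone with write access to the file changes who did the update
    # but leaves the stored hash alone; that entry no longer matches.
    edited = [dict(e) for e in trail]
    edited[1]["user"] = "bob"

    # Case 2: the same edit, and the editor recomputes that entry's own hash.
    # Entry 1 now verifies, but entry 2 was chained to the OLD hash, so it fails.
    recomputed = [dict(e) for e in trail]
    recomputed[1]["user"] = "bob"
    body = {k: v for k, v in recomputed[1].items() if k != "hash"}
    recomputed[1]["hash"] = entry_hash(recomputed[0]["hash"], body)

    return {
        "intact": verify(trail),                        # -1
        "edited_first_bad_seq": verify(edited),         # 1
        "recomputed_first_bad_seq": verify(recomputed),  # 2
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:<26} {result}")
```

An attacker who can rewrite the whole file can recompute every link, so the most recent hash has to be recorded somewhere the log writers cannot modify (a separate log server, a periodic signed digest) for the chain to be evidence rather than decoration. That is the same separation the question points at with read-only access to the audit file.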

When developing a disaster recovery plan, the criteria for determining the acceptable downtime should be the:
Select an answer:
A. annualized loss expectancy (ALE).
B. service delivery objective.
C. quantity of orphan data.
D. maximum tolerable outage.

You are correct, the answer is D.
The recovery time objective (RTO) is determined based on the acceptable downtime in case of a disruption of operations. It indicates the maximum tolerable outage that an organization considers to be acceptable before a sy

The MAJOR consideration for an IS auditor reviewing an organization's IT project portfolio is the:
Select an answer:
A. IT budget.
B. existing IT environment.
C. business plan.
D. investment plan.

You are correct, the answer is C.
One of the most important reasons for which projects get funded is how well a project meets an organization's strategic objectives. Portfolio management takes a holistic view of a company's overall IT strategy. IT strateg

An organization has a well-established risk management process. Which of the following risk management practices would MOST likely expose the organization to the greatest amount of compliance risk?
Select an answer:
A. Risk reduction
B. Risk transfer
C. R

You answered A. The correct answer is B.
A. Risk reduction is a term synonymous with risk mitigation. Risk reduction lowers risk to a level commensurate with the organization's risk appetite. However, choice B is the best answer because risk reduction tre

When preparing an audit report, the IS auditor should ensure that the results are supported by:
Select an answer:
A. statements from IS management.
B. work papers of other auditors.
C. an organizational control self-assessment.
D. sufficient and appropriat

You are correct, the answer is D.
ISACA's IT audit and assurance standard on reporting requires that the IS auditor have sufficient and appropriate audit evidence to support the reported results. Statements from IS management provide a basis for obtaining

Which of the following audit techniques would BEST help an IS auditor in determining whether there have been unauthorized program changes since the last authorized program update?
Select an answer:
A. Test data run
B. Code review
C. Automated code compari

You are correct, the answer is C.
An automated code comparison is the process of comparing two versions of the same program to determine whether the two correspond. It is an efficient technique because it is an automated procedure. Test data runs permit t

An IS auditor identifies that reports on product profitability produced by an organization's finance and marketing departments give different results. Further investigation reveals that the product definition being used by the two departments is different

You answered A. The correct answer is B.
This choice directly addresses the problem. An organizationwide approach is needed to achieve effective management of data assets. This includes enforcing standard definitions of data elements, which is part of a d

Which of the following BEST describes the purpose of performing a risk assessment in the planning phase of an IS audit?
Select an answer:
A. To establish adequate staffing requirements to complete the IS audit
B. To provide reasonable assurance that all m

You are correct, the answer is B.
A. A risk assessment does not directly influence staffing requirements.
B. A risk assessment helps focus the audit procedures on the highest risk areas included in the scope of the audit. The concept of reasonable assuran

Which of the following auditing techniques is the MOST appropriate for a retail business with a large volume of transactions to address emerging risk proactively?
Select an answer:
A. Use of Computer Assisted Audit Techniques (CAATs)
B. Control self-asses

You answered A. The correct answer is D.
The implementation of continuous auditing enables a real-time feed of information to management through automated reporting processes to achieve quicker implementation of corrective actions by management. Using sof

An IS auditor who is auditing the software acquisition process will ensure that the:
Select an answer:
A. contract is reviewed and approved by the legal counsel before it is signed.
B. requirements cannot be met with the systems already in place.
C. requi

You answered C. The correct answer is A.
The process to review and approve the contract is one of the most important steps in the software acquisition process. An IS auditor should verify that legal counsel reviewed and approved the contract before manage

An IS auditor discovers that some hard drives disposed of by an enterprise were not sanitized in a manner that would reasonably ensure the data could not be recovered. In addition, the enterprise does not have a written policy on data disposal. The IS aud

You answered A. The correct answer is B.
Even though a policy is not available, the auditor should make a determination as to the nature of the information on the hard drives to quantify, as much as possible, the risk. Drafting a finding without a quantif

Which of the following is the MOST important requirement for a robust change management process?
Select an answer:
A. Chain of custody
B. Individual accountability
C. Data entry controls
D. Segregation of duties

You answered B. The correct answer is D.
A. Chain of custody is applicable to forensic investigations and maintenance of data integrity.
B. Individual accountability is important, and this is normally accomplished through the avoidance of group IDs. Howev

An IS auditor is evaluating a virtual machine-based (VM-based) architecture used for all programming and testing environments. The production architecture is a three-tier physical architecture. What is the MOST important IT control to test in order to ens

You answered D. The correct answer is A.
The most important control to test in this configuration is the server configuration hardening. It is important to patch known vulnerabilities and to disable all nonrequired functions before production, especially

A company is implementing a dynamic host configuration protocol (DHCP). Given that the following conditions exist, which represents the GREATEST concern?
Select an answer:
A. Most employees use laptops.
B. A packet filtering firewall is used.
C. The IP ad

You answered C. The correct answer is D.
Given physical access to a port, anyone can connect to the internal network. The other choices do not present the exposure that access to a port does. DHCP provides convenience (an advantage) to the laptop users. S

Management considered two projections for its business continuity plan; plan A with two months to recover and plan B with eight months to recover. The recovery point objectives are the same in both plans. It is reasonable to expect that plan B projected h

You answered B. The correct answer is A.
Because management considered a longer time window for recovery in plan B, downtime costs included in the plan are likely to be higher. Because the recovery time for plan B is longer, resumption and recovery costs

A company has contracted with an external consulting firm to implement a commercial financial system to replace its existing system developed in-house. In reviewing the proposed development approach, which of the following would be of GREATEST concern?
Se

You answered D. The correct answer is B.
A quality plan is an essential element of all projects. It is critical that the contracted supplier be required to produce such a plan. The quality plan for the proposed development contract should be comprehensive

During an IS audit of the disaster recovery plan (DRP) of a global enterprise, the auditor observes that some remote offices have very limited local IT resources. Which of the following observations would be the MOST critical for the IS auditor?
Select an

You answered C. The correct answer is A.
Regardless of the capability of local IT resources, the most critical risk would be the lack of testing, which would identify quality issues in the recovery process. The other choices could affect the reliability o

During which of the following phases in system development would user acceptance test plans normally be prepared?
Select an answer:
A. Feasibility study
B. Requirements definition
C. Implementation planning

D. Postimplementation review

You are correct, the answer is B.
During requirements definition, the project team will be working with the users to define their precise objectives and functional needs. At this time, the users should be working with the team to consider and document how

An organization is implementing an enterprise resource planning (ERP) application. Of the following, who is PRIMARILY responsible for overseeing the project in order to ensure that it is progressing in accordance with the project plan and that it will del

You answered B. The correct answer is C.
A project steering committee that provides an overall direction for the ERP implementation project is responsible for reviewing the project's progress to ensure that it will deliver the expected results. A project

Which of the following is an advantage of an integrated test facility (ITF)?
Select an answer:
A. It uses actual master files or dummies and the IS auditor does not have to review the source of the transaction.

B. Periodic testing does not require separat

You are correct, the answer is B.
An ITF creates a fictitious entity in the database to process test transactions simultaneously with live input. Its advantage is that periodic testing does not require separate test processes. However, careful planning is

When reviewing the configuration of network devices, an IS auditor should FIRST identify:
Select an answer:
A. the best practices for the type of network devices deployed.
B. whether components of the network are missing.

C. the importance of the network

You are correct, the answer is C.
The first step is to understand the importance and role of the network device within the organization's network topology. After understanding the devices in the network, the best practice for using the device should be re

An IS auditor observes that one of the servers on the perimeter network is running a vulnerable operating system. What is the MOST likely implication due to the existence of a system vulnerability?
Select an answer:

A. The server is susceptible to an atta

You are correct, the answer is A.
Vulnerabilities, if not addressed, leave the server at a risk of being attacked. The existence of a vulnerability does not automatically imply that an attack will occur. A control may be designed only if it would be cost-

The knowledge base of an expert system that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as:
Select an answer:
A. rules.
B. decision trees.
C. semantic nets.

D. dataflow diagrams.

You are correct, the answer is B.
Decision trees use questionnaires to lead a user through a series of choices until a conclusion is reached. Rules refer to the expression of declarative knowledge through the use of if-then relationships. Semantic nets co

While downloading software, a hash may be provided to:
Select an answer:
A. ensure that the software comes from a genuine source.
B. ensure that the software is the correct revision number.
C. ensure that the software has not been modified.

D. serve as a

You are correct, the answer is C.
Hash values are used as a means to ensure file integrity. The computed hash value for a file will be different if even a single bit within the file has been modified. It is common practice for the hash value to be display

In determining the acceptable time period for the resumption of critical business processes:
Select an answer:
A. only downtime costs need to be considered.
B. recovery operations should be analyzed.

C. both downtime costs and recovery costs need to be ev

You are correct, the answer is C.
Both downtime costs and recovery costs need to be evaluated in determining the acceptable time period before the resumption of critical business processes. The outcome of the business impact analysis (BIA) should be a rec

The MAIN purpose of a transaction audit trail is to:
Select an answer:
A. reduce the use of storage media.
B. determine accountability and responsibility for processed transactions.
C. help an IS auditor trace transactions.

D. provide useful information f

You are correct, the answer is B.
Enabling audit trails aids in establishing the accountability and responsibility for processed transactions by tracing them through the information system. Enabling audit trails increases the use of disk space. A transact

As an outcome of information security governance, strategic alignment provides:
Select an answer:
A. security requirements driven by enterprise requirements.
B. baseline security following best practices.
C. institutionalized and commoditized solutions.

D

You answered D. The correct answer is A.
Information security governance, when properly implemented, should provide four basic outcomes: strategic alignment, value delivery, risk management and performance measurement. Strategic alignment provides input f

The internal audit team is auditing controls over sales returns and is concerned about fraud. Which of the following sampling methods would BEST assist the auditors?
Select an answer:
A. Stop-or-go
B. Classical variable
C. Discovery

D. Probability-proport

You answered D. The correct answer is C.
Discovery sampling is used when an auditor is trying to determine whether a type of event has occurred, and therefore it is suited to assess the risk of fraud and to identify whether a single occurrence has taken p

The MOST important reason for an IS auditor to obtain sufficient and appropriate audit evidence is to:
Select an answer:
A. comply with regulatory requirements.
B. provide a basis for drawing reasonable conclusions.
C. ensure complete audit coverage.

D. p

You answered A. The correct answer is B.
The scope of an IS audit is defined by its objectives. This involves identifying control weaknesses relevant to the scope of the audit. Obtaining sufficient and appropriate evidence assists the auditor in not only

A company's development team does not follow generally accepted system development life cycle (SDLC) practices. Which of the following is MOST likely to cause problems for software development projects?
Select an answer:

A. Functional verification of the

You are correct, the answer is C.
A. Prototypes are verified by users.
B. UAT is seldom completely successful. If errors are not critical, they may be corrected after implementation without seriously affecting usage.

C. Errors or lack of attention in the

Ideally, stress testing should be carried out in a:
Select an answer:
A. test environment using test data.
B. production environment using live workloads.
C. test environment using live workloads.

D. production environment using test data.

You answered B. The correct answer is C.
Stress testing is carried out to ensure a system can cope with production workloads. A test environment should always be used to avoid damaging the production environment. Hence, testing should never take place in

To verify that the correct version of a data file was used for a production run, an IS auditor should review:
Select an answer:
A. operator problem reports.
B. operator work schedules.
C. system logs.

D. output distribution reports.

You are correct, the answer is C.
System logs are automated reports which identify most of the activities performed on the computer. Programs that analyze the system log have been developed to report on specifically defined items. The auditor can then car

When using an integrated test facility (ITF), an IS auditor should ensure that:
Select an answer:
A. production data are used for testing.
B. test data are isolated from production data.
C. a test data generator is used.

D. master files are updated with t

You answered A. The correct answer is B.
An ITF creates a fictitious file in the database, allowing for test transactions to be processed simultaneously with live data. While this ensures that periodic testing does not require a separate test process, the

Which of the following is the most important element in the design of a data warehouse?
Select an answer:
A. Quality of the metadata
B. Speed of the transactions
C. Volatility of the data

D. Vulnerability of the system

You are correct, the answer is A.
Quality of the metadata is the most important element in the design of a data warehouse. A data warehouse is a copy of transaction data specifically structured for query and analysis. Metadata aim to provide a table of co

Which of the following should be included in an organization's information security policy?
Select an answer:
A. A list of key IT resources to be secured
B. The basis for control access authorization
C. Identity of sensitive security features

D. Relevant

You are correct, the answer is B.
The security policy provides the broad framework of security, as laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting the access. Choices A,

The PRIMARY purpose of implementing Redundant Array of Inexpensive Disks (RAID) level 1 in a file server is to:
Select an answer:
A. achieve performance improvement.
B. provide user authentication.
C. ensure availability of data.

D. ensure the confidentia

You answered A. The correct answer is C.
RAID level 1 provides disk mirroring. Data written to one disk are also written to another disk. Users in the network access data in the first disk; if disk one fails, the second disk takes over. This redundancy en

When assessing the design of network monitoring controls, an IS auditor should FIRST review network:
Select an answer:
A. topology diagrams.
B. bandwidth usage.
C. traffic analysis reports.

D. bottleneck locations.

You are correct, the answer is A.
The first step in assessing network monitoring controls should be the review of the adequacy of network documentation, specifically topology diagrams. If this information is not up to date, then monitoring processes and t

Online banking transactions are being posted to the database when processing suddenly comes to a halt. The integrity of the transaction processing is BEST ensured by:
Select an answer:
A. database integrity checks.
B. validation checks.

C. input controls.

You answered A. The correct answer is D.
Database commits ensure the data are saved to disk, while the transaction processing is underway or complete. Rollback ensures that the already completed processing is reversed back, and the data already processed

An IS auditor is performing a review of the disaster recovery hot site used by a financial institution. Which of the following would be the GREATEST concern?
Select an answer:

A. System administrators use shared accounts which never expire at the hot site

You are correct, the answer is B.
Not knowing how much disk space is in use and therefore how much is needed at the disaster recovery site could create major issues in the case of a disaster. While it is not a best practice for security administrators to

Which of the following is the BEST method for determining the criticality of each application system in the production environment?
Select an answer:
A. Interview the application programmers.
B. Perform a gap analysis.

C. Review the most recent applicatio

You are correct, the answer is D.
A BIA will give the impact of the loss of each application. Interviews with the application programmers will provide limited information related to the criticality of the systems. A gap analysis is only relevant to system

An organization has outsourced its help desk function. Which of the following indicators would be the BEST to include in the service level agreement (SLA)?
Select an answer:
A. Overall number of users supported

B. Percentage of incidents solved in the fir

You are correct, the answer is B.
Since it is about service level (performance) indicators, the percentage of incidents solved on the first call is the only option that is relevant. Choices A, C and D are not quality measures of the help desk service.

When implementing an application software package, which of the following presents the GREATEST risk?
Select an answer:
A. Uncontrolled multiple software versions
B. Source programs that are not synchronized with object code

C. Incorrectly set parameters

You answered B. The correct answer is C.
Parameters that are not set correctly would be the greatest concern when implementing an application software package. The other choices, though important, are a concern of the provider, not the organization that i

An IS auditor is conducting an audit of computer security incident response procedures for a large financial organization. Which of the following should be the IS auditor's GREATEST concern?
Select an answer:

A. The IT help desk is not trained to contain

You answered A. The correct answer is C.
A. While IT help desk personnel should be aware of computer security issues, containment and resolution is not their responsibility. The computer security incident response team is a team of specialists separate fr

Which of the following wide area network (WAN) transmission techniques offers the BEST error and flow control procedures while transmitting data?
Select an answer:
A. Message switching
B. Packet switching
C. Circuit switching

D. Virtual circuits

You are correct, the answer is B.
Packet switching is a sophisticated means of maximizing the transmission capacity of networks. Messages are broken down into packets and routed independently through the network, depending on the availability of a channel

A new business application has been designed in a large, complex organization and the business owner has requested that the various reports be viewed on a "need to know" basis. Which of the following access control methods would be the BEST method to achi

You are correct, the answer is B.
Role-based access control would be the best method to allow users to view reports on a need-to-know basis. While the other options could achieve the same goal, they would most likely be more difficult to implement and mai

The MOST important point of consideration for an IS auditor while reviewing an enterprise's project portfolio is that it:
Select an answer:
A. does not exceed the existing IT budget.
B. is aligned with the investment strategy.

C. has been approved by the

You are correct, the answer is D.
Portfolio management takes a holistic view of an enterprise's overall IT strategy, which, in turn, should be aligned with the business strategy. A business plan provides the justification for each of the projects in the p

Two months after a major application implementation, management, who assumes that the project went well, requests that an IS auditor perform a review of the completed project. The IS auditor's PRIMARY focus should be to:
Select an answer:

A. determine whe

You answered A. The correct answer is C.
Since management is assuming that the implementation went well, the primary focus of the IS auditor is to test the controls built into the application to assure that they are functioning as designed. Achieving the

During a change control audit of a production system, an IS auditor finds that the change management process is not formally documented and that some migration procedures failed. What should the IS auditor do next?
Select an answer:

A. Recommend redesigni

You are correct, the answer is B.
A change management process is critical to IT production systems. Before recommending that the organization take any other action (e.g., stopping migrations, redesigning the change management process), the IS auditor shou

Which of the following database controls would ensure that the integrity of transactions is maintained in an online transaction processing system's database?
Select an answer:
A. Authentication controls
B. Data normalization controls

C. Read/write access

You are correct, the answer is D.
Commitment and rollback controls are directly relevant to integrity. These controls ensure that database operations that form a logical transaction unit will complete in its entirety or not at all; i.e., if, for some reas

During an IS audit of a bank, the IS auditor is assessing whether the enterprise properly manages staff member access to the operating system. The IS auditor should determine whether the enterprise performs:
Select an answer:

A. periodic review of user ac

You are correct, the answer is A.
General operating system access control functions include logging user activities, events, etc. Choice B is a database- and/or an application-level access control function. Choice C is a network control feature. Choice D

A benefit of open system architecture is that it:
Select an answer:
A. facilitates interoperability.
B. facilitates the integration of proprietary components.
C. will be a basis for volume discounts from equipment vendors.

D. allows for the achievement of

You are correct, the answer is A.
Open systems are those for which suppliers provide components whose interfaces are defined by public standards, thus facilitating interoperability between systems made by different vendors. In contrast, closed system comp

A perpetrator looking to gain access to and gather information about encrypted data being transmitted over the network would use:
Select an answer:
A. eavesdropping.
B. spoofing.
C. traffic analysis.

D. masquerading.

You are correct, the answer is C.
In traffic analysis, which is a passive attack, an intruder determines the nature of the traffic flow between defined hosts and through an analysis of session length, frequency and message length, and the intruder is able

An organization has bought a new system to integrate its human resources (HR) and payroll systems. Which of the following tests ensures that the new system can operate successfully with existing systems?
Select an answer:
A. Parallel testing

B. Pilot test

You answered D. The correct answer is C.
A. Parallel testing is the process of feeding data into two systems (the modified system and an alternate system) and computing the results in parallel. In this approach, the old and new systems operate concurrently

An organization stores and transmits sensitive customer information within a secure wired network. It has implemented an additional wireless local area network (WLAN) to support general-purpose staff computing needs. A few employees with WLAN access have

You answered B. The correct answer is D.
In this case, a firewall could be used as a strong control to allow authorized users on the wireless network to access the wired network. While having two physically separate networks would ensure the security of c

Which of the following would effectively verify the originator of a transaction?
Select an answer:
A. Using a secret password between the originator and the receiver
B. Encrypting the transaction with the receiver's public key

C. Using a portable document

You are correct, the answer is D.
A digital signature is an electronic identification of a person, created by using a public key algorithm, to verify to a recipient the identity of the source of a transaction and the integrity of its content. Since they a

Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs?
Select an answer:
A. System log analysis
B. Compliance testing
C. Forensic analysis

D. Analytical review

You answered D. The correct answer is B.
Determining that only authorized modifications are made to production programs would require the change management process be reviewed to evaluate the existence of a trail of documentary evidence. Compliance testin

An organization has an integrated development environment (IDE) on which the program libraries reside on the server, but modification/development and testing are done from PC workstations. Which of the following would be a strength of an IDE?
Select an an

You are correct, the answer is B.
One of the recognized strengths of an IDE is that it expands the programming resources and the aids that are available by maintaining all development tools centrally on the server along with the environment. IDE, in itsel

An IS auditor is evaluating data mining and auditing software to be used in future IS audits. What is the PRIMARY requirement that the software tool should meet? The software tool should:
Select an answer:

A. interface with various types of enterprise res

You are correct, the answer is B.
While all of the options above are desirable in a software tool evaluated for auditing and data mining purposes, the most critical requirement is that the tool does not compromise data integrity or make changes to the sys

An advantage of using sanitized live transactions in test data is that:
Select an answer:
A. all transaction types will be included.
B. every error condition is likely to be tested.
C. no special routines are required to assess the results.

D. test transa

You are correct, the answer is D.
Test data will be representative of live processing; however, it is unlikely that all transaction types or error conditions will be tested in this way.

The reason a certification and accreditation process is performed on critical systems is to ensure that:
Select an answer:
A. security compliance has been technically evaluated.
B. data have been encrypted and are ready to be stored.

C. the systems have b

You are correct, the answer is A.
Certified and accredited systems are systems that have had their security compliance technically evaluated for running on a specific production server. Choice B is incorrect because not all data of certified systems are e

Which of the following is the BEST factor for determining the extent of data collection during the planning phase of an IS compliance audit?
Select an answer:
A. Complexity of the organization's operation
B. Findings and issues noted from the prior year

C

You are correct, the answer is C.
The extent to which data will be collected during an IS audit is related directly to the purpose, objective and scope of the audit. An audit with a narrow purpose and limited objective and scope is most likely to result i

Online banking transactions are being posted to the database when processing suddenly comes to a halt. The integrity of the transaction processing is BEST ensured by:
Select an answer:
A. database integrity checks.
B. validation checks.

C. input controls.

You are correct, the answer is D.
Database commits ensure the data are saved to disk, while the transaction processing is underway or complete. Rollback ensures that the already completed processing is reversed back, and the data already processed are not

Which of the following would be MOST important for an IS auditor to verify while conducting a business continuity audit?
Select an answer:
A. Data backups are performed on a timely basis.
B. A recovery site is contracted for and available as needed.

C. Hu

You answered A. The correct answer is C.
The most important element in any business continuity process is the protection of human life. This takes precedence over all other aspects of the plan.

This question refers to the following diagram.
Email traffic from the Internet is routed via firewall-1 to the mail gateway. Mail is routed from the mail gateway, via firewall-2, to the mail recipients in the internal network. Other traffic is not allowed

You answered A. The correct answer is C.
Traffic for the internal network that did not originate from the mail gateway is a sign that firewall-1 is not functioning properly. This may have been caused by an attack from a hacker. Closing firewall-2 is th

Users are issued security tokens to be used in combination with a personalized identification number (PIN) to access the corporate virtual private network (VPN). Regarding the PIN, what is the MOST important rule to be included in a security policy?
Selec

You are correct, the answer is D.
If a user writes their PIN on a slip of paper, an individual with the token, the slip of paper, and the computer could access the corporate network. A token and the PIN is a two-factor authentication method. Access to the

An advantage in using a bottom-up vs. a top-down approach to software testing is that:
Select an answer:
A. interface errors are detected earlier.
B. confidence in the system is achieved earlier.
C. errors in critical modules are detected earlier.

D. majo

You are correct, the answer is C.
The bottom-up approach to software testing begins with the testing of atomic units, such as programs and modules, and works upward until a complete system testing has taken place. The advantages of using a bottom-up appro

The purpose of a checksum on an amount field in an electronic data interchange (EDI) communication of financial transactions is to ensure:
Select an answer:
A. integrity.
B. authenticity.
C. authorization.

D. nonrepudiation.

You answered D. The correct answer is A.
A checksum calculated on an amount field and included in the EDI communication can be used to identify unauthorized modifications. Authenticity and authorization cannot be established by a checksum alone and need o

An IS auditor is evaluating the controls around provisioning visitor access cards to the organization's IT facility. The IS auditor notes that daily reconciliation of visitor card inventory is not carried out as mandated. However, an inventory count carri

You answered B. The correct answer is C.
A. Absence of discrepancy in physical count only confirms absence of any impact, but cannot be a reason to overlook failure of operation of the control.

B. While the IS auditor may in some cases recommend a change

A project manager of a project that is scheduled to take 18 months to complete announces that the project is in a healthy financial position because, after six months, only one-sixth of the budget has been spent. The IS auditor should FIRST determine:
Sel

You are correct, the answer is A.
Cost performance of a project cannot be properly assessed in isolation of schedule performance. Cost cannot be assessed simply in terms of elapsed time on a project. To properly assess the project budget position it is ne

To ensure authentication, confidentiality and integrity of a message, the sender should encrypt the hash of the message with the sender's:
Select an answer:
A. public key and then encrypt the message with the receiver's private key.

B. private key and the

You answered C. The correct answer is B.
Obtaining the hash of the message ensures integrity; signing the hash of the message with the sender's private key ensures the authenticity of the origin, and encrypting the resulting message with the receiver's pu

Which of the following would BEST describe encrypting and decrypting data using an asymmetric encryption algorithm?
Select an answer:
A. Use the receiver's private key to decrypt data encrypted by the receiver's public key.

B. Use the sender's private key

You are correct, the answer is A.
In asymmetric encryption, if the message was encrypted by the receiver's public key, it can only be decrypted by the receiver's private key. It is impossible to use the sender's private key because it is supposed to be pr

When an employee is terminated from service, the MOST important action is to:
Select an answer:
A. hand over all of the employee's files to another designated employee.
B. complete a backup of the employee's work.

C. notify other employees of the terminat

You are correct, the answer is D.
There is a probability that a terminated employee may misuse access rights; therefore, disabling the terminated employee's logical access is the most important action to take. All the work of the terminated employee needs

An organization is replacing a payroll program that it developed in-house, with the relevant subsystem of a commercial enterprise resource planning (ERP) system. Which of the following would represent the HIGHEST potential risk?
Select an answer:

A. Undoc

You answered A. The correct answer is B.
The most significant risk after a payroll system conversion is not being able to pay employees in a timely and accurate manner. As a result, maintaining data integrity and accuracy during migration is paramount. Th

The BEST time for an IS auditor to assess the control specifications of a new application software package which is being considered for acquisition is during:
Select an answer:
A. the internal lab testing phase.
B. testing and prior to user acceptance.

C

You are correct, the answer is C.
The best time for the involvement of an IS auditor is at the beginning of the requirements definition of the development or acquisition of applications software. This provides maximum opportunity for review of the vendors

During an application audit, an IS auditor is asked to provide assurance of the database referential integrity. Which of the following should be reviewed?
Select an answer:
A. Field definition
B. Master table definition
C. Composite keys

D. Foreign key st

You are correct, the answer is D.
Referential integrity in a relational database refers to consistency between coupled tables. Referential integrity is usually enforced by the combination of a primary key or candidate key (alternate key) and a foreign key

The editing/validation of data entered at a remote site would be performed MOST effectively at the:
Select an answer:
A. central processing site after running the application system.

B. central processing site during the running of the application system.

You are correct, the answer is D.
It is important that the data entered from a remote site is edited and validated prior to transmission to the central processing site.

A medium-sized organization, whose IT disaster recovery measures have been in place and regularly tested for years, has just developed a formal business continuity plan (BCP). A basic BCP tabletop exercise has been performed successfully. Which testing sh

You answered B. The correct answer is D.
After a tabletop exercise has been performed, the next step would be a functional test, which includes the mobilization of staff to exercise the administrative and organizational functions of a recovery. Since the

To optimize an organization's business contingency plan (BCP), an IS auditor should recommend a business impact analysis (BIA) in order to determine:
Select an answer:

A. the business processes that generate the most financial value for the organization a

You are correct, the answer is C.
To ensure the organization's survival following a disaster, it is important to recover the most critical business processes first. It is a common mistake to overemphasize value (A) rather than urgency. For example, while

An IT auditor is reviewing an organization's information security policy, which requires encryption of all data placed on universal serial bus (USB) drives. The policy also requires that a specific encryption algorithm be used. Which of the following algo

You are correct, the answer is C.
AES provides the strongest encryption of all of the choices listed and would provide the greatest assurance that data are protected. Recovering data encrypted with AES is considered computationally infeasible and so AES i

An organization is considering using a new IT service provider. From an audit perspective, which of the following would be the MOST important item to review?
Select an answer:
A. References from other clients for the service provider
B. The physical secur

You are correct, the answer is C.
When contracting with a service provider, it is a best practice to enter into an SLA with the provider. An SLA is a guarantee that the provider will deliver the services according to the contract. Due diligence activities

An organization's disaster recovery plan should address early recovery of:
Select an answer:
A. all information systems processes.
B. all financial processing applications.
C. only those applications designated by the IS manager.
D. processing in priority

You are correct, the answer is D.
Business management should know which systems are critical and when they need to process well in advance of a disaster. It is management's responsibility to develop and maintain the plan. Adequate time will not be availab

An organization has established a guest network for visitor access. Which of the following should be of GREATEST concern to an IS auditor?
Select an answer:
A. A login screen is not displayed for guest users.
B. The guest network is not segregated from th

You are correct, the answer is B.
A. Using a web captive portal, which displays a login screen in the user's web browser, is a best practice to authenticate guests. However, if the guest network is not segregated from the production network, users could i

An IS auditor is to assess the suitability of a service level agreement (SLA) between the organization and the supplier of outsourced services. To which of the following observations should the IS auditor pay the MOST attention? The SLA does not contain a

You are correct, the answer is A.
The delivery of IT services for a specific customer always implies a close linkage between the client and the supplier of the service. If there are no contract terms to specify how the transition to a new supplier may be

Which of the following would normally be the MOST reliable evidence for an IS auditor?
Select an answer:
A. A confirmation letter received from a third party verifying an account balance
B. Assurance from line management that an application is working as

You answered B. The correct answer is A.
Evidence obtained from independent third parties almost always is considered to be the most reliable. Choices B, C and D would not be considered as reliable as choice A.

When performing a database review, an IS auditor notices that some tables in the database are not normalized. The IS auditor should next:
Select an answer:
A. recommend that the database be normalized.
B. review the conceptual data model.
C. review the st

You answered A. The correct answer is D.
If the database is not normalized, the IS auditor should review the justification since, in some situations, denormalization is recommended for performance reasons. The IS auditor should not recommend normalizing t

An IS auditor assesses the project management process for an internal software development project. In respect to the software functionality, the IS auditor should look for sign-off by:
Select an answer:
A. the project manager.
B. systems development mana

You are correct, the answer is C.
A. The project manager provides day-to-day management and leadership of the project and ensures that project activities remain in line with the overall direction.
B. Systems development management provides technical suppo

An IS auditor is assigned to perform a postimplementation review of an application system. Which of the following situations may have impaired the independence of the IS auditor? The IS auditor:Select an answer:

A. implemented a specific functionality du

You answered B. The correct answer is A.
Independence may be impaired if an IS auditor is, or has been, actively involved in the development, acquisition and implementation of the application system. Choices B and C are situations that do not impair an IS

Which of the following append themselves to files as a protection against viruses?
Select an answer:
A. Behavior blockers
B. Cyclical redundancy checkers (CRCs)
C. Immunizers
D. Active monitors

You answered B. The correct answer is C.
Immunizers defend against viruses by appending sections of themselves to files. They continuously check the file for changes and report changes as possible viral behavior. Behavior blockers focus on detecting poten

Which of the following is the MOST effective when determining the correctness of individual account balances migrated from one database to another?
Select an answer:
A. Compare the hash total before and after the migration.
B. Verify that the number of re

You are correct, the answer is C.
Performing sample testing of the migrated account balances will involve the comparison of a selection of individual transactions from the database before the migration. The hash total will only validate the data integrity

Which of the following should be of PRIMARY concern to an IS auditor reviewing the management of external IT service providers?
Select an answer:
A. Minimizing costs for the services provided
B. Prohibiting the provider from subcontracting services
C. Eva

You answered C. The correct answer is D.
From an IS auditor's perspective, the primary objective of auditing the management of service providers should be to determine if the services that were requested were provided in a way that is acceptable, seamless

An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production en

You answered C. The correct answer is B.
The matching of hash keys over time would allow detection of changes to files. Choice A is incorrect because having a log is not a control; reviewing the log is the control. Choice C is incorrect because the access w

When reviewing a project where quality is a major concern, an IS auditor should use the project management triangle to explain that:
Select an answer:
A. increases in quality can be achieved, even if resource allocation is decreased.
B. increases in quali

You answered B. The correct answer is A.
The three primary dimensions of a project are determined by the deliverables, the allocated resources and the delivery time. The area of the project management triangle, comprised of these three dimensions, is fixe

Which of the following situations would increase the likelihood of fraud?
Select an answer:
A. Application programmers are implementing changes to production programs.
B. Application programmers are implementing changes to test programs.
C. Operations sup

You are correct, the answer is A.
Production programs are used for processing an enterprise's data. It is imperative that controls on changes to production programs are stringent. Lack of control in this area could result in application programs being mod

A financial services organization is developing and documenting business continuity measures. In which of the following cases would an IS auditor MOST likely raise an issue?Select an answer:

A. The organization uses good practice guidelines instead of in

You answered C. The correct answer is B.
It is a common mistake to use scenario planning for business continuity. The problem is that it is impossible to plan and document actions for every possible scenario. Planning for just selected scenarios denies th

Which of the following types of risk could result from inadequate software baselining?
Select an answer:
A. Sign-off delays
B. Software integrity violations
C. Scope creep
D. Inadequate controls

You answered B. The correct answer is C.
A. Sign-off delays may occur due to inadequate software baselining; however, these are most likely caused by scope creep.
B. Software integrity violations can be caused by hardware or software failures, malicious i

Digital signatures require the:
Select an answer:
A. signer to have a public key and the receiver to have a private key.
B. signer to have a private key and the receiver to have a public key.
C. signer and receiver to have a public key.
D. signer and rece

You are correct, the answer is B.
Digital signatures are intended to verify to a recipient the integrity of the data and the identity of the sender. The digital signature standard is a public key algorithm. This requires the signer to have a private key a

The decisions and actions of an IS auditor are MOST likely to affect which of the following types of risk?
Select an answer:
A. Inherent
B. Detection
C. Control
D. Business

You are correct, the answer is B.
Detection risk is directly affected by the IS auditor's selection of audit procedures and techniques. Inherent risk is not usually affected by an IS auditor. Control risk can be mitigated by the actions of the company's m

Which of the following reports is the MOST appropriate source of information for an IS auditor to validate that an Internet service provider (ISP) has been complying with an enterprise service level agreement (SLA) for the availability of outsourced telec

You answered B. The correct answer is D.
The enterprise should use internally generated downtime reports to monitor the service provided by the ISP and, as available, to compare with the reports provided by the ISP. The ISP-generated downtime reports are

An IS auditor recommends that an initial validation control be programmed into a credit card transaction capture application. The initial validation process would MOST likely:Select an answer:

A. check to ensure that the type of transaction is valid for

You answered D. The correct answer is B.
The initial validation should confirm whether the card is valid. This validity is established through the card number and personal identification number (PIN) entered by the user. Based on this initial validation,

Which of the following penetration tests would MOST effectively evaluate incident handling and response capabilities of an organization?
Select an answer:
A. Targeted testing
B. External testing
C. Internal testing
D. Double-blind testing

You are correct, the answer is D.
In a double-blind test, the administrator and security staff are not aware of the test, which will result in an assessment of the incident handling and response capability in an organization. In targeted, external, and in

Which of the following provides the best evidence of the adequacy of a security awareness program?
Select an answer:
A. The number of stakeholders including employees trained at various levels
B. Coverage of training at all locations across the enterprise

You answered A. The correct answer is D.
The adequacy of security awareness content can best be assessed by determining whether it is periodically reviewed and compared to industry best practices. Choices A, B and C provide metrics for measuring various a

An IS auditor is reviewing a project risk assessment and notices that the overall risk level is high due to confidentiality requirements. Which of the following types of risk is normally high due to the number of users and business areas the project may a

You answered A. The correct answer is C.
A. Control risk can be high, but it would be due to internal controls not being identified, evaluated or tested, and would not be due to the number of users or business areas affected.
B. Compliance risk is the pen

An IS auditor should be concerned when a telecommunication analyst:
Select an answer:
A. monitors systems performance and tracks problems resulting from program changes.
B. reviews network load requirements in terms of current and future transaction volum

You are correct, the answer is A.
The responsibilities of a telecommunications analyst include reviewing network load requirements in terms of current and future transaction volumes (choice B), assessing the impact of network load or terminal response tim

Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an electronic funds transfer (EFT) system?
Select an answer:
A. Three users with the ability to capture and verify their own messages
B. Five users

You are correct, the answer is A.
The ability of one individual to capture and verify messages represents an inadequate segregation, since messages can be taken as correct and as if they had already been verified.

Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs?
Select an answer:
A. System log analysis
B. Compliance testing
C. Forensic analysis
D. Analytical review

You answered A. The correct answer is B.
Determining that only authorized modifications are made to production programs would require the change management process be reviewed to evaluate the existence of a trail of documentary evidence. Compliance testin

At a hospital, medical personnel carry handheld computers which contain patient health data. These handheld computers are synchronized with PCs which transfer data from a hospital database. Which of the following would be of the most importance?
Select an

You are correct, the answer is A.
Data confidentiality is a major requirement of privacy regulations. Choices B, C and D relate to internal security requirements, and are secondary when compared to compliance with data privacy laws.

During a system development life cycle (SDLC) audit of a human resources (HR) and payroll application, the IS auditor notes that the data used for user acceptance testing (UAT) have been masked. The purpose of masking the data is to ensure the:
Select an

You are correct, the answer is A.
A. Masking the data is used to ensure the confidentiality of data, especially in a UAT exercise in which the testers have access to data that they would not have access to in normal production environments.
B. Masking the

An IS auditor is reviewing a monthly accounts payable transaction register using audit software. For what purpose would the auditor be interested in using a check digit?
Select an answer:
A. To detect data transposition errors.
B. To ensure that transacti

You answered B. The correct answer is A.
A. A check digit is a numeric value added to data to ensure that original data are correct and have not been altered.
B. Ensuring that data have not exceeded a predetermined amount is a limit check.
C. Ensuring tha

An IS auditor is reviewing a large financial institution's process of remotely managing network devices over the Internet. The IS auditor should be MOST concerned if:
Select an answer:
A. shared credentials are used.
B. no login banner is displayed.
C. Te

You are correct, the answer is C.
A. Shared credentials for network devices do not allow for accountability. However, the use of Telnet is a greater risk.
B. Normally a login banner should indicate to unauthorized personnel that access is forbidden. Lack

Which of the following is MOST indicative of the effectiveness of an information security awareness program?
Select an answer:
A. Employees report more information regarding security incidents.
B. All employees have signed the information security policy.

You are correct, the answer is A.
Although the promotion of security awareness is a preventive control, it can also be a detective measure because it encourages people to identify and report possible security violations. Choice A is the correct answer bec

An IS auditor reviews an organizational chart PRIMARILY for:
Select an answer:
A. an understanding of workflows.
B. investigating various communication channels.
C. understanding the responsibilities and authority of individuals.
D. investigating the netw

You answered A. The correct answer is C.
An organizational chart provides information about the responsibilities and authority of individuals in the organization. This helps an IS auditor to know if there is a proper segregation of functions. A workflow c

The PRIMARY reason an IS auditor performs a functional walk-through during the preliminary phase of an audit assignment is to:
Select an answer:
A. understand the business process.
B. comply with auditing standards.
C. identify control weakness.
D. plan s

You answered C. The correct answer is A.
Understanding the business process is the first step an IS auditor needs to perform. ISACA IT audit and assurance standards encourage adoption of the audit procedures/processes required to assist the IS auditor in

An IS auditor is planning an audit of a bank wire transfer system in the context of a regulation that requires banks to accurately report transactions. Which of the following represents the PRIMARY focus of the audit scope?Select an answer:

A. Data avail

You answered A. The correct answer is D.
Integrity represents accuracy of data and confidentiality represents availability of data to the customers or persons authorized by customers. Although choices A, B and C are important, they are not as important in

When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:
Select an answer:
A. controls needed to mitigate risk are in place.
B. vulnerabilities and threats are identified.
C. audit risk is considered.
D.

You answered A. The correct answer is B.
In developing a risk-based audit strategy, it is critical that the risk and vulnerabilities be understood. This will determine the areas to be audited and the extent of coverage. Understanding whether appropriate c

An IS auditor performing an independent classification of systems should consider a situation where functions could be performed manually at a tolerable cost for an extended period of time as:
Select an answer:
A. critical.
B. vital.
C. sensitive.
D. nonc

You answered D. The correct answer is C.
Sensitive functions are best described as those that can be performed manually at a tolerable cost for an extended period of time. Critical functions are those that cannot be performed unless they are replaced by i

An IS auditor finds that user acceptance testing of a new system is being repeatedly interrupted by defect fixes from the developers. Which of the following would be the BEST recommendation for an IS auditor to make?Select an answer:

A. Consider the feas

You answered B. The correct answer is A.
A separate environment or environments is normally necessary for testing to be efficient and effective, and to ensure the integrity of production code. It is important that the development and testing code base be

An organization provides information to its supply chain partners and customers through an extranet infrastructure. Which of the following should be the GREATEST concern to an IS auditor reviewing the firewall security architecture?Select an answer:

A. A

You are correct, the answer is D.
The greatest concern when implementing firewalls on top of commercial operating systems is the potential presence of vulnerabilities that could undermine the security posture of the firewall platform itself. In most circu

Which of the following sampling methods would be the MOST effective to determine whether purchase orders issued to vendors have been authorized as per the authorization matrix?
Select an answer:
A. Variable sampling
B. Stratified mean per unit
C. Attribut

You answered D. The correct answer is C.
Attribute sampling is the method used for compliance testing. In this scenario, the operation of control is being evaluated, and therefore attribute sampling should be used to determine whether the purchase orders

When testing program change requests, an IS auditor finds that the population of changes was too small to provide a reasonable level of assurance. What is the MOST appropriate action for the IS auditor to take?Select an answer:

A. Develop an alternate te

You answered B. The correct answer is A.
If a sample size objective cannot be met with the given data, the IS auditor would not be able to provide assurance regarding the testing objective. In this instance, the IS auditor should develop (with audit manag

An IS audit department is considering implementing continuous auditing techniques for a multinational retail enterprise that processes a large volume of transactions per day. A PRIMARY benefit of continuous auditing is that:Select an answer:

A. effective

You answered B. The correct answer is D.
A. Continuous monitoring is detective in nature, and therefore does not necessarily assist the IS auditor in monitoring for preventive controls. The approach will detect and monitor for errors that have already occ

After a disaster declaration, the media creation date at a warm recovery site is based on the:
Select an answer:
A. recovery point objective (RPO).
B. recovery time objective (RTO).
C. service delivery objective (SDO).
D. maximum tolerable outage (MTO).

You answered B. The correct answer is A.
A. The RPO is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the p

The GREATEST advantage of rapid application development (RAD) over the traditional system development life cycle (SDLC) is that it:
Select an answer:
A. facilitates user involvement.
B. allows early testing of technical features.
C. facilitates conversion

You are correct, the answer is D.
The greatest advantage of RAD is the shorter time frame for the development of a system. Choices A and B are true, but they are also true for the traditional systems development life cycle. Choice C is not necessarily alw

A database administrator (DBA) who needs to make emergency changes to a database after normal working hours should log in:
Select an answer:
A. with their named account to make the changes.
B. with the shared DBA account to make the changes.
C. to the ser

You are correct, the answer is A.
Logging in using the named user account before using the DBA account provides accountability by noting the person making the changes. The DBA account is typically a shared user account. The shared account makes it difficu

An employee has received a digital photo frame as a gift and has connected it to his/her work PC to transfer digital photos. The PRIMARY risk that this scenario introduces is that:Select an answer:

A. the photo frame storage media could be used to steal

You answered A. The correct answer is D.
Any storage device can be a vehicle for infecting other computers with malware. Recently, it has been discovered that some devices are infected in the factory during the manufacturing process and controls should ex

The FIRST step in data classification is to:
Select an answer:
A. establish ownership.
B. perform a criticality analysis.
C. define access rules.
D. create a data dictionary.

You answered B. The correct answer is A.
Data classification is necessary to define access rules based on a need-to-do and need-to-know basis. The data owner is responsible for defining the access rules; therefore, establishing ownership is the first step

Which of the following is a PRIMARY objective of embedding an audit module while developing online application systems?
Select an answer:
A. To collect evidence while transactions are processed
B. To reduce requirements for periodic internal audits
C. To

You answered D. The correct answer is A.
A. Embedding a module for continuous auditing within an application processing a large number of transactions provides timely collection of audit evidence during processing and is the primary objective. The continu

Which of the following is the MOST important criterion when selecting a location for an offsite storage facility for IS backup files? The offsite facility must be:Select an answer:

A. physically separated from the data center and not subject to the same

You are correct, the answer is A.
It is important that there be an offsite storage location for IS files and that it be in a location not subject to the same risk as the primary data center. The other choices are all issues that must be considered when es

A comprehensive and effective email policy should address the issues of email structure, policy enforcement, monitoring and:
Select an answer:
A. recovery.
B. retention.
C. rebuilding.
D. reuse.

You answered A. The correct answer is B.
Besides being a good practice, laws and regulations may require that an organization keep information that has an impact on the financial statements. The prevalence of lawsuits in which email communication is held

An IS auditor reviewing digital rights management (DRM) applications should expect to find an extensive use for which of the following technologies?
Select an answer:
A. Digitalized signatures
B. Hashing
C. Parsing
D. Steganography

You answered A. The correct answer is D.
Steganography is a technique for concealing the existence of messages or information. An increasingly important steganographical technique is digital watermarking, which hides data within data, e.g., by encoding ri

An IS auditor is reviewing database security for an organization. Which of the following is the MOST important consideration for database hardening?
Select an answer:
A. The default configurations are changed.
B. All tables in the database are normalized.

You are correct, the answer is A.
Default database configurations, such as default passwords and services, need to be changed; otherwise, the database could be easily compromised by malicious code and by intruders. Choice B is not correct because it is re

An IS auditor has been assigned to conduct a test that compares job run logs to computer job schedules. Which of the following observations would be of the GREATEST concern to the IS auditor?Select an answer:

A. There are a growing number of emergency ch

You are correct, the answer is C.
The overriding of computer processing jobs by computer operators could lead to unauthorized changes to data or programs. This is a control concern; thus, it is always critical. The other options are not as critical becaus

The PRIMARY outcome of a business impact analysis (BIA) is:
Select an answer:
A. a plan for resuming operations after a disaster.
B. a commitment of the organization to physical and logical security.
C. a framework for an effective disaster recovery plan

You are correct, the answer is D.
A. A BIA does establish a starting point for planning how to resume operations after a disaster. This is, however, not the primary purpose of a BIA.
B. The public's perception of an organization's physical and logical sec

Which of the following will BEST ensure the successful offshore development of business applications?
Select an answer:
A. Stringent contract management practices
B. Detailed and correctly applied specifications
C. Awareness of cultural and political diff

You are correct, the answer is B.
When dealing with offshore operations, it is essential that detailed specifications be created. Language differences and a lack of interaction between developers and physically remote end users could create gaps in commun

Which of the following systems or tools can recognize that a credit card transaction is more likely to have resulted from a stolen credit card than from the holder of the credit card?
Select an answer:
A. Intrusion detection systems
B. Data mining techniq

You are correct, the answer is B.
Data mining is a technique used to detect trends or patterns of transactions or data. If the historical pattern of charges against a credit card account is changed, then it is a flag that the transaction may have resulted

A hard disk containing confidential data was damaged beyond repair. What should be done to the hard disk to prevent access to the data residing on it?
Select an answer:
A. Rewrite the hard disk with random 0s and 1s.
B. Low-level format the hard disk.
C.

You are correct, the answer is D.
Physically destroying the hard disk is the most economical and practical way to ensure that the data cannot be recovered. Rewriting data and low-level formatting are impractical, because the hard disk is damaged. Demagnet

In a review of the human resources policies and procedures within an organization, an IS auditor would be MOST concerned with the absence of a:
Select an answer:
A. requirement for job rotation on a periodic basis.
B. process for formalized exit interview

You answered A. The correct answer is C.
A termination checklist is critical to ensure the logical and physical security of an enterprise. In addition to preventing the loss of company property issued to the employee, there is the risk of unauthorized acc

During a disaster recovery test, an IS auditor observes that the performance of the disaster recovery site's server is slow. To find the root cause of this, the IS auditor should FIRST review the:Select an answer:

A. event error log generated at the disa

You answered A. The correct answer is D.
Since the configuration of the system is the most probable cause, the IS auditor should review that first. If the issue cannot be clarified, the IS auditor should then review the event error log. The disaster recov

Before implementing an IT balanced scorecard (BSC), an organization must:
Select an answer:
A. deliver effective and efficient services.
B. define key performance indicators.
C. provide business value to IT projects.
D. control IT expenses.

You are correct, the answer is B.
A definition of key performance indicators is required before implementing an IT BSC. Choices A, C and D are objectives.

The waterfall life cycle model of software development is most appropriately used when:
Select an answer:
A. requirements are well understood and are expected to remain stable, as is the business environment in which the system will operate.
B. requiremen

You are correct, the answer is A.
Historically, the waterfall model has been best suited to the stable conditions described in choice A. When the degree of uncertainty of the system to be delivered and the conditions in which it will be used rises, the wa

An organization is implementing an enterprise resource planning (ERP) application. Of the following, who is PRIMARILY responsible for overseeing the project in order to ensure that it is progressing in accordance with the project plan and that it will del

You are correct, the answer is C.
A project steering committee that provides an overall direction for the ERP implementation project is responsible for reviewing the project's progress to ensure that it will deliver the expected results. A project sponsor

The MOST likely explanation for a successful social engineering attack is:
Select an answer:
A. that computers make logic errors.
B. that people make judgment errors.
C. the computer knowledge of the attackers.
D. the technological sophistication of the a

You are correct, the answer is B.
Humans make errors in judging others; they may trust someone when, in fact, the person is untrustworthy. Driven by logic, computers make the same error every time they execute the erroneous logic; however, this is not the

During a postimplementation review of a firewall upgrade project, an IS auditor discovered that several ports were left open that were not required for business purposes. It was determined that the ports were opened for a test server that was no longer be

You answered A. The correct answer is D.
The best and most effective method for the enterprise to verify that its firewall rule base is correct is to perform periodic reviews itself. While documenting firewall rule changes is important, the only way to ga

During maintenance of a relational database, several values of the foreign key in a transaction table have been corrupted. The consequence is that:
Select an answer:
A. the detail of involved transactions may no longer be associated with master data, caus

You are correct, the answer is A.
When the external key of a transaction is corrupted or lost, the application system will normally be incapable of directly attaching the master data to the transaction data. This will normally cause the system to undertak

An IS auditor reviewing database controls discovered that changes to the database during normal working hours were handled through a standard set of procedures. However, changes made after normal hours required only an abbreviated number of steps. In this

You are correct, the answer is C.
The use of a DBA user account is normally set up to log all changes made and is most appropriate for changes made outside of normal hours. The use of a log, which records the changes, allows changes to be reviewed. The us

An organization's IS audit charter should specify the:
Select an answer:
A. short- and long-term plans for IS audit engagements.
B. objectives and scope of IS audit engagements.
C. detailed training plan for the IS audit staff.
D. role of the IS audit fun

You answered B. The correct answer is D.
An IS audit charter establishes the role of the information systems audit function. The charter should describe the overall authority, scope, and responsibilities of the audit function. It should be approved by the

An IS auditor is planning an audit of a bank wire transfer system in the context of a regulation that requires banks to accurately report transactions. Which of the following represents the PRIMARY focus of the audit scope?
Select an answer:
A. Data avail

You are correct, the answer is D.
Integrity represents accuracy of data and confidentiality represents availability of data to the customers or persons authorized by customers. Although choices A, B and C are important, they are not as important in this c

Which of the following database controls would ensure that the integrity of transactions is maintained in an online transaction processing system's database?
Select an answer:
A. Authentication controls
B. Data normalization controls
C. Read/write access

You are correct, the answer is D.
Commitment and rollback controls are directly relevant to integrity. These controls ensure that database operations that form a logical transaction unit will complete in its entirety or not at all; i.e., if, for some reas

A key IT systems developer has suddenly resigned from an enterprise. Which of the following will be the MOST important action?
Select an answer:
A. Set up an exit interview with human resources (HR).
B. Initiate the handover process to ensure continuity o

You are correct, the answer is C.
In order to protect IT assets, terminating logical access to IT resources is the first and most important action to take once management has confirmed the employee's clear intention to leave the enterprise. The interview

An advantage in using a bottom-up vs. a top-down approach to software testing is that:
Select an answer:
A. interface errors are detected earlier.
B. confidence in the system is achieved earlier.
C. errors in critical modules are detected earlier.
D. majo

You are correct, the answer is C.
The bottom-up approach to software testing begins with the testing of atomic units, such as programs and modules, and works upward until a complete system testing has taken place. The advantages of using a bottom-up appro

Which of the following message services provides the STRONGEST evidence that a specific action has occurred?
Select an answer:
A. Proof of delivery
B. Nonrepudiation
C. Proof of submission
D. Message origin authentication

You are correct, the answer is B.
Nonrepudiation services provide evidence that a specific action occurred. Nonrepudiation services are similar to their weaker proof counterparts, i.e., proof of submission, proof of delivery and message origin authenticat

Functional acknowledgements are used:
Select an answer:
A. as an audit trail for electronic data interchange (EDI) transactions.
B. to functionally describe the IS department.
C. to document user roles and responsibilities.
D. as a functional description

You answered C. The correct answer is A.
Functional acknowledgments are standard EDI transactions that tell trading partners that their electronic documents were received. Different types of functional acknowledgments provide various levels of detail and,

Event log entries related to failed local administrator logon attempts are observed by the IS auditor. Which of the following is the MOST likely cause of multiple failed login attempts?
Select an answer:
A. SYN flood attacks
B. Social engineering
C. Buffe

You are correct, the answer is D.
Malicious code and Trojans commonly attempt to log on to administrator accounts. A SYN attack is a denial-of-service (DoS) attack on a particular network service and does not log on to administrator accounts. Social engin

Two-factor authentication can be circumvented through which of the following attacks?
Select an answer:
A. Denial-of-service
B. Man-in-the-middle
C. Key logging
D. Brute force

You answered C. The correct answer is B.
A man-in-the-middle attack is similar to piggybacking, in that the attacker pretends to be the legitimate destination, and then merely retransmits whatever is sent by the authorized user along with additional trans

Which of the following will MOST successfully identify overlapping key controls in business application systems?
Select an answer:
A. Reviewing system functionalities that are attached to complex business processes
B. Submitting test transactions through

You answered B. The correct answer is C.
As part of the effort to realize continuous audit management (CAM), there are cases for introducing an automated monitoring and auditing solution. All key controls need to be clearly aligned for systematic implemen

The phases and deliverables of a system development life cycle (SDLC) project should be determined:
Select an answer:
A. during the initial planning stages of the project.
B. after early planning has been completed, but before work has begun.
C. throughou

You are correct, the answer is A.
It is extremely important that the project be planned properly and that the specific phases and deliverables be identified during the early stages of the project.

In auditing a database environment, an IS auditor will be MOST concerned if the database administrator (DBA) is performing which of the following functions?
Select an answer:
A. Performing database changes according to change management procedures
B. Inst

You are correct, the answer is B.
Installing patches or upgrades to the operating system is a function that should be performed by a systems administrator, not by a DBA. If a DBA were performing this function, there would be a risk based on inappropriate

Which of the following should be an IS auditor's PRIMARY concern after discovering that the scope of an IS project has changed and an impact study has not been performed?
Select an answer:
A. The time and cost implications caused by the change
B. The risk

You are correct, the answer is A.
Any scope change might have an impact on duration and cost of the project; that is the reason why an impact study is conducted and the client is informed of the potential impact on the schedule and cost. A change in scope

A business application system accesses a corporate database using a single ID and password embedded in a program. Which of the following would provide efficient access control over the organization's data?
Select an answer:
A. Introduce a secondary authen

You are correct, the answer is B.
When a single ID and password are embedded in a program, the best compensating control would be a sound access control over the application layer and procedures to ensure access to data is granted based on a user's role.

Establishing the level of acceptable risk is the responsibility of:
Select an answer:
A. quality assurance management.
B. senior business management.
C. the chief information officer.
D. the chief security officer.

You are correct, the answer is B.
Senior management should establish the acceptable risk level, since they have the ultimate or final responsibility for the effective and efficient operation of the organization. Choices A, C and D should act as advisors t

In evaluating programmed controls over password management, which of the following is the IS auditor MOST likely to rely on?
Select an answer:
A. A size check
B. A hash total
C. A validity check
D. A field check

You are correct, the answer is C.
A validity check would be the most useful for the verification of passwords because it would verify that the required format has been used, for example, not using a dictionary word, including non-alphabetical characters, e

Which of the following would be the MOST appropriate recovery strategy for a sensitive system with a high recovery time objective (RTO)?
Select an answer:
A. Warm site
B. Hot site
C. Cold site
D. Mobile recovery site

You are correct, the answer is C.
Sensitive systems having a high RTO can be performed manually at a tolerable cost for an extended period of time. The cold site would be the most cost-effective solution for such a system. While a warm site may be a good

Comparing data from an accounts payable application with invoices received from vendors in the month of December is BEST described as:
Select an answer:
A. substantive testing.
B. compliance testing.
C. qualitative analysis.
D. judgment sampling.

You are correct, the answer is A.
A. Substantive testing involves obtaining audit evidence on the completeness, accuracy or existence of data at the individual transaction level. This can be achieved by comparing the data in the application to the base do

When developing a security architecture, which of the following steps should be executed FIRST?
Select an answer:
A. Developing security procedures
B. Defining a security policy
C. Specifying an access control methodology
D. Defining roles and responsibil

You answered D. The correct answer is B.
Defining a security policy for information and related technology is the first step toward building a security architecture. A security policy communicates a coherent security standard to users, management and tech

An IS auditor reviewing a database discovers that the current configuration does not match the originally designed structure. Which of the following should be the IS auditor's next action?
Select an answer:
A. Analyze the need for the structural change.
B

You answered C. The correct answer is D.
An IS auditor should first determine whether the modifications were properly approved. Choices A, B and C are possible subsequent actions should the IS auditor find that the structural modification had not been app

Which of the following is the PRIMARY reason IS auditors conduct risk assessments?
Select an answer:
A. To focus effort on areas of highest business impact
B. To maintain the organization's risk register
C. To enable management to choose the correct risk

You are correct, the answer is A.
A. Risk assessments form the basis of audit department management and are used to determine potential areas on which to focus audit efforts and resources. A risk assessment is the process used to identify and evaluate ris

An IS auditor is reviewing the risk management process. Which of the following is the MOST important consideration during this review?
Select an answer:
A. Controls are implemented based on cost-benefit analysis.
B. The risk management framework is based

You answered A. The correct answer is D.
A. Controls to mitigate risk must be implemented based on cost-benefit analysis; however, the cost-benefit analysis is effective only if risk is presented in business terms.
B. A risk management framework based on

Which of the following should be of PRIMARY concern to an IS auditor reviewing the management of external IT service providers?
Select an answer:
A. Minimizing costs for the services provided
B. Prohibiting the provider from subcontracting services
C. Eva

You are correct, the answer is D.
From an IS auditor's perspective, the primary objective of auditing the management of service providers should be to determine if the services that were requested were provided in a way that is acceptable, seamless and in

To aid management in achieving IT and business alignment, an IS auditor should recommend the use of:
Select an answer:
A. control self-assessments.
B. a business impact analysis (BIA).
C. an IT balanced scorecard (BSC).
D. business process reengineering (

You answered B. The correct answer is C.
An IT BSC provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability

While reviewing sensitive electronic work papers, the IS auditor noticed that they were not encrypted. This could compromise the:
Select an answer:
A. audit trail of the versioning of the work papers.
B. approval of the audit phases.
C. access rights to t

You are correct, the answer is D.
Encryption provides confidentiality for the electronic work papers. Audit trails, audit phase approvals and access to the work papers do not, of themselves, affect the confidentiality but are part of the reason for requir

When performing a postimplementation review of a software development project for a highly secure application, it is MOST important to confirm that:
Select an answer:
A. vulnerability testing was performed.
B. the project was formally closed.
C. the proje

You are correct, the answer is D.
A. Vulnerability testing may be incorporated into the system development process; however, it is most important that business requirements were met.
B. Formally closing the project is important, but the primary goal of me

An IS auditor has been asked to participate in project initiation meetings for a critical project. The IS auditor's MAIN concern should be that the:
Select an answer:
A. complexity and risk associated with the project have been analyzed.
B. resources need

You answered D. The correct answer is A.
Understanding complexity and risk, and actively managing these throughout a project are critical to a successful outcome. The other choices, while important during the course of the project, cannot be fully determi

An enterprise's risk appetite is BEST established by:
Select an answer:
A. the chief legal officer.
B. security management.
C. the audit committee.
D. the steering committee.

You are correct, the answer is D.
The steering committee is best suited to determine the enterprise's risk appetite because the committee draws its representation from senior management. Although chief legal officers can give guidance regarding legal issu

The vice president of human resources has requested an audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation?
Select an answer:
A. Test data
B. Generalized audit software
C. Integrat

You are correct, the answer is B.
Generalized audit software features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations. An IS auditor, using generalized audit software, could

Which of the following controls would provide the GREATEST assurance of database integrity?
A. Audit log procedures
B. Table link/reference checks
C. Query/table access time checks
D. Rollback and rollforward database features

You answered D. The correct answer is B.
Performing table link/reference checks serves to detect table linking errors (such as completeness and accuracy of the contents of the database), and thus provides the greatest assurance of database integrity. Audi

Which of the following is the MOST effective control when granting temporary access to vendors?
Select an answer:
A. Vendor access corresponds to the service level agreement (SLA).
B. User accounts are created with expiration dates and are based on servic

You are correct, the answer is B.
The most effective control is to ensure that the granting of temporary access is based on services to be provided and that there is an expiration date (automated is best) associated with each ID. The use of an identity ma

To ensure that audit resources deliver the best value to the organization, the FIRST step would be to:
Select an answer:
A. schedule the audits and monitor the time spent on each audit.
B. train the IS audit staff on current technology used in the company

You are correct, the answer is C.
Monitoring the time (choice A) and audit programs (choice D), as well as adequate training (choice B), will improve the IS audit staff's productivity (efficiency and performance), but that which delivers value to the orga

An IS auditor is reviewing an IT security risk management program. Measures of security risk should:
Select an answer:
A. address all of the network risk.
B. be tracked over time against the IT strategic plan.
C. take into account the entire IT environmen

You are correct, the answer is C.
When assessing IT security risk, it is important to take into account the entire IT environment. Measures of security risk should focus on those areas with the highest criticality so as to achieve maximum risk reduction a

Which of the following would be evaluated as a preventive control by an IS auditor performing an audit?
Select an answer:
A. Transaction logs
B. Before and after image reporting
C. Table lookups
D. Tracing and tagging

You answered A. The correct answer is C.
Table lookups are preventive controls; data are checked against predefined tables, which prevent any undefined data to be entered. Transaction logs are a detective control and provide audit trails. Before and after

Which of the following BEST helps an IS auditor evaluate the quality of programming activities related to future maintenance capabilities?
Select an answer:
A. The programming language
B. The development environment
C. A version control system
D. Program

You are correct, the answer is D.
A. The programming language may be a concern if it is not a commonly used language; however, program coding standards are more important.
B. The development environment may be relevant to evaluate the efficiency of the pr

The application systems of an organization using open-source software have no single recognized developer producing patches. Which of the following would be the MOST secure way of updating open-source software?
Select an answer:
A. Rewrite the patches and

You are correct, the answer is D.
Suitable patches from the existing developers should be selected and tested before applying them.

Rewriting the patches and applying them is not a correct answer because it would require skilled resources and time to rewr

Which of the following does a lack of adequate controls represent?
Select an answer:
A. An impact
B. A vulnerability
C. An asset
D. A threat

You answered D. The correct answer is B.
A. Impact is the measure of the financial loss that a threat event may have.
B. The lack of adequate controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, att

Many IT projects experience problems because the development time and/or resource requirements are underestimated. Which of the following techniques would provide the GREATEST assistance in developing an estimate of project duration?
Select an answer:
A.

You are correct, the answer is B.
A PERT chart will help determine project duration once all the activities and the work involved with those activities are known. Function point analysis is a technique for determining the size of a development task based

An IS auditor is conducting a compliance audit of a health care organization operating an online system that contains sensitive health care information. Which of the following should an IS auditor FIRST review?
Select an answer:
A. Network diagram and fir

You are correct, the answer is C.
Legal and regulatory requirements will define the audit criteria and should therefore be reviewed first. The other choices support the organization's approach to adhering to the requirements.

Which of the following is the most important element in the design of a data warehouse?
Select an answer:
A. Quality of the metadata
B. Speed of the transactions
C. Volatility of the data
D. Vulnerability of the system

You are correct, the answer is A.
Quality of the metadata is the most important element in the design of a data warehouse. A data warehouse is a copy of transaction data specifically structured for query and analysis. Metadata aim to provide a table of co

The BEST method of confirming the accuracy of a system tax calculation is by:
Select an answer:
A. detailed visual review and analysis of the source code of the calculation programs.
B. recreating program logic using generalized audit software to calculat

You answered D. The correct answer is C.
Preparing simulated transactions for processing and comparing the results to predetermined results is the best method for confirming the accuracy of a tax calculation. Detailed visual review, flowcharting and analy

When reviewing the configuration of network devices, an IS auditor should FIRST identify:
Select an answer:
A. the best practices for the type of network devices deployed.
B. whether components of the network are missing.
C. the importance of the network

You are correct, the answer is C.
The first step is to understand the importance and role of the network device within the organization's network topology. After understanding the devices in the network, the best practice for using the device should be re

Which of the following is a risk of cross-training?
Select an answer:
A. Increases the dependence on one employee
B. Does not assist in succession planning
C. One employee may know all parts of a system
D. Does not help in achieving a continuity of operat

You are correct, the answer is C.
When cross-training, it would be prudent to first assess the risk of any person knowing all parts of a system and what exposures this may cause. Cross-training has the advantage of decreasing dependence on one employee an

An organization having a number of offices across a wide geographical area has developed a disaster recovery plan. Using actual resources, which of the following is the MOST cost-effective test of the disaster recovery plan?
Select an answer:
A. Full oper

You are correct, the answer is B.
A preparedness test is performed by each local office/area to test the adequacy of the preparedness of local operations for disaster recovery. A paper test is a structured walk-through of the disaster recovery plan and sh

An enterprise is developing a new procurement system, and things are behind schedule. As a result, it is proposed that the time originally planned for the testing phase be shortened. The project manager asks the IS auditor for recommendations to mitigate

You are correct, the answer is A.
Choice A reduces risk in a number of ways. Reduced functionality should result in fewer overall test cases to run and defects to fix and retest, and in less regression testing. A pilot release made available to a select g

The MOST important difference between hashing and encryption is that hashing:
Select an answer:
A. is irreversible.
B. output is the same length as the original message.
C. is concerned with integrity and security.
D. is the same at the sending and receiv

You are correct, the answer is A.
Hashing works one way; by applying a hashing algorithm to a message, a message hash/digest is created. If the same hashing algorithm is applied to the message digest, it will not result in the original message. As such, h

When installing an intrusion detection system (IDS), which of the following is MOST important?
Select an answer:
A. Properly locating it in the network architecture
B. Preventing denial-of-service (DoS) attacks
C. Identifying messages that need to be quar

You are correct, the answer is A.
Proper location of an IDS in the network is the most important decision during installation. A poorly located IDS could leave key areas of the network unprotected. Choices B, C and D are concerns during the configuration

Which of the following is widely accepted as one of the critical components in networking management?
Select an answer:
A. Configuration management
B. Topological mappings
C. Application of monitoring tools
D. Proxy server troubleshooting

You are correct, the answer is A.
Configuration management is widely accepted as one of the key components of any network, since it establishes how the network will function internally and externally. It also deals with the management of configuration and

Which of the following technologies is the BEST defense against a distributed denial-of-service (DDoS) attack?
Select an answer:
A. Stateful inspection firewall
B. Cloud computing
C. Load balancing
D. Multiple Internet service provider (ISP) connections

You are correct, the answer is C.
A. While a stateful packet inspection firewall can help defend against certain types of network attacks, neither the firewall nor the web server itself can differentiate DDoS attack traffic from normal web traffic. Theref

Which of the following recovery strategies is MOST appropriate if the recovery time objective (RTO) is high?
Select an answer:
A. Warm site
B. Cold site
C. Hot site
D. Mobile site

You answered C. The correct answer is B.
A. If the RTO is high, it is financially reckless to use a warm site.
B. If the RTO is high, then the acceptable downtime is high. A cold site will be appropriate in such situations.
C. If the RTO is high a hot sit

As an outcome of information security governance, strategic alignment provides:
Select an answer:
A. security requirements driven by enterprise requirements.
B. baseline security following best practices.
C. institutionalized and commoditized solutions.
D

You are correct, the answer is A.
Information security governance, when properly implemented, should provide four basic outcomes: strategic alignment, value delivery, risk management and performance measurement. Strategic alignment provides input for secu

The Secure Sockets Layer (SSL) protocol addresses the confidentiality of a message through:
Select an answer:
A. symmetric encryption.
B. message authentication code.
C. hash function.
D. digital signature certificates.

You are correct, the answer is A.
SSL uses a symmetric key for message encryption. A message authentication code is used for ensuring data integrity. Hash function is used for generating a message digest; it does not use public key encryption for message

An IS auditor reviewing the process to monitor access logs wishes to evaluate the manual log review process. Which of the following audit techniques would the auditor MOST likely employ to fulfill this purpose?
Select an answer:
A. Inspection
B. Inquiry
C

You answered A. The correct answer is C.
A. Inspection is just one component of a walk-through and by itself does not supply enough information to provide a full understanding of the overall process and identify potential control weaknesses.
B. Inquiry pr

Online banking transactions are being posted to the database when processing suddenly comes to a halt. The integrity of the transaction processing is BEST ensured by:
Select an answer:
A. database integrity checks.
B. validation checks.
C. input controls.

You are correct, the answer is D.
Database commits ensure the data are saved to disk, while the transaction processing is underway or complete. Rollback ensures that the already completed processing is reversed back, and the data already processed are not

Which significant risk is introduced by running the file transfer protocol (FTP) service on a server in a demilitarized zone (DMZ)?
Select an answer:
A. A user from within could send a file to an unauthorized person.
B. FTP services could allow a user to

You answered A. The correct answer is C.
Since FTP is considered an insecure protocol, it should not be installed on a server in a DMZ. FTP could allow an unauthorized user to gain access to the network. Sending files to an unauthorized person and the ris

Which of the following software testing methods provides the BEST feedback on how software will perform in the live environment?
Select an answer:
A. Alpha testing
B. Regression testing
C. Beta testing
D. White box testing

You are correct, the answer is C.
A. Alpha testing is often performed only by users within the organization developing the software. Alpha testing generally involves a software version that does not contain all the features of the final product and may be

Which of the following is an advantage of the top-down approach to software testing?
Select an answer:
A. Interface errors are identified early.
B. Testing can be started before all programs are complete.
C. It is more effective than other testing approac

You are correct, the answer is A.
The advantage of the top-down approach is that tests of major functions are conducted early, thus enabling the detection of interface errors sooner. The most effective testing approach is dependent on the environment bein

An IS auditor examining the security configuration of an operating system should review the:
Select an answer:
A. transaction logs.
B. authorization tables.
C. parameter settings.
D. routing tables.

You answered A. The correct answer is C.
Parameters allow a standard piece of software to be customized for diverse environments and are important in determining how a system runs. The parameter settings should be appropriate to an organization's workload

Which of the following backup techniques is the MOST appropriate when an organization requires extremely granular data restore points, as defined in the recovery point objective (RPO)?
Select an answer:
A. Virtual tape libraries
B. Disk-based snapshots
C.

You answered D. The correct answer is C.
RPO is based on the acceptable data loss in the case of a disruption. In this scenario the organization needs a short RPO. Virtual tape libraries, disk-based snapshots and disk-to-tape backup would require time to

Which of the following physical access controls effectively reduces the risk of piggybacking?
Select an answer:
A. Biometric door locks
B. Combination door locks
C. Deadman doors
D. Bolting door locks

You are correct, the answer is C.
Deadman doors use a pair of doors. For the second door to operate, the first entry door must close and lock with only one person permitted in the holding area. This effectively reduces the risk of piggybacking. An individ

During a logical access controls review, an IS auditor observes that user accounts are shared. The GREATEST risk resulting from this situation is that:
A. an unauthorized user may use the ID to gain access.

B. user access management is t

You answered A. The correct answer is C.
The use of a single user ID by more than one individual precludes knowing who, in fact, used that ID to access a system; therefore, it is more difficult to hold anyone accountable. The risk of an unauthorized user

An IS auditor performing an independent classification of systems should consider a situation where functions could be performed manually at a tolerable cost for an extended period of time as:
A. critical.
B. vital.
C. sensitive.

D. nonc

You answered D. The correct answer is C.
Sensitive functions are best described as those that can be performed manually at a tolerable cost for an extended period of time. Critical functions are those that cannot be performed unless they are replaced by i

During an audit of a business continuity plan (BCP), an IS auditor found that, although all departments were housed in the same building, each department had a separate BCP. The IS auditor recommended that the BCPs be reconciled. Which of the following ar

You answered C. The correct answer is A.
Protecting human resources during a disaster-related event should be addressed first. Having separate BCPs could result in conflicting evacuation plans, thus jeopardizing the safety of staff and clients. Choices B,

An organization is considering using a new IT service provider. From an audit perspective, which of the following would be the MOST important item to review?
A. References from other clients for the service provider

B. The physical secur

You are correct, the answer is C.
When contracting with a service provider, it is a best practice to enter into an SLA with the provider. An SLA is a guarantee that the provider will deliver the services according to the contract. Due diligence activities

An organization sells books and music online at its secure web site. Transactions are transferred to the accounting and delivery systems every hour to be processed. Which of the following controls BEST ensures that sales processed on the secure web site a

You answered D. The correct answer is B.
Automatic numerical sequencing is the only option that accounts for completeness of transactions because any missing transactions would be identified by a gap. Totaling transactions on the sales system does not add

A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing-off on the accuracy and completeness of the data before going live?

A. IS audito

You are correct, the answer is D.
During the data conversion stage of a project, the data owner is primarily responsible for reviewing and signing-off that the data are migrated completely, accurately and are valid. An IS auditor is not responsible for re

During a data center audit, an IS auditor observes that some parameters in the tape management system are set to bypass or ignore tape header records. Which of the following is the MOST effective compensating control for this weakness?

A

You answered D. The correct answer is A.
If the IS auditor finds that there are effective staging and job setup processes, this can be accepted as a compensating control. Choice B is a detective control while choices C and D are corrective controls, none

While conducting an audit, an IS auditor detects the presence of a virus. What should be the IS auditor's next step?
A. Observe the response mechanism.
B. Clear the virus from the network.
C. Inform appropriate personnel immediately.

D.

You are correct, the answer is C.
The first thing an IS auditor should do after detecting the virus is to alert the organization to its presence, then wait for their response. Choice A should be taken after choice C. This will enable an IS auditor to exam

An accuracy measure for a biometric system is:
A. system response time.
B. registration time.
C. input file size.

D. false-acceptance rate (FAR).

You are correct, the answer is D.
Three main accuracy measures are used for a biometric solution: false-rejection rate (FRR), cross-error rate (CER) and FAR. FRR is a measure of how often valid individuals are rejected. FAR is a measure of how often inval

An IS auditor has been assigned to review an organization's information security policy. Which of the following issues represents the HIGHEST potential risk?
A. The policy has not been updated in more than one year.

B. The policy include

You are correct, the answer is C.
The information security policy should have an owner who has approved management responsibility for the development, review and evaluation of the security policy. The position of security administrator is typically a staf

The activation of an enterprise's business continuity plan should be based on predetermined criteria that address the:
A. duration of the outage.
B. type of outage.
C. probability of the outage.

D. cause of the outage.

You answered C. The correct answer is A.
The initiation of a business continuity plan (action) should primarily be based on the maximum period for which a business function can be disrupted before the disruption threatens the achievement of organizational

An IS auditor is reviewing the process performed for the protection of digital evidence. Which of the following findings should be of MOST concern to the IS auditor?

A. The owner of the system was not present at the time of the evidence

You answered B. The correct answer is C.
It is very important that evidence be handled properly and never modified physically or, more important, logically. The goal of this process is to be able to testify truthfully in court that the technical investiga

Failure in which of the following testing stages would have the GREATEST impact on the implementation of new application software?
A. System testing
B. Acceptance testing
C. Integration testing

D. Unit testing

You answered C. The correct answer is B.
Acceptance testing is the final stage before the software is installed and is available for use. The greatest impact would occur if the software fails at the acceptance testing level, as this could result in delays

Which of the following recovery strategies is MOST appropriate for a business having multiple offices within a region and a limited recovery budget?
A. A hot site maintained by the business
B. A commercial cold site

C. A reciprocal arran

You are correct, the answer is C.
For a business having many offices within a region, a reciprocal arrangement among its offices would be most appropriate. Each office could be designated as a recovery site for some other office. This would be the least e

Which of the following is the MOST likely benefit of implementing a standardized infrastructure?
A. Improved cost-effectiveness of IT service delivery and operational support
B. Increased security of the IT service delivery center

C. Red

You are correct, the answer is A.
A. A standardized IT infrastructure provides a consistent set of platforms and operating systems across the organization. This standardization reduces the time and effort required to manage a set of disparate platforms an

An IS auditor needs to review the procedures used to restore a software application to its state prior to an upgrade. Therefore, the auditor needs to assess:
A. problem management procedures.
B. software development procedures.

C. fallba

You are correct, the answer is C.
Fallback procedures are used to restore a system to a previous state and are an important element of the change control process. The other choices are not related to the change control process, a process which specifies wh

An IS auditor discovers that the chief information officer (CIO) of an organization is using a wireless broadband modem utilizing global system for mobile communications (GSM) technology. This modem is being used to connect the CIO's laptop to the corpora

You are correct, the answer is A.
The inherent security features of GSM technology combined with the use of a VPN are appropriate. Choice A would be the correct answer since the confidentiality of the communication on the GSM radio link is ensured by the

Which of the following is the MOST effective when determining the correctness of individual account balances migrated from one database to another?
A. Compare the hash total before and after the migration.

B. Verify that the number of re

You answered B. The correct answer is C.
Performing sample testing of the migrated account balances will involve the comparison of a selection of individual transactions from the database before the migration. The hash total will only validate the data in

A company is implementing a dynamic host configuration protocol (DHCP). Given that the following conditions exist, which represents the GREATEST concern?
A. Most employees use laptops.
B. A packet filtering firewall is used.

C. The IP ad

You are correct, the answer is D.
Given physical access to a port, anyone can connect to the internal network. The other choices do not present the exposure that access to a port does. DHCP provides convenience (an advantage) to the laptop users. Sharing

The PRIMARY outcome of a business impact analysis (BIA) is:
A. a plan for resuming operations after a disaster.
B. a commitment of the organization to physical and logical security.

C. a framework for an effective disaster recovery plan

You are correct, the answer is D.
A. A BIA does establish a starting point for planning how to resume operations after a disaster. This is, however, not the primary purpose of a BIA.

B. The public's perception of an organization's physical and logical sec

The database administrator (DBA) suggests that database (DB) efficiency can be improved by denormalizing some tables. This would result in:
A. loss of confidentiality.
B. increased redundancy.
C. unauthorized accesses.

D. application malf

You answered D. The correct answer is B.
Normalization is a design or optimization process for a relational DB that minimizes redundancy; therefore, denormalization would increase redundancy. Redundancy which is usually considered positive when it is a qu

While reviewing sensitive electronic work papers, the IS auditor noticed that they were not encrypted. This could compromise the:
A. audit trail of the versioning of the work papers.
B. approval of the audit phases.

C. access rights to t

You are correct, the answer is D.
Encryption provides confidentiality for the electronic work papers. Audit trails, audit phase approvals and access to the work papers do not, of themselves, affect the confidentiality but are part of the reason for requir

Which of the following is the MOST efficient way to test the design effectiveness of a change control process?
A. Test a sample population of change requests
B. Test a sample of authorized changes

C. Interview personnel in charge of the

You answered A. The correct answer is D.
A. Testing a sample population of changes is a test of operating effectiveness to ensure that users submitted the proper documentation/requests. It does not test the effectiveness of the design.

B. Testing changes

When evaluating IT outsourcing strategies, an IS auditor should be MOST concerned if which of the following elements is part of the strategy?
A. Transfer of legal compliance responsibility

B. Promoting long-term contracts rather than sho

You are correct, the answer is A.
The ultimate responsibility to comply with all applicable laws and regulations lies with the company that is outsourcing or contracting the service, not with the external service provider. Therefore, transferring such res

An IT executive of an insurance company asked an external auditor to evaluate the user IDs for emergency access (fire call ID). The IS auditor found that fire call accounts are granted without a predefined expiration date. What should the IS auditor recom

You are correct, the answer is A.
In this case, the IS auditor should recommend reviewing the process of access control management. Emergency system administration-level access should only be granted on an as-needed basis and configured to a predefined ex

During the audit of an acquired software package, an IS auditor finds that the software purchase was based on information obtained through the Internet, rather than from responses to a request for proposal (RFP). The IS auditor should FIRST:

You answered C. The correct answer is D.
In the case of a deviation from the predefined procedures, an IS auditor should first ensure that the procedure followed for acquiring the software is consistent with the business objectives and has been approved b

Comparing data from an accounts payable application with invoices received from vendors in the month of December is BEST described as:
A. substantive testing.
B. compliance testing.
C. qualitative analysis.

D. judgment sampling.

You are correct, the answer is A.
A. Substantive testing involves obtaining audit evidence on the completeness, accuracy or existence of data at the individual transaction level. This can be achieved by comparing the data in the application to the base do

A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it:
A. can identify high-risk areas that might need a detailed review later.
B. allows IS auditors to independently assess risk.

C.

You are correct, the answer is A.
CSA is predicated on the review of high-risk areas that either need immediate attention or a more thorough review at a later date. Choice B is incorrect, because CSA requires the involvement of IS auditors and line manage

The implementation of access controls FIRST requires:
A. a classification of IS resources.
B. the labeling of IS resources.
C. the creation of an access control list.

D. an inventory of IS resources

You answered A. The correct answer is D.
The first step in implementing access controls is an inventory of IS resources, which is the basis for classification. Labeling of resources cannot be done without first determining the resources' classifications.

Which of the following processes will be MOST effective in reducing the risk that unauthorized software on a backup server is distributed to the production server?
A. Manually copy files to accomplish replication.

B. Review changes in th

You answered D. The correct answer is B.
It is common practice for software changes to be tracked and controlled using version control software. An IS auditor should review reports or logs from this system to identify the software that is promoted to prod

What is the BEST method to facilitate successful user testing and acceptance of a new enterprise resource planning (ERP) payroll system that is replacing an existing legacy system?
A. Multiple testing
B. Parallel testing

C. Integration t

You are correct, the answer is B.
Parallel testing is the best method for testing data results and system behavior because it allows the users to compare obtained results with both systems before decommission of the legacy system. Parallel testing also re

Which of the following is a risk of cross-training?
A. Increases the dependence on one employee
B. Does not assist in succession planning
C. One employee may know all parts of a system

D. Does not help in achieving a continuity of operat

You are correct, the answer is C.
When cross-training, it would be prudent to first assess the risk of any person knowing all parts of a system and what exposures this may cause. Cross-training has the advantage of decreasing dependence on one employee an

An IS auditor selects a server for a penetration test that will be carried out by a technical specialist. Which of the following is MOST important?
A. The tools used to conduct the test
B. Certifications held by the IS auditor

C. Permiss

You are correct, the answer is C.
The data owner should be informed of the risk associated with a penetration test, what types of tests are to be conducted and other relevant details. All other choices are not as important as the data owner's responsibili

During an IS audit of a bank, the IS auditor is assessing whether the enterprise properly manages staff member access to the operating system. The IS auditor should determine whether the enterprise performs:

A. periodic review of user ac

You are correct, the answer is A.
General operating system access control functions include logging user activities, events, etc. Choice B is a database- and/or an application-level access control function. Choice C is a network control feature. Choice D

Which of the following will MOST successfully identify overlapping key controls in business application systems?
A. Reviewing system functionalities that are attached to complex business processes

B. Submitting test transactions through

You answered A. The correct answer is C.
As part of the effort to realize continuous audit management (CAM), there are cases for introducing an automated monitoring and auditing solution. All key controls need to be clearly aligned for systematic implemen

Which of the following is the BEST reason to implement a policy which addresses secondary employment for IT employees?
A. To ensure that employees are not misusing corporate resources
B. To prevent conflicts of interest

C. To prevent emp

You are correct, the answer is B.
The best reason to implement and enforce a policy governing secondary employment is to prevent conflicts of interest. Conflicts of interest could result in serious risk such as fraud, theft of intellectual property or oth

A lower recovery time objective (RTO) results in:
A. higher disaster tolerance.
B. higher cost.
C. wider interruption windows.

D. more permissive data loss.

You are correct, the answer is B.
RTO is based on the acceptable downtime in case of a disruption of operations. The lower the RTO, the higher the cost of recovery strategies. The lower the disaster tolerance, the narrower the interruption windows, and th

Electromagnetic emissions from a terminal represent an exposure because they:
A. affect noise pollution.
B. disrupt processor functions.
C. produce dangerous levels of electric current.

D. can be detected and displayed.

You are correct, the answer is D.
Emissions can be detected by sophisticated equipment and displayed, thus giving unauthorized persons access to data. They should not cause disruption of CPUs or affect noise pollution. TEMPEST is a term referring to the i

An IS auditor reviewing database controls discovered that changes to the database during normal working hours were handled through a standard set of procedures. However, changes made after normal hours required only an abbreviated number of steps. In this

You are correct, the answer is C.
The use of a DBA user account is normally set up to log all changes made and is most appropriate for changes made outside of normal hours. The use of a log, which records the changes, allows changes to be reviewed. The us

After installing a network, an organization implemented a vulnerability assessment tool or security scanner to identify possible weaknesses. Which is the MOST serious risk associated with such tools?
A. Differential reporting

B. False-po

You answered B. The correct answer is C.
False-negative reporting on weaknesses means the control weaknesses in the network are not identified and therefore may not be addressed, leaving the network vulnerable to attack. False-positive reporting is one in

While reviewing an ongoing project, the IS auditor notes that the development team has spent eight hours of activity on the first day against a budget of 24 hours (over three days). The projected time to complete the remainder of the activity is 20 hours.

You are correct, the answer is A.
A. Earned value analysis (EVA) is based on the premise that if a project task is assigned 24 hours for completion, it can be reasonably completed during that time frame. According to EVA, the project is behind schedule be

An IS auditor is evaluating processes put in place by management at a storage location containing computer equipment. One of the test procedures compares the equipment on location with the inventory records. This type of testing procedure executed by the

You answered D. The correct answer is A.
A. Substantive testing obtains audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period.

B. Compliance testing is evidence gathering for the purpose of testing

Which of the following recovery strategies is MOST appropriate if the recovery time objective (RTO) is high?
A. Warm site
B. Cold site
C. Hot site

D. Mobile site

You are correct, the answer is B.
A. If the RTO is high, it is financially reckless to use a warm site.
B. If the RTO is high, then the acceptable downtime is high. A cold site will be appropriate in such situations.

C. If the RTO is high a hot site is no

Which of the following controls helps prevent duplication of vouchers during data entry?
A. A range check
B. Transposition and substitution
C. A sequence check

D. A cyclic redundancy check (CRC)

You are correct, the answer is C.
A sequence check involves increasing the order of numbering and would validate whether the vouchers are in sequence and, thus, prevent duplicate vouchers. A range check works over a range of numbers. Even if the same vouc

A large chain of shops with electronic funds transfer (EFT) at point-of-sale devices has a central communications processor for connecting to the banking network. Which of the following is the BEST disaster recovery plan for the communications processor?

You are correct, the answer is D.
Having an alternative standby processor at another network node would be the best solution. The unavailability of the central communications processor would disrupt all access to the banking network, resulting in the disr

Which of the following represents the GREATEST risk created by a reciprocal agreement for disaster recovery made between two companies?
A. Developments may result in hardware and software incompatibility.
B. Resources may not be available when needed.

C.

You answered C. The correct answer is A.
If one organization updates its hardware and software configuration, it may mean that it is no longer compatible with the systems of the other party in the agreement. This may mean that each company is unable to us

The PRIMARY objective of testing a business continuity plan is to:
A. familiarize employees with the business continuity plan.
B. ensure that all residual risk is addressed.
C. exercise all possible disaster scenarios.

D. identify limitations of the busin

You answered B. The correct answer is D.
Testing the business continuity plan provides the best evidence of any limitations that may exist. Familiarizing employees with the business continuity plan is a secondary benefit of a test. It is not cost effectiv

Java applets and Active X controls are distributed executable programs that execute in the background of a web browser client. This practice is considered reasonable when:
A. a firewall exists.
B. a secure web connection is used.

C. the source of the exec

You answered D. The correct answer is C.
Acceptance of these mechanisms should be based on established trust. The control is provided by only knowing the source and then allowing the acceptance of the applets. Hostile applets can be received from anywhere

An IS auditor should use statistical sampling and not judgmental (nonstatistical) sampling, when:
A. the probability of error must be objectively quantified.
B. the auditor wishes to avoid sampling risk.
C. generalized audit software is unavailable.

D. th

You answered B. The correct answer is A.
Given an expected error rate and confidence level, statistical sampling is an objective method of sampling, which helps an IS auditor determine the sample size and quantify the probability of error (confidence coef

Which of the following BEST mitigates the risk of backup media containing irreplaceable information being lost or stolen while in transit?
A. Ensure that media are encrypted.
B. Maintain a duplicate copy.
C. Maintain chain of custody.

D. Ensure that perso

You answered A. The correct answer is B.
A. Although strong encryption protects against disclosure, it will not mitigate the loss of irreplaceable data.

B. Sensitive data should always be fully backed up before being transmitted or moved. Backups of sensi

A medium-sized organization, whose IT disaster recovery measures have been in place and regularly tested for years, has just developed a formal business continuity plan (BCP). A basic BCP tabletop exercise has been performed successfully. Which testing sh

You answered C. The correct answer is D.
After a tabletop exercise has been performed, the next step would be a functional test, which includes the mobilization of staff to exercise the administrative and organizational functions of a recovery. Since the

The MOST likely explanation for the use of applets in an Internet application is that:
A. it is sent over the network from the server.
B. the server does not run the program and the output is not sent over the network.

C. they improve th

You answered D. The correct answer is C.
An applet is a JAVA program that is sent over the network from the web server, through a web browser and to the client machine; the code is then run on the machine. Since the server does not run the program and the

To ensure message integrity, confidentiality and nonrepudiation between two parties, the MOST effective method would be to create a message digest by applying a cryptographic hashing algorithm against:

A. the entire message, enciphering

You answered D. The correct answer is A.
Applying a cryptographic hashing algorithm against the entire message addresses the message integrity issue. Enciphering the message digest using the sender's private key addresses nonrepudiation. Encrypting the me

Once an organization has finished the business process reengineering (BPR) of all its critical operations, an IS auditor would MOST likely focus on a review of:
A. pre-BPR process flowcharts.
B. post-BPR process flowcharts.

C. BPR projec

You are correct, the answer is B.
An IS auditor's task is to identify and ensure that key controls have been incorporated into the reengineered process. Choice A is incorrect because an IS auditor must review the process as it is today, not as it was in t

An IS auditor is assessing a biometric fingerprint system that protects a data center containing protected health information. The auditor should be MOST concerned with which of the following?
A. False rejection rate (FRR)

B. Crossover e

You answered D. The correct answer is C.
A. The FRR is the probability (or percentage of times) that the system fails to detect a match between the input pattern and a matching template in the database. The FRR is the likelihood that a previously authoriz

Which of the following is the MOST important function to be performed by IS management when a service has been outsourced?
A. Ensuring that invoices are paid to the provider
B. Participating in systems design with the provider

C. Renegot

You are correct, the answer is D.
In an outsourcing environment, the company is dependent on the performance of the service provider. Therefore, it is critical the outsourcing provider's performance be monitored to ensure that services are delivered to th

An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation?
A. Log all table update transactions.

B. Implement integrity constraints in the

You are correct, the answer is B.
Implementing integrity constraints in the database is a preventive control because data are checked against predefined tables or rules, which prevents any undefined data from being entered. Logging all table update transa

An IS auditor is assisting in the design of the emergency change control procedures for an organization with a limited budget. Which of the following recommendations BEST helps to establish accountability for the system support personnel?

You answered D. The correct answer is A.
A. Production access should be controlled and monitored to ensure segregation of duties. During an emergency change, a user who normally does not have access to production may require access. The best process to en

The BEST method of confirming the accuracy of a system tax calculation is by:
A. detailed visual review and analysis of the source code of the calculation programs.

B. recreating program logic using generalized audit software to calculat

You are correct, the answer is C.
Preparing simulated transactions for processing and comparing the results to predetermined results is the best method for confirming the accuracy of a tax calculation. Detailed visual review, flowcharting and analysis of

An IS auditor has been assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST?
A. An audit clause is present in all contracts.

B. The service

You answered B. The correct answer is C.
The complexity of IT structures matched by the complexity and interplay of responsibilities and warranties may affect or void the effectiveness of those warranties and the reasonable certainty that the business nee

In a small manufacturing business, an IT employee is doing both manufacturing work as well as all the programming activities. Which of the following is the BEST control to mitigate risk in the given scenario?

A. Access restrictions to pr

You answered C. The correct answer is D.
Procedures to verify and review that only approved changes are implemented would be an effective control in this scenario. Segregation of duties will prevent a combination of conflicting functions, but choice B is

The BEST time for an IS auditor to assess the control specifications of a new application software package which is being considered for acquisition is during:
A. the internal lab testing phase.
B. testing and prior to user acceptance.

C

You are correct, the answer is C.
The best time for the involvement of an IS auditor is at the beginning of the requirements definition of the development or acquisition of applications software. This provides maximum opportunity for review of the vendors

A proposed transaction processing application will have many data capture sources and outputs in paper and electronic form. To ensure that transactions are not lost during processing, an IS auditor should recommend the inclusion of:

A. v

You answered A. The correct answer is D.
Automated systems balancing would be the best way to ensure that no transactions are lost as any imbalance between total inputs and total outputs would be reported for investigation and correction. Validation contr

An advantage of using sanitized live transactions in test data is that:
A. all transaction types will be included.
B. every error condition is likely to be tested.
C. no special routines are required to assess the results.
D. test transa

You are correct, the answer is D.
Test data will be representative of live processing; however, it is unlikely that all transaction types or error conditions will be tested in this way.

When reviewing a project where quality is a major concern, an IS auditor should use the project management triangle to explain that:
A. increases in quality can be achieved, even if resource allocation is decreased.
B. increases in quali

You answered B. The correct answer is A.
The three primary dimensions of a project are determined by the deliverables, the allocated resources and the delivery time. The area of the project management triangle, comprised of these three dimensions, is fixe

An IS auditor is reviewing a monthly accounts payable transaction register using audit software. For what purpose would the auditor be interested in using a check digit?
A. To detect data transposition errors.
B. To ensure that transacti

You are correct, the answer is A.
A. A check digit is a numeric value added to data to ensure that original data are correct and have not been altered.
B. Ensuring that data have not exceeded a predetermined amount is a limit check.

C. Ensuring that data

Which of the following should an IS auditor review to gain an understanding of the effectiveness of controls over the management of multiple projects?
A. Project database
B. Policy documents
C. Project portfolio database
D. Program organ

You are correct, the answer is C.
A project portfolio database is the basis for project portfolio management. It includes project data, such as owner, schedules, objectives, project type, status and cost. Project portfolio management requires specific pro

An IS auditor is reviewing a project for the implementation of a mission-critical system and notes that, instead of parallel implementation, the team opted for an immediate cutover to the new system. Which of the following is the GREATEST concern?

You are correct, the answer is A.
A. One of the benefits of deploying a new system in parallel with an existing system is that the original system can always be used as a backout plan. In an immediate cutover scenario, not having a backout plan can create

Which of the following carries the LOWEST risk when managing failures while transitioning from legacy applications to new applications?
A. Phased changeover
B. Abrupt changeover
C. Rollback procedure
D. Parallel changeover

You are correct, the answer is D.
A. Phased changeover involves the changeover from the old system to the new system in a phased manner. Therefore, at no time will the old system and the new system both be fully operational as one integrated system.

B. In

An IS auditor is reviewing a new web-based order entry system the week before it goes live. The auditor has identified that the application, as designed, may be missing several critical controls regarding how the system stores customer credit card informa

You are correct, the answer is C.
If there are significant security issues identified by an IS auditor, the first question is whether the security requirements were correct in the project plan. While it is important for programmers to understand security,

Which of the following types of risk could result from inadequate software baselining?
A. Sign-off delays
B. Software integrity violations
C. Scope creep
D. Inadequate controls

You answered A. The correct answer is C.
A. Sign-off delays may occur due to inadequate software baselining; however, these are most likely caused by scope creep.

B. Software integrity violations can be caused by hardware or software failures, malicious i

An IS auditor assesses the project management process for an internal software development project. In respect to the software functionality, the IS auditor should look for sign-off by:
A. the project manager.
B. systems development mana

You are correct, the answer is C.
A. The project manager provides day-to-day management and leadership of the project and ensures that project activities remain in line with the overall direction.

B. Systems development management provides technical suppo

Which of the following types of risk is MOST likely encountered in a Software as a Service (SaaS) environment?
A. Noncompliance with software license agreements
B. Performance issues due to Internet delivery method
C. Higher cost due to

You are correct, the answer is B.
The risk that could be most likely encountered in an SaaS environment is speed and availability issues, due to the fact that SaaS relies on the Internet for connectivity. SaaS is provisioned on a usage basis, not a licens

An organization stores and transmits sensitive customer information within a secure wired network. It has implemented an additional wireless local area network (WLAN) to support general-purpose staff computing needs. A few employees with WLAN access have

You are correct, the answer is D.
In this case, a firewall could be used as a strong control to allow authorized users on the wireless network to access the wired network. While having two physically separate networks would ensure the security of customer

An e-commerce organization with a complex technological environment has numerous concurrent projects. This often results in production system changes. What is the MOST suitable approach to managing system changes so that system outages are minimized?

You are correct, the answer is B.
A. This is acceptable as a short-term strategy. However, more complex changes cannot be deferred indefinitely and need to be managed effectively, particularly if being introduced by multiple development initiatives. Care

Which of the following helps an IS auditor evaluate the quality of new software that is developed and implemented?
A. The reporting of the mean time between failures over time
B. The overall mean time to repair failures
C. The first repo

You answered A. The correct answer is C.
A. The mean time between failures that are repetitive includes the inefficiency in fixing the first reported failures and is a reflection on the response team or help desk team in fixing the reported issues.

B. The

When reviewing the desktop software compliance of an organization, the IS auditor should be MOST concerned if the installed software:
A. was installed, but not documented in the IT department records.
B. was installed and the license has

You are correct, the answer is C.
Choice C implies which software is not allowed by policy. Any software that is allowed should be part of a standard software list. This is the first thing to review since this would also indicate compliance with policies;

An IS auditor wants to analyze audit trails on critical servers to discover potential anomalies in user or system behavior. Which of the following is the MOST suitable for performing that task?
A. Computer-aided software engineering (CAS

You answered A. The correct answer is C.
Trend/variance detection tools look for anomalies in user or system behavior, such as invoices with increasing invoice numbers. CASE tools are used to assist in software development. Embedded (audit) data collectio

Which of the following would contribute MOST to an effective business continuity plan (BCP)?
A. The document is circulated to all interested parties.
B. Planning involves all user departments.
C. The plan is approved by senior management

You are correct, the answer is B.
The involvement of user departments in the BCP is crucial for the identification of the business processing priorities. The BCP circulation will ensure that the BCP document is received by all users. Although essential, t

A database administrator has detected a performance problem with some tables which could be solved through denormalization. This situation will increase the risk of:
A. concurrent access.
B. deadlocks.
C. unauthorized access to data.
D.

You are correct, the answer is D.
Normalization is the removal of redundant data elements from the database structure. Disabling normalization in relational databases will create redundancy and a risk of not maintaining consistency of data, with the conse

A perpetrator looking to gain access to and gather information about encrypted data being transmitted over the network would use:
A. eavesdropping.
B. spoofing.
C. traffic analysis.
D. masquerading.

You are correct, the answer is C.
In traffic analysis, which is a passive attack, an intruder determines the nature of the traffic flow between defined hosts and through an analysis of session length, frequency and message length, and the intruder is able

Corporate IS policy for a call center requires that all users be assigned unique user accounts. On discovering that this is not the case for all current users, what is the MOST appropriate recommendation?
A. Have the current configuration approved by oper

You answered A. The correct answer is C.
Individual user accounts allow for accountability of transactions and should be the most important recommendation, given the current scenario. Choices A and B are recommendations that are not in compliance with the

There is a concern that the risk of unauthorized access may increase after implementing a single sign-on (SSO) process. To prevent unauthorized access, the MOST important action is to:
A. ensure that all failed authentication attempts are monitored.
B. re

You answered A. The correct answer is D.
A. Ensuring that all failed authentication attempts are monitored is a good practice; however, a strong password policy is a better preventive control.

B. Reviewing the log files can increase the probability of det

Network Data Management Protocol (NDMP) technology should be used for backup if:
A. a network attached storage (NAS) appliance is required.
B. the use of TCP/IP must be avoided.
C. file permissions that cannot be handled by legacy backup systems must be b

You are correct, the answer is A.
NDMP defines three kinds of services:
1. A data service that interfaces with the primary storage to be backed up or restored
2. A tape service that interfaces with the secondary storage (primarily a tape device)

3. A trans

An IS audit department is planning to minimize its dependency on key individuals. Activities that contribute to this objective are documented procedures, knowledge sharing, cross-training, and:
A. succession planning.
B. staff job evaluation.
C. responsib

You answered C. The correct answer is A.
Succession planning ensures that internal personnel with the potential to fill key positions in the company are identified and developed. Job evaluation is the process of determining the worth of one job in relatio

Who should review and approve system deliverables as they are defined and accomplished to ensure the successful completion and implementation of a new business system application?
A. User management
B. Project steering committee
C. Senior management
D. Qu

You answered C. The correct answer is A.
User management assumes ownership of the project and resulting system, allocates qualified representatives to the team, and actively participates in system requirements definition, acceptance testing and user train

Which of the following security measures BEST ensures the integrity of information stored in a data warehouse?
A. Validated daily backups
B. Change management procedures
C. Data dictionary maintenance
D. A read-only restriction

You answered A. The correct answer is D.
Applying read-only restrictions to historical information prevents data manipulation. Backups address availability, not integrity. Adequate change management and data dictionary maintenance procedures provide the i

An investment advisor emails periodic newsletters to clients and wants reasonable assurance that no one has modified the newsletter. This objective can be achieved by:
A. encrypting the hash of the newsletter using the advisor's private key.
B. encrypting

You answered C. The correct answer is A.
It is not the intention of the investment advisor to maintain the confidentiality of the newsletter. The objective is to assure the receivers that it came to them without any modification (i.e., to give message int

Which of the following is the BEST method of disposing of sensitive data on a former employee's laptop so that it can be reused by another employee?
A. Overwrite the hard drive sectors.
B. Degauss the hard drive.
C. Reimage the computer.
D. Format the har

You answered B. The correct answer is A.
A. Using a utility to overwrite each sector of the hard drive is the best way to ensure that data are not recoverable from the laptop. This method writes a sequence of information across the entire drive, therefore

Two-factor authentication can be circumvented through which of the following attacks?
A. Denial-of-service
B. Man-in-the-middle
C. Key logging
D. Brute force

You are correct, the answer is B.
A man-in-the-middle attack is similar to piggybacking, in that the attacker pretends to be the legitimate destination, and then merely retransmits whatever is sent by the authorized user along with additional transactions

The BEST method of confirming the accuracy of a system tax calculation is by:
A. detailed visual review and analysis of the source code of the calculation programs.
B. recreating program logic using generalized audit software to calculate monthly totals.

You answered B. The correct answer is C.
Preparing simulated transactions for processing and comparing the results to predetermined results is the best method for confirming the accuracy of a tax calculation. Detailed visual review, flowcharting and analy

For a mission-critical application with a low recovery time objective (RTO), the IS auditor would recommend the use of which of the following recovery strategies?
A. Mobile site
B. Redundant site
C. Hot site
D. Reciprocal agreements

You are correct, the answer is B.
A redundant site contains either duplicate mirror facilities that are online at all times or computing facilities of a reduced capacity that can process at the acceptable service delivery objective (SDO) requirement. The

Which of the following is the BEST performance criterion for evaluating the adequacy of an organization's security awareness training?
A. Senior management is aware of critical information assets and demonstrates an adequate concern for their protection.

You answered C. The correct answer is B.
The inclusion of security responsibilities in job descriptions is a form of security training and helps ensure that staff and management are aware of their roles with respect to information security. The other thre

To ensure compliance with a security policy requiring that passwords be a combination of letters and numbers, an IS auditor should recommend that:
A. the company policy be changed.
B. passwords are periodically changed.
C. an automated password management

You answered A. The correct answer is C.
The use of an automated password management tool is a preventive control measure. The software would prevent repetition (semantic) and would enforce syntactic rules, thus making the passwords robust. It would also

During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that:
A. assessment of the situation may be

You are correct, the answer is B.
Execution of the business continuity plan would be impacted if the organization does not know when to declare a crisis. Choices A, C and D are steps that must be performed to know whether to declare a crisis. Problem and

When reviewing the IT strategic planning process, an IS auditor should ensure that the plan:
A. incorporates state of the art technology.
B. addresses the required operational controls.
C. articulates the IT mission and vision.
D. specif

You are correct, the answer is C.
The IT strategic plan must include a clear articulation of the IT mission and vision. The plan need not address the technology, operational controls or project management practices.

The BEST method for assessing the effectiveness of a business continuity plan is to review the:
A. plans and compare them to appropriate standards.
B. results from previous tests.
C. emergency procedures and employee training.
D. offsite

You are correct, the answer is B.
Previous test results will provide evidence of the effectiveness of the business continuity plan. Comparisons to standards will give some assurance that the plan addresses the critical aspects of a business continuity pla

Which of the following is the BEST method to ensure that the business continuity plan (BCP) remains up to date?
A. The group walks through the different scenarios of the plan, from beginning to end.
B. The group ensures that specific sys

You are correct, the answer is A.
A structured walk-through test gathers representatives from each department who will review the plan and identify weaknesses. The ability of the group to ensure that specific systems can actually perform adequately at the

With respect to business continuity strategies, an IS auditor interviews key stakeholders in an organization to determine whether they understand their roles and responsibilities. The IS auditor is attempting to evaluate the:
A. clarity

You are correct, the answer is A.
The IS auditor should interview key stakeholders to evaluate how well they understand their roles and responsibilities. When all stakeholders have a detailed understanding of their roles and responsibilities in the event

An IS auditor reviewing an organization that uses cross-training practices should assess the risk of:
A. dependency on a single person.
B. inadequate succession planning.
C. one person knowing all parts of a system.
D. a disruption of op

You are correct, the answer is C.
Cross-training is a process of training more than one individual to perform a specific job or procedure. This practice helps decrease the dependence on a single person and assists in succession planning. This provides for

An IS auditor was hired to review e-business security. The IS auditor's first task was to examine each existing e-business application, looking for vulnerabilities. What would be the next task?
A. Immediately report the risk to the chief

You are correct, the answer is C.
An IS auditor must identify the assets, look for vulnerabilities, and then identify the threats and the likelihood of occurrence. Choices A, B and D should be discussed with the CIO, and a report should be delivered to th

Which of the following activities performed by a database administrator (DBA) should be performed by a different person?
A. Deleting database activity logs
B. Implementing database optimization tools
C. Monitoring database usage
D. Defin

You are correct, the answer is A.
Since database activity logs record activities performed by the database administrator (DBA), deleting them should be performed by an individual other than the DBA. This is a compensating control to aid in ensuring an app

An organization has outsourced its help desk activities. An IS auditor's GREATEST concern when reviewing the contract and associated service level agreement (SLA) between the organization and vendor should be the provisions for:
A. docum

You are correct, the answer is B.
When the functions of an IS department are outsourced, an IS auditor should ensure that a provision is made for independent audit reports that cover all essential areas, or that the outsourcer has full audit access. Altho

A financial institution has recently developed and installed a new deposit system which interfaces with their customer web site and their automated teller machines (ATMs). During the project, the development team and the business continuity team maintaine

You are correct, the answer is A.
The expectation is that the basic mechanics of recovery for the new system are understood and the recovery infrastructure has been put into place. An appropriate test now would be to involve actual resources in a simulate

A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential losses, the team should:
A. compute the amortization of the related assets.
B. calculate a re

You answered A. The correct answer is C.
The common practice, when it is difficult to calculate the financial losses, is to take a qualitative approach, in which the manager affected by the risk defines the financial loss in terms of a weighted factor (e.

Effective IT governance requires organizational structures and processes to ensure that:
A. the organization's strategies and objectives extend the IT strategy.
B. the business strategy is derived from an IT strategy.
C. IT governance is

You are correct, the answer is D.
Effective IT governance requires that board and executive management extend governance to IT and provide the leadership, organizational structures and processes that ensure that the organization's IT sustains and extends

Which of the following tasks should be performed FIRST when preparing a disaster recovery plan?
A. Develop a recovery strategy.
B. Perform a business impact analysis (BIA).
C. Map software systems, hardware and network components.
D. App

You are correct, the answer is B.
The first step in any disaster recovery plan is to perform a BIA. All other tasks come afterwards.

When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is

You answered A. The correct answer is B.
IT risk is managed by embedding accountability into the enterprise. The IS auditor should recommend the implementation of accountability rules to ensure that all responsibilities are defined within the organization

For effective implementation after a business continuity plan (BCP) has been developed, it is MOST important that the BCP be:
A. stored in a secure, offsite facility.
B. approved by senior management.
C. communicated to appropriate person

You are correct, the answer is C.
The implementation of a BCP will be effective only if appropriate personnel are informed and aware of all the aspects of the BCP. The BCP, if kept in a safe place, will not reach the users; users will never implement the

When developing a security architecture, which of the following steps should be executed FIRST?
A. Developing security procedures
B. Defining a security policy
C. Specifying an access control methodology
D. Defining roles and responsibil

You are correct, the answer is B.
Defining a security policy for information and related technology is the first step toward building a security architecture. A security policy communicates a coherent security standard to users, management and technical s

Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems?
A. User management coordination does not exist.
B. Specific user accountability cannot be established.
C. Unauthorized user

You are correct, the answer is C.
Without a policy defining who has the responsibility for granting access to specific systems, there is an increased risk that one could gain (be given) system access when they should not have authorization. By assigning a

A long-term IS employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be MOST based on the individual's

You answered C. The correct answer is D.
Independence should be continually assessed by the auditor and management. This assessment should consider such factors as changes in personal relationships, financial interests, and prior job assignments and respo

In a public key infrastructure (PKI), which of the following may be relied upon to prove that an online transaction was authorized by a specific customer?
A. Nonrepudiation
B. Encryption
C. Authentication
D. Integrity

You answered C. The correct answer is A.
Nonrepudiation, achieved through the use of digital signatures, prevents the claimed sender from later denying that they generated and sent the message. Encryption may protect the data transmitted over the Internet

The initial step in establishing an information security program is the:
A. development and implementation of an information security standards manual.
B. performance of a comprehensive security control review by the IS auditor.
C. adoption of a corporate

You answered A. The correct answer is C.
A policy statement reflects the intent and support provided by executive management for proper security and establishes a starting point for developing the security program.

Which of the following IT governance best practices improves strategic alignment?
A. Supplier and partner risk is managed.
B. A knowledge base on customers, products, markets and processes is in place.
C. A structure is provided that facilitates the creat

You answered A. The correct answer is D.
Top management mediating between the imperatives of business and technology is an IT strategic alignment best practice. Supplier and partner risk being managed is a risk management best practice. A knowledge base o

During an IS audit of a global organization, the IS auditor discovers that the organization uses voice-over IP (VoIP) over the Internet as the sole means of voice connectivity among all offices. Which of the following presents the MOST significant risk fo

You answered A. The correct answer is B.
The use of VoIP does not introduce any unique risk with respect to equipment failure, so choice A is not correct. A DDoS attack would potentially disrupt the organization's ability to communicate among its offices

Which of the following should be of PRIMARY concern to an IS auditor reviewing the management of external IT service providers?
A. Minimizing costs for the services provided
B. Prohibiting the provider from subcontracting services
C. Evaluating the proces

You answered B. The correct answer is D.
From an IS auditor's perspective, the primary objective of auditing the management of service providers should be to determine if the services that were requested were provided in a way that is acceptable, seamless

Which of the following is an attribute of the control self-assessment (CSA) approach?
A. Broad stakeholder involvement
B. Auditors are the primary control analysts
C. Limited employee participation
D. Policy driven

You answered D. The correct answer is A.
The CSA approach emphasizes management of and accountability for developing and monitoring the controls of an organization's business processes. The attributes of CSA include empowered employees, continuous improve

Which of the following is the BEST indicator that a newly developed system will be used after it is in production?
A. Regression testing
B. User acceptance testing (UAT)
C. Sociability testing
D. Parallel testing

You answered C. The correct answer is B.
A. Regression test results do not assist with the user experience and are primarily concerned with new functionality or processes and whether those changes altered or broke previous functionality.

B. UAT is underta

Which of the following would be the BEST approach to ensure that sufficient test coverage will be achieved for a project with a strict end date and a fixed time to perform testing?
A. Rank requirements and test in terms of importance and frequency of use.

You answered B. The correct answer is A.
The idea is to maximize the usefulness of testing by concentrating on the most important aspects of the system and, therefore, on the areas where defects represent the greatest risk to user acceptance. A further ex

Which of the following is the MOST critical and contributes the greatest to the quality of data in a data warehouse?
A. Accuracy of the source data
B. Credibility of the data source
C. Accuracy of the extraction process
D. Accuracy of th

You are correct, the answer is A.
Accuracy of source data is a prerequisite for the quality of the data in a data warehouse. Credibility of the data source, accurate extraction processes and accurate transformation routines are all important, but would no

An organization sells books and music online at its secure web site. Transactions are transferred to the accounting and delivery systems every hour to be processed. Which of the following controls BEST ensures that sales processed on the secure web site a

You are correct, the answer is B.
Automatic numerical sequencing is the only option that accounts for completeness of transactions because any missing transactions would be identified by a gap. Totaling transactions on the sales system does not address th

Change control for business application systems being developed using prototyping could be complicated by the:
A. iterative nature of prototyping.
B. rapid pace of modifications in requirements and design.
C. emphasis on reports and scre

You answered A. The correct answer is B.
Changes in requirements and design happen so quickly that they are seldom documented or approved. Choices A, C and D are characteristics of prototyping, but they do not have an adverse effect on change control.

Which of the following is MOST relevant to an IS auditor evaluating how the project manager has monitored the progress of the project?
A. Critical path diagrams
B. Program evaluation review technique (PERT) diagrams
C. Function point ana

You answered B. The correct answer is D.
A. Critical path diagrams are used to determine the critical path for the project that represents the shortest possible time required for completing the project.

B. PERT diagrams are a critical path method (CPM) te

When transmitting a payment instruction, which of the following will help verify that the instruction was not duplicated?
Select an answer:
A. Using a cryptographic hashing algorithm
B. Enciphering the message digest
C. Deciphering the message digest
D. U

The correct answer is D.
When transmitting data, a sequence number and/or time stamp built into the message to make it unique can be checked by the recipient to ensure that the message was not intercepted and replayed. This is known as replay pro

An organization has an integrated development environment (IDE) on which the program libraries reside on the server, but modification/development and testing are done from PC workstations. Which of the following would be a strength of an IDE?
Select an an

The correct answer is B.
One of the recognized strengths of an IDE is that it expands the programming resources and the aids that are available by maintaining all development tools centrally on the server along with the environment. IDE, in itsel

Which of the following is an advantage of the top-down approach to software testing?
Select an answer:
A. Interface errors are identified early.
B. Testing can be started before all programs are complete.
C. It is more effective than other testing approac

The correct answer is A.
The advantage of the top-down approach is that tests of major functions are conducted early, thus enabling the detection of interface errors sooner. The most effective testing approach is dependent on the environment bein

Which of the following should be included in a feasibility study for a project to implement an electronic data interchange (EDI) process?
Select an answer:
A. The encryption algorithm format
B. The detailed internal control procedures
C. The necessary com

The correct answer is C.
Encryption algorithms, third-party agreements and internal control procedures are too detailed for this phase. They would only be outlined and any cost or performance implications shown. The communications protocols must

Which of the following would be the MOST cost-effective recommendation for reducing the number of defects encountered during software development projects?
Select an answer:
A. Increase the time allocated for system testing.
B. Implement formal software i

The correct answer is B.
Inspections of code and design are a proven software quality technique. An advantage of this approach is that defects are identified before they propagate through the development life cycle. This reduces the cost of corre

The editing/validation of data entered at a remote site would be performed MOST effectively at the:
Select an answer:
A. central processing site after running the application system.
B. central processing site during the running of the application system.

The correct answer is D.
It is important that the data entered from a remote site is edited and validated prior to transmission to the central processing site.

While reviewing an ongoing project, the IS auditor notes that the development team has spent eight hours of activity on the first day against a budget of 24 hours (over three days). The projected time to complete the remainder of the activity is 20 hours.

The correct answer is A.
A. Earned value analysis (EVA) is based on the premise that if a project task is assigned 24 hours for completion, it can be reasonably completed during that time frame. According to EVA, the project is behind schedule be

A company has implemented a new client-server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are entered accurately and the c

The correct answer is A.
Verification will ensure that production orders match customer orders. Logging can be used to detect inaccuracies, but does not in itself guarantee accurate processing. Hash totals will ensure accurate order transmission,

When reviewing input controls, an IS auditor observes that, in accordance with corporate policy, procedures allow supervisory override of data validation edits. The IS auditor should:
Select an answer:
A. not be concerned since there may be other compensa

The correct answer is B.
If input procedures allow overrides of data validation and editing, automatic logging should occur. A management individual who did not initiate the override should review this log. An IS auditor should not assume

Results of a postimplementation review indicate that only 75 percent of the users can log in to the application concurrently. Which of the following could have BEST discovered the identified weakness of the application?
Select an answer:
A. Load testing
B

The correct answer is B.
A. Load testing evaluates the performance of the software at peak hours.
B. Stress testing determines the capacity of the software to cope with an incremental number of concurrent users.
C. Recovery testing evaluat

Which of the following controls helps prevent duplication of vouchers during data entry?
Select an answer:
A. A range check
B. Transposition and substitution
C. A sequence check
D. A cyclic redundancy check (CRC)

The correct answer is C.
A sequence check involves increasing the order of numbering and would validate whether the vouchers are in sequence and, thus, prevent duplicate vouchers. A range check works over a range of numbers. Even if the same vouc

An IS auditor is reviewing a project that is using an agile software development approach. Which of the following should the IS auditor expect to find?
Select an answer:
A. Use of a capability maturity model (CMM)
B. Regular monitoring of task-level progr

The correct answer is D.
A key tenet of the agile approach to software project management is ongoing team learning to refine project management and software development processes as the project progresses. One of the best ways to achieve this is

An IS auditor is reviewing a new web-based order entry system the week before it goes live. The auditor has identified that the application, as designed, may be missing several critical controls regarding how the system stores customer credit card informa

The correct answer is C.
If there are significant security issues identified by an IS auditor, the first question is whether the security requirements were correct in the project plan. While it is important for programmers to understand security,